Malware Analysis Report

2025-01-23 05:56

Sample ID 240523-ftshvseg7v
Target 87b0ad31508842022120123f5386a3a0_NeikiAnalytics.exe
SHA256 d268e72941bb4f750a076db6db5b630c7809c56587879e666a102074e1f2c105
Tags
backdoor trojan dropper berbew persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d268e72941bb4f750a076db6db5b630c7809c56587879e666a102074e1f2c105

Threat Level: Known bad

The file 87b0ad31508842022120123f5386a3a0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

backdoor trojan dropper berbew persistence

Malware Dropper & Backdoor - Berbew

Berbew family

Adds autorun key to be loaded by Explorer.exe on startup

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Program crash

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-23 05:10

Signatures

Berbew family

berbew

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-23 05:10

Reported

2024-05-23 05:12

Platform

win7-20240215-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\87b0ad31508842022120123f5386a3a0_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gmgdddmq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gkkemh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gaemjbcg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hobcak32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ennaieib.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fjdbnf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ghkllmoi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hpmgqnfl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hgilchkf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ilknfn32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bhcdaibd.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cljcelan.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Goddhg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fdapak32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gopkmhjk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bhfagipa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cnippoha.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dbbkja32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dchali32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dmafennb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fehjeo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ffpmnf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hgilchkf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aoffmd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bokphdld.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cljcelan.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hdhbam32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hlcgeo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bjijdadm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cgmkmecg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ekklaj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eeempocb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fbgmbg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Afkbib32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bhahlj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cdlnkmha.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Faokjpfd.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Globlmmj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hiekid32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bkfjhd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Efppoc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gonnhhln.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eeempocb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eiaiqn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Goddhg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gdamqndn.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hiqbndpb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Inljnfkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Balijo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cfbhnaho.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ecpgmhai.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cobbhfhg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Efncicpm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fbgmbg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Epieghdk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bghabf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eiomkn32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Egamfkdh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Comimg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gbijhg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hpapln32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fmekoalh.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ghkllmoi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hdfflm32.exe N/A

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Afkbib32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aoffmd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Afmonbqk.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahokfj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bbdocc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhahlj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkodhe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bokphdld.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhcdaibd.exe N/A
N/A N/A C:\Windows\SysWOW64\Balijo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhfagipa.exe N/A
N/A N/A C:\Windows\SysWOW64\Bghabf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bpafkknm.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkfjhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjijdadm.exe N/A
N/A N/A C:\Windows\SysWOW64\Bpcbqk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cgmkmecg.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjlgiqbk.exe N/A
N/A N/A C:\Windows\SysWOW64\Cljcelan.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfbhnaho.exe N/A
N/A N/A C:\Windows\SysWOW64\Cnippoha.exe N/A
N/A N/A C:\Windows\SysWOW64\Ccfhhffh.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjpqdp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Clomqk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Comimg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cciemedf.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjbmjplb.exe N/A
N/A N/A C:\Windows\SysWOW64\Cckace32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdlnkmha.exe N/A
N/A N/A C:\Windows\SysWOW64\Cobbhfhg.exe N/A
N/A N/A C:\Windows\SysWOW64\Dflkdp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddokpmfo.exe N/A
N/A N/A C:\Windows\SysWOW64\Dngoibmo.exe N/A
N/A N/A C:\Windows\SysWOW64\Dbbkja32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkkpbgli.exe N/A
N/A N/A C:\Windows\SysWOW64\Dbehoa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcfdgiid.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddeaalpg.exe N/A
N/A N/A C:\Windows\SysWOW64\Dchali32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfgmhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmafennb.exe N/A
N/A N/A C:\Windows\SysWOW64\Epaogi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejgcdb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ekholjqg.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecpgmhai.exe N/A
N/A N/A C:\Windows\SysWOW64\Efncicpm.exe N/A
N/A N/A C:\Windows\SysWOW64\Eilpeooq.exe N/A
N/A N/A C:\Windows\SysWOW64\Ekklaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Enihne32.exe N/A
N/A N/A C:\Windows\SysWOW64\Efppoc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiomkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Egamfkdh.exe N/A
N/A N/A C:\Windows\SysWOW64\Epieghdk.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebgacddo.exe N/A
N/A N/A C:\Windows\SysWOW64\Eeempocb.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiaiqn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eloemi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ennaieib.exe N/A
N/A N/A C:\Windows\SysWOW64\Fehjeo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fhffaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjdbnf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fnpnndgp.exe N/A
N/A N/A C:\Windows\SysWOW64\Faokjpfd.exe N/A
N/A N/A C:\Windows\SysWOW64\Fcmgfkeg.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\87b0ad31508842022120123f5386a3a0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\87b0ad31508842022120123f5386a3a0_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\SysWOW64\Afkbib32.exe N/A
N/A N/A C:\Windows\SysWOW64\Afkbib32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aoffmd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aoffmd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Afmonbqk.exe N/A
N/A N/A C:\Windows\SysWOW64\Afmonbqk.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahokfj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahokfj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bbdocc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bbdocc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhahlj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhahlj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkodhe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkodhe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bokphdld.exe N/A
N/A N/A C:\Windows\SysWOW64\Bokphdld.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhcdaibd.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhcdaibd.exe N/A
N/A N/A C:\Windows\SysWOW64\Balijo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Balijo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhfagipa.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhfagipa.exe N/A
N/A N/A C:\Windows\SysWOW64\Bghabf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bghabf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bpafkknm.exe N/A
N/A N/A C:\Windows\SysWOW64\Bpafkknm.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkfjhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkfjhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjijdadm.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjijdadm.exe N/A
N/A N/A C:\Windows\SysWOW64\Bpcbqk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bpcbqk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cgmkmecg.exe N/A
N/A N/A C:\Windows\SysWOW64\Cgmkmecg.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjlgiqbk.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjlgiqbk.exe N/A
N/A N/A C:\Windows\SysWOW64\Cljcelan.exe N/A
N/A N/A C:\Windows\SysWOW64\Cljcelan.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfbhnaho.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfbhnaho.exe N/A
N/A N/A C:\Windows\SysWOW64\Cnippoha.exe N/A
N/A N/A C:\Windows\SysWOW64\Cnippoha.exe N/A
N/A N/A C:\Windows\SysWOW64\Ccfhhffh.exe N/A
N/A N/A C:\Windows\SysWOW64\Ccfhhffh.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjpqdp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjpqdp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Clomqk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Clomqk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Comimg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Comimg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cciemedf.exe N/A
N/A N/A C:\Windows\SysWOW64\Cciemedf.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjbmjplb.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjbmjplb.exe N/A
N/A N/A C:\Windows\SysWOW64\Cckace32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cckace32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdlnkmha.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdlnkmha.exe N/A
N/A N/A C:\Windows\SysWOW64\Cobbhfhg.exe N/A
N/A N/A C:\Windows\SysWOW64\Cobbhfhg.exe N/A
N/A N/A C:\Windows\SysWOW64\Dflkdp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dflkdp32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Ghkllmoi.exe C:\Windows\SysWOW64\Gaqcoc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hejoiedd.exe C:\Windows\SysWOW64\Hdhbam32.exe N/A
File created C:\Windows\SysWOW64\Gmibbifn.dll C:\Windows\SysWOW64\Hkkalk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Comimg32.exe C:\Windows\SysWOW64\Clomqk32.exe N/A
File created C:\Windows\SysWOW64\Epafjqck.dll C:\Windows\SysWOW64\Dmafennb.exe N/A
File opened for modification C:\Windows\SysWOW64\Ennaieib.exe C:\Windows\SysWOW64\Eloemi32.exe N/A
File created C:\Windows\SysWOW64\Faokjpfd.exe C:\Windows\SysWOW64\Fnpnndgp.exe N/A
File created C:\Windows\SysWOW64\Gobgcg32.exe C:\Windows\SysWOW64\Gldkfl32.exe N/A
File created C:\Windows\SysWOW64\Dgnijonn.dll C:\Windows\SysWOW64\Ilknfn32.exe N/A
File created C:\Windows\SysWOW64\Cjlgiqbk.exe C:\Windows\SysWOW64\Cgmkmecg.exe N/A
File created C:\Windows\SysWOW64\Clnlnhop.dll C:\Windows\SysWOW64\Epieghdk.exe N/A
File opened for modification C:\Windows\SysWOW64\Fmekoalh.exe C:\Windows\SysWOW64\Fnbkddem.exe N/A
File created C:\Windows\SysWOW64\Jnmgmhmc.dll C:\Windows\SysWOW64\Fjlhneio.exe N/A
File opened for modification C:\Windows\SysWOW64\Hacmcfge.exe C:\Windows\SysWOW64\Hpapln32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ekholjqg.exe C:\Windows\SysWOW64\Ejgcdb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fjilieka.exe C:\Windows\SysWOW64\Fhkpmjln.exe N/A
File created C:\Windows\SysWOW64\Ffpmnf32.exe C:\Windows\SysWOW64\Fdapak32.exe N/A
File created C:\Windows\SysWOW64\Afkbib32.exe C:\Users\Admin\AppData\Local\Temp\87b0ad31508842022120123f5386a3a0_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Bbdocc32.exe C:\Windows\SysWOW64\Ahokfj32.exe N/A
File created C:\Windows\SysWOW64\Dobkmdfq.dll C:\Windows\SysWOW64\Ahokfj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bhcdaibd.exe C:\Windows\SysWOW64\Bokphdld.exe N/A
File created C:\Windows\SysWOW64\Qdoneabg.dll C:\Windows\SysWOW64\Bhcdaibd.exe N/A
File opened for modification C:\Windows\SysWOW64\Gbkgnfbd.exe C:\Windows\SysWOW64\Gopkmhjk.exe N/A
File created C:\Windows\SysWOW64\Qahefm32.dll C:\Windows\SysWOW64\Gopkmhjk.exe N/A
File created C:\Windows\SysWOW64\Pfabenjd.dll C:\Windows\SysWOW64\Gaemjbcg.exe N/A
File created C:\Windows\SysWOW64\Hojopmqk.dll C:\Windows\SysWOW64\Hjhhocjj.exe N/A
File created C:\Windows\SysWOW64\Maomqp32.dll C:\Windows\SysWOW64\Cciemedf.exe N/A
File opened for modification C:\Windows\SysWOW64\Dfgmhd32.exe C:\Windows\SysWOW64\Dchali32.exe N/A
File created C:\Windows\SysWOW64\Eiomkn32.exe C:\Windows\SysWOW64\Efppoc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gopkmhjk.exe C:\Windows\SysWOW64\Ghfbqn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hmlnoc32.exe C:\Windows\SysWOW64\Hiqbndpb.exe N/A
File opened for modification C:\Windows\SysWOW64\Cnippoha.exe C:\Windows\SysWOW64\Cfbhnaho.exe N/A
File opened for modification C:\Windows\SysWOW64\Cjbmjplb.exe C:\Windows\SysWOW64\Cciemedf.exe N/A
File created C:\Windows\SysWOW64\Ccdcec32.dll C:\Windows\SysWOW64\Cobbhfhg.exe N/A
File created C:\Windows\SysWOW64\Eilpeooq.exe C:\Windows\SysWOW64\Efncicpm.exe N/A
File created C:\Windows\SysWOW64\Ghkllmoi.exe C:\Windows\SysWOW64\Gaqcoc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hlhaqogk.exe C:\Windows\SysWOW64\Hjjddchg.exe N/A
File created C:\Windows\SysWOW64\Comimg32.exe C:\Windows\SysWOW64\Clomqk32.exe N/A
File created C:\Windows\SysWOW64\Ekklaj32.exe C:\Windows\SysWOW64\Eilpeooq.exe N/A
File created C:\Windows\SysWOW64\Eeempocb.exe C:\Windows\SysWOW64\Ebgacddo.exe N/A
File created C:\Windows\SysWOW64\Lnnhje32.dll C:\Windows\SysWOW64\Gonnhhln.exe N/A
File created C:\Windows\SysWOW64\Qhbpij32.dll C:\Windows\SysWOW64\Glfhll32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fpdhklkl.exe C:\Windows\SysWOW64\Fmekoalh.exe N/A
File created C:\Windows\SysWOW64\Bcqgok32.dll C:\Windows\SysWOW64\Fbgmbg32.exe N/A
File created C:\Windows\SysWOW64\Hiekid32.exe C:\Windows\SysWOW64\Hejoiedd.exe N/A
File created C:\Windows\SysWOW64\Pccobp32.dll C:\Windows\SysWOW64\Afmonbqk.exe N/A
File created C:\Windows\SysWOW64\Pdfdcg32.dll C:\Windows\SysWOW64\Bkodhe32.exe N/A
File created C:\Windows\SysWOW64\Nobdlg32.dll C:\Windows\SysWOW64\Ddeaalpg.exe N/A
File created C:\Windows\SysWOW64\Dekpaqgc.dll C:\Windows\SysWOW64\Ekholjqg.exe N/A
File created C:\Windows\SysWOW64\Enihne32.exe C:\Windows\SysWOW64\Ekklaj32.exe N/A
File created C:\Windows\SysWOW64\Qefpjhef.dll C:\Windows\SysWOW64\Ccfhhffh.exe N/A
File created C:\Windows\SysWOW64\Bioggp32.dll C:\Windows\SysWOW64\Cjbmjplb.exe N/A
File opened for modification C:\Windows\SysWOW64\Fnpnndgp.exe C:\Windows\SysWOW64\Fjdbnf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Inljnfkg.exe C:\Windows\SysWOW64\Ioijbj32.exe N/A
File created C:\Windows\SysWOW64\Dngoibmo.exe C:\Windows\SysWOW64\Ddokpmfo.exe N/A
File created C:\Windows\SysWOW64\Gfedefbi.dll C:\Windows\SysWOW64\Dchali32.exe N/A
File opened for modification C:\Windows\SysWOW64\Eloemi32.exe C:\Windows\SysWOW64\Eiaiqn32.exe N/A
File created C:\Windows\SysWOW64\Gaemjbcg.exe C:\Windows\SysWOW64\Gkkemh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fdapak32.exe C:\Windows\SysWOW64\Facdeo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fjlhneio.exe C:\Windows\SysWOW64\Ffpmnf32.exe N/A
File created C:\Windows\SysWOW64\Bfekgp32.dll C:\Windows\SysWOW64\Fddmgjpo.exe N/A
File opened for modification C:\Windows\SysWOW64\Bkfjhd32.exe C:\Windows\SysWOW64\Bpafkknm.exe N/A
File opened for modification C:\Windows\SysWOW64\Ccfhhffh.exe C:\Windows\SysWOW64\Cnippoha.exe N/A
File created C:\Windows\SysWOW64\Pkjapnke.dll C:\Windows\SysWOW64\Dngoibmo.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Iagfoe32.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fmekoalh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeccgbbh.dll" C:\Windows\SysWOW64\Fjilieka.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hiqbndpb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hpmgqnfl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hdhbam32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ilknfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Afmonbqk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bhcdaibd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Clomqk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egadpgfp.dll" C:\Windows\SysWOW64\Fcmgfkeg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fhhcgj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gdamqndn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hiqbndpb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bhahlj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cgmkmecg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Egamfkdh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikkbnm32.dll" C:\Windows\SysWOW64\Fpdhklkl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ghmiam32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dmafennb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenhecef.dll" C:\Windows\SysWOW64\Hgilchkf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Inljnfkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bkodhe32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Eiomkn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Eloemi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hdfflm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odpegjpg.dll" C:\Windows\SysWOW64\Hkpnhgge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpdcgoc.dll" C:\Windows\SysWOW64\Hnojdcfi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bokphdld.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epafjqck.dll" C:\Windows\SysWOW64\Dmafennb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcfdakpf.dll" C:\Windows\SysWOW64\Ejgcdb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fjilieka.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hhjhkq32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Glfhll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bpcbqk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkbcpgjj.dll" C:\Windows\SysWOW64\Cnippoha.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ecpgmhai.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ekklaj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Eiaiqn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnkajj32.dll" C:\Windows\SysWOW64\Fhkpmjln.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gicbeald.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gmgdddmq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcaipkch.dll" C:\Windows\SysWOW64\Ghmiam32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hdhbam32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhfkbo32.dll" C:\Windows\SysWOW64\Hacmcfge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll" C:\Windows\SysWOW64\Inljnfkg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ccfhhffh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cciemedf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dkkpbgli.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njqaac32.dll" C:\Windows\SysWOW64\Epaogi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ekholjqg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmjcmjd.dll" C:\Windows\SysWOW64\Iaeiieeb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aoffmd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alihbgdo.dll" C:\Windows\SysWOW64\Bkfjhd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Flmefm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnnclg32.dll" C:\Windows\SysWOW64\Gieojq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hpmgqnfl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bhahlj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cjpqdp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gbijhg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfabenjd.dll" C:\Windows\SysWOW64\Gaemjbcg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bjijdadm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cljcelan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Comimg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hgilchkf.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1540 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\87b0ad31508842022120123f5386a3a0_NeikiAnalytics.exe C:\Windows\SysWOW64\Afkbib32.exe
PID 2696 wrote to memory of 2480 N/A C:\Windows\SysWOW64\Afkbib32.exe C:\Windows\SysWOW64\Aoffmd32.exe
PID 2480 wrote to memory of 2500 N/A C:\Windows\SysWOW64\Aoffmd32.exe C:\Windows\SysWOW64\Afmonbqk.exe
PID 2500 wrote to memory of 2512 N/A C:\Windows\SysWOW64\Afmonbqk.exe C:\Windows\SysWOW64\Ahokfj32.exe
PID 2512 wrote to memory of 2516 N/A C:\Windows\SysWOW64\Ahokfj32.exe C:\Windows\SysWOW64\Bbdocc32.exe
PID 2516 wrote to memory of 2428 N/A C:\Windows\SysWOW64\Bbdocc32.exe C:\Windows\SysWOW64\Bhahlj32.exe
PID 2428 wrote to memory of 2368 N/A C:\Windows\SysWOW64\Bhahlj32.exe C:\Windows\SysWOW64\Bkodhe32.exe
PID 2368 wrote to memory of 1228 N/A C:\Windows\SysWOW64\Bkodhe32.exe C:\Windows\SysWOW64\Bokphdld.exe
PID 1228 wrote to memory of 1724 N/A C:\Windows\SysWOW64\Bokphdld.exe C:\Windows\SysWOW64\Bhcdaibd.exe
PID 1724 wrote to memory of 312 N/A C:\Windows\SysWOW64\Bhcdaibd.exe C:\Windows\SysWOW64\Balijo32.exe
PID 312 wrote to memory of 2312 N/A C:\Windows\SysWOW64\Balijo32.exe C:\Windows\SysWOW64\Bhfagipa.exe
PID 2312 wrote to memory of 1556 N/A C:\Windows\SysWOW64\Bhfagipa.exe C:\Windows\SysWOW64\Bghabf32.exe
PID 1556 wrote to memory of 2040 N/A C:\Windows\SysWOW64\Bghabf32.exe C:\Windows\SysWOW64\Bpafkknm.exe
PID 2040 wrote to memory of 2816 N/A C:\Windows\SysWOW64\Bpafkknm.exe C:\Windows\SysWOW64\Bkfjhd32.exe
PID 2816 wrote to memory of 2924 N/A C:\Windows\SysWOW64\Bkfjhd32.exe C:\Windows\SysWOW64\Bjijdadm.exe
PID 2924 wrote to memory of 268 N/A C:\Windows\SysWOW64\Bjijdadm.exe C:\Windows\SysWOW64\Bpcbqk32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\87b0ad31508842022120123f5386a3a0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\87b0ad31508842022120123f5386a3a0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Afkbib32.exe

C:\Windows\system32\Afkbib32.exe

C:\Windows\SysWOW64\Aoffmd32.exe

C:\Windows\system32\Aoffmd32.exe

C:\Windows\SysWOW64\Afmonbqk.exe

C:\Windows\system32\Afmonbqk.exe

C:\Windows\SysWOW64\Ahokfj32.exe

C:\Windows\system32\Ahokfj32.exe

C:\Windows\SysWOW64\Bbdocc32.exe

C:\Windows\system32\Bbdocc32.exe

C:\Windows\SysWOW64\Bhahlj32.exe

C:\Windows\system32\Bhahlj32.exe

C:\Windows\SysWOW64\Bkodhe32.exe

C:\Windows\system32\Bkodhe32.exe

C:\Windows\SysWOW64\Bokphdld.exe

C:\Windows\system32\Bokphdld.exe

C:\Windows\SysWOW64\Bhcdaibd.exe

C:\Windows\system32\Bhcdaibd.exe

C:\Windows\SysWOW64\Balijo32.exe

C:\Windows\system32\Balijo32.exe

C:\Windows\SysWOW64\Bhfagipa.exe

C:\Windows\system32\Bhfagipa.exe

C:\Windows\SysWOW64\Bghabf32.exe

C:\Windows\system32\Bghabf32.exe

C:\Windows\SysWOW64\Bpafkknm.exe

C:\Windows\system32\Bpafkknm.exe

C:\Windows\SysWOW64\Bkfjhd32.exe

C:\Windows\system32\Bkfjhd32.exe

C:\Windows\SysWOW64\Bjijdadm.exe

C:\Windows\system32\Bjijdadm.exe

C:\Windows\SysWOW64\Bpcbqk32.exe

C:\Windows\system32\Bpcbqk32.exe

C:\Windows\SysWOW64\Cgmkmecg.exe

C:\Windows\system32\Cgmkmecg.exe

C:\Windows\SysWOW64\Cjlgiqbk.exe

C:\Windows\system32\Cjlgiqbk.exe

C:\Windows\SysWOW64\Cljcelan.exe

C:\Windows\system32\Cljcelan.exe

C:\Windows\SysWOW64\Cfbhnaho.exe

C:\Windows\system32\Cfbhnaho.exe

C:\Windows\SysWOW64\Cnippoha.exe

C:\Windows\system32\Cnippoha.exe

C:\Windows\SysWOW64\Ccfhhffh.exe

C:\Windows\system32\Ccfhhffh.exe

C:\Windows\SysWOW64\Cjpqdp32.exe

C:\Windows\system32\Cjpqdp32.exe

C:\Windows\SysWOW64\Clomqk32.exe

C:\Windows\system32\Clomqk32.exe

C:\Windows\SysWOW64\Comimg32.exe

C:\Windows\system32\Comimg32.exe

C:\Windows\SysWOW64\Cciemedf.exe

C:\Windows\system32\Cciemedf.exe

C:\Windows\SysWOW64\Cjbmjplb.exe

C:\Windows\system32\Cjbmjplb.exe

C:\Windows\SysWOW64\Cckace32.exe

C:\Windows\system32\Cckace32.exe

C:\Windows\SysWOW64\Cdlnkmha.exe

C:\Windows\system32\Cdlnkmha.exe

C:\Windows\SysWOW64\Cobbhfhg.exe

C:\Windows\system32\Cobbhfhg.exe

C:\Windows\SysWOW64\Dflkdp32.exe

C:\Windows\system32\Dflkdp32.exe

C:\Windows\SysWOW64\Ddokpmfo.exe

C:\Windows\system32\Ddokpmfo.exe

C:\Windows\SysWOW64\Dngoibmo.exe

C:\Windows\system32\Dngoibmo.exe

C:\Windows\SysWOW64\Dbbkja32.exe

C:\Windows\system32\Dbbkja32.exe

C:\Windows\SysWOW64\Dkkpbgli.exe

C:\Windows\system32\Dkkpbgli.exe

C:\Windows\SysWOW64\Dbehoa32.exe

C:\Windows\system32\Dbehoa32.exe

C:\Windows\SysWOW64\Dcfdgiid.exe

C:\Windows\system32\Dcfdgiid.exe

C:\Windows\SysWOW64\Ddeaalpg.exe

C:\Windows\system32\Ddeaalpg.exe

C:\Windows\SysWOW64\Dchali32.exe

C:\Windows\system32\Dchali32.exe

C:\Windows\SysWOW64\Dfgmhd32.exe

C:\Windows\system32\Dfgmhd32.exe

C:\Windows\SysWOW64\Dmafennb.exe

C:\Windows\system32\Dmafennb.exe

C:\Windows\SysWOW64\Epaogi32.exe

C:\Windows\system32\Epaogi32.exe

C:\Windows\SysWOW64\Ejgcdb32.exe

C:\Windows\system32\Ejgcdb32.exe

C:\Windows\SysWOW64\Ekholjqg.exe

C:\Windows\system32\Ekholjqg.exe

C:\Windows\SysWOW64\Ecpgmhai.exe

C:\Windows\system32\Ecpgmhai.exe

C:\Windows\SysWOW64\Efncicpm.exe

C:\Windows\system32\Efncicpm.exe

C:\Windows\SysWOW64\Eilpeooq.exe

C:\Windows\system32\Eilpeooq.exe

C:\Windows\SysWOW64\Ekklaj32.exe

C:\Windows\system32\Ekklaj32.exe

C:\Windows\SysWOW64\Enihne32.exe

C:\Windows\system32\Enihne32.exe

C:\Windows\SysWOW64\Efppoc32.exe

C:\Windows\system32\Efppoc32.exe

C:\Windows\SysWOW64\Eiomkn32.exe

C:\Windows\system32\Eiomkn32.exe

C:\Windows\SysWOW64\Egamfkdh.exe

C:\Windows\system32\Egamfkdh.exe

C:\Windows\SysWOW64\Epieghdk.exe

C:\Windows\system32\Epieghdk.exe

C:\Windows\SysWOW64\Ebgacddo.exe

C:\Windows\system32\Ebgacddo.exe

C:\Windows\SysWOW64\Eeempocb.exe

C:\Windows\system32\Eeempocb.exe

C:\Windows\SysWOW64\Eiaiqn32.exe

C:\Windows\system32\Eiaiqn32.exe

C:\Windows\SysWOW64\Eloemi32.exe

C:\Windows\system32\Eloemi32.exe

C:\Windows\SysWOW64\Ennaieib.exe

C:\Windows\system32\Ennaieib.exe

C:\Windows\SysWOW64\Fehjeo32.exe

C:\Windows\system32\Fehjeo32.exe

C:\Windows\SysWOW64\Fhffaj32.exe

C:\Windows\system32\Fhffaj32.exe

C:\Windows\SysWOW64\Fjdbnf32.exe

C:\Windows\system32\Fjdbnf32.exe

C:\Windows\SysWOW64\Fnpnndgp.exe

C:\Windows\system32\Fnpnndgp.exe

C:\Windows\SysWOW64\Faokjpfd.exe

C:\Windows\system32\Faokjpfd.exe

C:\Windows\SysWOW64\Fcmgfkeg.exe

C:\Windows\system32\Fcmgfkeg.exe

C:\Windows\SysWOW64\Fhhcgj32.exe

C:\Windows\system32\Fhhcgj32.exe

C:\Windows\SysWOW64\Fnbkddem.exe

C:\Windows\system32\Fnbkddem.exe

C:\Windows\SysWOW64\Fmekoalh.exe

C:\Windows\system32\Fmekoalh.exe

C:\Windows\SysWOW64\Fpdhklkl.exe

C:\Windows\system32\Fpdhklkl.exe

C:\Windows\SysWOW64\Fhkpmjln.exe

C:\Windows\system32\Fhkpmjln.exe

C:\Windows\SysWOW64\Fjilieka.exe

C:\Windows\system32\Fjilieka.exe

C:\Windows\SysWOW64\Fmhheqje.exe

C:\Windows\system32\Fmhheqje.exe

C:\Windows\SysWOW64\Facdeo32.exe

C:\Windows\system32\Facdeo32.exe

C:\Windows\SysWOW64\Fdapak32.exe

C:\Windows\system32\Fdapak32.exe

C:\Windows\SysWOW64\Ffpmnf32.exe

C:\Windows\system32\Ffpmnf32.exe

C:\Windows\SysWOW64\Fjlhneio.exe

C:\Windows\system32\Fjlhneio.exe

C:\Windows\SysWOW64\Flmefm32.exe

C:\Windows\system32\Flmefm32.exe

C:\Windows\SysWOW64\Fddmgjpo.exe

C:\Windows\system32\Fddmgjpo.exe

C:\Windows\SysWOW64\Fbgmbg32.exe

C:\Windows\system32\Fbgmbg32.exe

C:\Windows\SysWOW64\Fmlapp32.exe

C:\Windows\system32\Fmlapp32.exe

C:\Windows\SysWOW64\Globlmmj.exe

C:\Windows\system32\Globlmmj.exe

C:\Windows\SysWOW64\Gonnhhln.exe

C:\Windows\system32\Gonnhhln.exe

C:\Windows\SysWOW64\Gbijhg32.exe

C:\Windows\system32\Gbijhg32.exe

C:\Windows\SysWOW64\Gicbeald.exe

C:\Windows\system32\Gicbeald.exe

C:\Windows\SysWOW64\Ghfbqn32.exe

C:\Windows\system32\Ghfbqn32.exe

C:\Windows\SysWOW64\Gopkmhjk.exe

C:\Windows\system32\Gopkmhjk.exe

C:\Windows\SysWOW64\Gbkgnfbd.exe

C:\Windows\system32\Gbkgnfbd.exe

C:\Windows\SysWOW64\Gieojq32.exe

C:\Windows\system32\Gieojq32.exe

C:\Windows\SysWOW64\Gldkfl32.exe

C:\Windows\system32\Gldkfl32.exe

C:\Windows\SysWOW64\Gobgcg32.exe

C:\Windows\system32\Gobgcg32.exe

C:\Windows\SysWOW64\Gaqcoc32.exe

C:\Windows\system32\Gaqcoc32.exe

C:\Windows\SysWOW64\Ghkllmoi.exe

C:\Windows\system32\Ghkllmoi.exe

C:\Windows\SysWOW64\Glfhll32.exe

C:\Windows\system32\Glfhll32.exe

C:\Windows\SysWOW64\Goddhg32.exe

C:\Windows\system32\Goddhg32.exe

C:\Windows\SysWOW64\Gmgdddmq.exe

C:\Windows\system32\Gmgdddmq.exe

C:\Windows\SysWOW64\Gdamqndn.exe

C:\Windows\system32\Gdamqndn.exe

C:\Windows\SysWOW64\Ghmiam32.exe

C:\Windows\system32\Ghmiam32.exe

C:\Windows\SysWOW64\Gkkemh32.exe

C:\Windows\system32\Gkkemh32.exe

C:\Windows\SysWOW64\Gaemjbcg.exe

C:\Windows\system32\Gaemjbcg.exe

C:\Windows\SysWOW64\Gddifnbk.exe

C:\Windows\system32\Gddifnbk.exe

C:\Windows\SysWOW64\Ghoegl32.exe

C:\Windows\system32\Ghoegl32.exe

C:\Windows\SysWOW64\Hiqbndpb.exe

C:\Windows\system32\Hiqbndpb.exe

C:\Windows\SysWOW64\Hmlnoc32.exe

C:\Windows\system32\Hmlnoc32.exe

C:\Windows\SysWOW64\Hdfflm32.exe

C:\Windows\system32\Hdfflm32.exe

C:\Windows\SysWOW64\Hcifgjgc.exe

C:\Windows\system32\Hcifgjgc.exe

C:\Windows\SysWOW64\Hkpnhgge.exe

C:\Windows\system32\Hkpnhgge.exe

C:\Windows\SysWOW64\Hnojdcfi.exe

C:\Windows\system32\Hnojdcfi.exe

C:\Windows\SysWOW64\Hpmgqnfl.exe

C:\Windows\system32\Hpmgqnfl.exe

C:\Windows\SysWOW64\Hdhbam32.exe

C:\Windows\system32\Hdhbam32.exe

C:\Windows\SysWOW64\Hejoiedd.exe

C:\Windows\system32\Hejoiedd.exe

C:\Windows\SysWOW64\Hiekid32.exe

C:\Windows\system32\Hiekid32.exe

C:\Windows\SysWOW64\Hlcgeo32.exe

C:\Windows\system32\Hlcgeo32.exe

C:\Windows\SysWOW64\Hobcak32.exe

C:\Windows\system32\Hobcak32.exe

C:\Windows\SysWOW64\Hgilchkf.exe

C:\Windows\system32\Hgilchkf.exe

C:\Windows\SysWOW64\Hjhhocjj.exe

C:\Windows\system32\Hjhhocjj.exe

C:\Windows\SysWOW64\Hhjhkq32.exe

C:\Windows\system32\Hhjhkq32.exe

C:\Windows\SysWOW64\Hpapln32.exe

C:\Windows\system32\Hpapln32.exe

C:\Windows\SysWOW64\Hacmcfge.exe

C:\Windows\system32\Hacmcfge.exe

C:\Windows\SysWOW64\Hjjddchg.exe

C:\Windows\system32\Hjjddchg.exe

C:\Windows\SysWOW64\Hlhaqogk.exe

C:\Windows\system32\Hlhaqogk.exe

C:\Windows\SysWOW64\Hkkalk32.exe

C:\Windows\system32\Hkkalk32.exe

C:\Windows\SysWOW64\Iaeiieeb.exe

C:\Windows\system32\Iaeiieeb.exe

C:\Windows\SysWOW64\Ieqeidnl.exe

C:\Windows\system32\Ieqeidnl.exe

C:\Windows\SysWOW64\Ilknfn32.exe

C:\Windows\system32\Ilknfn32.exe

C:\Windows\SysWOW64\Ioijbj32.exe

C:\Windows\system32\Ioijbj32.exe

C:\Windows\SysWOW64\Inljnfkg.exe

C:\Windows\system32\Inljnfkg.exe

C:\Windows\SysWOW64\Iagfoe32.exe

C:\Windows\system32\Iagfoe32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 576 -s 140

Network

N/A

Files

\Windows\SysWOW64\Afkbib32.exe

\Windows\SysWOW64\Aoffmd32.exe

\Windows\SysWOW64\Afmonbqk.exe

C:\Windows\SysWOW64\Ahokfj32.exe

C:\Windows\SysWOW64\Bbdocc32.exe

\Windows\SysWOW64\Bhahlj32.exe

\Windows\SysWOW64\Bkodhe32.exe

\Windows\SysWOW64\Bokphdld.exe

\Windows\SysWOW64\Bhcdaibd.exe

\Windows\SysWOW64\Balijo32.exe

C:\Windows\SysWOW64\Bhfagipa.exe

\Windows\SysWOW64\Bghabf32.exe

\Windows\SysWOW64\Bpafkknm.exe

C:\Windows\SysWOW64\Bkfjhd32.exe

\Windows\SysWOW64\Bjijdadm.exe

C:\Windows\SysWOW64\Bpcbqk32.exe

C:\Windows\SysWOW64\Cgmkmecg.exe

C:\Windows\SysWOW64\Cjlgiqbk.exe

C:\Windows\SysWOW64\Cljcelan.exe

C:\Windows\SysWOW64\Cnippoha.exe

C:\Windows\SysWOW64\Cfbhnaho.exe

C:\Windows\SysWOW64\Ccfhhffh.exe

C:\Windows\SysWOW64\Cjpqdp32.exe

C:\Windows\SysWOW64\Comimg32.exe

C:\Windows\SysWOW64\Cciemedf.exe

MD5 a4dc9f9635b9f78e8ec60c3b4b6e606d
SHA1 cbf215fcc72ace2dea050cc37e155698ba8b1ca1
SHA256 31e4f44ae677188473f9d6cb7e21ddef871762b03c1428d3d96092a742693efc
SHA512 545e1c1f4de613a03831bbe901f5839f79d27ba2bd47c79819f85ccc6dcac9f5b69811dc0dbf9b3007ffb208a20f0c577a7300661e6aa23927729f3c30c3d139

memory/1940-313-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1940-316-0x0000000000450000-0x0000000000492000-memory.dmp

memory/684-300-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1956-299-0x0000000000250000-0x0000000000292000-memory.dmp

memory/1956-298-0x0000000000250000-0x0000000000292000-memory.dmp

C:\Windows\SysWOW64\Clomqk32.exe

MD5 c6204d69e73c329223e1bbfdfbaf0cce
SHA1 e8f381677918de604af97dcdb1ed1fcd075b16f0
SHA256 b6709629f03cb07a67f1fb8c0370474fd704b992582cdf7adc36f9c53673533f
SHA512 58995b4c5de12961957a3cfd0be7c1bd5d998ecff729fba4638278f8696bb25a793f2ddcf5941fce0156b76c362918674f469550002e44ee82e68acde06a021f

memory/1956-287-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2832-321-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1940-320-0x0000000000450000-0x0000000000492000-memory.dmp

C:\Windows\SysWOW64\Cjbmjplb.exe

MD5 b897445ec2ca57a0a50493e133002292
SHA1 d2856374707e32cc5620427079f44c94917a02ef
SHA256 5f509eeeaa6a34918f2714ebf38da8e99abe643423b534ffe5e79c43edaeebfc
SHA512 2707cb7a3966d12ebf4061d0d5ec674d343b58c1cca60e52dc8de15921c464ce94430e0d67a9259f6a4675bad06545b532bdd6502f81cd303e40c0d3c248f3a6

memory/2716-332-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2832-331-0x00000000005E0000-0x0000000000622000-memory.dmp

memory/2832-330-0x00000000005E0000-0x0000000000622000-memory.dmp

C:\Windows\SysWOW64\Cckace32.exe

MD5 bca1db45b4f4621bf4f90a315cb7db56
SHA1 4bc81e80aa0035a08289f0e84822bc1d50261ec9
SHA256 100916adfdbcf081400a97ae29acb2bc3b3b93682ba38df6a8d5646103b1dc46
SHA512 3a358109b262b3a73d870208d81fed6cc4685d21a08ca4db366c98157fa535653f1d2df03b8c887278c2b34b4b5facb6ee5a1d5d717e43488074e33cfa9fb982

memory/2716-345-0x0000000000250000-0x0000000000292000-memory.dmp

memory/2296-347-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2716-346-0x0000000000250000-0x0000000000292000-memory.dmp

C:\Windows\SysWOW64\Cdlnkmha.exe

MD5 8bb575a305b5c91d02a4a5be3733e287
SHA1 e74e5ae8b787819ad9220023ad8107a912c41908
SHA256 4dfa92e4d0a366fcba271e51c49080976346f821c16e9f3206a5dd4bd9af7640
SHA512 21969923eaf376e79b538f3cfa12f86712bad6191dcf5ba4b5cecc59bd07e48dcc01b29a7c10b0fc88a6e3762e1b6f7c63b8933d680f67832506adf39017163c

memory/2524-354-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2296-353-0x00000000002D0000-0x0000000000312000-memory.dmp

memory/2296-352-0x00000000002D0000-0x0000000000312000-memory.dmp

C:\Windows\SysWOW64\Cobbhfhg.exe

MD5 32f19b4e335c274710ad5ba93109202b
SHA1 d2490e67f65e0f410adbc0302b35ba3fbdab62f0
SHA256 4e378e0a113a7ebbdc8247ec35ff0d6eb997b622737b9d99ff60df509f9a6bdd
SHA512 eaaf3090d03b68fee794facf308a041142a7fc488cd7c3e0183c83e2ac9c099736cb95b30bb25e1d8d893f27281e45a1ac4b9f47acd82dde932112e88a5604a8

memory/2524-363-0x0000000000250000-0x0000000000292000-memory.dmp

memory/2524-364-0x0000000000250000-0x0000000000292000-memory.dmp

C:\Windows\SysWOW64\Dflkdp32.exe

MD5 678404a272532b95dcb1fbdbc7d167ee
SHA1 b7bcb76d72803b557f6ab02c770646783a3d2fb1
SHA256 4a5078074f52236277b96c409c977107a1b3acd174b5d686309e327f544b8314
SHA512 9994bbda8d51ce6704801cfbaa05e796a3c16622d582fa1d99e0260278ea7c3f55fde3bf1336781d8aa7c0a6b215b2c5a67e716174ff28222a748f772376ddba

memory/2380-369-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2860-376-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2380-375-0x0000000000250000-0x0000000000292000-memory.dmp

memory/2380-374-0x0000000000250000-0x0000000000292000-memory.dmp

C:\Windows\SysWOW64\Ddokpmfo.exe

MD5 a79421228c85fca5b7ec65f49afc00bf
SHA1 4f49bb8f71b50b139144fa9a8c5df85079ee2c11
SHA256 449db8674d987febfe99b0ef0888c58d4f43613de53e3187894d58540052e1e8
SHA512 9b8103764d611017878a12ee027cb6291ef4185adf0b4e09f7eb33828c99374fee1597d8fe263ba9dfea4fe41dd1d3d1c52a12dd5587cb1ab604f687633783ae

memory/2860-390-0x0000000000250000-0x0000000000292000-memory.dmp

memory/624-402-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2888-401-0x0000000000250000-0x0000000000292000-memory.dmp

memory/2888-398-0x0000000000250000-0x0000000000292000-memory.dmp

memory/2888-395-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2860-394-0x0000000000250000-0x0000000000292000-memory.dmp

C:\Windows\SysWOW64\Dngoibmo.exe

MD5 100fb304d85e2d8745cb07439cfc6a0b
SHA1 2f3f3d8f3e449cf8b4207f99a174f6ea0c796388
SHA256 5cf9bba9b09af0f0db408721ca20a0bfb35a04624add23bc0ca6b888656d5f54
SHA512 c5fadbdabed020cc9805b74592177154f2838dbf737d7974baae19fc69b1091443cf482e47e3156f37e1d656d2250570f4932a90a12ccced591128d54335cbf9

C:\Windows\SysWOW64\Dbbkja32.exe

MD5 741ea0ec058bd6ea6c82ed521f0a9316
SHA1 83fab4000020a819fdacd6ff6784c2e0646746d3
SHA256 61dcc0c1183284b01b0d537f861619bc923299022a533bf3cd80046ad8c29cc5
SHA512 dfac5a7d836430b20e8b88f14e1a802c27f3f3469e5d21ab14b2ed2a8cb3224ce03ebc0d3acdd9022aeeaa2d769edbe25aeeb67d63ab4a3f74a8c632e3273c31

memory/1728-413-0x0000000000400000-0x0000000000442000-memory.dmp

memory/624-412-0x0000000000310000-0x0000000000352000-memory.dmp

memory/624-411-0x0000000000310000-0x0000000000352000-memory.dmp

C:\Windows\SysWOW64\Dkkpbgli.exe

MD5 ffc80a32c34615a50cf8b3acb25e3336
SHA1 ef31b78646acbbfd2b4dcabef9b1cff92c464cd9
SHA256 b767a05d5f97e17f627c14e0501181e69bb6555bbf9f26a729f91f18de3740c4
SHA512 10c8bc1fbd7b3e926b23d0f48ea07f1f03dd63edabc436f612100e0fdfb88c01ff0df684f32733eb6102b313c5a189f0cef3765d3683c85625afd5c420c5e5b5

memory/1728-419-0x0000000000250000-0x0000000000292000-memory.dmp

memory/1600-420-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1728-418-0x0000000000250000-0x0000000000292000-memory.dmp

C:\Windows\SysWOW64\Dbehoa32.exe

MD5 0125786a84858433e519633c764a9565
SHA1 45b722c6f1b1f73f879855680a1575680ff58b35
SHA256 463dd38d05bceb77a3d2d607b15208b97c1b9fc7ded2113895cf7a6258356c57
SHA512 a02d8f92e8dceca6567ba9ddf44b882117cf25be8046e587f17463fd318b144a12159abeba2effd7ade13178621995ce4a36fa29f295d6883a6eb793fcec799a

memory/1584-435-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1600-434-0x0000000000250000-0x0000000000292000-memory.dmp

memory/1584-440-0x0000000000250000-0x0000000000292000-memory.dmp

memory/1448-442-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1584-441-0x0000000000250000-0x0000000000292000-memory.dmp

C:\Windows\SysWOW64\Dcfdgiid.exe

MD5 99335629c5ce8f8fcc710c56af1d1acd
SHA1 7b12bbbabc99b4cb0b5980efb0d0f397afadfa81
SHA256 a58544d26a651a4bb83a8707d6d64d8956487da6bab7c1c3407e994a87dcc04f
SHA512 6828ee951d3ad039d1428cc66efe4ad7ceed27d2f71f0818d7c1ff5fa3fa84fb5f33dcc7f9f959c0abb4e3cf2fba0f20000d825c929f1971089534f13f272bf2

memory/1600-433-0x0000000000250000-0x0000000000292000-memory.dmp

memory/1448-452-0x0000000000250000-0x0000000000292000-memory.dmp

memory/1448-451-0x0000000000250000-0x0000000000292000-memory.dmp

C:\Windows\SysWOW64\Ddeaalpg.exe

MD5 9547c3010e394baebcaf976a45a83534
SHA1 6d4e445ded6542e5175f6eca021ebd97f5281bf5
SHA256 8e19d067e76e0f0799bc87287b01f2e62e3a252f21ad3c361d8f1151e7325575
SHA512 dfd25fdae7e13599dac60916fffa065de25753d59293c4377e77ef4c5ea2387002fd22d92046fc3f7b91657125bded21cc96bb6605657e14ffae840e9a8bb576

C:\Windows\SysWOW64\Dchali32.exe

MD5 e2f15a7620898a4900e95fb156d84838
SHA1 41aa41a08e22977eee73b6be66fc107a66f317e8
SHA256 34b57582f18e95b44ce2c95ce98080b3b7408a10a62041e2b81c12418598dd7e
SHA512 4cd48d2a5da0035a9e89463140af96ec2a372e5340872675d8b4d8c414b41193594e222f12a2fef62f67918f372874d8b6ccc0984972c349e28bec33475222ec

memory/2264-462-0x0000000000250000-0x0000000000292000-memory.dmp

memory/2264-461-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2008-473-0x00000000003B0000-0x00000000003F2000-memory.dmp

memory/1912-479-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2008-478-0x00000000003B0000-0x00000000003F2000-memory.dmp

C:\Windows\SysWOW64\Dfgmhd32.exe

MD5 1b0553f7852759ae18fe6de801c95a0f
SHA1 ee6022fa56e496d9352e1c740585c47b605be4ff
SHA256 99682c0f6015d9e7beb139abea5930b48b57f79371045f7ddf358b9bdf90c488
SHA512 19f346dade6ea1782c63dbe5739b80b7be9b63839163b45020639f036f8e91ac3230adfa4a2d3b290b41ca665aa92f69ddb48b45db34c814f76fab834ad03395

memory/2008-469-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2264-468-0x0000000000250000-0x0000000000292000-memory.dmp

memory/1904-486-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1912-485-0x0000000000450000-0x0000000000492000-memory.dmp

memory/1912-484-0x0000000000450000-0x0000000000492000-memory.dmp

C:\Windows\SysWOW64\Dmafennb.exe

MD5 a541a0946957f434469ca90fe144b9c5
SHA1 e83fc1404636d8f56fca3d09bebaae738af7277a
SHA256 49a774d05155413a46bfebba6511cf0532d85704f699686d4c73fe3040eddac9
SHA512 811fa76746fad7273b8a3b73cb9c2b058890ebd5589f2b152a06a877de5efd7afcb235cc2e6709cffb46683490028ce0d3a0f01c747c0a1ac0323bfe71dcd07a

C:\Windows\SysWOW64\Epaogi32.exe

MD5 a0423af111cbbe1aad752949fc43df65
SHA1 c603dd94019f4a755b24e4a54ae1098ed26ad8b4
SHA256 2716bb9df69eb9fd83c55bb35b50dac59f18a96c56cf78f5ad5d25fcdf0a54bf
SHA512 56ed55a41c3b7d3e56d55bd7161bc466a30fbcac8f7f85e68f6601c1b48a24511e95294523d7c0ded1ef305c4b189441c47c93359acfb3f6e5a022625eacb949

memory/1904-495-0x0000000001F80000-0x0000000001FC2000-memory.dmp

C:\Windows\SysWOW64\Ejgcdb32.exe

MD5 a05108798d135c9fcf59e2590eff5fe9
SHA1 b42082aa79a0ac19886c8fdb4b21f77923b98b61
SHA256 0af4c4b363d58d54d71bdb965c1f0563f98ebf27b6b851dc97b701c3ff1da4a7
SHA512 9324100f163d75b481da706b72cd4013e45848cf3872a5e875e51226e11984a0d03af627a450b161a16b6befb4dcb10f4967fcd3860fde8322d236b0069c0873

C:\Windows\SysWOW64\Ekholjqg.exe

MD5 866595870347243cfddcc470ad5f6e04
SHA1 8db05945ad7a5ea3b853b0eb52ee5fd1f4a78839
SHA256 66e4004c9434b07d1b09e8c9b8db12a88d3acc4e832e6faae9fb0d65c19f7e68
SHA512 b3abcca816ec9f6c9b4aae18f34cb5ed1598f2c80704000f22bd49c9b66d50ffd3d4cd8c79b9c63de2bea3a7bdf4818112e31c0060f47182858087c1f430e4fe

C:\Windows\SysWOW64\Ecpgmhai.exe

MD5 887fd193b79d0fb475a1dbba12730ab3
SHA1 b3335559b4d3592b27f4d4b145b51a71c04c075d
SHA256 2e090a11ba2c79ec24feb15b1b178161a9da39e30e0f8de1e414cb9e54d8b428
SHA512 2b68f9fb68108cdf687298bbb645a7b84e39c58e107ed9d2b493831e1dc94ea5bf505f126dded460a0d4e320a54f704f128eb15fd0c59d8af4f899f775b3d423

C:\Windows\SysWOW64\Efncicpm.exe

MD5 dfc6d3a24c7729f6992e314ed3cfe10a
SHA1 384be439a6fadbff235f4b9d8d7e26aad4d4188f
SHA256 94ae09fc7624466ad89e6599c6b42b0d5e55034622ac8606640a6c509aedabde
SHA512 a1c790a0d0163f3bcf8a3034dcbad7de81bb7e4e64baf3133c8369be3c770a4273e571cb57711a1a2346b018e8ec3c711478273d87b9ef64544c39ac7dafe235

C:\Windows\SysWOW64\Eilpeooq.exe

MD5 31f2863c5fc69f84c61f534d9fdb4459
SHA1 fbea211dd066634759905c6f461498b6ff4b5e9d
SHA256 1f6f71c87833497833354420f0d9829f48f58dd118dd4ae173534fef0c84e20a
SHA512 1d7170f15d0f95b0123ec95d77079466ef2f78b3b611b12cd21fdf5d7fd16ac8474a1609ca400bda1f63f2f8c127d69d4390d5a846bc083f996bc434f90dfa9a

C:\Windows\SysWOW64\Ekklaj32.exe

MD5 49b29e386503997cd6322a92c973322e
SHA1 d5b483c86ed2a009e309877c55106239c3569423
SHA256 e8483ae67f374a691ec7a8d8d2bac08d60b77a5990ed16c5ccf6b56506401f3d
SHA512 dccaacd1b30698ab2b9b3f69fed2d763b1c522a4b8c0fe8656be1d1eac77425fbe92af02fe25e28332a3da6e4eef07ef4e62af85304274da74b2837e9d38261b

C:\Windows\SysWOW64\Enihne32.exe

MD5 c1971fd89fccffebd8933fcb5486c5e9
SHA1 26ab74c8d1e50d37a897523b25ff65fce97d98db
SHA256 1b12216cde2f953a01725004c0f7c236a3bf5802a27710b867a61c08437d0090
SHA512 2375f54825f921aa089d4581fc2511aff10947a385607bad9ead91c42babdebbab6b22d6a756eb0e00bdc699e57383459e6c9e6053a06946c1351edf394b3c84

C:\Windows\SysWOW64\Efppoc32.exe

MD5 fa9c4118f7aebd2fc128d7bce707b383
SHA1 9b8322a4fc0c9c9d503160ed02f1132f851ff73c
SHA256 ec017e4ce4b10d90b999fa24d5e28b7a3b5e4dcbdc27d2aad124416506245c86
SHA512 c59dac0debbc6e3ea4d5798f104da4286226125edd50dd5d5bd279fcdaf8faf664e6ba723ec63f1fbbfc2e5e5984839528cb572299079691f41ea1f551350441

C:\Windows\SysWOW64\Eiomkn32.exe

MD5 79b07c2d9db5a600d6ecd8d7265a35ed
SHA1 4cddc87af9f0727ac7aff4e0aef08b0be65240d0
SHA256 2a268f04b00702ed2a27d993e15fd45e37d1106b41dd56bc1df70ced64bfabdb
SHA512 5ffccef58f21620bd9f9984a018750cd52668add9456a49340b5a372289d0456be0e274e4d79cfa290c7429bf02e9b4d5f51cc7405cdd5c55f3d48ee4d265053

C:\Windows\SysWOW64\Egamfkdh.exe

MD5 15af9f0f244e2e3196444a15b006c72b
SHA1 df5ba6a6f38c339720ad1b669682b7e62f552b8e
SHA256 320f71ba73b5093ccc89d8c0c3659462ac301958feac3a68b1f572b8978f733e
SHA512 003e072807bbb435342929f82fe2734f6de97c47760965a798114eb8919d744f6e9ba7b0f8f1d2ea7feff183e8831f9ec86ce532968bba554989471ab258d58b

C:\Windows\SysWOW64\Epieghdk.exe

MD5 457e8f4b568b391a48d68d03e45ed956
SHA1 562aa589ef26cbb56c3c3380939beab7226d287d
SHA256 4fc07f8d85b434e792ddb43193089efde4eca92691b9b7676f8b97bbb5568c42
SHA512 e32892891e8b48a61e295fb471ee89f0ca41d5d9bd9deed43a4b1eb834ded82c78affbbc99ff54afd243d3e561cc1516a00f215c99db975d4b52f450c96bfdbe

C:\Windows\SysWOW64\Ebgacddo.exe

MD5 14eab55ba4726db751e57ece1222497f
SHA1 4c3a9c2890d6772aac06871c883dedb7d7d13d9e
SHA256 4f1d3e12efe2d8ee9ba1cd8862ed01a9c776d57e16e45ab8eb7a9956a31bb508
SHA512 c3296517c02ab2c17be719526c488fb28f2df709ba4de511f1a6801fcb9068c4440fbf15d43d33e3baecc9c36219db6b6e29fb360c3eeaac100528bfd7400662

C:\Windows\SysWOW64\Eeempocb.exe

MD5 03d0fe68ab36b2df009d2345631efe98
SHA1 d13ac6bf3209e55a2c057d1b9976cbe23c8d6ff7
SHA256 1979ebf621d17c3592dbc31822a386abf5f8affe0dc8d0a0950cd61429bfb7ef
SHA512 e3f4790b57a7fdb5968c84838249d41ca74125161c4d38e1fe2030e1cea09cf63a825befb9bfcd1ceb6166194b09d3cfefd8a386b1bc82df73ea28366c494304

C:\Windows\SysWOW64\Eiaiqn32.exe

MD5 ea55d33e360c3e1011d58472adf6e286
SHA1 dbccbfbde3ad4121ff50f26252d59048e90a31cb
SHA256 550f8c6d82424b546bb45760a702d357b1343d6771d54a529e6ddf9e0a4b0ba4
SHA512 a297d2b20ca662948efdfdb574935cf8df9edd02146c0d1948ea7d065f8a35a6689cdea22909b4c24e9f28548b85a133ce4ab215e1b9ff257e75f7293f607527

C:\Windows\SysWOW64\Eloemi32.exe

MD5 3631be126b7cd0cf0b16b85fe6bbe751
SHA1 fe485ebdf4cc5656d16d192c583a895b83c0072b
SHA256 8f525cf2d5e52d962a65098802a47ed314bbdf579aa5b5be655383befc57d29d
SHA512 d8a6f355caa5891816cd77ddb98c2a1c0ff6bd6a5baf7f7452baafd03e3d26233c903b542e522fcb46ca54e9f4f7f403666c49f6a810c7f6ba810dc711635d5d

C:\Windows\SysWOW64\Ennaieib.exe

MD5 41e9e702f95a7153430bec3945bc3bde
SHA1 a18673847dd3475b5a36b0c529108f09d7a652d8
SHA256 1a5cdab27168bcf1753355fe5e0944d537059cf8e60502835bd706464eda0c3c
SHA512 bd53b8d12c2fd62aad58e262f990e9c0598db8c88626a0dadba340a6a2819460f28d228c855eff3da8d0ede7b5a46fe8adec94366268617d363d7ec4d766e031

C:\Windows\SysWOW64\Fehjeo32.exe

MD5 4ec5d8084ce8a6c31723933b0796ed0f
SHA1 f4de1a61b9e6c4d23b6d7740c8a6f6d25c19e52b
SHA256 01ff076b98db6c10d41f7b49c9bc19965947c9d0b266eaa4056d3b0fa92c082c
SHA512 5ed68b9570113ebdec828be552b9a3424185c186f9791552e48bf0325fad1e68dba3109bb817374beb718e7e4a68983ab450764c6d9f00eac72558bb18f4fb16

C:\Windows\SysWOW64\Fhffaj32.exe

MD5 106aa208ec9409859f0d36fc68f86fb9
SHA1 082f5a1be6f163b15f06d3975f5ecb22bb547972
SHA256 0beb5208aa25e37d27a395000cc20519b34d646eb8fba4256b9b105feb95437f
SHA512 d3650e1acd62826d993f264b334340f3d0b5925ab7592485b5c34167454dff1c31a83e3f1d3d8b520ac7387212326e8e9f59c54f20d86580505b681ee43a5b4b

C:\Windows\SysWOW64\Fjdbnf32.exe

MD5 748dd2d6c674d6ba93edeec4f5937fc0
SHA1 4f15ac315d510040f35b2120020bfd1ec8c30fa1
SHA256 ab93b030575fc605cc02e4cf831fbfdbbd90fcd0d2dac418b3d521ca044361e8
SHA512 70d4c646fcb913e39601d706f938143bb4cc8494dc35820e336378c8272ed755288a764d50e21c0b10504a296e22adf6052d37fb7cb9d1d684c4421057b91395

C:\Windows\SysWOW64\Fnpnndgp.exe

MD5 d0d04f427eec39507508885bdd3bed7b
SHA1 47e377b1b7df9d596eaeba42daa78938dffc05cc
SHA256 d61d2e2fd151125007d2e5e14acfd5326aea1a5ff2cad8765601793e5209962e
SHA512 699e821df5b3cc10b7067668430bf274a10e8aa095968af3f50871df8bc5bb4427544f3753c3f33865cee64121c76905646030b01915d3aef0d0ae0a2da21e08

C:\Windows\SysWOW64\Faokjpfd.exe

MD5 55d31075f56ab9fcbe910be25bf17c06
SHA1 67cb8c893efdf046becd5ed94adae2b887c02be8
SHA256 4d3ed94e994822a3876da508e1b24db84ab991250077136655d0421a3b3cc07f
SHA512 d4dd57f47b6d0bdc6130ffa6cb8a4744a7cc4f91b293943ff42068217fe8c3b72a64d745a32e00b09d2e6684889cc3d39f67f1b014f0189fc45d5523da456d8c

C:\Windows\SysWOW64\Fcmgfkeg.exe

MD5 c4de554a37fe1dea873c223db04f34e1
SHA1 36bb54547b781f75af90b0e2bd3bc87e9177fe75
SHA256 b4d08c1852de2903f19f3947b089f57e3651157609c29cd8e035ea1a178a1c7f
SHA512 31c121544bac826eb51a84c5aeb2115bda5950cdb8372cb850227cc3e9c29ed662bb6dc2b18f9aff1a9de6300fae4a83c5ac8f967879737c33fd97d2bec3b2eb

C:\Windows\SysWOW64\Fhhcgj32.exe

MD5 677c47535e9a64db4bb9c1903ac27164
SHA1 9537000228adf56fbaa9668c8321bfcf7b5b7826
SHA256 fb53e69b67d172306e7edc9e8284c7a43c7c96894c5117919a95ba8545ddc738
SHA512 05171460781246d542d2ab8cc39e58d1dff2687f65eaf6cf765f6ae8dc28df57678dd6becddeeaeb2d2214ab2a5c05136eb4b6a570f10ee2a5fa6da99d75f8ab

C:\Windows\SysWOW64\Fnbkddem.exe

MD5 5903b0b768dbc22e90d934af01ffa112
SHA1 60af310780d5aa7170eb03c61bb8f2482b15563a
SHA256 173c347ae7df595384824db464ea3e2408fda096ec18f8f5e38865a14346cd01
SHA512 bfc8990ace89ad6aaf48834b179a0cdd8e7208f01b7ddcd8ba771bc2356d88c584d8799a28061558dd761eac1bee1c5ce55f719dc118aa36db9060f6ef0b22aa

C:\Windows\SysWOW64\Fmekoalh.exe

MD5 5dac56d6609894790ac21093eebd5dc5
SHA1 a22b5f4ce6cc95f708f783a4e3ad0aa5ab227a09
SHA256 8b3200e4ef8cb996109f6185a304a52f62f7949bf1b0877df4a9f4eca9d695e4
SHA512 919fc9af3e402f9b45ae86b56c4b96b0d5ccbab64994835f0ff36d2f6aecbb222732647b3f121655ec7636c6643c782539904b334c5451d11273cdc0d246a02c

C:\Windows\SysWOW64\Fpdhklkl.exe

MD5 0e6ebc48048f184b685cee54fe4cdc69
SHA1 495573f329be9b1293a12d9bd1f9918c2eeb81be
SHA256 dd4002788f84e099e5f7658c288ea922a79ece7b2039acd176b5ff969c7748f6
SHA512 bea946e906278cde3aa49f544721ef8b9060d083e0e396115a704b083dd943b73d0bbd2d145d4c8e0cc6b05de62b83a593509547e489843ae2c983ab4892316c

C:\Windows\SysWOW64\Fhkpmjln.exe

MD5 1a38a1b99235d250026fdc073f8ae0b3
SHA1 c15a1bbfdba0f3ffc4018e46c45e61adc2511de5
SHA256 e4c26e8c1dbe43f6a4359786214cfe23aec2fb5d0d253c7679a4826b4292c757
SHA512 af2ef0c3f2b5e72bf8816cc8afaf5467d81f76be12237cd8803245d52ea4c9cfecd73a20ffd5fd11d491a4b9773b9c1f4e4270dfdf480b53551fb71014f4af31

C:\Windows\SysWOW64\Fjilieka.exe

MD5 af179e061cd312790096e67f99b3d79a
SHA1 8d1148fdd71d6f1155c38c6313ead7aaa1639adc
SHA256 3d204dbedc76a8cf64093b85862fa366bf0a0be3561f2cc5b43bea50c6980e20
SHA512 d82cab09324c5db822628a6ce2c7f22bc0a8bc34b07375001dffda632c6dae335344a570a48ccc74bd60081edc3236beede809dfe01ecf5b3266a3baf0510a40

C:\Windows\SysWOW64\Fmhheqje.exe

MD5 f0e27d3d83b432a9b9dc1a89878f47c1
SHA1 954c2d4ff83c6d5537fd5d1807e4b0867b7c6f75
SHA256 a5706f9a00358b5bda568110ef3877abe113704073c0491a56274ba2430b6115
SHA512 de6cc829761b6fd2eee5e2b52a017201c347d5401df75ffa684c7b01785e32c959034f41be3589b38d0c391083f4b46958906d0e063c3682eec1836bfd7706f9

C:\Windows\SysWOW64\Facdeo32.exe

MD5 32fb49c3b5b6a302b90076d818b886b7
SHA1 fa5a915f5e134f024a259b38c5e55de2bd3e39c5
SHA256 c40c682607770a4ce9da69af43d8374436b00bffb4aaf9c76c2edc881eb77d37
SHA512 cd961b2282fb102ecfbadb224a5118f0de69494f3387b10e996e2ab58c89f33a68fcf29e1f5ace0f450ad0646fc7353be70a8b4be95819e70e376754a67f2070

C:\Windows\SysWOW64\Fdapak32.exe

MD5 e6a922921b4101ac7111c8285a30056a
SHA1 5e019bd004d27d0ecdc9b46422837715f46c6c00
SHA256 b99e7b915488eb721e7ee23b252b4e7069f3356473e25f235db8f675b50c3ca2
SHA512 68176e144c6d2ba8e0d87337ae7df0296d409973074697eed86965cd225b0ac55c08a1b10d5ed86c653966db1eea8324924c75b199d7fce642e0a9e050c86a88

C:\Windows\SysWOW64\Ffpmnf32.exe

MD5 52fbf857be97bd5c1f03c771afc57933
SHA1 6a20d1cdbfe36d0c414bdd097df4a480d86d038a
SHA256 40600de93f667492d16ffe37775101633282d13867cb14b1dc62436ec6c94f71
SHA512 c000d4ce6933c89d029dd3a437649544069dbeaace9c1fcfd668d64b8d9311bd9372c5c4bb7569220462717d21fd147b79afb1722aa45c1e31ebd9ea7771b8a1

C:\Windows\SysWOW64\Fjlhneio.exe

MD5 a1f3be1f54c7cc57fbf92674f107055d
SHA1 9127dbc4feada429bc67309abc0ecde85ae7e670
SHA256 774b730edc5f1132549c214d501f7bdc3324c08a0d746854cbebbe5464672233
SHA512 88726659c583884d3d0dc7e41ded6717a2d6af0db39973e88f1fd68cfcc9e55ac66d9550da8913b835fcf4050e4154ba30686d09ce0425bc51b35290f6b6d27c

C:\Windows\SysWOW64\Flmefm32.exe

MD5 9e68d90aebf5819632f31872f608d2f3
SHA1 4b416e593ed3018c7d2909aaa3e7f52e1d902ce8
SHA256 c4011fcbe2c5c970b07b165c1d1560946c1ba7bf572ff868e4dc975de7560d1d
SHA512 db8826c5ca2b5e45ef928f1e107a3e81bea76ba42bda39ff3c72573f85d6a3c38c9ca9563648d78c613610a16b86ae93addf39ef2603bb1f33ca69a40b1fd16c

C:\Windows\SysWOW64\Fddmgjpo.exe

MD5 a9b9bed10baa22a1ccb23110cc22e197
SHA1 35dbbb33d329f5da89ee5cadc048d906ce132959
SHA256 874915b8b0fc86bf2f4200d5e3b56ae502f19ad1a264f3b70e9db71e773d9589
SHA512 74f29c51f4016a597b35a08402e354b376057805e83b89caf97dbd75e5a47dc658e37f91e52d34cddd9e82ab2d58e177a9321dbf447c4d01d04a5cff25087013

C:\Windows\SysWOW64\Fbgmbg32.exe

MD5 75758dbe753973755bbe630ccd599459
SHA1 078b7a6b242b3249d6f86b2982d90a4c17942a51
SHA256 e31dabc19235c07ed9d082118d9e17adff8b0dea7f06bd6dbf3e33025ff75933
SHA512 c9cef3f2d8f503fa9099e411e251b7396a5d61b57c4d135a1131f1d8beb4162c3e6108750c11ef63c682ac6bdd31294a30a7d4485766b86b7891290868148d53

C:\Windows\SysWOW64\Fmlapp32.exe

MD5 e305bbf4d98e489dadbf23e2cc4277e4
SHA1 7f9e62eacc19a55e6ec13754623f686afcf3f404
SHA256 478f4221a5414e4e58bfe79b0493aa4a2e137460795751d49a59996b05a81097
SHA512 269d4690711034fb273e4f8d0431ce8ac3271bbdc7edb808cf7cc9e249e91d840bd54eccdee93a220728b8255bab5c59d15c9228a81b426e2819ab3819b1dcba

C:\Windows\SysWOW64\Globlmmj.exe

MD5 fe4ee8d1df3d840c86322dad4ec65f80
SHA1 eed798f49ab480e8876e0ee3e5aa437c39f6d240
SHA256 22d51f3659cf7ed6b9cb125d17cb726aa29a9926272e93be1e13b166b134b67b
SHA512 83c99f9b545ec8757343b4e3022e890686ab0d971698fbbf1ac0b5e42eed8c95269832ee6d1f2dd11845a82feda35d7f2093e51511d2010b2c315a08261bd05d

C:\Windows\SysWOW64\Gonnhhln.exe

MD5 414cdce0e15172ef0320dbee3039624c
SHA1 c91256e55bedff3f9030fc0f940d471e63097a73
SHA256 46550c2ed2021f79f8518ec9ab5346694bedb43e3c7e45977b5d99f30f566950
SHA512 c7212cd6b29e748c626e37c4316506e77de73704a86819b92550b4e28ce182bac2bba21fccf7d435a289c2c37219a043970b12c19fdb7a3dc4cd3aeff8c04d92

C:\Windows\SysWOW64\Gbijhg32.exe

MD5 ccc5f2057c690544a758993f6016a5ad
SHA1 0ee9fa57b7af874b9f3c54adc0567bf674d2606a
SHA256 4ccb3c0b9f3e47bdb234a3c29199d18f0f54f324ab655016e384688dcd3ebc01
SHA512 5604b85a022ca1cbbf1d0bd2b0b4b91447bdbdc5acf50bd845861f1fffead9dcf529ba1a7b1cac5695321badb921f215b16e197d8ecf54dc2b9a7f7a2d77ec10

C:\Windows\SysWOW64\Gicbeald.exe

MD5 b6f94c95cb8e6699e9e21b36c0424681
SHA1 3a12f5a2ed6bcdf4dc5035784340ae5196b5ef76
SHA256 b4657b06f2395cee8800a2a97c583b48d9af94c648ef71de587dd03da804db21
SHA512 ca13c18d6c1865c43ad166ef6453dd248e3bea71bac7fd8fab79c7138634232d2e976ce108f43de56427a9874500e78065762f95cbfcb4cbfa455fd0f4a91133

C:\Windows\SysWOW64\Ghfbqn32.exe

MD5 2bd6ac70323f6fde738045f456a489dd
SHA1 fd02e140d14dd0ca22dcc7e6c4dd59e1c0e7848b
SHA256 bc90b5041576f777ad515ed65135925410d68199a5f5a732a3a10975113b4328
SHA512 0cf8410ee5ad5bd0d23da0fa5959f0871af416fb8589cc187a9d82ad61de08f30e798cfc72e603cdf24c3cbc09f9aa1746ea62bf0712711aae3adcd5f8d5a1ce

C:\Windows\SysWOW64\Gopkmhjk.exe

MD5 9540f348fa7081f8b8bb6436ebb0859c
SHA1 9828092f94044a2ddb95ff5426653e1684c6f02f
SHA256 f4706d358e382ee3ad40554c3254271d0f7e7c913cf70fe948983553eff39f42
SHA512 40d97559de82e4989395ddf5058fe0948a659ec69cc2fc40e6f0f092b4fa3a8596ec9abb55036dac618916d4ac8ec4008884529951aa8df2672949d8541c8f8e

C:\Windows\SysWOW64\Gbkgnfbd.exe

MD5 9b17a8cb4d2ed5d3a99509687d3bd332
SHA1 1282be77aed514f9c3e6e4207135aba2378fcd9e
SHA256 e47a40992937c7d12a6ec61408617a58ccc299a48ba35f3fbd21e4f9b3b3ae45
SHA512 fc302c451716c5b5dafdea496e28ba28a84a33141d0687263c83c8455e39e238eedb526830c6531e0d0460627e63e9b87945c5fa10cd172711d85f68b37693a4

C:\Windows\SysWOW64\Gieojq32.exe

MD5 27c94806da4c03b0129985e2c004a525
SHA1 23a36662f3cda4d475635c76b7c75ec175834d56
SHA256 7e52884fbf7896a2196b7dbd2c96c0c6c685a2f0cd1aae1d5317d1440bf72392
SHA512 66118373004a12c3075f0b4fe6988f824ab90df98af5a2327eaa5fe4c95a5025f5846ccb2756bad8662c9c74605fe3d3a766bc1b7c6bf81f6ff413f303642a3e

C:\Windows\SysWOW64\Gldkfl32.exe

MD5 630e625db074d82c21c059bc115034f7
SHA1 34345a2e79ae3aa63877e1b0986c3e0855ab573a
SHA256 c5c837ede37dde5af5db9b01815ab3d1695117ffe801ec48633099a4f16d02b6
SHA512 b578b44b728589ccb2841e2985cb4f7d92f7c92bc3093aff1eb45ce8ef695e5999cd63899aa285ac932bd8e602905965f0ef83784fbce3ba782c9d61520a5736

C:\Windows\SysWOW64\Gobgcg32.exe

MD5 740267bfb87d3f3bb4f6921c2afaebab
SHA1 ec342924d8c0d447b1aad0b34e26b4a76f6c9ce6
SHA256 a8e51268bc1791424456c1ab13b875afb088e22a21d9405f581b32c3bec88f9f
SHA512 5237bf1a297df5f2720e68be4616a3a85c292892c06116de3de2bf3ea2c76f6ed2f2c2e7c9293c0eda43141e8b5f30c2a69d0566854a43f047cb9ab27bbc718b

C:\Windows\SysWOW64\Gaqcoc32.exe

MD5 d7496e16d673df6d2fef694d99a7570b
SHA1 9261785c0ddfa483f3aad52aeb9941ce651a77be
SHA256 53a77b8592f311e710af7ba2ecd245fc4e87fb5a0efde20883ec07bb911e3d87
SHA512 0149b5680dae71d6eb451e5650344695a646bceaa078f7b54d93b19d0613d6725630385a99dfcbccf0da30ed64f90b289c2132a78e0d0f6736d23efbb16bd15c

C:\Windows\SysWOW64\Ghkllmoi.exe

MD5 55155458b734d3443c16fba6b54480a6
SHA1 a7395ba7e108859cfe04cec7a19d342f7948de10
SHA256 e12f46f040e6ee078761507d84651102176fbbfe289c3a5b1f582d1bda7a9440
SHA512 b59b59483050121d075329233487a93487b07c4575fe147903b7608a1200c077421c94edb8a542d6578bd641ddb5d85ffaabbcf65e5344812e1e14d216668871

C:\Windows\SysWOW64\Glfhll32.exe

MD5 e4c75dc7349067f4d83880d75c82c94f
SHA1 74d7e06186ef41f0ad1e283f8a78e56cc7149fb0
SHA256 89cc85350de7cbbedc64e70e67a6bdb34e5fb29f48d944f81ba6da555b0b787a
SHA512 df899e1038d1a815915be0edf114b6c5f057a5c14b86a40173358beaab2f49b3d58b2df958862017edd4b1e5ce9aca791aef830e6497e9f75b3dd18afd93a36b

C:\Windows\SysWOW64\Goddhg32.exe

MD5 accae9c3885146d0b20de17942cc42ea
SHA1 2b601238ae8eceb384f32270bab518889f6d106a
SHA256 6fd1f25436154e1a8c864091710cf4aaa5437ae5724f26f7bd5a67fbc2d4619f
SHA512 45c8ec43e62521d15954c2d5bd4d160f2bbc756f07393a56276c589bcafbbe69697840e3c3a4d371eabc1685f15d28592af08d7b22b9aa0d161e4bd9a86c287b

C:\Windows\SysWOW64\Gmgdddmq.exe

MD5 2fb3b721e7590a7029aef1e096a4dc51
SHA1 63c67b1cdf6b57f3dec86fc7cd68f8b35b973725
SHA256 5bd45654d6e8908d069904bc24e4fef457120a77a1458eeafc89f9a9893784ef
SHA512 7f7e3b6d8967b3d703722a9241cb1c0e61aa1be8da252effca36bbc88d682b7cf5d13b7935b98c07e166d55f3d247a5c1350d41867771156a5c2a8d14e83e51d

C:\Windows\SysWOW64\Gdamqndn.exe

MD5 f43cbf4de5f4b281e880c7aa1c4dc864
SHA1 5056356d9cc40b790c326929236a5c4319c60d24
SHA256 ed801ffe02c72cf1928b808228768df26535a093d48fa291525836131669fd74
SHA512 1ec3bf2f5f0a7fb64a50a530289104c3baa8dd232f461c450328b669f5a2883dcce53f16b11eb4d1dd9486b0c80649606f2813dd29970fa54812b835ad65ac17

C:\Windows\SysWOW64\Ghmiam32.exe

MD5 222c795efef648b387f12eec9cc9853b
SHA1 899ff8253a555b0ac2079ec832f69a9959b87b44
SHA256 717eb6adca8aa93de0cc03050c8ee515476b948b3cc9e4f7c6a1527178bbb8bd
SHA512 4c329a3a0c5b77cc96605a14863316591332baae02d176ea3f4d4c8c94c47a839b45998b9485afce656f143538de7072169876440e0ac58dc92d80a406c051b6

C:\Windows\SysWOW64\Gkkemh32.exe

MD5 ceae4c1aed5ca6ed5506dc2193603925
SHA1 4a7f0dd74375bb246026e4f0133b6d98784567df
SHA256 b610fb7d63c58f9096d6088db45cea8abe45e44ce688bca61312726729a2869b
SHA512 5f66f410a13cbce40d2b7e867cf451a6079c3372120ab74a59d7f1643efd018bb29ab03eaf9b57bbdbfd31f37252959ddec21602fdb8d78964438d362ddfc94c

C:\Windows\SysWOW64\Gaemjbcg.exe

MD5 a86dc18ed6a5aafe6d12c873f0c2266e
SHA1 a3a2c00eb5e3fb7f5d0b718ab0dc3fdbd94c0fd7
SHA256 6097a56cd6a591112483d21b30680e11d047919607f3969f83ba953d12943531
SHA512 97a7fabf8119179321bc87a270c920cc064647ca1cb975acd55711b4b5e831af29e4ab38799209231e8531f645b7b294d299a6d613bf04d27da9f3876d9e811e

C:\Windows\SysWOW64\Gddifnbk.exe

MD5 11629cd2b15f83f60c81bf614a5bf349
SHA1 2f43e7ddc8ff78e074652c7a8e25bfdb2c457222
SHA256 be4f60895ca7388f991c7cf7ebbbe5e5ec2a4a776d5c04ccffffec2373544651
SHA512 08c85fdb9c7c631839e0e5d7c8fd8792e45f4c8885a618d6d8632d13d3673d4030056fee89e36b1b829d7e11abe3b9e155b8cffdccfd896e7cdb379f1e602170

C:\Windows\SysWOW64\Ghoegl32.exe

MD5 1e97de493fda1cca8f2d8cc6743fdae6
SHA1 991c213f55345361635158f65f7defed0b222b50
SHA256 1f63306e12efd276fd3751ecf83b70f4ce6ed0aa6024b117fe37fac07e28400b
SHA512 8a3545b4a51d0384fd571a9f593f1345bdca0cab881d6e18a9962848b9bbaa509061b5369b4c442b0d69a061ed04f88456ac316256ed06f00ac9ac33900aac90

C:\Windows\SysWOW64\Hiqbndpb.exe

MD5 d465ad8f1c2d303d921928585e41d427
SHA1 b83779e4417324a4a45ac4bd473b3a86e43538bf
SHA256 2761c3e2ab4ba252c555aa26667a6920403e1c1e8f13ee7c14a1cebd1ae5a8cf
SHA512 49bf0a27123d23a5053e9e1adfb97708dea3f8f98a3da742f6ad720f222d1f2bae13468ca1f2f71b07e544451b526bed3f6570b0f2f89a0f4f908a216eaf3336

C:\Windows\SysWOW64\Hmlnoc32.exe

MD5 21f98b5a31f24a59bfdf47c1c827e08c
SHA1 d055f9c6776d6109a21f658cfe5cdce8b2b5364a
SHA256 ca9a4375b522790d487e2506dff3365988014d475aaeabce18901cf1edfcd414
SHA512 a547b68d1bc5480b73903835927e657e578fee9c75346e1ceea54bba97a049daec73366d26215d2534584ebcc60b8f4969977390a7bc9c6b94aaca0f10b1dc88

C:\Windows\SysWOW64\Hdfflm32.exe

MD5 ec2c68764ec9b42ba8f55f7562f211a3
SHA1 e35ea02737e4e064bd72b9559afd3400622d5fd7
SHA256 79e7872cdfb6b61832d106f5372c89413eebd497add9083cadb61a05e282a447
SHA512 9502de91e19dbbfc8868888c285a14ea3fc68d743a2a4b0d4bb75b4dbbcd7aea90de7310ca50a69bf87cb8cdc8dc756877a028ee66e85bce630090015cadab60

C:\Windows\SysWOW64\Hcifgjgc.exe

MD5 8a66730d27ac2fec019360d5c6542ec4
SHA1 1a57ad18b6e52fe127bd18711cf19d024f861e75
SHA256 ea9dbe8520ddd5f3e0dcbf53779bc8395b3f8c1042ef9b5537757d825224b28e
SHA512 668b3a0fd64bb37157e89a89a6cb7f558ad2b4a529900b578486e2d56c0785f352b6dc158c3dc1370c5f2fc07cfb03b157272a63054eb19a016ab6f0804b412e

C:\Windows\SysWOW64\Hkpnhgge.exe

MD5 34f59ed85f1d19bcc799bc7c471ed9f7
SHA1 9ad9d2d1e2419d189b9cd2d086011f3a07f84d22
SHA256 5072709078491cde3b55cd65b98a4743e52c399b2b60069d70cf5ec7681de9c4

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-23 05:10

Reported

2024-05-23 05:12

Platform

win10v2004-20240508-en

Max time kernel

136s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\87b0ad31508842022120123f5386a3a0_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Njogjfoj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mdkhapfj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nacbfdao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mkgmcjld.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mkpgck32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nbkhfc32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jjbako32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kacphh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ldohebqh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Maohkd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Njogjfoj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Njcpee32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hbhdmd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Njljefql.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kgmlkp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kmgdgjek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kbdmpqcb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jibeql32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Imihfl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mjqjih32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mcpebmkb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ifopiajn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kdcijcke.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kkbkamnl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mgnnhk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hippdo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kkpnlm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ndbnboqb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jplmmfmi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kibnhjgj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lddbqa32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mpmokb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kbdmpqcb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kaemnhla.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ldohebqh.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nqmhbpba.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jkfkfohj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ncihikcg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lnjjdgee.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jdmcidam.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Laciofpa.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jmpngk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hbhdmd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jangmibi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kdopod32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mpmokb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hjfihc32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ldmlpbbj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mjeddggd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ncihikcg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hmdedo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hjolnb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kagichjo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mjjmog32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hclakimb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jkdnpo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Haggelfd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mjcgohig.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kgmlkp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hmioonpn.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kacphh32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lalcng32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lijdhiaa.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hjhfnccl.exe N/A

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Hclakimb.exe N/A
N/A N/A C:\Windows\SysWOW64\Hjfihc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hmdedo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hjhfnccl.exe N/A
N/A N/A C:\Windows\SysWOW64\Hmfbjnbp.exe N/A
N/A N/A C:\Windows\SysWOW64\Habnjm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hjjbcbqj.exe N/A
N/A N/A C:\Windows\SysWOW64\Hmioonpn.exe N/A
N/A N/A C:\Windows\SysWOW64\Hbeghene.exe N/A
N/A N/A C:\Windows\SysWOW64\Hippdo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Haggelfd.exe N/A
N/A N/A C:\Windows\SysWOW64\Hbhdmd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hjolnb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ipldfi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iffmccbi.exe N/A
N/A N/A C:\Windows\SysWOW64\Impepm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ipnalhii.exe N/A
N/A N/A C:\Windows\SysWOW64\Ifhiib32.exe N/A
N/A N/A C:\Windows\SysWOW64\Imbaemhc.exe N/A
N/A N/A C:\Windows\SysWOW64\Ipqnahgf.exe N/A
N/A N/A C:\Windows\SysWOW64\Iiibkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ipckgh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ifmcdblq.exe N/A
N/A N/A C:\Windows\SysWOW64\Iikopmkd.exe N/A
N/A N/A C:\Windows\SysWOW64\Ipegmg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ifopiajn.exe N/A
N/A N/A C:\Windows\SysWOW64\Imihfl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jdcpcf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jiphkm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jpjqhgol.exe N/A
N/A N/A C:\Windows\SysWOW64\Jbhmdbnp.exe N/A
N/A N/A C:\Windows\SysWOW64\Jibeql32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jplmmfmi.exe N/A
N/A N/A C:\Windows\SysWOW64\Jbkjjblm.exe N/A
N/A N/A C:\Windows\SysWOW64\Jjbako32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jmpngk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jpojcf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jbmfoa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jkdnpo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jangmibi.exe N/A
N/A N/A C:\Windows\SysWOW64\Jdmcidam.exe N/A
N/A N/A C:\Windows\SysWOW64\Jkfkfohj.exe N/A
N/A N/A C:\Windows\SysWOW64\Kaqcbi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdopod32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kgmlkp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kmgdgjek.exe N/A
N/A N/A C:\Windows\SysWOW64\Kacphh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdaldd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbdmpqcb.exe N/A
N/A N/A C:\Windows\SysWOW64\Kinemkko.exe N/A
N/A N/A C:\Windows\SysWOW64\Kaemnhla.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdcijcke.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbfiep32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kipabjil.exe N/A
N/A N/A C:\Windows\SysWOW64\Kagichjo.exe N/A
N/A N/A C:\Windows\SysWOW64\Kpjjod32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kcifkp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkpnlm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kibnhjgj.exe N/A
N/A N/A C:\Windows\SysWOW64\Kpmfddnf.exe N/A
N/A N/A C:\Windows\SysWOW64\Kckbqpnj.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkbkamnl.exe N/A
N/A N/A C:\Windows\SysWOW64\Lalcng32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ldkojb32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Ncgkcl32.exe C:\Windows\SysWOW64\Njogjfoj.exe N/A
File created C:\Windows\SysWOW64\Ppaaagol.dll C:\Windows\SysWOW64\Kdcijcke.exe N/A
File opened for modification C:\Windows\SysWOW64\Mamleegg.exe C:\Windows\SysWOW64\Mjeddggd.exe N/A
File opened for modification C:\Windows\SysWOW64\Kibnhjgj.exe C:\Windows\SysWOW64\Kkpnlm32.exe N/A
File created C:\Windows\SysWOW64\Kkbkamnl.exe C:\Windows\SysWOW64\Kckbqpnj.exe N/A
File opened for modification C:\Windows\SysWOW64\Nqmhbpba.exe C:\Windows\SysWOW64\Nbkhfc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ifmcdblq.exe C:\Windows\SysWOW64\Ipckgh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jdcpcf32.exe C:\Windows\SysWOW64\Imihfl32.exe N/A
File created C:\Windows\SysWOW64\Haggelfd.exe C:\Windows\SysWOW64\Hippdo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Iffmccbi.exe C:\Windows\SysWOW64\Ipldfi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hmfbjnbp.exe C:\Windows\SysWOW64\Hjhfnccl.exe N/A
File created C:\Windows\SysWOW64\Hmioonpn.exe C:\Windows\SysWOW64\Hjjbcbqj.exe N/A
File created C:\Windows\SysWOW64\Anmklllo.dll C:\Windows\SysWOW64\Jjbako32.exe N/A
File created C:\Windows\SysWOW64\Kpmfddnf.exe C:\Windows\SysWOW64\Kibnhjgj.exe N/A
File created C:\Windows\SysWOW64\Gcgqhjop.dll C:\Windows\SysWOW64\Lgikfn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lilanioo.exe C:\Windows\SysWOW64\Ldohebqh.exe N/A
File created C:\Windows\SysWOW64\Mecaoggc.dll C:\Windows\SysWOW64\Lddbqa32.exe N/A
File created C:\Windows\SysWOW64\Mamleegg.exe C:\Windows\SysWOW64\Mjeddggd.exe N/A
File opened for modification C:\Windows\SysWOW64\Hjjbcbqj.exe C:\Windows\SysWOW64\Habnjm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ipegmg32.exe C:\Windows\SysWOW64\Iikopmkd.exe N/A
File opened for modification C:\Windows\SysWOW64\Mkgmcjld.exe C:\Windows\SysWOW64\Mcpebmkb.exe N/A
File created C:\Windows\SysWOW64\Bkankc32.dll C:\Windows\SysWOW64\Mjcgohig.exe N/A
File opened for modification C:\Windows\SysWOW64\Ncgkcl32.exe C:\Windows\SysWOW64\Njogjfoj.exe N/A
File created C:\Windows\SysWOW64\Onkhkpho.dll C:\Windows\SysWOW64\Ipldfi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kkbkamnl.exe C:\Windows\SysWOW64\Kckbqpnj.exe N/A
File created C:\Windows\SysWOW64\Jplmmfmi.exe C:\Windows\SysWOW64\Jibeql32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kaqcbi32.exe C:\Windows\SysWOW64\Jkfkfohj.exe N/A
File opened for modification C:\Windows\SysWOW64\Nacbfdao.exe C:\Windows\SysWOW64\Njljefql.exe N/A
File opened for modification C:\Windows\SysWOW64\Hjhfnccl.exe C:\Windows\SysWOW64\Hmdedo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Iikopmkd.exe C:\Windows\SysWOW64\Ifmcdblq.exe N/A
File created C:\Windows\SysWOW64\Bpcbnd32.dll C:\Windows\SysWOW64\Kkpnlm32.exe N/A
File created C:\Windows\SysWOW64\Lnjjdgee.exe C:\Windows\SysWOW64\Lgpagm32.exe N/A
File created C:\Windows\SysWOW64\Mnfipekh.exe C:\Windows\SysWOW64\Mjjmog32.exe N/A
File created C:\Windows\SysWOW64\Codhke32.dll C:\Windows\SysWOW64\Mjjmog32.exe N/A
File created C:\Windows\SysWOW64\Legdcg32.dll C:\Windows\SysWOW64\Njljefql.exe N/A
File created C:\Windows\SysWOW64\Lgabcngj.dll C:\Windows\SysWOW64\Hclakimb.exe N/A
File created C:\Windows\SysWOW64\Jbkjjblm.exe C:\Windows\SysWOW64\Jplmmfmi.exe N/A
File created C:\Windows\SysWOW64\Imbaemhc.exe C:\Windows\SysWOW64\Ifhiib32.exe N/A
File created C:\Windows\SysWOW64\Kflflhfg.dll C:\Windows\SysWOW64\Iikopmkd.exe N/A
File created C:\Windows\SysWOW64\Jdmcidam.exe C:\Windows\SysWOW64\Jangmibi.exe N/A
File created C:\Windows\SysWOW64\Kmgdgjek.exe C:\Windows\SysWOW64\Kgmlkp32.exe N/A
File created C:\Windows\SysWOW64\Mdkhapfj.exe C:\Windows\SysWOW64\Mamleegg.exe N/A
File created C:\Windows\SysWOW64\Fhpdhp32.dll C:\Windows\SysWOW64\Mnfipekh.exe N/A
File opened for modification C:\Windows\SysWOW64\Hmdedo32.exe C:\Windows\SysWOW64\Hjfihc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Haggelfd.exe C:\Windows\SysWOW64\Hippdo32.exe N/A
File created C:\Windows\SysWOW64\Nkcmohbg.exe C:\Windows\SysWOW64\Ncldnkae.exe N/A
File opened for modification C:\Windows\SysWOW64\Kipabjil.exe C:\Windows\SysWOW64\Kbfiep32.exe N/A
File created C:\Windows\SysWOW64\Ipegmg32.exe C:\Windows\SysWOW64\Iikopmkd.exe N/A
File opened for modification C:\Windows\SysWOW64\Kaemnhla.exe C:\Windows\SysWOW64\Kinemkko.exe N/A
File created C:\Windows\SysWOW64\Mdemcacc.dll C:\Windows\SysWOW64\Lijdhiaa.exe N/A
File created C:\Windows\SysWOW64\Hippdo32.exe C:\Windows\SysWOW64\Hbeghene.exe N/A
File created C:\Windows\SysWOW64\Jifkeoll.dll C:\Windows\SysWOW64\Lalcng32.exe N/A
File created C:\Windows\SysWOW64\Kdcijcke.exe C:\Windows\SysWOW64\Kaemnhla.exe N/A
File created C:\Windows\SysWOW64\Kipabjil.exe C:\Windows\SysWOW64\Kbfiep32.exe N/A
File created C:\Windows\SysWOW64\Jiphkm32.exe C:\Windows\SysWOW64\Jdcpcf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jdmcidam.exe C:\Windows\SysWOW64\Jangmibi.exe N/A
File created C:\Windows\SysWOW64\Lihoogdd.dll C:\Windows\SysWOW64\Ifmcdblq.exe N/A
File created C:\Windows\SysWOW64\Eilljncf.dll C:\Windows\SysWOW64\Jdmcidam.exe N/A
File created C:\Windows\SysWOW64\Mjjmog32.exe C:\Windows\SysWOW64\Mkgmcjld.exe N/A
File created C:\Windows\SysWOW64\Nqmhbpba.exe C:\Windows\SysWOW64\Nbkhfc32.exe N/A
File created C:\Windows\SysWOW64\Dlddhggk.dll C:\Windows\SysWOW64\Nqmhbpba.exe N/A
File opened for modification C:\Windows\SysWOW64\Habnjm32.exe C:\Windows\SysWOW64\Hmfbjnbp.exe N/A
File created C:\Windows\SysWOW64\Cdcbljie.dll C:\Windows\SysWOW64\Ifhiib32.exe N/A
File created C:\Windows\SysWOW64\Eeecjqkd.dll C:\Windows\SysWOW64\Kcifkp32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Nkcmohbg.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll" C:\Windows\SysWOW64\Lcdegnep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kmgdgjek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kbfiep32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kpmfddnf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ldkojb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ldohebqh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mjjmog32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nqmhbpba.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ldohebqh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nacbfdao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jjbako32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kpjjod32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll" C:\Windows\SysWOW64\Liggbi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ldmlpbbj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lilanioo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll" C:\Windows\SysWOW64\Lnjjdgee.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mdfofakp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\87b0ad31508842022120123f5386a3a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kacphh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Liggbi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll" C:\Windows\SysWOW64\Lpappc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll" C:\Windows\SysWOW64\Ldohebqh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mnfipekh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ifhiib32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Imbaemhc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll" C:\Windows\SysWOW64\Mcpebmkb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll" C:\Windows\SysWOW64\Nacbfdao.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Njogjfoj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kgmlkp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mpmokb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nkncdifl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nnmopdep.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hmdedo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecppdbpl.dll" C:\Windows\SysWOW64\Jangmibi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mkpgck32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibilnj32.dll" C:\Windows\SysWOW64\Hmdedo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hjhfnccl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mkgmcjld.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ncgkcl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlilmlna.dll" C:\Windows\SysWOW64\Imbaemhc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Iiibkn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ifmcdblq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgiacnii.dll" C:\Windows\SysWOW64\Imihfl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jiphkm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll" C:\Windows\SysWOW64\Mjjmog32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ndbnboqb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ipldfi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ifmcdblq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jjbako32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lgpagm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lddbqa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll" C:\Windows\SysWOW64\Njljefql.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ipqnahgf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnckcnhb.dll" C:\Windows\SysWOW64\Kacphh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kinemkko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kaemnhla.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kbfiep32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ldmlpbbj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll" C:\Windows\SysWOW64\Lijdhiaa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Laciofpa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hclakimb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onkhkpho.dll" C:\Windows\SysWOW64\Ipldfi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Impepm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll" C:\Windows\SysWOW64\Mgghhlhq.exe N/A
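
The CLSID rows above are the second half of the persistence mechanism: Explorer instantiates every CLSID listed under ShellServiceObjectDelayLoad at logon, and the DLL it loads for a CLSID is whatever the default value of HKCR\CLSID\{...}\InProcServer32 names. Here successive dropped stages keep re-pointing that value for {79FEACFF-FFCE-815E-A900-316290B5B738} at a different DLL under SysWow64. The script below is an added example (not part of the report or of any sandbox tooling) that parses rows in this report's row format, joins the SSODL entry to its CLSID and to every DLL registered as that CLSID's in-process server, and flags the entry when the InProcServer32 key was created during detonation or rewritten more than once. The sample input reuses CLSID rows from the table above; the SSODL row in it is constructed (placeholder entry name and writing process) because in the report that row sits in a separate signature table.

```python
import re
from collections import defaultdict

GUID = r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}"

# One row per line, in the report's own column order:
# "<action> <registry path>[ = "<data>"] <writing process> N/A"
SET_RE = re.compile(
    r'^Set value \(\w+\) (?P<key>.+?) = "(?P<data>[^"]*)" (?P<proc>[A-Za-z]:\\\S+) N/A$')
CREATE_RE = re.compile(r"^Key created (?P<key>.+?) (?P<proc>[A-Za-z]:\\\S+) N/A$")
SSODL_RE = re.compile(r"\\ShellServiceObjectDelayLoad\\(?P<entry>[^\\]+)$", re.I)
INPROC_VALUE_RE = re.compile(
    r"\\CLSID\\(?P<clsid>" + GUID + r")\\InProcServer32\\(?P<name>[^\\]*)$", re.I)
INPROC_KEY_RE = re.compile(r"\\CLSID\\(?P<clsid>" + GUID + r")\\InProcServer32$", re.I)

# CLSID rows copied from the table above, plus one constructed SSODL row
# ("ExampleEntry" and "Example32.exe" are placeholders, not report data).
SAMPLE_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ExampleEntry = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Example32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll" C:\Windows\SysWOW64\Ldohebqh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mnfipekh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ifhiib32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll" C:\Windows\SysWOW64\Mcpebmkb.exe N/A
"""


def parse_rows(text):
    """Yield (kind, key, data, proc) per row; data is None for 'Key created'."""
    for line in text.strip().splitlines():
        line = line.strip()
        m = SET_RE.match(line)
        if m:
            # The sandbox doubles backslashes inside quoted data; undo that.
            yield "set", m["key"], m["data"].replace("\\\\", "\\"), m["proc"]
            continue
        m = CREATE_RE.match(line)
        if m:
            yield "create", m["key"], None, m["proc"]


def resolve_ssodl_chain(text):
    """Map each SSODL entry -> CLSID -> DLL(s) registered as its InProcServer32."""
    ssodl = {}                    # entry name -> CLSID
    servers = defaultdict(list)   # CLSID -> [(dll path, writing process)]
    creators = defaultdict(set)   # CLSID -> processes that created InProcServer32
    for kind, key, data, proc in parse_rows(text):
        if kind == "set":
            m = SSODL_RE.search(key)
            if m and re.fullmatch(GUID, data):
                ssodl[m["entry"]] = data.upper()
                continue
            m = INPROC_VALUE_RE.search(key)
            if m and m["name"] == "":          # default value = the DLL Explorer loads
                servers[m["clsid"].upper()].append((data, proc))
        else:
            m = INPROC_KEY_RE.search(key)
            if m:
                creators[m["clsid"].upper()].add(proc)

    findings = {}
    for entry, clsid in ssodl.items():
        dlls = [dll for dll, _ in servers.get(clsid, [])]
        writers = sorted({p for _, p in servers.get(clsid, [])} | creators.get(clsid, set()))
        reasons = []
        if clsid in creators:
            reasons.append("InProcServer32 key created during detonation")
        if len(set(dlls)) > 1:
            reasons.append("InProcServer32 rewritten to %d different DLLs" % len(set(dlls)))
        findings[entry] = {"clsid": clsid, "dlls": dlls, "writers": writers,
                           "suspicious": bool(reasons), "reasons": reasons}
    return findings


if __name__ == "__main__":
    for entry, info in resolve_ssodl_chain(SAMPLE_ROWS).items():
        print(entry, info["clsid"], "->", info["dlls"], "flags:", info["reasons"])
```

On a live host the same join is done against HKLM\...\ShellServiceObjectDelayLoad and HKCR\CLSID (plus the WOW6432Node views); the log-based version above is useful because the report scatters the SSODL row and the CLSID rows across different signature tables, and only the joined view shows that the entry resolves to a freshly dropped, unsigned DLL.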

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3780 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\87b0ad31508842022120123f5386a3a0_NeikiAnalytics.exe C:\Windows\SysWOW64\Hclakimb.exe
PID 3780 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\87b0ad31508842022120123f5386a3a0_NeikiAnalytics.exe C:\Windows\SysWOW64\Hclakimb.exe
PID 3780 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\87b0ad31508842022120123f5386a3a0_NeikiAnalytics.exe C:\Windows\SysWOW64\Hclakimb.exe
PID 4740 wrote to memory of 700 N/A C:\Windows\SysWOW64\Hclakimb.exe C:\Windows\SysWOW64\Hjfihc32.exe
PID 4740 wrote to memory of 700 N/A C:\Windows\SysWOW64\Hclakimb.exe C:\Windows\SysWOW64\Hjfihc32.exe
PID 4740 wrote to memory of 700 N/A C:\Windows\SysWOW64\Hclakimb.exe C:\Windows\SysWOW64\Hjfihc32.exe
PID 700 wrote to memory of 1548 N/A C:\Windows\SysWOW64\Hjfihc32.exe C:\Windows\SysWOW64\Hmdedo32.exe
PID 700 wrote to memory of 1548 N/A C:\Windows\SysWOW64\Hjfihc32.exe C:\Windows\SysWOW64\Hmdedo32.exe
PID 700 wrote to memory of 1548 N/A C:\Windows\SysWOW64\Hjfihc32.exe C:\Windows\SysWOW64\Hmdedo32.exe
PID 1548 wrote to memory of 1552 N/A C:\Windows\SysWOW64\Hmdedo32.exe C:\Windows\SysWOW64\Hjhfnccl.exe
PID 1548 wrote to memory of 1552 N/A C:\Windows\SysWOW64\Hmdedo32.exe C:\Windows\SysWOW64\Hjhfnccl.exe
PID 1548 wrote to memory of 1552 N/A C:\Windows\SysWOW64\Hmdedo32.exe C:\Windows\SysWOW64\Hjhfnccl.exe
PID 1552 wrote to memory of 3596 N/A C:\Windows\SysWOW64\Hjhfnccl.exe C:\Windows\SysWOW64\Hmfbjnbp.exe
PID 1552 wrote to memory of 3596 N/A C:\Windows\SysWOW64\Hjhfnccl.exe C:\Windows\SysWOW64\Hmfbjnbp.exe
PID 1552 wrote to memory of 3596 N/A C:\Windows\SysWOW64\Hjhfnccl.exe C:\Windows\SysWOW64\Hmfbjnbp.exe
PID 3596 wrote to memory of 4404 N/A C:\Windows\SysWOW64\Hmfbjnbp.exe C:\Windows\SysWOW64\Habnjm32.exe
PID 3596 wrote to memory of 4404 N/A C:\Windows\SysWOW64\Hmfbjnbp.exe C:\Windows\SysWOW64\Habnjm32.exe
PID 3596 wrote to memory of 4404 N/A C:\Windows\SysWOW64\Hmfbjnbp.exe C:\Windows\SysWOW64\Habnjm32.exe
PID 4404 wrote to memory of 3836 N/A C:\Windows\SysWOW64\Habnjm32.exe C:\Windows\SysWOW64\Hjjbcbqj.exe
PID 4404 wrote to memory of 3836 N/A C:\Windows\SysWOW64\Habnjm32.exe C:\Windows\SysWOW64\Hjjbcbqj.exe
PID 4404 wrote to memory of 3836 N/A C:\Windows\SysWOW64\Habnjm32.exe C:\Windows\SysWOW64\Hjjbcbqj.exe
PID 3836 wrote to memory of 1112 N/A C:\Windows\SysWOW64\Hjjbcbqj.exe C:\Windows\SysWOW64\Hmioonpn.exe
PID 3836 wrote to memory of 1112 N/A C:\Windows\SysWOW64\Hjjbcbqj.exe C:\Windows\SysWOW64\Hmioonpn.exe
PID 3836 wrote to memory of 1112 N/A C:\Windows\SysWOW64\Hjjbcbqj.exe C:\Windows\SysWOW64\Hmioonpn.exe
PID 1112 wrote to memory of 3316 N/A C:\Windows\SysWOW64\Hmioonpn.exe C:\Windows\SysWOW64\Hbeghene.exe
PID 1112 wrote to memory of 3316 N/A C:\Windows\SysWOW64\Hmioonpn.exe C:\Windows\SysWOW64\Hbeghene.exe
PID 1112 wrote to memory of 3316 N/A C:\Windows\SysWOW64\Hmioonpn.exe C:\Windows\SysWOW64\Hbeghene.exe
PID 3316 wrote to memory of 4916 N/A C:\Windows\SysWOW64\Hbeghene.exe C:\Windows\SysWOW64\Hippdo32.exe
PID 3316 wrote to memory of 4916 N/A C:\Windows\SysWOW64\Hbeghene.exe C:\Windows\SysWOW64\Hippdo32.exe
PID 3316 wrote to memory of 4916 N/A C:\Windows\SysWOW64\Hbeghene.exe C:\Windows\SysWOW64\Hippdo32.exe
PID 4916 wrote to memory of 4724 N/A C:\Windows\SysWOW64\Hippdo32.exe C:\Windows\SysWOW64\Haggelfd.exe
PID 4916 wrote to memory of 4724 N/A C:\Windows\SysWOW64\Hippdo32.exe C:\Windows\SysWOW64\Haggelfd.exe
PID 4916 wrote to memory of 4724 N/A C:\Windows\SysWOW64\Hippdo32.exe C:\Windows\SysWOW64\Haggelfd.exe
PID 4724 wrote to memory of 4384 N/A C:\Windows\SysWOW64\Haggelfd.exe C:\Windows\SysWOW64\Hbhdmd32.exe
PID 4724 wrote to memory of 4384 N/A C:\Windows\SysWOW64\Haggelfd.exe C:\Windows\SysWOW64\Hbhdmd32.exe
PID 4724 wrote to memory of 4384 N/A C:\Windows\SysWOW64\Haggelfd.exe C:\Windows\SysWOW64\Hbhdmd32.exe
PID 4384 wrote to memory of 4988 N/A C:\Windows\SysWOW64\Hbhdmd32.exe C:\Windows\SysWOW64\Hjolnb32.exe
PID 4384 wrote to memory of 4988 N/A C:\Windows\SysWOW64\Hbhdmd32.exe C:\Windows\SysWOW64\Hjolnb32.exe
PID 4384 wrote to memory of 4988 N/A C:\Windows\SysWOW64\Hbhdmd32.exe C:\Windows\SysWOW64\Hjolnb32.exe
PID 4988 wrote to memory of 692 N/A C:\Windows\SysWOW64\Hjolnb32.exe C:\Windows\SysWOW64\Ipldfi32.exe
PID 4988 wrote to memory of 692 N/A C:\Windows\SysWOW64\Hjolnb32.exe C:\Windows\SysWOW64\Ipldfi32.exe
PID 4988 wrote to memory of 692 N/A C:\Windows\SysWOW64\Hjolnb32.exe C:\Windows\SysWOW64\Ipldfi32.exe
PID 692 wrote to memory of 4824 N/A C:\Windows\SysWOW64\Ipldfi32.exe C:\Windows\SysWOW64\Iffmccbi.exe
PID 692 wrote to memory of 4824 N/A C:\Windows\SysWOW64\Ipldfi32.exe C:\Windows\SysWOW64\Iffmccbi.exe
PID 692 wrote to memory of 4824 N/A C:\Windows\SysWOW64\Ipldfi32.exe C:\Windows\SysWOW64\Iffmccbi.exe
PID 4824 wrote to memory of 2952 N/A C:\Windows\SysWOW64\Iffmccbi.exe C:\Windows\SysWOW64\Impepm32.exe
PID 4824 wrote to memory of 2952 N/A C:\Windows\SysWOW64\Iffmccbi.exe C:\Windows\SysWOW64\Impepm32.exe
PID 4824 wrote to memory of 2952 N/A C:\Windows\SysWOW64\Iffmccbi.exe C:\Windows\SysWOW64\Impepm32.exe
PID 2952 wrote to memory of 3840 N/A C:\Windows\SysWOW64\Impepm32.exe C:\Windows\SysWOW64\Ipnalhii.exe
PID 2952 wrote to memory of 3840 N/A C:\Windows\SysWOW64\Impepm32.exe C:\Windows\SysWOW64\Ipnalhii.exe
PID 2952 wrote to memory of 3840 N/A C:\Windows\SysWOW64\Impepm32.exe C:\Windows\SysWOW64\Ipnalhii.exe
PID 3840 wrote to memory of 3384 N/A C:\Windows\SysWOW64\Ipnalhii.exe C:\Windows\SysWOW64\Ifhiib32.exe
PID 3840 wrote to memory of 3384 N/A C:\Windows\SysWOW64\Ipnalhii.exe C:\Windows\SysWOW64\Ifhiib32.exe
PID 3840 wrote to memory of 3384 N/A C:\Windows\SysWOW64\Ipnalhii.exe C:\Windows\SysWOW64\Ifhiib32.exe
PID 3384 wrote to memory of 4744 N/A C:\Windows\SysWOW64\Ifhiib32.exe C:\Windows\SysWOW64\Imbaemhc.exe
PID 3384 wrote to memory of 4744 N/A C:\Windows\SysWOW64\Ifhiib32.exe C:\Windows\SysWOW64\Imbaemhc.exe
PID 3384 wrote to memory of 4744 N/A C:\Windows\SysWOW64\Ifhiib32.exe C:\Windows\SysWOW64\Imbaemhc.exe
PID 4744 wrote to memory of 876 N/A C:\Windows\SysWOW64\Imbaemhc.exe C:\Windows\SysWOW64\Ipqnahgf.exe
PID 4744 wrote to memory of 876 N/A C:\Windows\SysWOW64\Imbaemhc.exe C:\Windows\SysWOW64\Ipqnahgf.exe
PID 4744 wrote to memory of 876 N/A C:\Windows\SysWOW64\Imbaemhc.exe C:\Windows\SysWOW64\Ipqnahgf.exe
PID 876 wrote to memory of 4832 N/A C:\Windows\SysWOW64\Ipqnahgf.exe C:\Windows\SysWOW64\Iiibkn32.exe
PID 876 wrote to memory of 4832 N/A C:\Windows\SysWOW64\Ipqnahgf.exe C:\Windows\SysWOW64\Iiibkn32.exe
PID 876 wrote to memory of 4832 N/A C:\Windows\SysWOW64\Ipqnahgf.exe C:\Windows\SysWOW64\Iiibkn32.exe
PID 4832 wrote to memory of 3628 N/A C:\Windows\SysWOW64\Iiibkn32.exe C:\Windows\SysWOW64\Ipckgh32.exe

Processes

Image Command line
C:\Users\Admin\AppData\Local\Temp\87b0ad31508842022120123f5386a3a0_NeikiAnalytics.exe "C:\Users\Admin\AppData\Local\Temp\87b0ad31508842022120123f5386a3a0_NeikiAnalytics.exe"
C:\Windows\SysWOW64\Hclakimb.exe C:\Windows\system32\Hclakimb.exe
C:\Windows\SysWOW64\Hjfihc32.exe C:\Windows\system32\Hjfihc32.exe
C:\Windows\SysWOW64\Hmdedo32.exe C:\Windows\system32\Hmdedo32.exe
C:\Windows\SysWOW64\Hjhfnccl.exe C:\Windows\system32\Hjhfnccl.exe
C:\Windows\SysWOW64\Hmfbjnbp.exe C:\Windows\system32\Hmfbjnbp.exe
C:\Windows\SysWOW64\Habnjm32.exe C:\Windows\system32\Habnjm32.exe
C:\Windows\SysWOW64\Hjjbcbqj.exe C:\Windows\system32\Hjjbcbqj.exe
C:\Windows\SysWOW64\Hmioonpn.exe C:\Windows\system32\Hmioonpn.exe
C:\Windows\SysWOW64\Hbeghene.exe C:\Windows\system32\Hbeghene.exe
C:\Windows\SysWOW64\Hippdo32.exe C:\Windows\system32\Hippdo32.exe
C:\Windows\SysWOW64\Haggelfd.exe C:\Windows\system32\Haggelfd.exe
C:\Windows\SysWOW64\Hbhdmd32.exe C:\Windows\system32\Hbhdmd32.exe
C:\Windows\SysWOW64\Hjolnb32.exe C:\Windows\system32\Hjolnb32.exe
C:\Windows\SysWOW64\Ipldfi32.exe C:\Windows\system32\Ipldfi32.exe
C:\Windows\SysWOW64\Iffmccbi.exe C:\Windows\system32\Iffmccbi.exe
C:\Windows\SysWOW64\Impepm32.exe C:\Windows\system32\Impepm32.exe
C:\Windows\SysWOW64\Ipnalhii.exe C:\Windows\system32\Ipnalhii.exe
C:\Windows\SysWOW64\Ifhiib32.exe C:\Windows\system32\Ifhiib32.exe
C:\Windows\SysWOW64\Imbaemhc.exe C:\Windows\system32\Imbaemhc.exe
C:\Windows\SysWOW64\Ipqnahgf.exe C:\Windows\system32\Ipqnahgf.exe
C:\Windows\SysWOW64\Iiibkn32.exe C:\Windows\system32\Iiibkn32.exe
C:\Windows\SysWOW64\Ipckgh32.exe C:\Windows\system32\Ipckgh32.exe
C:\Windows\SysWOW64\Ifmcdblq.exe C:\Windows\system32\Ifmcdblq.exe
C:\Windows\SysWOW64\Iikopmkd.exe C:\Windows\system32\Iikopmkd.exe
C:\Windows\SysWOW64\Ipegmg32.exe C:\Windows\system32\Ipegmg32.exe
C:\Windows\SysWOW64\Ifopiajn.exe C:\Windows\system32\Ifopiajn.exe
C:\Windows\SysWOW64\Imihfl32.exe C:\Windows\system32\Imihfl32.exe
C:\Windows\SysWOW64\Jdcpcf32.exe C:\Windows\system32\Jdcpcf32.exe
C:\Windows\SysWOW64\Jiphkm32.exe C:\Windows\system32\Jiphkm32.exe
C:\Windows\SysWOW64\Jpjqhgol.exe C:\Windows\system32\Jpjqhgol.exe
C:\Windows\SysWOW64\Jbhmdbnp.exe C:\Windows\system32\Jbhmdbnp.exe
C:\Windows\SysWOW64\Jibeql32.exe C:\Windows\system32\Jibeql32.exe
C:\Windows\SysWOW64\Jplmmfmi.exe C:\Windows\system32\Jplmmfmi.exe
C:\Windows\SysWOW64\Jbkjjblm.exe C:\Windows\system32\Jbkjjblm.exe
C:\Windows\SysWOW64\Jjbako32.exe C:\Windows\system32\Jjbako32.exe
C:\Windows\SysWOW64\Jmpngk32.exe C:\Windows\system32\Jmpngk32.exe
C:\Windows\SysWOW64\Jpojcf32.exe C:\Windows\system32\Jpojcf32.exe
C:\Windows\SysWOW64\Jbmfoa32.exe C:\Windows\system32\Jbmfoa32.exe
C:\Windows\SysWOW64\Jkdnpo32.exe C:\Windows\system32\Jkdnpo32.exe
C:\Windows\SysWOW64\Jangmibi.exe C:\Windows\system32\Jangmibi.exe
C:\Windows\SysWOW64\Jdmcidam.exe C:\Windows\system32\Jdmcidam.exe
C:\Windows\SysWOW64\Jkfkfohj.exe C:\Windows\system32\Jkfkfohj.exe
C:\Windows\SysWOW64\Kaqcbi32.exe C:\Windows\system32\Kaqcbi32.exe
C:\Windows\SysWOW64\Kdopod32.exe C:\Windows\system32\Kdopod32.exe
C:\Windows\SysWOW64\Kgmlkp32.exe C:\Windows\system32\Kgmlkp32.exe
C:\Windows\SysWOW64\Kmgdgjek.exe C:\Windows\system32\Kmgdgjek.exe
C:\Windows\SysWOW64\Kacphh32.exe C:\Windows\system32\Kacphh32.exe
C:\Windows\SysWOW64\Kdaldd32.exe C:\Windows\system32\Kdaldd32.exe
C:\Windows\SysWOW64\Kbdmpqcb.exe C:\Windows\system32\Kbdmpqcb.exe
C:\Windows\SysWOW64\Kinemkko.exe C:\Windows\system32\Kinemkko.exe
C:\Windows\SysWOW64\Kaemnhla.exe C:\Windows\system32\Kaemnhla.exe
C:\Windows\SysWOW64\Kdcijcke.exe C:\Windows\system32\Kdcijcke.exe
C:\Windows\SysWOW64\Kbfiep32.exe C:\Windows\system32\Kbfiep32.exe
C:\Windows\SysWOW64\Kipabjil.exe C:\Windows\system32\Kipabjil.exe
C:\Windows\SysWOW64\Kagichjo.exe C:\Windows\system32\Kagichjo.exe
C:\Windows\SysWOW64\Kpjjod32.exe C:\Windows\system32\Kpjjod32.exe
C:\Windows\SysWOW64\Kcifkp32.exe C:\Windows\system32\Kcifkp32.exe
C:\Windows\SysWOW64\Kkpnlm32.exe C:\Windows\system32\Kkpnlm32.exe
C:\Windows\SysWOW64\Kibnhjgj.exe C:\Windows\system32\Kibnhjgj.exe
C:\Windows\SysWOW64\Kpmfddnf.exe C:\Windows\system32\Kpmfddnf.exe
C:\Windows\SysWOW64\Kckbqpnj.exe C:\Windows\system32\Kckbqpnj.exe
C:\Windows\SysWOW64\Kkbkamnl.exe C:\Windows\system32\Kkbkamnl.exe
C:\Windows\SysWOW64\Lalcng32.exe C:\Windows\system32\Lalcng32.exe
C:\Windows\SysWOW64\Ldkojb32.exe C:\Windows\system32\Ldkojb32.exe
C:\Windows\SysWOW64\Lgikfn32.exe C:\Windows\system32\Lgikfn32.exe
C:\Windows\SysWOW64\Liggbi32.exe C:\Windows\system32\Liggbi32.exe
C:\Windows\SysWOW64\Lpappc32.exe C:\Windows\system32\Lpappc32.exe
C:\Windows\SysWOW64\Ldmlpbbj.exe C:\Windows\system32\Ldmlpbbj.exe
C:\Windows\SysWOW64\Lijdhiaa.exe C:\Windows\system32\Lijdhiaa.exe
C:\Windows\SysWOW64\Laalifad.exe C:\Windows\system32\Laalifad.exe
C:\Windows\SysWOW64\Ldohebqh.exe C:\Windows\system32\Ldohebqh.exe
C:\Windows\SysWOW64\Lilanioo.exe C:\Windows\system32\Lilanioo.exe
C:\Windows\SysWOW64\Laciofpa.exe C:\Windows\system32\Laciofpa.exe
C:\Windows\SysWOW64\Lcdegnep.exe C:\Windows\system32\Lcdegnep.exe
C:\Windows\SysWOW64\Lgpagm32.exe C:\Windows\system32\Lgpagm32.exe
C:\Windows\SysWOW64\Lnjjdgee.exe C:\Windows\system32\Lnjjdgee.exe
C:\Windows\SysWOW64\Lddbqa32.exe C:\Windows\system32\Lddbqa32.exe
C:\Windows\SysWOW64\Lgbnmm32.exe C:\Windows\system32\Lgbnmm32.exe
C:\Windows\SysWOW64\Mjqjih32.exe C:\Windows\system32\Mjqjih32.exe
C:\Windows\SysWOW64\Mdfofakp.exe C:\Windows\system32\Mdfofakp.exe
C:\Windows\SysWOW64\Mkpgck32.exe C:\Windows\system32\Mkpgck32.exe
C:\Windows\SysWOW64\Mjcgohig.exe C:\Windows\system32\Mjcgohig.exe
C:\Windows\SysWOW64\Mpmokb32.exe C:\Windows\system32\Mpmokb32.exe
C:\Windows\SysWOW64\Mgghhlhq.exe C:\Windows\system32\Mgghhlhq.exe
C:\Windows\SysWOW64\Mjeddggd.exe C:\Windows\system32\Mjeddggd.exe
C:\Windows\SysWOW64\Mamleegg.exe C:\Windows\system32\Mamleegg.exe
C:\Windows\SysWOW64\Mdkhapfj.exe C:\Windows\system32\Mdkhapfj.exe
C:\Windows\SysWOW64\Mjhqjg32.exe C:\Windows\system32\Mjhqjg32.exe
C:\Windows\SysWOW64\Maohkd32.exe C:\Windows\system32\Maohkd32.exe
C:\Windows\SysWOW64\Mcpebmkb.exe C:\Windows\system32\Mcpebmkb.exe
C:\Windows\SysWOW64\Mkgmcjld.exe C:\Windows\system32\Mkgmcjld.exe
C:\Windows\SysWOW64\Mjjmog32.exe C:\Windows\system32\Mjjmog32.exe
C:\Windows\SysWOW64\Mnfipekh.exe C:\Windows\system32\Mnfipekh.exe
C:\Windows\SysWOW64\Mdpalp32.exe C:\Windows\system32\Mdpalp32.exe
C:\Windows\SysWOW64\Mgnnhk32.exe C:\Windows\system32\Mgnnhk32.exe
C:\Windows\SysWOW64\Njljefql.exe C:\Windows\system32\Njljefql.exe
C:\Windows\SysWOW64\Nacbfdao.exe C:\Windows\system32\Nacbfdao.exe
C:\Windows\SysWOW64\Ndbnboqb.exe C:\Windows\system32\Ndbnboqb.exe
C:\Windows\SysWOW64\Njogjfoj.exe C:\Windows\system32\Njogjfoj.exe
C:\Windows\SysWOW64\Ncgkcl32.exe C:\Windows\system32\Ncgkcl32.exe
C:\Windows\SysWOW64\Nkncdifl.exe C:\Windows\system32\Nkncdifl.exe
C:\Windows\SysWOW64\Nnmopdep.exe C:\Windows\system32\Nnmopdep.exe
C:\Windows\SysWOW64\Nqklmpdd.exe C:\Windows\system32\Nqklmpdd.exe
C:\Windows\SysWOW64\Ncihikcg.exe C:\Windows\system32\Ncihikcg.exe
C:\Windows\SysWOW64\Njcpee32.exe C:\Windows\system32\Njcpee32.exe
C:\Windows\SysWOW64\Nbkhfc32.exe C:\Windows\system32\Nbkhfc32.exe
C:\Windows\SysWOW64\Nqmhbpba.exe C:\Windows\system32\Nqmhbpba.exe
C:\Windows\SysWOW64\Ncldnkae.exe C:\Windows\system32\Ncldnkae.exe
C:\Windows\SysWOW64\Nkcmohbg.exe C:\Windows\system32\Nkcmohbg.exe
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 5968 -ip 5968
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 400
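
The WriteProcessMemory table and the Processes table together describe one long chain: every stage launches the next as C:\Windows\system32\<name>.exe, which WoW64 file system redirection resolves to the freshly dropped copy under C:\Windows\SysWOW64, and each link is logged three times. A parent writing into a child it has just created does not by itself separate injection from ordinary process setup; the signal worth extracting is the shape of the chain (a new SysWOW64 image at every hop, dozens deep). The script below is an added example, not part of the report or of any sandbox tooling, that collapses the repeated rows into unique edges, rebuilds the writer-to-target paths, and flags a chain in which every hop after the original sample is a distinct SysWOW64 image. The sample input is the first four links of the table above, copied with their triplicates.

```python
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Rows copied from the "Suspicious use of WriteProcessMemory" table above:
# the first four links of the chain, each logged three times by the sandbox.
SAMPLE_ROWS = r"""
PID 3780 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\87b0ad31508842022120123f5386a3a0_NeikiAnalytics.exe C:\Windows\SysWOW64\Hclakimb.exe
PID 3780 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\87b0ad31508842022120123f5386a3a0_NeikiAnalytics.exe C:\Windows\SysWOW64\Hclakimb.exe
PID 3780 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\87b0ad31508842022120123f5386a3a0_NeikiAnalytics.exe C:\Windows\SysWOW64\Hclakimb.exe
PID 4740 wrote to memory of 700 N/A C:\Windows\SysWOW64\Hclakimb.exe C:\Windows\SysWOW64\Hjfihc32.exe
PID 4740 wrote to memory of 700 N/A C:\Windows\SysWOW64\Hclakimb.exe C:\Windows\SysWOW64\Hjfihc32.exe
PID 4740 wrote to memory of 700 N/A C:\Windows\SysWOW64\Hclakimb.exe C:\Windows\SysWOW64\Hjfihc32.exe
PID 700 wrote to memory of 1548 N/A C:\Windows\SysWOW64\Hjfihc32.exe C:\Windows\SysWOW64\Hmdedo32.exe
PID 700 wrote to memory of 1548 N/A C:\Windows\SysWOW64\Hjfihc32.exe C:\Windows\SysWOW64\Hmdedo32.exe
PID 700 wrote to memory of 1548 N/A C:\Windows\SysWOW64\Hjfihc32.exe C:\Windows\SysWOW64\Hmdedo32.exe
PID 1548 wrote to memory of 1552 N/A C:\Windows\SysWOW64\Hmdedo32.exe C:\Windows\SysWOW64\Hjhfnccl.exe
PID 1548 wrote to memory of 1552 N/A C:\Windows\SysWOW64\Hmdedo32.exe C:\Windows\SysWOW64\Hjhfnccl.exe
PID 1548 wrote to memory of 1552 N/A C:\Windows\SysWOW64\Hmdedo32.exe C:\Windows\SysWOW64\Hjhfnccl.exe
"""

ROW_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
                    r"(?P<src_img>[A-Za-z]:\\\S+) (?P<dst_img>[A-Za-z]:\\\S+)$")
SYSWOW64 = "c:\\windows\\syswow64\\"


def parse_rows(text):
    """Collapse repeated rows into unique (src, dst) edges with a call count,
    and remember which image backs each PID."""
    counts, images = Counter(), {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        counts[(src, dst)] += 1
        images[src], images[dst] = m["src_img"], m["dst_img"]
    return counts, images


def root_to_leaf_paths(counts):
    """Every writer -> target path that starts at a PID nobody wrote into."""
    children = defaultdict(list)
    for src, dst in counts:
        children[src].append(dst)
    targets = {dst for _, dst in counts}
    roots = list(dict.fromkeys(src for src, _ in counts if src not in targets))

    def walk(pid, path):
        if not children.get(pid):
            return [path]
        return [p for child in children[pid] for p in walk(child, path + [child])]

    return [p for root in roots for p in walk(root, [root])]


def summarize(text):
    counts, images = parse_rows(text)
    paths = root_to_leaf_paths(counts)
    longest = max(paths, key=len) if paths else []
    hops = longest[1:]                      # everything the original sample spawned
    dropper_chain = (
        len(hops) >= 3
        and all(images[p].lower().startswith(SYSWOW64) for p in hops)
        and len({images[p].lower() for p in hops}) == len(hops)   # new name per hop
    )
    return {
        "edges": len(counts),
        "calls_per_edge": sorted(set(counts.values())),
        "longest_chain": longest,
        "images": [PureWindowsPath(images[p]).name for p in longest],
        "dropper_chain": dropper_chain,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_ROWS)
    print(" -> ".join(s["images"]))
    print("edges:", s["edges"], "calls per edge:", s["calls_per_edge"],
          "dropper chain:", s["dropper_chain"])
```

Run against the full table the same code yields one path from PID 3780 down to the last dropped stage; the depth and the one-image-per-hop property are what distinguish this from a legitimate parent that writes into a single child once.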

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.200:443 www.bing.com tcp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 200.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
BE 88.221.83.200:443 www.bing.com tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp

Files

memory/3780-0-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3780-5-0x0000000000432000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Hclakimb.exe

MD5 8273a0a36966d1f6e17c6749f8b087f8
SHA1 3baff9a8878dc7d0c84f1936ebf407020fecd896
SHA256 d2d1350ec600da425e4be3e469b64192e221f9d3088decd5a9843311f830bb9f
SHA512 b821559e2562dcbe21c1bf240e51725c973b18bb2ffa7b6fd4fc76ed2e38fb72f2d5925a3329b35b04a427295b29374d9dcbe2fce561dfd4c397d008430cece7

memory/4740-13-0x0000000000400000-0x0000000000442000-memory.dmp

memory/700-21-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Hjfihc32.exe

MD5 a2f9b0c76e888255adbcc5b013ee4c39
SHA1 5d725434965b9f94dd4ebb8d1662f7a7e17a3812
SHA256 1e90a20f554d26b99a6011788aaaa59605f46a80383d8071b90d1005a607423b
SHA512 e818d291221507e6e5e2d0177cebeccb19f116a7d3c95d59755fac50ae4f54fcecb43b2d434c360801393994b168ad31349d95b6492b77de40ddfbb9773b2989

memory/1548-25-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Hmdedo32.exe

MD5 c895b14a23f5f9b0b03fa59a012699f0
SHA1 375d3d51bf73cd4ccb38fda3f54965de56d0d393
SHA256 48a9216512f148505d7ba084e1f908939f157bc3dc95b647bea4ea76a853ac62
SHA512 db94b6e11e865087c13860de9f4aa263d2f872d50f7ce09177d3e33cb2e53a73f10bd19012c29383b0eae01a6296257f5a66083b527989f3de5a4b117263e8bb

memory/1552-32-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Hjhfnccl.exe

MD5 d46056792400c67fdfc7c60ed8e7c7c1
SHA1 878c6c794c9d151ff75c1b7f32884df4f4a8759e
SHA256 e58a73e308ca1b9892558e531456511dfc1ef40c7342d9c081e90f5aabcae10b
SHA512 7ab44fc1ac0ee56ea2f53be1c4b957bda9589caa1d4d59fda50e744765191bcd51b8fcd8fcd3656cb32404106c4ca780560b2004a99ba1b401517a49898899a3

memory/3596-45-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Habnjm32.exe

MD5 1ee0baacad57affafa84d05a0637a5d4
SHA1 3a9c3d2b8f733ce6263b0393c4cf7b742c7b59ce
SHA256 6e9d9f4062a9488cdff8e6d7626e8ad44f497a7330cc7d7ebb0f7d2ff3805af1
SHA512 3bd107b686adda4f270bfb9379aadceab03b9bc00417b6a3bd28166a52dc7f69be2373487641f6d96a0b55adf57afdd29f375d6d77938e217d93358e0c5293b0

C:\Windows\SysWOW64\Hmfbjnbp.exe

MD5 ab54041b3e565c36156b30a3b0504a41
SHA1 51ea1aed713a4c8d3a7a6fb3974d17c38f57c275
SHA256 7ae10217b821dab3b363900eeae3d93f4e75b2f56146b9ae115a39e5aebdc7c3
SHA512 45ff9eed44ed9e25dcf377c364acf9b602fa9854bb2b36829a6f050a05978d8feda480fe313c6fdb07133cc847e91037afca276e69f259d38e3da4cc651cce62

memory/4404-49-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Hjjbcbqj.exe

MD5 e0d43ee53f506db1546947fbe0376c16
SHA1 54312982cd7c20fa37d79a212a93c0a518d7d747
SHA256 6a6cfb4582abc343beaaf7598c5a3d87e9cdf112d695556ddd6bc3b25eb039b0
SHA512 6200b1588ad932ee48b03085351e43ea927eaa6e5a7888c795d29e5a78e85a3248e522817763585854d3296bc5131c6228d14b97d5ea297594a6545f7da33dd4

memory/3836-57-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Hmioonpn.exe

MD5 aed2ad3a557e2ee9ec168b2d5398a039
SHA1 ecb1b9a55c50a0567bb37a7542de6a8448af9cfc
SHA256 74d8fc5d4e72e9368a67df9d4225df41100afa756d2fe08c5a21892cab5066fa
SHA512 70fc0258b60734deef65838bb8e5609747b93cb103728c1e7a519bbffc94591080cf653fde8aaac1b769a6e7972a2e45206066a967c5b17ce840c68c2b799fff

memory/1112-64-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Hbeghene.exe

MD5 b815f915beb5f7ee176e39022482d408
SHA1 1c37fa85e9f6274797cf556f982722b22494ac56
SHA256 697ab4895d7915425336642d795a1516b0be97ad736e076552b0b36f008242f5
SHA512 850ad1461e856e133abe7679fc2a40fd182c2d98eb7f83c2e328602272188689090fc9229ad29a873fc85d1ac3bbf649d49ee2a5e384eea48065353a44150357

memory/3316-72-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Hippdo32.exe

MD5 a661950bc56138c582838625855caa39
SHA1 9671d9405a6886ea60d922e185473c1d2907dec5
SHA256 23d30151ebe45c80ae139b8febf651443cbc3c55cc1bf7b2657f74f140a94557
SHA512 16d54fcf1d67711b868bf29efabdd1131f743a681693bbd9687c81fc3d487fdd3c695374ff2f79ad15872e576b2a7e202daaae0745299875ae13ef311a5b37fb

memory/4916-81-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Haggelfd.exe

MD5 f2313aba4def0a37d1db940a9f3ad58f
SHA1 8dff842498bf27945ec77ea21dd33327f0488716
SHA256 f709d8800cf2c95d516c3bb770376a94f66c22422289c4958573c89b8180a05a
SHA512 8371c804921f60302aab1261837291e8df6e735f4c7509311e0f5bb2541950d51859ab855f8044ea9c5362c227058162109f08cebe3be06460c8a92ae2621376

memory/4724-89-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Hbhdmd32.exe

MD5 c53b908b70be85625cc34212d7f24ffb
SHA1 004c1f7ca469e3ac162f4a5bdfde57b53b54a333
SHA256 e2bdc5638baee7cdd1fe167a264062dab52e6838dc95013e7e12856e361f6edf
SHA512 d4be5e29ce621e27b9ed89d47dd084cf2b9f3884e203d79dd8d9e46ccd108616ea5edfe9d4cf5b48c425c44f7e928cc0d7016fb3983cd6e54620e62ce1cfc400

memory/4384-97-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Hjolnb32.exe

MD5 087c1088b11e86750130d8280547ad65
SHA1 e23097d6db59f8b4f7cc281856df50a21acd17cb
SHA256 bc146b3dfdc652205b04d908cee60f8efda77e28d0798716edbe965bbdafa7a3
SHA512 9399f318dc867dc5a7cb7269ecb127e1ea8ac3be9cb3c1c1fef8d0ffbb922467e89209b1cff8bbde8431e625cc402343a5872d296c707bfd33c19b9256d27c1f

memory/4988-105-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Ipldfi32.exe

MD5 88cd81e76a69e8cc44d1ab60fd9c0674
SHA1 4c17ade28c33ba5cd81846a92a6c1194b125c322
SHA256 6b8832d88b3123bb2170893acf38de234fbfdb1f9c687531f61718715bc1c3f6
SHA512 6f3fb5b59b7682ed8919e7e826f67b4d9124f923ea91bbd2c907a8d8eaa94ca5f820eed0ec3deb34bd347d171ea1ae20245939061db78049cdc2cfd71b456772

memory/692-113-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Iffmccbi.exe

MD5 317dd2730f20e3c474dcd97ec64d32d5
SHA1 fc353be254eeecf4c64aff260fc4318caafcade9
SHA256 b002f079f5ea023b8f61f00a5719db54ed1529ce2ac54811e5e7c5e2422f117d
SHA512 c879a22ba0a046ae42dd3d551fbb759c2b9691ff4f3ebfcbe89e9cc08f94402668cbf6712a4444c54d66e470a4f3fc5e7dc5dbfc84046823598c63a5f81f5da0

memory/4824-120-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Impepm32.exe

MD5 61fc9b1d1e5d63dd51a5fe4d0924ba53
SHA1 00a7fb476a1195e9baea011a5fb3cfe4c874634b
SHA256 3ee3b1514aea526cab4c482f2c76b427c35a8a5b83a5267dc15520b54ddf3de8
SHA512 3fe5e2fd4f72b1909599e4b8dd9592389221ea6a03074633086734721e65d10055a0ddec5a4f2fec6975938481aad76428b55a6ccff64e92167ecc1b9e49522c

memory/2952-129-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Ipnalhii.exe

MD5 e49a0dbf83120ccf57eecf461ff032ea
SHA1 f810db00c0d1f26d7ff9f77fc0b52776773050c5
SHA256 3f0bf00aaf5e2ae5f6b1f2c806e681429a8747e54ce4bacd39e951c23a820369
SHA512 a1c327d5d04e98183b20700b82e52227ceb6c8219682b467284aefd76a309ccf200588134b7a183938a82cdb573e4ae0317ae0b02890f2bea5a3ff7426b5db57

memory/3840-137-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Ifhiib32.exe

MD5 3e5e5c1f7373c1c2252a46ecbab83a6e
SHA1 1f1f172596e7f3b53d3997322effd58d4781f68b
SHA256 92ef803c68668220fb4238b3a1016b3cbef22b734558e82ab75b5b10c91cd971
SHA512 d94b89eab75d1878238b8328ab2cae80152de52a3c21aeb4f3f1f4beabfb81aa232bdd212ed39ec94d36e5bc8ce718ba65b61daa140eeaa83bf8388bf48b6cc1

memory/3384-145-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Ipqnahgf.exe

MD5 ee81084a21fc488cfc6c0045d0abe7fd
SHA1 041aefe53fed39d33a27dd258f7c019d97f4a236
SHA256 712fab14da70719c9535e04b3dfe6f78e930b08b6fbe8d573010569481363855
SHA512 34351b9dea27bbade101c948b06a3f9c840a47414a91921fe9301b0bafe270a695b8b1ebc41802d3dffd19dce335a0dcb83956e7a439a9c342005c8e23cbe315

memory/4744-153-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Ipqnahgf.exe

MD5 3879b4363bb2fc0f105b61332ee7f842
SHA1 d36220cf34dd128045248f89ddbb8faab9835021
SHA256 ce42a453c13f31e091ba2a98d56de7966ce773bd4a8c978ac746753bd7a88ce6
SHA512 02bfe2e4e3bc1d842b19795471308dc766d6ab93a10fdf77bfba8cf9b41bdbf680d90eb895fb9b14c7b576edbec210bce4275b9d0f784963c1224ab87edb781c

memory/876-161-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Iiibkn32.exe

MD5 9141bd8ddcf16c78e74eba3eaa5653ea
SHA1 5ec840a4d4d8edc587daeed187179a3a77d789a0
SHA256 a8dfe9f309a4123633e40e26743cbfc155e803be969e885fd607a427f4cf042b
SHA512 a2ce890ed7a3847f75ad9786c3f07abe0652d0ae9c0f4cb0f9ce8daea16c97c1945149f0aca9687f10a27636f21958ac3a13ff77aed8ba9d4491f84e5e38d736

memory/4832-168-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Ipckgh32.exe

MD5 f9961d2ddaf3ad5b9341e5617a4a7de5
SHA1 1eb5e6b2fbd6fcbec658aea169d8ddbbcab729af
SHA256 a9150ea6887fe581e1b31c4b11eaf9301129e74078e4d60c56f51936ac65cdcf
SHA512 fce099423c5628768892b65837bdef099ccf301142be964dff6c6a4abfdf9dde59b4a449c67fd1e0837d26106ef8142c92ae8cde3257d0a01fb62c8a0cd1e707

memory/3628-176-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Ifmcdblq.exe

MD5 de6ac3d5e5cb7aeb84b2f466816111ed
SHA1 4890a99b12170428ca05e05152bbb704665244b2
SHA256 d2112ff33b014c7ec6bced584b586465d97e5227b526f7cf1d7ab99186c3d007
SHA512 a5e967a8d993a27c0b88d155f8845970ef579d7b4790db82d935b6b70deef1fcfaa3c390d4b9b639e6f13bb6dccef5e9766c7846a52db1d5cf80ccd72b429e46

memory/3376-184-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Iikopmkd.exe

MD5 c1dd6a649b43240a1f5ccdb803ab26eb
SHA1 fb0beda36c556e7bd1cf968d03f3e8429b545fbd
SHA256 f3a8168a6d070f7dedbaf9d7e462c7f42d5335f720f4934b803621a45896b75d
SHA512 35e8e7078f8fef057efbb23f27a5cf7d2268eb09476344fa72472daeefe4eff48a90b50d67c29f4828443c5a6454d435482e38c2a2564544f166f9f9e07fb1e0

memory/2756-193-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Ipegmg32.exe

MD5 aea6ae8763ad138e3d1cef15ff9927d9
SHA1 a2cab5c2f83206744e03e4317f3ce2873780f8be
SHA256 17e4550287e050246247ea9a30080145383dcec3d12a6672232225b60ef5bccf
SHA512 1eb3ecddf692df210552dd8a0b0345c84e1f07077f60649347cd0d6db722c6b14f0aa5060568b485b6c094f97ac0c13f6d6da1adb6b5a825e956c7ee167ca775

memory/4892-201-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Ifopiajn.exe

MD5 fe3eddd262581a9200e00e5177d9149c
SHA1 4a4ba639f8bb73bfc572ebb324f46f78fba5a335
SHA256 b77cccf0d1e7f166f8768609e99cda091b4feb9a38f5e8524a1a91dfd38bb33c
SHA512 f0ccd317aa01433e30f0dcff2d4553b085534452ac7ff9fbb55de8ef79a679acb2c9c36901465de2dafc40e042fbe8ceac51434fd753e329800eed171f1fef22

memory/1160-213-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Imihfl32.exe

MD5 766782c79738d5fcc542b0bc05ce9ba4
SHA1 7f4a355a8c97f45f883e673515f206a0c6f33661
SHA256 c0f36108de4ed07e99fe4c2c6ecd6ad81383797f4dcc1660ce4fdb7f0d129f12
SHA512 6b013feecda76a8f679610fef8888795edf197205730bbfc826e8acb17511785cb69b86242f65bcd51b3bce6ef147102244c96b76480b1fa2168fd3e0d606bdb

memory/4460-217-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Jdcpcf32.exe

MD5 d91015636b2b68e48269fdbb4681b82a
SHA1 f6305696c8a94c0850fa3568850fd53e90cecc12
SHA256 ae929b145151d05ed43c4df56f941347befecaa49f5f888af0e1520e8f42c590
SHA512 da73e6c30d30e0fb5305ef565f8439ac24a6188d2a871392fadce77d9592fb57c4ef7f6c189cdf80a292c88d478393926194b968cc7c674ccad7a9055c6fa7fb

memory/2472-225-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Jiphkm32.exe

MD5 b120523aa0e49a158e89f4cdf0e9cc58
SHA1 4590c911c461b3e12765c72b9c29332267cae1e1
SHA256 c7428f986b90216b4eb8b19fe313437284bc3c11548b3ba93f1375eb9a4b231a
SHA512 baef0efbe41f4d89dd2c96bc088a9c55f4ab9628ab583ccb4f6a8c9b475298e16bd1b6fd2916d67631eb7e37dca67e056fb5670710c1f5557abef2fe428bcfa4

memory/3808-233-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Jpjqhgol.exe

MD5 7d224c96633886c2a4681fb0ac9889ce
SHA1 8d7eac788805ce1e48e27953d1edca6373bf3dff
SHA256 7efe6bdeda61eee96d9c67e37f48dd251bd409f74c30263f0524195aadfd07ab
SHA512 b95767a8eccd6308f2dbd4cfc56168f4788d30e576cd347076d0a2c0261db88254f5fba737ff9bc57d6616201312e4308332e232534f49fc9b6769d62b1f9029

memory/1284-245-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Jbhmdbnp.exe

MD5 2b930810b6b14b185cf31ce9e92485e4
SHA1 32362095971062ac278da744cd4c3e45c8f07727
SHA256 b5e00d5c87627d85410e2122535beac048c42c05d6091afa2730839ff56c9f28
SHA512 ccf1b818c9fe9a32ed293d1de7928aa4c5511da9c84ba0f5083eefccc63235dbbb8a2e97d84460e2ce96d981c3233848319591445d6daff3137583e54718ea5b

memory/1484-249-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Jibeql32.exe

MD5 a0c5a489e8fa2f018402da8f862aa983
SHA1 319708fd80c6d5bc5d5e5c88ce9848698f6b255b
SHA256 a434d8d16c3a55811758e8042c1a8cd685baf65e9964b6adb7f11b3ddc528588
SHA512 993ebf0c06eab9c55bfa5b8d579a34eb7299b9d44a8bf08bb6386722b5ebe7ebbaff49175ab7ea0975d5d79923149e78e0013ecc4d4d50f767432a1b55c271a3

memory/2548-257-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1928-263-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4688-273-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4220-275-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3100-281-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3708-291-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4488-296-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2728-304-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2620-305-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1044-311-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1240-317-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2316-327-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4664-335-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4500-334-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4524-345-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1012-351-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2116-353-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4036-359-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3640-367-0x0000000000400000-0x0000000000442000-memory.dmp

memory/228-372-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2392-377-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3416-383-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1968-393-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4960-400-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4432-401-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4668-412-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3980-418-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1132-419-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3648-430-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3996-431-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4544-437-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3868-443-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1588-451-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2196-459-0x0000000000400000-0x0000000000442000-memory.dmp

memory/920-461-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3948-467-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1460-473-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3612-479-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1140-485-0x0000000000400000-0x0000000000442000-memory.dmp

memory/5044-491-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4920-498-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Laciofpa.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1556-508-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3884-514-0x0000000000400000-0x0000000000442000-memory.dmp

memory/64-519-0x0000000000400000-0x0000000000442000-memory.dmp

memory/516-521-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1444-531-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2740-537-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4032-540-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3780-539-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2324-546-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1656-552-0x0000000000400000-0x0000000000442000-memory.dmp

memory/5060-558-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1548-564-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2044-565-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2788-576-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1552-571-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2696-583-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4404-584-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1324-585-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3836-591-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2304-592-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3040-599-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1112-598-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Mnfipekh.exe

MD5 3be72ddb7cd4d2556d5cd6a24d2add5d
SHA1 0351e8923fa015ea6040de78b50583df0dba6d4f
SHA256 cf2e247a9c45a2e19c60fbe0d400a7e05e5697ecafb8badf98d96ee031918a45
SHA512 83e0c579cd4cf03081ce9b52c681e30f1198bf2f630cfdb5a5a852395f68ae312fec94948a85128e1fb9c7b6defb78b9a77508003878a0818a1b19be29a61ded

C:\Windows\SysWOW64\Nkcmohbg.exe

MD5 35024e3c2afc1515c94ac97284d3c68c
SHA1 bc8f6a14c788e73d418658ed18ac1fc9159f674c
SHA256 5e15d07eed9b122a6035b3648a6ec4f0f32485876013bd49f10dfeae6f789294
SHA512 ac9470fa412397d13fdf49018ff7f13e1a01f3c5c87f8802fa59732ef32e2f1d6124fbc8867b6777c737e576ead98019cf9ef43b59d8a4f68d859c2f05efcb28