Malware Analysis Report

2025-01-23 05:53

Sample ID 240523-gsefaafh33
Target cf9d11295694eb3cb4b29c9211968ab0_NeikiAnalytics.exe
SHA256 a4696769bb36471e52d9aac44a733f2d4cdaf119289b47fb2a523fda92f2f085
Tags
backdoor trojan dropper berbew persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a4696769bb36471e52d9aac44a733f2d4cdaf119289b47fb2a523fda92f2f085

Threat Level: Known bad

The file cf9d11295694eb3cb4b29c9211968ab0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

backdoor trojan dropper berbew persistence

Berbew family

Malware Dropper & Backdoor - Berbew

Adds autorun key to be loaded by Explorer.exe on startup

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-23 06:03

Signatures

Berbew family

berbew

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-23 06:03

Reported

2024-05-23 06:06

Platform

win7-20240508-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cf9d11295694eb3cb4b29c9211968ab0_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dbehoa32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eiaiqn32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Facdeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Fbgmbg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bpafkknm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bokphdld.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fejgko32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ggpimica.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hggomh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qlhnbf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ebbgid32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Facdeo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gfefiemq.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gangic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gbnccfpb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Goddhg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hahjpbad.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eflgccbp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Epieghdk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Fphafl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gpknlk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gaemjbcg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hgbebiao.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ckignd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Fjdbnf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Fjlhneio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gmgdddmq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Adeplhib.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Epfhbign.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ennaieib.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hlcgeo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hhjhkq32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Adjigg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gaemjbcg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dbehoa32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bhcdaibd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bnefdp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ckignd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dnlidb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Eflgccbp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Efncicpm.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Faagpp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Qlhnbf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Henidd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gkkemh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Iaeiieeb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Eloemi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bcaomf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dnlidb32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Enkece32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Fejgko32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gpknlk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ghkllmoi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Geolea32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bommnc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hhjhkq32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hpapln32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hgilchkf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Adeplhib.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ebbgid32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gfefiemq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gangic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Qdccfh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bnbjopoi.exe N/A

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Qlhnbf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qdccfh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Adeplhib.exe N/A
N/A N/A C:\Windows\SysWOW64\Aplpai32.exe N/A
N/A N/A C:\Windows\SysWOW64\Adjigg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ambmpmln.exe N/A
N/A N/A C:\Windows\SysWOW64\Apcfahio.exe N/A
N/A N/A C:\Windows\SysWOW64\Aljgfioc.exe N/A
N/A N/A C:\Windows\SysWOW64\Bingpmnl.exe N/A
N/A N/A C:\Windows\SysWOW64\Bokphdld.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhcdaibd.exe N/A
N/A N/A C:\Windows\SysWOW64\Bommnc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Balijo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdjefj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkdmcdoe.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnbjopoi.exe N/A
N/A N/A C:\Windows\SysWOW64\Bpafkknm.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhhnli32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkfjhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnefdp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bpcbqk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bcaomf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckignd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cndbcc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhjgal32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dodonf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Djnpnc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dbehoa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddcdkl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnlidb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddeaalpg.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmafennb.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqlafm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfijnd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecmkghcl.exe N/A
N/A N/A C:\Windows\SysWOW64\Eflgccbp.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebbgid32.exe N/A
N/A N/A C:\Windows\SysWOW64\Efncicpm.exe N/A
N/A N/A C:\Windows\SysWOW64\Epfhbign.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebedndfa.exe N/A
N/A N/A C:\Windows\SysWOW64\Epieghdk.exe N/A
N/A N/A C:\Windows\SysWOW64\Enkece32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiaiqn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eloemi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ennaieib.exe N/A
N/A N/A C:\Windows\SysWOW64\Flabbihl.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjdbnf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmcoja32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fejgko32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fhhcgj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmekoalh.exe N/A
N/A N/A C:\Windows\SysWOW64\Faagpp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fdoclk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Filldb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Facdeo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbdqmghm.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjlhneio.exe N/A
N/A N/A C:\Windows\SysWOW64\Fphafl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbgmbg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmlapp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gpknlk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gfefiemq.exe N/A
N/A N/A C:\Windows\SysWOW64\Gicbeald.exe N/A
N/A N/A C:\Windows\SysWOW64\Gpmjak32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf9d11295694eb3cb4b29c9211968ab0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf9d11295694eb3cb4b29c9211968ab0_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\SysWOW64\Qlhnbf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qlhnbf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qdccfh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qdccfh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Adeplhib.exe N/A
N/A N/A C:\Windows\SysWOW64\Adeplhib.exe N/A
N/A N/A C:\Windows\SysWOW64\Aplpai32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aplpai32.exe N/A
N/A N/A C:\Windows\SysWOW64\Adjigg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Adjigg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ambmpmln.exe N/A
N/A N/A C:\Windows\SysWOW64\Ambmpmln.exe N/A
N/A N/A C:\Windows\SysWOW64\Apcfahio.exe N/A
N/A N/A C:\Windows\SysWOW64\Apcfahio.exe N/A
N/A N/A C:\Windows\SysWOW64\Aljgfioc.exe N/A
N/A N/A C:\Windows\SysWOW64\Aljgfioc.exe N/A
N/A N/A C:\Windows\SysWOW64\Bingpmnl.exe N/A
N/A N/A C:\Windows\SysWOW64\Bingpmnl.exe N/A
N/A N/A C:\Windows\SysWOW64\Bokphdld.exe N/A
N/A N/A C:\Windows\SysWOW64\Bokphdld.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhcdaibd.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhcdaibd.exe N/A
N/A N/A C:\Windows\SysWOW64\Bommnc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bommnc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Balijo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Balijo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdjefj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdjefj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkdmcdoe.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkdmcdoe.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnbjopoi.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnbjopoi.exe N/A
N/A N/A C:\Windows\SysWOW64\Bpafkknm.exe N/A
N/A N/A C:\Windows\SysWOW64\Bpafkknm.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhhnli32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhhnli32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkfjhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkfjhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnefdp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnefdp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bpcbqk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bpcbqk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bcaomf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bcaomf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckignd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckignd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cndbcc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cndbcc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhjgal32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhjgal32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dodonf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dodonf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Djnpnc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Djnpnc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dbehoa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dbehoa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddcdkl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddcdkl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnlidb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnlidb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddeaalpg.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddeaalpg.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Lgahch32.dll C:\Windows\SysWOW64\Fmekoalh.exe N/A
File opened for modification C:\Windows\SysWOW64\Fdoclk32.exe C:\Windows\SysWOW64\Faagpp32.exe N/A
File created C:\Windows\SysWOW64\Ghkllmoi.exe C:\Windows\SysWOW64\Gbnccfpb.exe N/A
File created C:\Windows\SysWOW64\Hlcgeo32.exe C:\Windows\SysWOW64\Hggomh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Epieghdk.exe C:\Windows\SysWOW64\Ebedndfa.exe N/A
File opened for modification C:\Windows\SysWOW64\Fhhcgj32.exe C:\Windows\SysWOW64\Fejgko32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dfijnd32.exe C:\Windows\SysWOW64\Dqlafm32.exe N/A
File created C:\Windows\SysWOW64\Fjdbnf32.exe C:\Windows\SysWOW64\Flabbihl.exe N/A
File opened for modification C:\Windows\SysWOW64\Gicbeald.exe C:\Windows\SysWOW64\Gfefiemq.exe N/A
File created C:\Windows\SysWOW64\Gddifnbk.exe C:\Windows\SysWOW64\Gaemjbcg.exe N/A
File opened for modification C:\Windows\SysWOW64\Gddifnbk.exe C:\Windows\SysWOW64\Gaemjbcg.exe N/A
File created C:\Windows\SysWOW64\Oiahfd32.dll C:\Windows\SysWOW64\Apcfahio.exe N/A
File created C:\Windows\SysWOW64\Bnbjopoi.exe C:\Windows\SysWOW64\Bkdmcdoe.exe N/A
File created C:\Windows\SysWOW64\Khejeajg.dll C:\Windows\SysWOW64\Hlcgeo32.exe N/A
File created C:\Windows\SysWOW64\Jjcpjl32.dll C:\Windows\SysWOW64\Gddifnbk.exe N/A
File created C:\Windows\SysWOW64\Aljgfioc.exe C:\Windows\SysWOW64\Apcfahio.exe N/A
File created C:\Windows\SysWOW64\Bpafkknm.exe C:\Windows\SysWOW64\Bnbjopoi.exe N/A
File opened for modification C:\Windows\SysWOW64\Ghkllmoi.exe C:\Windows\SysWOW64\Gbnccfpb.exe N/A
File opened for modification C:\Windows\SysWOW64\Hahjpbad.exe C:\Windows\SysWOW64\Hgbebiao.exe N/A
File opened for modification C:\Windows\SysWOW64\Hkpnhgge.exe C:\Windows\SysWOW64\Hcifgjgc.exe N/A
File created C:\Windows\SysWOW64\Ndejjf32.dll C:\Windows\SysWOW64\Adeplhib.exe N/A
File created C:\Windows\SysWOW64\Dhjgal32.exe C:\Windows\SysWOW64\Cndbcc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fmekoalh.exe C:\Windows\SysWOW64\Fhhcgj32.exe N/A
File created C:\Windows\SysWOW64\Clphjpmh.dll C:\Windows\SysWOW64\Facdeo32.exe N/A
File created C:\Windows\SysWOW64\Gobgcg32.exe C:\Windows\SysWOW64\Ghhofmql.exe N/A
File created C:\Windows\SysWOW64\Kkjjld32.dll C:\Users\Admin\AppData\Local\Temp\cf9d11295694eb3cb4b29c9211968ab0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Ddeaalpg.exe C:\Windows\SysWOW64\Dnlidb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hcnpbi32.exe C:\Windows\SysWOW64\Hlcgeo32.exe N/A
File created C:\Windows\SysWOW64\Lefmambf.dll C:\Windows\SysWOW64\Dnlidb32.exe N/A
File created C:\Windows\SysWOW64\Filldb32.exe C:\Windows\SysWOW64\Fdoclk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bhcdaibd.exe C:\Windows\SysWOW64\Bokphdld.exe N/A
File created C:\Windows\SysWOW64\Lilchoah.dll C:\Windows\SysWOW64\Bhcdaibd.exe N/A
File created C:\Windows\SysWOW64\Aoipdkgg.dll C:\Windows\SysWOW64\Bpafkknm.exe N/A
File created C:\Windows\SysWOW64\Hfbenjka.dll C:\Windows\SysWOW64\Cndbcc32.exe N/A
File created C:\Windows\SysWOW64\Dfijnd32.exe C:\Windows\SysWOW64\Dqlafm32.exe N/A
File created C:\Windows\SysWOW64\Ajlppdeb.dll C:\Windows\SysWOW64\Ennaieib.exe N/A
File created C:\Windows\SysWOW64\Kleiio32.dll C:\Windows\SysWOW64\Gfefiemq.exe N/A
File opened for modification C:\Windows\SysWOW64\Hhjhkq32.exe C:\Windows\SysWOW64\Hgilchkf.exe N/A
File created C:\Windows\SysWOW64\Andkhh32.dll C:\Windows\SysWOW64\Adjigg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bingpmnl.exe C:\Windows\SysWOW64\Aljgfioc.exe N/A
File opened for modification C:\Windows\SysWOW64\Iknnbklc.exe C:\Windows\SysWOW64\Idceea32.exe N/A
File opened for modification C:\Windows\SysWOW64\Flabbihl.exe C:\Windows\SysWOW64\Ennaieib.exe N/A
File created C:\Windows\SysWOW64\Iknnbklc.exe C:\Windows\SysWOW64\Idceea32.exe N/A
File created C:\Windows\SysWOW64\Gfefiemq.exe C:\Windows\SysWOW64\Gpknlk32.exe N/A
File created C:\Windows\SysWOW64\Djnpnc32.exe C:\Windows\SysWOW64\Dodonf32.exe N/A
File created C:\Windows\SysWOW64\Lbidmekh.dll C:\Windows\SysWOW64\Epieghdk.exe N/A
File created C:\Windows\SysWOW64\Iebpge32.dll C:\Windows\SysWOW64\Gbnccfpb.exe N/A
File created C:\Windows\SysWOW64\Dbnkge32.dll C:\Windows\SysWOW64\Gmgdddmq.exe N/A
File opened for modification C:\Windows\SysWOW64\Iaeiieeb.exe C:\Windows\SysWOW64\Hlhaqogk.exe N/A
File opened for modification C:\Windows\SysWOW64\Qdccfh32.exe C:\Windows\SysWOW64\Qlhnbf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dnlidb32.exe C:\Windows\SysWOW64\Ddcdkl32.exe N/A
File created C:\Windows\SysWOW64\Ikeogmlj.dll C:\Windows\SysWOW64\Bdjefj32.exe N/A
File created C:\Windows\SysWOW64\Ddflckmp.dll C:\Windows\SysWOW64\Bhhnli32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ckignd32.exe C:\Windows\SysWOW64\Bcaomf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ddcdkl32.exe C:\Windows\SysWOW64\Dbehoa32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ebedndfa.exe C:\Windows\SysWOW64\Epfhbign.exe N/A
File created C:\Windows\SysWOW64\Gicbeald.exe C:\Windows\SysWOW64\Gfefiemq.exe N/A
File opened for modification C:\Windows\SysWOW64\Aljgfioc.exe C:\Windows\SysWOW64\Apcfahio.exe N/A
File created C:\Windows\SysWOW64\Bkdmcdoe.exe C:\Windows\SysWOW64\Bdjefj32.exe N/A
File created C:\Windows\SysWOW64\Eqpofkjo.dll C:\Windows\SysWOW64\Idceea32.exe N/A
File created C:\Windows\SysWOW64\Inljnfkg.exe C:\Windows\SysWOW64\Iknnbklc.exe N/A
File opened for modification C:\Windows\SysWOW64\Gangic32.exe C:\Windows\SysWOW64\Gpmjak32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gbnccfpb.exe C:\Windows\SysWOW64\Gobgcg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fmlapp32.exe C:\Windows\SysWOW64\Fbgmbg32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Iagfoe32.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gkkemh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mncnkh32.dll" C:\Windows\SysWOW64\Gpmjak32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dmafennb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ecmkghcl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Gobgcg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ghkllmoi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfmpcjge.dll" C:\Windows\SysWOW64\Bkfjhd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihomanac.dll" C:\Windows\SysWOW64\Balijo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Djnpnc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Dfijnd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpdhmlbj.dll" C:\Windows\SysWOW64\Ebedndfa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Epieghdk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfoihbdp.dll" C:\Windows\SysWOW64\Fmlapp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aplpai32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bhcdaibd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mocaac32.dll" C:\Windows\SysWOW64\Bkdmcdoe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpmei32.dll" C:\Windows\SysWOW64\Eloemi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fbgmbg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Gicbeald.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Bokphdld.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bnefdp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Memeaofm.dll" C:\Windows\SysWOW64\Dhjgal32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dnlidb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ddeaalpg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Gddifnbk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fealjk32.dll" C:\Windows\SysWOW64\Hahjpbad.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Hgilchkf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiahfd32.dll" C:\Windows\SysWOW64\Apcfahio.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Filldb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Hahjpbad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hlcgeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chcphm32.dll" C:\Windows\SysWOW64\Efncicpm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lefmambf.dll" C:\Windows\SysWOW64\Dnlidb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ennaieib.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Facdeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmibbifn.dll" C:\Windows\SysWOW64\Hlhaqogk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bommnc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gicbeald.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabfdklg.dll" C:\Windows\SysWOW64\Gobgcg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ggpimica.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Bpafkknm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkamkfgh.dll" C:\Windows\SysWOW64\Filldb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ghhofmql.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnkge32.dll" C:\Windows\SysWOW64\Gmgdddmq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hcnpbi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glqllcbf.dll" C:\Windows\SysWOW64\Hhjhkq32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ambmpmln.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Geolea32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hojopmqk.dll" C:\Windows\SysWOW64\Hgilchkf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Eloemi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Goddhg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Hcnpbi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Eiaiqn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bdjefj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgcmfjnn.dll" C:\Windows\SysWOW64\Dqlafm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dfijnd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fmlapp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gobgcg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Hcifgjgc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hgilchkf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\cf9d11295694eb3cb4b29c9211968ab0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Hpapln32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bkfjhd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aofqfokm.dll" C:\Windows\SysWOW64\Ambmpmln.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1196 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\cf9d11295694eb3cb4b29c9211968ab0_NeikiAnalytics.exe C:\Windows\SysWOW64\Qlhnbf32.exe
PID 1196 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\cf9d11295694eb3cb4b29c9211968ab0_NeikiAnalytics.exe C:\Windows\SysWOW64\Qlhnbf32.exe
PID 1196 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\cf9d11295694eb3cb4b29c9211968ab0_NeikiAnalytics.exe C:\Windows\SysWOW64\Qlhnbf32.exe
PID 1196 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\cf9d11295694eb3cb4b29c9211968ab0_NeikiAnalytics.exe C:\Windows\SysWOW64\Qlhnbf32.exe
PID 2936 wrote to memory of 1812 N/A C:\Windows\SysWOW64\Qlhnbf32.exe C:\Windows\SysWOW64\Qdccfh32.exe
PID 2936 wrote to memory of 1812 N/A C:\Windows\SysWOW64\Qlhnbf32.exe C:\Windows\SysWOW64\Qdccfh32.exe
PID 2936 wrote to memory of 1812 N/A C:\Windows\SysWOW64\Qlhnbf32.exe C:\Windows\SysWOW64\Qdccfh32.exe
PID 2936 wrote to memory of 1812 N/A C:\Windows\SysWOW64\Qlhnbf32.exe C:\Windows\SysWOW64\Qdccfh32.exe
PID 1812 wrote to memory of 2892 N/A C:\Windows\SysWOW64\Qdccfh32.exe C:\Windows\SysWOW64\Adeplhib.exe
PID 1812 wrote to memory of 2892 N/A C:\Windows\SysWOW64\Qdccfh32.exe C:\Windows\SysWOW64\Adeplhib.exe
PID 1812 wrote to memory of 2892 N/A C:\Windows\SysWOW64\Qdccfh32.exe C:\Windows\SysWOW64\Adeplhib.exe
PID 1812 wrote to memory of 2892 N/A C:\Windows\SysWOW64\Qdccfh32.exe C:\Windows\SysWOW64\Adeplhib.exe
PID 2892 wrote to memory of 2572 N/A C:\Windows\SysWOW64\Adeplhib.exe C:\Windows\SysWOW64\Aplpai32.exe
PID 2892 wrote to memory of 2572 N/A C:\Windows\SysWOW64\Adeplhib.exe C:\Windows\SysWOW64\Aplpai32.exe
PID 2892 wrote to memory of 2572 N/A C:\Windows\SysWOW64\Adeplhib.exe C:\Windows\SysWOW64\Aplpai32.exe
PID 2892 wrote to memory of 2572 N/A C:\Windows\SysWOW64\Adeplhib.exe C:\Windows\SysWOW64\Aplpai32.exe
PID 2572 wrote to memory of 2788 N/A C:\Windows\SysWOW64\Aplpai32.exe C:\Windows\SysWOW64\Adjigg32.exe
PID 2572 wrote to memory of 2788 N/A C:\Windows\SysWOW64\Aplpai32.exe C:\Windows\SysWOW64\Adjigg32.exe
PID 2572 wrote to memory of 2788 N/A C:\Windows\SysWOW64\Aplpai32.exe C:\Windows\SysWOW64\Adjigg32.exe
PID 2572 wrote to memory of 2788 N/A C:\Windows\SysWOW64\Aplpai32.exe C:\Windows\SysWOW64\Adjigg32.exe
PID 2788 wrote to memory of 2716 N/A C:\Windows\SysWOW64\Adjigg32.exe C:\Windows\SysWOW64\Ambmpmln.exe
PID 2788 wrote to memory of 2716 N/A C:\Windows\SysWOW64\Adjigg32.exe C:\Windows\SysWOW64\Ambmpmln.exe
PID 2788 wrote to memory of 2716 N/A C:\Windows\SysWOW64\Adjigg32.exe C:\Windows\SysWOW64\Ambmpmln.exe
PID 2788 wrote to memory of 2716 N/A C:\Windows\SysWOW64\Adjigg32.exe C:\Windows\SysWOW64\Ambmpmln.exe
PID 2716 wrote to memory of 2708 N/A C:\Windows\SysWOW64\Ambmpmln.exe C:\Windows\SysWOW64\Apcfahio.exe
PID 2716 wrote to memory of 2708 N/A C:\Windows\SysWOW64\Ambmpmln.exe C:\Windows\SysWOW64\Apcfahio.exe
PID 2716 wrote to memory of 2708 N/A C:\Windows\SysWOW64\Ambmpmln.exe C:\Windows\SysWOW64\Apcfahio.exe
PID 2716 wrote to memory of 2708 N/A C:\Windows\SysWOW64\Ambmpmln.exe C:\Windows\SysWOW64\Apcfahio.exe
PID 2708 wrote to memory of 2524 N/A C:\Windows\SysWOW64\Apcfahio.exe C:\Windows\SysWOW64\Aljgfioc.exe
PID 2708 wrote to memory of 2524 N/A C:\Windows\SysWOW64\Apcfahio.exe C:\Windows\SysWOW64\Aljgfioc.exe
PID 2708 wrote to memory of 2524 N/A C:\Windows\SysWOW64\Apcfahio.exe C:\Windows\SysWOW64\Aljgfioc.exe
PID 2708 wrote to memory of 2524 N/A C:\Windows\SysWOW64\Apcfahio.exe C:\Windows\SysWOW64\Aljgfioc.exe
PID 2524 wrote to memory of 2384 N/A C:\Windows\SysWOW64\Aljgfioc.exe C:\Windows\SysWOW64\Bingpmnl.exe
PID 2524 wrote to memory of 2384 N/A C:\Windows\SysWOW64\Aljgfioc.exe C:\Windows\SysWOW64\Bingpmnl.exe
PID 2524 wrote to memory of 2384 N/A C:\Windows\SysWOW64\Aljgfioc.exe C:\Windows\SysWOW64\Bingpmnl.exe
PID 2524 wrote to memory of 2384 N/A C:\Windows\SysWOW64\Aljgfioc.exe C:\Windows\SysWOW64\Bingpmnl.exe
PID 2384 wrote to memory of 1696 N/A C:\Windows\SysWOW64\Bingpmnl.exe C:\Windows\SysWOW64\Bokphdld.exe
PID 2384 wrote to memory of 1696 N/A C:\Windows\SysWOW64\Bingpmnl.exe C:\Windows\SysWOW64\Bokphdld.exe
PID 2384 wrote to memory of 1696 N/A C:\Windows\SysWOW64\Bingpmnl.exe C:\Windows\SysWOW64\Bokphdld.exe
PID 2384 wrote to memory of 1696 N/A C:\Windows\SysWOW64\Bingpmnl.exe C:\Windows\SysWOW64\Bokphdld.exe
PID 1696 wrote to memory of 2352 N/A C:\Windows\SysWOW64\Bokphdld.exe C:\Windows\SysWOW64\Bhcdaibd.exe
PID 1696 wrote to memory of 2352 N/A C:\Windows\SysWOW64\Bokphdld.exe C:\Windows\SysWOW64\Bhcdaibd.exe
PID 1696 wrote to memory of 2352 N/A C:\Windows\SysWOW64\Bokphdld.exe C:\Windows\SysWOW64\Bhcdaibd.exe
PID 1696 wrote to memory of 2352 N/A C:\Windows\SysWOW64\Bokphdld.exe C:\Windows\SysWOW64\Bhcdaibd.exe
PID 2352 wrote to memory of 2744 N/A C:\Windows\SysWOW64\Bhcdaibd.exe C:\Windows\SysWOW64\Bommnc32.exe
PID 2352 wrote to memory of 2744 N/A C:\Windows\SysWOW64\Bhcdaibd.exe C:\Windows\SysWOW64\Bommnc32.exe
PID 2352 wrote to memory of 2744 N/A C:\Windows\SysWOW64\Bhcdaibd.exe C:\Windows\SysWOW64\Bommnc32.exe
PID 2352 wrote to memory of 2744 N/A C:\Windows\SysWOW64\Bhcdaibd.exe C:\Windows\SysWOW64\Bommnc32.exe
PID 2744 wrote to memory of 2768 N/A C:\Windows\SysWOW64\Bommnc32.exe C:\Windows\SysWOW64\Balijo32.exe
PID 2744 wrote to memory of 2768 N/A C:\Windows\SysWOW64\Bommnc32.exe C:\Windows\SysWOW64\Balijo32.exe
PID 2744 wrote to memory of 2768 N/A C:\Windows\SysWOW64\Bommnc32.exe C:\Windows\SysWOW64\Balijo32.exe
PID 2744 wrote to memory of 2768 N/A C:\Windows\SysWOW64\Bommnc32.exe C:\Windows\SysWOW64\Balijo32.exe
PID 2768 wrote to memory of 2408 N/A C:\Windows\SysWOW64\Balijo32.exe C:\Windows\SysWOW64\Bdjefj32.exe
PID 2768 wrote to memory of 2408 N/A C:\Windows\SysWOW64\Balijo32.exe C:\Windows\SysWOW64\Bdjefj32.exe
PID 2768 wrote to memory of 2408 N/A C:\Windows\SysWOW64\Balijo32.exe C:\Windows\SysWOW64\Bdjefj32.exe
PID 2768 wrote to memory of 2408 N/A C:\Windows\SysWOW64\Balijo32.exe C:\Windows\SysWOW64\Bdjefj32.exe
PID 2408 wrote to memory of 2236 N/A C:\Windows\SysWOW64\Bdjefj32.exe C:\Windows\SysWOW64\Bkdmcdoe.exe
PID 2408 wrote to memory of 2236 N/A C:\Windows\SysWOW64\Bdjefj32.exe C:\Windows\SysWOW64\Bkdmcdoe.exe
PID 2408 wrote to memory of 2236 N/A C:\Windows\SysWOW64\Bdjefj32.exe C:\Windows\SysWOW64\Bkdmcdoe.exe
PID 2408 wrote to memory of 2236 N/A C:\Windows\SysWOW64\Bdjefj32.exe C:\Windows\SysWOW64\Bkdmcdoe.exe
PID 2236 wrote to memory of 992 N/A C:\Windows\SysWOW64\Bkdmcdoe.exe C:\Windows\SysWOW64\Bnbjopoi.exe
PID 2236 wrote to memory of 992 N/A C:\Windows\SysWOW64\Bkdmcdoe.exe C:\Windows\SysWOW64\Bnbjopoi.exe
PID 2236 wrote to memory of 992 N/A C:\Windows\SysWOW64\Bkdmcdoe.exe C:\Windows\SysWOW64\Bnbjopoi.exe
PID 2236 wrote to memory of 992 N/A C:\Windows\SysWOW64\Bkdmcdoe.exe C:\Windows\SysWOW64\Bnbjopoi.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cf9d11295694eb3cb4b29c9211968ab0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\cf9d11295694eb3cb4b29c9211968ab0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Qlhnbf32.exe

C:\Windows\system32\Qlhnbf32.exe

C:\Windows\SysWOW64\Qdccfh32.exe

C:\Windows\system32\Qdccfh32.exe

C:\Windows\SysWOW64\Adeplhib.exe

C:\Windows\system32\Adeplhib.exe

C:\Windows\SysWOW64\Aplpai32.exe

C:\Windows\system32\Aplpai32.exe

C:\Windows\SysWOW64\Adjigg32.exe

C:\Windows\system32\Adjigg32.exe

C:\Windows\SysWOW64\Ambmpmln.exe

C:\Windows\system32\Ambmpmln.exe

C:\Windows\SysWOW64\Apcfahio.exe

C:\Windows\system32\Apcfahio.exe

C:\Windows\SysWOW64\Aljgfioc.exe

C:\Windows\system32\Aljgfioc.exe

C:\Windows\SysWOW64\Bingpmnl.exe

C:\Windows\system32\Bingpmnl.exe

C:\Windows\SysWOW64\Bokphdld.exe

C:\Windows\system32\Bokphdld.exe

C:\Windows\SysWOW64\Bhcdaibd.exe

C:\Windows\system32\Bhcdaibd.exe

C:\Windows\SysWOW64\Bommnc32.exe

C:\Windows\system32\Bommnc32.exe

C:\Windows\SysWOW64\Balijo32.exe

C:\Windows\system32\Balijo32.exe

C:\Windows\SysWOW64\Bdjefj32.exe

C:\Windows\system32\Bdjefj32.exe

C:\Windows\SysWOW64\Bkdmcdoe.exe

C:\Windows\system32\Bkdmcdoe.exe

C:\Windows\SysWOW64\Bnbjopoi.exe

C:\Windows\system32\Bnbjopoi.exe

C:\Windows\SysWOW64\Bpafkknm.exe

C:\Windows\system32\Bpafkknm.exe

C:\Windows\SysWOW64\Bhhnli32.exe

C:\Windows\system32\Bhhnli32.exe

C:\Windows\SysWOW64\Bkfjhd32.exe

C:\Windows\system32\Bkfjhd32.exe

C:\Windows\SysWOW64\Bnefdp32.exe

C:\Windows\system32\Bnefdp32.exe

C:\Windows\SysWOW64\Bpcbqk32.exe

C:\Windows\system32\Bpcbqk32.exe

C:\Windows\SysWOW64\Bcaomf32.exe

C:\Windows\system32\Bcaomf32.exe

C:\Windows\SysWOW64\Ckignd32.exe

C:\Windows\system32\Ckignd32.exe

C:\Windows\SysWOW64\Cndbcc32.exe

C:\Windows\system32\Cndbcc32.exe

C:\Windows\SysWOW64\Dhjgal32.exe

C:\Windows\system32\Dhjgal32.exe

C:\Windows\SysWOW64\Dodonf32.exe

C:\Windows\system32\Dodonf32.exe

C:\Windows\SysWOW64\Djnpnc32.exe

C:\Windows\system32\Djnpnc32.exe

C:\Windows\SysWOW64\Dbehoa32.exe

C:\Windows\system32\Dbehoa32.exe

C:\Windows\SysWOW64\Ddcdkl32.exe

C:\Windows\system32\Ddcdkl32.exe

C:\Windows\SysWOW64\Dnlidb32.exe

C:\Windows\system32\Dnlidb32.exe

C:\Windows\SysWOW64\Ddeaalpg.exe

C:\Windows\system32\Ddeaalpg.exe

C:\Windows\SysWOW64\Dmafennb.exe

C:\Windows\system32\Dmafennb.exe

C:\Windows\SysWOW64\Dqlafm32.exe

C:\Windows\system32\Dqlafm32.exe

C:\Windows\SysWOW64\Dfijnd32.exe

C:\Windows\system32\Dfijnd32.exe

C:\Windows\SysWOW64\Ecmkghcl.exe

C:\Windows\system32\Ecmkghcl.exe

C:\Windows\SysWOW64\Eflgccbp.exe

C:\Windows\system32\Eflgccbp.exe

C:\Windows\SysWOW64\Ebbgid32.exe

C:\Windows\system32\Ebbgid32.exe

C:\Windows\SysWOW64\Efncicpm.exe

C:\Windows\system32\Efncicpm.exe

C:\Windows\SysWOW64\Epfhbign.exe

C:\Windows\system32\Epfhbign.exe

C:\Windows\SysWOW64\Ebedndfa.exe

C:\Windows\system32\Ebedndfa.exe

C:\Windows\SysWOW64\Epieghdk.exe

C:\Windows\system32\Epieghdk.exe

C:\Windows\SysWOW64\Enkece32.exe

C:\Windows\system32\Enkece32.exe

C:\Windows\SysWOW64\Eiaiqn32.exe

C:\Windows\system32\Eiaiqn32.exe

C:\Windows\SysWOW64\Eloemi32.exe

C:\Windows\system32\Eloemi32.exe

C:\Windows\SysWOW64\Ennaieib.exe

C:\Windows\system32\Ennaieib.exe

C:\Windows\SysWOW64\Flabbihl.exe

C:\Windows\system32\Flabbihl.exe

C:\Windows\SysWOW64\Fjdbnf32.exe

C:\Windows\system32\Fjdbnf32.exe

C:\Windows\SysWOW64\Fmcoja32.exe

C:\Windows\system32\Fmcoja32.exe

C:\Windows\SysWOW64\Fejgko32.exe

C:\Windows\system32\Fejgko32.exe

C:\Windows\SysWOW64\Fhhcgj32.exe

C:\Windows\system32\Fhhcgj32.exe

C:\Windows\SysWOW64\Fmekoalh.exe

C:\Windows\system32\Fmekoalh.exe

C:\Windows\SysWOW64\Faagpp32.exe

C:\Windows\system32\Faagpp32.exe

C:\Windows\SysWOW64\Fdoclk32.exe

C:\Windows\system32\Fdoclk32.exe

C:\Windows\SysWOW64\Filldb32.exe

C:\Windows\system32\Filldb32.exe

C:\Windows\SysWOW64\Facdeo32.exe

C:\Windows\system32\Facdeo32.exe

C:\Windows\SysWOW64\Fbdqmghm.exe

C:\Windows\system32\Fbdqmghm.exe

C:\Windows\SysWOW64\Fjlhneio.exe

C:\Windows\system32\Fjlhneio.exe

C:\Windows\SysWOW64\Fphafl32.exe

C:\Windows\system32\Fphafl32.exe

C:\Windows\SysWOW64\Fbgmbg32.exe

C:\Windows\system32\Fbgmbg32.exe

C:\Windows\SysWOW64\Fmlapp32.exe

C:\Windows\system32\Fmlapp32.exe

C:\Windows\SysWOW64\Gpknlk32.exe

C:\Windows\system32\Gpknlk32.exe

C:\Windows\SysWOW64\Gfefiemq.exe

C:\Windows\system32\Gfefiemq.exe

C:\Windows\SysWOW64\Gicbeald.exe

C:\Windows\system32\Gicbeald.exe

C:\Windows\SysWOW64\Gpmjak32.exe

C:\Windows\system32\Gpmjak32.exe

C:\Windows\SysWOW64\Gangic32.exe

C:\Windows\system32\Gangic32.exe

C:\Windows\SysWOW64\Ghhofmql.exe

C:\Windows\system32\Ghhofmql.exe

C:\Windows\SysWOW64\Gobgcg32.exe

C:\Windows\system32\Gobgcg32.exe

C:\Windows\SysWOW64\Gbnccfpb.exe

C:\Windows\system32\Gbnccfpb.exe

C:\Windows\SysWOW64\Ghkllmoi.exe

C:\Windows\system32\Ghkllmoi.exe

C:\Windows\SysWOW64\Goddhg32.exe

C:\Windows\system32\Goddhg32.exe

C:\Windows\SysWOW64\Gmgdddmq.exe

C:\Windows\system32\Gmgdddmq.exe

C:\Windows\SysWOW64\Geolea32.exe

C:\Windows\system32\Geolea32.exe

C:\Windows\SysWOW64\Ggpimica.exe

C:\Windows\system32\Ggpimica.exe

C:\Windows\SysWOW64\Gkkemh32.exe

C:\Windows\system32\Gkkemh32.exe

C:\Windows\SysWOW64\Gaemjbcg.exe

C:\Windows\system32\Gaemjbcg.exe

C:\Windows\SysWOW64\Gddifnbk.exe

C:\Windows\system32\Gddifnbk.exe

C:\Windows\SysWOW64\Hgbebiao.exe

C:\Windows\system32\Hgbebiao.exe

C:\Windows\SysWOW64\Hahjpbad.exe

C:\Windows\system32\Hahjpbad.exe

C:\Windows\SysWOW64\Hcifgjgc.exe

C:\Windows\system32\Hcifgjgc.exe

C:\Windows\SysWOW64\Hkpnhgge.exe

C:\Windows\system32\Hkpnhgge.exe

C:\Windows\SysWOW64\Hpmgqnfl.exe

C:\Windows\system32\Hpmgqnfl.exe

C:\Windows\SysWOW64\Hggomh32.exe

C:\Windows\system32\Hggomh32.exe

C:\Windows\SysWOW64\Hlcgeo32.exe

C:\Windows\system32\Hlcgeo32.exe

C:\Windows\SysWOW64\Hcnpbi32.exe

C:\Windows\system32\Hcnpbi32.exe

C:\Windows\SysWOW64\Hgilchkf.exe

C:\Windows\system32\Hgilchkf.exe

C:\Windows\SysWOW64\Hhjhkq32.exe

C:\Windows\system32\Hhjhkq32.exe

C:\Windows\SysWOW64\Hpapln32.exe

C:\Windows\system32\Hpapln32.exe

C:\Windows\SysWOW64\Hcplhi32.exe

C:\Windows\system32\Hcplhi32.exe

C:\Windows\SysWOW64\Henidd32.exe

C:\Windows\system32\Henidd32.exe

C:\Windows\SysWOW64\Hlhaqogk.exe

C:\Windows\system32\Hlhaqogk.exe

C:\Windows\SysWOW64\Iaeiieeb.exe

C:\Windows\system32\Iaeiieeb.exe

C:\Windows\SysWOW64\Idceea32.exe

C:\Windows\system32\Idceea32.exe

C:\Windows\SysWOW64\Iknnbklc.exe

C:\Windows\system32\Iknnbklc.exe

C:\Windows\SysWOW64\Inljnfkg.exe

C:\Windows\system32\Inljnfkg.exe

C:\Windows\SysWOW64\Iagfoe32.exe

C:\Windows\system32\Iagfoe32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 140

Network

N/A

Files

memory/1196-0-0x0000000000400000-0x0000000000434000-memory.dmp

\Windows\SysWOW64\Qlhnbf32.exe

MD5 8d00b2a2ae78e2238e2f3ab72b9c1230
SHA1 0ae1f605767812cac5cd6525d8a0e1f48bd5ad85
SHA256 9ebbddb211496e0c32ced3c26a7c72f50d52503a1b81aae8b5e466a8d5adf341
SHA512 49ba8b53b20aa641554bb75496c28b358da46c82a421fe89768a6e3beb8c7a6233b9d09b724f43289205b56856eb1b9445880e8dfb72f293dbc78755377b5b06

memory/1196-6-0x00000000002A0000-0x00000000002D4000-memory.dmp

\Windows\SysWOW64\Qdccfh32.exe

MD5 1a014abb0c39c4d3fdb48539e3bb1963
SHA1 3c229e0aa8b356df3a8db75b89a3f9d7e2ebcff4
SHA256 bf06dbe649949b9fbd65c32740af2dbb0eecbb6470c82c97e44a025697605321
SHA512 81b895e5eca1fba3abf04d910153c8c3164fa6a3484c3087eae9b88521228a020fcdea7869a512fb838344acd33caf0daa755c29b588166b92f243f7080338bf

memory/2936-20-0x0000000000250000-0x0000000000284000-memory.dmp

memory/2936-25-0x0000000000250000-0x0000000000284000-memory.dmp

\Windows\SysWOW64\Adeplhib.exe

MD5 cd4e8dd633d8fc4369bb045cecf4b324
SHA1 d62c62a43ee942bf89016d0ce2b5ee9e08ba706f
SHA256 55cd6af141a16729c9793546d618bfe8e8de9cec4eb08296bb4f6ad47e6b281e
SHA512 85c51addfb67ed2fcade152e2f08c923ea3a89815f69949fbf61f81b2aa60fa3cffff72b7e6abfd2977bd99056180be48e3fcf5c2028d9ff4feff1eaed9ec0ff

memory/1812-33-0x0000000000290000-0x00000000002C4000-memory.dmp

C:\Windows\SysWOW64\Aplpai32.exe

MD5 5b42579e7dd0f54bd84db29cf929ae9c
SHA1 b1bb298277d8bf4fc7270157ff0ec56f87693229
SHA256 bc8cd98e685aef7e600a2d1b87c58513783726366afccbc714ef9bda5b7065a8
SHA512 8d6b2b77e74530b1b3cf65bfad53073e6322df1646771717cd892be396fbe82a1027b791c1b2cdebd860e0bc5633e55a769004805fe200f1a9ac4ded35bba83a

memory/2572-53-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2892-52-0x0000000000260000-0x0000000000294000-memory.dmp

C:\Windows\SysWOW64\Jngohf32.dll

MD5 467410cc87e618cc89e38483c41220c5
SHA1 3c2ed54416437f329b4f4bad04dff2ac02768d50
SHA256 6e9d7cd95e2a053658366472244989fa6c6cbf8726b0dc5c4534c05e04ae652f
SHA512 972bf29fe53b730f4283b4bbdcd4dc76a431bf6646396161bf274a77351c1a820bdabaf0b507dc9804970e5894ae708a2bb2d3ff2435dd1c3e964fe2b9ea5f0f

\Windows\SysWOW64\Adjigg32.exe

MD5 4ed1a5758e727c08780aae9821093dfb
SHA1 ffa8f85a865f8e21875b92c1d4bca342709544b7
SHA256 924469a2455d9e5df80a88c989028a8259af3423bbf35f7adab56ca8ad4346f2
SHA512 79553ffaa0776f426997b2ee0873ec61917a515a66e136ef9345c8c05978f3d7476946e382969ca1d43bb13220feab4880961011897b0acb49f398d4b7a13b16

memory/2572-60-0x0000000000250000-0x0000000000284000-memory.dmp

memory/2788-67-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2716-80-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Ambmpmln.exe

MD5 a08626e2e943b3e0dec0d22eab662323
SHA1 477716d5ab3d88e0646af276955218027322ba60
SHA256 1417886db4d51a7ec87cfda320ca55225f1b5729c8fac7ab53e8fb0cca2b2cfa
SHA512 72ca146acd763b9e3cba18ade47c11659cabd618611be6d54eb34681ad0de56ce44e4acfcf4204f5e1e43459b6ded8272c80d4178f84442c4d48f493fdb50f69

\Windows\SysWOW64\Apcfahio.exe

MD5 db39ff22b46fe1294bae8d520c1fbbe6
SHA1 d0339004820f3f14850740fba4a288d8e673ad67
SHA256 93430f6b651b036fcde9f2174f8b11b72580ca95e102eb81a7062ec60c682f07
SHA512 2e4da6cf25dffeefb58b20261276c755f2bd5abbd068ee5bc5389d9d5d0d1ee6cf2383cd21fbd367d32be2a214323bf227f1d497907d438e67f52f20e00314c7

memory/2716-89-0x0000000000250000-0x0000000000284000-memory.dmp

\Windows\SysWOW64\Aljgfioc.exe

MD5 44a36c505ddbc59d2a35b1ae768d0bf9
SHA1 7843ac42042c823d43f34373ef7a9b4640ebbb9d
SHA256 a08eae709bc8fdac98bb0bd4f12f39b8ab77970c936ed53a79257b13555fddb3
SHA512 e43811c1e6adb29c85a4bcaffb5998bdd220777cce07cd42b6fd5edccb0da3b08be1099844d572c790aa3b75d8e81112f43ecabcf2783f08592fbc93ecd27083

memory/2524-107-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2708-106-0x0000000000250000-0x0000000000284000-memory.dmp

\Windows\SysWOW64\Bingpmnl.exe

MD5 de85d191a6339b14bb2023a29aba69e5
SHA1 73ae247282bb662e70a9a2ba10dd7168b3a2be88
SHA256 4ef0aacf4c9ff17e1d79f5bbfde4b949bb641da314521b619ef70a8dfa43b9a4
SHA512 773361f0e7e09494b813d6e15b29fbae1adb1923b5a1099a377b3fe29401043a041e83f9b97eebfd9102f7d54c042420423d5b676cc8b5aec86ccf1154d4ebc8

memory/2384-121-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2524-120-0x0000000000250000-0x0000000000284000-memory.dmp

C:\Windows\SysWOW64\Bokphdld.exe

MD5 8146ba11822b3a07bba9d0238dfcd9c2
SHA1 8ac40826f19d837d7876daa82b00ea1124ed42b9
SHA256 c175891b914e353f1a30f7a57a2277f4f0a41854ca98e31a8f6a08c5f0b6ded5
SHA512 93bf2a34742d10558114c50b690b923207ca59bc4940a5db8490cc020c88be3781505a39c79cdb4eb316eaf2d737f677e119c90be3b2a7a632eeacb9aa6ce443

memory/1696-135-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2384-134-0x0000000000250000-0x0000000000284000-memory.dmp

\Windows\SysWOW64\Bhcdaibd.exe

MD5 9a04ea842570490fa2678cd15e007edb
SHA1 afe9980f9c1cdfd3007086a587eb1f86d99938bf
SHA256 d3257762c03e4171291e62917e820eb08cf63344140ce5fe76480a12a5f2ae3f
SHA512 51f95856b9017182f78ad9a8c95a0c854dddc1b9ad40c2e20129f5dabbffee93e9832b0f5cc6953648f46034faba21e022873406ec544770da5692c4f91a47a1

memory/2352-150-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2744-163-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2768-176-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2408-189-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2236-205-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Bnbjopoi.exe

MD5 60941ad34b369cb31850b25e8a798347
SHA1 5149bbd5aa7e363d4b10db6d1e649d19bd3cc390
SHA256 3452c6058ae32b2b7b418c7660c98cd5f3400e16f58c278e0974e94d002b28ae
SHA512 87e225cc95325f110d7010e96abb79a050efaf496e885582a8cbdee2ba41e4cc302fdf7c82308fa69a5f1eec571b95551d25e92d094393f9722f2de39fb83476

memory/1920-224-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2428-233-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1316-266-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1384-279-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1316-275-0x0000000000440000-0x0000000000474000-memory.dmp

C:\Windows\SysWOW64\Bcaomf32.exe

MD5 ca395f7e5f6956b7da10e8cc4881a5f3
SHA1 219ad6b700915e383c4293c1ceea4ff2ff512ee9
SHA256 dcb0f1998bcf999284abc71d7d36e114f51467d5f00e987021657725606dc873
SHA512 9b8231b17e0ba0238ab8684d6cd51b1f14349e5f2b8e7da9e053a23aec8a64fff5b39613f968c6e39441ad4629561744b670a5c617aeb054e0db186dde6f7edc

memory/1144-265-0x0000000000290000-0x00000000002C4000-memory.dmp

memory/1144-264-0x0000000000290000-0x00000000002C4000-memory.dmp

C:\Windows\SysWOW64\Bpcbqk32.exe

MD5 fd5389cfcdbb5925dbbe2a474b38f7e1
SHA1 50276785ca4309e9547e91cbccec263ed0b044f4
SHA256 b069c37f559985523f9fb91e2c18ba3d7c7ccd2df717c7ea83453ce6196fc9e6
SHA512 58696055c9893d30f2ab83011f75aff5df4acbb6ef7adf8c0b6e43f923ee68bc1d8350c9e43dce1e52974ef55e6f6dc481af3ff242dfc3f7cee9e48b8134e362

memory/1144-255-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1128-254-0x0000000000280000-0x00000000002B4000-memory.dmp

memory/1128-253-0x0000000000280000-0x00000000002B4000-memory.dmp

C:\Windows\SysWOW64\Bnefdp32.exe

MD5 481d05fffbca23a9df10d6937c42d6f6
SHA1 d3c7c2ec440c10a0d06f4f5edc8e05e82728b2a3
SHA256 8e59345a22072ed6db832bf7371e9f7b93a17445aab5799017bf23b152ebbedd
SHA512 90187e541dc2142c3f7c5e181819137d00a3d6cd021f701d6d6255f3f36f7b9ffe502b15e32812fdee1abfef430f1ab7dd05b0e7ae90b0c713d0ef3e156be182

memory/1128-244-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2428-243-0x0000000000260000-0x0000000000294000-memory.dmp

memory/2428-242-0x0000000000260000-0x0000000000294000-memory.dmp

C:\Windows\SysWOW64\Bkfjhd32.exe

MD5 855a12ac041c354efe8507a13546b622
SHA1 f47b575a87efff7e2edd28df8ff1ba493d2acef4
SHA256 4f8762cd36f18158ce0093c6c5636601900a32eb4237b10c82ad24f571eb8d85
SHA512 731a28f7aef77cc67a13ac268ccffc2dbb4627ad65a18eb73b171d880a418ae4a0f4d3f90e46e832958c1250d0f798f44cdbba2179c2fa51b5c1783ee3268b03

C:\Windows\SysWOW64\Bhhnli32.exe

MD5 1bfbb522d0b52ac34f0bd9df2c773c16
SHA1 e8e61dcc91472cc3b4812a02850321f56b92871c
SHA256 3657a647be8015c3a521117e624f17c12796f6b702d88c108241ce03b10a8b57
SHA512 bc03712c07ec512a893099c7a63a00477c1a478e7eb17a301a5c9c4cf84c86087775a9d38c1eb3609e5882d82420e514777909725fc64adeaaaf79e16b329ff5

C:\Windows\SysWOW64\Bpafkknm.exe

MD5 f2293781e887d068e8da437de57828bf
SHA1 198996aebadfef2e8eca5010c0a620a26a7ecf85
SHA256 11c28bc3fda7137783805f061938c4d20afa264f6aef74b4b49a86eaf102631c
SHA512 aa4749cd28c8a23cabc9636bf2546883413904dfe417afbc2e17b6cde76f48be955f7462df50b7c5d3898a55f8a61d6be2aad16a565e5e85fc7e82891bb58c69

memory/992-214-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Bkdmcdoe.exe

MD5 242dcb5f2012b793505d2592b9b3d456
SHA1 8bda28cf5d2875346725284b02c4caeb6e9b9423
SHA256 ae522bf192929edcb0265809c439602cc9eb755eaa2611ac6ea4cb938818a277
SHA512 73518242c74ff8845bb3949ebf37b7cd37026ac497201bc76ce61573f71485d764d515560529d08d1d05547ed880ac233df8578135a818c04d5ac3062b0527b1

C:\Windows\SysWOW64\Bdjefj32.exe

MD5 bb2ec82beb4a2b9c0f158f3c470e10d4
SHA1 013d89da376a4674743d2dd44d525cd1dafe03dd
SHA256 7d77bcf641dcf64427694f403f6e877435cb485b0e0e89fe5e8922775eee772b
SHA512 25528908cb23cb7308f0e6c3f302da466744a98b483f1b5e594dbc10b3a2f3563783a1ca4b1d5e2a8226e67864855ff41e14ca41f495e35344af32e6fc41d5e2

C:\Windows\SysWOW64\Balijo32.exe

MD5 7df09ca9392a0ba6157dd2b578cb2e05
SHA1 13355e3e7f922918e3692e2a542b45ed453ad24f
SHA256 6707d47cd41086870a8cfa4806b847c9e889ce45ea97995f4de9ba15cbb64062
SHA512 c190f25493601436d9734fd82f9291219987a0d74c34981d23aefe33165d363049308cb924fa125d4bdc7a12bd56441aa806b6ea194f5650ae61a7de669aebd1

C:\Windows\SysWOW64\Bommnc32.exe

MD5 48cc6287cb604676cbe90b0ea21f7b85
SHA1 2f482de1ca4e4ee2743e6f570ed017627c76d679
SHA256 7506a653a8543eb7f0ade5d514f324fb35002c45ee9a2f4d2aff6cfc1534070d
SHA512 d2827da0a299e9b5d5b47ee1edd114bf700e25d457dc193c873ef9103a79df3f50cd2e466f6b4f5ee76f26eaebdfc8ae807f18aa40c3e676daf092b62638889c

memory/1696-149-0x00000000002D0000-0x0000000000304000-memory.dmp

C:\Windows\SysWOW64\Ckignd32.exe

MD5 4594dfea16bd855d08277a5e184a88bb
SHA1 2669616ce93bc0cc3f455bbc0652ddc916a9a78f
SHA256 aab5b1faf1be121c685cd09db30be905200e60e477582229abde4d9289c3bb64
SHA512 2ebc31c5a13e6eeb4f27c10818a3e61224189ebc4ac1b5186e93e38df7331529e3e50c137e8e4635ef8b3f9a972f8ae310ddede42956488012785dfeeaa764d3

memory/1384-285-0x0000000000330000-0x0000000000364000-memory.dmp

memory/2108-286-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Cndbcc32.exe

MD5 5658705ab1c01977eeefe277713f3dd4
SHA1 e9d6e66100cbb953f9d2c2599a0baad6fa59612e
SHA256 180682e9c4e84519dd9b9a065ed0abbfac785737ed73208b353b28c28b931386
SHA512 a00599d258f23950289f3a29a83ed5c06ab394c7f5075b4fc580e10f617edd9faaddffc14a65c175f5900b19b9e5bb2a67aec0e7ea6ff9c66c4d7ff786d5c6b5

memory/3040-296-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2108-295-0x0000000000270000-0x00000000002A4000-memory.dmp

C:\Windows\SysWOW64\Dhjgal32.exe

MD5 c521ea95e4ee9e6223d4116336b37f34
SHA1 b3602e6bca85ac93b280095808336b620d0a818f
SHA256 7c737c0d2fc6c505c422fed6f21500c8162dffd7546b8cb5bcccee3b4bb22522
SHA512 0998f207a570e8067f2b7c06cd769cfd0da129a26ff5e4110a77d79bc01da6ecba562d680be3a09dabba75d4de3efabd9821e37ed6316097935838599916d7c3

memory/620-310-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3040-309-0x00000000005D0000-0x0000000000604000-memory.dmp

C:\Windows\SysWOW64\Dodonf32.exe

MD5 0ce7bf12c95ef7b4e5f64064bf6cb917
SHA1 9f9632c6bf9a34eb4eb8eb745863fdc294a31537
SHA256 01ef3cac6c49a7b9bdac047f6784560b0eb91aba3f11d761c80939860e7f4ca4
SHA512 e59282941881d4a8d9fdec72b1d0a90db0095243aa0ccc63fdbb7abb681b17f75cdc3a3b0842845c51303802ec91072f3f6322777d60a5eb0c7452b53d9ae8cb

memory/620-316-0x0000000001FA0000-0x0000000001FD4000-memory.dmp

memory/620-315-0x0000000001FA0000-0x0000000001FD4000-memory.dmp

memory/2960-317-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Djnpnc32.exe

MD5 be4cab44d94bb1beb84658e957d9f046
SHA1 41eef95bb749e99acfff19ae868525ddbe304df9
SHA256 7c5b09ccc92a471883e13bcb4b3584b404da3f1d7b2d77dd04dc917294802a91
SHA512 eeb5f36e5d51c6fc6068c5b81dfed5950f6d2dd8107016b9355d31584672cb7bedb063fd9bb6c338c21bcd9af3a73d018929956ca7245d25638fb906395c90e6

memory/1592-339-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1452-338-0x0000000000260000-0x0000000000294000-memory.dmp

memory/1452-337-0x0000000000260000-0x0000000000294000-memory.dmp

memory/1452-334-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Dbehoa32.exe

MD5 79693274eca908eb95ca7effe12042b0
SHA1 16875f8344caec1cc70b3d6f42162a3c73c6fee2
SHA256 26512963eadafd9c304330541a6f133a19da8bb14de68f6937497628e524fd72
SHA512 5f5ef84009690681b096853d9ef213fe69de77ea590b60239e1a2ceb2b1b37ca3563d639ec50c9039e3580b879d60f64f4d113289649b2284247130e28d30c09

memory/2960-332-0x0000000000250000-0x0000000000284000-memory.dmp

memory/2960-331-0x0000000000250000-0x0000000000284000-memory.dmp

C:\Windows\SysWOW64\Ddcdkl32.exe

MD5 61883b0aeab8d3d66f3cf8c99a79cc45
SHA1 cdd8d38b7c9e22ed6a3ac6dd269906f25e90172b
SHA256 f62db1c6a48554893e147d8941ae0aeff5304a9950e611a9908abb385ed824c4
SHA512 a869a092a982d4c9f167c66f20a0edb056ee3d5f9c9039ba7c8f863090c8b9edc9f500ca0b02bfb534aad01df38ecab641f44e622affd7332618f2d641d2a32e

memory/1592-349-0x0000000000270000-0x00000000002A4000-memory.dmp

memory/1592-348-0x0000000000270000-0x00000000002A4000-memory.dmp

memory/292-353-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Dnlidb32.exe

MD5 3fe6e947e8974ed3261d4457eb48816c
SHA1 2623f90a0ee690ecbcd9f54695824afc338d1d09
SHA256 a1ffe8f6501f929b66f5fce75ce0a13603d7f9f9c10659276b4263241beed766
SHA512 18174ad5ff0512c786465cf8b5b472f26d78581d63c6bd66483262994577cd67f0872da8806ba0484febf27da3b603ade129d7d569cd570adcbad9a48ef1ae87

memory/1508-361-0x0000000000400000-0x0000000000434000-memory.dmp

memory/292-360-0x0000000000250000-0x0000000000284000-memory.dmp

memory/292-359-0x0000000000250000-0x0000000000284000-memory.dmp

memory/2592-372-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1508-371-0x0000000000440000-0x0000000000474000-memory.dmp

memory/1508-370-0x0000000000440000-0x0000000000474000-memory.dmp

C:\Windows\SysWOW64\Ddeaalpg.exe

MD5 f47bd54556245a9711b441203fc0e452
SHA1 f127dc2910ea062c1ac630c02c8f358654c8a497
SHA256 297f84288ed8b6cc8e54d04906b7d0c3018be9f22a14f2cb517237a6f7707f0b
SHA512 2ceff37b3eb3105d66e60050454e4b917bcb6ddeb4b15d5a82a4edc3d9c3484a2ce19301f26d400f018ec46ea6501048cb004d120bb9933ca3cb350cb1b0840b

C:\Windows\SysWOW64\Dmafennb.exe

MD5 e0c8ef97486c61d833f71195ae85cba3
SHA1 57ab166ea98bfb13ee58cc7dd89d1300adeb737c
SHA256 456161b20611e4058f2355651e979e912bc0efb896624a52c4b1d7e16a5ae461
SHA512 9ac813e11f9f4de0ce84551fc4f389719070ac38cf6c2ab32b0c97a9ecae2f11389fccf318eb15995368361581e9c536b6c9b8c0846c1adc34a284868846a083

memory/2796-383-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2592-382-0x0000000000250000-0x0000000000284000-memory.dmp

memory/2592-381-0x0000000000250000-0x0000000000284000-memory.dmp

C:\Windows\SysWOW64\Dqlafm32.exe

MD5 adb16f30994419222959c7ce70d2391c
SHA1 f75426dc2f9168795cb8fc11c5b143ed9e8b79df
SHA256 f2b1f771c354296d5ff59967cceedd22f64e1248c69c6a3d21fd33058f031d71
SHA512 46e3a72d2a65a5f850847e168890bf16ba66845eb5749ca9628933306d189861850d43819e931fc96e2797205576989451cb28703d24bfd365586e0debe3e108

memory/2496-393-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2796-392-0x0000000000250000-0x0000000000284000-memory.dmp

C:\Windows\SysWOW64\Dfijnd32.exe

MD5 1ebdccad4a5056b4a8802f0be399a799
SHA1 c6e1c70ffb6dc2b99d8d9fdd61c0601c2ddfcfbf
SHA256 c8914a9427d2f2b40491bd6c8b6e036f80b9c35176f0bb3061d1e39832de5084
SHA512 cd37d2a39ac1bb01d76c036246e23ba418a9c0d6c54dcc57f546c49b6c126b12ce48b33f51b0e44665e89ab81bb1d2737366a631e8768916654a3c8ee30d73c9

memory/2944-404-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2496-403-0x0000000000280000-0x00000000002B4000-memory.dmp

memory/2496-399-0x0000000000280000-0x00000000002B4000-memory.dmp

memory/2944-414-0x00000000002D0000-0x0000000000304000-memory.dmp

memory/2944-413-0x00000000002D0000-0x0000000000304000-memory.dmp

C:\Windows\SysWOW64\Ecmkghcl.exe

MD5 7deeb7aad2508cb6cc25f61af72cbde2
SHA1 2e4658c7e514ad43a8335a3037882d86ed64ebc2
SHA256 c9902cb25f741fb9e5b8f3e8fb36cb3636cfa58b47b7aac531e35d687714a9d2
SHA512 f34fc68f9c44f74546ad3b97c7a044f3fcbbaca61f9b18411e5a9d1b3f1ddb084a58a73cd0e3e2e7e36f5a59b771ec36d99dec29010468cd7c3f1e8b9049dfa5

memory/2632-426-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2476-425-0x0000000000270000-0x00000000002A4000-memory.dmp

memory/2476-424-0x0000000000270000-0x00000000002A4000-memory.dmp

C:\Windows\SysWOW64\Eflgccbp.exe

MD5 3fc3472aa52bf2af8ffd66f49d41a041
SHA1 d210020b050f0b6b66d0e79cc5cc885b500d93c1
SHA256 101ea02cc03cbfd6f2b8ee99e473521bb038a6d3a4c8465fdeba7e8222120139
SHA512 8e15f2e30bc85640607a7ad53116e60219cbd811412b9deb3f16e4eced35f9f5245e9ba211bfe974be38893ecd4f02baf0102b98df711b78f2944acc6711c402

memory/2476-415-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Ebbgid32.exe

MD5 04da049d3a5b4078140b4da3480f9d8c
SHA1 a2d93838d2595d854e0be51d17e90e88e839995f
SHA256 68f602ecbdb02ee18b825869ab784b42c304fb0487d3103a937df59d1d6bc4d9
SHA512 2c1989de9f7755e5781cb0517f389d719d46d97e97b4ae0ec90467d2303511d49f7c976a836e10797f8658cf720a35e44e9d43caaafb8b70cd3afd2eed5c6c9e

memory/1280-448-0x0000000000400000-0x0000000000434000-memory.dmp

memory/848-447-0x00000000002D0000-0x0000000000304000-memory.dmp

memory/848-446-0x00000000002D0000-0x0000000000304000-memory.dmp

C:\Windows\SysWOW64\Efncicpm.exe

MD5 858f9e378bf3f4c109f0f3c06355c3e7
SHA1 8a7d488f3c88d922a177e0290394df31b7654561
SHA256 a18bffd6b38961c86b592e0aa4ca614f85d696cab57861937eceaeefc7caab88
SHA512 0c780b680403888947a9e1eb63e26b935598ed75d35796c1c914dba695d77d7ef3240e0c35bcfd9ccb680856e08932f032c98930b5fe38b6e39190d88b217573

memory/848-441-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2632-436-0x00000000002D0000-0x0000000000304000-memory.dmp

memory/2632-435-0x00000000002D0000-0x0000000000304000-memory.dmp

C:\Windows\SysWOW64\Epfhbign.exe

MD5 46ae2ed3f66ba527dc92b5fa4de93390
SHA1 4a3dd4c68bcac68fbfea969f6d4fe4a5c334e9bb
SHA256 db80c570e68835aa0d6eda589765426b16c7d5cf1ab7edc4c80f833d46ad6b08
SHA512 9f4a711d47b26994a37573a8f9a5cc30173bb97d338a152026345e8ef12f2b156ebd33f1d73fba8af834e1200cb516446c3bfa2fd9db2e860cde638e520225d9

memory/2692-463-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1280-462-0x0000000000440000-0x0000000000474000-memory.dmp

memory/1280-461-0x0000000000440000-0x0000000000474000-memory.dmp

C:\Windows\SysWOW64\Ebedndfa.exe

MD5 345b1aa096410706a9a36e8696b63568
SHA1 3a344703f9b4071347cf70b3208d53280953ce3d
SHA256 946d78db31382bf1377ad54dd2ea29134c2ef6ae6d3fd9d800f078bc6cf66962
SHA512 8b6e1ff6e9ce81c391d0602a097a30765300037cdc6c0f439f8c300ab9ef6a4251517620a8fefab2ff4534febfb25c2af7f00c96763b005eda702568a64fb964

memory/2760-470-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2692-469-0x0000000000250000-0x0000000000284000-memory.dmp

memory/2692-468-0x0000000000250000-0x0000000000284000-memory.dmp

memory/1924-491-0x0000000000400000-0x0000000000434000-memory.dmp

memory/776-490-0x0000000000270000-0x00000000002A4000-memory.dmp

C:\Windows\SysWOW64\Enkece32.exe

MD5 71ed6660a283a04302c006d18ef8108d
SHA1 565a55d6f0026b7ec53c11f71d5a45bfad613850
SHA256 22621c0bf5d0162bf5105129ec476a2d7ff3b13ebd7b7cd890d86344dc0c2885
SHA512 be2ae4b751c1f31aef4b411cc2dfaf966f0293cb77c19019372f080a3dc2ee92f7b66578056ea9a9dc87fee4da14aa72c361317880fdadbb02b91b5ddc153165

memory/776-484-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2760-480-0x00000000002E0000-0x0000000000314000-memory.dmp

C:\Windows\SysWOW64\Epieghdk.exe

MD5 453685d7d271da925f580c70ec211039
SHA1 f879fb4490db27a7e7452d20d19d286f9f4d16c5
SHA256 2df1638e2ed98a6c685d923e7f156f0eaf5fd3edf26a36a3c9411132490eaf08
SHA512 56ee804602430fd93653c8dbdb29d8ad15a318fd47eb9cf9177485f1f11806983e8fa8192d3c833407717d4e6205f3d2f97d6076cd736d75298b6db744383082

memory/2760-479-0x00000000002E0000-0x0000000000314000-memory.dmp

C:\Windows\SysWOW64\Eiaiqn32.exe

MD5 25a1cf2af53a5b2ef258ce3b3e31d582
SHA1 7a1ff6a7d7e22e6b729baab858a5d19780bf6d49
SHA256 e948f4967dd2ed36c930b298b55e0be47e1dc3971c5ff322ac066e028dfbee80
SHA512 b176a6ca02ec956f80ef7daa3de1898aa2dabbf5ced691546118c46b54a0a2d0d48f614ba42495ab6c8428e0cf17ff5b044ff4d3a75982124a6ff1b72d8d058c

memory/908-511-0x0000000000250000-0x0000000000284000-memory.dmp

memory/908-510-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1924-509-0x0000000000300000-0x0000000000334000-memory.dmp

memory/1924-508-0x0000000000300000-0x0000000000334000-memory.dmp

C:\Windows\SysWOW64\Eloemi32.exe

MD5 6a5660008c0fedfc52c067049b2301c9
SHA1 40262629a0abd830b574949915f0337ef7f9bad6
SHA256 f110d4e08e6f69ff93f0b00e5557512e0673c98317899bdcd3a39dc0bb74265e
SHA512 e4d945487652a78686e766baf6b2f8ef30be06c52522e2a70c3bf858c1d02c3381a65d46f81ffbb714741e2eb0e53fd46a224941bf71f787d67deecd5caf96f4

C:\Windows\SysWOW64\Ennaieib.exe

MD5 b33172717f78fa71d2d4d7b89a45c104
SHA1 85109704f797c6afde28f4d10c9c8b808f06c51d
SHA256 0ece4eaf32e6227ffa238571b825f7b6082b1c89491e5bf6010ca4482daf7fa1
SHA512 d2e79a59f71af08ec16d3f11a20e0fea3b3c10bba1f9093d5b48f3a0275e8f66347920f3d44c6d38298affc099db9736de0f2f8731a04bf6dc21c16313d0ef29

C:\Windows\SysWOW64\Flabbihl.exe

MD5 806bab4dbfa507a75899ab5aed8bd4ce
SHA1 67bc200caaa65ff9ac06d5d174c065736df62466
SHA256 3499bfc60cc7753741725069c910198a96edf52e060baebae8dd3903170b6790
SHA512 1d7521752484c692623db75d297f115a0cd95a1bd2c8d5bd32ba894264d1b4221dbdacd762764ba62a64a21630c89d0c91060b9af8b190c576fdedc9b650e206

C:\Windows\SysWOW64\Fjdbnf32.exe

MD5 b52819f4b84aab1a109971c7a84adf90
SHA1 6420cd59927f261302df0ca32182534c7635426a
SHA256 d0f21e6f2be3bacb6a8c794d501f65ed36be52a8cb864065cc6bb6f56671825e
SHA512 705d5724216c22f30f797bdf154510f6c3066f5806348424717b8021ee878b40e8257aac3b942cfe22db81a08a6b3b00b4db9ff26ddcc0cb9e77978b2ac7eb6a

C:\Windows\SysWOW64\Fmcoja32.exe

MD5 1b47515588b00f944d5818b8d82c3f04
SHA1 731632f83d7c9bb9e79d56d0091bdbe5a24fc321
SHA256 bb52b5d37d76063eb731acb3254e188444d33b8561504b0aba8af3adcb2316f8
SHA512 a76220f35df04314b448274f92c5993d9034649d64664add09ee8926b42031a8102a33abeaf1f743b96681f65fc2e92199ef6f11e4e1c7d4cac4ee5940ed2848

C:\Windows\SysWOW64\Fejgko32.exe

MD5 af136bfdd69ddfd0b2153325d1f36a4a
SHA1 4a673a9e7280758ee6ce4a4fff41e79d4bad6440
SHA256 82c482b89236eab0420a1c338b7add86ecbda142a160bd489b62f39a025270c2
SHA512 444b35ac119198f203c7950c8aa43fffc1a8fe1921ba665d55a01915e0706cd4cafbf0c8a7247741b074594fb6f429cc2e8e7042eeb6f0275bced8375f1a1e89

C:\Windows\SysWOW64\Fhhcgj32.exe

MD5 d4afbe420b3293af8d37dc1c66c20a5f
SHA1 bf5682729789a66884504762fe57cf46f72489d0
SHA256 bfba1862b421da054f62d42f3d659dbd72b4a5c0272478fd029c366f7548365c
SHA512 61052dcbf87f6de41f78469f24d6957b685d2e3bf271aad8034f29a09dfdeb19bac7783c1d82a2cbf17f11b85c2630c1ed653d3419dd52c360ece66eaea1a5ec

C:\Windows\SysWOW64\Fmekoalh.exe

MD5 b9d8c4a816e3fa041c3f548573b0b907
SHA1 3a83f34c48cdf8df3b6b667597acccdb9961ea86
SHA256 a60c6cc7640a436820030730d6bedc1b621a691b776fa1d56276f5886af7b49a
SHA512 0610e5907f22efc8e40c3b02fdd76586c069fd19358b2907e8ffc8a42f71c8f1fe91cd910c397d249e15fa180dcd22f512f11dcbdc7cc2bdbd6e4b40bf4fdf1a

C:\Windows\SysWOW64\Faagpp32.exe

MD5 80b9f72649095487fced1ca45b9c200f
SHA1 88363c1276d7ce74276399c920fa0bf7fe3ad736
SHA256 671700a61085893c454cc9aec2cf672d0c9164c4cc1bc4a32ac8d263795709e4
SHA512 9f82b0597aa322f39f00ed7c04f795ca27efc190c680627528544d4782a3d0bcf03fefdf176f34a2db2f6d26f621349124b5a4583dbc7cffc1c73b6edbb8cd9d

C:\Windows\SysWOW64\Fdoclk32.exe

MD5 f74770609ff595bf09e1f64e985751d7
SHA1 a1efe71406b88c2be000561088e443549381c82d
SHA256 8ffa50e1a9999143a5c07735528aeec57c9e0c4f61686f0900387e613bd9cad0
SHA512 d93f403692451b41e0907db9878ff4231db2b98d3b3db46b1a2d5a7ba8814a87c1a8e643b648126f8b7274a7ad4d08fee1ac03c3f660ae912510c6845817342d

C:\Windows\SysWOW64\Filldb32.exe

MD5 7532d58c785b11a19e1d0472285696d1
SHA1 0e7061365f80d0a4078fce715bed9fea9e47f816
SHA256 7cba4ab7ab110f6a03a6a251cb7d18db2955d8a3053d1b15a215bdb813b0ff1a
SHA512 1aa08002d4c19069c75f529a9b9e34442348d84eadc44029fb94a2e26f759c4122bc5561c0fe0ec1b87be7e86d48872c1a4c93e858199e52afdb3e080baba8bf

C:\Windows\SysWOW64\Facdeo32.exe

MD5 be57c69c0c05c00d28e8eaa3d09bfde0
SHA1 9c4379a9e7006aff29d318d53e5ab3e8609c4207
SHA256 4e25f45ca020b66b618e6168ddaea2f1a587185f6ec6d544c5ca086c5f2a1392
SHA512 d46ab507e8987c51d6668a38c4fc81f1dbe6e0ae30e5dde995f16fffc468026a81745449f662e868ad3f7f7b8c379b28b29b4a524b09ab8a10db93b6c7e25bd6

C:\Windows\SysWOW64\Fbdqmghm.exe

MD5 2459f79f04fff69183baf3ef540aee25
SHA1 c0a72d78e24395d9b0e58a1c657b88918687df6a
SHA256 e1c7d0463f6e8d66b867d0207b035b2a1b65f58f3d2ca953401c1232e09de864
SHA512 e9525389ac5276f7e779ab3435b41f8fd9a6a589a7104251ae3a1cd439b89e2d612e5afb2c215594fb8947bf648851807cf62b1ddcc5334b7cc63fe99aa995e6

C:\Windows\SysWOW64\Fjlhneio.exe

MD5 1036caced5150cdcd7cd04adc4691086
SHA1 74289535a86da1907777e08344a318227982a74d
SHA256 531a7c72c5251da4a47854c350eca23e5a655167f05f0c1d541481e3b3dc231e
SHA512 d32925ed2dd8eeb0184827c90297e794809e101051039e90b854ff10f35396c9b1c8aedcf932a358710aa1217cc80000ca4e93829f959ca5cc727c8929e15b91

C:\Windows\SysWOW64\Fphafl32.exe

MD5 58bb3aea00d6d3ab022251ac7654fcc7
SHA1 2c8b6f8e65196d265edb6425ebd8cb1334f996b4
SHA256 f771f79eb17a296c94bd8343442788c3c95a15b84fb7e22ed3e7906fe07df3d5
SHA512 ef6e64b683ec6e5233dbabbd5b35c096661a054173b48ade77347775aa7849c9de1693299e6e517b7ae8b529564e6ca003b4a0be76003b1d5c40e1d1411a463e

C:\Windows\SysWOW64\Fbgmbg32.exe

MD5 a451323774d1afdf9e52e3acb67a13cc
SHA1 4c4b11453c14410277055f7004be5a6e29b070f1
SHA256 97330283ab881eed20416c88ecaba026217c43df03ce12bf774ea3c5e8919fee
SHA512 3f313d9625ac1b6c7717c6401ebdbf0e5151beee08b72ce2f3a9223ad79f629ce20e719cbae158b6fd751f8f718eede845489aba5813d05fc29538811818b10a

C:\Windows\SysWOW64\Fmlapp32.exe

MD5 abd5e632d046fadb054eb018808a7b7b
SHA1 48510273ebcfffdc4e918bebac8293037f2bcee5
SHA256 88d653366a2a6310d90975d4b4764ec71f3c812d097fde46536cb68b5185a323
SHA512 6ef51167e8f61bc0bab53f1b9dce5bf8ba2f4c09d962b91ba476fe56d966da20c77c4e55ed7c18c7facb1aeddd913bbf7f305b32dd1a45ee4936f2bc26626c4c

C:\Windows\SysWOW64\Gpknlk32.exe

MD5 ecb9c8bec65fbd0539c602cdf94fee54
SHA1 fd286a6e67465d6b33027cf0833f20c41c5d9417
SHA256 9ea7e6105a8c194324ef64cbde3c3a745c695ddd0fd887402f498fb18234c8b5
SHA512 9e083b7f2e030615267301af3bd184e66dc6d0e84638b95c68d97f9a92e9a1f7989a32c751fb9021c331cc117d32c9ea19da06e83638ab53f75d81f436e064c3

C:\Windows\SysWOW64\Gfefiemq.exe

MD5 0dd9e65db9a5e0edbad9248ec693daee
SHA1 f91383fe2f9083fce5b3b760212f7450f4c6e7c4
SHA256 1da3ff950b2b1d87fa325fd62898d0c7aff3cd4dd13ca89f30320f3870a68471
SHA512 5afe797a4d1606a76b995a697b656c1c85073ea97b225e07ae8b3d0a6d21661619a5e364e9730519d4c63f068204fe1b7299c822864db35df6478fd34a5bd9d9

C:\Windows\SysWOW64\Gicbeald.exe

MD5 f940e96e02f0a4344633da7bad25f664
SHA1 2d7b0794d28207e829a02cc92c56fd64d6316358
SHA256 c386c668014e4aeba4312b8a12b16cb2979cbbe6d366bf82826778155ea4c51a
SHA512 50249ae292cb2699b39c9b65282a5b874b6b60410e86945ee0fcb3208621a51e360cb192eda46964f450d8d36c43cdbe3c6eed2ea4d46d129987b90bd390e62a

C:\Windows\SysWOW64\Gpmjak32.exe

MD5 79475ae22dc1a01ba562a90346b7693d
SHA1 b32d33f573e29641c8675fae3e3e9854c962484b
SHA256 08ae4a82e60b086c7927c048d0cec6d9096e3ef3d2b532ee579629b0e5c70d68
SHA512 67b73cfa1301d2d51c9d514c4ec2d9892ee28d31dde1aeed385225c30ecd6a72d7185e752279cc37c6747f2663b6ae52c134660bed623db1b36b1659f51a4db1

C:\Windows\SysWOW64\Gangic32.exe

MD5 45add15a6bc831cf01a1d16e54e35d62
SHA1 65abcf4eab5bed499e4809fe13f6870d6f69d759
SHA256 bbf4046e34cefc4ff19d50310e04d1833d73f9f624a2949e9e4a67a0eeb9e985
SHA512 7a4c902e0ba6e0a4864ccfbf7ccf956e2d828e04b7348d9fd3c5b4724f8ab83b876b3e4a0a5359b68390257a7c54a854f8432505525be66854c7fc033110447e

C:\Windows\SysWOW64\Ghhofmql.exe

MD5 c8e2973be84513a67507909c8f722a3c
SHA1 821bc853e4f792f7fff6b8c4107a6e333a436134
SHA256 605b803d1aad978c99d6205a94edff61f2438257705b71c5852e27bfcd5c2978
SHA512 729242f54c604022794ee1ed32ea20f09a5b98b76b62cb09334ec716da7f9cb8f06340013ff34b9cd2d9ac0dd8110079ee2d7c94712bf78ef4301aa67bc379ee

C:\Windows\SysWOW64\Gobgcg32.exe

MD5 2d00bf76e81a45ffefc3b320e345f378
SHA1 ecca3a2c3bb1121a7f245048b31154cf484247e6
SHA256 81a671119704c1f3ebd8e79e3853108a859a117dbc90a51814cdbd3533bb003e
SHA512 8b057d12b60475cac2c0ad4373b5295b57ffd40228d39054884f2a3826ac14c22e3a178c0dbf9e49b53199e23fece1b2968ad642aae299759ae206bfdfd3be66

C:\Windows\SysWOW64\Gbnccfpb.exe

MD5 8162b7aa16730e667532a651437e85fd
SHA1 aeea9e521515b1303f0ad79d53f87aff56347a47
SHA256 ac8e09f94e55f8a1812e25874a5b171bceecbd4708ec5266fd17424192eff50a
SHA512 c1b019441439830a0c681a57ae98327a82d021318af372d73156bc15e1e066956938e287693e4ad774f19c1b20eb101f596c02853c13dd575d7fd953ee821ed0

C:\Windows\SysWOW64\Ghkllmoi.exe

MD5 a56bebef2b65b9fa417d331bd9e36aab
SHA1 7e7713da8763eefdeaee0352aaa73ff2ad7f6bda
SHA256 fccfcbec98650721a71664bae6faa33a0e4018617e87ffa402236e68e59a3a0d
SHA512 682417eb005d46a7e124ee6d94ea5609e96795f63c10aff10bd11a8e18f1599bba9d7fa79ff0a2fdec1829e63c54d7352ae02ae91a695734ab36c3cda0b75d4f

C:\Windows\SysWOW64\Goddhg32.exe

MD5 6458efa91ff4d38a7ee43c6a8b3aa0ac
SHA1 f7ffc3badaf068225aad3f8b713931dd3e75fbe7
SHA256 a836ea965aba6bea0630ba3413bbfabbc7f5d371ec847e9e989659bf55bf083c
SHA512 a26ccea485f2210c4d8d75a956f282ee3bed730d704f9e0a145056871983f80ac439385e0031c4eeefe40a7dd2938fe9978d0eb967a11bbf69149e6d9c3ff0cb

C:\Windows\SysWOW64\Gmgdddmq.exe

MD5 4507a022bd6579ac54a439e29fb33218
SHA1 719c9139fa44fd8c84e8915f176485f299a6b06f
SHA256 738e7cd361df4cf3266ef9db2999e18fee19f96f66c6d117dc441ba0afc2f3a2
SHA512 6d050dc538f4c4cc61a12345fd66411768658ea81a3e1d53fd194a559eaccb72681aeddd635f2f974342cc54699adee677cf1903a7cfc5fab400985096bd3008

C:\Windows\SysWOW64\Geolea32.exe

MD5 b4b0da95e833b1632b9090f636ad7e62
SHA1 e070cef2a7c02f1ae9e4c9320ab940deaa6ce859
SHA256 670e4a6b9ffad9f17641939f1a2c246286efca7f2f64a221ef96a09cf1d88d9a
SHA512 a97252cef3698fa7eb0e3f506da7e79b9f5f1a154a959645312c5c0f1519bff8b8642bc7cc12f73d29331360b1d6385c749f61224cc2d2e1c2c351577b0494f3

C:\Windows\SysWOW64\Gkkemh32.exe

MD5 215548ba4f1a154c2300694957617481
SHA1 f2c572daf0e3da7eb5a4e8fcacb3707dabc5064a
SHA256 be52a7ff38748da51e9abaa5776895de822b4170acb881ce63e2c72584cb9df9
SHA512 fea8422ef882b8e02d4562bc7d7ef8a9fb815dcf1c0c171bb56d92514c4abcd844055d1a254b5b2b999f62b1ca1c898d67329d7d2706ce4242ca3f0fe8d6f410

C:\Windows\SysWOW64\Gaemjbcg.exe

MD5 8291973795af4f65bb94649054ee15c5
SHA1 3bb2eb74e49c2bcb0ce83395787d9a79249b990e
SHA256 162fcb00f8332d9b246b1d7b0f9b564e6fb46477e9f3651e5bdd84cb5d942b6d
SHA512 79cd19673125edc299007eb3fdc04a799f8557614284956908d1879dded23ab10fdd960bf47b0582eeda6133a3f46e80cf41324737d06ae5c982ba3926a6c7fb

C:\Windows\SysWOW64\Gddifnbk.exe

MD5 d4a42226b0eb96ec2afe69ec731c8518
SHA1 b5de4b3a6362c64873221969beee17d01591f7ea
SHA256 250fefb51c060d51294d70cf56f273bf4633e4e66495a59740fbb8176c3bbc02
SHA512 e0531dcc9274ffb94d2ac5158440eb8d17c8c53df7890676cd383c5912106089e2544544fc67d13180a0add7bbc291700206d20c845782908be04a0dc005ff79

C:\Windows\SysWOW64\Hgbebiao.exe

MD5 6e23c658c6b64ff779ef23929ad34ddd
SHA1 93b59007213bfda310423a3edba9727194707ec1
SHA256 b5e4ef2b05109fa67b195c38387b0245e914374db35ee50a3f69590afed0f0d3
SHA512 5d7e1972ffef17e1ab6d659b45864f2419c270dc2539ac7eca736cd1129e3c3555031cab49ee4f2811cdba0f8a491b2a3b77f50464987e9ea6f76dbccacf3d39

C:\Windows\SysWOW64\Hahjpbad.exe

MD5 92fb2bcff60d07879514dac4bb95bc57
SHA1 6a75eff107250882d56b684463e5efd217008ee5
SHA256 b48d7f8bd95636de494f8a3422eac3b771b77ad997804184d6f1a27aa2281949
SHA512 15ee56792bd900f49bd42971cad2e205ce032b8d3db953938e2af8e59e2630f3fcd1b6de131f8a16ff77f80ae0a037fa08ebdacbd630824beb73024aaf6f0e23

C:\Windows\SysWOW64\Hcifgjgc.exe

MD5 b0584a79b77c9f9a772a8a1a34580361
SHA1 43873a241c3344b83aa6c45c5e34b7f94cec56ba
SHA256 37eea30451b517b34d3896fcb8064cc6360b83fbb2bde3cfe69d290513f9f6f2
SHA512 047e607d644efd9d64e11b704fa186ab4389f8496d421171cbf350e4673291c1912f180eb88cbca382a46e2edc68f877dd4056d8dac57a53c2f6a8daded15e1a

C:\Windows\SysWOW64\Hkpnhgge.exe

MD5 a038b74f8dd6aef4d09c891344d825da
SHA1 31b84aac19d70a3e3a24c3d2451d9654f5d627a8
SHA256 b6b1b9c08e0d82470a01c21a07e72664637863e5b17ff51a749105bc12544466
SHA512 bf6f553fbd1e08a270deea0df8c676a7ad4527a44f1097a9b01a0f7cd09bdeca15dc81cffca8fe318c59e1bc63951facafc554eaa55078d996fd5a69c25dda6a

C:\Windows\SysWOW64\Hpmgqnfl.exe

MD5 b3a10302450d659b6a5ce3cd59c8c189
SHA1 658954a6dd9f067c17a97d4bad64eccccbf95c53
SHA256 cea1b477884d9ca470f2906832fe586977c2983bcc2127071944840bc8a1e0c3
SHA512 be6995a854f9282eb02dce452b2216905231059ac884a6c7fe35248b563809964598895de7bc2e17ab8b39c495ec39999c013af0fcb31596fd1d442500f25a96

C:\Windows\SysWOW64\Hggomh32.exe

MD5 1aec8ad9a1d26e3967794faaef15ae00
SHA1 f77db786756d77c268d83ce0aa9da11330d64864
SHA256 e670bca0afb53320a6d7bfa30b986cb231ae224168b6f9e06c22815033bd0ab2
SHA512 129148c976d148bc6f2f31f4b2f7abbeafe15fbd3291c90f46c58878750a8cf16bcfbc5b323554066d4d013470dde54f71d721921a3ff090bd0b2326199f3d37

C:\Windows\SysWOW64\Hlcgeo32.exe

MD5 91e31541341ced330291ce86e014214f
SHA1 4be3617c9d6db0494913acfce0ad1e6827b92a5b
SHA256 e483d39def26e84d50717d412635b815135ef609ea87635f166c31115f5887a1
SHA512 d649055bf79eb83b814b4be397d69f7b2a66aec21e6ed1f86bb1ced2fd7e595d400d9132fec48c203f910d787526b6ff3a3f1a7a7df0adf416142671f271684a

C:\Windows\SysWOW64\Hcnpbi32.exe

MD5 fb70b3ef86acea4ff1238f2762e60d81
SHA1 587fc73451e7022fe92e9bb1e777456a7a723d0c
SHA256 cc8ffaf509db80a2efa8fc16e42d32e01ea38d513752e692d090af0f0ea33a47
SHA512 b3a3a0d4efb43ac726e1d0e1696ad997256be7e76d1a9795d230346a2ea2f9f177385820f1c0136cba86e65bf0fdeb85a3c38279ee60d592c9d1ff10f3414d43

C:\Windows\SysWOW64\Hgilchkf.exe

MD5 e46b4285d401203faed36c842a38c1d1
SHA1 0490aed3026c3d487869f6760090cb094e5d0c28
SHA256 c668ebdde25160a71ce919931e3c79572788fbf3986e5c1b081fae55d560f752
SHA512 b1c80cd3178525b4a0a2bbc620c6ac6f291d91b50b51f302e5c6b3dd94d285962edd5e68f65480faf40fe290a9e6a8c707f3002a5ac06413900ed119104e92cb

C:\Windows\SysWOW64\Hhjhkq32.exe

MD5 0554163e4c107372c79685fcec1841c1
SHA1 7e1a2bed5870a1f09c0e96b004cc553863cd1c01
SHA256 09bba14450727577a9f19e75f1044c0a92dae04c8170fcbc25374badbb7bca8e
SHA512 6147454819645393a900b379045e5274719101c02a1c701eae2a1b14792b31628177f92327732daa5065818d19d2bf24b43c9c732fd1764dccfe1a48607109de

C:\Windows\SysWOW64\Hpapln32.exe

MD5 285a64b12f3209e6bb101017e14deec6
SHA1 ef6d8e83e77a9e6d31ded9d00e6e74f4eda9ae1e
SHA256 57934a12983f9770b3d5f4d9f2d4208b2aa2eb9a3299c4abd7435889eeb10258
SHA512 5d2fb5cf4e175621d27d7fc9bac157d5adbaf8a3c9a3ef48d0ee1d864bfef97d49e7aa1f0399f781e1bf1bd9c29e12fa20ef2ef544972a3596fa820b89fd26ef

C:\Windows\SysWOW64\Hcplhi32.exe

MD5 583ec3ec3d559da6f5eb10d5e8714b68
SHA1 0891a6df17953afb6a7ebcad2968482600cdab84
SHA256 aa14eb7aea3da02c0da5e29ef8a18b9bd5d94c9829d4998434dec70125ee0bf6
SHA512 a5c43d784dac9152b4628bb38128350716de3020b6b771060c1cdf7686793a5f9a9175b713a57b04cab7c5b08a66cf14b16a20a0d2b86636e4a2e69b9c8c73b4

C:\Windows\SysWOW64\Henidd32.exe

MD5 a29597909f02b963db7e868b250b8037
SHA1 73ab4a3dc8da20efaa558ab5a11072f8346c9897
SHA256 c4c44aecf590d57a20fd766ad34627b05a29e86808e9665e0671aedb5d71d756
SHA512 ef0a40f00506c7ab09681bf87a6e04d1d9ddef6e0793662a2cae1d4bce8f04734f6f694929596d82fb25462554928d184f0866ff100861bf4497cce86a65dd26

C:\Windows\SysWOW64\Hlhaqogk.exe

MD5 2fed88792535aecad6a3eb7206c1a294
SHA1 523b2c33b597e0afe08f67cc8a4471e2b8688c34
SHA256 3049a9c4b41f20376e806cabc69571dd21cfa515add7ed072132fb55093ff92f
SHA512 699c93814a2e532140e7611d704040e686ef9ce400292bfdf79666029fa0f6492aa2237661728f70d7a52c8fab21e8280242dd39204b0854cd7518e5d053c8a1

C:\Windows\SysWOW64\Iaeiieeb.exe

MD5 729b0278b9148f16a8b4856d779a568c
SHA1 6b82252c2812d666468a2e40d07720d8b263441e
SHA256 82d361c5002c0e516cd40d9fa79b44b602875a879bc6ca74f80023a1275a50cc
SHA512 8f743630e1c9a9fb98c172342630fe5a648cd1e17a7dcce2c9a159c0bc5737aefb57b31ab1995aba852b1fc077797114080f8253552d0ec5242a0b67d4d2d484

C:\Windows\SysWOW64\Idceea32.exe

MD5 4551ffa47411aafe1b8cb301295ef47f
SHA1 aa799d9e97f710c00ef7fe2d9bac8e9bb4d9dcb4
SHA256 28f6013d811a84d3466b93ed2468c007c9bd0d069264b6746d805e1669da7c53
SHA512 9977c52eb2424ba732475c6d1335fe3bac7ddf6ed645222da13ee6d71f0912e402b95d0f073887fccf0d0d54a6283fba8cbe3324ace4b30f7492bd2928f2f269

C:\Windows\SysWOW64\Iknnbklc.exe

MD5 12eff18e2dcbad5d320e3a96cd8a6055
SHA1 16c4ce895b79e937c9a97844aeb8f4ddfae7ee78
SHA256 be3b8aa2a05ffd1c58b0097c1c7f94d9367a775f8b3081d61374fe477cf22db4
SHA512 a5cbb861e5ecfa3e2c8bce161ff1a40668098c622f2e6ade2746ca6322b897ccb46b3e977a79181fec73a598b30c0a39b44a3f2fbcf1ffc44e4d1871cef2e6fc

C:\Windows\SysWOW64\Inljnfkg.exe

MD5 1e6347c3973478ef3caf62b9af68b72d
SHA1 ec62a99c443b796c22ba5641c13e3b16dbdadeea
SHA256 9d7a443c1b7dab18b795f928d21d6010d3feaf39c1ed91802dff706861a3c865
SHA512 8607dd255cdf369dbda2d725fb67e1cdc937b414e569f23f132121a1afdfb936296148ac48abbe1e1d1af65c90f4c934496ce05466535e1c5a7c86bec0e46787

C:\Windows\SysWOW64\Iagfoe32.exe

MD5 9d1bbcfc550d8c29ea391a9fc832da4a
SHA1 b298aa646d6ff564451c3725528ca1a9a3512cf2
SHA256 74dccf9d3e4909d321b73f846df68810f6012b34f2f0f18c7f9fdaf1d4fff66e
SHA512 d7c27c9cb187afac1f22dccc15d3e224633711dec267e342c5ac267d48e0976b177bcd00870a89079b946ae96404292eb243e2d982820fadbb4394fef3101055

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-23 06:03

Reported

2024-05-23 06:06

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cf9d11295694eb3cb4b29c9211968ab0_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Imdgqfbd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qnjnnj32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cmiflbel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gokdeeec.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Heapdjlp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pbbgnpgl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dhpjkojk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Mciobn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Odnnnnfe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dllfkn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fooeif32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Migjoaaf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lpnlpnih.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Qmkadgpo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cjkjpgfi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ncnadk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Llemdo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ceehho32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jblpek32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Mlampmdo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mckemg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aadifclh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Fcckif32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gkkojgao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dhkjej32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ahkobekf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dhnnep32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ecandfpd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ibcmom32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Kibgmdcn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Qgcbgo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Kbhoqj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Meiaib32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Olfobjbg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pkhoae32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Abkjdnoa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Olcbmj32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dogogcpo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dhmgki32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Aacckjaf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kdcbom32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cfmajipb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Mgidml32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ajkhdp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bdhfhe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ehedfo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Jedeph32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Lekehdgp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aniajnnn.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pnbbbabh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Jfcbjk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jefbfgig.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Kfankifm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Mpablkhc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Pdfjifjo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Pbpjhp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mgddhf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ocegdjij.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Kmkfhc32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bagflcje.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bjghpn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hkdbpe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Pgemphmn.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aaepqjpd.exe N/A

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Mciobn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjcgohig.exe N/A
N/A N/A C:\Windows\SysWOW64\Mnapdf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mpolqa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgidml32.exe N/A
N/A N/A C:\Windows\SysWOW64\Maaepd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mcbahlip.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndbnboqb.exe N/A
N/A N/A C:\Windows\SysWOW64\Nqiogp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Njacpf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbhkac32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngedij32.exe N/A
N/A N/A C:\Windows\SysWOW64\Njfmke32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ncnadk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Odnnnnfe.exe N/A
N/A N/A C:\Windows\SysWOW64\Onfbfc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oqgkhnjf.exe N/A
N/A N/A C:\Windows\SysWOW64\Ocegdjij.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojopad32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oqihnn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Okolkg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Onmhgb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oqkdcn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pcjapi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pgemphmn.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjdilcla.exe N/A
N/A N/A C:\Windows\SysWOW64\Pnpemb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pqnaim32.exe N/A
N/A N/A C:\Windows\SysWOW64\Peimil32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pclneicb.exe N/A
N/A N/A C:\Windows\SysWOW64\Pghieg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkceffcd.exe N/A
N/A N/A C:\Windows\SysWOW64\Pnbbbabh.exe N/A
N/A N/A C:\Windows\SysWOW64\Pbmncp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pqpnombl.exe N/A
N/A N/A C:\Windows\SysWOW64\Peljol32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pgjfkg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkfblfab.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjhbgb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pbpjhp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pabkdmpi.exe N/A
N/A N/A C:\Windows\SysWOW64\Pengdk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pgmcqggf.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkhoae32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjkombfj.exe N/A
N/A N/A C:\Windows\SysWOW64\Pnfkma32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pbbgnpgl.exe N/A
N/A N/A C:\Windows\SysWOW64\Peqcjkfp.exe N/A
N/A N/A C:\Windows\SysWOW64\Pcccfh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pgopffec.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjmlbbdg.exe N/A
N/A N/A C:\Windows\SysWOW64\Pnihcq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pbddcoei.exe N/A
N/A N/A C:\Windows\SysWOW64\Qecppkdm.exe N/A
N/A N/A C:\Windows\SysWOW64\Qcepkg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qgallfcq.exe N/A
N/A N/A C:\Windows\SysWOW64\Qkmhlekj.exe N/A
N/A N/A C:\Windows\SysWOW64\Qnkdhpjn.exe N/A
N/A N/A C:\Windows\SysWOW64\Qbgqio32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qeemej32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qchmagie.exe N/A
N/A N/A C:\Windows\SysWOW64\Qloebdig.exe N/A
N/A N/A C:\Windows\SysWOW64\Qnnanphk.exe N/A
N/A N/A C:\Windows\SysWOW64\Abkjdnoa.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Chdkoa32.exe C:\Windows\SysWOW64\Cefoce32.exe N/A
File created C:\Windows\SysWOW64\Dmamoe32.dll C:\Windows\SysWOW64\Jefbfgig.exe N/A
File opened for modification C:\Windows\SysWOW64\Mmpijp32.exe C:\Windows\SysWOW64\Meiaib32.exe N/A
File created C:\Windows\SysWOW64\Npcoakfp.exe C:\Windows\SysWOW64\Mnebeogl.exe N/A
File opened for modification C:\Windows\SysWOW64\Mjcgohig.exe C:\Windows\SysWOW64\Mciobn32.exe N/A
File created C:\Windows\SysWOW64\Efpmmmoo.dll C:\Windows\SysWOW64\Ckedalaj.exe N/A
File opened for modification C:\Windows\SysWOW64\Dekhneap.exe C:\Windows\SysWOW64\Dbllbibl.exe N/A
File created C:\Windows\SysWOW64\Iihkpg32.exe C:\Windows\SysWOW64\Ifjodl32.exe N/A
File created C:\Windows\SysWOW64\Qjkmdp32.dll C:\Windows\SysWOW64\Ndaggimg.exe N/A
File created C:\Windows\SysWOW64\Bdjinlko.dll C:\Windows\SysWOW64\Pmoahijl.exe N/A
File created C:\Windows\SysWOW64\Ajanck32.exe C:\Windows\SysWOW64\Qgcbgo32.exe N/A
File created C:\Windows\SysWOW64\Cmiflbel.exe C:\Windows\SysWOW64\Cjkjpgfi.exe N/A
File created C:\Windows\SysWOW64\Ajfoiqll.exe C:\Windows\SysWOW64\Abkjdnoa.exe N/A
File created C:\Windows\SysWOW64\Hcmgfbhd.exe C:\Windows\SysWOW64\Hihbijhn.exe N/A
File created C:\Windows\SysWOW64\Fhccdhqf.dll C:\Windows\SysWOW64\Kfankifm.exe N/A
File created C:\Windows\SysWOW64\Eohipl32.dll C:\Windows\SysWOW64\Nnlhfn32.exe N/A
File created C:\Windows\SysWOW64\Gpaekf32.dll C:\Windows\SysWOW64\Olkhmi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pnfdcjkg.exe C:\Windows\SysWOW64\Pfolbmje.exe N/A
File opened for modification C:\Windows\SysWOW64\Ajanck32.exe C:\Windows\SysWOW64\Qgcbgo32.exe N/A
File created C:\Windows\SysWOW64\Dmllipeg.exe C:\Windows\SysWOW64\Dhocqigp.exe N/A
File created C:\Windows\SysWOW64\Oijgnaaa.dll C:\Windows\SysWOW64\Fdlnbm32.exe N/A
File created C:\Windows\SysWOW64\Pjcbnbmg.dll C:\Windows\SysWOW64\Nckndeni.exe N/A
File created C:\Windows\SysWOW64\Hjfgfh32.dll C:\Windows\SysWOW64\Qqijje32.exe N/A
File opened for modification C:\Windows\SysWOW64\Aadifclh.exe C:\Windows\SysWOW64\Aeniabfd.exe N/A
File created C:\Windows\SysWOW64\Peljol32.exe C:\Windows\SysWOW64\Pqpnombl.exe N/A
File created C:\Windows\SysWOW64\Hnicfelf.dll C:\Windows\SysWOW64\Qecppkdm.exe N/A
File created C:\Windows\SysWOW64\Edihepnm.exe C:\Windows\SysWOW64\Echknh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jifhaenk.exe C:\Windows\SysWOW64\Jeklag32.exe N/A
File created C:\Windows\SysWOW64\Bapolp32.dll C:\Windows\SysWOW64\Dohfbj32.exe N/A
File created C:\Windows\SysWOW64\Ekemhj32.exe C:\Windows\SysWOW64\Edkdkplj.exe N/A
File opened for modification C:\Windows\SysWOW64\Lmppcbjd.exe C:\Windows\SysWOW64\Liddbc32.exe N/A
File created C:\Windows\SysWOW64\Njciko32.exe C:\Windows\SysWOW64\Ncianepl.exe N/A
File created C:\Windows\SysWOW64\Qeobam32.dll C:\Windows\SysWOW64\Qgcbgo32.exe N/A
File created C:\Windows\SysWOW64\Omocan32.dll C:\Windows\SysWOW64\Chmndlge.exe N/A
File created C:\Windows\SysWOW64\Mciobn32.exe C:\Users\Admin\AppData\Local\Temp\cf9d11295694eb3cb4b29c9211968ab0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Nbhkac32.exe C:\Windows\SysWOW64\Njacpf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Clkndpag.exe C:\Windows\SysWOW64\Cogmkl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dldpkoil.exe C:\Windows\SysWOW64\Dhidjpqc.exe N/A
File created C:\Windows\SysWOW64\Kmdqgd32.exe C:\Windows\SysWOW64\Kemhff32.exe N/A
File created C:\Windows\SysWOW64\Odegmceb.dll C:\Windows\SysWOW64\Mnapdf32.exe N/A
File created C:\Windows\SysWOW64\Fkalchij.exe C:\Windows\SysWOW64\Fhcpgmjf.exe N/A
File opened for modification C:\Windows\SysWOW64\Jmhale32.exe C:\Windows\SysWOW64\Ibcmom32.exe N/A
File created C:\Windows\SysWOW64\Mmpijp32.exe C:\Windows\SysWOW64\Meiaib32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pfhfan32.exe C:\Windows\SysWOW64\Pdfjifjo.exe N/A
File opened for modification C:\Windows\SysWOW64\Aeniabfd.exe C:\Windows\SysWOW64\Aeklkchg.exe N/A
File created C:\Windows\SysWOW64\Lcfcfldc.dll C:\Windows\SysWOW64\Qnnanphk.exe N/A
File opened for modification C:\Windows\SysWOW64\Hckjacjg.exe C:\Windows\SysWOW64\Hkdbpe32.exe N/A
File created C:\Windows\SysWOW64\Lphoelqn.exe C:\Windows\SysWOW64\Lgokmgjm.exe N/A
File opened for modification C:\Windows\SysWOW64\Nepgjaeg.exe C:\Windows\SysWOW64\Ngmgne32.exe N/A
File created C:\Windows\SysWOW64\Jdeflhhf.dll C:\Windows\SysWOW64\Nfjjppmm.exe N/A
File created C:\Windows\SysWOW64\Beeflhdh.exe C:\Windows\SysWOW64\Bbgipldd.exe N/A
File opened for modification C:\Windows\SysWOW64\Pgjfkg32.exe C:\Windows\SysWOW64\Peljol32.exe N/A
File created C:\Windows\SysWOW64\Cleqadmh.dll C:\Windows\SysWOW64\Aacckjaf.exe N/A
File created C:\Windows\SysWOW64\Echknh32.exe C:\Windows\SysWOW64\Dhbgqohi.exe N/A
File created C:\Windows\SysWOW64\Jmnoof32.dll C:\Windows\SysWOW64\Gcimkc32.exe N/A
File created C:\Windows\SysWOW64\Khchklef.dll C:\Windows\SysWOW64\Jcioiood.exe N/A
File created C:\Windows\SysWOW64\Llemdo32.exe C:\Windows\SysWOW64\Ligqhc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ekjfcipa.exe C:\Windows\SysWOW64\Edpnfo32.exe N/A
File created C:\Windows\SysWOW64\Ffhoqj32.dll C:\Windows\SysWOW64\Kimnbd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Qgcbgo32.exe C:\Windows\SysWOW64\Qddfkd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cnkplejl.exe C:\Windows\SysWOW64\Cjpckf32.exe N/A
File created C:\Windows\SysWOW64\Ckedalaj.exe C:\Windows\SysWOW64\Chghdqbf.exe N/A
File created C:\Windows\SysWOW64\Dohfbj32.exe C:\Windows\SysWOW64\Dkljak32.exe N/A
File created C:\Windows\SysWOW64\Bnmqkjel.dll C:\Windows\SysWOW64\Fcckif32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dmllipeg.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Bbgipldd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bdhfhe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ckpjfm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akalojih.dll" C:\Windows\SysWOW64\Cbgbgj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ehedfo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hiefcj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Hcbpab32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pjmlbbdg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Njnpppkn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ncianepl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgppolie.dll" C:\Windows\SysWOW64\Ofeilobp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pqbdjfln.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flpafo32.dll" C:\Windows\SysWOW64\Kbaipkbi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Hbgmcnhf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Pkfblfab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceipnc32.dll" C:\Windows\SysWOW64\Qnkdhpjn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bhkhibmc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Fhemmlhc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Jcioiood.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hipnbb32.dll" C:\Windows\SysWOW64\Njfmke32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Peljol32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Qnnanphk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgmlbfod.dll" C:\Windows\SysWOW64\Fomhdg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Gdcdbl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jcllonma.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mdhdajea.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Mdjagjco.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aafdghob.dll" C:\Windows\SysWOW64\Pclneicb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll" C:\Windows\SysWOW64\Cmgjgcgo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Cfmajipb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kpbmco32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mlopkm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hddeok32.dll" C:\Windows\SysWOW64\Ndfqbhia.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfbgbeai.dll" C:\Windows\SysWOW64\Ocdqjceo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cmlcbbcj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ffimfqgm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ckpjfm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgdpie32.dll" C:\Windows\SysWOW64\Beeflhdh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhoholen.dll" C:\Windows\SysWOW64\Ehimanbq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnmqkjel.dll" C:\Windows\SysWOW64\Fcckif32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jioaqfcc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gebgohck.dll" C:\Windows\SysWOW64\Liddbc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Eamhodmf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnmljl32.dll" C:\Windows\SysWOW64\Alhhhcal.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Bnlnon32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Demecd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cajolcjk.dll" C:\Windows\SysWOW64\Ecandfpd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Glhonj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpnaemnl.dll" C:\Windows\SysWOW64\Hoiafcic.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knkkfojb.dll" C:\Windows\SysWOW64\Npcoakfp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbllbm32.dll" C:\Windows\SysWOW64\Pbmncp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pnfdcjkg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Fhcpgmjf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iihqganf.dll" C:\Windows\SysWOW64\Lenamdem.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll" C:\Windows\SysWOW64\Amddjegd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Qloebdig.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll" C:\Windows\SysWOW64\Njacpf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hekcnknf.dll" C:\Windows\SysWOW64\Pjmlbbdg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cojlbcgp.dll" C:\Windows\SysWOW64\Lpnlpnih.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Olfobjbg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll" C:\Windows\SysWOW64\Dopigd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Dhmgki32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Nqiogp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ekemhj32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2732 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\cf9d11295694eb3cb4b29c9211968ab0_NeikiAnalytics.exe C:\Windows\SysWOW64\Mciobn32.exe
PID 2732 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\cf9d11295694eb3cb4b29c9211968ab0_NeikiAnalytics.exe C:\Windows\SysWOW64\Mciobn32.exe
PID 2732 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\cf9d11295694eb3cb4b29c9211968ab0_NeikiAnalytics.exe C:\Windows\SysWOW64\Mciobn32.exe
PID 4480 wrote to memory of 3216 N/A C:\Windows\SysWOW64\Mciobn32.exe C:\Windows\SysWOW64\Mjcgohig.exe
PID 4480 wrote to memory of 3216 N/A C:\Windows\SysWOW64\Mciobn32.exe C:\Windows\SysWOW64\Mjcgohig.exe
PID 4480 wrote to memory of 3216 N/A C:\Windows\SysWOW64\Mciobn32.exe C:\Windows\SysWOW64\Mjcgohig.exe
PID 3216 wrote to memory of 1432 N/A C:\Windows\SysWOW64\Mjcgohig.exe C:\Windows\SysWOW64\Mnapdf32.exe
PID 3216 wrote to memory of 1432 N/A C:\Windows\SysWOW64\Mjcgohig.exe C:\Windows\SysWOW64\Mnapdf32.exe
PID 3216 wrote to memory of 1432 N/A C:\Windows\SysWOW64\Mjcgohig.exe C:\Windows\SysWOW64\Mnapdf32.exe
PID 1432 wrote to memory of 3224 N/A C:\Windows\SysWOW64\Mnapdf32.exe C:\Windows\SysWOW64\Mpolqa32.exe
PID 1432 wrote to memory of 3224 N/A C:\Windows\SysWOW64\Mnapdf32.exe C:\Windows\SysWOW64\Mpolqa32.exe
PID 1432 wrote to memory of 3224 N/A C:\Windows\SysWOW64\Mnapdf32.exe C:\Windows\SysWOW64\Mpolqa32.exe
PID 3224 wrote to memory of 2696 N/A C:\Windows\SysWOW64\Mpolqa32.exe C:\Windows\SysWOW64\Mgidml32.exe
PID 3224 wrote to memory of 2696 N/A C:\Windows\SysWOW64\Mpolqa32.exe C:\Windows\SysWOW64\Mgidml32.exe
PID 3224 wrote to memory of 2696 N/A C:\Windows\SysWOW64\Mpolqa32.exe C:\Windows\SysWOW64\Mgidml32.exe
PID 2696 wrote to memory of 3408 N/A C:\Windows\SysWOW64\Mgidml32.exe C:\Windows\SysWOW64\Maaepd32.exe
PID 2696 wrote to memory of 3408 N/A C:\Windows\SysWOW64\Mgidml32.exe C:\Windows\SysWOW64\Maaepd32.exe
PID 2696 wrote to memory of 3408 N/A C:\Windows\SysWOW64\Mgidml32.exe C:\Windows\SysWOW64\Maaepd32.exe
PID 3408 wrote to memory of 4772 N/A C:\Windows\SysWOW64\Maaepd32.exe C:\Windows\SysWOW64\Mcbahlip.exe
PID 3408 wrote to memory of 4772 N/A C:\Windows\SysWOW64\Maaepd32.exe C:\Windows\SysWOW64\Mcbahlip.exe
PID 3408 wrote to memory of 4772 N/A C:\Windows\SysWOW64\Maaepd32.exe C:\Windows\SysWOW64\Mcbahlip.exe
PID 4772 wrote to memory of 4356 N/A C:\Windows\SysWOW64\Mcbahlip.exe C:\Windows\SysWOW64\Ndbnboqb.exe
PID 4772 wrote to memory of 4356 N/A C:\Windows\SysWOW64\Mcbahlip.exe C:\Windows\SysWOW64\Ndbnboqb.exe
PID 4772 wrote to memory of 4356 N/A C:\Windows\SysWOW64\Mcbahlip.exe C:\Windows\SysWOW64\Ndbnboqb.exe
PID 4356 wrote to memory of 3968 N/A C:\Windows\SysWOW64\Ndbnboqb.exe C:\Windows\SysWOW64\Nqiogp32.exe
PID 4356 wrote to memory of 3968 N/A C:\Windows\SysWOW64\Ndbnboqb.exe C:\Windows\SysWOW64\Nqiogp32.exe
PID 4356 wrote to memory of 3968 N/A C:\Windows\SysWOW64\Ndbnboqb.exe C:\Windows\SysWOW64\Nqiogp32.exe
PID 3968 wrote to memory of 4380 N/A C:\Windows\SysWOW64\Nqiogp32.exe C:\Windows\SysWOW64\Njacpf32.exe
PID 3968 wrote to memory of 4380 N/A C:\Windows\SysWOW64\Nqiogp32.exe C:\Windows\SysWOW64\Njacpf32.exe
PID 3968 wrote to memory of 4380 N/A C:\Windows\SysWOW64\Nqiogp32.exe C:\Windows\SysWOW64\Njacpf32.exe
PID 4380 wrote to memory of 4616 N/A C:\Windows\SysWOW64\Njacpf32.exe C:\Windows\SysWOW64\Nbhkac32.exe
PID 4380 wrote to memory of 4616 N/A C:\Windows\SysWOW64\Njacpf32.exe C:\Windows\SysWOW64\Nbhkac32.exe
PID 4380 wrote to memory of 4616 N/A C:\Windows\SysWOW64\Njacpf32.exe C:\Windows\SysWOW64\Nbhkac32.exe
PID 4616 wrote to memory of 2552 N/A C:\Windows\SysWOW64\Nbhkac32.exe C:\Windows\SysWOW64\Ngedij32.exe
PID 4616 wrote to memory of 2552 N/A C:\Windows\SysWOW64\Nbhkac32.exe C:\Windows\SysWOW64\Ngedij32.exe
PID 4616 wrote to memory of 2552 N/A C:\Windows\SysWOW64\Nbhkac32.exe C:\Windows\SysWOW64\Ngedij32.exe
PID 2552 wrote to memory of 3276 N/A C:\Windows\SysWOW64\Ngedij32.exe C:\Windows\SysWOW64\Njfmke32.exe
PID 2552 wrote to memory of 3276 N/A C:\Windows\SysWOW64\Ngedij32.exe C:\Windows\SysWOW64\Njfmke32.exe
PID 2552 wrote to memory of 3276 N/A C:\Windows\SysWOW64\Ngedij32.exe C:\Windows\SysWOW64\Njfmke32.exe
PID 3276 wrote to memory of 4792 N/A C:\Windows\SysWOW64\Njfmke32.exe C:\Windows\SysWOW64\Ncnadk32.exe
PID 3276 wrote to memory of 4792 N/A C:\Windows\SysWOW64\Njfmke32.exe C:\Windows\SysWOW64\Ncnadk32.exe
PID 3276 wrote to memory of 4792 N/A C:\Windows\SysWOW64\Njfmke32.exe C:\Windows\SysWOW64\Ncnadk32.exe
PID 4792 wrote to memory of 3324 N/A C:\Windows\SysWOW64\Ncnadk32.exe C:\Windows\SysWOW64\Odnnnnfe.exe
PID 4792 wrote to memory of 3324 N/A C:\Windows\SysWOW64\Ncnadk32.exe C:\Windows\SysWOW64\Odnnnnfe.exe
PID 4792 wrote to memory of 3324 N/A C:\Windows\SysWOW64\Ncnadk32.exe C:\Windows\SysWOW64\Odnnnnfe.exe
PID 3324 wrote to memory of 2376 N/A C:\Windows\SysWOW64\Odnnnnfe.exe C:\Windows\SysWOW64\Onfbfc32.exe
PID 3324 wrote to memory of 2376 N/A C:\Windows\SysWOW64\Odnnnnfe.exe C:\Windows\SysWOW64\Onfbfc32.exe
PID 3324 wrote to memory of 2376 N/A C:\Windows\SysWOW64\Odnnnnfe.exe C:\Windows\SysWOW64\Onfbfc32.exe
PID 2376 wrote to memory of 4832 N/A C:\Windows\SysWOW64\Onfbfc32.exe C:\Windows\SysWOW64\Oqgkhnjf.exe
PID 2376 wrote to memory of 4832 N/A C:\Windows\SysWOW64\Onfbfc32.exe C:\Windows\SysWOW64\Oqgkhnjf.exe
PID 2376 wrote to memory of 4832 N/A C:\Windows\SysWOW64\Onfbfc32.exe C:\Windows\SysWOW64\Oqgkhnjf.exe
PID 4832 wrote to memory of 1128 N/A C:\Windows\SysWOW64\Oqgkhnjf.exe C:\Windows\SysWOW64\Ocegdjij.exe
PID 4832 wrote to memory of 1128 N/A C:\Windows\SysWOW64\Oqgkhnjf.exe C:\Windows\SysWOW64\Ocegdjij.exe
PID 4832 wrote to memory of 1128 N/A C:\Windows\SysWOW64\Oqgkhnjf.exe C:\Windows\SysWOW64\Ocegdjij.exe
PID 1128 wrote to memory of 3852 N/A C:\Windows\SysWOW64\Ocegdjij.exe C:\Windows\SysWOW64\Ojopad32.exe
PID 1128 wrote to memory of 3852 N/A C:\Windows\SysWOW64\Ocegdjij.exe C:\Windows\SysWOW64\Ojopad32.exe
PID 1128 wrote to memory of 3852 N/A C:\Windows\SysWOW64\Ocegdjij.exe C:\Windows\SysWOW64\Ojopad32.exe
PID 3852 wrote to memory of 2124 N/A C:\Windows\SysWOW64\Ojopad32.exe C:\Windows\SysWOW64\Oqihnn32.exe
PID 3852 wrote to memory of 2124 N/A C:\Windows\SysWOW64\Ojopad32.exe C:\Windows\SysWOW64\Oqihnn32.exe
PID 3852 wrote to memory of 2124 N/A C:\Windows\SysWOW64\Ojopad32.exe C:\Windows\SysWOW64\Oqihnn32.exe
PID 2124 wrote to memory of 3044 N/A C:\Windows\SysWOW64\Oqihnn32.exe C:\Windows\SysWOW64\Okolkg32.exe
PID 2124 wrote to memory of 3044 N/A C:\Windows\SysWOW64\Oqihnn32.exe C:\Windows\SysWOW64\Okolkg32.exe
PID 2124 wrote to memory of 3044 N/A C:\Windows\SysWOW64\Oqihnn32.exe C:\Windows\SysWOW64\Okolkg32.exe
PID 3044 wrote to memory of 3228 N/A C:\Windows\SysWOW64\Okolkg32.exe C:\Windows\SysWOW64\Onmhgb32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cf9d11295694eb3cb4b29c9211968ab0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\cf9d11295694eb3cb4b29c9211968ab0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Mciobn32.exe

C:\Windows\system32\Mciobn32.exe

C:\Windows\SysWOW64\Mjcgohig.exe

C:\Windows\system32\Mjcgohig.exe

C:\Windows\SysWOW64\Mnapdf32.exe

C:\Windows\system32\Mnapdf32.exe

C:\Windows\SysWOW64\Mpolqa32.exe

C:\Windows\system32\Mpolqa32.exe

C:\Windows\SysWOW64\Mgidml32.exe

C:\Windows\system32\Mgidml32.exe

C:\Windows\SysWOW64\Maaepd32.exe

C:\Windows\system32\Maaepd32.exe

C:\Windows\SysWOW64\Mcbahlip.exe

C:\Windows\system32\Mcbahlip.exe

C:\Windows\SysWOW64\Ndbnboqb.exe

C:\Windows\system32\Ndbnboqb.exe

C:\Windows\SysWOW64\Nqiogp32.exe

C:\Windows\system32\Nqiogp32.exe

C:\Windows\SysWOW64\Njacpf32.exe

C:\Windows\system32\Njacpf32.exe

C:\Windows\SysWOW64\Nbhkac32.exe

C:\Windows\system32\Nbhkac32.exe

C:\Windows\SysWOW64\Ngedij32.exe

C:\Windows\system32\Ngedij32.exe

C:\Windows\SysWOW64\Njfmke32.exe

C:\Windows\system32\Njfmke32.exe

C:\Windows\SysWOW64\Ncnadk32.exe

C:\Windows\system32\Ncnadk32.exe

C:\Windows\SysWOW64\Odnnnnfe.exe

C:\Windows\system32\Odnnnnfe.exe

C:\Windows\SysWOW64\Onfbfc32.exe

C:\Windows\system32\Onfbfc32.exe

C:\Windows\SysWOW64\Oqgkhnjf.exe

C:\Windows\system32\Oqgkhnjf.exe

C:\Windows\SysWOW64\Ocegdjij.exe

C:\Windows\system32\Ocegdjij.exe

C:\Windows\SysWOW64\Ojopad32.exe

C:\Windows\system32\Ojopad32.exe

C:\Windows\SysWOW64\Oqihnn32.exe

C:\Windows\system32\Oqihnn32.exe

C:\Windows\SysWOW64\Okolkg32.exe

C:\Windows\system32\Okolkg32.exe

C:\Windows\SysWOW64\Onmhgb32.exe

C:\Windows\system32\Onmhgb32.exe

C:\Windows\SysWOW64\Oqkdcn32.exe

C:\Windows\system32\Oqkdcn32.exe

C:\Windows\SysWOW64\Pcjapi32.exe

C:\Windows\system32\Pcjapi32.exe

C:\Windows\SysWOW64\Pgemphmn.exe

C:\Windows\system32\Pgemphmn.exe

C:\Windows\SysWOW64\Pjdilcla.exe

C:\Windows\system32\Pjdilcla.exe

C:\Windows\SysWOW64\Pnpemb32.exe

C:\Windows\system32\Pnpemb32.exe

C:\Windows\SysWOW64\Pqnaim32.exe

C:\Windows\system32\Pqnaim32.exe

C:\Windows\SysWOW64\Peimil32.exe

C:\Windows\system32\Peimil32.exe

C:\Windows\SysWOW64\Pclneicb.exe

C:\Windows\system32\Pclneicb.exe

C:\Windows\SysWOW64\Pghieg32.exe

C:\Windows\system32\Pghieg32.exe

C:\Windows\SysWOW64\Pkceffcd.exe

C:\Windows\system32\Pkceffcd.exe

C:\Windows\SysWOW64\Pnbbbabh.exe

C:\Windows\system32\Pnbbbabh.exe

C:\Windows\SysWOW64\Pbmncp32.exe

C:\Windows\system32\Pbmncp32.exe

C:\Windows\SysWOW64\Pqpnombl.exe

C:\Windows\system32\Pqpnombl.exe

C:\Windows\SysWOW64\Peljol32.exe

C:\Windows\system32\Peljol32.exe

C:\Windows\SysWOW64\Pgjfkg32.exe

C:\Windows\system32\Pgjfkg32.exe

C:\Windows\SysWOW64\Pkfblfab.exe

C:\Windows\system32\Pkfblfab.exe

C:\Windows\SysWOW64\Pjhbgb32.exe

C:\Windows\system32\Pjhbgb32.exe

C:\Windows\SysWOW64\Pbpjhp32.exe

C:\Windows\system32\Pbpjhp32.exe

C:\Windows\SysWOW64\Pabkdmpi.exe

C:\Windows\system32\Pabkdmpi.exe

C:\Windows\SysWOW64\Pengdk32.exe

C:\Windows\system32\Pengdk32.exe

C:\Windows\SysWOW64\Pgmcqggf.exe

C:\Windows\system32\Pgmcqggf.exe

C:\Windows\SysWOW64\Pkhoae32.exe

C:\Windows\system32\Pkhoae32.exe

C:\Windows\SysWOW64\Pjkombfj.exe

C:\Windows\system32\Pjkombfj.exe

C:\Windows\SysWOW64\Pnfkma32.exe

C:\Windows\system32\Pnfkma32.exe

C:\Windows\SysWOW64\Pbbgnpgl.exe

C:\Windows\system32\Pbbgnpgl.exe

C:\Windows\SysWOW64\Peqcjkfp.exe

C:\Windows\system32\Peqcjkfp.exe

C:\Windows\SysWOW64\Pcccfh32.exe

C:\Windows\system32\Pcccfh32.exe

C:\Windows\SysWOW64\Pgopffec.exe

C:\Windows\system32\Pgopffec.exe

C:\Windows\SysWOW64\Pjmlbbdg.exe

C:\Windows\system32\Pjmlbbdg.exe

C:\Windows\SysWOW64\Pnihcq32.exe

C:\Windows\system32\Pnihcq32.exe

C:\Windows\SysWOW64\Pbddcoei.exe

C:\Windows\system32\Pbddcoei.exe

C:\Windows\SysWOW64\Qecppkdm.exe

C:\Windows\system32\Qecppkdm.exe

C:\Windows\SysWOW64\Qcepkg32.exe

C:\Windows\system32\Qcepkg32.exe

C:\Windows\SysWOW64\Qgallfcq.exe

C:\Windows\system32\Qgallfcq.exe

C:\Windows\SysWOW64\Qkmhlekj.exe

C:\Windows\system32\Qkmhlekj.exe

C:\Windows\SysWOW64\Qnkdhpjn.exe

C:\Windows\system32\Qnkdhpjn.exe

C:\Windows\SysWOW64\Qbgqio32.exe

C:\Windows\system32\Qbgqio32.exe

C:\Windows\SysWOW64\Qeemej32.exe

C:\Windows\system32\Qeemej32.exe

C:\Windows\SysWOW64\Qchmagie.exe

C:\Windows\system32\Qchmagie.exe

C:\Windows\SysWOW64\Qloebdig.exe

C:\Windows\system32\Qloebdig.exe

C:\Windows\SysWOW64\Qnnanphk.exe

C:\Windows\system32\Qnnanphk.exe

C:\Windows\SysWOW64\Abkjdnoa.exe

C:\Windows\system32\Abkjdnoa.exe

C:\Windows\SysWOW64\Ajfoiqll.exe

C:\Windows\system32\Ajfoiqll.exe

C:\Windows\SysWOW64\Anbkio32.exe

C:\Windows\system32\Anbkio32.exe

C:\Windows\SysWOW64\Aaqgek32.exe

C:\Windows\system32\Aaqgek32.exe

C:\Windows\SysWOW64\Aelcfilb.exe

C:\Windows\system32\Aelcfilb.exe

C:\Windows\SysWOW64\Acocaf32.exe

C:\Windows\system32\Acocaf32.exe

C:\Windows\SysWOW64\Ahkobekf.exe

C:\Windows\system32\Ahkobekf.exe

C:\Windows\SysWOW64\Ajiknpjj.exe

C:\Windows\system32\Ajiknpjj.exe

C:\Windows\SysWOW64\Andgoobc.exe

C:\Windows\system32\Andgoobc.exe

C:\Windows\SysWOW64\Aacckjaf.exe

C:\Windows\system32\Aacckjaf.exe

C:\Windows\SysWOW64\Aeopki32.exe

C:\Windows\system32\Aeopki32.exe

C:\Windows\SysWOW64\Adapgfqj.exe

C:\Windows\system32\Adapgfqj.exe

C:\Windows\SysWOW64\Alhhhcal.exe

C:\Windows\system32\Alhhhcal.exe

C:\Windows\SysWOW64\Ajkhdp32.exe

C:\Windows\system32\Ajkhdp32.exe

C:\Windows\SysWOW64\Abbpem32.exe

C:\Windows\system32\Abbpem32.exe

C:\Windows\SysWOW64\Aaepqjpd.exe

C:\Windows\system32\Aaepqjpd.exe

C:\Windows\SysWOW64\Adcmmeog.exe

C:\Windows\system32\Adcmmeog.exe

C:\Windows\SysWOW64\Ahoimd32.exe

C:\Windows\system32\Ahoimd32.exe

C:\Windows\SysWOW64\Ajneip32.exe

C:\Windows\system32\Ajneip32.exe

C:\Windows\SysWOW64\Aniajnnn.exe

C:\Windows\system32\Aniajnnn.exe

C:\Windows\SysWOW64\Abemjmgg.exe

C:\Windows\system32\Abemjmgg.exe

C:\Windows\SysWOW64\Becifhfj.exe

C:\Windows\system32\Becifhfj.exe

C:\Windows\SysWOW64\Bhaebcen.exe

C:\Windows\system32\Bhaebcen.exe

C:\Windows\SysWOW64\Blmacb32.exe

C:\Windows\system32\Blmacb32.exe

C:\Windows\SysWOW64\Bnlnon32.exe

C:\Windows\system32\Bnlnon32.exe

C:\Windows\SysWOW64\Bbgipldd.exe

C:\Windows\system32\Bbgipldd.exe

C:\Windows\SysWOW64\Beeflhdh.exe

C:\Windows\system32\Beeflhdh.exe

C:\Windows\SysWOW64\Bdhfhe32.exe

C:\Windows\system32\Bdhfhe32.exe

C:\Windows\SysWOW64\Bhdbhcck.exe

C:\Windows\system32\Bhdbhcck.exe

C:\Windows\SysWOW64\Bjbndobo.exe

C:\Windows\system32\Bjbndobo.exe

C:\Windows\SysWOW64\Bnnjen32.exe

C:\Windows\system32\Bnnjen32.exe

C:\Windows\SysWOW64\Balfaiil.exe

C:\Windows\system32\Balfaiil.exe

C:\Windows\SysWOW64\Bjghpn32.exe

C:\Windows\system32\Bjghpn32.exe

C:\Windows\SysWOW64\Bobcpmfc.exe

C:\Windows\system32\Bobcpmfc.exe

C:\Windows\SysWOW64\Bemlmgnp.exe

C:\Windows\system32\Bemlmgnp.exe

C:\Windows\SysWOW64\Bhkhibmc.exe

C:\Windows\system32\Bhkhibmc.exe

C:\Windows\SysWOW64\Bkidenlg.exe

C:\Windows\system32\Bkidenlg.exe

C:\Windows\SysWOW64\Cbqlfkmi.exe

C:\Windows\system32\Cbqlfkmi.exe

C:\Windows\SysWOW64\Cdainc32.exe

C:\Windows\system32\Cdainc32.exe

C:\Windows\SysWOW64\Cliaoq32.exe

C:\Windows\system32\Cliaoq32.exe

C:\Windows\SysWOW64\Cogmkl32.exe

C:\Windows\system32\Cogmkl32.exe

C:\Windows\SysWOW64\Clkndpag.exe

C:\Windows\system32\Clkndpag.exe

C:\Windows\SysWOW64\Cojjqlpk.exe

C:\Windows\system32\Cojjqlpk.exe

C:\Windows\SysWOW64\Cahfmgoo.exe

C:\Windows\system32\Cahfmgoo.exe

C:\Windows\SysWOW64\Chbnia32.exe

C:\Windows\system32\Chbnia32.exe

C:\Windows\SysWOW64\Ckpjfm32.exe

C:\Windows\system32\Ckpjfm32.exe

C:\Windows\SysWOW64\Cbgbgj32.exe

C:\Windows\system32\Cbgbgj32.exe

C:\Windows\SysWOW64\Cefoce32.exe

C:\Windows\system32\Cefoce32.exe

C:\Windows\SysWOW64\Chdkoa32.exe

C:\Windows\system32\Chdkoa32.exe

C:\Windows\SysWOW64\Clpgpp32.exe

C:\Windows\system32\Clpgpp32.exe

C:\Windows\SysWOW64\Conclk32.exe

C:\Windows\system32\Conclk32.exe

C:\Windows\SysWOW64\Cbjoljdo.exe

C:\Windows\system32\Cbjoljdo.exe

C:\Windows\SysWOW64\Cehkhecb.exe

C:\Windows\system32\Cehkhecb.exe

C:\Windows\SysWOW64\Chghdqbf.exe

C:\Windows\system32\Chghdqbf.exe

C:\Windows\SysWOW64\Ckedalaj.exe

C:\Windows\system32\Ckedalaj.exe

C:\Windows\SysWOW64\Dbllbibl.exe

C:\Windows\system32\Dbllbibl.exe

C:\Windows\SysWOW64\Dekhneap.exe

C:\Windows\system32\Dekhneap.exe

C:\Windows\SysWOW64\Dhidjpqc.exe

C:\Windows\system32\Dhidjpqc.exe

C:\Windows\SysWOW64\Dldpkoil.exe

C:\Windows\system32\Dldpkoil.exe

C:\Windows\SysWOW64\Docmgjhp.exe

C:\Windows\system32\Docmgjhp.exe

C:\Windows\SysWOW64\Daaicfgd.exe

C:\Windows\system32\Daaicfgd.exe

C:\Windows\SysWOW64\Demecd32.exe

C:\Windows\system32\Demecd32.exe

C:\Windows\SysWOW64\Dhkapp32.exe

C:\Windows\system32\Dhkapp32.exe

C:\Windows\SysWOW64\Dkjmlk32.exe

C:\Windows\system32\Dkjmlk32.exe

C:\Windows\SysWOW64\Dbaemi32.exe

C:\Windows\system32\Dbaemi32.exe

C:\Windows\SysWOW64\Deoaid32.exe

C:\Windows\system32\Deoaid32.exe

C:\Windows\SysWOW64\Dhnnep32.exe

C:\Windows\system32\Dhnnep32.exe

C:\Windows\SysWOW64\Dkljak32.exe

C:\Windows\system32\Dkljak32.exe

C:\Windows\SysWOW64\Dohfbj32.exe

C:\Windows\system32\Dohfbj32.exe

C:\Windows\SysWOW64\Dhpjkojk.exe

C:\Windows\system32\Dhpjkojk.exe

C:\Windows\SysWOW64\Dllfkn32.exe

C:\Windows\system32\Dllfkn32.exe

C:\Windows\SysWOW64\Dceohhja.exe

C:\Windows\system32\Dceohhja.exe

C:\Windows\SysWOW64\Dedkdcie.exe

C:\Windows\system32\Dedkdcie.exe

C:\Windows\SysWOW64\Dhbgqohi.exe

C:\Windows\system32\Dhbgqohi.exe

C:\Windows\SysWOW64\Echknh32.exe

C:\Windows\system32\Echknh32.exe

C:\Windows\SysWOW64\Edihepnm.exe

C:\Windows\system32\Edihepnm.exe

C:\Windows\SysWOW64\Ehedfo32.exe

C:\Windows\system32\Ehedfo32.exe

C:\Windows\SysWOW64\Eamhodmf.exe

C:\Windows\system32\Eamhodmf.exe

C:\Windows\SysWOW64\Edkdkplj.exe

C:\Windows\system32\Edkdkplj.exe

C:\Windows\SysWOW64\Ekemhj32.exe

C:\Windows\system32\Ekemhj32.exe

C:\Windows\SysWOW64\Ecmeig32.exe

C:\Windows\system32\Ecmeig32.exe

C:\Windows\SysWOW64\Ednaqo32.exe

C:\Windows\system32\Ednaqo32.exe

C:\Windows\SysWOW64\Ehimanbq.exe

C:\Windows\system32\Ehimanbq.exe

C:\Windows\SysWOW64\Ekhjmiad.exe

C:\Windows\system32\Ekhjmiad.exe

C:\Windows\SysWOW64\Eocenh32.exe

C:\Windows\system32\Eocenh32.exe

C:\Windows\SysWOW64\Eabbjc32.exe

C:\Windows\system32\Eabbjc32.exe

C:\Windows\SysWOW64\Edpnfo32.exe

C:\Windows\system32\Edpnfo32.exe

C:\Windows\SysWOW64\Ekjfcipa.exe

C:\Windows\system32\Ekjfcipa.exe

C:\Windows\SysWOW64\Ecandfpd.exe

C:\Windows\system32\Ecandfpd.exe

C:\Windows\SysWOW64\Eepjpb32.exe

C:\Windows\system32\Eepjpb32.exe

C:\Windows\SysWOW64\Ehnglm32.exe

C:\Windows\system32\Ehnglm32.exe

C:\Windows\SysWOW64\Fkmchi32.exe

C:\Windows\system32\Fkmchi32.exe

C:\Windows\SysWOW64\Fcckif32.exe

C:\Windows\system32\Fcckif32.exe

C:\Windows\SysWOW64\Febgea32.exe

C:\Windows\system32\Febgea32.exe

C:\Windows\SysWOW64\Fdegandp.exe

C:\Windows\system32\Fdegandp.exe

C:\Windows\SysWOW64\Fkopnh32.exe

C:\Windows\system32\Fkopnh32.exe

C:\Windows\SysWOW64\Fcfhof32.exe

C:\Windows\system32\Fcfhof32.exe

C:\Windows\SysWOW64\Ffddka32.exe

C:\Windows\system32\Ffddka32.exe

C:\Windows\SysWOW64\Fhcpgmjf.exe

C:\Windows\system32\Fhcpgmjf.exe

C:\Windows\SysWOW64\Fkalchij.exe

C:\Windows\system32\Fkalchij.exe

C:\Windows\SysWOW64\Fomhdg32.exe

C:\Windows\system32\Fomhdg32.exe

C:\Windows\SysWOW64\Fakdpb32.exe

C:\Windows\system32\Fakdpb32.exe

C:\Windows\SysWOW64\Ffgqqaip.exe

C:\Windows\system32\Ffgqqaip.exe

C:\Windows\SysWOW64\Fhemmlhc.exe

C:\Windows\system32\Fhemmlhc.exe

C:\Windows\SysWOW64\Fkciihgg.exe

C:\Windows\system32\Fkciihgg.exe

C:\Windows\SysWOW64\Fooeif32.exe

C:\Windows\system32\Fooeif32.exe

C:\Windows\SysWOW64\Ffimfqgm.exe

C:\Windows\system32\Ffimfqgm.exe

C:\Windows\SysWOW64\Fdlnbm32.exe

C:\Windows\system32\Fdlnbm32.exe

C:\Windows\SysWOW64\Fhgjblfq.exe

C:\Windows\system32\Fhgjblfq.exe

C:\Windows\SysWOW64\Flceckoj.exe

C:\Windows\system32\Flceckoj.exe

C:\Windows\SysWOW64\Fkffog32.exe

C:\Windows\system32\Fkffog32.exe

C:\Windows\SysWOW64\Fcmnpe32.exe

C:\Windows\system32\Fcmnpe32.exe

C:\Windows\SysWOW64\Ffkjlp32.exe

C:\Windows\system32\Ffkjlp32.exe

C:\Windows\SysWOW64\Fdnjgmle.exe

C:\Windows\system32\Fdnjgmle.exe

C:\Windows\SysWOW64\Glebhjlg.exe

C:\Windows\system32\Glebhjlg.exe

C:\Windows\SysWOW64\Gkhbdg32.exe

C:\Windows\system32\Gkhbdg32.exe

C:\Windows\SysWOW64\Gcojed32.exe

C:\Windows\system32\Gcojed32.exe

C:\Windows\SysWOW64\Gbbkaako.exe

C:\Windows\system32\Gbbkaako.exe

C:\Windows\SysWOW64\Gdqgmmjb.exe

C:\Windows\system32\Gdqgmmjb.exe

C:\Windows\SysWOW64\Glhonj32.exe

C:\Windows\system32\Glhonj32.exe

C:\Windows\SysWOW64\Gkkojgao.exe

C:\Windows\system32\Gkkojgao.exe

C:\Windows\SysWOW64\Gcagkdba.exe

C:\Windows\system32\Gcagkdba.exe

C:\Windows\SysWOW64\Gbdgfa32.exe

C:\Windows\system32\Gbdgfa32.exe

C:\Windows\SysWOW64\Gdcdbl32.exe

C:\Windows\system32\Gdcdbl32.exe

C:\Windows\SysWOW64\Ghopckpi.exe

C:\Windows\system32\Ghopckpi.exe

C:\Windows\SysWOW64\Gkmlofol.exe

C:\Windows\system32\Gkmlofol.exe

C:\Windows\SysWOW64\Gcddpdpo.exe

C:\Windows\system32\Gcddpdpo.exe

C:\Windows\SysWOW64\Gbgdlq32.exe

C:\Windows\system32\Gbgdlq32.exe

C:\Windows\SysWOW64\Gdeqhl32.exe

C:\Windows\system32\Gdeqhl32.exe

C:\Windows\SysWOW64\Gkoiefmj.exe

C:\Windows\system32\Gkoiefmj.exe

C:\Windows\SysWOW64\Gokdeeec.exe

C:\Windows\system32\Gokdeeec.exe

C:\Windows\SysWOW64\Gbiaapdf.exe

C:\Windows\system32\Gbiaapdf.exe

C:\Windows\SysWOW64\Gicinj32.exe

C:\Windows\system32\Gicinj32.exe

C:\Windows\SysWOW64\Gkaejf32.exe

C:\Windows\system32\Gkaejf32.exe

C:\Windows\SysWOW64\Gcimkc32.exe

C:\Windows\system32\Gcimkc32.exe

C:\Windows\SysWOW64\Gblngpbd.exe

C:\Windows\system32\Gblngpbd.exe

C:\Windows\SysWOW64\Hiefcj32.exe

C:\Windows\system32\Hiefcj32.exe

C:\Windows\SysWOW64\Hkdbpe32.exe

C:\Windows\system32\Hkdbpe32.exe

C:\Windows\SysWOW64\Hckjacjg.exe

C:\Windows\system32\Hckjacjg.exe

C:\Windows\SysWOW64\Hfifmnij.exe

C:\Windows\system32\Hfifmnij.exe

C:\Windows\SysWOW64\Hihbijhn.exe

C:\Windows\system32\Hihbijhn.exe

C:\Windows\SysWOW64\Hcmgfbhd.exe

C:\Windows\system32\Hcmgfbhd.exe

C:\Windows\SysWOW64\Hflcbngh.exe

C:\Windows\system32\Hflcbngh.exe

C:\Windows\SysWOW64\Hijooifk.exe

C:\Windows\system32\Hijooifk.exe

C:\Windows\SysWOW64\Hodgkc32.exe

C:\Windows\system32\Hodgkc32.exe

C:\Windows\SysWOW64\Hbbdholl.exe

C:\Windows\system32\Hbbdholl.exe

C:\Windows\SysWOW64\Heapdjlp.exe

C:\Windows\system32\Heapdjlp.exe

C:\Windows\SysWOW64\Hcbpab32.exe

C:\Windows\system32\Hcbpab32.exe

C:\Windows\SysWOW64\Hioiji32.exe

C:\Windows\system32\Hioiji32.exe

C:\Windows\SysWOW64\Hoiafcic.exe

C:\Windows\system32\Hoiafcic.exe

C:\Windows\SysWOW64\Hbgmcnhf.exe

C:\Windows\system32\Hbgmcnhf.exe

C:\Windows\SysWOW64\Iefioj32.exe

C:\Windows\system32\Iefioj32.exe

C:\Windows\SysWOW64\Iehfdi32.exe

C:\Windows\system32\Iehfdi32.exe

C:\Windows\SysWOW64\Icifbang.exe

C:\Windows\system32\Icifbang.exe

C:\Windows\SysWOW64\Ifgbnlmj.exe

C:\Windows\system32\Ifgbnlmj.exe

C:\Windows\SysWOW64\Imakkfdg.exe

C:\Windows\system32\Imakkfdg.exe

C:\Windows\SysWOW64\Ildkgc32.exe

C:\Windows\system32\Ildkgc32.exe

C:\Windows\SysWOW64\Ickchq32.exe

C:\Windows\system32\Ickchq32.exe

C:\Windows\SysWOW64\Ifjodl32.exe

C:\Windows\system32\Ifjodl32.exe

C:\Windows\SysWOW64\Iihkpg32.exe

C:\Windows\system32\Iihkpg32.exe

C:\Windows\SysWOW64\Imdgqfbd.exe

C:\Windows\system32\Imdgqfbd.exe

C:\Windows\SysWOW64\Icnpmp32.exe

C:\Windows\system32\Icnpmp32.exe

C:\Windows\SysWOW64\Ifllil32.exe

C:\Windows\system32\Ifllil32.exe

C:\Windows\SysWOW64\Iikhfg32.exe

C:\Windows\system32\Iikhfg32.exe

C:\Windows\SysWOW64\Ipdqba32.exe

C:\Windows\system32\Ipdqba32.exe

C:\Windows\SysWOW64\Ibcmom32.exe

C:\Windows\system32\Ibcmom32.exe

C:\Windows\SysWOW64\Jmhale32.exe

C:\Windows\system32\Jmhale32.exe

C:\Windows\SysWOW64\Jpgmha32.exe

C:\Windows\system32\Jpgmha32.exe

C:\Windows\SysWOW64\Jcbihpel.exe

C:\Windows\system32\Jcbihpel.exe

C:\Windows\SysWOW64\Jbeidl32.exe

C:\Windows\system32\Jbeidl32.exe

C:\Windows\SysWOW64\Jedeph32.exe

C:\Windows\system32\Jedeph32.exe

C:\Windows\SysWOW64\Jioaqfcc.exe

C:\Windows\system32\Jioaqfcc.exe

C:\Windows\SysWOW64\Jlnnmb32.exe

C:\Windows\system32\Jlnnmb32.exe

C:\Windows\SysWOW64\Jcefno32.exe

C:\Windows\system32\Jcefno32.exe

C:\Windows\SysWOW64\Jfcbjk32.exe

C:\Windows\system32\Jfcbjk32.exe

C:\Windows\SysWOW64\Jefbfgig.exe

C:\Windows\system32\Jefbfgig.exe

C:\Windows\SysWOW64\Jmmjgejj.exe

C:\Windows\system32\Jmmjgejj.exe

C:\Windows\SysWOW64\Jlpkba32.exe

C:\Windows\system32\Jlpkba32.exe

C:\Windows\SysWOW64\Jcgbco32.exe

C:\Windows\system32\Jcgbco32.exe

C:\Windows\SysWOW64\Jfeopj32.exe

C:\Windows\system32\Jfeopj32.exe

C:\Windows\SysWOW64\Jidklf32.exe

C:\Windows\system32\Jidklf32.exe

C:\Windows\SysWOW64\Jmpgldhg.exe

C:\Windows\system32\Jmpgldhg.exe

C:\Windows\SysWOW64\Jpnchp32.exe

C:\Windows\system32\Jpnchp32.exe

C:\Windows\SysWOW64\Jcioiood.exe

C:\Windows\system32\Jcioiood.exe

C:\Windows\SysWOW64\Jblpek32.exe

C:\Windows\system32\Jblpek32.exe

C:\Windows\SysWOW64\Jeklag32.exe

C:\Windows\system32\Jeklag32.exe

C:\Windows\SysWOW64\Jifhaenk.exe

C:\Windows\system32\Jifhaenk.exe

C:\Windows\SysWOW64\Jpppnp32.exe

C:\Windows\system32\Jpppnp32.exe

C:\Windows\SysWOW64\Jcllonma.exe

C:\Windows\system32\Jcllonma.exe

C:\Windows\SysWOW64\Kemhff32.exe

C:\Windows\system32\Kemhff32.exe

C:\Windows\SysWOW64\Kmdqgd32.exe

C:\Windows\system32\Kmdqgd32.exe

C:\Windows\SysWOW64\Kpbmco32.exe

C:\Windows\system32\Kpbmco32.exe

C:\Windows\SysWOW64\Kbaipkbi.exe

C:\Windows\system32\Kbaipkbi.exe

C:\Windows\SysWOW64\Kepelfam.exe

C:\Windows\system32\Kepelfam.exe

C:\Windows\SysWOW64\Kpeiioac.exe

C:\Windows\system32\Kpeiioac.exe

C:\Windows\SysWOW64\Kfoafi32.exe

C:\Windows\system32\Kfoafi32.exe

C:\Windows\SysWOW64\Kimnbd32.exe

C:\Windows\system32\Kimnbd32.exe

C:\Windows\SysWOW64\Kmijbcpl.exe

C:\Windows\system32\Kmijbcpl.exe

C:\Windows\SysWOW64\Kdcbom32.exe

C:\Windows\system32\Kdcbom32.exe

C:\Windows\SysWOW64\Kfankifm.exe

C:\Windows\system32\Kfankifm.exe

C:\Windows\SysWOW64\Kipkhdeq.exe

C:\Windows\system32\Kipkhdeq.exe

C:\Windows\SysWOW64\Kmkfhc32.exe

C:\Windows\system32\Kmkfhc32.exe

C:\Windows\SysWOW64\Klngdpdd.exe

C:\Windows\system32\Klngdpdd.exe

C:\Windows\SysWOW64\Kbhoqj32.exe

C:\Windows\system32\Kbhoqj32.exe

C:\Windows\SysWOW64\Kefkme32.exe

C:\Windows\system32\Kefkme32.exe

C:\Windows\SysWOW64\Kibgmdcn.exe

C:\Windows\system32\Kibgmdcn.exe

C:\Windows\SysWOW64\Kplpjn32.exe

C:\Windows\system32\Kplpjn32.exe

C:\Windows\SysWOW64\Lbjlfi32.exe

C:\Windows\system32\Lbjlfi32.exe

C:\Windows\SysWOW64\Lffhfh32.exe

C:\Windows\system32\Lffhfh32.exe

C:\Windows\SysWOW64\Liddbc32.exe

C:\Windows\system32\Liddbc32.exe

C:\Windows\SysWOW64\Lmppcbjd.exe

C:\Windows\system32\Lmppcbjd.exe

C:\Windows\SysWOW64\Llcpoo32.exe

C:\Windows\system32\Llcpoo32.exe

C:\Windows\SysWOW64\Lpnlpnih.exe

C:\Windows\system32\Lpnlpnih.exe

C:\Windows\SysWOW64\Lfhdlh32.exe

C:\Windows\system32\Lfhdlh32.exe

C:\Windows\SysWOW64\Lekehdgp.exe

C:\Windows\system32\Lekehdgp.exe

C:\Windows\SysWOW64\Ligqhc32.exe

C:\Windows\system32\Ligqhc32.exe

C:\Windows\SysWOW64\Llemdo32.exe

C:\Windows\system32\Llemdo32.exe

C:\Windows\SysWOW64\Lpqiemge.exe

C:\Windows\system32\Lpqiemge.exe

C:\Windows\SysWOW64\Lfkaag32.exe

C:\Windows\system32\Lfkaag32.exe

C:\Windows\SysWOW64\Lenamdem.exe

C:\Windows\system32\Lenamdem.exe

C:\Windows\SysWOW64\Lmdina32.exe

C:\Windows\system32\Lmdina32.exe

C:\Windows\SysWOW64\Lpcfkm32.exe

C:\Windows\system32\Lpcfkm32.exe

C:\Windows\SysWOW64\Ldoaklml.exe

C:\Windows\system32\Ldoaklml.exe

C:\Windows\SysWOW64\Lepncd32.exe

C:\Windows\system32\Lepncd32.exe

C:\Windows\SysWOW64\Lmgfda32.exe

C:\Windows\system32\Lmgfda32.exe

C:\Windows\SysWOW64\Lpebpm32.exe

C:\Windows\system32\Lpebpm32.exe

C:\Windows\SysWOW64\Ldanqkki.exe

C:\Windows\system32\Ldanqkki.exe

C:\Windows\SysWOW64\Lgokmgjm.exe

C:\Windows\system32\Lgokmgjm.exe

C:\Windows\SysWOW64\Lphoelqn.exe

C:\Windows\system32\Lphoelqn.exe

C:\Windows\SysWOW64\Mipcob32.exe

C:\Windows\system32\Mipcob32.exe

C:\Windows\SysWOW64\Mlopkm32.exe

C:\Windows\system32\Mlopkm32.exe

C:\Windows\SysWOW64\Mpjlklok.exe

C:\Windows\system32\Mpjlklok.exe

C:\Windows\SysWOW64\Mchhggno.exe

C:\Windows\system32\Mchhggno.exe

C:\Windows\SysWOW64\Mgddhf32.exe

C:\Windows\system32\Mgddhf32.exe

C:\Windows\SysWOW64\Megdccmb.exe

C:\Windows\system32\Megdccmb.exe

C:\Windows\SysWOW64\Mlampmdo.exe

C:\Windows\system32\Mlampmdo.exe

C:\Windows\SysWOW64\Mdhdajea.exe

C:\Windows\system32\Mdhdajea.exe

C:\Windows\SysWOW64\Mckemg32.exe

C:\Windows\system32\Mckemg32.exe

C:\Windows\SysWOW64\Meiaib32.exe

C:\Windows\system32\Meiaib32.exe

C:\Windows\SysWOW64\Mmpijp32.exe

C:\Windows\system32\Mmpijp32.exe

C:\Windows\SysWOW64\Mdjagjco.exe

C:\Windows\system32\Mdjagjco.exe

C:\Windows\SysWOW64\Mgimcebb.exe

C:\Windows\system32\Mgimcebb.exe

C:\Windows\SysWOW64\Melnob32.exe

C:\Windows\system32\Melnob32.exe

C:\Windows\SysWOW64\Migjoaaf.exe

C:\Windows\system32\Migjoaaf.exe

C:\Windows\SysWOW64\Mpablkhc.exe

C:\Windows\system32\Mpablkhc.exe

C:\Windows\SysWOW64\Mcpnhfhf.exe

C:\Windows\system32\Mcpnhfhf.exe

C:\Windows\SysWOW64\Miifeq32.exe

C:\Windows\system32\Miifeq32.exe

C:\Windows\SysWOW64\Mnebeogl.exe

C:\Windows\system32\Mnebeogl.exe

C:\Windows\SysWOW64\Npcoakfp.exe

C:\Windows\system32\Npcoakfp.exe

C:\Windows\SysWOW64\Ncbknfed.exe

C:\Windows\system32\Ncbknfed.exe

C:\Windows\SysWOW64\Ngmgne32.exe

C:\Windows\system32\Ngmgne32.exe

C:\Windows\SysWOW64\Nepgjaeg.exe

C:\Windows\system32\Nepgjaeg.exe

C:\Windows\SysWOW64\Nngokoej.exe

C:\Windows\system32\Nngokoej.exe

C:\Windows\SysWOW64\Nljofl32.exe

C:\Windows\system32\Nljofl32.exe

C:\Windows\SysWOW64\Ndaggimg.exe

C:\Windows\system32\Ndaggimg.exe

C:\Windows\SysWOW64\Ngpccdlj.exe

C:\Windows\system32\Ngpccdlj.exe

C:\Windows\SysWOW64\Njnpppkn.exe

C:\Windows\system32\Njnpppkn.exe

C:\Windows\SysWOW64\Nnjlpo32.exe

C:\Windows\system32\Nnjlpo32.exe

C:\Windows\SysWOW64\Nphhmj32.exe

C:\Windows\system32\Nphhmj32.exe

C:\Windows\SysWOW64\Ndcdmikd.exe

C:\Windows\system32\Ndcdmikd.exe

C:\Windows\SysWOW64\Neeqea32.exe

C:\Windows\system32\Neeqea32.exe

C:\Windows\SysWOW64\Nnlhfn32.exe

C:\Windows\system32\Nnlhfn32.exe

C:\Windows\SysWOW64\Npjebj32.exe

C:\Windows\system32\Npjebj32.exe

C:\Windows\SysWOW64\Ndfqbhia.exe

C:\Windows\system32\Ndfqbhia.exe

C:\Windows\SysWOW64\Ncianepl.exe

C:\Windows\system32\Ncianepl.exe

C:\Windows\SysWOW64\Njciko32.exe

C:\Windows\system32\Njciko32.exe

C:\Windows\SysWOW64\Nlaegk32.exe

C:\Windows\system32\Nlaegk32.exe

C:\Windows\SysWOW64\Ndhmhh32.exe

C:\Windows\system32\Ndhmhh32.exe

C:\Windows\SysWOW64\Nckndeni.exe

C:\Windows\system32\Nckndeni.exe

C:\Windows\SysWOW64\Nfjjppmm.exe

C:\Windows\system32\Nfjjppmm.exe

C:\Windows\SysWOW64\Njefqo32.exe

C:\Windows\system32\Njefqo32.exe

C:\Windows\SysWOW64\Olcbmj32.exe

C:\Windows\system32\Olcbmj32.exe

C:\Windows\SysWOW64\Ocnjidkf.exe

C:\Windows\system32\Ocnjidkf.exe

C:\Windows\SysWOW64\Oflgep32.exe

C:\Windows\system32\Oflgep32.exe

C:\Windows\SysWOW64\Ojgbfocc.exe

C:\Windows\system32\Ojgbfocc.exe

C:\Windows\SysWOW64\Olfobjbg.exe

C:\Windows\system32\Olfobjbg.exe

C:\Windows\SysWOW64\Opakbi32.exe

C:\Windows\system32\Opakbi32.exe

C:\Windows\SysWOW64\Ocpgod32.exe

C:\Windows\system32\Ocpgod32.exe

C:\Windows\SysWOW64\Ojjolnaq.exe

C:\Windows\system32\Ojjolnaq.exe

C:\Windows\SysWOW64\Oneklm32.exe

C:\Windows\system32\Oneklm32.exe

C:\Windows\SysWOW64\Opdghh32.exe

C:\Windows\system32\Opdghh32.exe

C:\Windows\SysWOW64\Ocbddc32.exe

C:\Windows\system32\Ocbddc32.exe

C:\Windows\SysWOW64\Ofqpqo32.exe

C:\Windows\system32\Ofqpqo32.exe

C:\Windows\SysWOW64\Ojllan32.exe

C:\Windows\system32\Ojllan32.exe

C:\Windows\SysWOW64\Olkhmi32.exe

C:\Windows\system32\Olkhmi32.exe

C:\Windows\SysWOW64\Oqfdnhfk.exe

C:\Windows\system32\Oqfdnhfk.exe

C:\Windows\SysWOW64\Ocdqjceo.exe

C:\Windows\system32\Ocdqjceo.exe

C:\Windows\SysWOW64\Ogpmjb32.exe

C:\Windows\system32\Ogpmjb32.exe

C:\Windows\SysWOW64\Ojoign32.exe

C:\Windows\system32\Ojoign32.exe

C:\Windows\SysWOW64\Olmeci32.exe

C:\Windows\system32\Olmeci32.exe

C:\Windows\SysWOW64\Oddmdf32.exe

C:\Windows\system32\Oddmdf32.exe

C:\Windows\SysWOW64\Ofeilobp.exe

C:\Windows\system32\Ofeilobp.exe

C:\Windows\SysWOW64\Pmoahijl.exe

C:\Windows\system32\Pmoahijl.exe

C:\Windows\SysWOW64\Pdfjifjo.exe

C:\Windows\system32\Pdfjifjo.exe

C:\Windows\SysWOW64\Pfhfan32.exe

C:\Windows\system32\Pfhfan32.exe

C:\Windows\SysWOW64\Pqmjog32.exe

C:\Windows\system32\Pqmjog32.exe

C:\Windows\SysWOW64\Pgioqq32.exe

C:\Windows\system32\Pgioqq32.exe

C:\Windows\SysWOW64\Pqbdjfln.exe

C:\Windows\system32\Pqbdjfln.exe

C:\Windows\SysWOW64\Pfolbmje.exe

C:\Windows\system32\Pfolbmje.exe

C:\Windows\SysWOW64\Pnfdcjkg.exe

C:\Windows\system32\Pnfdcjkg.exe

C:\Windows\SysWOW64\Qnhahj32.exe

C:\Windows\system32\Qnhahj32.exe

C:\Windows\SysWOW64\Qmkadgpo.exe

C:\Windows\system32\Qmkadgpo.exe

C:\Windows\SysWOW64\Qdbiedpa.exe

C:\Windows\system32\Qdbiedpa.exe

C:\Windows\SysWOW64\Qgqeappe.exe

C:\Windows\system32\Qgqeappe.exe

C:\Windows\SysWOW64\Qfcfml32.exe

C:\Windows\system32\Qfcfml32.exe

C:\Windows\SysWOW64\Qnjnnj32.exe

C:\Windows\system32\Qnjnnj32.exe

C:\Windows\SysWOW64\Qqijje32.exe

C:\Windows\system32\Qqijje32.exe

C:\Windows\SysWOW64\Qddfkd32.exe

C:\Windows\system32\Qddfkd32.exe

C:\Windows\SysWOW64\Qgcbgo32.exe

C:\Windows\system32\Qgcbgo32.exe

C:\Windows\SysWOW64\Ajanck32.exe

C:\Windows\system32\Ajanck32.exe

C:\Windows\SysWOW64\Anmjcieo.exe

C:\Windows\system32\Anmjcieo.exe

C:\Windows\SysWOW64\Aqkgpedc.exe

C:\Windows\system32\Aqkgpedc.exe

C:\Windows\SysWOW64\Acjclpcf.exe

C:\Windows\system32\Acjclpcf.exe

C:\Windows\SysWOW64\Afhohlbj.exe

C:\Windows\system32\Afhohlbj.exe

C:\Windows\SysWOW64\Aclpap32.exe

C:\Windows\system32\Aclpap32.exe

C:\Windows\SysWOW64\Afjlnk32.exe

C:\Windows\system32\Afjlnk32.exe

C:\Windows\SysWOW64\Amddjegd.exe

C:\Windows\system32\Amddjegd.exe

C:\Windows\SysWOW64\Aeklkchg.exe

C:\Windows\system32\Aeklkchg.exe

C:\Windows\SysWOW64\Aeniabfd.exe

C:\Windows\system32\Aeniabfd.exe

C:\Windows\SysWOW64\Aadifclh.exe

C:\Windows\system32\Aadifclh.exe

C:\Windows\SysWOW64\Accfbokl.exe

C:\Windows\system32\Accfbokl.exe

C:\Windows\SysWOW64\Bagflcje.exe

C:\Windows\system32\Bagflcje.exe

C:\Windows\SysWOW64\Bchomn32.exe

C:\Windows\system32\Bchomn32.exe

C:\Windows\SysWOW64\Bffkij32.exe

C:\Windows\system32\Bffkij32.exe

C:\Windows\SysWOW64\Balpgb32.exe

C:\Windows\system32\Balpgb32.exe

C:\Windows\SysWOW64\Bmbplc32.exe

C:\Windows\system32\Bmbplc32.exe

C:\Windows\SysWOW64\Bmemac32.exe

C:\Windows\system32\Bmemac32.exe

C:\Windows\SysWOW64\Cfmajipb.exe

C:\Windows\system32\Cfmajipb.exe

C:\Windows\SysWOW64\Cmgjgcgo.exe

C:\Windows\system32\Cmgjgcgo.exe

C:\Windows\SysWOW64\Cenahpha.exe

C:\Windows\system32\Cenahpha.exe

C:\Windows\SysWOW64\Chmndlge.exe

C:\Windows\system32\Chmndlge.exe

C:\Windows\SysWOW64\Cjkjpgfi.exe

C:\Windows\system32\Cjkjpgfi.exe

C:\Windows\SysWOW64\Cmiflbel.exe

C:\Windows\system32\Cmiflbel.exe

C:\Windows\SysWOW64\Cmlcbbcj.exe

C:\Windows\system32\Cmlcbbcj.exe

C:\Windows\SysWOW64\Cjpckf32.exe

C:\Windows\system32\Cjpckf32.exe

C:\Windows\SysWOW64\Cnkplejl.exe

C:\Windows\system32\Cnkplejl.exe

C:\Windows\SysWOW64\Ceehho32.exe

C:\Windows\system32\Ceehho32.exe

C:\Windows\SysWOW64\Cffdpghg.exe

C:\Windows\system32\Cffdpghg.exe

C:\Windows\SysWOW64\Ddjejl32.exe

C:\Windows\system32\Ddjejl32.exe

C:\Windows\SysWOW64\Dopigd32.exe

C:\Windows\system32\Dopigd32.exe

C:\Windows\SysWOW64\Dfknkg32.exe

C:\Windows\system32\Dfknkg32.exe

C:\Windows\SysWOW64\Daqbip32.exe

C:\Windows\system32\Daqbip32.exe

C:\Windows\SysWOW64\Dhkjej32.exe

C:\Windows\system32\Dhkjej32.exe

C:\Windows\SysWOW64\Dkifae32.exe

C:\Windows\system32\Dkifae32.exe

C:\Windows\SysWOW64\Dhmgki32.exe

C:\Windows\system32\Dhmgki32.exe

C:\Windows\SysWOW64\Dogogcpo.exe

C:\Windows\system32\Dogogcpo.exe

C:\Windows\SysWOW64\Dhocqigp.exe

C:\Windows\system32\Dhocqigp.exe

C:\Windows\SysWOW64\Dmllipeg.exe

C:\Windows\system32\Dmllipeg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 11152 -ip 11152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 11152 -s 416

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 25.173.189.20.in-addr.arpa udp

Files

memory/2732-0-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Mciobn32.exe

MD5 992c62b1833dda71d9ecf57ff19c58ed
SHA1 b173b36ab63bb1addcfeca81dbb975cd785ef4f9
SHA256 4bc9d7cdff0a87da5caadd3da1f5d06516a1bcf414d0279de742be690da50aa0
SHA512 dfa9feaf10dd6fb0ac3c28aa832079566f221a9f2d607cc7d52b4bac0bb6f79d883945b5a7337e0b0d018a15abba6545f6adc08e9f3e2107f31c49cc9b8c1ef4

memory/4480-7-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Mjcgohig.exe

MD5 7b87c171fcfbb41029b96857f5a8da6f
SHA1 27387eef82ff50d700ba341a99b749535ee250fb
SHA256 52e6dacecea38629067d509bd5d8e8aba6189337ac56cb5016249dd15c09f31b
SHA512 49718f1336afc782bf9532565bde7eb1399ffe0b8df19f8a8b7573619f16cc3a1ea9870ff1b8ce654d6bb9cab2a0a08a0918fd4ea3dfcee546aef7d85f622ebe

memory/3216-16-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Mnapdf32.exe

MD5 6f19b1786bfed8a745a19e84f86cfbb5
SHA1 ffcfd4b1a572655a2cc86ce440352c9bc7f56b06
SHA256 13cda45bf88e1785876beafa61b55e392bc68e4851201b7c5b1903fe6f63e6ee
SHA512 6ac092e16ecf39ee1ee070ae9e15a9f819b758cec26865af97af01c676f40fbc26384e1982d8a38a75414e574cd967844bd41ad061dd2b6901f124e954a283ca

memory/1432-27-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Mpolqa32.exe

MD5 1adf2265b111c4121e1fcda8bfc6e1de
SHA1 6c75b9282ecb45ac53de69907e071e5089477936
SHA256 be063c5167f5d1a9952a02c0cdbfd88088c5105b8468f52bdd289edbe7fbcea8
SHA512 06fcdd32799fef2e1a1d17a3461d4d471c28a83a8a33bcb8d82ea518c4c1d759f5e274004f85309020577234bc59132156c444b1f423395b82cd1f86c5dd16ce

memory/3224-34-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Cnacjn32.dll

MD5 37686dbd1338c3c5280e3588e3a77a7a
SHA1 20a1068b21ce29101039244ad5b63ffa8360dc92
SHA256 71f023d02669201083cdfc703d420a9ed5729e75dfdeb510d278c06d1c5414e3
SHA512 5dec79f5474b98e165eef625764654931e66dcb26cb0afac34f832a2005c05d618ff4ae2afe5d1f1c90e6d61444f89c075f9ac9cfcbbadf1e700f116a3dbe615

C:\Windows\SysWOW64\Mgidml32.exe

MD5 049a1a993d587da4dc16d910cc182155
SHA1 a29d5f2a8dbcec13869001144568f300086da94c
SHA256 86e7efd1faf366f2001b9345eacbbb72a90a40c1218579bc74c2aab30f8426f9
SHA512 fa7babaee2d26f379fa25be6bcfc0f2d37a43a7a5227b9844ffdcae2d11c65f38fed1c808a2e8e225d0111f5c2b20f0d32c90c00e58e6cb0799cea6d855678d2

memory/2696-40-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Maaepd32.exe

MD5 5d77eefab6afea606f10a3f93c01af48
SHA1 f5d328bb8f999a3bf4954aa99606a216d933a617
SHA256 3686a7cd3d904e8233f5b1230d60b6e680db2ceb5b4954520c6070ad47cd3708
SHA512 f4b4ec6b5808c6a33fc276ddd60129a7730ecd6508138d3dea3f1075065ac2c363f680ed8cb107b89053f9064471511b30ca0106fa063e4b2cbd93fbe26ea7b7

memory/3408-48-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Mcbahlip.exe

MD5 bcf78c94369664eabdf377e28adbe376
SHA1 ef5e0fcd34fb4a39efb2b332a6d5d6caea280f29
SHA256 cb5f2308b6a291cb3bc143bedafee5393ba0959c16003466ed169a8bd07401fb
SHA512 e829614c508c21b530b5a3a6df0e49ef07ad9fdaa855d4d9963a957da2da6843d69a21e78358efe3104d4179c4ddf5ef5e2c51050708e7adab9ce958d47d8178

memory/4772-55-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Ndbnboqb.exe

MD5 58ff799ea8d2fedbf2728e024945171e
SHA1 d607fd8437410423bfddfc0ff5ff4dd338a11448
SHA256 c392a213587d89c0d41f40df1512572061140c8e810da514f0de093bb75117a2
SHA512 98a683cea333fdfb05066c3ecb6c84828b2109cb00a5d0b4c1aca866b7e08166cc557963b9ccfc7430fcc416233926e0fad06c4eca85cba967082206e1833dc6

memory/4356-63-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Nqiogp32.exe

MD5 3ac4905e8729e12f3517d59341309114
SHA1 2a81edb032ce97b9815b9497c007fada3e8a7bbf
SHA256 c9142244fcb90356ab07a8536939e33d4973bca119b86a5d8c0c03ac5bac68e2
SHA512 dba13b9825e3711f4d195005b711a6526e6b681e346aac8521895ae733849ebdfea7554f0b4bba09d26bbe54b6eff0e54cece1b52801e3d8e12ff1d0e2114ce8

memory/3968-71-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Njacpf32.exe

MD5 3a805a1cdcedd0f44c65aa006bda9a13
SHA1 fb7f9d77aee116f0ce58e71875f8f31acd9dfa42
SHA256 cd47a22e001d2538be1dbfd2a53799d49ad185c5cce0358bc0315c7443f16934
SHA512 91319ad813a6d438edd27243ba8fbb75777a4db0b3831c37be3c706830a421c7926c685f92d0087b48b07e07a75fe4982c43fb52d9d19529a7f821d8d6c18aa3

memory/4380-80-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Nbhkac32.exe

MD5 e3153588bb436dda0c9facafae51cbc1
SHA1 a9e75b19b27efde54c443a1def1d8aaa70580380
SHA256 a222d6f2673d2428e780c8f8df0395e76aa1cd9877fb4986c4316511f58eaeac
SHA512 794dd566483dfd6c0c4c9a30ccea37ae77272d388371b8113257bd81318a97e21ee85b6caac6a66efafce6cd02ee12a40724f7e1af0e45271fb612aaad5c9b94

memory/4616-88-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Ngedij32.exe

MD5 d569616bc168e9ff55c80c210e60afaf
SHA1 8e43c510422c5b785e11fc7c7fd261b42066675d
SHA256 af86d01fd15aba317212696a8a382756eed7770a1a536e870568c39661855aab
SHA512 725432cb011709829ef3dbbb2968b900b415dfd14b67f0a510ab766229e7e2fbc77f3a29be241f886edd6bdf71a3640539a9213d55686085bb7af0b835a54fb1

memory/2552-95-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Njfmke32.exe

MD5 f008f2c238aaae56f3157b931216cb2a
SHA1 cb21eb328fe84bb428074d3767a697aaa5fdaf6d
SHA256 811cb2bc662ef947fd60a069d4747f8240a1cb7330f399a07401692cba55a9ab
SHA512 e7aaa5c4910b0d04d072e1427a2f18b265864d727311860e2f59c85e725beaf312bdb63c86bdee71ea91df9c0f88813ec2e4747dd22cbd3c21732250a7fbc201

memory/3276-104-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Ncnadk32.exe

MD5 a5597070dcdf22edbef870afe5e400b9
SHA1 71204e044ac79dd9b19bf1158fa939d863763eb1
SHA256 93d2a6416ab1d4448c6359c3b3bc4f763ae3e6ff2458371b8af34f540aedb793
SHA512 7b1101161dd9366fc34e3cfa22c9f8c3aca6e47f45fc7a562671c4929e4943db7a8badfdb57167496d002260990e4b06c368a6db13fb50d8bf39479768615fdd

memory/4792-112-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Odnnnnfe.exe

MD5 d9ca571f7a60899e37b6b043f1a0deb6
SHA1 d2909685a6ffcae068710b068c7f5255644b2b11
SHA256 04ef4c6b715d6866bf254993d2b110699f36454dc7433feccb4352a02b433ac6
SHA512 be485d96dd393a5ec5be0155d7c9fd953b692b6ecf418950193acf902294e75f8d453e612b429466477c55a7707da0fb3106662472629a40d74e35cc7bbec0b5

memory/3324-124-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Onfbfc32.exe

MD5 fc6aa1867fe94e987f6338c6466ae714
SHA1 b5656f7a9f24e17b8570c160a685afc751253548
SHA256 72ecf9667ba4793698adbada0b47f88964a557caaf93b3e9bacdddaed2803a9c
SHA512 e5da56e0bfdc7cdc4f7664eb1fa077bb549be031804c72f0342994192a79c8711e35e267e2cbb5cee99397af0ac2f324d17f74dd86652f2acf1c0a4d9c79f6c3

memory/2376-127-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Oqgkhnjf.exe

MD5 5e05c5c65e2fe66befae13602da5583a
SHA1 616fa6cbaf3b4a7c4db58d126d7047608b957ad6
SHA256 b92d873a40de64f72eeee4db575ebdfd8372e848e59bc21d1d822d4d8d9a1655
SHA512 67e27bd95f6711610c9863957d9f02191b58abbacc839ed966838530a4e871b9d43b3fe07c1d2281d2a5b63edb60bd131ea192273fdcc75fad3bd892ac94858a

memory/4832-136-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Ocegdjij.exe

MD5 0d7bd035ecdf5f78e6e5888e3d44f55b
SHA1 99694f9299eee6c556c7d61ba1f9a7dd67f0ad8f
SHA256 82e22a6a9680255bfb55561b8b8187714419be7181eb0f450446d7934739e3f8
SHA512 0bd64cb770f4e21d4dd5565df5cc6e2c06319d0615422694e479d7c52689d528ad6a3c667ced292a13a1c1271e1a4b1040ac411266bd572c361a114a7a9ad001

memory/1128-144-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Ojopad32.exe

MD5 25916932bac894690b79bb7e70c0258b
SHA1 1b6f22b58a7ba6d4969103bbed43ff94fddb468e
SHA256 e67bbbabaf08e9a8d90cd734f908e8ee1147dcd33745c77fdabd272ddc6ec72f
SHA512 af2b15202395ca4445b8b9a4e397fa637e8c7c41c0a99187dd1dea7f6b246a0cc5af6afe706e1b3668d8e9d81cd33fb445bf08e2bc0dfd81cb3324f07633593d

C:\Windows\SysWOW64\Oqihnn32.exe

MD5 a4af1917cc6621bcf36944232a4ca6dd
SHA1 b29e6c446181e19edb1ca826c708a396373adfc9
SHA256 b0af4354c533cd207287af51649fa51ad017d2b1470652c06fdaf67d5d8afbb6
SHA512 7d0135fde16586e5b63d252cc8b6edfe4476832fe74c96394fcc75edd677a7883aeaf490de7a84691411cded56b656d14794a82cf1274702c26b75f0773f82db

memory/2124-164-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Okolkg32.exe

MD5 05f419fd0b225339cc9f600d6aef1446
SHA1 8ccbbf49bbfa5f373493dd050aeb079fb3664bea
SHA256 83b7f137e7ed3f2fa7ce5149b0e207984af0ef271b6e4ff273bc8784d1b80f4f
SHA512 6e4c7d0914838c45236449ea56a8d460fa8b015ecb8ffc55d97120ec001bc9091b63d25476e00ea694192ad877101248a502fce0d746b4257773bd91bef759be

C:\Windows\SysWOW64\Onmhgb32.exe

MD5 d3c9d965a54c072dcffcf6f5c1d2f24a
SHA1 b29ae31a7159e7c559a921feba6e21b311846080
SHA256 c60a1fb3103596cfc3aa156253ad8af2651244f5228ca82af00ffa89939cae1e
SHA512 7ac139376f0f75a015d0fe49a220f9ecb5cf5ceac92f64c76c84c5154855480f34d3233cca7d9b7c31b39ba18717b677c03d1656231ed8614ebb408e6ca42f7b

C:\Windows\SysWOW64\Pcjapi32.exe

MD5 20a65825c77415cb3502ef5b6e4bbb13
SHA1 90e649552b122487ce6a2ca06148e0ad4bc8ca65
SHA256 568321a1106e5ff7be2aa36caf60a2004bb8ab711926c4cb6c69e94350d70d87
SHA512 72a2363e7c4a4c74bc69e5d7ae43badcef6fcd26bc35265d131f1ecfafe9e5642e6cdc0920f50947bce74f214722573dd0aacd275369b71f6dfa54a6e49e5071

C:\Windows\SysWOW64\Pgemphmn.exe

MD5 7e1bc160a70a2d6237d0f1d20f4568eb
SHA1 768f34b2d07c877347343f0be9e41bbc21c1814c
SHA256 cef1b43ad67513cec31c1a0ffa4777914da5aea0886db40b46f94be32a926b26
SHA512 82e2a76fba14dc5740a18b921066392406d58ff0c51c8d2a4ba73f456cddb96f202e0b7678bf42d75b02348b20c1eeb19509ba295274b30bf5769966d37b2dd7

C:\Windows\SysWOW64\Pclneicb.exe

MD5 9f4c2771eb4dc779fe55ce8a48a82edc
SHA1 f55492c842972acc885b2579b941734aaa653bc6
SHA256 7b645b5fe6d747da4011b3beea988ad7a043006eb8a883c15b738fcc54762d09
SHA512 2bd83df876a43ea285749ed348032e148538e3a9ee03cb201389a9ac91b07ca343d98e420b3b8d94d4b6ec5b3e72b3486f8c7cf98650a7ae7a5f69838568f604

memory/3228-396-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4656-417-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4512-427-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3672-429-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2040-431-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1052-442-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4192-441-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1268-566-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2392-565-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2380-567-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3916-563-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2736-562-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4788-561-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3032-560-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1192-559-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4808-558-0x0000000000400000-0x0000000000434000-memory.dmp

memory/528-555-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2472-552-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1080-551-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2504-550-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3636-549-0x0000000000400000-0x0000000000434000-memory.dmp

memory/412-548-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3432-440-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2388-439-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1472-438-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4064-437-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4408-436-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2264-435-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1464-434-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3572-433-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2416-432-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3800-430-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1420-426-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4284-425-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2636-424-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3076-423-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4664-422-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4592-421-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1460-420-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4812-419-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1176-418-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3956-416-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2052-415-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4768-413-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3272-412-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4960-411-0x0000000000400000-0x0000000000434000-memory.dmp

memory/752-410-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5068-409-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3576-407-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2844-403-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4620-402-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3180-401-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3260-400-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4532-399-0x0000000000400000-0x0000000000434000-memory.dmp

memory/960-398-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4184-397-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3096-428-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Pkceffcd.exe

MD5 c4a1d39d757967193ad0129331d9bca2
SHA1 9d6da3272f57a2342798b18be8f51d0bb40518ce
SHA256 ccbec350d0f8e2b10156c82885573be97095317122421bb100782d8542de652f
SHA512 0880b02ff2e7e6b239262f01b89179aaca878a5d4c5e424e7fad9c9161cb4025c16537633d38a4b0f03b96cc1e181901862f667458415b9e75f43ceef91a0fcc

C:\Windows\SysWOW64\Pghieg32.exe

MD5 113a279e4b807c54abf8460ac9f990c5
SHA1 e30b99b061fadb43bf0b7b953cddf1599577980d
SHA256 1b6a34096fe25b1028ad34a409e22f5ca448d7cc2960b048bb8bfa90c586ba55
SHA512 5a6774e11be0d9ffa636917f810828103f6913354d6d1115a731bb1e1642ecd75295d64794705626edac3e61697fa8d9dbde0e59e538ed16190c1221b4879130

C:\Windows\SysWOW64\Peimil32.exe

MD5 950bcfd7d6fc7091057a71df1cec805b
SHA1 52ddcec7c71f31f2d790e3cc85664419c1dfb10e
SHA256 686b589e20c68ce6b4be9508f07e2b2faad7012c073989a96935a88b6a2ff852
SHA512 1dd06fdcfedc59c7b03be0a7cd8a571fb2b9cf924ac7c8aea13f91955de2a0b39040f592b42dbe9fcc395ae06197c5a974f41734a85f00324b5e87ab8ee41f03

C:\Windows\SysWOW64\Pqnaim32.exe

MD5 ad450eb63a4df3305b51949609e09726
SHA1 ec6ba7efead52b0afed2793cd5d239af6cb3152a
SHA256 ee40324fe92a4932ce8412a8bf3d8737b9c7341c96ae90f5802af5ade1e126da
SHA512 ab28c6c0c2ac085718b46f31c9a883ee90c4dc241b810536d68d5e43e9e102dbd327ab948de5b1da26e2f0214695d375075f38da027367307d54e252d522f121

C:\Windows\SysWOW64\Pnpemb32.exe

MD5 ad0cb3369e1f4277104c31977d349b0a
SHA1 6c34486febe417d34d2104589226f7f7ce0560a5
SHA256 b62b380e666cf165bf5e74c1790bbf62d023bb3e49b0d6e1a42207a07e7dd44d
SHA512 509140620ddf3c46ca05c0476964b7aacaf0360ec85abda3245fd709a0a2006a08b83d8e96f3a45701b6ec0768aa2f3a0f4925145e9cc55397765f919b5404df

C:\Windows\SysWOW64\Pjdilcla.exe

MD5 e06f9c0bde9d8c1a0edbf4135c3e4529
SHA1 f9504c3f9871c0d51411bb21cda4ef1a1dd40783
SHA256 2f3aa27809fd2ec9c6e50638907c007cb2c68c123c3e1e5f565727e08b4126c7
SHA512 66d9d57901d4d513dd091b11877da6824e57fef3c9498ce9ff3e28c8557c43026bbd79460dc988a218e7d56575f3a4ceaa211678a47f86d899f8277f06ec57e7

C:\Windows\SysWOW64\Oqkdcn32.exe

MD5 4a71be9401dff3b69ce7143a2ee2dfb6
SHA1 420969a1494a09309cbc95a31bf1714d44e91f61
SHA256 4dc8fd9a4c1ebd5d0d660d857b7b25a7d035c25107d5adb028e4c907f190bc04
SHA512 559fdf22818e882b454959b7ed56a6a3d9c5ebe06027770413d19411355dc6d3378a526e81a7fa7014c67a7e21b74a4d4fe0d2acea94795ad8ccdaae454b47bf

memory/5440-623-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5308-622-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5268-621-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5236-620-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5196-617-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5164-614-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5124-613-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3044-173-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5380-633-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5724-632-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5692-631-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5656-630-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5620-628-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5580-627-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5548-626-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5508-625-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5476-624-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5792-634-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3852-157-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Cbqlfkmi.exe

MD5 b0ff16ec9bb05a151a184a5059decf20
SHA1 105b40561fddd5c7329e842ab63544415927d856
SHA256 4a1d85433cea8cab3d4ef55500a1299b23afa6147f2ce22ce9d5ba78235a533c
SHA512 0a0326b7694b0e2e6e51c46b21ce32179de07a0c4c665c607c1789343ef1d35ea05c70c8217dec4ab99da9724c1da3ce97b43a6032af16197243095e1512c5f6

C:\Windows\SysWOW64\Cahfmgoo.exe

MD5 3d41b17c45d7fe6603b2dae373504c43
SHA1 de3eb50d501ff24e481c9f2a73416e83daad40b4
SHA256 91fd15a5fdf5ee03302e2f02e46706987c8550d3e7b1910672a70e21ce63713f
SHA512 fb164c5d9dbb6073f094de8e0a1cb3df3127480ae1815709d05bd50bed34cebf0928ed1c032b543f1171750ec3914a1538712ea3d26763aa5af9d84d2395a16e

C:\Windows\SysWOW64\Dllfkn32.exe

MD5 c7c93ec8354fea095336a7a7f190b1e7
SHA1 3258cf23c404118573653674d2bdb9497ba42ef0
SHA256 1851a18547b0ec39f30e9ea4b208005692f64d4a1e3b4d12b70ef091efc0ee46
SHA512 5cdeebecaf74674813bcd49b0b33cd0d64e630fe5ba312ad3f29796c2cad35b7f2420380ef2cc863e85ebed7159beab5c984edf8b1aa5b21badeb69d944e8937

C:\Windows\SysWOW64\Edkdkplj.exe

MD5 66fa0394ddbe5ca5bee367a14809e7b8
SHA1 48ed8bff012599d70aa5b0887f4eaff1f96ef1e7
SHA256 193e5df42552962e5c6beb6f3c3080a4339ff00e80f8a902ad2479a2f003748f
SHA512 3010dd3f02e70e46013fecb7813bab5a778a34b33035785325c9cf9b1d9bcc425f9e8fca868e69a691b463df23562822a7445c6cfe985f376238fe289ae7306b

C:\Windows\SysWOW64\Ecmeig32.exe

MD5 a961868f4e21b6700515a60ff34a1465
SHA1 b354261531603784e047af09e6e0aa554595b732
SHA256 df0a2f6d048d908f38a5ff7381dab22174f1de85ff7ec8ecac40d74a802b3a47
SHA512 f84b1084dec69edad099ee6c4d04bbe59c0774b0efd42bdf27c4e92f31018d460ba9f8e8e01b65129618d462bc930215bad0ad8aaeed051e0c3d69c79bfafb53

C:\Windows\SysWOW64\Edpnfo32.exe

MD5 af43982029dd995e3e45ecd4fd9e3648
SHA1 73d2a12cc74600f92b6ab404abbca55ef3c57d7f
SHA256 1bdc61664cb5add56f7245d695b2a7b2a76b932bceff31613d3abc28d8002f3b
SHA512 3de3bc8bb61a66759c9dca8a07b19fc5f1c0bbc7c824eb2a90967cc87dc55136661b9052068099f9ec044a24ce1166e4ca0705bec5a056200333635fe5aff5d0

C:\Windows\SysWOW64\Fdegandp.exe

MD5 d93272002c186c9eb21fe49e6f6cad4e
SHA1 2f54d0590d6a0d26b1aeee31c07fc8df5a5e9577
SHA256 53cf2999e7b3211da7ea949b57d8c04ad4073e37004de523aa46288f18a1ebd9
SHA512 bcc9365ce0beb91bb7e884abcdf56d6f17ff6a17f60fb070d5df65f5a083b4840ccbe87e9426de2d771a339f8af5f9f9f1a1b1ffd072659d229a253c06479e77

C:\Windows\SysWOW64\Hcbpab32.exe

MD5 58fd36a3d8ccc44d1893606980a8e3f6
SHA1 5f09121af31a09d33b0c4236b5322f65cc4ce7bc
SHA256 0626e9928e7478026b196a2a3a4d19dc69a9fb668101ad1580d7dca7833919aa
SHA512 5dbf1a6e2cd0d8814281481c7ec29b3a024ecf27efe84396ace82aa44895ff87b460dd19df6a5df20266e47ba9b8c0f5ba50ee88d8aa2743a61153eaf6ead6d7

C:\Windows\SysWOW64\Hioiji32.exe

MD5 b50cdccd191aa01e38efc05dedbb9af4
SHA1 8dc0ea3dcc05e482d7a68843ffdbe7e1d6a85239
SHA256 0a9a7ab9864f0b50eb609f82eea4484df2e507e88dcf2485244b9401ff141a41
SHA512 69ade716cf65b998a635ae7fe37e1e04ba727bf6c8d1fafeb3994a0b5fefd9aba2dcadb451d8b25f8908b6512753b128ae49bee2cd68364a1250c0122c26830f

C:\Windows\SysWOW64\Iefioj32.exe

MD5 c95e35fa42af9155af5691ddefd1eec2
SHA1 02b8de8b9e7f57801ea676fa1a78188910aeeed5
SHA256 fbebaf1eb875c0ca7942b1f82f8c3e03d0741da2fba67600d66cd04c4308013e
SHA512 cb635d2dabc4e9e701316efbe51e236416c94d881d34e336c1c548bebd194dc89af5d245fa0aad7ff92d236b033615f67cb917c1ec1114abb1a75dfc176fb769

C:\Windows\SysWOW64\Ibcmom32.exe

MD5 a964125dbf138a0c89a0c267c234112c
SHA1 ac4161520fb95c869f6da384da02cf2cba860443
SHA256 75fba3ebaa778dfa49b118d7f5ce9abc69ad58aca78fa280b4d89c9567d97f06
SHA512 bd8c2b62ed5f50f252601367f2bdef0b165d9ed8580ae8e2b333588f2f023c3719d58e35bca97080568f3602f512fda38d308e9f420a827932d37d88a376a664

C:\Windows\SysWOW64\Jcllonma.exe

MD5 063372f971c0c992a7c6f20ff4c210af
SHA1 67ea8a8a78793e59cb6d533c9ff0e049c11ca6a5
SHA256 88b5bbf88da11243e580ff57227e90860e02303f6bb64de4810635c73da179c4
SHA512 919c097de86436379e2f9ab1c38ae745c3a14e299926ae798b2f1a2796e9561202915a528d296ed32c6df4485168ddd48bb7622a7ff7f163e7a6a4026be3381f

C:\Windows\SysWOW64\Kpeiioac.exe

MD5 a40a34c8047e5b610e42b257f350ca7c
SHA1 8ef5aa0d36ea32cc88eeaa0e03689fbf7b3be97d
SHA256 fafe1bc9e4653b654ea5ef45220b8a715749122f1944c6697e184a90af346562
SHA512 390147bccb826e70cf1b3c214198ccdeeb62134c22d258f1f57e39b630ab21795e3a63027dacf0402039618b1769e95915aa7cdc011786f8420b0a9acbb168d5

C:\Windows\SysWOW64\Kdcbom32.exe

MD5 0c4e15aa5a074b31876275add690e4e8
SHA1 10992f3f014cb4a379348d50ccdecd3589d54b46
SHA256 f0e67c0d368bfdbfae25f16ef7b88bb7ad8f2fb50887a2a49be46bac01ae2f71
SHA512 f6a15700c89958e3bea5ce44c8ba8edca90a7638339150586164064aff23c3a559ec9c43a1ec451b0568626ce9312810fa320d6f9bc933b0db5b0e3b15f695df

C:\Windows\SysWOW64\Kbhoqj32.exe

MD5 49bc4701869cb18e236e2b5a096f5fc9
SHA1 075d89b8e50ac7075e63d4c05a49997fabc8568b
SHA256 0b34efc52164b490c6763a02828324ab88e985c4ce969bbcc55f91b4c0dfcb3a
SHA512 ecd2437acda9ea6121004a6c5c8bd786c149b21302eb59ec9c59811562efe5f80c84783cc3cc030326961d1c3e9cebd501f59d6a6665e342b6bede0d065ff53c

C:\Windows\SysWOW64\Lpnlpnih.exe

MD5 965fadd05581313261a716a049c4ca90
SHA1 5e95999848848bc95d0954c603bbce3567409016
SHA256 1cdd18555cf3327f4a99611f8d45ab94c2bfbd187b2ca8c1bb8ebc70aa110c5e
SHA512 155c320e565c8f58319e8fdb4d5b66f3175267d030dd3c0628c7f277d06d797f51c07e6b02c7d16cf37b240be39972efb63301ac42b076ab8831a717e4e90ebb

C:\Windows\SysWOW64\Ldoaklml.exe

MD5 28a0eca2928ade06d3bb4c3e92586f5d
SHA1 3b02d8a8a47f03f6a6184561b8439ce08dc8d2bf
SHA256 722baa5b06dacae89ec1486567117a1750694b9bedc9f6c8ec0881deea3f3341
SHA512 5fbea8d932c4820069e5681fc3456b28990b2a8dbd727c97daf689f6c96b9e33fdb51c99aba99562764231cf281f6c00f93dd085aa4d3301d5e68dd1e1f9586e

C:\Windows\SysWOW64\Lphoelqn.exe

MD5 550f32f932c98cf32dfff98e3d3a6df7
SHA1 c37ebb016d14f6c3af8a4d43b2c280874e4c8924
SHA256 6920ce3b6735e465140fcf96e05f39ebec5fe355f172b35d2ad209b8e2facc60
SHA512 82974ad242ed98621ca9393ee5aed1ff4a2e12381eeca0912bf30434f8d33243c877a6885d3018eac84e24c877f709498d705f39fff6bfbba0c8950b126eca6a

C:\Windows\SysWOW64\Mmpijp32.exe

MD5 d64b720afd40e58147f151b4a7e4baaa
SHA1 90c0f5d841d4fe3967d7839541ff91521d603401
SHA256 1682ca8762ecdeb5f0e0fc88b461916163b3fab3f621238bde65d2bb51ed1d3f
SHA512 5936c3d7dc7a8a3662c856163cd5ae068fd46d69ad8ab7402a73d544cfa8d16d8c8d8fc7ca11469d5a386fd6d8369d0ead32aba39fb13c9e09c9d80f1a49c268

C:\Windows\SysWOW64\Migjoaaf.exe

MD5 ab66b1a497a5034ee5920ecd14dd933a
SHA1 f002e78fd9e3fbefa535d062c08c72290183fc74
SHA256 915337c84bb4fd575e14381051481150221e32c37be0a959715f58b512bb40da
SHA512 124ffa0227b152490e26d113c9759e98cf776972b5fe8272c5cfe404ac1eb69960611a5da77f8d61bedd69e042bc36d496fd3d7562fa8888e1efed5123afb869

C:\Windows\SysWOW64\Mcpnhfhf.exe

MD5 f0ead314611e9fc20693ecfe9f212593
SHA1 0835f886b4bf879bf25f996fad636da74a914dfe
SHA256 5631c73cc2fa071950d6112aef888b453ef3873eae16e21babac3934f0abd3ec
SHA512 96baeba5aba50c60d824561fafb6edf5588c19bcd84bde3bb2409c5f0fbf6fe1abbb6092c4c056f96e265dd4c5ae716119f92ac3fff68bcad5c14c5d5fa506ee

C:\Windows\SysWOW64\Ndcdmikd.exe

MD5 fbcd794970dbb31a01b0d3ea9c675918
SHA1 30f1df293f7e2f20765a661ad25d80eadd08b859
SHA256 16c0349d52184673b6da4709500b0a1cfca95540f576e230134d9db5ebe01ff1
SHA512 8cdaf27ba173ff7dc886a5936c2dfa019c6af7c7106dfd3c2a1b70083bbd83ef2469816c2cd017620f848e3069a9f6977dab0f8e5aa2bc809b70a2b65f0d9514

C:\Windows\SysWOW64\Ncianepl.exe

MD5 79b5bc30bb6d370a3f40338471e9bf56
SHA1 1c3201e620c5839885e1f839270c4f599586f81c
SHA256 7f5c5f457ba8e5d4c436eebd71ed273a30d5fb80edee42bfd669461983856908
SHA512 cbcc6366f7c34bcce268cff236ae9c92c2eea7d52cb1554214d1647d2eea2bf4fa0bed313991ccd9706263782fc910c07015868c51bd7bb840e4ff35cfbd5a7b

C:\Windows\SysWOW64\Olcbmj32.exe

MD5 b0d948b26d99c9f64061248092d450c5
SHA1 34ccd57f53e81b72bac3273a633af156154932de
SHA256 9b7378415f84e28b2e67af56dea51644aabdfedb6b00b1f97e343349bb724c94
SHA512 632f28771856333370ad05ec785c26ef49a4d1ff7a3d13be10ec546686e4d2f9a708b20b1810c3c38de6317f85912cc54fb7ac04c9556d11df20ffdf98133aff

C:\Windows\SysWOW64\Ocpgod32.exe

MD5 104c1cbf1b37cc3d0ede273f5d5030e0
SHA1 0c5bbf991b0f561a48a07ee58467f57d6a3a61ec
SHA256 de7550591c011762b3d89cb15954cb187f69b9fe4f90a5f6863f678846fa6d9a
SHA512 882efe9d70d9d1941a4627be977ddee52c43d3ebcc89381cbb153f82189913d6b01c9313d32825e2f3951bcb5b6720fe4d0bea282fa04eb93e238b5d0b602a03

C:\Windows\SysWOW64\Pdfjifjo.exe

MD5 876840e6fbd6f53ce7340bab27bfd205
SHA1 f727f98ad81d3e7cfdf2ef906dafb7f4ea921bd2
SHA256 c20725e773489f69100bd8178f3a03455c76fd54e93993aaf1fa198acbe952a1
SHA512 0271a96d356b29fdfec89bb8e392ffaf8cbb70d4d993b00d5d5f9ad50f8735aa92f5de73d12f801c78cf1f3f4785fc026e3362af1522927c3ab11e83d8ad7a66

C:\Windows\SysWOW64\Pqmjog32.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\SysWOW64\Pqbdjfln.exe

MD5 b134b889eef66bea9d1f0cb39df6ee31
SHA1 0f848bd405c2e9f217b547ebfb33f8a3d1182d9b
SHA256 486df935336a96103db7c3907c64535858ffd7df5ef6d5ad828c828ff9fb4d2d
SHA512 36ba492f45c42dbad337313ab873a1210688ae24ab97dff9181854eab89305541cd2478f6da7323a852fe8a8d0b23d9411776008cfd0b4ec20ad8ebc49d2aad7

C:\Windows\SysWOW64\Aeklkchg.exe

MD5 d2beeed85ab846cc05b25c02a26d323d
SHA1 513a40fe6e7ec1a268d9b92bff6b53032fcd753b
SHA256 131168db069def258f5c154d7f16ac623c54fc4f119136ee8b503547f97d6810
SHA512 3bf913eabfb7256f1b67473c6ac698115794dac14204f5084e7627c8f5e6e8d0a320124b8f4aa005128f8920ff166447643b0fdfdb3be4a0d2fc1571111349f6

C:\Windows\SysWOW64\Bagflcje.exe

MD5 dd4473aa95894418fb44b26c6a25be50
SHA1 bf04bd09ab87c9c0ca0a0e24dd68a94fe8cf7a4a
SHA256 d56620e1faa01553d1175bd7387d0a38a892d1c0db4edb4732eef4f093ce43d3
SHA512 3070eaee827cca738f18bbab026c8fe1579bfd0030d5835e495d2c40fbdc8f18a5e2311d391795c5dedf020abdfc833ff37ea3f38d4227085845a6518ab12443

C:\Windows\SysWOW64\Balpgb32.exe

MD5 6dfb1d326be969d8da022fa22a7cc893
SHA1 497aeb74bab9314da1931926b89d722f8ac116b7
SHA256 2d8eb9f5f51e344c4777eb479fa8b69e896fd9d195b79dff22063ff76c470f12
SHA512 b92a305b3c555785378ca195079ec2d69936bc27e360210b0d5feeff314717ac79036f687b77047f32b9698a9d3796a39ae60a90828fecfca75d94c265379988

C:\Windows\SysWOW64\Bmbplc32.exe

MD5 c8eaee27c85b1fc226714ad3e493dca4
SHA1 e46ddc9b763ce8819a8fd56784b5fb16e223ea8e
SHA256 398678132287d4858b67a57565949b42e89e4fdd97c159103cfd97f770b79996
SHA512 48d3f5dd48e5fb8bda555a1fe6546508f8a9928ff967e0501e968bb60bc096449ce839c3f4b5c1182bca1318164d0e431c997efa308599837d890253c0ff2ddd

C:\Windows\SysWOW64\Cmiflbel.exe

MD5 4f7b43a6579133175e8f9abccc2c0d54
SHA1 87e098fa13f81ba3a11638913ff947bf932ffa94
SHA256 871a2c81594ee5ab16bfe39d5b5b2ee09ceda09050de7a403441c6e588fecae1
SHA512 fe5419394c89fc998abd0b6a8cf5c7a113fbd3545b0e788c2d3f9f95992eab14c3a183dd4bda610b54e06ad2cd41fac715f118b8364c59657e28a16b2303a6b0

C:\Windows\SysWOW64\Dopigd32.exe

MD5 47de8e0e9697cab6b212a2e96d4eee96
SHA1 9210efd6b54fa32df6e4e0158faf9a00a27ea630
SHA256 6a0f7185faeaf906b402bf3a8c957f1d6318ceadb25903ade1c81cd8cddbce82
SHA512 b1c9b075b6d368289addd2d9d07910bb9f3356b5ba9a38dc659cc0748eebf3bd7527d58699e5c8aae2cf015ee248ea6fcd4c4f6208d6a2c86558d48f659ea0bc

C:\Windows\SysWOW64\Dkifae32.exe

MD5 9b419f64c0a0431410af587834bfa441
SHA1 5ad8fd37cf5fca057211bcb441ed081416a3542c
SHA256 b4f3d281800be3e35d2485785f17cb8fd1d2fd1fa823fa0a1a605000626009b3
SHA512 04669bfeed35e04b3e8febcf06328a99795de0d3de06366734d408640ab566286935047494a3474ccb8c2dd51be8f0e6ab61464db5a6be29f859d43c23d30d45

C:\Windows\SysWOW64\Dogogcpo.exe

MD5 a8923bb18a9728af1aaf0535c5cd4118
SHA1 635bcf2e6c1f73b8a1fdaad7fd58cc811d76f621
SHA256 40107abffb1e5c598c24e1a428beb1a824dce7771d4faaffd48e22a48e0e8b12
SHA512 97ce6766a1578b86e0c81c70e825b9249da150bfb498f25740d180bcaa4d1b041c457b9dd5581fb57763f95545a5f1ebf4eaf3fad90b6daba5fc13fca655c572