Malware Analysis Report

2025-06-16 07:06

Sample ID 240531-tb4easdb8t
Target 37d26997c332454764b1c03854410400_NeikiAnalytics.exe
SHA256 114abe8511cbbe723fdc94ba864a4c714f4959a2d42fecec988bdaf9f5769c58
Tags persistence
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 37d26997c332454764b1c03854410400_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

persistence

Adds autorun key to be loaded by Explorer.exe on startup

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-31 15:53

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-31 15:53

Reported: 2024-05-31 15:56

Platform: win7-20240221-en

Max time kernel: 148s

Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\37d26997c332454764b1c03854410400_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Pimkpfeh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Emkaol32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Nhkbkc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Amhpnkch.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Apimacnn.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Blbfjg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ceodnl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Kcihlong.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Lmolnh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pikkiijf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aemkjiem.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Amkpegnj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cojema32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Llkbap32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dlkepi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Egjpkffe.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eojnkg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qlkdkd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Blbfjg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ddgjdk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pimkpfeh.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bfcampgf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dogefd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Obcccl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Onmdoioa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Pjhknm32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Alegac32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cnaocmmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ebmgcohn.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pfjbgnme.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bdgafdfp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Kahojc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Omdneebf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Omdneebf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bifgdk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cnkicn32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pkpagq32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pjhknm32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bfadgq32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oddpfc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cclkfdnc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Egoife32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Chnqkg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eqbddk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Emkaol32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Djklnnaj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nkiogn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Pgeefbhm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cclkfdnc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pedleg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Djklnnaj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cjdfmo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cdlgpgef.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ebjglbml.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ekhhadmk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oclilp32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bidjnkdg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bppoqeja.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dookgcij.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aaobdjof.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bbokmqie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Caknol32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ebjglbml.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Onjgiiad.exe N/A

Executes dropped EXE


Loads dropped DLL


Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Nhokkp32.dll C:\Windows\SysWOW64\Ckjpacfp.exe N/A
File created C:\Windows\SysWOW64\Dpiddoma.dll C:\Windows\SysWOW64\Chnqkg32.exe N/A
File created C:\Windows\SysWOW64\Caknol32.exe C:\Windows\SysWOW64\Cjdfmo32.exe N/A
File created C:\Windows\SysWOW64\Omkepc32.dll C:\Windows\SysWOW64\Nkiogn32.exe N/A
File created C:\Windows\SysWOW64\Ldhnfd32.dll C:\Windows\SysWOW64\Pikkiijf.exe N/A
File created C:\Windows\SysWOW64\Bgmefakc.dll C:\Windows\SysWOW64\Odobjg32.exe N/A
File created C:\Windows\SysWOW64\Amkpegnj.exe C:\Windows\SysWOW64\Qlkdkd32.exe N/A
File created C:\Windows\SysWOW64\Gjpmgg32.dll C:\Windows\SysWOW64\Cdlgpgef.exe N/A
File created C:\Windows\SysWOW64\Dhpiojfb.exe C:\Windows\SysWOW64\Dogefd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kgkafo32.exe C:\Windows\SysWOW64\Jejhecaj.exe N/A
File created C:\Windows\SysWOW64\Lemaif32.exe C:\Windows\SysWOW64\Kcihlong.exe N/A
File created C:\Windows\SysWOW64\Fjhlioai.dll C:\Windows\SysWOW64\Bidjnkdg.exe N/A
File created C:\Windows\SysWOW64\Boqbfb32.exe C:\Windows\SysWOW64\Blbfjg32.exe N/A
File created C:\Windows\SysWOW64\Egjbkk32.dll C:\Windows\SysWOW64\Llkbap32.exe N/A
File created C:\Windows\SysWOW64\Pedleg32.exe C:\Windows\SysWOW64\Pimkpfeh.exe N/A
File opened for modification C:\Windows\SysWOW64\Bbokmqie.exe C:\Windows\SysWOW64\Bppoqeja.exe N/A
File created C:\Windows\SysWOW64\Egjpkffe.exe C:\Windows\SysWOW64\Edkcojga.exe N/A
File created C:\Windows\SysWOW64\Ekhhadmk.exe C:\Windows\SysWOW64\Eqbddk32.exe N/A
File created C:\Windows\SysWOW64\Jknpfqoh.dll C:\Windows\SysWOW64\Mamddf32.exe N/A
File created C:\Windows\SysWOW64\Fqiaclmk.dll C:\Windows\SysWOW64\Obcccl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pikkiijf.exe C:\Windows\SysWOW64\Pjhknm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cppkph32.exe C:\Windows\SysWOW64\Cnaocmmi.exe N/A
File created C:\Windows\SysWOW64\Cdlgpgef.exe C:\Windows\SysWOW64\Cppkph32.exe N/A
File created C:\Windows\SysWOW64\Ckjpacfp.exe C:\Windows\SysWOW64\Bhkdeggl.exe N/A
File opened for modification C:\Windows\SysWOW64\Endhhp32.exe C:\Windows\SysWOW64\Egjpkffe.exe N/A
File created C:\Windows\SysWOW64\Eojnkg32.exe C:\Windows\SysWOW64\Emkaol32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kcihlong.exe C:\Windows\SysWOW64\Kahojc32.exe N/A
File created C:\Windows\SysWOW64\Mdqmicng.dll C:\Windows\SysWOW64\Mmhodf32.exe N/A
File created C:\Windows\SysWOW64\Bhkdeggl.exe C:\Windows\SysWOW64\Bbokmqie.exe N/A
File opened for modification C:\Windows\SysWOW64\Cojema32.exe C:\Windows\SysWOW64\Chpmpg32.exe N/A
File created C:\Windows\SysWOW64\Nmnlfg32.dll C:\Windows\SysWOW64\Cojema32.exe N/A
File opened for modification C:\Windows\SysWOW64\Aemkjiem.exe C:\Windows\SysWOW64\Alegac32.exe N/A
File created C:\Windows\SysWOW64\Chnqkg32.exe C:\Windows\SysWOW64\Ceodnl32.exe N/A
File created C:\Windows\SysWOW64\Cojema32.exe C:\Windows\SysWOW64\Chpmpg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Eqbddk32.exe C:\Windows\SysWOW64\Endhhp32.exe N/A
File created C:\Windows\SysWOW64\Dookgcij.exe C:\Windows\SysWOW64\Dggcffhg.exe N/A
File opened for modification C:\Windows\SysWOW64\Edkcojga.exe C:\Windows\SysWOW64\Ebmgcohn.exe N/A
File created C:\Windows\SysWOW64\Jejhecaj.exe C:\Users\Admin\AppData\Local\Temp\37d26997c332454764b1c03854410400_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Lmolnh32.exe C:\Windows\SysWOW64\Llkbap32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bfadgq32.exe C:\Windows\SysWOW64\Bhndldcn.exe N/A
File opened for modification C:\Windows\SysWOW64\Caknol32.exe C:\Windows\SysWOW64\Cjdfmo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dndlim32.exe C:\Windows\SysWOW64\Cdlgpgef.exe N/A
File created C:\Windows\SysWOW64\Fljdpbcc.dll C:\Windows\SysWOW64\Nhfipcid.exe N/A
File created C:\Windows\SysWOW64\Onjgiiad.exe C:\Windows\SysWOW64\Ngpolo32.exe N/A
File created C:\Windows\SysWOW64\Abjlmo32.dll C:\Windows\SysWOW64\Amkpegnj.exe N/A
File opened for modification C:\Windows\SysWOW64\Aibajhdn.exe C:\Windows\SysWOW64\Apimacnn.exe N/A
File created C:\Windows\SysWOW64\Ajjmcaea.dll C:\Windows\SysWOW64\Aemkjiem.exe N/A
File opened for modification C:\Windows\SysWOW64\Nhkbkc32.exe C:\Windows\SysWOW64\Nocnbmoo.exe N/A
File opened for modification C:\Windows\SysWOW64\Onmdoioa.exe C:\Windows\SysWOW64\Oddpfc32.exe N/A
File created C:\Windows\SysWOW64\Alegac32.exe C:\Windows\SysWOW64\Aaobdjof.exe N/A
File created C:\Windows\SysWOW64\Mmnclh32.dll C:\Windows\SysWOW64\Ddgjdk32.exe N/A
File created C:\Windows\SysWOW64\Fdilpjih.dll C:\Windows\SysWOW64\Eojnkg32.exe N/A
File created C:\Windows\SysWOW64\Kahojc32.exe C:\Windows\SysWOW64\Kgnnln32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mamddf32.exe C:\Windows\SysWOW64\Lmolnh32.exe N/A
File created C:\Windows\SysWOW64\Mmceigep.exe C:\Windows\SysWOW64\Mamddf32.exe N/A
File created C:\Windows\SysWOW64\Dpmqjgdc.dll C:\Windows\SysWOW64\Pkpagq32.exe N/A
File created C:\Windows\SysWOW64\Aibajhdn.exe C:\Windows\SysWOW64\Apimacnn.exe N/A
File created C:\Windows\SysWOW64\Aamfnkai.exe C:\Windows\SysWOW64\Aibajhdn.exe N/A
File opened for modification C:\Windows\SysWOW64\Cnkicn32.exe C:\Windows\SysWOW64\Chnqkg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lijjoe32.exe C:\Windows\SysWOW64\Lemaif32.exe N/A
File created C:\Windows\SysWOW64\Lmolnh32.exe C:\Windows\SysWOW64\Llkbap32.exe N/A
File created C:\Windows\SysWOW64\Onmjak32.dll C:\Windows\SysWOW64\Oddpfc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bfenbpec.exe C:\Windows\SysWOW64\Bdgafdfp.exe N/A
File created C:\Windows\SysWOW64\Lkmkpl32.dll C:\Windows\SysWOW64\Emkaol32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Fkckeh32.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpkof32.dll" C:\Windows\SysWOW64\Pedleg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlkaflan.dll" C:\Windows\SysWOW64\Dlgldibq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dbhnhp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Caknol32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkphdmd.dll" C:\Windows\SysWOW64\Edkcojga.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Nhfipcid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Pkpagq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmicaonb.dll" C:\Windows\SysWOW64\Pfjbgnme.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qlkdkd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cojema32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfacfkje.dll" C:\Windows\SysWOW64\Dndlim32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ekhhadmk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fljdpbcc.dll" C:\Windows\SysWOW64\Nhfipcid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Oclilp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ckjpacfp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Chnqkg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pgbhabjp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ddgjdk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Obcccl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ceodnl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Eqbddk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bppoqeja.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Dhpiojfb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gogcek32.dll" C:\Windows\SysWOW64\Ebmgcohn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffdiejho.dll" C:\Windows\SysWOW64\Bbokmqie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opfdll32.dll" C:\Windows\SysWOW64\Cjdfmo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpioaoic.dll" C:\Windows\SysWOW64\Qjjgclai.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Qlkdkd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Aaobdjof.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2664 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\37d26997c332454764b1c03854410400_NeikiAnalytics.exe C:\Windows\SysWOW64\Jejhecaj.exe
PID 2092 wrote to memory of 2544 N/A C:\Windows\SysWOW64\Jejhecaj.exe C:\Windows\SysWOW64\Kgkafo32.exe
PID 2544 wrote to memory of 2672 N/A C:\Windows\SysWOW64\Kgkafo32.exe C:\Windows\SysWOW64\Kgnnln32.exe
PID 2672 wrote to memory of 1888 N/A C:\Windows\SysWOW64\Kgnnln32.exe C:\Windows\SysWOW64\Kahojc32.exe
PID 1888 wrote to memory of 2348 N/A C:\Windows\SysWOW64\Kahojc32.exe C:\Windows\SysWOW64\Kcihlong.exe
PID 2348 wrote to memory of 2748 N/A C:\Windows\SysWOW64\Kcihlong.exe C:\Windows\SysWOW64\Lemaif32.exe
PID 2748 wrote to memory of 2140 N/A C:\Windows\SysWOW64\Lemaif32.exe C:\Windows\SysWOW64\Lijjoe32.exe
PID 2140 wrote to memory of 1480 N/A C:\Windows\SysWOW64\Lijjoe32.exe C:\Windows\SysWOW64\Llkbap32.exe
PID 1480 wrote to memory of 2280 N/A C:\Windows\SysWOW64\Llkbap32.exe C:\Windows\SysWOW64\Lmolnh32.exe
PID 2280 wrote to memory of 1360 N/A C:\Windows\SysWOW64\Lmolnh32.exe C:\Windows\SysWOW64\Mamddf32.exe
PID 1360 wrote to memory of 1792 N/A C:\Windows\SysWOW64\Mamddf32.exe C:\Windows\SysWOW64\Mmceigep.exe
PID 1792 wrote to memory of 1908 N/A C:\Windows\SysWOW64\Mmceigep.exe C:\Windows\SysWOW64\Mlibjc32.exe
PID 1908 wrote to memory of 2420 N/A C:\Windows\SysWOW64\Mlibjc32.exe C:\Windows\SysWOW64\Mmhodf32.exe
PID 2420 wrote to memory of 2692 N/A C:\Windows\SysWOW64\Mmhodf32.exe C:\Windows\SysWOW64\Nialog32.exe
PID 2692 wrote to memory of 1772 N/A C:\Windows\SysWOW64\Nialog32.exe C:\Windows\SysWOW64\Nhfipcid.exe
PID 1772 wrote to memory of 2908 N/A C:\Windows\SysWOW64\Nhfipcid.exe C:\Windows\SysWOW64\Nocnbmoo.exe

Processes

C:\Users\Admin\AppData\Local\Temp\37d26997c332454764b1c03854410400_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\37d26997c332454764b1c03854410400_NeikiAnalytics.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 140

Network

N/A

Files


C:\Windows\SysWOW64\Pikkiijf.exe

MD5 83ae26a9b1873ad94179e3e820922f18
SHA1 4507eeb7ba812522f2a19c0a03829a7ef45346c0
SHA256 89607979bd055c351d1b20e17c6ca95d50ea2977cda3836c056dcec949b4d830
SHA512 b3637cd1515b06f29e16684f88683957b9a544ffcc20e8dd3c8611b5eed120eed268dc468a71f7e86170634926075a24561a96e791d4698ee9d728fa537f106d

memory/1552-417-0x0000000000440000-0x0000000000473000-memory.dmp

memory/1552-416-0x0000000000440000-0x0000000000473000-memory.dmp

memory/1556-415-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1552-414-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2232-413-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Qjjgclai.exe

MD5 d62d8c6a59de1d8bb75bb9bef6a57904
SHA1 e7c480d7e977d5d884b658457115ff5e11f12564
SHA256 51d3094b65abd14f32ef5a8ad3be5b4bf5dcbf8b6bfbbaf993dad237e0b40d7f
SHA512 0707000a4339fa579e7d18d97221441bf8c9d4593263fff52ab270ea76d2187210f694bf29ee372e8fd764a7582c0300fe870f14af399794569c935b27f72bad

memory/1556-426-0x0000000000250000-0x0000000000283000-memory.dmp

memory/1556-431-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2096-432-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Qlkdkd32.exe

MD5 5450242931c8d5bccc394807742c085e
SHA1 498d4ed1700120ab650c529821c6991395f91986
SHA256 672916d8f72387490efb79f7588e07629022cba5e4009697c78daacf17e917a5
SHA512 d7b1605226aa5c981794dbf3eec999eb18515177933d58aa27d7a32a66e0ce8a55fb1196db8edada1a8e13e0f14c438bbf934ae890dbeb410d9cd00322510dac

memory/380-438-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2096-437-0x0000000000440000-0x0000000000473000-memory.dmp

C:\Windows\SysWOW64\Amkpegnj.exe

MD5 bbf02eeb8c5292533f1fda6262adf6b3
SHA1 9d5ac4a24d2b1bdef750b72c0543dd49a71ac949
SHA256 11261cfabd4b7173ed0df1a081b0215ced1122dd72eb5b5597dc22ea3cfc348e
SHA512 694592603c5de51be89aefbc5f05f15192bd4f20ef374510c78149284703875b6b2d42db48b0e77f1cbd50b6487528a7ecf46ae72b52581aaaff6c2140f55dcb

memory/996-452-0x0000000000400000-0x0000000000433000-memory.dmp

memory/380-451-0x0000000000340000-0x0000000000373000-memory.dmp

C:\Windows\SysWOW64\Apimacnn.exe

MD5 9f3a31478862e64e3a62920e6852a883
SHA1 a34cc625dcb13bc5be425ecb4d2eeae22376a575
SHA256 8fdde9d078c7e616656bc6d23a6a86cec14c8cb9a2b54d8fc2a2bad66caff822
SHA512 b320b0a6ca49dc8c7250788f988d1eebcb7f28e1720881831858a3e8dfe890e4229bd6cbc7d38a40f1500ea53e0d7afb70e4227826c637915cde3d4a763c530c

memory/1452-463-0x0000000000400000-0x0000000000433000-memory.dmp

memory/996-460-0x0000000000440000-0x0000000000473000-memory.dmp

memory/996-457-0x0000000000440000-0x0000000000473000-memory.dmp

memory/1452-469-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Aibajhdn.exe

MD5 1c848a52d2e6c8f4ace3840bf0c2f8a4
SHA1 a83e143f374dbfc2c97737e6bfaaf339d1ce62f0
SHA256 64be3267142191e8cedc5c66d801193c20aa01f898285229e355641eb249bcbb
SHA512 92b2677d5ef9b34b270783cd3d0196357af43f30eb2e147a222099cf3df913e779c21f74c424a9727fe2123920007f7fe1d01c150d38057876b0b42bfa15cc5c

memory/1452-465-0x0000000000250000-0x0000000000283000-memory.dmp

memory/1892-470-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1892-476-0x0000000000370000-0x00000000003A3000-memory.dmp

C:\Windows\SysWOW64\Aamfnkai.exe

MD5 57cc8d0a16176559b0ec9fdcca3f5019
SHA1 07eb1ef6b404a149c6c49c18cb0668e0ed41f736
SHA256 5a3a1cfc357b00dc670e035d212eb2b024d036e649df2131cf0e9931c6019f0f
SHA512 8036d0e6add3e9cdf3516034337d35137cdbed972bd510bf8f56c2a3cb1029d1f17a8052a84bcf26e30e73f06576099385d40f00fa112677f22ebbc3b3c41951

memory/2312-481-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1892-480-0x0000000000370000-0x00000000003A3000-memory.dmp

C:\Windows\SysWOW64\Anafhopc.exe

MD5 e5bdc118751d9d4d09d22fa04683de0e
SHA1 bb0c569e9722e3ab0ee29f16b04db3a995d8e4d7
SHA256 a0d94142ec249f4f5365067de2d42675f26dfbb322c23885687d289701af9da8
SHA512 580091ee910079a65f6311b12505ffe84a1fa32a34d5397580f8c4454a4d7582b2045fbd5535b0bfde11a32dc5f89b3c8568d79d19b0cd85eb4506d5c0e7ce6a

memory/2312-494-0x0000000000270000-0x00000000002A3000-memory.dmp

memory/2312-493-0x0000000000270000-0x00000000002A3000-memory.dmp

C:\Windows\SysWOW64\Aaobdjof.exe

MD5 36c84745bc63ab1ea02700b993722698
SHA1 7d536d635309b3dc15e516a914e9a2c9c89b8a5a
SHA256 d1b014a15887b82239e99843efad2449e71ecdeeecfddf075a35c52267832b60
SHA512 cf5ea01af64123ef0f5a0a9093344ed0eeb84edcb55561892172c76bb403f96249632bdedf64ea8318635bfcd8cc62a84c7abe7a8ed58ea9fc90e966ab2904f7

memory/1732-495-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1716-503-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1732-502-0x0000000000340000-0x0000000000373000-memory.dmp

memory/1732-501-0x0000000000340000-0x0000000000373000-memory.dmp

C:\Windows\SysWOW64\Alegac32.exe

MD5 012d1cef0a36f44c22535a537d574bff
SHA1 eaa83d15439ed846890a78933c58518b7309b2a9
SHA256 6c78b430bab75b275c4373f90e42d38891f785481172fb0b3f88d891d7a22fc6
SHA512 5c0f6d5557499cc9a1e96334b983cbed16bad0e7ce45472c13f4c66b653cdbcc4e5be20529f36df4cfe9a63811753701e10a53b7f070bc0489f1da2b6ef0e569

C:\Windows\SysWOW64\Aemkjiem.exe

MD5 9988b25e6a107f05b6458165ff6dc36e
SHA1 c543eac10425c93ffb01e31c0d49dee03d87cd88
SHA256 a0f4df0a69a5d319bf1a671c8ea8ac2bb8ea8e384d026b8beb69fbbdeb0afdc0
SHA512 2d46c7cc5a2764f20193938a83a2691e52e12f3e6fb3d132c899e6e6342e1558c64d0cbefb27d89d02d9bbb9864a9a8b479a292b809d0e6625ca49ffa7f5e853

C:\Windows\SysWOW64\Amhpnkch.exe

MD5 63ed232beccb30bf877ddc4d2e5aeb52
SHA1 b51072cf8652f0c32418c326f4638c804d4b6e26
SHA256 1bed6187709f34056e46a0ed3f5546df3788233d398318ba155f02bdb5ca4db7
SHA512 a59f08d94fa089a4510f4d491e1b13e5d60a96b4b2516f8d103d08e5552cf42af4c54cfc5398368b889ec315dfd5331b3bd97b9163afadb48af9df1085363818

C:\Windows\SysWOW64\Bhndldcn.exe

MD5 3e98e4f4644d68a32c78ea61808fd5b9
SHA1 fbebdf7d963e93bf6fcacbd96908b1e8aa582cd5
SHA256 9255084ec84528495d74d433d70b5e1a1a299644ba6dab396397ab71566c3f15
SHA512 c27e0ed57b7c72af9a5f27dd82875884386794db6ca0d3c03aae34a55e96a3a2d2b126e7a625f2558e34bda58fdf02171360ed1eb7dc03b3636bec080e84452d

C:\Windows\SysWOW64\Bfadgq32.exe

MD5 5a23edf27b7bed07ec346f839c889a1c
SHA1 7464bec99794288058bd09a97a873f9f17ebf440
SHA256 f427884ee4cacb33b4c2040cce7298fb5bf4481eb1c29f968f27213a3c25ef53
SHA512 6044eaf6d317b21d3b44f9c8f6e22941b4ee453e1f94c3fb5d5c0d913400a6ad170efa4951acd26e569f067f39bb98af04f1669d705f61b971c4e383c942820c

C:\Windows\SysWOW64\Bafidiio.exe

MD5 2d4e65b77f7c1b5287ad50f85ee1b0a7
SHA1 73a7fc38b73e4c996f2423c9d9b5fe31c1aafe36
SHA256 fb5311fcbf069bc39d4b7865c69b456092e971d1f237bf9b5b8a4ae582136c2f
SHA512 c7aa0a5223ea07b3d2b4ffeef69ad7a28db519d5c855fa25c2a50e9c5e15b8d4e6285d2b965bdce25e7acfcd0e4da129e8d4041d6fe84166ed3aa9b53fa7ad44

C:\Windows\SysWOW64\Bfcampgf.exe

MD5 b796545a4cbd4b3216f4db5fc24b218b
SHA1 30130cc102e54e9c868fda24445c24876c37d3f7
SHA256 b96bc444ede48e4c999e2a69db709a710aaee1b45ae3c63b1fcd4aec51dd359d
SHA512 2b3e26dd2b789b832424714e359872b000d439e11a4b5b9a1f723e0120e1fea77102bb588d6794830d50b37078f7d1d5d17fbef6cddb2dae18ccd92cd40bfcb3

C:\Windows\SysWOW64\Bdgafdfp.exe

MD5 53832a6d4d40d3c3fc3a21131ea823e1
SHA1 c02219a55a52c22afabb102e2ec73277834e9682
SHA256 cee723494b3b9b8bb248feb90aaa2f43b0203d823864550e3a512d2c0a4a5899
SHA512 2f822ccf65760703c238fe2f5df96a05cbd8ffa2ddc005308a227d51093638c536f6b216d4acb1774349480c82be6118ffed5b09c0975d6a59a641ee9d0b8eab

C:\Windows\SysWOW64\Bfenbpec.exe

MD5 de96ad3175d9569105ca9691ba6c1048
SHA1 aaefe3323da076d40e5584422bcce00e8a5ff49f
SHA256 51d81060e1772b85565a3fa2e97c52251b3e69ce417cfffba62ce0bc7e335c4a
SHA512 629ce786203fafcced74db5f6eea3d0eb13798810b15afde09b4dcd0e2c2dd29d48b28c1ee9b7b7eee53001454b062fc1fc42c57c5d53f3e9cdc3aeca2463236

C:\Windows\SysWOW64\Bidjnkdg.exe

MD5 f3bb4588c77b28ac92c1daadc2f056a0
SHA1 3424674739e6eef84574a39486f6ed2de69402d7
SHA256 8e9e6f124c8ed7176fae643e72857f41c5f8ed4127c7e3815acfdf022343e4fa
SHA512 889b1238901a1a84abc64dfe3f5c375281bf1f1296333cd751e4c9188fa2c5a33f88f7939aac8fb0a05f78821d9df6ea181a8c29f788f2abd0219e45e9d3d4a9

C:\Windows\SysWOW64\Blbfjg32.exe

MD5 5b21c89d9435c3e8316a5f9f9501546c
SHA1 18dcd97edb95775d43f6c8ba89bcd2520bf5a8f5
SHA256 e9cee7c40b88bcf53777bf9b5eddcf7acb016139941815995f017892b55ed889
SHA512 143506430ac6cd1dc123a97ffd6a0f31d1ea311355c0f26422b2d2bc759b6d65643c2d29557308da2891035920e279467a79e27bc8cdf9705f4b8cabdd5a98c5

C:\Windows\SysWOW64\Boqbfb32.exe

MD5 bfaee770703b21482f58c068d814ad1e
SHA1 e67f29ba398ef388cf5c09666e82d3749886c932
SHA256 6af0dcbb5192bb6d5ef76a6e5c2b9b0ed23e12ae971a0d8fe3c7fb677e9fff07
SHA512 abe93973e262af95487d58f2171bbe27b00d2e05351267751640491d19d388ab63261fa5acd0fdeaf6764eba8662bf583a5bec2e39ae1efa6e27f723707ec15c

C:\Windows\SysWOW64\Bifgdk32.exe

MD5 eaf5d3e8d26d5bf7d49ab98fa066db27
SHA1 976ee7593f126b368bce4d598a5fa8b9c58342ec
SHA256 df88005730724bff4da13d86421012df04da4c321959e8cf435634d9f8738f66
SHA512 483c7e75605ba99c4638ba7b37b4336219249f6c2f7dd45a0a4cbbe20a59a55079b950dc66f060e395123af77dd479b1c9153684a9e57ac1edf637b4cddb0c21

C:\Windows\SysWOW64\Bppoqeja.exe

MD5 177bf2400aa92ff7c24181275e7d3ee6
SHA1 90c44e600230dd71e75c253eb5095ee500a0727a
SHA256 058bd01d37aedffbe0b97df73c7e1d26a02c8b5931fcfb1784a7725bad1efc61
SHA512 51fb1d9c5dff8c3919540bba5fc35544a7bc6934fbce04acb6764e3359a9e72f55c527413518b6775579fa222594ac13dd614d18db39e086ccb90da4e1ebb603

C:\Windows\SysWOW64\Bbokmqie.exe

MD5 79ed8b481e9ab525af9f2eb1cd801349
SHA1 34f34af78ef02612d089d2c4845a27b91ad970f5
SHA256 cc9a3a60a0289a249adef23bad36a9dd24ac5596a66e1fe7d06cb6d01387ce4a
SHA512 53760d8e7560d64d26e829095512e7b41170103dde32d1197f380c8f96a72c6c446c4d44f07b31324d651199c8b15a3bd80c38f3328ac4a72c857fc009212721

C:\Windows\SysWOW64\Bhkdeggl.exe

MD5 bad42ae38a1961c006b07e5e3b474994
SHA1 a5574459277bca5bbd34559884c387999837d3b0
SHA256 50963db9f6164041e2b51e101184f63178474f4e00266f424635a2cba43d9434
SHA512 1f214144244cdc9462c01ce8e90430f865defe6dde2dcfe773002d09c0fecec800f058ad7f8e11238d2cb2ca3427191a1f21ebe1e28979c3573a735769184214

C:\Windows\SysWOW64\Ckjpacfp.exe

MD5 d5f1fcf96cf403c8938f0fa6d424b6e6
SHA1 ca7d02056217e6aeaafb6c7e1dd6abf450f386ef
SHA256 8bde1072285e62c19b8cbd0dd304a1fa0798bf5004770da255f26f14793a593e
SHA512 bc863e78a09038d9a10e65bdf248c9d759bd91c4f48bef4664a13f85d33095c3433c48beedb0a9174d475a0a11a6aa51d4563322b104d2f61591c845e1806e9a

C:\Windows\SysWOW64\Ceodnl32.exe

MD5 05b97bd69f4e8a0ad2da1d79e8a05ede
SHA1 19b22ca235f7c1c766b0ab72f985168a7e63a630
SHA256 112e32d45b799b61ad5067e74abdd5e8be32e3e9c8ef60318b86a1d17ab2b6a2
SHA512 9ddb56d0600b6d2fbae18abe95627931355bf5627ce7679b09ca0578341f23d20d9603c3f7533d0be92bb1475cae0ce8e652ed89a6a705edb9ccdea985caa32b

C:\Windows\SysWOW64\Chnqkg32.exe

MD5 b9dea1064c5cdd6d09718d4290d4f350
SHA1 145179d1d75c60e7224b92765d97eaf26859a7bc
SHA256 b3f5e3ec014682e82888514a881754bd85098a0df911373f3f786d562ed525d2
SHA512 e1542115b59389faea46f6358a290d31940a7d473d68dceb49ca604f900ffac4844ee879d6d1eb6415b1476c129432b15910aba0b0163a5bb48dfbcaaf13f0d4

C:\Windows\SysWOW64\Cnkicn32.exe

MD5 b1b39cd0eba1f0cf555b2d537a3008ad
SHA1 1ab5aa5f82e4ed9f77c1d064e659cc30c2bd2751
SHA256 daff3427ea7f3fff7c256b895dcc03a01b1f2ff246a3a3518af6d0264dafb880
SHA512 5dca93420c89d1437ecfb51f045f3e23cebec0b213777176e9f6aeaf48414f3187aaafa21830bf4675d817b9563054ee7cb464c69bf495a75c5a1489bd0a4191

C:\Windows\SysWOW64\Chpmpg32.exe

MD5 d7b7347ab63affc6b26a645b64f4a380
SHA1 423f1f73070d037ad70afd262bb47786d7d3ae46
SHA256 519d0651c46bdced90b778354423eccdacd2213f495fa9f380ef3585bccf88c7
SHA512 893ee6f7c7838d03ab020b1f7857c1f396d0542e330c5df74dbfe367ec13bd24a7fc6e40e05de17d5ec8036face190ad3389babd0899ee021461da3921d8a06f

C:\Windows\SysWOW64\Cojema32.exe

MD5 1dbb2e70ed67c4e09f7f8f0092ffa66d
SHA1 e57cc241e36ab2b5e629e849671bca177c765ea9
SHA256 e7b2b2e1ddf73041dcef9723940d945da06b9ebde7ed582bdbdc2ebd3d71f04c
SHA512 a55f22d41157c6a5fd17f3c6e43f0e9872ea47bfa6ac1d79c2ed615038a26620b6e85414655046bb690cf7f11036fe6e28c3df037d0878dc49f6416388737532

C:\Windows\SysWOW64\Cdgneh32.exe

MD5 be65a37ee9c7f4d85ead3211ea401b7c
SHA1 1bbc9a8ad5ccde66ecf6382a5462ed1aa498c683
SHA256 8aad733e1c43db77a82a053b3a1240371806db2d9e1b7e8362bf21db28303ce1
SHA512 c8c4041adb0add1ef006a84ed677aa00047ac6dc360c35fdd2064a7197bab55eb420699d5f302e3839192ed9dffc1f4241d8ac16541df9d6a7cf2bc8ed63803f

C:\Windows\SysWOW64\Cjdfmo32.exe

MD5 e6ea390b1654c558873eedc06e029967
SHA1 1d57935c270b32f6906df5720721ab1dce3e5fda
SHA256 72c78d8eba9ddff45daae8424d5bf17c3ba5dc0b4f0c469d7a2543b3fc5380ed
SHA512 c117a882b7ecd8a10fd699edfb5337bc4ef92f4240252dcf3423493cfa423d165c0c4f5ab2212f714ed25d2339914f62828f8540aa90fb832ee4ca1225f33813

C:\Windows\SysWOW64\Caknol32.exe

MD5 f55f4dc58c406dab7694974493095fde
SHA1 95eedd6334443ae5f956db7d4fe682dffc925f3c
SHA256 aa91f5430456293d6a122d5df06df58ac2fb289b5e089204b82ba275206885f1
SHA512 1737b15b1c6fab80fadca3e7893bdf13537da1d1eb621a6b15a28cfc05325f1db66afbd427c70d0288f5d3a29718aa0c87585f58ac7366452550a2ab052b2af8

C:\Windows\SysWOW64\Cclkfdnc.exe

MD5 14e20417969c92d30058dc27b1a5ca48
SHA1 7ba9e89f9c1e7a9590542672d528227102940bc4
SHA256 8ba52dfc61eece01b9713c6c311d287f48db383d0763a530cadd9cdba53e0a62
SHA512 f242ec47ce7b2e9b3e8f5ec6769e32c7f11500a54dd56fc4697d53c15379bfc78d521744e6191c0ed7aae5750ea502f3c9c0ef214c3e290cd6e8b8bed4b6f6eb

C:\Windows\SysWOW64\Cnaocmmi.exe

MD5 bd35e1ce1791b86314db76031bdccbb8
SHA1 fd39d9433720bdab5168f27a93393d84af1165e1
SHA256 344d4644f6a86e1aae049b9657166b02762fb7ee1ac18a53444c0a0a28d7cf2b
SHA512 7d98041e2baef0d88f3dd9f53e42a98a05035c58d1190fd90ac6aee0ec77b109c231fc0c52dfb74bddcf75d0339e45d382c6a21dd057c40755753b14e6501747

C:\Windows\SysWOW64\Cppkph32.exe

MD5 bc4e66b9cc84c36d2ab40566d69aecda
SHA1 f5122d1e15d293a9112196fe50a22146c0d23fae
SHA256 f3e3d31b07d42ada79ea69d8a29464297588d866d60918f9744bcfc7c2720c38
SHA512 a9590d7835ee309d2a50ba4f9c77a74551997267236b5ec4a3f0903e86578d2ddb2b0196e88d069baeec6d8bad2cdb28c7150bef68c8c512203447b173a477db

C:\Windows\SysWOW64\Cdlgpgef.exe

MD5 db64d75a85f58293cf455545fed4a70f
SHA1 afaaf85d842c93d2718711837cfae98d85426731
SHA256 939223197cf68f70611bf3aef9e792a827b2ab5dd0aaa4a68f53dfe989f2c2dd
SHA512 b7e6bc65229acea81568537a0400a8d025b7300a38828e67690de73818a788b72e9a70deca5a4fb558be1d3320bd71ee425a03b07a5b95ef4eb993e3565e9dfd

C:\Windows\SysWOW64\Dndlim32.exe

MD5 56a416c18938d393575688b0e1bd43e1
SHA1 0c55c8d474b20134a934aa2e966b377d179d362e
SHA256 f0ab1f72a46916abad43e4413f8038dccb79b7a71224b62c64d61667641dd059
SHA512 e3d8ad56f5d0df5a37f6e9fe080e8b46ae1990e6ec935bc5ed84ba908ac1841c5afdcdc698c47ecb28bb7d93338b5f72836364c155eebbe2246ffe790fca4e7a

C:\Windows\SysWOW64\Dlgldibq.exe

MD5 152b1514a6ae63aaa04e4c51d53a8bd5
SHA1 d652ba9fbbb19bb14c6dea47403b43eeca0bced6
SHA256 79f85117e8a4175ab2c76be6331a8950d33de3f64f9fca62774dc68009fb018f
SHA512 e4bcb6dc76e3441c1d4006a1caeaa23b47a19ef8216f3b644058ec9a96a77dd9fbb2aa4659915cfdd6600f80bb663b356aa74c92c3a4ef4a0b6c7519f201e61e

C:\Windows\SysWOW64\Djklnnaj.exe

MD5 b1f71041d13b2b9e252e45be681cf556
SHA1 fd70d8c604be206097d5bc73569681cf4458a4b6
SHA256 f47d5ab3dbc3ad7ded2b3def0f95def0a87f82b93c3aac3e68af6b90a88f860c
SHA512 19b2d741c158c3ac867add6e6bcb813366a47176e3fe82316a304513811f42cf2e2f58ff2cc729c1fd3305bf49c8e6137c4b3aaf262d406a9ccbbeb27d3e9de3

C:\Windows\SysWOW64\Dhpiojfb.exe

MD5 77301211ab2ebfa48dde8f58ab87dd6f
SHA1 f1b218bb8d46272e088f412e87701bbdb51495c7
SHA256 d3b2a41b1bc228c01740a3510c971064a7630cf8efb09ddb08903b1d2c80e921
SHA512 2ca749f925dd02036bde1f9ff337615e4a0bd6388d2434e5b145f39256d94dfa308195cb8c9cef493935e4eebb3844e665d979992946105f2437d4d5e38956b2

C:\Windows\SysWOW64\Dogefd32.exe

MD5 782dc7d9c1b42fd111fd936af0856c4c
SHA1 7b3b85a41e858cd47784934a3fffe3819bc200f2
SHA256 8d4dc83047d9c1b51a116758d17c437e02257b2d49507a81835f86dcd405b598
SHA512 80b010bea33533f8915678bbdba2af8b8ea1fe30b8fea25fad4fa842632fec67dca32febbfe0f323faf32097d8304efa0aa5e0c53736ee786a1376694fb38365

C:\Windows\SysWOW64\Dlkepi32.exe

MD5 6c009d4d2a053db483df32b5cb579ffe
SHA1 99bddc0349756fb35c59424ffb4f5391507aaac8
SHA256 46e9202350c37ffd10115092423939622d8ee1b47ab0ca0b7ee132e4a1519b38
SHA512 43cd88bb193a0bb2e6d6262c5c9a7e21e443de740654e6846566f278472c46bc7d3e0075ba8f476fa9409d9322c06a23c49636872fb50f3f12c9bab7e4e86ca9

C:\Windows\SysWOW64\Dbhnhp32.exe

MD5 37ac7d0639452f7cac9ce6b0c0eaf081
SHA1 8fc927976b23f20f4ef70b3932a9dd9e3e22fd75
SHA256 f09315ed33fa3f577d6232a118923f36c6d1a852e7cd4b3efc7136665f894df4
SHA512 fc79af2dc0d55d4ab755633aa0cb695e49b9ffa6ecfc16044a1c13e2326443be1cdd151b5d2a32f4c6c57f7a9ff6eb983c0aae451d3b090916769527bd8d0a69

C:\Windows\SysWOW64\Ddgjdk32.exe

MD5 13cbf6f567e537efeaecac6ce292558d
SHA1 08ac2d62d7a2d3e20b2d9308193e2d2fc4f6a61c
SHA256 68391fdb5cb408f5a782fc54074a93f96f3ff697796fb48295516d4abb1d42bb
SHA512 b575291df5ed48657433e24d078c0d9743904a7fc291064145260ea1d449d46b590dd77a43c5be047e57b77b083c6f188af4fd17dd8fffb428cac1bf052783e0

C:\Windows\SysWOW64\Dnoomqbg.exe

MD5 089f98aff4b14d9ea9830905e3929e58
SHA1 83634f5f2a04c7912a0193ecfd5eb15cb6f345bc
SHA256 7d468007b778bc88a5b8dcae12473a0c38e773f10074dd874b513b02a8e3fb41
SHA512 e1059f2b73d51cdc8c8a5eaf9b49c719724847feccda0f6b9380072490f82eb72af2470907a3492289592fbba1fa621d99b28d213865277699149020f61cf8e3

C:\Windows\SysWOW64\Dggcffhg.exe

MD5 8c4f24dade34e94d86910d7ee4bf0e47
SHA1 5cc48efa31e39fbd97b24402a187934383d6c7f3
SHA256 9651f97cdb2ef225e9b2c791761354b616d622424a2caf113d946b5137384b97
SHA512 ff186df0458aa8429fe8dd1ea7f397ae243ce1c44928609b38ad208f87508de86724e2d63db5dce8cb2e4d7fea2fff68f14ea7513644eb3303a84dc84789423a

C:\Windows\SysWOW64\Dookgcij.exe

MD5 66dc9b781368011794be5c5ec4462023
SHA1 03ec3cde2191b552a7ca9edbc87c7e8fac7c7725
SHA256 936bef22607eb2460f7b0c39fb8fc932971abb8010827ecbd321c185e4e2881b
SHA512 df99de4f4f92fa024d304105efc74c9b35a35ada544e76a02f3aea5d2fcc3c89062dc8a51ebc690c81a16482ff881cd03da619cf7bb3a68c47831c2124dd7935

C:\Windows\SysWOW64\Ebmgcohn.exe

MD5 f98d2af53acc013fa1e990ae3719750a
SHA1 b0f08a5fc48ca39f4f0f076f285762c7dd46066c
SHA256 827bad801abc8ad7c033c1a398a5141bc2bf68dff7c67131f3bccf4b400c4ca5
SHA512 a2617613f90ba91748b6df47e734c2b70826365a85ac7ce198aef6338dfce4ddb1ac24882176c825eca5ef8b12cde1b9015d5059a533fb88693e378aa14c831e

C:\Windows\SysWOW64\Edkcojga.exe

MD5 a343b801e75ac6991d82ba13679935c7
SHA1 5dfd226b603c4248ec21c7369ed16bee4a0ba1cc
SHA256 3a0348d364fba9f04b899936efc1a64e8a4f0bbfd9c27ebe931c25628d41af3b
SHA512 62049b418b5aaa447d2aac8b7ccb762357f6e63be111db4757c9319ccce3a1b36ab9042e30eb34ec05173804f1ee139f719452f407d794f2f64d8ba66dd0ad60

C:\Windows\SysWOW64\Egjpkffe.exe

MD5 c3cfdf600bc4270518d859cdb53162b4
SHA1 72825de04b7842b6db43c9c8418e24cce8d334c6
SHA256 55bd7b870d9f9cb474b0573b8a6158a95f088186a3e85202af96e3d0e72e634c
SHA512 0b0df171e2e70a1f48823f00ce155cd148f9dffdd279d2862c0b76449565c886df41cc9b96e1dc134489d960567c195eef492d0088967ffe8280044938acc006

C:\Windows\SysWOW64\Endhhp32.exe

MD5 0170ad30155a60e74241ac6f5bdab73c
SHA1 cb460e8311f79142b81c407bfd12ac343675bc6c
SHA256 3544a55bb44e099a9fa213a8e6621c9cf532afefcd4c18741a7b03b5c7b45bb1
SHA512 39b87492dd83227bcee4d9393e0a385f9c0efb178d531dbda9a315aab7a686aef5b8f3b695c5bdd4846fc7e28ece57a4b344b51193ce4edd42c533f8699a4ab8

C:\Windows\SysWOW64\Eqbddk32.exe

MD5 0abaa1b41dcd2122f7418d8b58587ab6
SHA1 efed35f13ad6ff3449d442b5902f58bf5452771d
SHA256 aa2dfdb107f9f7f89a9f30998b4615554ae8f9c5cbfd34df8ead68bd34ebd929
SHA512 9b82f6530921b2be8134b8358c21838462d0a537065a5e5a6b2c858d54d0780ab49d57d7b260baef6cbd6277ce39212721949ac7cec92f6b0e55e03fd9816a51

C:\Windows\SysWOW64\Ekhhadmk.exe

MD5 30304da03aa0fb75428b46607cbcf4b6
SHA1 6b893fc13a14d24e9a4d41313206b42fc5acc967
SHA256 058e785265824137dcc39b7ef9e692f891040d720f7d2334d0a2ef4012705c4d
SHA512 3848528f033d2d496e05a90cc0c082edba3001702943db75d75177bf5a38352a3959d8e3af3ffa459757a634758e7631ab1971a9a5c0883bea7277774a5b5e80

C:\Windows\SysWOW64\Egoife32.exe

MD5 a694b83bc4c389db42a68202c793a5a9
SHA1 47dc6cd4c78e98dd1ec2b5f8ab712eaaf106c37f
SHA256 5493eb9eeeaa166690ec6217a23d80cd9c6c8783b2463a29f8cc71f5205bb5d2
SHA512 8e28ad2117bc251e2899ae773f68cd27da8785f834af79faf97a8d3119ca9269a14ac10d123b1d97e836b7863a04d080bdd7298a4f17bf104cfebfd18b1c80b6

C:\Windows\SysWOW64\Emkaol32.exe

MD5 e8bc09e006ec78241401e3eda3338d07
SHA1 aee4a1475d1b905f92b358448d0b7a9fdeea03c2
SHA256 817d18e01dccefc888b528b32216211da41db52bd7aa2121d2c0dfae68206b68
SHA512 2a7b4d0c92c70d98fe9b1293a2b536fabeb8cf95e6412b45411867faffc1b785ae05844af0408743dd02bd53f39c697cddc3b257ac938ccf5d69ae183ef4ff89

C:\Windows\SysWOW64\Eojnkg32.exe

MD5 c97162916f31cce1260960b8567ad53d
SHA1 486fdfdb54410a5b9b49cbbf77215186f373c974
SHA256 d224951ec4bf66e98ae8bf395bdb9e5e6b00e1e0575fe6c412cb793b702c4265
SHA512 68d21087a6be6f9865bfa76552abcf586fbfb449c86f503f6a45eabb27525016359e835ff8f2c2fdfaae6310f017e0d854988f56efd50352c26e8c92474735bd

C:\Windows\SysWOW64\Efcfga32.exe

MD5 6233cbb1b73d178e8d9ca19bef21dea5
SHA1 3f8b9dc9e75737c5f3c62657e08d41de41c4b497
SHA256 d6d072834e7f8cdd9516bf21cf26365f3808792edc0a5b1dd45eef6f429a3b81
SHA512 f9db9c5e78298d0a32c59147c879b07af8930558339b4742bf6a9491eb5510de06ccf9a54f109e09d11b65f7c67dfa63c6692f074e73f2044b064cfd61b86e19

C:\Windows\SysWOW64\Eibbcm32.exe

MD5 635d7de7173160947c0b72d83a740c5c
SHA1 a22a87c65824660af542eb57a36778bb75353f56
SHA256 f4545dc692b61b08c9a017af752a173ed16f9479eabb42f55d6558f11457efcf
SHA512 36d107cdbc47e183aab96f9a5b517736ab436e6dc5b23a367175369a60e210101b7e2f7530ec9ea87570f1c346768e6953dd901964b90cb32e54bb315b15f6f8

C:\Windows\SysWOW64\Eqijej32.exe

MD5 ab8d9e51a887111e996247c9f7c21c32
SHA1 c77fc5e0dbd57423a0032ac313b634838e73f8f2
SHA256 f9e37fdddf2905cb3447e5277acbc7cdce4a26483c55cee31e4934c7dc25aa07
SHA512 a5a3f57ec2cd3dabe746277aa16c7f2801cb6744da529663db79e53e8e40b3ee05fbb4d7ffa6020a8aa41f0868aa011c8570491e959dc14d59e16def65430513

C:\Windows\SysWOW64\Ebjglbml.exe

MD5 c81386ce154d15621b665aa0a5874bd7
SHA1 807377e87485dc48055e8d07d2a24e1681465bc0
SHA256 0656baea40719e1dd54337d3fbf7116f308b5a4330ddcaa25697770e18d7914b
SHA512 1937eeb5757321e75f46fd72d60eeb74a100cc7ff3be8a4426e7bf37a78fe7fd2fa735111cf7c9b8d1ac4c1c6e82969594b4af1ce50d8dc18847c84ef1fee87c

C:\Windows\SysWOW64\Fjaonpnn.exe

MD5 8e57399ba6fe86e6fd16467a4789975b
SHA1 7b36328cab82e049c94d49aa467441377015f740
SHA256 3bba334f13bbf38d91a679518ac8c8d4f8580bc1b28dc8654a8839fa5a32e3b6
SHA512 a3f652aa1d858c46840601ad74375165329a528b6353b706e0fa651a49b67c1f32d0e64acaa9e018a5265b2a1bfd5264d1a9a18497b77ea84e03a72c1184d7ad

C:\Windows\SysWOW64\Fkckeh32.exe

MD5 e13f4ef6e80c2faf37198f1b3dfd64da
SHA1 ec8e21a57113bceb92efe41e64371df259f00dcc
SHA256 aec8f7616c991e54237a94bce199150cf7c803ed59fbf6c0760cefa26a2cfd81
SHA512 9ac25300d1ad3bb2a03be41997f796dc04a24e05dcaae37de914308496847860a53f38eb3d0da27ed64910465dd0a85101cc0b90aa1029846fe6a2457874924a

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-31 15:53

Reported

2024-05-31 15:56

Platform

win10v2004-20240508-en

Max time kernel

137s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\37d26997c332454764b1c03854410400_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Oaplqh32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jbojlfdp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Mljmhflh.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ogekbb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eiekog32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Fqppci32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ahpmjejp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bdeiqgkj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jcanll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Pdmdnadc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Iimcma32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cpbjkn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fbplml32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cmpjoloh.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ckjbhmad.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dflfac32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Fihnomjp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lcdciiec.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Enkmfolf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Lhqefjpo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dgbanq32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bkaobnio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Eicedn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ljqhkckn.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ahaceo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hbhboolf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jblmgf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cpfmlghd.exe N/A

Executes dropped EXE


Drops file in System32 directory


Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Diqnjl32.exe

Modifies registry class


Suspicious use of WriteProcessMemory


Processes

C:\Users\Admin\AppData\Local\Temp\37d26997c332454764b1c03854410400_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\37d26997c332454764b1c03854410400_NeikiAnalytics.exe"


C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4232,i,1067197275908310731,12785105794523264014,262144 --variations-seed-version --mojo-platform-channel-handle=4404 /prefetch:8


C:\Windows\SysWOW64\Ockdmmoj.exe

C:\Windows\system32\Ockdmmoj.exe

C:\Windows\SysWOW64\Oqoefand.exe

C:\Windows\system32\Oqoefand.exe

C:\Windows\SysWOW64\Oflmnh32.exe

C:\Windows\system32\Oflmnh32.exe

C:\Windows\SysWOW64\Oikjkc32.exe

C:\Windows\system32\Oikjkc32.exe

C:\Windows\SysWOW64\Pbcncibp.exe

C:\Windows\system32\Pbcncibp.exe

C:\Windows\SysWOW64\Padnaq32.exe

C:\Windows\system32\Padnaq32.exe

C:\Windows\SysWOW64\Pcbkml32.exe

C:\Windows\system32\Pcbkml32.exe

C:\Windows\SysWOW64\Pmkofa32.exe

C:\Windows\system32\Pmkofa32.exe

C:\Windows\SysWOW64\Pcegclgp.exe

C:\Windows\system32\Pcegclgp.exe

C:\Windows\SysWOW64\Piapkbeg.exe

C:\Windows\system32\Piapkbeg.exe

C:\Windows\SysWOW64\Pcgdhkem.exe

C:\Windows\system32\Pcgdhkem.exe

C:\Windows\SysWOW64\Pidlqb32.exe

C:\Windows\system32\Pidlqb32.exe

C:\Windows\SysWOW64\Pjcikejg.exe

C:\Windows\system32\Pjcikejg.exe

C:\Windows\SysWOW64\Qmdblp32.exe

C:\Windows\system32\Qmdblp32.exe

C:\Windows\SysWOW64\Qcnjijoe.exe

C:\Windows\system32\Qcnjijoe.exe

C:\Windows\SysWOW64\Qikbaaml.exe

C:\Windows\system32\Qikbaaml.exe

C:\Windows\SysWOW64\Abcgjg32.exe

C:\Windows\system32\Abcgjg32.exe

C:\Windows\SysWOW64\Aimogakj.exe

C:\Windows\system32\Aimogakj.exe

C:\Windows\SysWOW64\Apggckbf.exe

C:\Windows\system32\Apggckbf.exe

C:\Windows\SysWOW64\Amkhmoap.exe

C:\Windows\system32\Amkhmoap.exe

C:\Windows\SysWOW64\Apjdikqd.exe

C:\Windows\system32\Apjdikqd.exe

C:\Windows\SysWOW64\Aaiqcnhg.exe

C:\Windows\system32\Aaiqcnhg.exe

C:\Windows\SysWOW64\Aidehpea.exe

C:\Windows\system32\Aidehpea.exe

C:\Windows\SysWOW64\Abmjqe32.exe

C:\Windows\system32\Abmjqe32.exe

C:\Windows\SysWOW64\Bdlfjh32.exe

C:\Windows\system32\Bdlfjh32.exe

C:\Windows\SysWOW64\Bpcgpihi.exe

C:\Windows\system32\Bpcgpihi.exe

C:\Windows\SysWOW64\Bfmolc32.exe

C:\Windows\system32\Bfmolc32.exe

C:\Windows\SysWOW64\Bpedeiff.exe

C:\Windows\system32\Bpedeiff.exe

C:\Windows\SysWOW64\Baepolni.exe

C:\Windows\system32\Baepolni.exe

C:\Windows\SysWOW64\Bmladm32.exe

C:\Windows\system32\Bmladm32.exe

C:\Windows\SysWOW64\Bdeiqgkj.exe

C:\Windows\system32\Bdeiqgkj.exe

C:\Windows\SysWOW64\Cajjjk32.exe

C:\Windows\system32\Cajjjk32.exe

C:\Windows\SysWOW64\Cmpjoloh.exe

C:\Windows\system32\Cmpjoloh.exe

C:\Windows\SysWOW64\Cdjblf32.exe

C:\Windows\system32\Cdjblf32.exe

C:\Windows\SysWOW64\Cmbgdl32.exe

C:\Windows\system32\Cmbgdl32.exe

C:\Windows\SysWOW64\Caqpkjcl.exe

C:\Windows\system32\Caqpkjcl.exe

C:\Windows\SysWOW64\Cpfmlghd.exe

C:\Windows\system32\Cpfmlghd.exe

C:\Windows\SysWOW64\Dinael32.exe

C:\Windows\system32\Dinael32.exe

C:\Windows\SysWOW64\Ddcebe32.exe

C:\Windows\system32\Ddcebe32.exe

C:\Windows\SysWOW64\Dgbanq32.exe

C:\Windows\system32\Dgbanq32.exe

C:\Windows\SysWOW64\Diqnjl32.exe

C:\Windows\system32\Diqnjl32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 12480 -ip 12480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 12480 -s 420

Network


Files

SHA1 24d56e1a03c2326d88c79bb8e2f87a914f9d7c14
SHA256 2a1ee4afdfd664847aa4836d1c1127f0a83564540a2585b1e914972ac662ccd6
SHA512 ae768ebab8baf8661e9aa2b899a53e1b0e4d3e292603e63c14ac65eedc7550843bb11135c193ab9defaa6bad06e67372e2a7a71b1680265fe3cc0bb95fb49c06

C:\Windows\SysWOW64\Dhphmj32.exe

MD5 1bcc68764e161ced445d15c982d9eed1
SHA1 80f9574d9665662a8c58513c89a842036f1fd379
SHA256 bf78428a248b7357536a6c996e6101e9e032ce32bddd9ffa43986633d070ad28
SHA512 13223e2d7f5c51a2450e83f41908af2be818cd913219b5d50884675c439a85baded5ecc0283cf1e406c0c65a34d1ab8c5afd7e9dea893a0ad9ba285cd000afcf

C:\Windows\SysWOW64\Ehlhih32.exe

MD5 78f7bb83907114394180f82821c57dba
SHA1 3852015f76bf6fdd45eebe39adebeb693a517e0f
SHA256 e31ca3dde7d324fb10b6a0a2f916ede2c21e863d7733967cef0580359c14d652
SHA512 ea1294bd5bca588e007e81ef0e977c3b01e984cb392fe300f42e9e155b767bebb0ece2740af13065bf9a91cd5f54e316f876ed400169ecfbda8b0eed08f9eb9d

C:\Windows\SysWOW64\Fiqjke32.exe

MD5 48686da9febf33ce83f7fbc43b79014e
SHA1 c6b3aa2900c06dbee619453d9ad506bef49eb6f3
SHA256 c9d5043e7cbca3d798a975dfa4734a1c4bebc3f48eb4803a578fa4b0ea9c4fa0
SHA512 7f429dfdb88ef8dada6c984a860e5113af4282532f6688dcfb223768f9a09b8c3f559bfc76c7426fbf4427ca04365dc56d8ba6a6d5d7968d8a2d3027fffb2f23

C:\Windows\SysWOW64\Gpmomo32.exe

MD5 fb90525ba9419eb78a907308d80f338a
SHA1 f5b883e8c2082fa30c9bbedb9d3d3cf0036c69d5
SHA256 41042721e2ed660a587e969cd90e49338bdb2784609a34e92a6b9888a21da38d
SHA512 8b58386cea4a4413a26d23840eb0331a29ca6e1520542988b5494394af7b905641987865eb5f918c927d9c0f75cf720de0ecbc53a1c66b9c743ec47ad3fc1160

C:\Windows\SysWOW64\Ggmmlamj.exe

MD5 ae8a94b17d4e57fa2535851d8043ca26
SHA1 e26806f0d95b3a3d22608da2b43e83cd82506cb5
SHA256 8eebe68effb49c3d1a6d1917a9927ba25151f39409d7d967321c70e113dac69e
SHA512 ae1246fbf978d9be2fb455288fe3e5cd53b199c01f815ab1676a24ec53b6be5531ef3ca0d68994a7823e9b0b8cbd797a485c3c8822e27e002f4ca42137ed2692

C:\Windows\SysWOW64\Hlmchoan.exe

MD5 0db9e35d5f7bcc1cb15deb2363250839
SHA1 b1eaa0225fba1d7773fbb72d8c123d975a2fa86c
SHA256 a7d3d1eb4696e86fbae585aa8b55945f38457917d65c89444fb0d8636b40c6e4
SHA512 6e01e3221bf665b216c446ba98215d394ad9ed9b42feeb77cb1b5656cc11601178049c681d515c5e165e54ad160c7a62d099b019ee4b81340d62f3dbadb4c3e3

C:\Windows\SysWOW64\Hpkknmgd.exe

MD5 0e52660ea72e04168d84e1883d49e360
SHA1 9fc1d1ac8f1541955f43b032a46baaf545803a6c
SHA256 8c13b4951ba0dd67c16cdbbd407f964c9e9eb289e2ce8d45e3a9e3e69e684fd9
SHA512 3f712291cdf1c5076b6009a90552ad665bae195ee702836ef40f51cd0c2e3aac24de74a597797b9acd379417f10a12ddbef68afa0fca16634af00e514541a67b

C:\Windows\SysWOW64\Hbldphde.exe

MD5 34046c79b55f4fd85129f4c02853ddb9
SHA1 9d8dc7abd61e4216ac21d74f06809bbdbed8d767
SHA256 4dd698cfaf22241aebe387d0b4a7e60111033bcc1366abe8feaa8e600bdff36b
SHA512 5e7d5ca6abf82116dafc29aeff6aeb76bc1b37283d9688642284283e0cdd5b6707fcbef519b44f91fac161586ca156ba5579f98405f1c602e7be584bb09f7786

C:\Windows\SysWOW64\Hbnaeh32.exe

MD5 0d3363e754b685f9142f8e2d4acd3e65
SHA1 3aece36df7b25a32c151ef5e32601744baafe25e
SHA256 2675f003ce1ce80bbda5b1a0627e18e960545a9469d75c2954cdc0c976485a49
SHA512 05e8eba044c296e52411b3d16138da8149dcb84dd7fcf51c368dd08729a281ac801fc830e32e0108e417f1ad8f4d51d187052d7c11c8dcc731ea57ad378b40ec

C:\Windows\SysWOW64\Ibqnkh32.exe

MD5 c03f393bbdec0ac9e51c911649bf1e35
SHA1 b07c3032ee619e7459a1686afb33f0b559a540a5
SHA256 f362ab2e596954ec17fe0fbc3cc01a57a757623801db3665908a0a91e0c0d9d6
SHA512 c73c3988c1676fa9392a6062e37fb4c3e951d8069d8a9b22a47c90318cbdd7a5231a95b84fd93479ae903943ca42bd45161994e6b1bda9253cd29033ca352d49

C:\Windows\SysWOW64\Ipgkjlmg.exe

MD5 bc290b9ca1be92a1e7fedf202754febf
SHA1 105a9f64005836624c9464cafe4d42f0a79c9f2f
SHA256 033b808e1b1640aef533124369225fcec25072d737641f9361028baa5aab4708
SHA512 cbf08ac7b083075974c87c75f28dd140d75176c49bbc3cfd93a3f1555d9f633d241c43bc674e200e205bd88700e52cc06c2fc5afd23021d226c5e81092110561

C:\Windows\SysWOW64\Jikoopij.exe

MD5 5a3139009c9aeb5b94187cd3ff659e4e
SHA1 46670fca95321843648ed1c547e14766aea0e44e
SHA256 b02ba97eb8f45cd4000f85015f7ab592f4cc73259200ded2720869ca25ba0254
SHA512 defbfdbf705ec4ae159d9ef4db6b2f4f9f9d2554e45b548ef371346ef33f3a0d696d0c558cee4ce121819e90aae52cbc23d23f15f4e4b5b97f2d2936963dd31f

C:\Windows\SysWOW64\Kapfiqoj.exe

MD5 59eaaf7c712cdcecdfd1bca28d6e74e5
SHA1 e336e1aa99bd9d8eed09d14090d7a5b9e05987bb
SHA256 1d1c7cb6f52539f59fa33b0f17286aeff4cdb05ff4f3bef4059e569a1867fa3a
SHA512 1f2278106418bf703dc9a7e7341941c062f3306bcf9b6d18b0d31dea4aea5414c42cfd1708166c531b88dabd69dcaa21241b1c088d19bfc0c4228ca3384153ce

C:\Windows\SysWOW64\Kcapicdj.exe

MD5 b98493aa5b63f59247ebc3fcf55a04c1
SHA1 814ea4b87984cc87f290a5d3deeead9d79ea0cb6
SHA256 bc2546b6ffbe715fd7fec92a01fd1e4192c0af9c8961ba0de095b8b328bd4f8d
SHA512 6a1c13d3f67cdebcb83bfa44b74b20bcda303ff590754749836533af80a140a3984a651271116deb7767bd273347b2adcbd8297b00de96b1695c783f26e1aa68

C:\Windows\SysWOW64\Lhqefjpo.exe

MD5 a7f3c56e262830b24903f184fe28ae05
SHA1 d991f27866e3deacb71f683b81c842ac6eb00afa
SHA256 d96d1942a40bd0c7f6c7b4c5704baadf2948c0a8c33e7a9d7c44c097d44344f8
SHA512 5943d6370503d0544f7f7561445c2579144695fb2bd3b7b70d905aef58d365ad2692ac47dc1bb78dc3138fd58245816d46cee5f5524c70f2c92207dc1dbee6d9

C:\Windows\SysWOW64\Ljbnfleo.exe

MD5 e2d135ba8889f259f5884b5c6288ddaf
SHA1 3180312d12f34f87287f4f210472187c50a5d7f5
SHA256 ecb12e0a6e7d939675b4fe3304c56c6fdb0b3fe771ae7d7730d36e104910495d
SHA512 2c45b13287982c7b2e3bf125f401b5d260f3b382287d59b2052867c2d61677cabd7ee91cd687713cc19687862fa7bacb38fe45a66f8dd9b095f1f1307c60c512

C:\Windows\SysWOW64\Ljdkll32.exe

MD5 30e3f9ccbe6ccf1c544caca787d87fb7
SHA1 c229ce352bd0e768322e416cf2fef27c3ba3634f
SHA256 845796e2f9271365381c590988d29f914f1eb62f47d298566a6688c2c80882f3
SHA512 43d6ea525baee80a9b4c074616cbcc52e78eb2ad32c0e1cc1c5db96e63d7fa1c6d41d964f43bcf028760e75c289b9f66ee4c9e33a8a59c0732daacf43110f1dc

C:\Windows\SysWOW64\Mcaipa32.exe

MD5 175ee2a76b584255698a3525f01d6f46
SHA1 b52c3fd19a4e096b09b37918f98f95aee8037cc8
SHA256 233f2310904e318583f5eeb73615edbce35fe41ec8dc8079daaef86e8924d2f8
SHA512 a8caa909e3b4ce0c68a0213d3ef59d4a94c503790ea99b7c4f3eb5e3cc23666113160a05c9aad472c09d41d8938d7dd3f306b88fd06e3b50132b2464fda350bf

C:\Windows\SysWOW64\Mljmhflh.exe

MD5 241d214c23c89de2a96bd4c3e1dc3e95
SHA1 12fb8c15e2ec8b60eeeb49ca167e82b4b4c87226
SHA256 71074f7b27844ecdbbcfde05024320feb8b384f4bb791693b2d4eb485f20075a
SHA512 d99323325714c3f3c6656a43d9a058a2e4e74f6eb0534f644536452be929b822521f9b61fe29e14a9da9659c65a48d59b80047d5b11ade0fcc780fbea033e668

C:\Windows\SysWOW64\Nbphglbe.exe

MD5 ae11323ce3fda2b59ecf44ecb3d7e758
SHA1 d8515171508979d0d9e59fd9ccf8407ac1806f12
SHA256 d20e13151f0b2e1e7f56c19ca0bf289d16e97b9df7f2cb91fd3e660423406152
SHA512 8d9413659436b5cbbcb1f92f4ee389711150bf42566006b7a699c5e7b0a4e434a03979d2aa1a205f4ea9a9498cbba6499676a036b7b021a5a776194d74a2f762

C:\Windows\SysWOW64\Nimmifgo.exe

MD5 294610d74affb25c88835d22c6397a65
SHA1 919ae200097b34314eb65f284e634a6a5fb96bac
SHA256 4a8c298e9beb2c7531a20c66de2ee3d48c5a5d1af20df652a0cd3f85f6e6e873
SHA512 9428f6d18e4e02f87ce7580c5f4513092e3ec3f0fa14a827ecebb7e9e0cfceef96a0a94fc5e752f05283ee8c5744903e3180d2793fb1f3c0a80910627022bb8e

C:\Windows\SysWOW64\Oiagde32.exe

MD5 8a6aa6aa6edb8e739a7f716babd893fd
SHA1 748aa3458f31af9ca31bff0f8a2a0cbe404e93c7
SHA256 cf0b33cf68348cb0e3aaf83c7422ab0ae6b26a88f37541062f7d0f486ac3bfe8
SHA512 1027ba2382f9e7f6a2b2c5cf2749488d5c789b7dda11a9eaec43b52dfcc10e0f0ab87565449bc5d284236db299e54717a5992e22240be312737c1ba35f3c08f3

C:\Windows\SysWOW64\Pbcncibp.exe

MD5 32b55c7d6f320535566997431e78c63f
SHA1 a5443e07bf596714e2fcb3e911786ff5a04b84ec
SHA256 d099bd8d214d5f94a532e659cf1db68881fdf071ae461e3671f704c35eba1ffc
SHA512 47e629f95fff12fc0c605c62619220c8b17e10001c4c7ae91d88907c6ab8e753d4e063f635baba7f40c69453a17c307c1809e7b8d5b030c2dd4be0ff95facca2

C:\Windows\SysWOW64\Pcgdhkem.exe

MD5 4fe4c56732a25947ad3302079188076d
SHA1 7fbb2ad06d5e52fc08e40b7a9f989b16ccc36c65
SHA256 88c99e05af61909c18b2035656f0090ed54a24675149d57a1e6ba16459dee312
SHA512 c46e15aa03eddcc2133197e4f89486a2d344e4373b23a4cf56b69f3d76f389910854800c8cf9f0d721d237fd957f11f8368baf24ea4178ca4686cb86db7c362f

C:\Windows\SysWOW64\Amkhmoap.exe

MD5 9602ba04e32527667e42f5d1c7846dd5
SHA1 464a1fd491afb4da5ade15193943123a79de4d8b
SHA256 dbe6ff0deb1839565af2f9381932d75afb19d9ee07c7f5a75d11a42cf6c0c57d
SHA512 6d57fd744edd04d81937469e270d914348eb8d8a65589b9aff3557c29ef4196672d5cf77e6ae4991a839a06d4fdcdcad42d92352b18f13dc307da4a491e79386

C:\Windows\SysWOW64\Abmjqe32.exe

MD5 a4f5ac71081172f504e02080293af467
SHA1 eee32cf539299c7cb54fd657b48074a0ed09e6e1
SHA256 86ac4fc037226579086285ca0ddfdc8153a8c813b2f4fb9cee64ac43af225fbe
SHA512 be5674a2e5fcbade7948f2796edbad7e9d97196b61867e53a7fed208f89b641eb174291845b3448bd13ce947a648c785ee42d61b7e66226c333125b8a8de0a41

C:\Windows\SysWOW64\Cmbgdl32.exe

MD5 97acdfd0083d01d960ebb5cb4a19a07f
SHA1 1dfcaadbc820c84ce6f925cd4bb7d8bae5af00e6
SHA256 dbc237ca7e8e924731fde1ffd0cf79b3dd3bbac8f2861f00df4ab0fe013b1dc9
SHA512 f203e70a6b07c62ce89cf6a72a08cc94e193a8ad1420d61c95907152a81c80b851879cb19311123385af32e19407e4025b5c97a4045224d0b7cfb778c02a27ba

C:\Windows\SysWOW64\Dinael32.exe

MD5 7eaa00808fe4160e99a74eb9b3b7cdc9
SHA1 f4c6a26e6052a0d2d21c9e95e13c57a08eaa5f10
SHA256 24715dbe017f0f0e7ff01829ecf35ebc6b91b60952adfe01ae44a5c00127c058
SHA512 87c9c03a0b726fd774541a9f1c29ab23cedc9e4325699ee0b76dfb5f3b210c46f59664399f7b577cebaeab47375dbf4317190c94067f3f31ea9eff660707e3ec