Malware Analysis Report

2024-10-16 04:30

Sample ID: 240602-an7gyacb2s
Target: 12c8ab088c0a5626aa61cd1d662acae0_NeikiAnalytics.exe
SHA256: 3ce0c6860a5b9ec98829dbf79b84c7d253562bdb3c2bfad220ac0fc927c49ce7
Tags: backdoor trojan dropper berbew persistence
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 3ce0c6860a5b9ec98829dbf79b84c7d253562bdb3c2bfad220ac0fc927c49ce7

Threat Level: Known bad

The file 12c8ab088c0a5626aa61cd1d662acae0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

backdoor trojan dropper berbew persistence

Berbew family

Malware Dropper & Backdoor - Berbew

Adds autorun key to be loaded by Explorer.exe on startup

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-06-02 00:22

Signatures

Berbew family

berbew

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-02 00:22

Reported: 2024-06-02 00:25

Platform: win7-20240419-en

Max time kernel: 118s

Max time network: 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\12c8ab088c0a5626aa61cd1d662acae0_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Loapim32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ckdjbh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ffkcbgek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ampqjm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Chemfl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Gangic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hggomh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Emcbkn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Gldkfl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Loapim32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Llnfaffc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Naikkk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Admemg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Alhjai32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Chemfl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Flmefm32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cpjiajeb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dhmcfkme.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fbdqmghm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Fjlhneio.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\12c8ab088c0a5626aa61cd1d662acae0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nccjhafn.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ocomlemo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ahakmf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ffbicfoc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cgbdhd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Nkaocp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Paggai32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Abmibdlh.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bkfjhd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jancafna.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Onphoo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dbpodagk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ieqeidnl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Faokjpfd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cciemedf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gaemjbcg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Onphoo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ofpfnqjp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Abmibdlh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bcaomf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Njgldmdc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ogjimd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ckdjbh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dngoibmo.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pbpjiphi.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fnbkddem.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gangic32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qbbfopeg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aenbdoii.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dhmcfkme.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Elmigj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hicodd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nnplpl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Pchpbded.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ampqjm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ckignd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fiaeoang.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nkaocp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ajbdna32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Epdkli32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Epfhbign.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bpfcgg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Mepnpj32.exe N/A

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Iqimgc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ijdnehci.exe N/A
N/A N/A C:\Windows\SysWOW64\Ikggbpgd.exe N/A
N/A N/A C:\Windows\SysWOW64\Jagmpg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jklanp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jancafna.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbalnnam.exe N/A
N/A N/A C:\Windows\SysWOW64\Kmimafop.exe N/A
N/A N/A C:\Windows\SysWOW64\Kibjkgca.exe N/A
N/A N/A C:\Windows\SysWOW64\Lhggmchi.exe N/A
N/A N/A C:\Windows\SysWOW64\Loapim32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lekhfgfc.exe N/A
N/A N/A C:\Windows\SysWOW64\Lhjdbcef.exe N/A
N/A N/A C:\Windows\SysWOW64\Llnfaffc.exe N/A
N/A N/A C:\Windows\SysWOW64\Mcmhiojk.exe N/A
N/A N/A C:\Windows\SysWOW64\Madapkmp.exe N/A
N/A N/A C:\Windows\SysWOW64\Mepnpj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Naikkk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nkaocp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnplpl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nghphaeo.exe N/A
N/A N/A C:\Windows\SysWOW64\Njgldmdc.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbdnoo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nccjhafn.exe N/A
N/A N/A C:\Windows\SysWOW64\Okoomd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Onmkio32.exe N/A
N/A N/A C:\Windows\SysWOW64\Onphoo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Odjpkihg.exe N/A
N/A N/A C:\Windows\SysWOW64\Ocomlemo.exe N/A
N/A N/A C:\Windows\SysWOW64\Ogjimd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofpfnqjp.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojkboo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Paggai32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pcfcmd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pchpbded.exe N/A
N/A N/A C:\Windows\SysWOW64\Pbkpna32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pelipl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pbpjiphi.exe N/A
N/A N/A C:\Windows\SysWOW64\Penfelgm.exe N/A
N/A N/A C:\Windows\SysWOW64\Qbbfopeg.exe N/A
N/A N/A C:\Windows\SysWOW64\Qecoqk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahakmf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajbdna32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ampqjm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Abmibdlh.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajdadamj.exe N/A
N/A N/A C:\Windows\SysWOW64\Admemg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aenbdoii.exe N/A
N/A N/A C:\Windows\SysWOW64\Alhjai32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aoffmd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aepojo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bpfcgg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bingpmnl.exe N/A
N/A N/A C:\Windows\SysWOW64\Bokphdld.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhcdaibd.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkaqmeah.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdjefj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkdmcdoe.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnbjopoi.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdlblj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhhnli32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkfjhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bcaomf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckignd32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c8ab088c0a5626aa61cd1d662acae0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12c8ab088c0a5626aa61cd1d662acae0_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\SysWOW64\Iqimgc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iqimgc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ijdnehci.exe N/A
N/A N/A C:\Windows\SysWOW64\Ijdnehci.exe N/A
N/A N/A C:\Windows\SysWOW64\Ikggbpgd.exe N/A
N/A N/A C:\Windows\SysWOW64\Ikggbpgd.exe N/A
N/A N/A C:\Windows\SysWOW64\Jagmpg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jagmpg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jklanp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jklanp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jancafna.exe N/A
N/A N/A C:\Windows\SysWOW64\Jancafna.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbalnnam.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbalnnam.exe N/A
N/A N/A C:\Windows\SysWOW64\Kmimafop.exe N/A
N/A N/A C:\Windows\SysWOW64\Kmimafop.exe N/A
N/A N/A C:\Windows\SysWOW64\Kibjkgca.exe N/A
N/A N/A C:\Windows\SysWOW64\Kibjkgca.exe N/A
N/A N/A C:\Windows\SysWOW64\Lhggmchi.exe N/A
N/A N/A C:\Windows\SysWOW64\Lhggmchi.exe N/A
N/A N/A C:\Windows\SysWOW64\Loapim32.exe N/A
N/A N/A C:\Windows\SysWOW64\Loapim32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lekhfgfc.exe N/A
N/A N/A C:\Windows\SysWOW64\Lekhfgfc.exe N/A
N/A N/A C:\Windows\SysWOW64\Lhjdbcef.exe N/A
N/A N/A C:\Windows\SysWOW64\Lhjdbcef.exe N/A
N/A N/A C:\Windows\SysWOW64\Llnfaffc.exe N/A
N/A N/A C:\Windows\SysWOW64\Llnfaffc.exe N/A
N/A N/A C:\Windows\SysWOW64\Mcmhiojk.exe N/A
N/A N/A C:\Windows\SysWOW64\Mcmhiojk.exe N/A
N/A N/A C:\Windows\SysWOW64\Madapkmp.exe N/A
N/A N/A C:\Windows\SysWOW64\Madapkmp.exe N/A
N/A N/A C:\Windows\SysWOW64\Mepnpj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mepnpj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Naikkk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Naikkk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nkaocp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nkaocp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnplpl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnplpl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nghphaeo.exe N/A
N/A N/A C:\Windows\SysWOW64\Nghphaeo.exe N/A
N/A N/A C:\Windows\SysWOW64\Njgldmdc.exe N/A
N/A N/A C:\Windows\SysWOW64\Njgldmdc.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbdnoo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbdnoo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nccjhafn.exe N/A
N/A N/A C:\Windows\SysWOW64\Nccjhafn.exe N/A
N/A N/A C:\Windows\SysWOW64\Okoomd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Okoomd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Onmkio32.exe N/A
N/A N/A C:\Windows\SysWOW64\Onmkio32.exe N/A
N/A N/A C:\Windows\SysWOW64\Onphoo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Onphoo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Odjpkihg.exe N/A
N/A N/A C:\Windows\SysWOW64\Odjpkihg.exe N/A
N/A N/A C:\Windows\SysWOW64\Ocomlemo.exe N/A
N/A N/A C:\Windows\SysWOW64\Ocomlemo.exe N/A
N/A N/A C:\Windows\SysWOW64\Ogjimd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ogjimd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofpfnqjp.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofpfnqjp.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Njdfjjia.dll C:\Windows\SysWOW64\Ocomlemo.exe N/A
File created C:\Windows\SysWOW64\Gobgcg32.exe C:\Windows\SysWOW64\Gldkfl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dbbkja32.exe C:\Windows\SysWOW64\Dngoibmo.exe N/A
File created C:\Windows\SysWOW64\Ghgobd32.dll C:\Windows\SysWOW64\Loapim32.exe N/A
File created C:\Windows\SysWOW64\Clphjpmh.dll C:\Windows\SysWOW64\Filldb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jancafna.exe C:\Windows\SysWOW64\Jklanp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ocomlemo.exe C:\Windows\SysWOW64\Odjpkihg.exe N/A
File created C:\Windows\SysWOW64\Cllpkl32.exe C:\Windows\SysWOW64\Cfbhnaho.exe N/A
File opened for modification C:\Windows\SysWOW64\Cpjiajeb.exe C:\Windows\SysWOW64\Chcqpmep.exe N/A
File created C:\Windows\SysWOW64\Ojkboo32.exe C:\Windows\SysWOW64\Ofpfnqjp.exe N/A
File created C:\Windows\SysWOW64\Ihomanac.dll C:\Windows\SysWOW64\Bkaqmeah.exe N/A
File opened for modification C:\Windows\SysWOW64\Epdkli32.exe C:\Windows\SysWOW64\Emeopn32.exe N/A
File created C:\Windows\SysWOW64\Gcaciakh.dll C:\Windows\SysWOW64\Ggpimica.exe N/A
File created C:\Windows\SysWOW64\Eiikjj32.dll C:\Windows\SysWOW64\Kbalnnam.exe N/A
File created C:\Windows\SysWOW64\Ampqjm32.exe C:\Windows\SysWOW64\Ajbdna32.exe N/A
File created C:\Windows\SysWOW64\Lanfmb32.dll C:\Windows\SysWOW64\Epfhbign.exe N/A
File created C:\Windows\SysWOW64\Mepnpj32.exe C:\Windows\SysWOW64\Madapkmp.exe N/A
File created C:\Windows\SysWOW64\Kedlancd.dll C:\Windows\SysWOW64\Nccjhafn.exe N/A
File opened for modification C:\Windows\SysWOW64\Bkfjhd32.exe C:\Windows\SysWOW64\Bhhnli32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ikggbpgd.exe C:\Windows\SysWOW64\Ijdnehci.exe N/A
File opened for modification C:\Windows\SysWOW64\Dkkpbgli.exe C:\Windows\SysWOW64\Dhmcfkme.exe N/A
File created C:\Windows\SysWOW64\Ajbdna32.exe C:\Windows\SysWOW64\Ahakmf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Emeopn32.exe C:\Windows\SysWOW64\Epaogi32.exe N/A
File created C:\Windows\SysWOW64\Cqmnhocj.dll C:\Windows\SysWOW64\Fhffaj32.exe N/A
File created C:\Windows\SysWOW64\Gqpnhgek.dll C:\Windows\SysWOW64\Odjpkihg.exe N/A
File created C:\Windows\SysWOW64\Pmddhkao.dll C:\Windows\SysWOW64\Bpfcgg32.exe N/A
File created C:\Windows\SysWOW64\Ikggbpgd.exe C:\Windows\SysWOW64\Ijdnehci.exe N/A
File created C:\Windows\SysWOW64\Bkaqmeah.exe C:\Windows\SysWOW64\Bhcdaibd.exe N/A
File created C:\Windows\SysWOW64\Gjenmobn.dll C:\Windows\SysWOW64\Iknnbklc.exe N/A
File created C:\Windows\SysWOW64\Ajdadamj.exe C:\Windows\SysWOW64\Abmibdlh.exe N/A
File created C:\Windows\SysWOW64\Opanhd32.dll C:\Windows\SysWOW64\Bhcdaibd.exe N/A
File created C:\Windows\SysWOW64\Mocaac32.dll C:\Windows\SysWOW64\Bkdmcdoe.exe N/A
File created C:\Windows\SysWOW64\Pkjapnke.dll C:\Windows\SysWOW64\Dngoibmo.exe N/A
File created C:\Windows\SysWOW64\Oecbjjic.dll C:\Windows\SysWOW64\Fiaeoang.exe N/A
File created C:\Windows\SysWOW64\Gldkfl32.exe C:\Windows\SysWOW64\Gangic32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hobcak32.exe C:\Windows\SysWOW64\Hlcgeo32.exe N/A
File created C:\Windows\SysWOW64\Naikkk32.exe C:\Windows\SysWOW64\Mepnpj32.exe N/A
File created C:\Windows\SysWOW64\Ckignd32.exe C:\Windows\SysWOW64\Bcaomf32.exe N/A
File created C:\Windows\SysWOW64\Fkahhbbj.dll C:\Windows\SysWOW64\Dkkpbgli.exe N/A
File opened for modification C:\Windows\SysWOW64\Iagfoe32.exe C:\Windows\SysWOW64\Iknnbklc.exe N/A
File created C:\Windows\SysWOW64\Cfbhnaho.exe C:\Windows\SysWOW64\Ckignd32.exe N/A
File created C:\Windows\SysWOW64\Epaogi32.exe C:\Windows\SysWOW64\Emcbkn32.exe N/A
File created C:\Windows\SysWOW64\Ppiflaho.dll C:\Windows\SysWOW64\Iqimgc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lhjdbcef.exe C:\Windows\SysWOW64\Lekhfgfc.exe N/A
File created C:\Windows\SysWOW64\Ildamhjd.dll C:\Windows\SysWOW64\Nnplpl32.exe N/A
File created C:\Windows\SysWOW64\Dkmmhf32.exe C:\Windows\SysWOW64\Dcfdgiid.exe N/A
File created C:\Windows\SysWOW64\Olndbg32.dll C:\Windows\SysWOW64\Fnbkddem.exe N/A
File opened for modification C:\Windows\SysWOW64\Nghphaeo.exe C:\Windows\SysWOW64\Nnplpl32.exe N/A
File created C:\Windows\SysWOW64\Liqebf32.dll C:\Windows\SysWOW64\Hhjhkq32.exe N/A
File created C:\Windows\SysWOW64\Hokefmej.dll C:\Windows\SysWOW64\Ajbdna32.exe N/A
File created C:\Windows\SysWOW64\Iklefg32.dll C:\Windows\SysWOW64\Abmibdlh.exe N/A
File created C:\Windows\SysWOW64\Fjlhneio.exe C:\Windows\SysWOW64\Fbdqmghm.exe N/A
File created C:\Windows\SysWOW64\Nkaocp32.exe C:\Windows\SysWOW64\Naikkk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gaemjbcg.exe C:\Windows\SysWOW64\Ggpimica.exe N/A
File created C:\Windows\SysWOW64\Lhcecp32.dll C:\Windows\SysWOW64\Ampqjm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bdlblj32.exe C:\Windows\SysWOW64\Bnbjopoi.exe N/A
File opened for modification C:\Windows\SysWOW64\Dfgmhd32.exe C:\Windows\SysWOW64\Dchali32.exe N/A
File created C:\Windows\SysWOW64\Elmigj32.exe C:\Windows\SysWOW64\Eiomkn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ebinic32.exe C:\Windows\SysWOW64\Eloemi32.exe N/A
File created C:\Windows\SysWOW64\Bokphdld.exe C:\Windows\SysWOW64\Bingpmnl.exe N/A
File created C:\Windows\SysWOW64\Cbolpc32.dll C:\Windows\SysWOW64\Dflkdp32.exe N/A
File created C:\Windows\SysWOW64\Epgnljad.dll C:\Windows\SysWOW64\Dcfdgiid.exe N/A
File opened for modification C:\Windows\SysWOW64\Paggai32.exe C:\Windows\SysWOW64\Ojkboo32.exe N/A
File created C:\Windows\SysWOW64\Penfelgm.exe C:\Windows\SysWOW64\Pbpjiphi.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Iagfoe32.exe

Modifies registry class

The CLSID written here, {79FAA099-1BAE-816E-D711-115290CEE717}, is the same one registered as "Web Event Logger" under ShellServiceObjectDelayLoad above; its InProcServer32 default value is set to a dropped DLL in SysWOW64, which is what Explorer.exe loads at startup.

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dchali32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikkbnm32.dll" C:\Windows\SysWOW64\Fdoclk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fbdqmghm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Gicbeald.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Kmimafop.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Lekhfgfc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lekhfgfc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgocalod.dll" C:\Windows\SysWOW64\Lhjdbcef.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Hobcak32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pbkpna32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hicodd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cckace32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epafjqck.dll" C:\Windows\SysWOW64\Emcbkn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Gobgcg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Aenbdoii.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Bpfcgg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qahefm32.dll" C:\Windows\SysWOW64\Gicbeald.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jklanp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ampqjm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dnlidb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hggomh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jancafna.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chhpdp32.dll" C:\Windows\SysWOW64\Gldkfl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Febhomkh.dll" C:\Windows\SysWOW64\Gaqcoc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiikjj32.dll" C:\Windows\SysWOW64\Kbalnnam.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Onphoo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pbpjiphi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Fhffaj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fiaeoang.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Penfelgm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Bingpmnl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Eloemi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnmgmhmc.dll" C:\Windows\SysWOW64\Fjlhneio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiabof32.dll" C:\Windows\SysWOW64\Bcaomf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dbpodagk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\12c8ab088c0a5626aa61cd1d662acae0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fonfbi32.dll" C:\Windows\SysWOW64\Naikkk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gooqhm32.dll" C:\Windows\SysWOW64\Okoomd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ealffeej.dll" C:\Windows\SysWOW64\Pbkpna32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gangic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gaqcoc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ieqeidnl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jagbha32.dll" C:\Windows\SysWOW64\Mepnpj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lphhoacd.dll" C:\Windows\SysWOW64\Onmkio32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niifne32.dll" C:\Windows\SysWOW64\Chhjkl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Epfhbign.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Negbaime.dll" C:\Windows\SysWOW64\Llnfaffc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjchc32.dll" C:\Windows\SysWOW64\Flmefm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbmkg32.dll" C:\Windows\SysWOW64\Ffbicfoc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liqebf32.dll" C:\Windows\SysWOW64\Hhjhkq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ikggbpgd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkkndnka.dll" C:\Windows\SysWOW64\Lhggmchi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dnlidb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gomjhjmm.dll" C:\Windows\SysWOW64\Ikggbpgd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkaggelk.dll" C:\Windows\SysWOW64\Dfgmhd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dfgmhd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Odjpkihg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Alhjai32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hlcgeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmjcmjd.dll" C:\Windows\SysWOW64\Hkkalk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Penfelgm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opanhd32.dll" C:\Windows\SysWOW64\Bhcdaibd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obneof32.dll" C:\Windows\SysWOW64\Nkaocp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Bcaomf32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2188 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\12c8ab088c0a5626aa61cd1d662acae0_NeikiAnalytics.exe C:\Windows\SysWOW64\Iqimgc32.exe
PID 2188 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\12c8ab088c0a5626aa61cd1d662acae0_NeikiAnalytics.exe C:\Windows\SysWOW64\Iqimgc32.exe
PID 2188 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\12c8ab088c0a5626aa61cd1d662acae0_NeikiAnalytics.exe C:\Windows\SysWOW64\Iqimgc32.exe
PID 2188 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\12c8ab088c0a5626aa61cd1d662acae0_NeikiAnalytics.exe C:\Windows\SysWOW64\Iqimgc32.exe
PID 2984 wrote to memory of 2000 N/A C:\Windows\SysWOW64\Iqimgc32.exe C:\Windows\SysWOW64\Ijdnehci.exe
PID 2984 wrote to memory of 2000 N/A C:\Windows\SysWOW64\Iqimgc32.exe C:\Windows\SysWOW64\Ijdnehci.exe
PID 2984 wrote to memory of 2000 N/A C:\Windows\SysWOW64\Iqimgc32.exe C:\Windows\SysWOW64\Ijdnehci.exe
PID 2984 wrote to memory of 2000 N/A C:\Windows\SysWOW64\Iqimgc32.exe C:\Windows\SysWOW64\Ijdnehci.exe
PID 2000 wrote to memory of 2680 N/A C:\Windows\SysWOW64\Ijdnehci.exe C:\Windows\SysWOW64\Ikggbpgd.exe
PID 2000 wrote to memory of 2680 N/A C:\Windows\SysWOW64\Ijdnehci.exe C:\Windows\SysWOW64\Ikggbpgd.exe
PID 2000 wrote to memory of 2680 N/A C:\Windows\SysWOW64\Ijdnehci.exe C:\Windows\SysWOW64\Ikggbpgd.exe
PID 2000 wrote to memory of 2680 N/A C:\Windows\SysWOW64\Ijdnehci.exe C:\Windows\SysWOW64\Ikggbpgd.exe
PID 2680 wrote to memory of 2612 N/A C:\Windows\SysWOW64\Ikggbpgd.exe C:\Windows\SysWOW64\Jagmpg32.exe
PID 2680 wrote to memory of 2612 N/A C:\Windows\SysWOW64\Ikggbpgd.exe C:\Windows\SysWOW64\Jagmpg32.exe
PID 2680 wrote to memory of 2612 N/A C:\Windows\SysWOW64\Ikggbpgd.exe C:\Windows\SysWOW64\Jagmpg32.exe
PID 2680 wrote to memory of 2612 N/A C:\Windows\SysWOW64\Ikggbpgd.exe C:\Windows\SysWOW64\Jagmpg32.exe
PID 2612 wrote to memory of 2736 N/A C:\Windows\SysWOW64\Jagmpg32.exe C:\Windows\SysWOW64\Jklanp32.exe
PID 2612 wrote to memory of 2736 N/A C:\Windows\SysWOW64\Jagmpg32.exe C:\Windows\SysWOW64\Jklanp32.exe
PID 2612 wrote to memory of 2736 N/A C:\Windows\SysWOW64\Jagmpg32.exe C:\Windows\SysWOW64\Jklanp32.exe
PID 2612 wrote to memory of 2736 N/A C:\Windows\SysWOW64\Jagmpg32.exe C:\Windows\SysWOW64\Jklanp32.exe
PID 2736 wrote to memory of 2696 N/A C:\Windows\SysWOW64\Jklanp32.exe C:\Windows\SysWOW64\Jancafna.exe
PID 2736 wrote to memory of 2696 N/A C:\Windows\SysWOW64\Jklanp32.exe C:\Windows\SysWOW64\Jancafna.exe
PID 2736 wrote to memory of 2696 N/A C:\Windows\SysWOW64\Jklanp32.exe C:\Windows\SysWOW64\Jancafna.exe
PID 2736 wrote to memory of 2696 N/A C:\Windows\SysWOW64\Jklanp32.exe C:\Windows\SysWOW64\Jancafna.exe
PID 2696 wrote to memory of 2120 N/A C:\Windows\SysWOW64\Jancafna.exe C:\Windows\SysWOW64\Kbalnnam.exe
PID 2696 wrote to memory of 2120 N/A C:\Windows\SysWOW64\Jancafna.exe C:\Windows\SysWOW64\Kbalnnam.exe
PID 2696 wrote to memory of 2120 N/A C:\Windows\SysWOW64\Jancafna.exe C:\Windows\SysWOW64\Kbalnnam.exe
PID 2696 wrote to memory of 2120 N/A C:\Windows\SysWOW64\Jancafna.exe C:\Windows\SysWOW64\Kbalnnam.exe
PID 2120 wrote to memory of 1560 N/A C:\Windows\SysWOW64\Kbalnnam.exe C:\Windows\SysWOW64\Kmimafop.exe
PID 2120 wrote to memory of 1560 N/A C:\Windows\SysWOW64\Kbalnnam.exe C:\Windows\SysWOW64\Kmimafop.exe
PID 2120 wrote to memory of 1560 N/A C:\Windows\SysWOW64\Kbalnnam.exe C:\Windows\SysWOW64\Kmimafop.exe
PID 2120 wrote to memory of 1560 N/A C:\Windows\SysWOW64\Kbalnnam.exe C:\Windows\SysWOW64\Kmimafop.exe
PID 1560 wrote to memory of 2460 N/A C:\Windows\SysWOW64\Kmimafop.exe C:\Windows\SysWOW64\Kibjkgca.exe
PID 1560 wrote to memory of 2460 N/A C:\Windows\SysWOW64\Kmimafop.exe C:\Windows\SysWOW64\Kibjkgca.exe
PID 1560 wrote to memory of 2460 N/A C:\Windows\SysWOW64\Kmimafop.exe C:\Windows\SysWOW64\Kibjkgca.exe
PID 1560 wrote to memory of 2460 N/A C:\Windows\SysWOW64\Kmimafop.exe C:\Windows\SysWOW64\Kibjkgca.exe
PID 2460 wrote to memory of 1248 N/A C:\Windows\SysWOW64\Kibjkgca.exe C:\Windows\SysWOW64\Lhggmchi.exe
PID 2460 wrote to memory of 1248 N/A C:\Windows\SysWOW64\Kibjkgca.exe C:\Windows\SysWOW64\Lhggmchi.exe
PID 2460 wrote to memory of 1248 N/A C:\Windows\SysWOW64\Kibjkgca.exe C:\Windows\SysWOW64\Lhggmchi.exe
PID 2460 wrote to memory of 1248 N/A C:\Windows\SysWOW64\Kibjkgca.exe C:\Windows\SysWOW64\Lhggmchi.exe
PID 1248 wrote to memory of 2280 N/A C:\Windows\SysWOW64\Lhggmchi.exe C:\Windows\SysWOW64\Loapim32.exe
PID 1248 wrote to memory of 2280 N/A C:\Windows\SysWOW64\Lhggmchi.exe C:\Windows\SysWOW64\Loapim32.exe
PID 1248 wrote to memory of 2280 N/A C:\Windows\SysWOW64\Lhggmchi.exe C:\Windows\SysWOW64\Loapim32.exe
PID 1248 wrote to memory of 2280 N/A C:\Windows\SysWOW64\Lhggmchi.exe C:\Windows\SysWOW64\Loapim32.exe
PID 2280 wrote to memory of 2108 N/A C:\Windows\SysWOW64\Loapim32.exe C:\Windows\SysWOW64\Lekhfgfc.exe
PID 2280 wrote to memory of 2108 N/A C:\Windows\SysWOW64\Loapim32.exe C:\Windows\SysWOW64\Lekhfgfc.exe
PID 2280 wrote to memory of 2108 N/A C:\Windows\SysWOW64\Loapim32.exe C:\Windows\SysWOW64\Lekhfgfc.exe
PID 2280 wrote to memory of 2108 N/A C:\Windows\SysWOW64\Loapim32.exe C:\Windows\SysWOW64\Lekhfgfc.exe
PID 2108 wrote to memory of 1748 N/A C:\Windows\SysWOW64\Lekhfgfc.exe C:\Windows\SysWOW64\Lhjdbcef.exe
PID 2108 wrote to memory of 1748 N/A C:\Windows\SysWOW64\Lekhfgfc.exe C:\Windows\SysWOW64\Lhjdbcef.exe
PID 2108 wrote to memory of 1748 N/A C:\Windows\SysWOW64\Lekhfgfc.exe C:\Windows\SysWOW64\Lhjdbcef.exe
PID 2108 wrote to memory of 1748 N/A C:\Windows\SysWOW64\Lekhfgfc.exe C:\Windows\SysWOW64\Lhjdbcef.exe
PID 1748 wrote to memory of 1192 N/A C:\Windows\SysWOW64\Lhjdbcef.exe C:\Windows\SysWOW64\Llnfaffc.exe
PID 1748 wrote to memory of 1192 N/A C:\Windows\SysWOW64\Lhjdbcef.exe C:\Windows\SysWOW64\Llnfaffc.exe
PID 1748 wrote to memory of 1192 N/A C:\Windows\SysWOW64\Lhjdbcef.exe C:\Windows\SysWOW64\Llnfaffc.exe
PID 1748 wrote to memory of 1192 N/A C:\Windows\SysWOW64\Lhjdbcef.exe C:\Windows\SysWOW64\Llnfaffc.exe
PID 1192 wrote to memory of 2800 N/A C:\Windows\SysWOW64\Llnfaffc.exe C:\Windows\SysWOW64\Mcmhiojk.exe
PID 1192 wrote to memory of 2800 N/A C:\Windows\SysWOW64\Llnfaffc.exe C:\Windows\SysWOW64\Mcmhiojk.exe
PID 1192 wrote to memory of 2800 N/A C:\Windows\SysWOW64\Llnfaffc.exe C:\Windows\SysWOW64\Mcmhiojk.exe
PID 1192 wrote to memory of 2800 N/A C:\Windows\SysWOW64\Llnfaffc.exe C:\Windows\SysWOW64\Mcmhiojk.exe
PID 2800 wrote to memory of 772 N/A C:\Windows\SysWOW64\Mcmhiojk.exe C:\Windows\SysWOW64\Madapkmp.exe
PID 2800 wrote to memory of 772 N/A C:\Windows\SysWOW64\Mcmhiojk.exe C:\Windows\SysWOW64\Madapkmp.exe
PID 2800 wrote to memory of 772 N/A C:\Windows\SysWOW64\Mcmhiojk.exe C:\Windows\SysWOW64\Madapkmp.exe
PID 2800 wrote to memory of 772 N/A C:\Windows\SysWOW64\Mcmhiojk.exe C:\Windows\SysWOW64\Madapkmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\12c8ab088c0a5626aa61cd1d662acae0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\12c8ab088c0a5626aa61cd1d662acae0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Iqimgc32.exe

C:\Windows\system32\Iqimgc32.exe

C:\Windows\SysWOW64\Ijdnehci.exe

C:\Windows\system32\Ijdnehci.exe

C:\Windows\SysWOW64\Ikggbpgd.exe

C:\Windows\system32\Ikggbpgd.exe

C:\Windows\SysWOW64\Jagmpg32.exe

C:\Windows\system32\Jagmpg32.exe

C:\Windows\SysWOW64\Jklanp32.exe

C:\Windows\system32\Jklanp32.exe

C:\Windows\SysWOW64\Jancafna.exe

C:\Windows\system32\Jancafna.exe

C:\Windows\SysWOW64\Kbalnnam.exe

C:\Windows\system32\Kbalnnam.exe

C:\Windows\SysWOW64\Kmimafop.exe

C:\Windows\system32\Kmimafop.exe

C:\Windows\SysWOW64\Kibjkgca.exe

C:\Windows\system32\Kibjkgca.exe

C:\Windows\SysWOW64\Lhggmchi.exe

C:\Windows\system32\Lhggmchi.exe

C:\Windows\SysWOW64\Loapim32.exe

C:\Windows\system32\Loapim32.exe

C:\Windows\SysWOW64\Lekhfgfc.exe

C:\Windows\system32\Lekhfgfc.exe

C:\Windows\SysWOW64\Lhjdbcef.exe

C:\Windows\system32\Lhjdbcef.exe

C:\Windows\SysWOW64\Llnfaffc.exe

C:\Windows\system32\Llnfaffc.exe

C:\Windows\SysWOW64\Mcmhiojk.exe

C:\Windows\system32\Mcmhiojk.exe

C:\Windows\SysWOW64\Madapkmp.exe

C:\Windows\system32\Madapkmp.exe

C:\Windows\SysWOW64\Mepnpj32.exe

C:\Windows\system32\Mepnpj32.exe

C:\Windows\SysWOW64\Naikkk32.exe

C:\Windows\system32\Naikkk32.exe

C:\Windows\SysWOW64\Nkaocp32.exe

C:\Windows\system32\Nkaocp32.exe

C:\Windows\SysWOW64\Nnplpl32.exe

C:\Windows\system32\Nnplpl32.exe

C:\Windows\SysWOW64\Nghphaeo.exe

C:\Windows\system32\Nghphaeo.exe

C:\Windows\SysWOW64\Njgldmdc.exe

C:\Windows\system32\Njgldmdc.exe

C:\Windows\SysWOW64\Nbdnoo32.exe

C:\Windows\system32\Nbdnoo32.exe

C:\Windows\SysWOW64\Nccjhafn.exe

C:\Windows\system32\Nccjhafn.exe

C:\Windows\SysWOW64\Okoomd32.exe

C:\Windows\system32\Okoomd32.exe

C:\Windows\SysWOW64\Onmkio32.exe

C:\Windows\system32\Onmkio32.exe

C:\Windows\SysWOW64\Onphoo32.exe

C:\Windows\system32\Onphoo32.exe

C:\Windows\SysWOW64\Odjpkihg.exe

C:\Windows\system32\Odjpkihg.exe

C:\Windows\SysWOW64\Ocomlemo.exe

C:\Windows\system32\Ocomlemo.exe

C:\Windows\SysWOW64\Ogjimd32.exe

C:\Windows\system32\Ogjimd32.exe

C:\Windows\SysWOW64\Ofpfnqjp.exe

C:\Windows\system32\Ofpfnqjp.exe

C:\Windows\SysWOW64\Ojkboo32.exe

C:\Windows\system32\Ojkboo32.exe

C:\Windows\SysWOW64\Paggai32.exe

C:\Windows\system32\Paggai32.exe

C:\Windows\SysWOW64\Pcfcmd32.exe

C:\Windows\system32\Pcfcmd32.exe

C:\Windows\SysWOW64\Pchpbded.exe

C:\Windows\system32\Pchpbded.exe

C:\Windows\SysWOW64\Pbkpna32.exe

C:\Windows\system32\Pbkpna32.exe

C:\Windows\SysWOW64\Pelipl32.exe

C:\Windows\system32\Pelipl32.exe

C:\Windows\SysWOW64\Pbpjiphi.exe

C:\Windows\system32\Pbpjiphi.exe

C:\Windows\SysWOW64\Penfelgm.exe

C:\Windows\system32\Penfelgm.exe

C:\Windows\SysWOW64\Qbbfopeg.exe

C:\Windows\system32\Qbbfopeg.exe

C:\Windows\SysWOW64\Qecoqk32.exe

C:\Windows\system32\Qecoqk32.exe

C:\Windows\SysWOW64\Ahakmf32.exe

C:\Windows\system32\Ahakmf32.exe

C:\Windows\SysWOW64\Ajbdna32.exe

C:\Windows\system32\Ajbdna32.exe

C:\Windows\SysWOW64\Ampqjm32.exe

C:\Windows\system32\Ampqjm32.exe

C:\Windows\SysWOW64\Abmibdlh.exe

C:\Windows\system32\Abmibdlh.exe

C:\Windows\SysWOW64\Ajdadamj.exe

C:\Windows\system32\Ajdadamj.exe

C:\Windows\SysWOW64\Admemg32.exe

C:\Windows\system32\Admemg32.exe

C:\Windows\SysWOW64\Aenbdoii.exe

C:\Windows\system32\Aenbdoii.exe

C:\Windows\SysWOW64\Alhjai32.exe

C:\Windows\system32\Alhjai32.exe

C:\Windows\SysWOW64\Aoffmd32.exe

C:\Windows\system32\Aoffmd32.exe

C:\Windows\SysWOW64\Aepojo32.exe

C:\Windows\system32\Aepojo32.exe

C:\Windows\SysWOW64\Bpfcgg32.exe

C:\Windows\system32\Bpfcgg32.exe

C:\Windows\SysWOW64\Bingpmnl.exe

C:\Windows\system32\Bingpmnl.exe

C:\Windows\SysWOW64\Bokphdld.exe

C:\Windows\system32\Bokphdld.exe

C:\Windows\SysWOW64\Bhcdaibd.exe

C:\Windows\system32\Bhcdaibd.exe

C:\Windows\SysWOW64\Bkaqmeah.exe

C:\Windows\system32\Bkaqmeah.exe

C:\Windows\SysWOW64\Bdjefj32.exe

C:\Windows\system32\Bdjefj32.exe

C:\Windows\SysWOW64\Bkdmcdoe.exe

C:\Windows\system32\Bkdmcdoe.exe

C:\Windows\SysWOW64\Bnbjopoi.exe

C:\Windows\system32\Bnbjopoi.exe

C:\Windows\SysWOW64\Bdlblj32.exe

C:\Windows\system32\Bdlblj32.exe

C:\Windows\SysWOW64\Bhhnli32.exe

C:\Windows\system32\Bhhnli32.exe

C:\Windows\SysWOW64\Bkfjhd32.exe

C:\Windows\system32\Bkfjhd32.exe

C:\Windows\SysWOW64\Bcaomf32.exe

C:\Windows\system32\Bcaomf32.exe

C:\Windows\SysWOW64\Ckignd32.exe

C:\Windows\system32\Ckignd32.exe

C:\Windows\SysWOW64\Cfbhnaho.exe

C:\Windows\system32\Cfbhnaho.exe

C:\Windows\SysWOW64\Cllpkl32.exe

C:\Windows\system32\Cllpkl32.exe

C:\Windows\SysWOW64\Cgbdhd32.exe

C:\Windows\system32\Cgbdhd32.exe

C:\Windows\SysWOW64\Chcqpmep.exe

C:\Windows\system32\Chcqpmep.exe

C:\Windows\SysWOW64\Cpjiajeb.exe

C:\Windows\system32\Cpjiajeb.exe

C:\Windows\SysWOW64\Cciemedf.exe

C:\Windows\system32\Cciemedf.exe

C:\Windows\SysWOW64\Chemfl32.exe

C:\Windows\system32\Chemfl32.exe

C:\Windows\SysWOW64\Ckdjbh32.exe

C:\Windows\system32\Ckdjbh32.exe

C:\Windows\SysWOW64\Cckace32.exe

C:\Windows\system32\Cckace32.exe

C:\Windows\SysWOW64\Cfinoq32.exe

C:\Windows\system32\Cfinoq32.exe

C:\Windows\SysWOW64\Chhjkl32.exe

C:\Windows\system32\Chhjkl32.exe

C:\Windows\SysWOW64\Dbpodagk.exe

C:\Windows\system32\Dbpodagk.exe

C:\Windows\SysWOW64\Dflkdp32.exe

C:\Windows\system32\Dflkdp32.exe

C:\Windows\SysWOW64\Dngoibmo.exe

C:\Windows\system32\Dngoibmo.exe

C:\Windows\SysWOW64\Dbbkja32.exe

C:\Windows\system32\Dbbkja32.exe

C:\Windows\SysWOW64\Dhmcfkme.exe

C:\Windows\system32\Dhmcfkme.exe

C:\Windows\SysWOW64\Dkkpbgli.exe

C:\Windows\system32\Dkkpbgli.exe

C:\Windows\SysWOW64\Dcfdgiid.exe

C:\Windows\system32\Dcfdgiid.exe

C:\Windows\SysWOW64\Dkmmhf32.exe

C:\Windows\system32\Dkmmhf32.exe

C:\Windows\SysWOW64\Dnlidb32.exe

C:\Windows\system32\Dnlidb32.exe

C:\Windows\SysWOW64\Dqjepm32.exe

C:\Windows\system32\Dqjepm32.exe

C:\Windows\SysWOW64\Dchali32.exe

C:\Windows\system32\Dchali32.exe

C:\Windows\SysWOW64\Dfgmhd32.exe

C:\Windows\system32\Dfgmhd32.exe

C:\Windows\SysWOW64\Dgfjbgmh.exe

C:\Windows\system32\Dgfjbgmh.exe

C:\Windows\SysWOW64\Djefobmk.exe

C:\Windows\system32\Djefobmk.exe

C:\Windows\SysWOW64\Emcbkn32.exe

C:\Windows\system32\Emcbkn32.exe

C:\Windows\SysWOW64\Epaogi32.exe

C:\Windows\system32\Epaogi32.exe

C:\Windows\SysWOW64\Emeopn32.exe

C:\Windows\system32\Emeopn32.exe

C:\Windows\SysWOW64\Epdkli32.exe

C:\Windows\system32\Epdkli32.exe

C:\Windows\SysWOW64\Efncicpm.exe

C:\Windows\system32\Efncicpm.exe

C:\Windows\SysWOW64\Eilpeooq.exe

C:\Windows\system32\Eilpeooq.exe

C:\Windows\SysWOW64\Epfhbign.exe

C:\Windows\system32\Epfhbign.exe

C:\Windows\SysWOW64\Eiomkn32.exe

C:\Windows\system32\Eiomkn32.exe

C:\Windows\SysWOW64\Elmigj32.exe

C:\Windows\system32\Elmigj32.exe

C:\Windows\SysWOW64\Eeempocb.exe

C:\Windows\system32\Eeempocb.exe

C:\Windows\SysWOW64\Eloemi32.exe

C:\Windows\system32\Eloemi32.exe

C:\Windows\SysWOW64\Ebinic32.exe

C:\Windows\system32\Ebinic32.exe

C:\Windows\SysWOW64\Fhffaj32.exe

C:\Windows\system32\Fhffaj32.exe

C:\Windows\SysWOW64\Faokjpfd.exe

C:\Windows\system32\Faokjpfd.exe

C:\Windows\SysWOW64\Ffkcbgek.exe

C:\Windows\system32\Ffkcbgek.exe

C:\Windows\SysWOW64\Fnbkddem.exe

C:\Windows\system32\Fnbkddem.exe

C:\Windows\SysWOW64\Fdoclk32.exe

C:\Windows\system32\Fdoclk32.exe

C:\Windows\SysWOW64\Fhkpmjln.exe

C:\Windows\system32\Fhkpmjln.exe

C:\Windows\SysWOW64\Filldb32.exe

C:\Windows\system32\Filldb32.exe

C:\Windows\SysWOW64\Fbdqmghm.exe

C:\Windows\system32\Fbdqmghm.exe

C:\Windows\SysWOW64\Fjlhneio.exe

C:\Windows\system32\Fjlhneio.exe

C:\Windows\SysWOW64\Flmefm32.exe

C:\Windows\system32\Flmefm32.exe

C:\Windows\SysWOW64\Ffbicfoc.exe

C:\Windows\system32\Ffbicfoc.exe

C:\Windows\SysWOW64\Fiaeoang.exe

C:\Windows\system32\Fiaeoang.exe

C:\Windows\SysWOW64\Gonnhhln.exe

C:\Windows\system32\Gonnhhln.exe

C:\Windows\SysWOW64\Gicbeald.exe

C:\Windows\system32\Gicbeald.exe

C:\Windows\SysWOW64\Gbkgnfbd.exe

C:\Windows\system32\Gbkgnfbd.exe

C:\Windows\SysWOW64\Gangic32.exe

C:\Windows\system32\Gangic32.exe

C:\Windows\SysWOW64\Gldkfl32.exe

C:\Windows\system32\Gldkfl32.exe

C:\Windows\SysWOW64\Gobgcg32.exe

C:\Windows\system32\Gobgcg32.exe

C:\Windows\SysWOW64\Gaqcoc32.exe

C:\Windows\system32\Gaqcoc32.exe

C:\Windows\SysWOW64\Gmgdddmq.exe

C:\Windows\system32\Gmgdddmq.exe

C:\Windows\SysWOW64\Gdamqndn.exe

C:\Windows\system32\Gdamqndn.exe

C:\Windows\SysWOW64\Ggpimica.exe

C:\Windows\system32\Ggpimica.exe

C:\Windows\SysWOW64\Gaemjbcg.exe

C:\Windows\system32\Gaemjbcg.exe

C:\Windows\SysWOW64\Ghoegl32.exe

C:\Windows\system32\Ghoegl32.exe

C:\Windows\SysWOW64\Hpkjko32.exe

C:\Windows\system32\Hpkjko32.exe

C:\Windows\SysWOW64\Hicodd32.exe

C:\Windows\system32\Hicodd32.exe

C:\Windows\SysWOW64\Hdhbam32.exe

C:\Windows\system32\Hdhbam32.exe

C:\Windows\SysWOW64\Hggomh32.exe

C:\Windows\system32\Hggomh32.exe

C:\Windows\SysWOW64\Hlcgeo32.exe

C:\Windows\system32\Hlcgeo32.exe

C:\Windows\SysWOW64\Hobcak32.exe

C:\Windows\system32\Hobcak32.exe

C:\Windows\SysWOW64\Hgilchkf.exe

C:\Windows\system32\Hgilchkf.exe

C:\Windows\SysWOW64\Hhjhkq32.exe

C:\Windows\system32\Hhjhkq32.exe

C:\Windows\SysWOW64\Hodpgjha.exe

C:\Windows\system32\Hodpgjha.exe

C:\Windows\SysWOW64\Hjjddchg.exe

C:\Windows\system32\Hjjddchg.exe

C:\Windows\SysWOW64\Hkkalk32.exe

C:\Windows\system32\Hkkalk32.exe

C:\Windows\SysWOW64\Ieqeidnl.exe

C:\Windows\system32\Ieqeidnl.exe

C:\Windows\SysWOW64\Iknnbklc.exe

C:\Windows\system32\Iknnbklc.exe

C:\Windows\SysWOW64\Iagfoe32.exe

C:\Windows\system32\Iagfoe32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 140

Network

N/A

Files


C:\Windows\SysWOW64\Onmkio32.exe

MD5 4dbc56f90b275f3a3a862f1cd6cc44cd
SHA1 90caa540178342db41aaa2b24886f869ff3964ee
SHA256 cfdeedce1f2706fc6e298db2edb2e048470e87f81fe42389d551fcd143d5deb2
SHA512 a5482b0093403c31232f90e21a8b84ddc351a4648020eb77347db43beb4db801a736d189fcdbab04ae760cba1c24fb16ae7da75ee94fc6180ca0d255947302f1

C:\Windows\SysWOW64\Onphoo32.exe

MD5 a848ca49b23ca27100aa7e406467e022
SHA1 abc8795f56ae0bc5ff77f2603e47e2a5634ee187
SHA256 7630f8aea8b9b68bff0b3302a0f4e40f2409fd751d142818ff29c4902299d90e
SHA512 9f11677ac23f1ec1019f0c66b69f6877754deffd0552c0ac8be71a831e09733224a2959d8ac443f25ea6b7fc94ab8912b40ef73dcd35fb3f2acc1a36206bbe4e

memory/880-328-0x0000000000450000-0x0000000000493000-memory.dmp

memory/880-327-0x0000000000450000-0x0000000000493000-memory.dmp

memory/2156-329-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Odjpkihg.exe

MD5 78f39ad09c96163508707a2dadb16199
SHA1 564ebe3b49775693139260ed92adefab4765991f
SHA256 a788005fa78b91acd42828d4687cb7053d83a56b683993fb77b5587cab0942fb
SHA512 34aab06a6958d7105de1e701ebee5133ec702bcd0aa9cfbc4deeafa45faa74909c1a543312a075113be51835837098b3c2eb6e183a382bb58fc90ba3a6517256

memory/2752-340-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2156-339-0x0000000000250000-0x0000000000293000-memory.dmp

memory/2156-338-0x0000000000250000-0x0000000000293000-memory.dmp

C:\Windows\SysWOW64\Ocomlemo.exe

MD5 8b1bb585c6d3f4f1f305451d9dfbceb7
SHA1 f67ace7727ef7219a6953d476cdd0fd812f17f4c
SHA256 a2728da0a30b5bbf153598cf28099d007afe4da431ae6fcaf871edb4f1295aa9
SHA512 0a759d7e92f2ae7481188676461c2a1310bfe1282c62c6e1071cfcdc27a2135c34be21143ff5685312796959c27315225cc2b89e3910f5cf4844101625b9faa7

memory/2432-355-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2752-354-0x0000000000290000-0x00000000002D3000-memory.dmp

memory/2752-353-0x0000000000290000-0x00000000002D3000-memory.dmp

memory/2432-357-0x00000000003B0000-0x00000000003F3000-memory.dmp

C:\Windows\SysWOW64\Ogjimd32.exe

MD5 9b7e057ca34f869d275f4217fd9763a5
SHA1 1d206c5d1373935e5c1d35fb71c281b3c3151930
SHA256 813d1870154c2e0e2739b6281c050de0b17a83d352ee609ae5cdfda56cdee560
SHA512 8ae249b7d3e2ed9e1834eceb3f4dd7aa53ace6b15dfcf8f7a9c6d0c07e142631cb204a438a5b315c966b94e69d7bec1e6b0d561acbc14c96a216afe17880a45d

memory/2352-362-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2432-361-0x00000000003B0000-0x00000000003F3000-memory.dmp

C:\Windows\SysWOW64\Ofpfnqjp.exe

MD5 941073ec1f2dc1db1f6466017890d087
SHA1 49116a6800099b0be8d591088271d530d7409e4d
SHA256 0dbfef91140fe149447a24547b2080b11d1166f5fc7174b4a4da29f52403b076
SHA512 14a3fea9e874c84c027f99cea950d5446e8e19f89922256ab2f429359a7703c1690a404de51aa2a368873ffdda090415eb4a408ea84a05fcdf0850ee5e3b58f1

memory/2488-376-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2352-375-0x0000000000250000-0x0000000000293000-memory.dmp

memory/2352-374-0x0000000000250000-0x0000000000293000-memory.dmp

memory/2488-379-0x00000000002A0000-0x00000000002E3000-memory.dmp

C:\Windows\SysWOW64\Ojkboo32.exe

MD5 20149c54aca760dab48306bcfd822a53
SHA1 39797ee1571069c102066e69c597eac1eb8f87f7
SHA256 949580ca7bc34d611907536d8965f3bb672ab7a6a9a1a42c6d479f57421a2096
SHA512 70ede4db46203da6b9e3df77254fe84b72c6241352c8a2a531512945746bc96f34268181bca56639a76a8345214eb617218cb0825e4d21025387b3e0722b47a8

memory/2040-384-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2488-383-0x00000000002A0000-0x00000000002E3000-memory.dmp

memory/2040-390-0x00000000002D0000-0x0000000000313000-memory.dmp

C:\Windows\SysWOW64\Paggai32.exe

MD5 05676d6c5c450ff8196c14076f65e327
SHA1 54de3837d548464093a33b4acaaa0a76c78abd8a
SHA256 b45a3cb51335c7c8c5e4d04edc07b9f3da8c3b57e27f1ace122c8d0675ec469c
SHA512 142adf72c6fd1a27a95383a45db11fce41428c2f92bc56490b4defd2358c3393ca456f8e4fe788f80b3ddeaa9e9d243f764e8b5ef1ddee013f7107e805fe8232

memory/2484-395-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2040-394-0x00000000002D0000-0x0000000000313000-memory.dmp

C:\Windows\SysWOW64\Pcfcmd32.exe

MD5 a211a95265e61761f67ee1e0118105e0
SHA1 f1e9dce35d1963c0f12a45cd1e7dd41b15667663
SHA256 f062fc7267c23ef69efa81283d6641420e703b507ef21375f8daf880a8299eda
SHA512 ce12e45b7cfa2799ded66fd3048ade14e7c24cfe8de760d6eaa0abaf0af345a991d494a7aa74415d4bba0c7fc45ce5f500977545a9269343665357023617a183

memory/2116-406-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2484-405-0x0000000000250000-0x0000000000293000-memory.dmp

memory/2484-404-0x0000000000250000-0x0000000000293000-memory.dmp

C:\Windows\SysWOW64\Pchpbded.exe

MD5 b60f579bb07aeb5f97b498c85a29ff49
SHA1 d0fb049a73e10119ba4801244020e846a70bf8d6
SHA256 991f420e1a0df80ff56eaa718c4024e6b96cca7868efd337547dcd98c61e30bd
SHA512 531234b2c54e7e541e80ccbde5077562f506e25eac045d6e8e9bbf82a51921917981339e75019b83843effddc1bf2440d2ceb1cb965ea2562bc1e5b7784c2df7

memory/2932-420-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Pbkpna32.exe

MD5 2df944c2e9bd98536b0174d7c1daf282
SHA1 35069e7fd6c1a1ae05047569c29803f9e5919b47
SHA256 f6f6b0ea9c2808459d4b5de4fd22e9c8cba7152c06c66a5bd81a39235646fb6b
SHA512 64ea04a8de0e3192b472e673c412f7b9dca93c81229a54971fcd91bd2aea67fa89276ee9bee5ec3ef8006bb38ec60e5cd601a7b5541362fae2fcaf3a2a6ea990

memory/2540-428-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2932-427-0x00000000002D0000-0x0000000000313000-memory.dmp

memory/2932-423-0x00000000002D0000-0x0000000000313000-memory.dmp

memory/2116-419-0x0000000000250000-0x0000000000293000-memory.dmp

memory/2116-418-0x0000000000250000-0x0000000000293000-memory.dmp

memory/2540-438-0x0000000000450000-0x0000000000493000-memory.dmp

memory/2540-437-0x0000000000450000-0x0000000000493000-memory.dmp

C:\Windows\SysWOW64\Pelipl32.exe

MD5 7f69bee72989a9a0c50c07d5248d0f51
SHA1 10f0137d31dfbf7454560043137b72431f9d301c
SHA256 69f2cf431101e5853421ee2727852adb257b86cf1b70c3b5a070fca695db1687
SHA512 5d6ddb8c413d05368fe334e58c744f92992d8c22d93b3fcd920eda93281ea8f38b69f0df5776825f162f30d51b283b58ba4e48e377c4726fd9d2f5c66d02a2b0

memory/2808-439-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Pbpjiphi.exe

MD5 9d9ef59dc98ef9b50ef2002a2a94d1d9
SHA1 159bbcdd78325a22b3cf7d2742256bc183f2a741
SHA256 4b803c62faf1f3b331be9f234833c1ac87e672a9de16642b91e7aa2db852448f
SHA512 6cec0a56dc11e1f281c7481db1f04df2b4854a4ac136a19b3b4abd70fc1123212a74308ad637e8bd0cc4c1d0314618d4637a693eeb81e83e246494a001b48469

memory/2756-454-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2808-453-0x0000000000280000-0x00000000002C3000-memory.dmp

memory/2808-452-0x0000000000280000-0x00000000002C3000-memory.dmp

memory/2756-456-0x0000000000450000-0x0000000000493000-memory.dmp

C:\Windows\SysWOW64\Penfelgm.exe

MD5 58b1f388d07e3ab395a997052aa07ebf
SHA1 2e64186e2e1fa5a9bb54abffd826747d20b2556d
SHA256 dd845c6dc7d61f2cdf986a7fe89925e94fb7e38995040079dbca7d600333f879
SHA512 a1d57f899d2280021041a3db3f1999fb55273bf4fc4027522670c3757c0e7fcb8752143b4c9836ae4d11fc64e619690be87e9a77b2679aa79f8a570784fa3025

memory/2756-460-0x0000000000450000-0x0000000000493000-memory.dmp

C:\Windows\SysWOW64\Qbbfopeg.exe

MD5 b9770eba253909440d7d5904d16ce1e1
SHA1 1fdb8dda73c423e007c825a2b4c66df50313ff2b
SHA256 b842c26fbaa062c14e65a1e2d8577337aeb8d2551b73e1a4d2e236229db31975
SHA512 287904c87ec85a9729e5fa28d7907f7703e5f6b5ac825ebc7bbfa5aab659421a4b3117cbdf43c3d649af8ef8e115122792801efa61f59833bb5c412452eea02e

memory/1800-471-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2520-470-0x00000000002E0000-0x0000000000323000-memory.dmp

memory/2520-469-0x00000000002E0000-0x0000000000323000-memory.dmp

C:\Windows\SysWOW64\Qecoqk32.exe

MD5 3031eafa2595ac5916f1c77c7c25c983
SHA1 856e9e252893ce5a435b02424c6fb56ef5b02d19
SHA256 041ba3d7b85ef831e0905614dc5a886213f5438d0872753ff622b3e9083e3d2a
SHA512 3dc31e09ce9a332bb70ccc8f438f7143fd46378ad1b8c1cbb331843997af314979c18d8c3af49300920a6f87335edcfa823eb625159ac97a3c7f8481c40c9ca1

memory/1372-486-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1800-485-0x0000000000250000-0x0000000000293000-memory.dmp

memory/1800-484-0x0000000000250000-0x0000000000293000-memory.dmp

memory/1372-488-0x0000000000250000-0x0000000000293000-memory.dmp

C:\Windows\SysWOW64\Ahakmf32.exe

MD5 5adbf6c7916e88fd6836ef73148f1c17
SHA1 1934bb949d37a657cf3217af59a6951fe609bd48
SHA256 624a0e71ebb6752a6dfd8edb4bf0a1a7ae4822f31da89e3534365085515b7908
SHA512 8f4ccb361bf6e1441aaf29c76c18c3c22a66adac5855c165760b6cf9a39f67f187a7d3a0d7eed792a399fe8d721ef0f233fab68d9d433a4a26b4f1c72d40e61b

memory/2212-493-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1372-492-0x0000000000250000-0x0000000000293000-memory.dmp

memory/2212-499-0x0000000000250000-0x0000000000293000-memory.dmp

C:\Windows\SysWOW64\Ajbdna32.exe

MD5 89810af93f69f7b0da489ad693c1e244
SHA1 93a572fe1c21cff33392bb80da5c40b905794d31
SHA256 b774dbc6c1b3e94a009eab8f367a92fa8b8cbee768c2909a2ac5a2d2834e5b92
SHA512 cad20bf967fd0da845d18ba5b6b8471e117ac4f715e2a9c979f3dd75539cffac4e9438d9d51617009571a80730fb3876ec6518ff141dd4fe3d74e1b85b12a87b

memory/2212-503-0x0000000000250000-0x0000000000293000-memory.dmp

C:\Windows\SysWOW64\Ampqjm32.exe

MD5 500011204c6e66887f292a24dc2742b5
SHA1 4e82167cf7361620f650098885a78f961c4c5769
SHA256 bd3969af3657e5ea526120068dfbf6af347fd6719daf2b5c75f512ce75e26c72
SHA512 ea3871d58c9fc85f948a9331713399acfb4bc1dbefb415aa6c74a3e5089495a820ec77a39b4a80a77182b1f1e28333edae43bf2d48aee7878002c90f44897a78

C:\Windows\SysWOW64\Abmibdlh.exe

MD5 d250c421cb7313889d5ea3525f92a5f5
SHA1 c8a9d159a80c69d72de3c943f027f3f54423f426
SHA256 50eb4be0f4d641a7fdd37978456a9facabd240c9d1178ea428ae5693fc692179
SHA512 50b138fce3b439065b3a929953aa066443859dff8d65b63661bbaa5fdfe90067304d358d7761f69f7c583718dbc6250b4386301d7ba031684d1c40f4f50bc4b6

C:\Windows\SysWOW64\Ajdadamj.exe

MD5 9cef19615a010a2f0e8466be36e187e1
SHA1 681e284b4b8acb1cbd9f1b7f77ca1be4831d3da5
SHA256 726a6d175d078c0c6ad19f52f85a1422775888b1e054a7c89f679198ce6f301e
SHA512 75bfdd40ffc15a0841245a0cd3041a25b9ed10332b6f9d84962e096980fafeca4673b31026121aaaeba6902d0414ceb721bd56873abcb2f3eeb1c5f614a823d1

C:\Windows\SysWOW64\Admemg32.exe

MD5 a9315b3b3166811e982a2f0beaa0acd7
SHA1 f96d953ed29ad69d5d12fece89ac32c96c4150fc
SHA256 c16983677c2a1600417d9d03e2cf4fce71923719cef901428ce7e103fe07f537
SHA512 4e6267dc888a1e6b07d886073831fb8cae57a8e0032b23e53aadeaed9443d78b91d49a2b3b312a199cf54527a1d6e173141ee5473fe9d3ae812edc7dfba8d01a

C:\Windows\SysWOW64\Aenbdoii.exe

MD5 bf3f0fb8b16ec8dd2adc84fa035e290b
SHA1 877269197a4e198d2414ce0580a22f2218543a52
SHA256 2987e4cfb8a5eb36c6abe85f121920521720c3e628582d1efe2900339fac3809
SHA512 7b259bed6a7cc91b3d09013a91eaf445c383b4e7541db97096ddf56b036b95363b488f8a2b78538208749d5cb14a1f113ee38af4e25e8111a078388d41a9712c

C:\Windows\SysWOW64\Alhjai32.exe

MD5 852a7c969815ad9c276f53c0ec8aafc9
SHA1 973af24f4149e054cc3ac24fde0023f3113a0df6
SHA256 b1e410231c1ca88eae2ea934299acd25c6d83c4e66d8a4f1b5e98c3cc138c7e0
SHA512 ab2d5f31580e5cd7e65764ed6492497042f175eceae0d68582758300480aa07059ba5c1341f5fb6491e86f871c78b8f0a7ca39b13274df410eaf239ccd80d6fe

C:\Windows\SysWOW64\Aoffmd32.exe

MD5 2b5634667507db75a412ad8b4aa22110
SHA1 38c4e5b06fba4ad2c5ed9d44c00ff0798dbf7e51
SHA256 39f0ba74cac56508634925a0002c332a475314114c08feb6febd3ca866557bee
SHA512 67f62880e2188b28d55beaeb4c9cf9f3907a9fd58a1353491b466f716217f7bbd6850c36646b5186fdd7cef6fd5646cb89bb6b6185bfca99f0868ffc0886c4bb

C:\Windows\SysWOW64\Aepojo32.exe

MD5 fedc5eb4fb0191b2f52dddfd0d1f9d14
SHA1 fe93d229d42c4d7874a16bc59d0cf27edba90e22
SHA256 30ac877cab4cf6247d45f6ceb5cd82067fa39333fc906623b628b0742740acad
SHA512 f3bad807c50aedbff2a982a2d48e547fa0f7ebf9ab3461c2a4bdf520ebe99520f4a4e2a30de837d4ad8c78de36b90685576ec908b32908e4a3f6404555863349

C:\Windows\SysWOW64\Bpfcgg32.exe

MD5 ba383caef0e12ef8ac6bbddad9d033c7
SHA1 18a7fcba55118faf3fe4dd0c42c867c946c813d2
SHA256 a66ca33970eb81bd182d110bcda7d58d04f91a26fb046c482434c02110af8dba
SHA512 e088ec5caf0dc4b3b9dc8a543ca88e37d0d38564a30663ee00f1f94f977ca9d6e9d81e2e4c673d6ff5e21a0a176827798f1d82251e10d99724231e3d452784ec

C:\Windows\SysWOW64\Bingpmnl.exe

MD5 45ae476508653980a6f8115009d822e6
SHA1 443d2c32a35d44ce703f8a4b79c6722e51cdb5c4
SHA256 1d8ad083ac75e91f4a8a2328655b572d9c0d07a39362f981359971773f3a1936
SHA512 256f131bc67513f63acf9f318b86feb38cba3f897e5e696a8167b619559aa052d8a33ec72454a72db80b541d8595b2b1ba104b9664c89b6548ecfe05e365787d

C:\Windows\SysWOW64\Bokphdld.exe

MD5 b5aee390f11f9872087e407ad365b2ef
SHA1 bdbe779fedb9392182332fbc0b48dfa0263073d1
SHA256 954e135f0d944ce4c2bfd2cbe5fd92cda3b2485202c41e4ae55b8e4919f3e28a
SHA512 59e3cd531fa31d1c03fd9e573928ac13c501abda90f97dc353c655153b3c6565ebfdb04b18b7eebc91adb8390d5355bd143d4fd2b5bea60366f7ecd46c84a2e3

C:\Windows\SysWOW64\Bhcdaibd.exe

MD5 2bfbced4bc26dd3472eba0e0150a860e
SHA1 14d819c01ed261cd7b6d6aa0a0ffbc4606496fc1
SHA256 317ca99de121b9aaa4e792f9f7eb746865589fd6f9ec956eb136ac240bfb2598
SHA512 007d5d87963bc92005af2f94767e29ca0d7cafc154aa0e3d06ea6ddeab30c4f647e339d97f29b92d5e0be05805c5b449fe696e24690ccc77ebed291384ff9b9a

C:\Windows\SysWOW64\Bkaqmeah.exe

MD5 97de7a5bd05dd50e6b37d7aa9df9e0f0
SHA1 9190b00d44b03bd7732da0269de14d6b3c5c13a9
SHA256 aa1e557f4fad6c1c7aa1bd941c2a95e4056627f3a9cf2b26b74bfb7fb0d48e4e
SHA512 8c41ef978cca0abd9c24d59c291ae178be809a9d6194ad97d7be25bbf903bba560f3f13fa9bf045efd5c7d277ddd067fb5970df6401e7d77ea43d8ff94a6a50c

C:\Windows\SysWOW64\Bdjefj32.exe

MD5 e4989714818685aa40b4993be90475ac
SHA1 c265712a769345b05c969880541ebc6712729040
SHA256 bdb9937d68f29eab0c8724b34f5b884124ad4294624999774e8391200504e095
SHA512 a3a3780592ed4d69a8933bebabd2c7eb71663c456e87ae7551d649837086eb634886429779ca6d149304a154dc076c15dddb8af8701f1daad72e92f2bc70f92c

C:\Windows\SysWOW64\Bkdmcdoe.exe

MD5 b8e2e1cef9ead69071a3678acf7d3be8
SHA1 f97e8547b014d3b336d4e8e58ae37e4b4331219c
SHA256 6b904b5313828d69a7e31d99789fc53d6abdd4a78264a9c4bd0ca52a6c20566a
SHA512 6a080c4ec43a855f84014d32ca6d088b9807cb90b3b66f994389d74044cd9e3b083eebcda4d2e7bbf379bc9ba0265835fa64406d6b16854adbcf573ff8b64f2f

C:\Windows\SysWOW64\Bnbjopoi.exe

MD5 a207cdd0cad5bcef1eedcd7abc065eae
SHA1 21554d89793c77b8ea9b68b7c772823813e03048
SHA256 5afbbee749849a264bc5ef2ba113e2cf153454b981f75feb961f1472666adac4
SHA512 008990a018abdaf401e3bb23da77c8756f55ad2140ee0957a217750798d3b86b5ca3739f3a613c3d7a1b43ce7673d4738b839a32256cd8a7540aacbacbe37254

C:\Windows\SysWOW64\Bdlblj32.exe

MD5 94c76b2689a311a096a09921240dc75e
SHA1 da13693722aef4499ee69c8a718ccc365d32e879
SHA256 5c347bdaf8843f101d2e0794fc2bd59149ddc4a8653f05e8b52309f7429e5ed6
SHA512 f2b48523716288f412a74635f8c10c77da9587884a10a5b20b2a1304439aee127bcdb04e75838937b6bad6ddf9a5c43b8b6cbf67d1ac7c4fa58250c83458eb40

C:\Windows\SysWOW64\Bkfjhd32.exe

MD5 942159b90d5d8f103ee44102e9871027
SHA1 21e96a3b5f4d2230862f3dd7b7b9ad35fb5917bb
SHA256 20cd95baa3b77aaf88f6303fdd16a8dcba86432ef6e1724c1d97d7b342df4962
SHA512 5ea76beda910760c07b0d0374c874d49aada3d396c8d10ae0bf36c054591fd78d5f53c38ecaa94bbbcd11f229e9efca8e5f5cc282916bcbfecbee56cb6bd876e

C:\Windows\SysWOW64\Bhhnli32.exe

MD5 cf7baf9501f6c44740835455981b89b9
SHA1 71d3b83c43f0d6fc8319136386cb28b5296da8ae
SHA256 8f47bb5a19761267558cb3dc477bd8f8e3f8f182a1b899de489ea971df3b61fd
SHA512 c75583c6aa1202a2a4a29c5f3789e670551e4c332d11055606a1ddfd2aa7f16bf3ff417f7356c32ca3eec7ebe03d678ebb4d14ab03a2dffd9e018bfc8d1f7277

C:\Windows\SysWOW64\Bcaomf32.exe

MD5 8fe1cfe6df10a7fab40def6b1d2b3711
SHA1 0756efcd05ddba14c25d16dc5c11eef84dfc74f8
SHA256 9052c33963163157e37039f2825fb9cf69d9bbf2df9befa769f9e192b350e129
SHA512 54d87e0542a4b90fb2b4d9c83b7db3579e02b54e528a5ca9e8adc0ba2443898663d7650875b327a0eb20714088316b4d123951303963ae626f9fe913af142ba9

C:\Windows\SysWOW64\Ckignd32.exe

MD5 d840797e48c37163142202b14acd9128
SHA1 fb606a8a2ac5ed557b858cba127f6a94e1473814
SHA256 b46fd7701c7fefe86ebe7491c015f711f738e7472256c1285cfaa443ab0d97e4
SHA512 14dc4a493fb1b0ca64fbe71fcddc564b8bad9e47dfcb64867d02ffbb272f4808738db4d7aa67e2869064e7e4c30ab1e45d1604db4270b40b84d78dbdbd6b0e43

C:\Windows\SysWOW64\Cfbhnaho.exe

MD5 a02aed02b0080a5f4e7f4999742d8861
SHA1 3258d03e5b65d6481c85b0f1e7dfc5a09d756faa
SHA256 575944b9d4086b8008323fd9caebd9f31c5df6fd5e4f67d01cada4d617c02693
SHA512 be133df151c6acd11c7f2cf58ab0baf5ca2f944246af029648877f33ef19d55f7e9aa307f927eecc03d9830f0633f3d7abe5512506ddba297a6751c3c7190efd

C:\Windows\SysWOW64\Cllpkl32.exe

MD5 60977bb4691e0c2d28ae65c3dd669663
SHA1 57e26b2beea7e34cad0088218c35dbbc96e0b18e
SHA256 2fbd5d0a1987b2ba2aec744d90bce7f614b72ae48cef9ab0f1e1e48c6bea2bd8
SHA512 956c373df433d321fcce20984366c54c798ab6a35e11269fc7907c8cb7da113b3d4f127d22a726fa68c02fa3fb4632583d3fd5b8cc1ad495e643b7de53014bd3

C:\Windows\SysWOW64\Cgbdhd32.exe

MD5 6c01fd6a3bb162cd014804a651133fad
SHA1 e448bbfa37d65c08068c0e704e50ca63f7efa44b
SHA256 91766b002810e90caabc9dbbb4e11b170fd6db9ea8fb05727887098af5887099
SHA512 065321381ef2125c20292d91319fddd4deb3612e3e886c812e0ee81225a7425a5d7d982aa1075ae62d88a8cb82a308ab3014934c87b2802330f571c3a02941a2

C:\Windows\SysWOW64\Chcqpmep.exe

MD5 2fed9da537a1401b58d14b2c33eb7b1f
SHA1 00d5c84ced2407523968ae5f58470931a912cb78
SHA256 ad129e35c6e05ce33f35ee2ddd7926e5620fc8a0568f5a728a9e3cbe08d35d8e
SHA512 fb719badb02844b69b00edee328cbd3d2a62a19f97e79d156189443c29c09069fb8dca40d708be935e876587ae78e9fff259f079ea011ecfc871b962fcdc03b8

C:\Windows\SysWOW64\Cpjiajeb.exe

MD5 3943bd4b28f1303d18f6e68f79f0a0d0
SHA1 a490f24d74a71bb3c9febae415a09d629982c139
SHA256 d086f3935c306e08fec5f117c5a29d4368217187bd364939715adcb78bec907a
SHA512 a1bba8f4f894b6c38d6b70632befa850c2298159ac660f051b622b12b0b1ca4d4c4588aa22c118679a1fddd5127557359138c339e6cf335e20d18b4255485b62

C:\Windows\SysWOW64\Cciemedf.exe

MD5 5b197ffb1cc989e9fc39349b0433d80c
SHA1 ae4a930fa378f0849d431e9a46e6efe3c67174e3
SHA256 3e96289141cdb61dd5902e7b6f1ce55964bd5e474d8b73a30ce69bdec4d509d3
SHA512 b88813e149567669d2ac49c4110e97f81ad52991dfeb78b4a4371a97c5e1e43fd21bcf91e509dd5c2db71f8ada4c5aa6b82aba10ab0c936ab2a58eabc4b56027

C:\Windows\SysWOW64\Chemfl32.exe

MD5 2951cf05c4f99adfa445ee0d2c8288e6
SHA1 3f6bdd86fd49e20174be4e98134b41f3f2bd109d
SHA256 5d0c651fe3dbc6f7efc3554fd2bedd4b1a0d1f714a23e15688c7d72fdec79093
SHA512 08722343025fb687120456b63f5f347188775c4501f7b833876b66f768385605043e852c501f6d2b8b85388d559fa2aceabcdfb0ef651fc0c90c1305dbccb7a5

C:\Windows\SysWOW64\Ckdjbh32.exe

MD5 916a9c4f83c3adcc38cff32db3044fc9
SHA1 5cd35a94718682046d89dc0c765b1ffd72d2b783
SHA256 b0ddfa6b23c7f8840e252ff9373b06dab879a910cd74e1116149f5dc150d0f60
SHA512 c7c562445cca7367f32050c7ef73f0d0770e1d0ac07ca31d17385ea2d7550bb2ea302055fdfd4d1e3f822c3223d20666c8780205bcf1df2ec3604e514134c78b

C:\Windows\SysWOW64\Cckace32.exe

MD5 2eb16b9e752dc2c4826786544bf4f08a
SHA1 82f69b0ac1435b59721f660293c559f0e0945578
SHA256 de27822da5faf2ce287dcdf8c80e9494a6c4e94d09d34e164a42719b644fb8fd
SHA512 2826c2837d9e9e317e20a40bee83b6dbef5d73e0e9ccfec6041bc10fc3066a3139a09b3089b32635f426fd13c080c08bff302f8890942f2afdd184b04e5846d0

C:\Windows\SysWOW64\Cfinoq32.exe

MD5 32ea27b8c2c953318382ae415e83eb80
SHA1 00d8b0fe55de5852e8f520a874bf8c4031adbd64
SHA256 f27cfad1764ea06a50003cd45928f344033cdd5de020d0e132dfab8fc599e720
SHA512 57ec53364d18dc97aa5a1042e8a122148fa3a9492c4a112da6b01856a6e4b2e15322f6c9b0704d60e19bf08e0c937ea2bcaa2b12ef0eeec5c70abd112b9978d7

C:\Windows\SysWOW64\Chhjkl32.exe

MD5 58a81006c6edce301f4fec9cba2b588e
SHA1 4a22254a709026c2a991857753730be30bd31e00
SHA256 d60af0944772f077846fddc4c2c95b26ed5d5b0d8f209b1bf831bbbdde22dc75
SHA512 9f20bc3481d99faa9d02921c0a111cb26bac5821f06cc508d3cbdc091893e3db0a4db9d6ae0c494735663c87cdf8fec9de72ad0cdd6ddc5e07c0c97b744b5b41

C:\Windows\SysWOW64\Dbpodagk.exe

MD5 8d8b31d013f814568e081ae44e85f26c
SHA1 86c3c14f9e84901bc102d1f344721fc868108023
SHA256 46d201e28134aeeca2c9a40d5a35b9dde3e22c510cf0f9c52f959904abdcdef0
SHA512 8545bfd0a84562dc2c2cfeb516682cc75d1cb7a0263a623ce796a18f79d3a0cf48a94dffac52f654dce83b7b3749f045bcb45c115cff9ff51f14df087f8d0cfa

C:\Windows\SysWOW64\Dflkdp32.exe

MD5 226e2292e2fbe1a1a99b3fa0250a0183
SHA1 59d17cbfe09fafe4413c2e9061773b69b4526455
SHA256 981d34a7d26240de1ca98f291b4074591fdb677df0a59bcc03ff5e394b1ffddb
SHA512 5d8bfb2d5f28225d02e81493fd7a8aa3b85797201ee869df1bb28182384bcabc65627e7333ae6a995700f57c7318de354ee7d30c6dcd548719f93683f0b04168

C:\Windows\SysWOW64\Dngoibmo.exe

MD5 6db8faa1b0a49e5a58210189d884c607
SHA1 748e79d994ffabe9ad0d459897d6d5c82a7880bb
SHA256 2474722116766d2bbdcef80961a1e4204bd90e4f3b4482bb94f3b7d04351bedd
SHA512 aee281947dda10737146feb87121b20805b21dde15424c39461f4837b18fe2ce8c851edf054da405e6a82f7360906823b5d7822d824004e20e49fb974bc19bc1

C:\Windows\SysWOW64\Dbbkja32.exe

MD5 971907fd57e4c16e4a3bf03da444cd3d
SHA1 86b5e18d9641b61a98dcbe1b26c8a02b987eeb7e
SHA256 c0e6bb3fe18b0ef29385b720f2b4e74b7fc4f27173403bad0af508be79a451b3
SHA512 bcaf80cdcc8d972afdd3128bcfac59940e146e70fbc6e4e169e70b18f55db0bb75d27f3ebf9c873ab2eab2b3a75279ab876ccacc60ec321466039a595cf86056

C:\Windows\SysWOW64\Dhmcfkme.exe

MD5 10aa6ac750ed7ee03ed84dcc1e7030fd
SHA1 4758e53d684302661488a7055e0b9a780194cbba
SHA256 32b907e79f0d5b275ab36ce0e0f835f534a60bb1be7de4b93700bf5ef875573b
SHA512 87ef970a91aebe48e8c76286b58af514e5f190a2da5be3d55fe1cb7f491d6a575ee67010afda292c2a850fddf773f8be5cb2ebe9cfa393eca5ae3b254f6d91ac

C:\Windows\SysWOW64\Dkkpbgli.exe

MD5 04253b8f6965cdb68dc20250ce11f3c7
SHA1 863eefa9191b41a25bd009b659694f80d423b99b
SHA256 afd9fb1a7395839016406f057cf32a94edde4d3aa919fdf612ce3a50f90f4882
SHA512 fdc9ccb1873a683e9e67202b445784cfb9d6faf1663ad1129610d5b16d4f3381c0c4df436331397d688437b3d9923197ac87cc256ba8fc253e821321021d7499

C:\Windows\SysWOW64\Dcfdgiid.exe

MD5 d5a0792540d265e009e732d8801b2b65
SHA1 169d4090750efa47a21c43482cb101521ce79792
SHA256 f632474705e82a19a9c64ee92a8c838f401150d0c6c41b908f929c6224fa8ada
SHA512 f0c25e6827590356d9d6e4b2f39bc92f34e0a3f0a02a1b108599a05d36cd13bb702a3f947e42affb215f49bf301bb66814453b27bd09723839ebb53ddf95b20e

C:\Windows\SysWOW64\Dkmmhf32.exe

MD5 77b706d5e6415050340e6e3cc941da76
SHA1 623fc8c40bd7c3fcdb48f42d7add1d040de17d63
SHA256 5637d746bafda3d526c9b9e5f3edb29883d61aa5f44d1ce49abfd57d3cb97eaf
SHA512 d6d07b60b9b04fb4cc8e46a7916487c1afcc20ec24be207fc8dc785c6e52ad7c4571fbc1a31fe26f240c82b86b585feb1cee72977043f4ec0b28e0b0c2f30c9b

C:\Windows\SysWOW64\Dqjepm32.exe

MD5 dbde883940eaaf5ce84eb1ef532038c4
SHA1 3b6151ed1f7ac902e5ff68dd8bc43ed4ddcb8df4
SHA256 4990a1517cfa7504362305893bfc8e7aef3aeb05d0fa6a5d3b2efa6ad122fbf0
SHA512 b8b0d458acd6f49d5ee00ac9c49c59d51693d74bb6c669e552cf4c4121b6714010ccf8eaaf5e0c6889558513b4b5ebbe98db5d48c116ac8582fd453b5f7107bb

C:\Windows\SysWOW64\Dnlidb32.exe

MD5 22a4ab40a2b475b1006b4cd37dbc5d97
SHA1 4df93c51299a536c8247c334ba3dc53b1304d32e
SHA256 2c9f77dd6867111a59f6fe0f1085f3eb5e2d4c52e6f72520f45e2c8d4142ca1e
SHA512 2f0d42d4015771e227fb9136394cf5c9c3612992553f5075500eb8d0a9a879c7e55a7c1b47c0842034d109c146aca8cc34779ecf2e259f153c91acd0d08524eb

C:\Windows\SysWOW64\Dchali32.exe

MD5 ca678855cf2b1d33320cfc0aee9a45ed
SHA1 bf977de79b9f50effa26c4876e974574768b6c13
SHA256 19877d3259d760ba7d7c8beddb130b22f582bc5c0d543a4297d3c3ae7c15441e
SHA512 a4ea8d27911bfd2bffe7531eefedb91b1e1ab93f6dd020078e7872c251f1f1382f020cbe07d186a17bb7f768cf00112ccdf04815515230718c123bbb9716cffd

C:\Windows\SysWOW64\Dfgmhd32.exe

MD5 58c67cb6f6dc1d7c446ac9d7c4d87514
SHA1 6b1d796a6cdcdc588b460fe3c49e8a711ed093b5
SHA256 fddbc82d43057c68e0ee81aa1ad2b1b212968dc3cef73385f50ed51704ffe0e7
SHA512 8b464035398b964b25f1fa54aebf3cb8b9f5f10dfbb0e15ebb5e9158aefb6116e7bef3feba8ef6a2e26d7962052305535f32867ee366296cc7f4ab7757ff7d73

C:\Windows\SysWOW64\Dgfjbgmh.exe

MD5 485c98b87f1d52cfa64316a1417dc865
SHA1 778e9f8119295799aa5836b7cb8a900b28ed8bcb
SHA256 ce6ea3f0a738a8bc0e05796c7c88c9b53d69af4602f69dca056bf28774c2dd12
SHA512 cb1978dc3556211feb57f13a41942741bdfe9babc1ebe3f40e98c8098e3eef1ef36249751737a0558258c11bb2c6143fb52e205281544909903a17f2491c9dee

C:\Windows\SysWOW64\Djefobmk.exe

MD5 da8b710787880f563d75fd983063f6c5
SHA1 00fb92e62ab8c7d8d78b0ddf50a40338e23c34e1
SHA256 bae2f7c2241087fa5ea098f1b350217c882ac97c31bae77f8be31051bcef462b
SHA512 ea67a6776c1fa0babdede359501964b01cff3b5bd71fcc4ebf9dd3d037d4ca678e725f6dcf5bb49d04a9a9381976876cd7d9d0129361bb0c4cf59142b07608b6

C:\Windows\SysWOW64\Emcbkn32.exe

MD5 10528695734aa5ac24e02576e94285ea
SHA1 041f088f1c0554fcc028b547e2c26ccc1b66d12f
SHA256 9360e10ce48b62d85d5f394b10e61ecb50480ab7545c8f80d5c93d0bc7d01c23
SHA512 021bf96d644cc37cb629b88f07e9304c4869e6a3c28370367c40bb72126b16cfc6091507b536e1689e7743d562d9a0b170a875046fed36dd5e9c449729a6d8b0

C:\Windows\SysWOW64\Emeopn32.exe

MD5 631e63d8953b130cee5963574f836a27
SHA1 dfe9a6123b1aba72d78e212b09cb9d8f901008ab
SHA256 b4ac33d01a24ab0862c0ace8ad8f61fcaac7572e15feaf1ac97689c7871cd74a
SHA512 14cf0ebbd25fc7e37fe59710353c93810384d2f8d5263451993b70c0c0dee425f1540147a5c89ac32666d1b7d5507dbeaf2b3f06d684541f2ce0baf97f75ec35

C:\Windows\SysWOW64\Epaogi32.exe

MD5 64d0ade619402349650f336c760f15ab
SHA1 9bffa2a69ffc846597df2a5c730f4135097e588a
SHA256 23082cd30c07d2dd093493e2512c67248158a9cd9940b80fee6e354a81b86572
SHA512 590b5ee5f44033aa692d99661a03e7e035d6791d01be1eea7bbdd9f770a97ee57d4bc3ff3eb83050f1f242d067c85aa9094d0043a01493ef6f041a9d26dd42f8

C:\Windows\SysWOW64\Epdkli32.exe

MD5 0cdb209241de20e6732afcff0c5787f3
SHA1 5100a1130041595781b7695293092acf06b9d1ad
SHA256 08d1d0e0f3877f9d1d70d8290f48c2abc6af12db0bcd14257a63fa5ac488485f
SHA512 600ac1004761489abd6e4a15712da095910cafb4f5094af32a3b26207de067ba02441cd8c532aeec0a69dd5727f04128f26e390115b7eb50ce01492659b3a19d

C:\Windows\SysWOW64\Efncicpm.exe

MD5 955ac57e772b4a954350927d66c06ed7
SHA1 7994ac40a1867240ccb3d9254ee63269a71a416f
SHA256 c9d400b760d4928f670a0ee6235511c6c2c4d893c8197c98b4da45fabee7b523
SHA512 d6c919d4d3d98f5e36b14056147d2b9bf7e438d58543b52e847aadc0af242cc8ee21eb42f4c025e8c4e727628b715fc20ab53dceb9e61b81fd1b177b3af0518f

C:\Windows\SysWOW64\Eilpeooq.exe

MD5 22e6ad2236a404257eb441da088a3716
SHA1 10defdf2d288d3723e1d752c9c2a0502eae13e23
SHA256 eaa0fb6715077218ddd98f5f3bef8a1651559f6f9443305445b080878d41dbf1
SHA512 43b495bab9d7363fa86ed66e64b5688e97309c3a2821b3daffb7f9c294ccd600167604c0f26a306e0646ebfd98411c4b6fa12a2bab5250691fa2fc43956de574

C:\Windows\SysWOW64\Epfhbign.exe

MD5 fd404f769bc288c8ae060abe4688ea95
SHA1 838981bd7301207d6fa8532c29ee5a4ae4b3ff84
SHA256 aa83b027c0aa3e37bb550702c5710c6d55387ff71688983a05513779ef3b4505
SHA512 be0696e1bd7caa9a1b75d822067b9eddddd41608177800926cdb4a6a2e9d6b67627afd8b7befb7053d0e5dfb1669e0bb21204f6dae881a469f5304f0ebc5fa46

C:\Windows\SysWOW64\Eiomkn32.exe

MD5 07c6d5f202b1795f09932a3ae6b29d64
SHA1 a7695f7014f25e4d72e66ece5e9f4f90f3ee6e07
SHA256 1f4e2672c93f544b1797d30d38c537d7bc01c8f4890b697cc631e8e0c3461ff6
SHA512 39847bf7d6ffa12ddb6c09b4b95b967eff55a056737dbc388df4de05644d5af32deac01ceb4ed376fb99efd24ddbd5ecd49c12b9a627b1a33a34bd3c6910587c

C:\Windows\SysWOW64\Elmigj32.exe

MD5 7d8cce998a4ebfaa45a0a38323e01f1f
SHA1 a39faf241e57960863827ab7b932190247bcd806
SHA256 fc79d790e62bd5214d3bec73884616cc7696d4185cb9e251a0cffdee02fba809
SHA512 1f1b443b3cc4baeab18c5836d4687ae3bed95237fb9d35360449230f2ff17c2ad945c4e528664712da18f2428c8bf0eb4f8bf9939cedfa25664b67aa933bc041

C:\Windows\SysWOW64\Eeempocb.exe

MD5 b6333a2aebbcaa03b63ec98a65e3a56d
SHA1 d2217fb6ac9e7768febce29cd30f9601a954b113
SHA256 13edba8c3f1b098e390e7052ae85af9516c9bc291c9d4d4b1dfbf4e498c3f1e4
SHA512 283063bda1e132afe1d6712180c331195859ea9c6f164b8b8adc264a29587a2868842eda6340dea69c98838b8341c43d68df1d1bee685be3b5f2851095719819

C:\Windows\SysWOW64\Eloemi32.exe

MD5 4b352d9ffee0dd70105b9a7fd0b545ca
SHA1 33f583776c773bf909b2b986920c9bc0f47bb29d
SHA256 c030382a682055f77866dd5c0c0996474593a6c48233d2990513b1c8a3c1e15d
SHA512 36c9c9c97880722b7306d162c7ae5a33cb627580edb464ea38cbde2b4e22205fcb8550c49f8c8e00103144e4496ce394b793ce3dc69b786c1cd644c24a3cd7d9

C:\Windows\SysWOW64\Ebinic32.exe

MD5 0d0488908073d2c935d82edc9b42a243
SHA1 0a97a2a35c160902039ef5ba7d789f5ab87c39e6
SHA256 4ffe32705e166747d1e6d7699a8fc7175fbe983683e7f7bc50eb20992c2fcd48
SHA512 4de5801cb6c57ffbb82ea7bfbfafdfb6da32aac9dc65f0dc658db9736454b679c60beac2210401f595303489906c65bb10aeb873f05e39c1a4aea8a614c154f6

C:\Windows\SysWOW64\Fhffaj32.exe

MD5 159b2f92c70074b553dbbf3b5985471c
SHA1 8831498293edb60a0d57861129882678f61c9048
SHA256 05dd347f9e22a650ba808c414a32ea5a2c220b7685988cf854d29c6e079c9a10
SHA512 ad0d885212bb8b4993416c41621de4ccfeb9522f567af931b9d46a86d706f4303983e5e44d104407317523f00dfe9857f85d2290662a1d6cf99c86c287bc7d81

C:\Windows\SysWOW64\Faokjpfd.exe

MD5 112f64300c6b0543512c15f662cd9d5b
SHA1 2203296e011f63e8b1c2e909fcd3ae56a7a920b5
SHA256 f3a055449522dabaa993d27d83a0972432f85f79cfb4297f1e43ba14a9e62d65
SHA512 2e5a6ec2b5576db4747327f64527dd1a9249e0dd1ef87174b07b2382e35c7d6886ad68e10e8b63e73d18932aab6a79358025ca99a96ee023d45042a5e0d0146f

C:\Windows\SysWOW64\Ffkcbgek.exe

MD5 c15dc54b42063e99588f47c774ef120e
SHA1 7c37ebfedd98ff2fab3d30370b38a98e4afd2dbe
SHA256 bba3d136f16d17fbc5b1278010a709d4f6c037184ee392b9320de32d1569740c
SHA512 247d9b4ea2f9e8bc21581c383dc39d6b2af3507ef127adcadc051659bb2e1b08c7c93dda3347e428f43e9ac90e4bf4073dd4c3659c7da9aef3beef3cec293cf9

C:\Windows\SysWOW64\Fnbkddem.exe

MD5 8699131fb732e727b2add328ebe4161f
SHA1 858d0021d13fcafbdecf07ee2b4bb2824f63ff35
SHA256 0a50b05b88376c57bd1f265477af07920a37d90f9244e8d938ad727fbb94397c
SHA512 ddb3258318e1fbecb54a4f67d8274399bf548bf7be8c9f37c7a2727afb5f07a29a8ebb04a14f23ae64fe2e834bd08bfcc5c56846df4d610d9c4b9fd5191da8a3

C:\Windows\SysWOW64\Fdoclk32.exe

MD5 79647d1dd94208c1965e6d6bcf3c0afd
SHA1 bab2bf76853871150e53534b4ce15db7742e1e73
SHA256 57e0d304f41d8070924cbf6bbe3442895057a70ad2c64ce08d3b6f6d592720e8
SHA512 e8e4acb9803a4f0eca5af157da09270f595a25606b3019d58a1baad9cf46421f5af65894d3cf37063bf1cc57f634be390aee19659102ba0424834ae8bdebc753

C:\Windows\SysWOW64\Fhkpmjln.exe

MD5 77b9a228c3a967a34ab2a085a0299813
SHA1 1c7ce0ad26b33618eee6d7eda08f1bd50931305a
SHA256 2031c802445f99888d310d801ec63149d2a94629330ed647b6da758cde23035c
SHA512 a12bd058656ec1cc2dea67bb8a24a6a73c0bcf8074093e9124915177e976960f8a90c34d3473d2d0686268b6d0e5ffa0ca767e85e4821d23e81265425e9c58da

C:\Windows\SysWOW64\Filldb32.exe

MD5 3f633caa46900df2a3a6a20be5238d16
SHA1 3425f96693fed218aba35f04c5f7748ded6fcf6c
SHA256 347f01b137652c9c42bfc9e9e12e9799979f1dfd8e72fa80fede08903d7b50b1
SHA512 34c9ec13ef7942c8547d693936118fb278b3db00e11e3e7c94111cb6844851d825379efbb62bdf60882cb52f87f4b6bb1a2fb44174989cc27c532cbdf16677ce

C:\Windows\SysWOW64\Fbdqmghm.exe

MD5 29e0f56ce2e7777f0b2314d48e79eeac
SHA1 0fea6d55dbec8dfd15e76cea5c24b4b027dba747
SHA256 6b15c98a1c1053937685e73b94d6b32874c5670f7fef766fdc02b88bdda74f04
SHA512 d5476f10a22f82529da319da7638117fd05986d20957caae3746955e3bdc6c174bf884541967b327fec9e5d2bd3c579c3392f59cbfb866ac66f1e0150d0738eb

C:\Windows\SysWOW64\Fjlhneio.exe

MD5 da6e198da730f461216a0c6baa17596f
SHA1 fd2112cd75e4667a2d01e9cd6ee645fc681d1a4c
SHA256 d315b3dc54e8ea8e11f98bf4d9bede1342704e5b24ae11160eda93e656662e98
SHA512 dbbf1ba45a239d6cb67568562ed02eb32ae1d7254c677d8a7924b1fe065c5878dc22552cf646ef101b58f10f4702eb01886806c223830f1e42c3fae96efd7157

C:\Windows\SysWOW64\Flmefm32.exe

MD5 d0c4c3a2af9a07d66c4af7924e6c60df
SHA1 891fc69f1a0beb8e44ed65e2c0e437cf385ccaa7
SHA256 70cd85f6828c4c49af23ca610e07976cf10bca0e367547316b178d7f0afc9150
SHA512 aba718100701bf042f22ce96d2ef540aea2c921dfe3d76326a253a4a4e7b6d01e587091a680c83d8ed57aeebcf1594e3dcce15b7133b9dbd01e67d9b06b2a4e5

C:\Windows\SysWOW64\Ffbicfoc.exe

MD5 123ff066bd71cc83725c8e23aaf205b4
SHA1 54a5ccbf059777ee1eb669ed2805f5e3399dd115
SHA256 b9b8aac1c3b41261fa2d3b727fe1afa413d0727afc24c761ace6179d23a0cdf2
SHA512 3fd748508abd1878b49b3b78f36c0e7b0932bb50908bbcd587e08675d88d866290528512bec81e264c4bc34f9b89c252896a65e5d19174e4aa9f9e0becd76f66

C:\Windows\SysWOW64\Fiaeoang.exe

MD5 79e4b2eacbe4237e3d484e7961c40042
SHA1 89850ec6bb2d2c1170c36e553dedbe14a194465d
SHA256 1a63dfd7f1e3f817a1f5725c2b013c2c7ef087f4b01c82161adbd951573b1315
SHA512 afad55737802e764d44767fe70b491ae70988dd3147001c45b9f1561387e3a5129ec0936d94a7b1f6f3406d63675d9a356654af025edae716cf9709c0ed714c5

C:\Windows\SysWOW64\Gonnhhln.exe

MD5 211064ea43149e95923e864f91317b07
SHA1 12c60bce77bc13c2fbbb85c1a6abb9a0e528e48c
SHA256 681078498ec40f55e623106ed80f3b8108808f5bf7298eed4a09afbe38d78fd9
SHA512 6f11d3173c1bcedcfcd0a30ce55b00686602d1781f704985066120c10b8e788ec57f8fc2248c4960ef86c30667e3f300ac28b70e61c598e7186745b61e0ffe1a

C:\Windows\SysWOW64\Gicbeald.exe

MD5 ffd7ec95975e65ef58c17d8135bea082
SHA1 de43eb9bcc4f36c54f3a4db7a72a7b0dfc62aff9
SHA256 a2e1265c98888a9270afab832f33b770f16916b218254bd5b70053707b4051a5
SHA512 c241105d616846ea5cb09fe50467f2c056277d02492e7ee2ac828f2e52b8266a1817549a632a7d407b69abc96fbabb3ec03026ab325d3286cdd577d5ab444e0f

C:\Windows\SysWOW64\Gbkgnfbd.exe

MD5 647e4cf31af03f268f53ff7996751479
SHA1 975abb0dd978f6cff5217dd5546f72eba352e4ca
SHA256 5b54a0e7f778eb47549b6ce9903ebf5c496c43a874036f93997e23aaf42def8b
SHA512 859f6f724d07311089db9979b136d14569ea87ff221d30832904323bcf43f36d0bb28d49083c007ad0967af84d5d900da4c9197fe090e0ef0c88ba1c01b88fc2

C:\Windows\SysWOW64\Gangic32.exe

MD5 ae87ba91052894fc060017679614a35a
SHA1 bc7198ff2fb20b271b64e89ccb36d7bc521fa375
SHA256 ec848810654237d619ec4a880d40dd80ddf311caced6bf638ecd691baa8b75cb
SHA512 cd94bfa8467ac144cefafd744843e2c84021a6603f5c3fd29271e1f2beb8c9f7b944255030851284d41d1ab31884b799c83d5d4c7fd5b4029c53fa52919a38ab

C:\Windows\SysWOW64\Gldkfl32.exe

MD5 7fd56638bd9fc68edc36d6654dd192ef
SHA1 069a50aad4bdf5d75434564160b0bc87b707ba8a
SHA256 1513479046e9559ef89b0e7ef727971ef05d5b63b4bef9178d8e848559c859c0
SHA512 b7e4969fac944b0ecf000727425d9de6aab8b0d60520e79e101e89d3b57b647bb25c8d3f7db02a5c104e60f7a8fba2b12a315e66576fd5e5493277edc916d4fe

C:\Windows\SysWOW64\Gobgcg32.exe

MD5 2a853d6a8d2484941b1f358ee60940d2
SHA1 31f1dfa27e489ca3451f504f63c55e1fb85403cb
SHA256 96491540469ccc35c98a86ca4ef48ce506d23c1bf98b8be75b6434c14eaea68e
SHA512 022f5a99d00365d3a6d1732cf412a8942a34d05c36325ef7fc71098c27fe77a38773d8234a2fe9b5b122e3d72e687040b4188d0ef6812d56fa3d0fecf05ddae2

C:\Windows\SysWOW64\Gaqcoc32.exe

MD5 9330d2a44888e1f8395e888714c4f99e
SHA1 24cb4c2ee458f407a35f38e91c5a93643d8cee68
SHA256 bc0fd39eb40fe79e93de63984d7d0d119fb15531c9b0399f4fba5099982b8052
SHA512 ff375149dcdf75b01e55f1a2e33b22834d2144649aa2a862c1ca1ca4e380034d8d31b2ad006f4e2c7b2b1ad1640b3fd903381871ecae48aba42f38ec216a5963

C:\Windows\SysWOW64\Gmgdddmq.exe

MD5 2df6fe09ad9b8c09838ba1ee400d40cc
SHA1 a3d2bf6ea75638e10fab1d87e16a8f2bc5392c92
SHA256 767b4e42e85cd391f88b7a23d298dedda6da015f907477ca39da4bb14088b731
SHA512 c57cfc4af7e80c66f73f1f359f39c0a24bd14d31f09b24ad8509e68dc2fe36ad0148a7e233099ad87409a53bc1f8db260fefb88de846c527084feccfeb029784

C:\Windows\SysWOW64\Gdamqndn.exe

MD5 5d570860a96ae7669eee509b80b10c8c
SHA1 ac4b8e36d35da7eab444ab245782edc8428eb49f
SHA256 1710f8fc656eaa23672235de401df7e15c4c9344df0a59e898534739686f66d7
SHA512 1473fe98ad924c279a8509d1c0003102210d922e5daa1fdd5551eb8a89bd0fff59eec4f362a0e43b7f4559c31587bcfba2798ac4baa9a8331763f302adfea301

C:\Windows\SysWOW64\Ggpimica.exe

MD5 feec5be11a929ff2ab51a99521ee565c
SHA1 c38c5176a3a414331453c52f9221b79c4fea9184
SHA256 407d2c27167d77e4297f23855872b92ae4a487ec05979b61882a9695bc476161
SHA512 beed7bf4557761534b6ed994b4ef6440a259ee6da9c7b86bf97b8a043d43824d10b64ef9ab9ee35c20f30e1060d8b48052abfcdfbfb8defda4759718941ec7d2

C:\Windows\SysWOW64\Gaemjbcg.exe

MD5 15a5f747ebd8e73c52f309dbad6f6c84
SHA1 3b250ace08b91814a5dc3b97caf5af94e8690da5
SHA256 bdba3a8b49ef20c6b4385b6eee53de698091b24663350e8fd485e0aec13dcbdb
SHA512 be7fb4c9c1acbb546fc586b93b410d6c2b1927c27e261a950e7316d3bb49583316f758c592bc8a5ae07b4174e06b5ff33c1edaa47dc01c5f3c514aa805963824

C:\Windows\SysWOW64\Ghoegl32.exe

MD5 4bedd00dc177a4b8795cd0192234ae28
SHA1 cc0be15d45f363484b2d6c4006f5d63f9e7f6f6f
SHA256 505463d3dc7542c5599929db349966044c49de30bb51257e86a6e3fe827049bf
SHA512 e3771303993e43e703a8018560d6585232b41f74ad35b8ae5c8f4c801db2004d83f8c76c36f9e2ecbd81bba3f047052ec0fd326dffb20a53e9cbf871d6e061db

C:\Windows\SysWOW64\Hpkjko32.exe

MD5 d023d841086146e6ca9759972cb9216f
SHA1 4d176bf2d0742db72262fc17d964062c8bdd6b63
SHA256 94362c3d2afb8c5bdb81573fded03f08b1d1e7336d9974d5d3fafa7c7c7a2c25
SHA512 e63a20ddeb1cf7b650696d3be762a0b2ea0c51ec5fb575a30263abf5f61a924cac277d6df518c11456d8203177f54122130daa1d8961d7ede3c95bcee1af6802

C:\Windows\SysWOW64\Hicodd32.exe

MD5 cd1a0cdc616fe6aa79e2e68cb1bc6e34
SHA1 901d831454062a1ae7c906a55e164d11b07b461d
SHA256 4130edbded9eab57bb3574139f3f176ff97fc006991ee453e26462995029a3b2
SHA512 0492104edae480da81fe84aa75ca6a14db733f37678db9e5c637418a429d23435a10dfd224f317d1be5385e3f19ec45e04b9cc05ef5ad0f352ef8e0546f0c978

C:\Windows\SysWOW64\Hdhbam32.exe

MD5 568949e2fcbf87eac434886407d44bf4
SHA1 b35d5c5fcfacc16dbcc414a099442e4fa4f2893a
SHA256 306e646eefe0491c352f68e2e85c8447f624c1a51e4d5e3d24e231200e879645
SHA512 0367cc53414638cc88b3b68aa1fdbe7004e4da9f1f2c2dc023e3fabe7282add755cf18fa151a416a19ab66d0c1595e824b9d7dffb6af0228df73ed6a8e16e6f4

C:\Windows\SysWOW64\Hlcgeo32.exe

MD5 937cb0ea73cf0e416a53e8bf541e0362
SHA1 171fb34664d5671e7e955f40851de4bfb7d86351
SHA256 d30ecabfffe7248c9973cdc95349a0ddca3800182f76d7f0532f7c4706b128a2
SHA512 e4b2b293211b77089f6a162bd5eb70240d5a105d15d86d6c01ff574396a2146e3bcfe4c1dc3a716bd46a0c02b3b105e0e406ec1de9d2491a9af32b258893fd8e

C:\Windows\SysWOW64\Hobcak32.exe

MD5 142d7365f84c48b052631c30590ac40c
SHA1 23f03b1ffd0e0792f6d08adc720bda24ee6b5e52
SHA256 307ce453e6ec4c962646c42535191890a52d59074dcf2696635b609d5d155181
SHA512 d21283b942faab3739f332b5c6073b10693ab65253ec45a1167c34a0e4a1116f7750112aecaa1bc0c6de25811e10eb7aed3accffbec0923b496af7a844a2d8e2

C:\Windows\SysWOW64\Hgilchkf.exe

MD5 6f5ea20128f9801856a626747f0914ff
SHA1 1afa43f352d64749f035f08cefa96eaefa4adb07
SHA256 1cb240516ad6f8d960751a0dc8df45592596ae99edff4cec2960ebf52d164ab8
SHA512 3b81f3adaa781536565545c296d32f953d668de92869b24117c8782a5ff7dd857ffce188c2619e10c762b403e0779439d76d7e458d6cc48617fdc2dd319979df

C:\Windows\SysWOW64\Hhjhkq32.exe

MD5 e30a23fec7f1e310c81670f1d5c166fa
SHA1 b5de33d2fd90e4e6bd77fa6fd06605dc43694035
SHA256 4f044fe5a2ae5570cbb0e130be5bf9ee589c2d0db632487e22489d7d54b65cf3
SHA512 cc0fff366236067947d0975d320c953d94f87f30c14df0eaf54a981ddab12b7f2607349fb22826a53f700e6087ebf12c9e33748e9f40cec8c3621c58485f8d56

C:\Windows\SysWOW64\Hodpgjha.exe

MD5 26b28c3aedc4273150c427e865ce1962
SHA1 0274f8a0ccc4ec748e49020cfec74c13ad61f06d
SHA256 032cd398aad00e12a75b0d496c15f4d10014b5d497038438b0cf2d589d277868
SHA512 9cf8924e1a36e967bfdbff3c2ed51ac962bd2a1c0341f861840a9854878ecdde89a6ec72fcdcd45e4f22f25398bedda3795561a7f532826ec6f51e86061c2f53

C:\Windows\SysWOW64\Hjjddchg.exe

MD5 cd1791a96b0f2ff7de0396d40bc78945
SHA1 d64638675de21054c3a3fb2ec8dd9022746cc84d
SHA256 7d78064f2b8c4d20a428a2ae30b5e3c32d6c80afb85ef42fb8acaa758ada4f1c
SHA512 304196ff0303c9f8e6cbcec05509c339869ec0f698e71ed21fe48dda51415a669eff910b32d5712a9c2e8cc7023ad4fbe74dfb3ef3d44919ff5e9af9c3aac016

C:\Windows\SysWOW64\Hkkalk32.exe

MD5 8a5203c6146a2d35e6b1ddc59900729b
SHA1 fd33f84d7476bb3445453975e24ab27c5cda4385
SHA256 288092a9f2aaa4013bcba9588234ac655899e9a46b1da3b2edd7a44228b6ae9d
SHA512 39a884970f845aa9addef9f0bef4b7530b9379078fb71b5270981eca8f0aac09b214b7efec1bb025483ebdcc0a4cb4d476a3e2ad838c0245eb9a54b67d5ef5b5

C:\Windows\SysWOW64\Ieqeidnl.exe

MD5 d32f7dba899ba92d5f703ea65000aed0
SHA1 28a7f5dc72061c47ff721961e449a14e9d9109d4
SHA256 8913009da230ec41330d049bbe486473481c1994697ef97e1da6fe5e2c5101c2
SHA512 7b1008bb3b82b84992fff02874a344613596bef421482d838f693634bc82d8714ce6dc41112122b5d548848d65fa39c0073e6c77e6ffeb165709b809e5ee5d6c

C:\Windows\SysWOW64\Iknnbklc.exe

MD5 ca0667ff9f3d5e7c2763e35feb786c42
SHA1 4cb149d3e2bcfe5ea1dba9e7e38834d7e1c6673c
SHA256 0b3de53237fcedd8a12ee8562fab0d9629a9e58e17e85f7b469febef04afd674
SHA512 8b10961b80d628eefef1bfe664e6e33ee0cf85a898a6c583fd82594c45a14e640cd28dac6a62873a82d9c40a3e69af0fd3d8ec3f30af0ceb2ecff7a472fd71cd

C:\Windows\SysWOW64\Iagfoe32.exe

MD5 296c4794522005307ecab74bc4554568
SHA1 b15e3588e5dcc1c7cc1a3435a0688e1821c291f3
SHA256 8bc4f3fb6dd03567e482091d48b0448619e11f34bc53f85d1727bd0a320fd4d4
SHA512 fcde3d8700b6b0d9537c15e9ae2fa9010e45b61b897bd421e709dffa2fa257c152521b35e0c2e13b46d2d6fabdbaff820a9fde8ccf85a569166226ff1c3fb7e1

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-02 00:22

Reported

2024-06-02 00:25

Platform

win10v2004-20240508-en

Max time kernel

140s

Max time network

110s

Command Line

"C:\Users\Admin\AppData\Local\Temp\12c8ab088c0a5626aa61cd1d662acae0_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jdjfcecp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Kgphpo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Mpolqa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Users\Admin\AppData\Local\Temp\12c8ab088c0a5626aa61cd1d662acae0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hpgkkioa.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jfhbppbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Maohkd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nqklmpdd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ijdeiaio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jmnaakne.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Kbfiep32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kgdbkohf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Lalcng32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Nacbfdao.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hpbaqj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ipqnahgf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ifopiajn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Njogjfoj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ijdeiaio.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iabgaklg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jbfpobpb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kgphpo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lcpllo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kkkdan32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Liekmj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Mjhqjg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ngedij32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Icljbg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jmpngk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Lnepih32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lpfijcfl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mpmokb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Njcpee32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jjbako32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jaljgidl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jjmhppqd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lcdegnep.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ifmcdblq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Kaqcbi32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kbapjafe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Nqklmpdd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nbkhfc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hmmhjm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Impepm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jaimbj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Kbapjafe.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Maohkd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hbanme32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Imihfl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jdemhe32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mjeddggd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lgkhlnbn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Kdffocib.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Lphfpbdi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mgidml32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nklfoi32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ndghmo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ndghmo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jjpeepnb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jbkjjblm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jjmhppqd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Mjeddggd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jfdida32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jkdnpo32.exe N/A

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Hpbaqj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hbanme32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hpgkkioa.exe N/A
N/A N/A C:\Windows\SysWOW64\Hcedaheh.exe N/A
N/A N/A C:\Windows\SysWOW64\Hmmhjm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Icgqggce.exe N/A
N/A N/A C:\Windows\SysWOW64\Iffmccbi.exe N/A
N/A N/A C:\Windows\SysWOW64\Impepm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ipnalhii.exe N/A
N/A N/A C:\Windows\SysWOW64\Ibmmhdhm.exe N/A
N/A N/A C:\Windows\SysWOW64\Ijdeiaio.exe N/A
N/A N/A C:\Windows\SysWOW64\Iiffen32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ipqnahgf.exe N/A
N/A N/A C:\Windows\SysWOW64\Icljbg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ifjfnb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ijfboafl.exe N/A
N/A N/A C:\Windows\SysWOW64\Imdnklfp.exe N/A
N/A N/A C:\Windows\SysWOW64\Ipckgh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Idofhfmm.exe N/A
N/A N/A C:\Windows\SysWOW64\Ifmcdblq.exe N/A
N/A N/A C:\Windows\SysWOW64\Iikopmkd.exe N/A
N/A N/A C:\Windows\SysWOW64\Iabgaklg.exe N/A
N/A N/A C:\Windows\SysWOW64\Idacmfkj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ifopiajn.exe N/A
N/A N/A C:\Windows\SysWOW64\Ijkljp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Imihfl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jpgdbg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jbfpobpb.exe N/A
N/A N/A C:\Windows\SysWOW64\Jjmhppqd.exe N/A
N/A N/A C:\Windows\SysWOW64\Jpjqhgol.exe N/A
N/A N/A C:\Windows\SysWOW64\Jdemhe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jfdida32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jjpeepnb.exe N/A
N/A N/A C:\Windows\SysWOW64\Jmnaakne.exe N/A
N/A N/A C:\Windows\SysWOW64\Jaimbj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jdhine32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jbkjjblm.exe N/A
N/A N/A C:\Windows\SysWOW64\Jjbako32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jmpngk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jaljgidl.exe N/A
N/A N/A C:\Windows\SysWOW64\Jdjfcecp.exe N/A
N/A N/A C:\Windows\SysWOW64\Jfhbppbc.exe N/A
N/A N/A C:\Windows\SysWOW64\Jkdnpo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jmbklj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jpaghf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jfkoeppq.exe N/A
N/A N/A C:\Windows\SysWOW64\Jiikak32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kaqcbi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbapjafe.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkihknfg.exe N/A
N/A N/A C:\Windows\SysWOW64\Kacphh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdaldd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kgphpo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkkdan32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kaemnhla.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdcijcke.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbfiep32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kknafn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kmlnbi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdffocib.exe N/A
N/A N/A C:\Windows\SysWOW64\Kgdbkohf.exe N/A
N/A N/A C:\Windows\SysWOW64\Kibnhjgj.exe N/A
N/A N/A C:\Windows\SysWOW64\Kajfig32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kpmfddnf.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Gmbkmemo.dll C:\Windows\SysWOW64\Ipnalhii.exe N/A
File created C:\Windows\SysWOW64\Jkdnpo32.exe C:\Windows\SysWOW64\Jfhbppbc.exe N/A
File created C:\Windows\SysWOW64\Nilhco32.dll C:\Windows\SysWOW64\Jmbklj32.exe N/A
File created C:\Windows\SysWOW64\Lbhnnj32.dll C:\Windows\SysWOW64\Kibnhjgj.exe N/A
File created C:\Windows\SysWOW64\Ogndib32.dll C:\Windows\SysWOW64\Laopdgcg.exe N/A
File opened for modification C:\Windows\SysWOW64\Nqklmpdd.exe C:\Windows\SysWOW64\Nnmopdep.exe N/A
File opened for modification C:\Windows\SysWOW64\Icljbg32.exe C:\Windows\SysWOW64\Ipqnahgf.exe N/A
File opened for modification C:\Windows\SysWOW64\Jjpeepnb.exe C:\Windows\SysWOW64\Jfdida32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lnjjdgee.exe C:\Windows\SysWOW64\Lklnhlfb.exe N/A
File created C:\Windows\SysWOW64\Ndghmo32.exe C:\Windows\SysWOW64\Nqklmpdd.exe N/A
File created C:\Windows\SysWOW64\Lalcng32.exe C:\Windows\SysWOW64\Liekmj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Laopdgcg.exe C:\Windows\SysWOW64\Liggbi32.exe N/A
File created C:\Windows\SysWOW64\Dnapla32.dll C:\Windows\SysWOW64\Lkiqbl32.exe N/A
File created C:\Windows\SysWOW64\Jjmhppqd.exe C:\Windows\SysWOW64\Jbfpobpb.exe N/A
File opened for modification C:\Windows\SysWOW64\Lpappc32.exe C:\Windows\SysWOW64\Laopdgcg.exe N/A
File created C:\Windows\SysWOW64\Epmjjbbj.dll C:\Windows\SysWOW64\Mpmokb32.exe N/A
File created C:\Windows\SysWOW64\Omfnojog.dll C:\Windows\SysWOW64\Jjpeepnb.exe N/A
File opened for modification C:\Windows\SysWOW64\Lknjmkdo.exe C:\Windows\SysWOW64\Lcgblncm.exe N/A
File created C:\Windows\SysWOW64\Gbbkdl32.dll C:\Windows\SysWOW64\Mnfipekh.exe N/A
File opened for modification C:\Windows\SysWOW64\Njogjfoj.exe C:\Windows\SysWOW64\Nklfoi32.exe N/A
File created C:\Windows\SysWOW64\Ngcgcjnc.exe C:\Windows\SysWOW64\Nddkgonp.exe N/A
File created C:\Windows\SysWOW64\Hionfema.dll C:\Windows\SysWOW64\Hpgkkioa.exe N/A
File opened for modification C:\Windows\SysWOW64\Ipckgh32.exe C:\Windows\SysWOW64\Imdnklfp.exe N/A
File created C:\Windows\SysWOW64\Ibimpp32.dll C:\Windows\SysWOW64\Jdhine32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mnfipekh.exe C:\Windows\SysWOW64\Mkgmcjld.exe N/A
File created C:\Windows\SysWOW64\Ndidbn32.exe C:\Windows\SysWOW64\Nbkhfc32.exe N/A
File created C:\Windows\SysWOW64\Gkillp32.dll C:\Windows\SysWOW64\Ijdeiaio.exe N/A
File created C:\Windows\SysWOW64\Nqjfoc32.dll C:\Windows\SysWOW64\Kdaldd32.exe N/A
File created C:\Windows\SysWOW64\Mpmokb32.exe C:\Windows\SysWOW64\Mjcgohig.exe N/A
File created C:\Windows\SysWOW64\Mcbahlip.exe C:\Windows\SysWOW64\Mpdelajl.exe N/A
File opened for modification C:\Windows\SysWOW64\Jjbako32.exe C:\Windows\SysWOW64\Jbkjjblm.exe N/A
File opened for modification C:\Windows\SysWOW64\Kdaldd32.exe C:\Windows\SysWOW64\Kacphh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kdcijcke.exe C:\Windows\SysWOW64\Kaemnhla.exe N/A
File created C:\Windows\SysWOW64\Mcnhmm32.exe C:\Windows\SysWOW64\Mpolqa32.exe N/A
File created C:\Windows\SysWOW64\Ekipni32.dll C:\Windows\SysWOW64\Mcpebmkb.exe N/A
File opened for modification C:\Windows\SysWOW64\Hpgkkioa.exe C:\Windows\SysWOW64\Hbanme32.exe N/A
File opened for modification C:\Windows\SysWOW64\Iffmccbi.exe C:\Windows\SysWOW64\Icgqggce.exe N/A
File created C:\Windows\SysWOW64\Impepm32.exe C:\Windows\SysWOW64\Iffmccbi.exe N/A
File opened for modification C:\Windows\SysWOW64\Impepm32.exe C:\Windows\SysWOW64\Iffmccbi.exe N/A
File created C:\Windows\SysWOW64\Mfpoqooh.dll C:\Windows\SysWOW64\Jpaghf32.exe N/A
File created C:\Windows\SysWOW64\Kkkdan32.exe C:\Windows\SysWOW64\Kgphpo32.exe N/A
File created C:\Windows\SysWOW64\Bnjdmn32.dll C:\Windows\SysWOW64\Kajfig32.exe N/A
File created C:\Windows\SysWOW64\Dnkdikig.dll C:\Windows\SysWOW64\Ldkojb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lnepih32.exe C:\Windows\SysWOW64\Lgkhlnbn.exe N/A
File opened for modification C:\Windows\SysWOW64\Lphfpbdi.exe C:\Windows\SysWOW64\Lnjjdgee.exe N/A
File created C:\Windows\SysWOW64\Kmdigkkd.dll C:\Windows\SysWOW64\Mnlfigcc.exe N/A
File created C:\Windows\SysWOW64\Mgekbljc.exe C:\Windows\SysWOW64\Mpkbebbf.exe N/A
File opened for modification C:\Windows\SysWOW64\Nklfoi32.exe C:\Windows\SysWOW64\Nceonl32.exe N/A
File created C:\Windows\SysWOW64\Njcpee32.exe C:\Windows\SysWOW64\Ngedij32.exe N/A
File created C:\Windows\SysWOW64\Iffmccbi.exe C:\Windows\SysWOW64\Icgqggce.exe N/A
File created C:\Windows\SysWOW64\Imdnklfp.exe C:\Windows\SysWOW64\Ijfboafl.exe N/A
File created C:\Windows\SysWOW64\Kbapjafe.exe C:\Windows\SysWOW64\Kaqcbi32.exe N/A
File created C:\Windows\SysWOW64\Kgdbkohf.exe C:\Windows\SysWOW64\Kdffocib.exe N/A
File created C:\Windows\SysWOW64\Bgcomh32.dll C:\Windows\SysWOW64\Lpcmec32.exe N/A
File created C:\Windows\SysWOW64\Lknjmkdo.exe C:\Windows\SysWOW64\Lcgblncm.exe N/A
File created C:\Windows\SysWOW64\Bidjkmlh.dll C:\Windows\SysWOW64\Lknjmkdo.exe N/A
File created C:\Windows\SysWOW64\Pbcfgejn.dll C:\Windows\SysWOW64\Mjhqjg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ngcgcjnc.exe C:\Windows\SysWOW64\Nddkgonp.exe N/A
File created C:\Windows\SysWOW64\Ekmihm32.dll C:\Windows\SysWOW64\Ijfboafl.exe N/A
File opened for modification C:\Windows\SysWOW64\Mjeddggd.exe C:\Windows\SysWOW64\Mgghhlhq.exe N/A
File created C:\Windows\SysWOW64\Npckna32.dll C:\Windows\SysWOW64\Nacbfdao.exe N/A
File opened for modification C:\Windows\SysWOW64\Ndidbn32.exe C:\Windows\SysWOW64\Nbkhfc32.exe N/A
File created C:\Windows\SysWOW64\Ppaaagol.dll C:\Windows\SysWOW64\Kdcijcke.exe N/A
File opened for modification C:\Windows\SysWOW64\Ncldnkae.exe C:\Windows\SysWOW64\Ndidbn32.exe N/A
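
The "Executes dropped EXE" and "Drops file in System32 directory" tables above are flat, but together they describe the Berbew staging pattern: each stage writes the next-stage EXE plus a companion DLL into SysWOW64 and then runs the EXE, so the sandbox sees a long chain of pseudo-random eight-letter names. The script below is an added example (not part of the report or the sandbox's tooling) that rebuilds that chain from the report's own row format. The rows embedded in it are a constructed subset copied from the table above; the file-name heuristic `looks_generated` is derived from the names seen in this one sample and is an assumption, not a published Berbew signature.

```python
import re
from collections import defaultdict

# Constructed excerpt of this report's "Drops file in System32 directory" rows.
# Columns as rendered by the sandbox: description, target path, writing process, N/A.
SAMPLE_ROWS = r"""
File created C:\Windows\SysWOW64\Npckna32.dll C:\Windows\SysWOW64\Nacbfdao.exe N/A
File opened for modification C:\Windows\SysWOW64\Nqklmpdd.exe C:\Windows\SysWOW64\Nnmopdep.exe N/A
File created C:\Windows\SysWOW64\Ndghmo32.exe C:\Windows\SysWOW64\Nqklmpdd.exe N/A
File created C:\Windows\SysWOW64\Ndidbn32.exe C:\Windows\SysWOW64\Nbkhfc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ndidbn32.exe C:\Windows\SysWOW64\Nbkhfc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ncldnkae.exe C:\Windows\SysWOW64\Ndidbn32.exe N/A
File created C:\Windows\SysWOW64\Njcpee32.exe C:\Windows\SysWOW64\Ngedij32.exe N/A
File opened for modification C:\Windows\SysWOW64\Njogjfoj.exe C:\Windows\SysWOW64\Nklfoi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nklfoi32.exe C:\Windows\SysWOW64\Nceonl32.exe N/A
"""

ROW_RE = re.compile(r"^(File created|File opened for modification)\s+(\S+)\s+(\S+)\s+N/A$")

# Heuristic (assumption drawn from this sample): capitalised six letters + "32", or eight letters.
GENERATED_NAME = re.compile(r"^[A-Z][a-z]{5}32\.(exe|dll)$|^[A-Z][a-z]{7}\.(exe|dll)$")


def parse_drop_rows(text):
    """Return (operation, target_path, writer_path) for every parsable row."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((m.group(1), m.group(2), m.group(3)))
    return rows


def basename(path):
    return path.rsplit("\\", 1)[-1]


def build_drop_graph(rows):
    """exe_children: writer -> set of EXEs it wrote; dll_by_writer: writer -> set of DLLs it wrote.
    'created' and 'opened for modification' rows for the same file collapse into one edge."""
    exe_children = defaultdict(set)
    dll_by_writer = defaultdict(set)
    for _op, target, writer in rows:
        t, w = basename(target), basename(writer)
        if t.lower().endswith(".exe"):
            exe_children[w].add(t)
        elif t.lower().endswith(".dll"):
            dll_by_writer[w].add(t)
    return dict(exe_children), dict(dll_by_writer)


def drop_chains(exe_children):
    """Walk writer -> written edges from each root (an EXE no row shows being written)
    and return every maximal chain, longest first. A cycle (possible in a truncated
    or garbled table) ends the chain instead of recursing forever."""
    written = {c for kids in exe_children.values() for c in kids}
    roots = sorted(w for w in exe_children if w not in written)
    chains = []

    def walk(node, path, seen):
        kids = exe_children.get(node, set())
        if not kids:
            chains.append(path)
            return
        for k in sorted(kids):
            if k in seen:
                chains.append(path)
                continue
            walk(k, path + [k], seen | {k})

    for r in roots:
        walk(r, [r], {r})
    return sorted(chains, key=len, reverse=True)


def looks_generated(name):
    return bool(GENERATED_NAME.match(name))


def iocs(rows):
    """Every file name in the rows (written or writer) that fits the generated-name pattern."""
    names = {basename(t) for _o, t, _w in rows} | {basename(w) for _o, _t, w in rows}
    return sorted(n for n in names if looks_generated(n))


if __name__ == "__main__":
    rows = parse_drop_rows(SAMPLE_ROWS)
    exes, dlls = build_drop_graph(rows)
    for chain in drop_chains(exes):
        print(" -> ".join(chain))
    for writer, names in sorted(dlls.items()):
        print(f"{writer} also wrote DLL(s): {', '.join(sorted(names))}")
    print("IOC file names:", ", ".join(iocs(rows)))
```

Because the sandbox truncates long tables, the chains it returns are fragments; run it over the full table from the report's raw export to join them. The `iocs` list is the one to feed into a file-system sweep of `%SystemRoot%\SysWOW64`, remembering that legitimate binaries never use this naming pattern only as far as this sample is concerned, so treat a hit as a lead, not a verdict.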

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Nkcmohbg.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Mkgmcjld.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Njacpf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnckcnhb.dll" C:\Windows\SysWOW64\Kacphh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll" C:\Windows\SysWOW64\Lphfpbdi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ijdeiaio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mcbahlip.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Jmpngk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jdjfcecp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lnhmng32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akanejnd.dll" C:\Windows\SysWOW64\Kknafn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll" C:\Windows\SysWOW64\Lnhmng32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ifopiajn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Jdjfcecp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Jkdnpo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kdaldd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nqfbaq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kckbqpnj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Lgkhlnbn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ldkojb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll" C:\Windows\SysWOW64\Lgikfn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Jaljgidl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll" C:\Windows\SysWOW64\Njogjfoj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lklnhlfb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mgghhlhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lknjmkdo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Kgphpo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll" C:\Windows\SysWOW64\Mgidml32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll" C:\Windows\SysWOW64\Mjcgohig.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ijfboafl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Icgqggce.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Idacmfkj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Lcpllo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Lgikfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mpmokb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mjeddggd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jfhbppbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jplifcqp.dll" C:\Windows\SysWOW64\Kpmfddnf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lgneampk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll" C:\Windows\SysWOW64\Mpolqa32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ipckgh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Impoan32.dll" C:\Windows\SysWOW64\Iikopmkd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feambf32.dll" C:\Windows\SysWOW64\Jbkjjblm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Kpmfddnf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifkeoll.dll" C:\Windows\SysWOW64\Lalcng32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mcpebmkb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ifmcdblq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Kpjjod32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll" C:\Windows\SysWOW64\Ndghmo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Jpaghf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Njljefql.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jpjqhgol.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kgdbkohf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\12c8ab088c0a5626aa61cd1d662acae0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Jjbako32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Nddkgonp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll" C:\Windows\SysWOW64\Kbfiep32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Lklnhlfb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Impepm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Iiffen32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ifopiajn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll" C:\Windows\SysWOW64\Nkjjij32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ijdeiaio.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Imihfl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Lnjjdgee.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4980 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\12c8ab088c0a5626aa61cd1d662acae0_NeikiAnalytics.exe C:\Windows\SysWOW64\Hpbaqj32.exe
PID 4980 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\12c8ab088c0a5626aa61cd1d662acae0_NeikiAnalytics.exe C:\Windows\SysWOW64\Hpbaqj32.exe
PID 4980 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\12c8ab088c0a5626aa61cd1d662acae0_NeikiAnalytics.exe C:\Windows\SysWOW64\Hpbaqj32.exe
PID 4804 wrote to memory of 4064 N/A C:\Windows\SysWOW64\Hpbaqj32.exe C:\Windows\SysWOW64\Hbanme32.exe
PID 4804 wrote to memory of 4064 N/A C:\Windows\SysWOW64\Hpbaqj32.exe C:\Windows\SysWOW64\Hbanme32.exe
PID 4804 wrote to memory of 4064 N/A C:\Windows\SysWOW64\Hpbaqj32.exe C:\Windows\SysWOW64\Hbanme32.exe
PID 4064 wrote to memory of 1064 N/A C:\Windows\SysWOW64\Hbanme32.exe C:\Windows\SysWOW64\Hpgkkioa.exe
PID 4064 wrote to memory of 1064 N/A C:\Windows\SysWOW64\Hbanme32.exe C:\Windows\SysWOW64\Hpgkkioa.exe
PID 4064 wrote to memory of 1064 N/A C:\Windows\SysWOW64\Hbanme32.exe C:\Windows\SysWOW64\Hpgkkioa.exe
PID 1064 wrote to memory of 4608 N/A C:\Windows\SysWOW64\Hpgkkioa.exe C:\Windows\SysWOW64\Hcedaheh.exe
PID 1064 wrote to memory of 4608 N/A C:\Windows\SysWOW64\Hpgkkioa.exe C:\Windows\SysWOW64\Hcedaheh.exe
PID 1064 wrote to memory of 4608 N/A C:\Windows\SysWOW64\Hpgkkioa.exe C:\Windows\SysWOW64\Hcedaheh.exe
PID 4608 wrote to memory of 4544 N/A C:\Windows\SysWOW64\Hcedaheh.exe C:\Windows\SysWOW64\Hmmhjm32.exe
PID 4608 wrote to memory of 4544 N/A C:\Windows\SysWOW64\Hcedaheh.exe C:\Windows\SysWOW64\Hmmhjm32.exe
PID 4608 wrote to memory of 4544 N/A C:\Windows\SysWOW64\Hcedaheh.exe C:\Windows\SysWOW64\Hmmhjm32.exe
PID 4544 wrote to memory of 5104 N/A C:\Windows\SysWOW64\Hmmhjm32.exe C:\Windows\SysWOW64\Icgqggce.exe
PID 4544 wrote to memory of 5104 N/A C:\Windows\SysWOW64\Hmmhjm32.exe C:\Windows\SysWOW64\Icgqggce.exe
PID 4544 wrote to memory of 5104 N/A C:\Windows\SysWOW64\Hmmhjm32.exe C:\Windows\SysWOW64\Icgqggce.exe
PID 5104 wrote to memory of 3328 N/A C:\Windows\SysWOW64\Icgqggce.exe C:\Windows\SysWOW64\Iffmccbi.exe
PID 5104 wrote to memory of 3328 N/A C:\Windows\SysWOW64\Icgqggce.exe C:\Windows\SysWOW64\Iffmccbi.exe
PID 5104 wrote to memory of 3328 N/A C:\Windows\SysWOW64\Icgqggce.exe C:\Windows\SysWOW64\Iffmccbi.exe
PID 3328 wrote to memory of 4044 N/A C:\Windows\SysWOW64\Iffmccbi.exe C:\Windows\SysWOW64\Impepm32.exe
PID 3328 wrote to memory of 4044 N/A C:\Windows\SysWOW64\Iffmccbi.exe C:\Windows\SysWOW64\Impepm32.exe
PID 3328 wrote to memory of 4044 N/A C:\Windows\SysWOW64\Iffmccbi.exe C:\Windows\SysWOW64\Impepm32.exe
PID 4044 wrote to memory of 5028 N/A C:\Windows\SysWOW64\Impepm32.exe C:\Windows\SysWOW64\Ipnalhii.exe
PID 4044 wrote to memory of 5028 N/A C:\Windows\SysWOW64\Impepm32.exe C:\Windows\SysWOW64\Ipnalhii.exe
PID 4044 wrote to memory of 5028 N/A C:\Windows\SysWOW64\Impepm32.exe C:\Windows\SysWOW64\Ipnalhii.exe
PID 5028 wrote to memory of 5076 N/A C:\Windows\SysWOW64\Ipnalhii.exe C:\Windows\SysWOW64\Ibmmhdhm.exe
PID 5028 wrote to memory of 5076 N/A C:\Windows\SysWOW64\Ipnalhii.exe C:\Windows\SysWOW64\Ibmmhdhm.exe
PID 5028 wrote to memory of 5076 N/A C:\Windows\SysWOW64\Ipnalhii.exe C:\Windows\SysWOW64\Ibmmhdhm.exe
PID 5076 wrote to memory of 4032 N/A C:\Windows\SysWOW64\Ibmmhdhm.exe C:\Windows\SysWOW64\Ijdeiaio.exe
PID 5076 wrote to memory of 4032 N/A C:\Windows\SysWOW64\Ibmmhdhm.exe C:\Windows\SysWOW64\Ijdeiaio.exe
PID 5076 wrote to memory of 4032 N/A C:\Windows\SysWOW64\Ibmmhdhm.exe C:\Windows\SysWOW64\Ijdeiaio.exe
PID 4032 wrote to memory of 3024 N/A C:\Windows\SysWOW64\Ijdeiaio.exe C:\Windows\SysWOW64\Iiffen32.exe
PID 4032 wrote to memory of 3024 N/A C:\Windows\SysWOW64\Ijdeiaio.exe C:\Windows\SysWOW64\Iiffen32.exe
PID 4032 wrote to memory of 3024 N/A C:\Windows\SysWOW64\Ijdeiaio.exe C:\Windows\SysWOW64\Iiffen32.exe
PID 3024 wrote to memory of 4868 N/A C:\Windows\SysWOW64\Iiffen32.exe C:\Windows\SysWOW64\Ipqnahgf.exe
PID 3024 wrote to memory of 4868 N/A C:\Windows\SysWOW64\Iiffen32.exe C:\Windows\SysWOW64\Ipqnahgf.exe
PID 3024 wrote to memory of 4868 N/A C:\Windows\SysWOW64\Iiffen32.exe C:\Windows\SysWOW64\Ipqnahgf.exe
PID 4868 wrote to memory of 4688 N/A C:\Windows\SysWOW64\Ipqnahgf.exe C:\Windows\SysWOW64\Icljbg32.exe
PID 4868 wrote to memory of 4688 N/A C:\Windows\SysWOW64\Ipqnahgf.exe C:\Windows\SysWOW64\Icljbg32.exe
PID 4868 wrote to memory of 4688 N/A C:\Windows\SysWOW64\Ipqnahgf.exe C:\Windows\SysWOW64\Icljbg32.exe
PID 4688 wrote to memory of 4900 N/A C:\Windows\SysWOW64\Icljbg32.exe C:\Windows\SysWOW64\Ifjfnb32.exe
PID 4688 wrote to memory of 4900 N/A C:\Windows\SysWOW64\Icljbg32.exe C:\Windows\SysWOW64\Ifjfnb32.exe
PID 4688 wrote to memory of 4900 N/A C:\Windows\SysWOW64\Icljbg32.exe C:\Windows\SysWOW64\Ifjfnb32.exe
PID 4900 wrote to memory of 2132 N/A C:\Windows\SysWOW64\Ifjfnb32.exe C:\Windows\SysWOW64\Ijfboafl.exe
PID 4900 wrote to memory of 2132 N/A C:\Windows\SysWOW64\Ifjfnb32.exe C:\Windows\SysWOW64\Ijfboafl.exe
PID 4900 wrote to memory of 2132 N/A C:\Windows\SysWOW64\Ifjfnb32.exe C:\Windows\SysWOW64\Ijfboafl.exe
PID 2132 wrote to memory of 4308 N/A C:\Windows\SysWOW64\Ijfboafl.exe C:\Windows\SysWOW64\Imdnklfp.exe
PID 2132 wrote to memory of 4308 N/A C:\Windows\SysWOW64\Ijfboafl.exe C:\Windows\SysWOW64\Imdnklfp.exe
PID 2132 wrote to memory of 4308 N/A C:\Windows\SysWOW64\Ijfboafl.exe C:\Windows\SysWOW64\Imdnklfp.exe
PID 4308 wrote to memory of 1140 N/A C:\Windows\SysWOW64\Imdnklfp.exe C:\Windows\SysWOW64\Ipckgh32.exe
PID 4308 wrote to memory of 1140 N/A C:\Windows\SysWOW64\Imdnklfp.exe C:\Windows\SysWOW64\Ipckgh32.exe
PID 4308 wrote to memory of 1140 N/A C:\Windows\SysWOW64\Imdnklfp.exe C:\Windows\SysWOW64\Ipckgh32.exe
PID 1140 wrote to memory of 2600 N/A C:\Windows\SysWOW64\Ipckgh32.exe C:\Windows\SysWOW64\Idofhfmm.exe
PID 1140 wrote to memory of 2600 N/A C:\Windows\SysWOW64\Ipckgh32.exe C:\Windows\SysWOW64\Idofhfmm.exe
PID 1140 wrote to memory of 2600 N/A C:\Windows\SysWOW64\Ipckgh32.exe C:\Windows\SysWOW64\Idofhfmm.exe
PID 2600 wrote to memory of 2140 N/A C:\Windows\SysWOW64\Idofhfmm.exe C:\Windows\SysWOW64\Ifmcdblq.exe
PID 2600 wrote to memory of 2140 N/A C:\Windows\SysWOW64\Idofhfmm.exe C:\Windows\SysWOW64\Ifmcdblq.exe
PID 2600 wrote to memory of 2140 N/A C:\Windows\SysWOW64\Idofhfmm.exe C:\Windows\SysWOW64\Ifmcdblq.exe
PID 2140 wrote to memory of 3204 N/A C:\Windows\SysWOW64\Ifmcdblq.exe C:\Windows\SysWOW64\Iikopmkd.exe
PID 2140 wrote to memory of 3204 N/A C:\Windows\SysWOW64\Ifmcdblq.exe C:\Windows\SysWOW64\Iikopmkd.exe
PID 2140 wrote to memory of 3204 N/A C:\Windows\SysWOW64\Ifmcdblq.exe C:\Windows\SysWOW64\Iikopmkd.exe
PID 3204 wrote to memory of 388 N/A C:\Windows\SysWOW64\Iikopmkd.exe C:\Windows\SysWOW64\Iabgaklg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\12c8ab088c0a5626aa61cd1d662acae0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\12c8ab088c0a5626aa61cd1d662acae0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Hpbaqj32.exe

C:\Windows\system32\Hpbaqj32.exe

C:\Windows\SysWOW64\Hbanme32.exe

C:\Windows\system32\Hbanme32.exe

C:\Windows\SysWOW64\Hpgkkioa.exe

C:\Windows\system32\Hpgkkioa.exe

C:\Windows\SysWOW64\Hcedaheh.exe

C:\Windows\system32\Hcedaheh.exe

C:\Windows\SysWOW64\Hmmhjm32.exe

C:\Windows\system32\Hmmhjm32.exe

C:\Windows\SysWOW64\Icgqggce.exe

C:\Windows\system32\Icgqggce.exe

C:\Windows\SysWOW64\Iffmccbi.exe

C:\Windows\system32\Iffmccbi.exe

C:\Windows\SysWOW64\Impepm32.exe

C:\Windows\system32\Impepm32.exe

C:\Windows\SysWOW64\Ipnalhii.exe

C:\Windows\system32\Ipnalhii.exe

C:\Windows\SysWOW64\Ibmmhdhm.exe

C:\Windows\system32\Ibmmhdhm.exe

C:\Windows\SysWOW64\Ijdeiaio.exe

C:\Windows\system32\Ijdeiaio.exe

C:\Windows\SysWOW64\Iiffen32.exe

C:\Windows\system32\Iiffen32.exe

C:\Windows\SysWOW64\Ipqnahgf.exe

C:\Windows\system32\Ipqnahgf.exe

C:\Windows\SysWOW64\Icljbg32.exe

C:\Windows\system32\Icljbg32.exe

C:\Windows\SysWOW64\Ifjfnb32.exe

C:\Windows\system32\Ifjfnb32.exe

C:\Windows\SysWOW64\Ijfboafl.exe

C:\Windows\system32\Ijfboafl.exe

C:\Windows\SysWOW64\Imdnklfp.exe

C:\Windows\system32\Imdnklfp.exe

C:\Windows\SysWOW64\Ipckgh32.exe

C:\Windows\system32\Ipckgh32.exe

C:\Windows\SysWOW64\Idofhfmm.exe

C:\Windows\system32\Idofhfmm.exe

C:\Windows\SysWOW64\Ifmcdblq.exe

C:\Windows\system32\Ifmcdblq.exe

C:\Windows\SysWOW64\Iikopmkd.exe

C:\Windows\system32\Iikopmkd.exe

C:\Windows\SysWOW64\Iabgaklg.exe

C:\Windows\system32\Iabgaklg.exe

C:\Windows\SysWOW64\Idacmfkj.exe

C:\Windows\system32\Idacmfkj.exe

C:\Windows\SysWOW64\Ifopiajn.exe

C:\Windows\system32\Ifopiajn.exe

C:\Windows\SysWOW64\Ijkljp32.exe

C:\Windows\system32\Ijkljp32.exe

C:\Windows\SysWOW64\Imihfl32.exe

C:\Windows\system32\Imihfl32.exe

C:\Windows\SysWOW64\Jpgdbg32.exe

C:\Windows\system32\Jpgdbg32.exe

C:\Windows\SysWOW64\Jbfpobpb.exe

C:\Windows\system32\Jbfpobpb.exe

C:\Windows\SysWOW64\Jjmhppqd.exe

C:\Windows\system32\Jjmhppqd.exe

C:\Windows\SysWOW64\Jpjqhgol.exe

C:\Windows\system32\Jpjqhgol.exe

C:\Windows\SysWOW64\Jdemhe32.exe

C:\Windows\system32\Jdemhe32.exe

C:\Windows\SysWOW64\Jfdida32.exe

C:\Windows\system32\Jfdida32.exe

C:\Windows\SysWOW64\Jjpeepnb.exe

C:\Windows\system32\Jjpeepnb.exe

C:\Windows\SysWOW64\Jmnaakne.exe

C:\Windows\system32\Jmnaakne.exe

C:\Windows\SysWOW64\Jaimbj32.exe

C:\Windows\system32\Jaimbj32.exe

C:\Windows\SysWOW64\Jdhine32.exe

C:\Windows\system32\Jdhine32.exe

C:\Windows\SysWOW64\Jbkjjblm.exe

C:\Windows\system32\Jbkjjblm.exe

C:\Windows\SysWOW64\Jjbako32.exe

C:\Windows\system32\Jjbako32.exe

C:\Windows\SysWOW64\Jmpngk32.exe

C:\Windows\system32\Jmpngk32.exe

C:\Windows\SysWOW64\Jaljgidl.exe

C:\Windows\system32\Jaljgidl.exe

C:\Windows\SysWOW64\Jdjfcecp.exe

C:\Windows\system32\Jdjfcecp.exe

C:\Windows\SysWOW64\Jfhbppbc.exe

C:\Windows\system32\Jfhbppbc.exe

C:\Windows\SysWOW64\Jkdnpo32.exe

C:\Windows\system32\Jkdnpo32.exe

C:\Windows\SysWOW64\Jmbklj32.exe

C:\Windows\system32\Jmbklj32.exe

C:\Windows\SysWOW64\Jpaghf32.exe

C:\Windows\system32\Jpaghf32.exe

C:\Windows\SysWOW64\Jfkoeppq.exe

C:\Windows\system32\Jfkoeppq.exe

C:\Windows\SysWOW64\Jiikak32.exe

C:\Windows\system32\Jiikak32.exe

C:\Windows\SysWOW64\Kaqcbi32.exe

C:\Windows\system32\Kaqcbi32.exe

C:\Windows\SysWOW64\Kbapjafe.exe

C:\Windows\system32\Kbapjafe.exe

C:\Windows\SysWOW64\Kkihknfg.exe

C:\Windows\system32\Kkihknfg.exe

C:\Windows\SysWOW64\Kacphh32.exe

C:\Windows\system32\Kacphh32.exe

C:\Windows\SysWOW64\Kdaldd32.exe

C:\Windows\system32\Kdaldd32.exe

C:\Windows\SysWOW64\Kgphpo32.exe

C:\Windows\system32\Kgphpo32.exe

C:\Windows\SysWOW64\Kkkdan32.exe

C:\Windows\system32\Kkkdan32.exe

C:\Windows\SysWOW64\Kaemnhla.exe

C:\Windows\system32\Kaemnhla.exe

C:\Windows\SysWOW64\Kdcijcke.exe

C:\Windows\system32\Kdcijcke.exe

C:\Windows\SysWOW64\Kbfiep32.exe

C:\Windows\system32\Kbfiep32.exe

C:\Windows\SysWOW64\Kknafn32.exe

C:\Windows\system32\Kknafn32.exe

C:\Windows\SysWOW64\Kmlnbi32.exe

C:\Windows\system32\Kmlnbi32.exe

C:\Windows\SysWOW64\Kpjjod32.exe

C:\Windows\system32\Kpjjod32.exe

C:\Windows\SysWOW64\Kdffocib.exe

C:\Windows\system32\Kdffocib.exe

C:\Windows\SysWOW64\Kgdbkohf.exe

C:\Windows\system32\Kgdbkohf.exe

C:\Windows\SysWOW64\Kibnhjgj.exe

C:\Windows\system32\Kibnhjgj.exe

C:\Windows\SysWOW64\Kajfig32.exe

C:\Windows\system32\Kajfig32.exe

C:\Windows\SysWOW64\Kpmfddnf.exe

C:\Windows\system32\Kpmfddnf.exe

C:\Windows\SysWOW64\Kckbqpnj.exe

C:\Windows\system32\Kckbqpnj.exe

C:\Windows\SysWOW64\Kgfoan32.exe

C:\Windows\system32\Kgfoan32.exe

C:\Windows\SysWOW64\Liekmj32.exe

C:\Windows\system32\Liekmj32.exe

C:\Windows\SysWOW64\Lalcng32.exe

C:\Windows\system32\Lalcng32.exe

C:\Windows\SysWOW64\Ldkojb32.exe

C:\Windows\system32\Ldkojb32.exe

C:\Windows\SysWOW64\Lgikfn32.exe

C:\Windows\system32\Lgikfn32.exe

C:\Windows\SysWOW64\Liggbi32.exe

C:\Windows\system32\Liggbi32.exe

C:\Windows\SysWOW64\Laopdgcg.exe

C:\Windows\system32\Laopdgcg.exe

C:\Windows\SysWOW64\Lpappc32.exe

C:\Windows\system32\Lpappc32.exe

C:\Windows\SysWOW64\Lcpllo32.exe

C:\Windows\system32\Lcpllo32.exe

C:\Windows\SysWOW64\Lgkhlnbn.exe

C:\Windows\system32\Lgkhlnbn.exe

C:\Windows\SysWOW64\Lnepih32.exe

C:\Windows\system32\Lnepih32.exe

C:\Windows\SysWOW64\Lpcmec32.exe

C:\Windows\system32\Lpcmec32.exe

C:\Windows\SysWOW64\Ldohebqh.exe

C:\Windows\system32\Ldohebqh.exe

C:\Windows\SysWOW64\Lgneampk.exe

C:\Windows\system32\Lgneampk.exe

C:\Windows\SysWOW64\Lkiqbl32.exe

C:\Windows\system32\Lkiqbl32.exe

C:\Windows\SysWOW64\Lnhmng32.exe

C:\Windows\system32\Lnhmng32.exe

C:\Windows\SysWOW64\Lpfijcfl.exe

C:\Windows\system32\Lpfijcfl.exe

C:\Windows\SysWOW64\Lcdegnep.exe

C:\Windows\system32\Lcdegnep.exe

C:\Windows\SysWOW64\Lklnhlfb.exe

C:\Windows\system32\Lklnhlfb.exe

C:\Windows\SysWOW64\Lnjjdgee.exe

C:\Windows\system32\Lnjjdgee.exe

C:\Windows\SysWOW64\Lphfpbdi.exe

C:\Windows\system32\Lphfpbdi.exe

C:\Windows\SysWOW64\Lcgblncm.exe

C:\Windows\system32\Lcgblncm.exe

C:\Windows\SysWOW64\Lknjmkdo.exe

C:\Windows\system32\Lknjmkdo.exe

C:\Windows\SysWOW64\Mnlfigcc.exe

C:\Windows\system32\Mnlfigcc.exe

C:\Windows\SysWOW64\Mpkbebbf.exe

C:\Windows\system32\Mpkbebbf.exe

C:\Windows\SysWOW64\Mgekbljc.exe

C:\Windows\system32\Mgekbljc.exe

C:\Windows\SysWOW64\Mjcgohig.exe

C:\Windows\system32\Mjcgohig.exe

C:\Windows\SysWOW64\Mpmokb32.exe

C:\Windows\system32\Mpmokb32.exe

C:\Windows\SysWOW64\Mcklgm32.exe

C:\Windows\system32\Mcklgm32.exe

C:\Windows\SysWOW64\Mgghhlhq.exe

C:\Windows\system32\Mgghhlhq.exe

C:\Windows\SysWOW64\Mjeddggd.exe

C:\Windows\system32\Mjeddggd.exe

C:\Windows\SysWOW64\Mnapdf32.exe

C:\Windows\system32\Mnapdf32.exe

C:\Windows\SysWOW64\Mpolqa32.exe

C:\Windows\system32\Mpolqa32.exe

C:\Windows\SysWOW64\Mcnhmm32.exe

C:\Windows\system32\Mcnhmm32.exe

C:\Windows\SysWOW64\Mgidml32.exe

C:\Windows\system32\Mgidml32.exe

C:\Windows\SysWOW64\Mjhqjg32.exe

C:\Windows\system32\Mjhqjg32.exe

C:\Windows\SysWOW64\Maohkd32.exe

C:\Windows\system32\Maohkd32.exe

C:\Windows\SysWOW64\Mcpebmkb.exe

C:\Windows\system32\Mcpebmkb.exe

C:\Windows\SysWOW64\Mkgmcjld.exe

C:\Windows\system32\Mkgmcjld.exe

C:\Windows\SysWOW64\Mnfipekh.exe

C:\Windows\system32\Mnfipekh.exe

C:\Windows\SysWOW64\Mpdelajl.exe

C:\Windows\system32\Mpdelajl.exe

C:\Windows\SysWOW64\Mcbahlip.exe

C:\Windows\system32\Mcbahlip.exe

C:\Windows\SysWOW64\Nkjjij32.exe

C:\Windows\system32\Nkjjij32.exe

C:\Windows\SysWOW64\Njljefql.exe

C:\Windows\system32\Njljefql.exe

C:\Windows\SysWOW64\Nacbfdao.exe

C:\Windows\system32\Nacbfdao.exe

C:\Windows\SysWOW64\Nqfbaq32.exe

C:\Windows\system32\Nqfbaq32.exe

C:\Windows\SysWOW64\Nceonl32.exe

C:\Windows\system32\Nceonl32.exe

C:\Windows\SysWOW64\Nklfoi32.exe

C:\Windows\system32\Nklfoi32.exe

C:\Windows\SysWOW64\Njogjfoj.exe

C:\Windows\system32\Njogjfoj.exe

C:\Windows\SysWOW64\Nafokcol.exe

C:\Windows\system32\Nafokcol.exe

C:\Windows\SysWOW64\Nddkgonp.exe

C:\Windows\system32\Nddkgonp.exe

C:\Windows\SysWOW64\Ngcgcjnc.exe

C:\Windows\system32\Ngcgcjnc.exe

C:\Windows\SysWOW64\Njacpf32.exe

C:\Windows\system32\Njacpf32.exe

C:\Windows\SysWOW64\Nnmopdep.exe

C:\Windows\system32\Nnmopdep.exe

C:\Windows\SysWOW64\Nqklmpdd.exe

C:\Windows\system32\Nqklmpdd.exe

C:\Windows\SysWOW64\Ndghmo32.exe

C:\Windows\system32\Ndghmo32.exe

C:\Windows\SysWOW64\Ngedij32.exe

C:\Windows\system32\Ngedij32.exe

C:\Windows\SysWOW64\Njcpee32.exe

C:\Windows\system32\Njcpee32.exe

C:\Windows\SysWOW64\Nbkhfc32.exe

C:\Windows\system32\Nbkhfc32.exe

C:\Windows\SysWOW64\Ndidbn32.exe

C:\Windows\system32\Ndidbn32.exe

C:\Windows\SysWOW64\Ncldnkae.exe

C:\Windows\system32\Ncldnkae.exe

C:\Windows\SysWOW64\Nkcmohbg.exe

C:\Windows\system32\Nkcmohbg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4780 -ip 4780

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 412

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 32.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 130.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp

Files

C:\Windows\SysWOW64\Hpbaqj32.exe

MD5 d31ab713235e384f578f314a32c9512c
SHA1 00dc654eb4601bd5e4fda9cd3d360387796cafea
SHA256 0408a37dc72e4dab32e5fa6081c43cafae90444f9774876bc47081ce948bf321
SHA512 669d9d7b2911eba7e77bab4cb058c3b4183c59c771f0cca32a496e8c7c6275315e9c974f08f664f522f88f24fc5f6a6da4acd8185eee0c5aee59f3bfa6b80050

C:\Windows\SysWOW64\Hbanme32.exe

MD5 4aeef9554ec731d7344807a476d8fe0d
SHA1 69d80c4c413d5cc43946bd383c0423dec6f7a000
SHA256 e59402af05ca379f17b552ac529a2c2df97648cc868c54859acb099020b1f946
SHA512 074dfae1459317aa52d80eb9401cea1c84a61c286f982f6d44d46aceb6077adbeb8cc005c12fc5b05ccb05ddbc2a0d16a41b0cd2c4e59be3877427d3447bd8e4

C:\Windows\SysWOW64\Hpgkkioa.exe

MD5 ea8c2439791fa35bc55f1c7266218e2a
SHA1 d6ec420d5132071a7e925cd004bced24dcead3c3
SHA256 534f05ae51f5a62a693f2415228b8197ac8f809cb971c21ee2019655b5fafc53
SHA512 e951e2b86dd613f51df5008debb37c0dc08a66112a226cd142430e2b70f8471ea783fe584c6308ea86faa47a594b48a969d09d36fcee6453a833471e7f34c933

C:\Windows\SysWOW64\Hcedaheh.exe

MD5 86a3d800186ed94b066ceed2af112005
SHA1 dadb55d4f06e3d035e8701bbbadb199e63699c2d
SHA256 779f1d853dd57cb4e9d1c9c3046b1e592766178266ad14f470fd19b61eb6d343
SHA512 fcb7d91fa9340a216fbf7f9940859737b8c0a92650917d9e55e73783fff291680a24692d9d746ed25c5ea5b65c454ab0aaf951d827ef18fe4c0e5bc345e46823

C:\Windows\SysWOW64\Opocad32.dll

MD5 c32584fa61d7e261ac3090deb71ec3fb
SHA1 f72e0548b5ac7fe2c0022e3f0239c1f486fab2bb
SHA256 412d1b5e573d609d1e3d6a5e8ebde82d6d8d69d8ff8570ac7d69af8c3c224d32
SHA512 cba80851dbe014a18a0b6f5c8b57638c6d60b23616462e82877ef2f949abb419769ca5913a175f924fd0ea44bf62079ae2833be6a8debba0fb5aac8c6f5bbc48

C:\Windows\SysWOW64\Hmmhjm32.exe

MD5 0c7e1fa52256db48a1cf764a2079559a
SHA1 3ec52d966e3390673dd069142ef0a58d58fb8cba
SHA256 7a83f7e249e3ba01e48accf6570fa5e3109b5c31a4a59ed20b629f0d67511597
SHA512 b8437a6226a611b075ef4f916d563d241fad4c8b9984b95b49ce9ba43553431cb40408c54194eac0f2531bbb4cbb1b2662565072253a619941f4bcf93f512f05

C:\Windows\SysWOW64\Icgqggce.exe

MD5 85af1498f674e73b7853b97fe7d4328d
SHA1 c45aedcce50685ad488a036f2aeac4f4a8095198
SHA256 0045c06c44ad50a7ee9bdac443f38737c60e846216620ce81ce8b87d4273a465
SHA512 5d56a862faa9b73fbe7895ad136719ee2a7f7e6b681b91a0e100051c0d3dcc3c17709034e3adfba8c5423455fd789febe00850e6f6a7de6ed4082e8afe8440f3

C:\Windows\SysWOW64\Iffmccbi.exe

MD5 b8e774cef46a332350cec813efd873a9
SHA1 c021c65f1e960526a9601a019223ee93c19d0f0e
SHA256 50ad93f51adb3a4d5738bd1676dc8994c5891eebd2e45cf9eacb4d2e8f924633
SHA512 eb8ee7a6f550705c6af32fe3314f35e0ed75f8a62ea28f57144ff88c2587d4acf1d79b72143aab52b8ade2e9ed2ef3dc2f382f079dcab641a56fe49decd00921

C:\Windows\SysWOW64\Impepm32.exe

MD5 15db1ecdc028ffb2759e368815142020
SHA1 f3c69f38c8a5fe57cde8fea1e81e86581e7ce7ef
SHA256 0b7534f978951c5b939f7233829b767bc785d550df88358498aec45d58d69e46
SHA512 031f42bdd180ccf159e2549d19d36807a0dc830e70d9f14a10a411b9ac464e7107d90db0da67df28f10c58a50eb7847ebe23b009d22952f89743d216af3c3219

C:\Windows\SysWOW64\Ibmmhdhm.exe

MD5 3b8153604259f0170e99ff3038845c68
SHA1 f75b88599f2a812cc1fb4d2de15121011458df8d
SHA256 4bd081e9af9ca09212b3d03f1522518157d29c40da60f16e6609f84a6923c4cf
SHA512 562a3400b388ce2fb6226c024ec57d233c0f6216d06b69d99772de062b25a974efd939582228807ec1136ee05a9e990b588f6cc87fa0c60955685dbb38acff32

C:\Windows\SysWOW64\Icljbg32.exe

MD5 3b9f30a0a67c31e67fbfc2b1f4538c50
SHA1 414a84c52a018e6ac1b0f0087d1a368016bc0db3
SHA256 568c7704d64a8e3cececa946d8875eaae0e9e7458dd05fbae301d67d71969ef7
SHA512 b8e754dda0f69770e9bd457f951a69371f1392891686f996b95350bb96e8db5d28c7ea36d401ef4dcc3085a9f153608fce7a68fa3b525005d721714af5cfa43c

C:\Windows\SysWOW64\Iikopmkd.exe

MD5 163fc7e5973e39d6b0705ed48ee2d5b2
SHA1 a479c2fcd0a583491a29602277b3479fb459b5af
SHA256 ebd4ee403769a0e30b8017d54e328a56daec628e2213863920675273aa54eb81
SHA512 4c2209f4c11d859e99aaafa81144d5e82d3e990ecc1fbe9d953f0a6c4af559976863b7a11912a062815c1cfd7411cb80716ee859ff944cb54666ece696018901


memory/2020-741-0x0000000000400000-0x0000000000443000-memory.dmp

memory/3060-749-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1964-748-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2216-747-0x0000000000400000-0x0000000000443000-memory.dmp

memory/3788-746-0x0000000000400000-0x0000000000443000-memory.dmp

memory/3472-745-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4896-744-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4812-743-0x0000000000400000-0x0000000000443000-memory.dmp

memory/3984-750-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2448-756-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4516-757-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4700-769-0x0000000000400000-0x0000000000443000-memory.dmp

memory/6024-794-0x0000000000400000-0x0000000000443000-memory.dmp

memory/5984-793-0x0000000000400000-0x0000000000443000-memory.dmp

memory/5948-792-0x0000000000400000-0x0000000000443000-memory.dmp

memory/5912-791-0x0000000000400000-0x0000000000443000-memory.dmp

memory/5876-790-0x0000000000400000-0x0000000000443000-memory.dmp

memory/5840-789-0x0000000000400000-0x0000000000443000-memory.dmp

memory/5804-788-0x0000000000400000-0x0000000000443000-memory.dmp

memory/5768-787-0x0000000000400000-0x0000000000443000-memory.dmp

memory/5732-786-0x0000000000400000-0x0000000000443000-memory.dmp

memory/5696-785-0x0000000000400000-0x0000000000443000-memory.dmp

memory/5660-784-0x0000000000400000-0x0000000000443000-memory.dmp

memory/5624-783-0x0000000000400000-0x0000000000443000-memory.dmp

memory/5588-782-0x0000000000400000-0x0000000000443000-memory.dmp

memory/5552-781-0x0000000000400000-0x0000000000443000-memory.dmp

memory/5516-780-0x0000000000400000-0x0000000000443000-memory.dmp

memory/5480-779-0x0000000000400000-0x0000000000443000-memory.dmp

memory/5444-778-0x0000000000400000-0x0000000000443000-memory.dmp

memory/5408-777-0x0000000000400000-0x0000000000443000-memory.dmp

memory/5372-776-0x0000000000400000-0x0000000000443000-memory.dmp

memory/5336-775-0x0000000000400000-0x0000000000443000-memory.dmp

memory/5300-774-0x0000000000400000-0x0000000000443000-memory.dmp

memory/5264-773-0x0000000000400000-0x0000000000443000-memory.dmp

memory/5228-772-0x0000000000400000-0x0000000000443000-memory.dmp

memory/5192-771-0x0000000000400000-0x0000000000443000-memory.dmp

memory/5160-770-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2152-768-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4668-767-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4588-766-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2836-765-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1188-764-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4296-763-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2112-762-0x0000000000400000-0x0000000000443000-memory.dmp

memory/3152-761-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4196-760-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4336-759-0x0000000000400000-0x0000000000443000-memory.dmp

memory/3944-758-0x0000000000400000-0x0000000000443000-memory.dmp

memory/3592-755-0x0000000000400000-0x0000000000443000-memory.dmp

memory/3520-754-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1060-753-0x0000000000400000-0x0000000000443000-memory.dmp

memory/3820-751-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2016-752-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Jfdida32.exe

MD5 62c6097662d67c9697fd61badbb75869
SHA1 697546892cae116a0513759e9f3dd0e7e18e1f07
SHA256 d98efcd8a8c92f244dc48b59516bf549013f9cfdee098d9a8e419625cb5fbe88
SHA512 184f1af654d585c48d571df8e382cf62f1f0c14c79ce73f7bd700d44bcc9d06d0a2a77af983387160b7fb7cd29c7654aa2b0a06f614f2627a7b2d7d4aaf2259c

C:\Windows\SysWOW64\Jdemhe32.exe

MD5 3bdfed7141df284dc5a61ca989623ee7
SHA1 b50cc633f6bb93df661c447c27f5a53894875c0f
SHA256 5cd9d1a5d7fd92e05bd10694615a02cc5ca09a3a2de2bf6ce8285a2a3661787b
SHA512 b6919ad2905ca37cc819efbb2c53b1bfcb3198ef4d5279845594e7bb4126933f3cc2b74fd6c6fe4594f3744607fa38431fa63cfe6f38c21a96c3b1f8e2a9df0b

C:\Windows\SysWOW64\Jpjqhgol.exe

MD5 c44d3e162644e1e570a47c51d761b15d
SHA1 cbbb80542d0a12c5339c70fcd05ea9695d936d74
SHA256 8df40d1a81ca6cd380721de325052d7802a0756ac2bfdcc2e48a0ffbbeeeecc5
SHA512 e364a03feca3c8c7fcac362e2e9811fdab7a4a74c4819450d2cae1597232e8fe89048c7b372589b98407e507adb217167699a52acfdc7005906080b791303267

C:\Windows\SysWOW64\Jjmhppqd.exe

MD5 d33acdcaa2eafbdce673d0e183b9a34d
SHA1 a8065d62a6cae4212732d7aa0b8b531361ba6811
SHA256 7b3859143b3026e28722f91b867d7831a50ccc73b9e1be2d8aeccbf344567679
SHA512 964cd0d97855d0476e6b82c916be2297ed3224bcc10e612177a921aa5c16b96eafd1b278494985a63dba90d233cba1b7d734673c4df2915443c22006005eb177

C:\Windows\SysWOW64\Jbfpobpb.exe

MD5 3f762938816e9168c500271ec909edd6
SHA1 9cd5803ca25d1aec108c1167f6b9158905c84766
SHA256 d14218e2dc0fde95dfe7033e639c96849bcc49b677fa9ee4de23a4e052fb185c
SHA512 446cb199076a5fbc4f47f3c9428cac838eb137d99c3140eef96631fdfb0651379990b224d1bee92da6b4fe061a47d190ba650823acbd9277bb9f7e085041dd10

C:\Windows\SysWOW64\Jpgdbg32.exe

MD5 7faa4f7efe4ea424baf0abffb02138c7
SHA1 c8738994f377c6f6f0543c6c7bef431122b7799b
SHA256 7eb666da63fc9dc8ac7ab8210ad5b27719cc0c0969dc90ea865520658b916732
SHA512 131321d3984e0b0d17584b773f905c29ab647bdfb1f045f83832d1d2b8fa38389926629b41cc4cfdc9b5c87062b4c57aedf128deed8c14d31880583a183c978c

C:\Windows\SysWOW64\Imihfl32.exe

MD5 59e53c7de773615be304abb7983ec86e
SHA1 2b5a1926290a0e07981b5dbe9e70420a5784c2d0
SHA256 a626ae13d2efc9b9561f16f2334480a277f61142dd4d1fc6436bb15df34fdb4c
SHA512 1a14f73ba754aac6b5de266fa790fdc7447e30162779b9676a5dfbc8161d8baf636c28f43c2c4a38577ac47b87815d4a31119f68d1bedb055e505e70400109b7

C:\Windows\SysWOW64\Ijkljp32.exe

MD5 04c007218c6007c3e0bb9a32af30c8ac
SHA1 26fa0bbc089d14903f9f4faba9d472e0f30682dc
SHA256 947a79e068787a019d3a8810e87042e21b8379659af1f392258724ab633c3298
SHA512 11cc99f3bf3c5e8c61928099a1654114adb801389a276635166f586f698f286ce057ff76ab3e98f3cd9c42407a79f161a59247f8ebffa5ab2a3eb03d4793769f

C:\Windows\SysWOW64\Ifopiajn.exe

MD5 c03d2b5b6ab58a97c4f84329e34afb46
SHA1 0b02329ea177b7357bad818e5f6ffdf00d39bb52
SHA256 c6d74be939afe6c477e20f72ef498ba31bb40c6bc94a40b2ad87fec6c3fccf98
SHA512 6fb073ff6f794886f70f656fc67a2cd81fe46c94dbc435b70f68d086a5b900a66c012da441e8c25dd6b8e113f78b975c27b152ff88be1715604db3c7c0bd7f70

C:\Windows\SysWOW64\Idacmfkj.exe

MD5 2ffff722a85ef94b9c1a9408ae1ad1f1
SHA1 47e90a2fa76de84d00ba778835a792225718f109
SHA256 f7fbf549cb8030113df3036c094bbf223a77430ad3c2eaff6c3e9c5efc37fa40
SHA512 61e83eb028b36fc4b373d4b209b23e13ded2a98f42a112207dff6c40e75049f81d16d1abc21af08ef67ece739244aefa74b5f55c13a400b128bdaa8e5a3f5b00

C:\Windows\SysWOW64\Iabgaklg.exe

MD5 ac215a82bf1e7e6ceccaf872a04896d7
SHA1 3ce7784ba4409db6a18f54babb3e22cad4d0ba8d
SHA256 f2565363708530fb183c9906e3e90346bdf5458c6c339c147bf9fdaa69dfa241
SHA512 bd01b8185861b0f15aabf606a3b434ed8c4225a7d57052f049442cc34eaeea2a6e3172fe739a5a9d60d6d9d5aa5809965b4dcd59d45e2c385c73d07df945bbe9

C:\Windows\SysWOW64\Ifmcdblq.exe

MD5 dd46184b6bdbad02489abd10ecae6c93
SHA1 981b2c30201fc1057972e5a5e3ccaa8c6e6e04ed
SHA256 18502a0e3b70cb8b5c61634cca1ed5ccd013914bbc56e42107091e92d56a81a3
SHA512 b7a63892692892918a44ce9aa03c67cb3983a772e1f5b0d0a934518beb24429345121879b5016bf437474fa6e15a5a77e5be6da84dc1b9b3aeaf2e2702cbaf64

C:\Windows\SysWOW64\Idofhfmm.exe

MD5 a7aaee2ff732410207261e296b0f6e42
SHA1 19aa12834499e189920719e54f741d2c4bbae3ec
SHA256 3fe548d57ab43fc0ebc48860b4e632101f90956d89782de8f8ad3f09a909293d
SHA512 350cca5f0a7ccecb4d541f8b5d27ef13f6853f6e98b44b2e797ee60b7c25c1ab6abced1b2e77f333cbab58515819c754bf025edd2e2901cb155c2f37bceee5d7

C:\Windows\SysWOW64\Ipckgh32.exe

MD5 d6d5ff4d9b1e391d010a70a4b871829a
SHA1 f658c82f31c1ee5fc381f939227e02abb384e5ba
SHA256 39e54a62ae630f96cbc843a5b281ca11bbee237a00ec40e4a7d1e0b73425a2fc
SHA512 a1544624472c4d722116e99a44be94040837cd095975d2c740e8479a4b2533eea44680e6c0d228bbfb7f03742b3cf002290e96096d7a15fa5797ade3d4eb2eef

C:\Windows\SysWOW64\Imdnklfp.exe

MD5 95118c7345561ebbcd8dcc76e8187e18
SHA1 3293d555182b0a57239c8a5440ecaac688d69c3b
SHA256 c72484daf8acce82806ead1c6f632d71af5fab9b16917d4980a8d916720e4640
SHA512 b0e32b127328477108de255558e57d7acac11067a8784c1da4b407d5dae941f0b5290b384a92dab13cb89a9a885b71734c5478d37c411168cd4d8845d4325cfa

C:\Windows\SysWOW64\Ijfboafl.exe

MD5 36070e9ca2b31f64c74b273e321bc9e3
SHA1 fa9c159f13179920a20c933252935d18a30886c1
SHA256 a86c4e97513f49fca1a179e1f0e0050edaa13bf58eb586fb58eaa61b82b84777
SHA512 3b8317d020905c333411d7b54e7d5bd7aee2ae58369e182ee86f7c107c6eb2e34ea82eaa5ea1855ffb5bedde78e6f91cb98cbaf05205cb474986475f6dec48ba

C:\Windows\SysWOW64\Ifjfnb32.exe

MD5 5db91d343daf81966a0194ca5c542453
SHA1 f40d79743c09d5f8911fd1567617b81c14c30d2c
SHA256 247964b8f7e9049544e0d810264646bfe345507e224a5d895f010020ab5053cd
SHA512 b020653a8101fb451e4c9c1f33818b07316dee2d1bfdc0847271c997ee02d223418e2911b353bc47140f6f96aa38ac61f52929961c8435a4627c27ff0dc6d894

C:\Windows\SysWOW64\Ipqnahgf.exe

MD5 517aa89e6d22b95394b33f276f24494d
SHA1 61a2bc140179dc84a84e56051046c293cfcbb597
SHA256 92ae9b0d244899cf46f6557b728d4b8f90153a52721ab364c601a1f86afa13f6
SHA512 a80ef903106bb6b3560ef415de46119da10e39aa41b49114043cd69c07bdfccf84c708f83716c5dbabd740e0d9b286a6dbfce91df054b29fc8fb90381c492b13

C:\Windows\SysWOW64\Iiffen32.exe

MD5 c7d90bb6ca2a513b7b38693c2b8f7185
SHA1 0c63a5c502e472e6ad5eba002b1ca4d4e6d90ebb
SHA256 96a1633a9099fb35176f3073633c50498a4d73957b156bf125bc9901974a64d6
SHA512 30640a15b89b47531112f04caf744883ab707722d32bd4953136296047408f56b91ced3a45e59fed243b974fc7dc400a38817d5d3d4d3c6971f4a1aa1127ba89

C:\Windows\SysWOW64\Ijdeiaio.exe

MD5 e01f1530cff0fec2483c7dd22d500f84
SHA1 17038ae365860ba8a32d3ece76fa166de1c1feb7
SHA256 71436df1a7a5cd895e669d78ba62a15ffc5f59a29c9715e5dded8700f3fc48ff
SHA512 bb4130b6df25a7ef03904e27e2ac32687c11869360d7cf5c1fb2f0166229d04c6bce301ddf25f912b09322c2e3b3805016daf29a50cd5592139a70e92c03a08a

C:\Windows\SysWOW64\Ipnalhii.exe

MD5 b6cfea1dd32fc95ddeb1f237c32f31d0
SHA1 189cb6bc115bc1d8016168d504aa89eb83590828
SHA256 78ae9ddb0ea928a79e265d6987cb7a8125feaa5ee83afff193eadf7ea9a30443
SHA512 b1022bf8451bcd6c24f96b3ba04fe73c2f22575e643581d42e471e79e5ceda65a86c3dd95c4aff3885ae4c2245df118e0b071a8ad19abc418608670e0e6ca64d

memory/5104-51-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4608-35-0x0000000000400000-0x0000000000443000-memory.dmp
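The entries in this section come in two shapes: a dropped-file record (a SysWOW64 path followed by one MD5, SHA1, SHA256 and SHA512 line) and a memory artefact named memory/<pid>-<index>-<base>-<end>-memory.dmp. The Python below is an added example, not part of the report or of the sandbox's tooling: it parses that block layout into IOC records, rejects truncated or non-hex digests before they can reach a blocklist, indexes the SHA-256 values for a directory sweep, and groups the memory dumps by (base, size) so that many PIDs sharing the one 0x400000..0x443000 image, as they do throughout this section, collapse into a single key. The SAMPLE text is two file records and two memory entries copied from the report above; the decoy file, its contents and the path C:\Windows\SysWOW64\Decoy32.exe in demo_scan are constructed for the demonstration and do not appear in the report.

```python
import hashlib
import os
import re
import tempfile
from typing import Dict, List, NamedTuple, Tuple

# Expected hex-digest lengths; a digest truncated in a copied report would otherwise load silently and never match.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Memory artefact names as printed in the report: memory/<pid>-<index>-<base>-<end>-memory.dmp
MEMDUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-(0x[0-9a-fA-F]+)-(0x[0-9a-fA-F]+)-memory\.dmp$")

class DroppedFile(NamedTuple):
    path: str
    hashes: Dict[str, str]

class MemoryRegion(NamedTuple):
    pid: int
    index: int
    base: int
    end: int

def parse_report(text: str) -> Tuple[List[DroppedFile], List[MemoryRegion]]:
    """Parse the report layout: a path line, then one 'ALGO digest' line per hash."""
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEMDUMP_RE.match(line)
        if m:
            pid, idx, base, end = m.groups()
            regions.append(MemoryRegion(int(pid), int(idx), int(base, 16), int(end, 16)))
            current = None  # a hash line must not attach to a memory entry
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in DIGEST_LEN:
            algo, digest = parts[0], parts[1].lower()
            if current is None:
                raise ValueError(f"hash line without a preceding path: {line!r}")
            if len(digest) != DIGEST_LEN[algo] or not re.fullmatch(r"[0-9a-f]+", digest):
                raise ValueError(f"malformed {algo} for {current.path}: {digest!r}")
            current.hashes[algo] = digest
            continue
        current = DroppedFile(line, {})  # anything else starts a new file record
        files.append(current)
    return files, regions

def build_index(files: List[DroppedFile]) -> Dict[str, str]:
    """SHA-256 -> reported path; MD5/SHA1 are kept only for correlating with older feeds."""
    return {f.hashes["SHA256"]: f.path for f in files if "SHA256" in f.hashes}

def sha256_of(path: str) -> str:
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def scan_directory(root: str, index: Dict[str, str]) -> Dict[str, str]:
    """Return {local file: reported path} for every file whose SHA-256 is in the index."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            local = os.path.join(dirpath, name)
            try:
                digest = sha256_of(local)
            except OSError:  # unreadable, or gone between listing and hashing
                continue
            if digest in index:
                hits[local] = index[digest]
    return hits

def summarize_regions(regions: List[MemoryRegion]) -> Dict[Tuple[int, int], List[int]]:
    """Group dumps by (base, size): one image mapped into many PIDs collapses to one key."""
    by_layout = {}
    for r in regions:
        by_layout.setdefault((r.base, r.end - r.base), set()).add(r.pid)
    return {k: sorted(v) for k, v in by_layout.items()}

# Two file records and two memory entries copied verbatim from the report above.
SAMPLE = """\
memory/4544-50-0x0000000000400000-0x0000000000443000-memory.dmp
C:\\Windows\\SysWOW64\\Iffmccbi.exe
MD5 b8e774cef46a332350cec813efd873a9
SHA1 c021c65f1e960526a9601a019223ee93c19d0f0e
SHA256 50ad93f51adb3a4d5738bd1676dc8994c5891eebd2e45cf9eacb4d2e8f924633
SHA512 eb8ee7a6f550705c6af32fe3314f35e0ed75f8a62ea28f57144ff88c2587d4acf1d79b72143aab52b8ade2e9ed2ef3dc2f382f079dcab641a56fe49decd00921

C:\\Windows\\SysWOW64\\Impepm32.exe
MD5 15db1ecdc028ffb2759e368815142020
SHA1 f3c69f38c8a5fe57cde8fea1e81e86581e7ce7ef
SHA256 0b7534f978951c5b939f7233829b767bc785d550df88358498aec45d58d69e46
SHA512 031f42bdd180ccf159e2549d19d36807a0dc830e70d9f14a10a411b9ac464e7107d90db0da67df28f10c58a50eb7847ebe23b009d22952f89743d216af3c3219
memory/5076-709-0x0000000000400000-0x0000000000443000-memory.dmp
"""

def demo_scan() -> Dict[str, str]:
    """Constructed demo: a decoy file whose SHA-256 is added to the index under a hypothetical path."""
    index = build_index(parse_report(SAMPLE)[0])
    with tempfile.TemporaryDirectory() as tmp:
        decoy = os.path.join(tmp, "Decoy32.exe")  # constructed, not from the report
        with open(decoy, "wb") as fh:
            fh.write(b"MZ constructed decoy body")
        index[sha256_of(decoy)] = "C:\\Windows\\SysWOW64\\Decoy32.exe"  # hypothetical path
        return {os.path.basename(k): v for k, v in scan_directory(tmp, index).items()}
```

To sweep a mounted image, feed the whole Files section to parse_report and call scan_directory on the SysWOW64 copy with build_index(files). Matching is done on SHA-256 only; the MD5 and SHA1 values are carried along for correlation with feeds that still key on them, not as match criteria. parse_report raises rather than skipping a malformed digest, because a silently dropped hash is a miss you will never see in a scan result.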