Malware Analysis Report

2024-10-16 04:31

Sample ID 240602-bny18sed52
Target 1af96b8fbb73ee88c199ca85e4bbfdf0_NeikiAnalytics.exe
SHA256 7ce15050a3854493ef4d860cc954796c5afd8f3b35fda322003d24e8e38b47ba
Tags
backdoor trojan dropper berbew persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7ce15050a3854493ef4d860cc954796c5afd8f3b35fda322003d24e8e38b47ba

Threat Level: Known bad

The file 1af96b8fbb73ee88c199ca85e4bbfdf0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

backdoor trojan dropper berbew persistence

Adds autorun key to be loaded by Explorer.exe on startup

Berbew family

Malware Dropper & Backdoor - Berbew

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-02 01:18

Signatures

Berbew family

berbew

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-02 01:18

Reported

2024-06-02 01:20

Platform

win7-20240508-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1af96b8fbb73ee88c199ca85e4bbfdf0_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mmceigep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ngnbgplj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cgejac32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ednpej32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ncjqhmkm.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ojfaijcc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pjadmnic.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cdgneh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Echfaf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bhigphio.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bppoqeja.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nhiffc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Omdneebf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pgplkb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qfahhm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aibajhdn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qbelgood.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bkommo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Egjpkffe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kaklpcoc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kfgdhjmk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mlmlecec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nefpnhlc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nocnbmoo.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lollckbk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Peiepfgg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Biicik32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Effcma32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lbeknj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qcpofbjl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ccahbp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Egafleqm.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kaklpcoc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bbhela32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dlnbeh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Enhacojl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Enhacojl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Amfcikek.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Enfenplo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lckdanld.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mmceigep.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nocnbmoo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pflomnkb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qlkdkd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Alpmfdcb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cnobnmpl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dhdcji32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mdkqqa32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Omdneebf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oikojfgk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Obcccl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pmanoifd.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ebmgcohn.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eojnkg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kifpdelo.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lpdbloof.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ngnbgplj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ehgppi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dccagcgk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lkncmmle.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mggpgmof.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pmanoifd.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ppbfpd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qfahhm32.exe N/A

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Kgpjanje.exe N/A
N/A N/A C:\Windows\SysWOW64\Kahojc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kfegbj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kaklpcoc.exe N/A
N/A N/A C:\Windows\SysWOW64\Kfgdhjmk.exe N/A
N/A N/A C:\Windows\SysWOW64\Kifpdelo.exe N/A
N/A N/A C:\Windows\SysWOW64\Lckdanld.exe N/A
N/A N/A C:\Windows\SysWOW64\Lihmjejl.exe N/A
N/A N/A C:\Windows\SysWOW64\Loeebl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Leonofpp.exe N/A
N/A N/A C:\Windows\SysWOW64\Lpdbloof.exe N/A
N/A N/A C:\Windows\SysWOW64\Lbcnhjnj.exe N/A
N/A N/A C:\Windows\SysWOW64\Lkncmmle.exe N/A
N/A N/A C:\Windows\SysWOW64\Lbeknj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lhbcfa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lollckbk.exe N/A
N/A N/A C:\Windows\SysWOW64\Ldidkbpb.exe N/A
N/A N/A C:\Windows\SysWOW64\Mggpgmof.exe N/A
N/A N/A C:\Windows\SysWOW64\Mamddf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdkqqa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mkeimlfm.exe N/A
N/A N/A C:\Windows\SysWOW64\Mmceigep.exe N/A
N/A N/A C:\Windows\SysWOW64\Mmceigep.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgljbm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mcbjgn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgnfhlin.exe N/A
N/A N/A C:\Windows\SysWOW64\Mpfkqb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgqcmlgl.exe N/A
N/A N/A C:\Windows\SysWOW64\Mlmlecec.exe N/A
N/A N/A C:\Windows\SysWOW64\Nefpnhlc.exe N/A
N/A N/A C:\Windows\SysWOW64\Ncjqhmkm.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhfipcid.exe N/A
N/A N/A C:\Windows\SysWOW64\Noqamn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Naoniipe.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhiffc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nocnbmoo.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndpfkdmf.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngnbgplj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndbcpd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngpolo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oddpfc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofelmloo.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojahnj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ocimgp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oqmmpd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oclilp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Obojhlbq.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojfaijcc.exe N/A
N/A N/A C:\Windows\SysWOW64\Omdneebf.exe N/A
N/A N/A C:\Windows\SysWOW64\Oobjaqaj.exe N/A
N/A N/A C:\Windows\SysWOW64\Obafnlpn.exe N/A
N/A N/A C:\Windows\SysWOW64\Oikojfgk.exe N/A
N/A N/A C:\Windows\SysWOW64\Okikfagn.exe N/A
N/A N/A C:\Windows\SysWOW64\Obcccl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pdaoog32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pgplkb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pogclp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Piphee32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pgbhabjp.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjadmnic.exe N/A
N/A N/A C:\Windows\SysWOW64\Pbhmnkjf.exe N/A
N/A N/A C:\Windows\SysWOW64\Pciifc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pgeefbhm.exe N/A
N/A N/A C:\Windows\SysWOW64\Pmanoifd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1af96b8fbb73ee88c199ca85e4bbfdf0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1af96b8fbb73ee88c199ca85e4bbfdf0_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\SysWOW64\Kgpjanje.exe N/A
N/A N/A C:\Windows\SysWOW64\Kgpjanje.exe N/A
N/A N/A C:\Windows\SysWOW64\Kahojc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kahojc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kfegbj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kfegbj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kaklpcoc.exe N/A
N/A N/A C:\Windows\SysWOW64\Kaklpcoc.exe N/A
N/A N/A C:\Windows\SysWOW64\Kfgdhjmk.exe N/A
N/A N/A C:\Windows\SysWOW64\Kfgdhjmk.exe N/A
N/A N/A C:\Windows\SysWOW64\Kifpdelo.exe N/A
N/A N/A C:\Windows\SysWOW64\Kifpdelo.exe N/A
N/A N/A C:\Windows\SysWOW64\Lckdanld.exe N/A
N/A N/A C:\Windows\SysWOW64\Lckdanld.exe N/A
N/A N/A C:\Windows\SysWOW64\Lihmjejl.exe N/A
N/A N/A C:\Windows\SysWOW64\Lihmjejl.exe N/A
N/A N/A C:\Windows\SysWOW64\Loeebl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Loeebl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Leonofpp.exe N/A
N/A N/A C:\Windows\SysWOW64\Leonofpp.exe N/A
N/A N/A C:\Windows\SysWOW64\Lpdbloof.exe N/A
N/A N/A C:\Windows\SysWOW64\Lpdbloof.exe N/A
N/A N/A C:\Windows\SysWOW64\Lbcnhjnj.exe N/A
N/A N/A C:\Windows\SysWOW64\Lbcnhjnj.exe N/A
N/A N/A C:\Windows\SysWOW64\Lkncmmle.exe N/A
N/A N/A C:\Windows\SysWOW64\Lkncmmle.exe N/A
N/A N/A C:\Windows\SysWOW64\Lbeknj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lbeknj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lhbcfa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lhbcfa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lollckbk.exe N/A
N/A N/A C:\Windows\SysWOW64\Lollckbk.exe N/A
N/A N/A C:\Windows\SysWOW64\Ldidkbpb.exe N/A
N/A N/A C:\Windows\SysWOW64\Ldidkbpb.exe N/A
N/A N/A C:\Windows\SysWOW64\Mggpgmof.exe N/A
N/A N/A C:\Windows\SysWOW64\Mggpgmof.exe N/A
N/A N/A C:\Windows\SysWOW64\Mamddf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mamddf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdkqqa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdkqqa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mkeimlfm.exe N/A
N/A N/A C:\Windows\SysWOW64\Mkeimlfm.exe N/A
N/A N/A C:\Windows\SysWOW64\Mmceigep.exe N/A
N/A N/A C:\Windows\SysWOW64\Mmceigep.exe N/A
N/A N/A C:\Windows\SysWOW64\Mmceigep.exe N/A
N/A N/A C:\Windows\SysWOW64\Mmceigep.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgljbm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgljbm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mcbjgn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mcbjgn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgnfhlin.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgnfhlin.exe N/A
N/A N/A C:\Windows\SysWOW64\Mpfkqb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mpfkqb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgqcmlgl.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgqcmlgl.exe N/A
N/A N/A C:\Windows\SysWOW64\Mlmlecec.exe N/A
N/A N/A C:\Windows\SysWOW64\Mlmlecec.exe N/A
N/A N/A C:\Windows\SysWOW64\Nefpnhlc.exe N/A
N/A N/A C:\Windows\SysWOW64\Nefpnhlc.exe N/A
N/A N/A C:\Windows\SysWOW64\Ncjqhmkm.exe N/A
N/A N/A C:\Windows\SysWOW64\Ncjqhmkm.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Efaibbij.exe C:\Windows\SysWOW64\Eccmffjf.exe N/A
File created C:\Windows\SysWOW64\Ekgednng.dll C:\Windows\SysWOW64\Egafleqm.exe N/A
File opened for modification C:\Windows\SysWOW64\Nhiffc32.exe C:\Windows\SysWOW64\Naoniipe.exe N/A
File created C:\Windows\SysWOW64\Njmggi32.dll C:\Windows\SysWOW64\Ejhlgaeh.exe N/A
File opened for modification C:\Windows\SysWOW64\Aipddi32.exe C:\Windows\SysWOW64\Qfahhm32.exe N/A
File created C:\Windows\SysWOW64\Cddaphkn.exe C:\Windows\SysWOW64\Cohigamf.exe N/A
File created C:\Windows\SysWOW64\Nanbpedg.dll C:\Windows\SysWOW64\Cohigamf.exe N/A
File created C:\Windows\SysWOW64\Eccmffjf.exe C:\Windows\SysWOW64\Eqdajkkb.exe N/A
File opened for modification C:\Windows\SysWOW64\Loeebl32.exe C:\Windows\SysWOW64\Lihmjejl.exe N/A
File opened for modification C:\Windows\SysWOW64\Oddpfc32.exe C:\Windows\SysWOW64\Ngpolo32.exe N/A
File created C:\Windows\SysWOW64\Edekcace.dll C:\Windows\SysWOW64\Dojald32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dkqbaecc.exe C:\Windows\SysWOW64\Dlnbeh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cddaphkn.exe C:\Windows\SysWOW64\Cohigamf.exe N/A
File created C:\Windows\SysWOW64\Akigbbni.dll C:\Windows\SysWOW64\Cppkph32.exe N/A
File created C:\Windows\SysWOW64\Mmnclh32.dll C:\Windows\SysWOW64\Dkqbaecc.exe N/A
File opened for modification C:\Windows\SysWOW64\Bdeeqehb.exe C:\Windows\SysWOW64\Bmkmdk32.exe N/A
File created C:\Windows\SysWOW64\Bmpfojmp.exe C:\Windows\SysWOW64\Bidjnkdg.exe N/A
File created C:\Windows\SysWOW64\Ajjmcaea.dll C:\Windows\SysWOW64\Ajjcbpdd.exe N/A
File created C:\Windows\SysWOW64\Lihmjejl.exe C:\Windows\SysWOW64\Lckdanld.exe N/A
File created C:\Windows\SysWOW64\Ojfaijcc.exe C:\Windows\SysWOW64\Obojhlbq.exe N/A
File created C:\Windows\SysWOW64\Mmceigep.exe C:\Windows\SysWOW64\Mmceigep.exe N/A
File created C:\Windows\SysWOW64\Pmbdhi32.dll C:\Windows\SysWOW64\Bpleef32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bmpfojmp.exe C:\Windows\SysWOW64\Bidjnkdg.exe N/A
File opened for modification C:\Windows\SysWOW64\Cdgneh32.exe C:\Windows\SysWOW64\Cnmehnan.exe N/A
File created C:\Windows\SysWOW64\Ijqnib32.dll C:\Windows\SysWOW64\Lollckbk.exe N/A
File created C:\Windows\SysWOW64\Mggpgmof.exe C:\Windows\SysWOW64\Ldidkbpb.exe N/A
File opened for modification C:\Windows\SysWOW64\Dnoomqbg.exe C:\Windows\SysWOW64\Dkqbaecc.exe N/A
File created C:\Windows\SysWOW64\Qbelgood.exe C:\Windows\SysWOW64\Qlkdkd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Abjebn32.exe C:\Windows\SysWOW64\Alpmfdcb.exe N/A
File created C:\Windows\SysWOW64\Idnhde32.dll C:\Windows\SysWOW64\Qmfgjh32.exe N/A
File created C:\Windows\SysWOW64\Limilm32.dll C:\Windows\SysWOW64\Kahojc32.exe N/A
File created C:\Windows\SysWOW64\Lkncmmle.exe C:\Windows\SysWOW64\Lbcnhjnj.exe N/A
File opened for modification C:\Windows\SysWOW64\Qjjgclai.exe C:\Windows\SysWOW64\Qcpofbjl.exe N/A
File created C:\Windows\SysWOW64\Dogefd32.exe C:\Windows\SysWOW64\Dhnmij32.exe N/A
File created C:\Windows\SysWOW64\Dfdjhndl.exe C:\Windows\SysWOW64\Dbhnhp32.exe N/A
File created C:\Windows\SysWOW64\Lpdbloof.exe C:\Windows\SysWOW64\Leonofpp.exe N/A
File created C:\Windows\SysWOW64\Necfoajd.dll C:\Windows\SysWOW64\Oclilp32.exe N/A
File created C:\Windows\SysWOW64\Cgejac32.exe C:\Windows\SysWOW64\Cdgneh32.exe N/A
File created C:\Windows\SysWOW64\Dglpkenb.dll C:\Windows\SysWOW64\Cclkfdnc.exe N/A
File created C:\Windows\SysWOW64\Odifab32.dll C:\Windows\SysWOW64\Dccagcgk.exe N/A
File created C:\Windows\SysWOW64\Pbqpqcoj.dll C:\Windows\SysWOW64\Pgplkb32.exe N/A
File created C:\Windows\SysWOW64\Amfcikek.exe C:\Windows\SysWOW64\Ajhgmpfg.exe N/A
File created C:\Windows\SysWOW64\Ppbfpd32.exe C:\Windows\SysWOW64\Pmdjdh32.exe N/A
File created C:\Windows\SysWOW64\Ecfhengk.dll C:\Windows\SysWOW64\Ppbfpd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Qpecfc32.exe C:\Windows\SysWOW64\Qmfgjh32.exe N/A
File created C:\Windows\SysWOW64\Aaobdjof.exe C:\Windows\SysWOW64\Anafhopc.exe N/A
File created C:\Windows\SysWOW64\Onjnkb32.dll C:\Windows\SysWOW64\Aaaoij32.exe N/A
File created C:\Windows\SysWOW64\Lnfhlh32.dll C:\Windows\SysWOW64\Cgejac32.exe N/A
File created C:\Windows\SysWOW64\Nchnel32.dll C:\Windows\SysWOW64\Oobjaqaj.exe N/A
File opened for modification C:\Windows\SysWOW64\Pbhmnkjf.exe C:\Windows\SysWOW64\Pjadmnic.exe N/A
File created C:\Windows\SysWOW64\Dlnbeh32.exe C:\Windows\SysWOW64\Dfdjhndl.exe N/A
File opened for modification C:\Windows\SysWOW64\Ejobhppq.exe C:\Windows\SysWOW64\Egafleqm.exe N/A
File opened for modification C:\Windows\SysWOW64\Djhphncm.exe C:\Windows\SysWOW64\Dfmdho32.exe N/A
File created C:\Windows\SysWOW64\Emnndlod.exe C:\Windows\SysWOW64\Ejobhppq.exe N/A
File created C:\Windows\SysWOW64\Mgljbm32.exe C:\Windows\SysWOW64\Mmceigep.exe N/A
File created C:\Windows\SysWOW64\Ldhnfd32.dll C:\Windows\SysWOW64\Qcpofbjl.exe N/A
File created C:\Windows\SysWOW64\Lhnffb32.dll C:\Windows\SysWOW64\Pgbhabjp.exe N/A
File opened for modification C:\Windows\SysWOW64\Cclkfdnc.exe C:\Windows\SysWOW64\Caknol32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dfoqmo32.exe C:\Windows\SysWOW64\Dcadac32.exe N/A
File created C:\Windows\SysWOW64\Egjpkffe.exe C:\Windows\SysWOW64\Ehgppi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Eojnkg32.exe C:\Windows\SysWOW64\Eqgnokip.exe N/A
File created C:\Windows\SysWOW64\Cddfocpb.dll C:\Users\Admin\AppData\Local\Temp\1af96b8fbb73ee88c199ca85e4bbfdf0_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Ndbcpd32.exe C:\Windows\SysWOW64\Ngnbgplj.exe N/A
File opened for modification C:\Windows\SysWOW64\Ejhlgaeh.exe C:\Windows\SysWOW64\Egjpkffe.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Fkckeh32.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pdaoog32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Oikojfgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcaiqm32.dll" C:\Windows\SysWOW64\Oikojfgk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pogclp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mggpgmof.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jknpfqoh.dll" C:\Windows\SysWOW64\Mkeimlfm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nocnbmoo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cdgneh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dfmdho32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dhdcji32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aipddi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cdbdjhmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaqddb32.dll" C:\Windows\SysWOW64\Enhacojl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Eojnkg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Emnndlod.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qbelgood.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aemkjiem.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mdkqqa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nhfipcid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Noqamn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Okikfagn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pciifc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilbgbe32.dll" C:\Windows\SysWOW64\Pmanoifd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dhnmij32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Leonofpp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qmfgjh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akigbbni.dll" C:\Windows\SysWOW64\Cppkph32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fileil32.dll" C:\Windows\SysWOW64\Dfoqmo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mgqcmlgl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ncjqhmkm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fljdpbcc.dll" C:\Windows\SysWOW64\Nhiffc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fehofegb.dll" C:\Windows\SysWOW64\Alnqqd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfmnmlid.dll" C:\Windows\SysWOW64\Chpmpg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Egafleqm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ldidkbpb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpajdp32.dll" C:\Windows\SysWOW64\Obafnlpn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpioaoic.dll" C:\Windows\SysWOW64\Qimhoi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bbjbaa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aelcmdee.dll" C:\Windows\SysWOW64\Qfahhm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidengnp.dll" C:\Windows\SysWOW64\Abhimnma.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clkmne32.dll" C:\Windows\SysWOW64\Fidoim32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ndpfkdmf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pfjbgnme.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdmqokqf.dll" C:\Windows\SysWOW64\Pflomnkb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Djmicm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ehgppi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpkof32.dll" C:\Windows\SysWOW64\Piphee32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aaaoij32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bdbhke32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bmkmdk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iefmgahq.dll" C:\Windows\SysWOW64\Bbokmqie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cclkfdnc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pgplkb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kaklpcoc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lbcnhjnj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dkqbaecc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ojfaijcc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cojema32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgmefakc.dll" C:\Windows\SysWOW64\Okikfagn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lijfoo32.dll" C:\Windows\SysWOW64\Pgeefbhm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mcbjgn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Caknol32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Eojnkg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmnlfg32.dll" C:\Windows\SysWOW64\Cnmehnan.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1688 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\1af96b8fbb73ee88c199ca85e4bbfdf0_NeikiAnalytics.exe C:\Windows\SysWOW64\Kgpjanje.exe
PID 1688 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\1af96b8fbb73ee88c199ca85e4bbfdf0_NeikiAnalytics.exe C:\Windows\SysWOW64\Kgpjanje.exe
PID 1688 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\1af96b8fbb73ee88c199ca85e4bbfdf0_NeikiAnalytics.exe C:\Windows\SysWOW64\Kgpjanje.exe
PID 1688 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\1af96b8fbb73ee88c199ca85e4bbfdf0_NeikiAnalytics.exe C:\Windows\SysWOW64\Kgpjanje.exe
PID 1988 wrote to memory of 2336 N/A C:\Windows\SysWOW64\Kgpjanje.exe C:\Windows\SysWOW64\Kahojc32.exe
PID 1988 wrote to memory of 2336 N/A C:\Windows\SysWOW64\Kgpjanje.exe C:\Windows\SysWOW64\Kahojc32.exe
PID 1988 wrote to memory of 2336 N/A C:\Windows\SysWOW64\Kgpjanje.exe C:\Windows\SysWOW64\Kahojc32.exe
PID 1988 wrote to memory of 2336 N/A C:\Windows\SysWOW64\Kgpjanje.exe C:\Windows\SysWOW64\Kahojc32.exe
PID 2336 wrote to memory of 2736 N/A C:\Windows\SysWOW64\Kahojc32.exe C:\Windows\SysWOW64\Kfegbj32.exe
PID 2336 wrote to memory of 2736 N/A C:\Windows\SysWOW64\Kahojc32.exe C:\Windows\SysWOW64\Kfegbj32.exe
PID 2336 wrote to memory of 2736 N/A C:\Windows\SysWOW64\Kahojc32.exe C:\Windows\SysWOW64\Kfegbj32.exe
PID 2336 wrote to memory of 2736 N/A C:\Windows\SysWOW64\Kahojc32.exe C:\Windows\SysWOW64\Kfegbj32.exe
PID 2736 wrote to memory of 1324 N/A C:\Windows\SysWOW64\Kfegbj32.exe C:\Windows\SysWOW64\Kaklpcoc.exe
PID 2736 wrote to memory of 1324 N/A C:\Windows\SysWOW64\Kfegbj32.exe C:\Windows\SysWOW64\Kaklpcoc.exe
PID 2736 wrote to memory of 1324 N/A C:\Windows\SysWOW64\Kfegbj32.exe C:\Windows\SysWOW64\Kaklpcoc.exe
PID 2736 wrote to memory of 1324 N/A C:\Windows\SysWOW64\Kfegbj32.exe C:\Windows\SysWOW64\Kaklpcoc.exe
PID 1324 wrote to memory of 2812 N/A C:\Windows\SysWOW64\Kaklpcoc.exe C:\Windows\SysWOW64\Kfgdhjmk.exe
PID 1324 wrote to memory of 2812 N/A C:\Windows\SysWOW64\Kaklpcoc.exe C:\Windows\SysWOW64\Kfgdhjmk.exe
PID 1324 wrote to memory of 2812 N/A C:\Windows\SysWOW64\Kaklpcoc.exe C:\Windows\SysWOW64\Kfgdhjmk.exe
PID 1324 wrote to memory of 2812 N/A C:\Windows\SysWOW64\Kaklpcoc.exe C:\Windows\SysWOW64\Kfgdhjmk.exe
PID 2812 wrote to memory of 2208 N/A C:\Windows\SysWOW64\Kfgdhjmk.exe C:\Windows\SysWOW64\Kifpdelo.exe
PID 2812 wrote to memory of 2208 N/A C:\Windows\SysWOW64\Kfgdhjmk.exe C:\Windows\SysWOW64\Kifpdelo.exe
PID 2812 wrote to memory of 2208 N/A C:\Windows\SysWOW64\Kfgdhjmk.exe C:\Windows\SysWOW64\Kifpdelo.exe
PID 2812 wrote to memory of 2208 N/A C:\Windows\SysWOW64\Kfgdhjmk.exe C:\Windows\SysWOW64\Kifpdelo.exe
PID 2208 wrote to memory of 3000 N/A C:\Windows\SysWOW64\Kifpdelo.exe C:\Windows\SysWOW64\Lckdanld.exe
PID 2208 wrote to memory of 3000 N/A C:\Windows\SysWOW64\Kifpdelo.exe C:\Windows\SysWOW64\Lckdanld.exe
PID 2208 wrote to memory of 3000 N/A C:\Windows\SysWOW64\Kifpdelo.exe C:\Windows\SysWOW64\Lckdanld.exe
PID 2208 wrote to memory of 3000 N/A C:\Windows\SysWOW64\Kifpdelo.exe C:\Windows\SysWOW64\Lckdanld.exe
PID 3000 wrote to memory of 1036 N/A C:\Windows\SysWOW64\Lckdanld.exe C:\Windows\SysWOW64\Lihmjejl.exe
PID 3000 wrote to memory of 1036 N/A C:\Windows\SysWOW64\Lckdanld.exe C:\Windows\SysWOW64\Lihmjejl.exe
PID 3000 wrote to memory of 1036 N/A C:\Windows\SysWOW64\Lckdanld.exe C:\Windows\SysWOW64\Lihmjejl.exe
PID 3000 wrote to memory of 1036 N/A C:\Windows\SysWOW64\Lckdanld.exe C:\Windows\SysWOW64\Lihmjejl.exe
PID 1036 wrote to memory of 1508 N/A C:\Windows\SysWOW64\Lihmjejl.exe C:\Windows\SysWOW64\Loeebl32.exe
PID 1036 wrote to memory of 1508 N/A C:\Windows\SysWOW64\Lihmjejl.exe C:\Windows\SysWOW64\Loeebl32.exe
PID 1036 wrote to memory of 1508 N/A C:\Windows\SysWOW64\Lihmjejl.exe C:\Windows\SysWOW64\Loeebl32.exe
PID 1036 wrote to memory of 1508 N/A C:\Windows\SysWOW64\Lihmjejl.exe C:\Windows\SysWOW64\Loeebl32.exe
PID 1508 wrote to memory of 1972 N/A C:\Windows\SysWOW64\Loeebl32.exe C:\Windows\SysWOW64\Leonofpp.exe
PID 1508 wrote to memory of 1972 N/A C:\Windows\SysWOW64\Loeebl32.exe C:\Windows\SysWOW64\Leonofpp.exe
PID 1508 wrote to memory of 1972 N/A C:\Windows\SysWOW64\Loeebl32.exe C:\Windows\SysWOW64\Leonofpp.exe
PID 1508 wrote to memory of 1972 N/A C:\Windows\SysWOW64\Loeebl32.exe C:\Windows\SysWOW64\Leonofpp.exe
PID 1972 wrote to memory of 1652 N/A C:\Windows\SysWOW64\Leonofpp.exe C:\Windows\SysWOW64\Lpdbloof.exe
PID 1972 wrote to memory of 1652 N/A C:\Windows\SysWOW64\Leonofpp.exe C:\Windows\SysWOW64\Lpdbloof.exe
PID 1972 wrote to memory of 1652 N/A C:\Windows\SysWOW64\Leonofpp.exe C:\Windows\SysWOW64\Lpdbloof.exe
PID 1972 wrote to memory of 1652 N/A C:\Windows\SysWOW64\Leonofpp.exe C:\Windows\SysWOW64\Lpdbloof.exe
PID 1652 wrote to memory of 2260 N/A C:\Windows\SysWOW64\Lpdbloof.exe C:\Windows\SysWOW64\Lbcnhjnj.exe
PID 1652 wrote to memory of 2260 N/A C:\Windows\SysWOW64\Lpdbloof.exe C:\Windows\SysWOW64\Lbcnhjnj.exe
PID 1652 wrote to memory of 2260 N/A C:\Windows\SysWOW64\Lpdbloof.exe C:\Windows\SysWOW64\Lbcnhjnj.exe
PID 1652 wrote to memory of 2260 N/A C:\Windows\SysWOW64\Lpdbloof.exe C:\Windows\SysWOW64\Lbcnhjnj.exe
PID 2260 wrote to memory of 1072 N/A C:\Windows\SysWOW64\Lbcnhjnj.exe C:\Windows\SysWOW64\Lkncmmle.exe
PID 2260 wrote to memory of 1072 N/A C:\Windows\SysWOW64\Lbcnhjnj.exe C:\Windows\SysWOW64\Lkncmmle.exe
PID 2260 wrote to memory of 1072 N/A C:\Windows\SysWOW64\Lbcnhjnj.exe C:\Windows\SysWOW64\Lkncmmle.exe
PID 2260 wrote to memory of 1072 N/A C:\Windows\SysWOW64\Lbcnhjnj.exe C:\Windows\SysWOW64\Lkncmmle.exe
PID 1072 wrote to memory of 2200 N/A C:\Windows\SysWOW64\Lkncmmle.exe C:\Windows\SysWOW64\Lbeknj32.exe
PID 1072 wrote to memory of 2200 N/A C:\Windows\SysWOW64\Lkncmmle.exe C:\Windows\SysWOW64\Lbeknj32.exe
PID 1072 wrote to memory of 2200 N/A C:\Windows\SysWOW64\Lkncmmle.exe C:\Windows\SysWOW64\Lbeknj32.exe
PID 1072 wrote to memory of 2200 N/A C:\Windows\SysWOW64\Lkncmmle.exe C:\Windows\SysWOW64\Lbeknj32.exe
PID 2200 wrote to memory of 1284 N/A C:\Windows\SysWOW64\Lbeknj32.exe C:\Windows\SysWOW64\Lhbcfa32.exe
PID 2200 wrote to memory of 1284 N/A C:\Windows\SysWOW64\Lbeknj32.exe C:\Windows\SysWOW64\Lhbcfa32.exe
PID 2200 wrote to memory of 1284 N/A C:\Windows\SysWOW64\Lbeknj32.exe C:\Windows\SysWOW64\Lhbcfa32.exe
PID 2200 wrote to memory of 1284 N/A C:\Windows\SysWOW64\Lbeknj32.exe C:\Windows\SysWOW64\Lhbcfa32.exe
PID 1284 wrote to memory of 3052 N/A C:\Windows\SysWOW64\Lhbcfa32.exe C:\Windows\SysWOW64\Lollckbk.exe
PID 1284 wrote to memory of 3052 N/A C:\Windows\SysWOW64\Lhbcfa32.exe C:\Windows\SysWOW64\Lollckbk.exe
PID 1284 wrote to memory of 3052 N/A C:\Windows\SysWOW64\Lhbcfa32.exe C:\Windows\SysWOW64\Lollckbk.exe
PID 1284 wrote to memory of 3052 N/A C:\Windows\SysWOW64\Lhbcfa32.exe C:\Windows\SysWOW64\Lollckbk.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1af96b8fbb73ee88c199ca85e4bbfdf0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\1af96b8fbb73ee88c199ca85e4bbfdf0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Kgpjanje.exe

C:\Windows\system32\Kgpjanje.exe

C:\Windows\SysWOW64\Kahojc32.exe

C:\Windows\system32\Kahojc32.exe

C:\Windows\SysWOW64\Kfegbj32.exe

C:\Windows\system32\Kfegbj32.exe

C:\Windows\SysWOW64\Kaklpcoc.exe

C:\Windows\system32\Kaklpcoc.exe

C:\Windows\SysWOW64\Kfgdhjmk.exe

C:\Windows\system32\Kfgdhjmk.exe

C:\Windows\SysWOW64\Kifpdelo.exe

C:\Windows\system32\Kifpdelo.exe

C:\Windows\SysWOW64\Lckdanld.exe

C:\Windows\system32\Lckdanld.exe

C:\Windows\SysWOW64\Lihmjejl.exe

C:\Windows\system32\Lihmjejl.exe

C:\Windows\SysWOW64\Loeebl32.exe

C:\Windows\system32\Loeebl32.exe

C:\Windows\SysWOW64\Leonofpp.exe

C:\Windows\system32\Leonofpp.exe

C:\Windows\SysWOW64\Lpdbloof.exe

C:\Windows\system32\Lpdbloof.exe

C:\Windows\SysWOW64\Lbcnhjnj.exe

C:\Windows\system32\Lbcnhjnj.exe

C:\Windows\SysWOW64\Lkncmmle.exe

C:\Windows\system32\Lkncmmle.exe

C:\Windows\SysWOW64\Lbeknj32.exe

C:\Windows\system32\Lbeknj32.exe

C:\Windows\SysWOW64\Lhbcfa32.exe

C:\Windows\system32\Lhbcfa32.exe

C:\Windows\SysWOW64\Lollckbk.exe

C:\Windows\system32\Lollckbk.exe

C:\Windows\SysWOW64\Ldidkbpb.exe

C:\Windows\system32\Ldidkbpb.exe

C:\Windows\SysWOW64\Mggpgmof.exe

C:\Windows\system32\Mggpgmof.exe

C:\Windows\SysWOW64\Mamddf32.exe

C:\Windows\system32\Mamddf32.exe

C:\Windows\SysWOW64\Mdkqqa32.exe

C:\Windows\system32\Mdkqqa32.exe

C:\Windows\SysWOW64\Mkeimlfm.exe

C:\Windows\system32\Mkeimlfm.exe

C:\Windows\SysWOW64\Mmceigep.exe

C:\Windows\system32\Mmceigep.exe

C:\Windows\SysWOW64\Mmceigep.exe

C:\Windows\system32\Mmceigep.exe

C:\Windows\SysWOW64\Mgljbm32.exe

C:\Windows\system32\Mgljbm32.exe

C:\Windows\SysWOW64\Mcbjgn32.exe

C:\Windows\system32\Mcbjgn32.exe

C:\Windows\SysWOW64\Mgnfhlin.exe

C:\Windows\system32\Mgnfhlin.exe

C:\Windows\SysWOW64\Mpfkqb32.exe

C:\Windows\system32\Mpfkqb32.exe

C:\Windows\SysWOW64\Mgqcmlgl.exe

C:\Windows\system32\Mgqcmlgl.exe

C:\Windows\SysWOW64\Mlmlecec.exe

C:\Windows\system32\Mlmlecec.exe

C:\Windows\SysWOW64\Nefpnhlc.exe

C:\Windows\system32\Nefpnhlc.exe

C:\Windows\SysWOW64\Ncjqhmkm.exe

C:\Windows\system32\Ncjqhmkm.exe

C:\Windows\SysWOW64\Nhfipcid.exe

C:\Windows\system32\Nhfipcid.exe

C:\Windows\SysWOW64\Noqamn32.exe

C:\Windows\system32\Noqamn32.exe

C:\Windows\SysWOW64\Naoniipe.exe

C:\Windows\system32\Naoniipe.exe

C:\Windows\SysWOW64\Nhiffc32.exe

C:\Windows\system32\Nhiffc32.exe

C:\Windows\SysWOW64\Nocnbmoo.exe

C:\Windows\system32\Nocnbmoo.exe

C:\Windows\SysWOW64\Ndpfkdmf.exe

C:\Windows\system32\Ndpfkdmf.exe

C:\Windows\SysWOW64\Ngnbgplj.exe

C:\Windows\system32\Ngnbgplj.exe

C:\Windows\SysWOW64\Ndbcpd32.exe

C:\Windows\system32\Ndbcpd32.exe

C:\Windows\SysWOW64\Ngpolo32.exe

C:\Windows\system32\Ngpolo32.exe

C:\Windows\SysWOW64\Oddpfc32.exe

C:\Windows\system32\Oddpfc32.exe

C:\Windows\SysWOW64\Ofelmloo.exe

C:\Windows\system32\Ofelmloo.exe

C:\Windows\SysWOW64\Ojahnj32.exe

C:\Windows\system32\Ojahnj32.exe

C:\Windows\SysWOW64\Ocimgp32.exe

C:\Windows\system32\Ocimgp32.exe

C:\Windows\SysWOW64\Oqmmpd32.exe

C:\Windows\system32\Oqmmpd32.exe

C:\Windows\SysWOW64\Oclilp32.exe

C:\Windows\system32\Oclilp32.exe

C:\Windows\SysWOW64\Obojhlbq.exe

C:\Windows\system32\Obojhlbq.exe

C:\Windows\SysWOW64\Ojfaijcc.exe

C:\Windows\system32\Ojfaijcc.exe

C:\Windows\SysWOW64\Omdneebf.exe

C:\Windows\system32\Omdneebf.exe

C:\Windows\SysWOW64\Oobjaqaj.exe

C:\Windows\system32\Oobjaqaj.exe

C:\Windows\SysWOW64\Obafnlpn.exe

C:\Windows\system32\Obafnlpn.exe

C:\Windows\SysWOW64\Oikojfgk.exe

C:\Windows\system32\Oikojfgk.exe

C:\Windows\SysWOW64\Okikfagn.exe

C:\Windows\system32\Okikfagn.exe

C:\Windows\SysWOW64\Obcccl32.exe

C:\Windows\system32\Obcccl32.exe

C:\Windows\SysWOW64\Pdaoog32.exe

C:\Windows\system32\Pdaoog32.exe

C:\Windows\SysWOW64\Pgplkb32.exe

C:\Windows\system32\Pgplkb32.exe

C:\Windows\SysWOW64\Pogclp32.exe

C:\Windows\system32\Pogclp32.exe

C:\Windows\SysWOW64\Piphee32.exe

C:\Windows\system32\Piphee32.exe

C:\Windows\SysWOW64\Pgbhabjp.exe

C:\Windows\system32\Pgbhabjp.exe

C:\Windows\SysWOW64\Pjadmnic.exe

C:\Windows\system32\Pjadmnic.exe

C:\Windows\SysWOW64\Pbhmnkjf.exe

C:\Windows\system32\Pbhmnkjf.exe

C:\Windows\SysWOW64\Pciifc32.exe

C:\Windows\system32\Pciifc32.exe

C:\Windows\SysWOW64\Pgeefbhm.exe

C:\Windows\system32\Pgeefbhm.exe

C:\Windows\SysWOW64\Pmanoifd.exe

C:\Windows\system32\Pmanoifd.exe

C:\Windows\SysWOW64\Peiepfgg.exe

C:\Windows\system32\Peiepfgg.exe

C:\Windows\SysWOW64\Pfjbgnme.exe

C:\Windows\system32\Pfjbgnme.exe

C:\Windows\SysWOW64\Pjenhm32.exe

C:\Windows\system32\Pjenhm32.exe

C:\Windows\SysWOW64\Pmdjdh32.exe

C:\Windows\system32\Pmdjdh32.exe

C:\Windows\SysWOW64\Ppbfpd32.exe

C:\Windows\system32\Ppbfpd32.exe

C:\Windows\SysWOW64\Pflomnkb.exe

C:\Windows\system32\Pflomnkb.exe

C:\Windows\SysWOW64\Qmfgjh32.exe

C:\Windows\system32\Qmfgjh32.exe

C:\Windows\SysWOW64\Qpecfc32.exe

C:\Windows\system32\Qpecfc32.exe

C:\Windows\SysWOW64\Qcpofbjl.exe

C:\Windows\system32\Qcpofbjl.exe

C:\Windows\SysWOW64\Qjjgclai.exe

C:\Windows\system32\Qjjgclai.exe

C:\Windows\SysWOW64\Qimhoi32.exe

C:\Windows\system32\Qimhoi32.exe

C:\Windows\SysWOW64\Qlkdkd32.exe

C:\Windows\system32\Qlkdkd32.exe

C:\Windows\SysWOW64\Qbelgood.exe

C:\Windows\system32\Qbelgood.exe

C:\Windows\SysWOW64\Qfahhm32.exe

C:\Windows\system32\Qfahhm32.exe

C:\Windows\SysWOW64\Aipddi32.exe

C:\Windows\system32\Aipddi32.exe

C:\Windows\SysWOW64\Alnqqd32.exe

C:\Windows\system32\Alnqqd32.exe

C:\Windows\SysWOW64\Abhimnma.exe

C:\Windows\system32\Abhimnma.exe

C:\Windows\SysWOW64\Afcenm32.exe

C:\Windows\system32\Afcenm32.exe

C:\Windows\SysWOW64\Aibajhdn.exe

C:\Windows\system32\Aibajhdn.exe

C:\Windows\SysWOW64\Alpmfdcb.exe

C:\Windows\system32\Alpmfdcb.exe

C:\Windows\SysWOW64\Abjebn32.exe

C:\Windows\system32\Abjebn32.exe

C:\Windows\SysWOW64\Aehboi32.exe

C:\Windows\system32\Aehboi32.exe

C:\Windows\SysWOW64\Anafhopc.exe

C:\Windows\system32\Anafhopc.exe

C:\Windows\SysWOW64\Aaobdjof.exe

C:\Windows\system32\Aaobdjof.exe

C:\Windows\SysWOW64\Adnopfoj.exe

C:\Windows\system32\Adnopfoj.exe

C:\Windows\SysWOW64\Ajhgmpfg.exe

C:\Windows\system32\Ajhgmpfg.exe

C:\Windows\SysWOW64\Amfcikek.exe

C:\Windows\system32\Amfcikek.exe

C:\Windows\SysWOW64\Aaaoij32.exe

C:\Windows\system32\Aaaoij32.exe

C:\Windows\SysWOW64\Aemkjiem.exe

C:\Windows\system32\Aemkjiem.exe

C:\Windows\SysWOW64\Ajjcbpdd.exe

C:\Windows\system32\Ajjcbpdd.exe

C:\Windows\SysWOW64\Amhpnkch.exe

C:\Windows\system32\Amhpnkch.exe

C:\Windows\SysWOW64\Bdbhke32.exe

C:\Windows\system32\Bdbhke32.exe

C:\Windows\SysWOW64\Bhndldcn.exe

C:\Windows\system32\Bhndldcn.exe

C:\Windows\SysWOW64\Bjlqhoba.exe

C:\Windows\system32\Bjlqhoba.exe

C:\Windows\SysWOW64\Bmkmdk32.exe

C:\Windows\system32\Bmkmdk32.exe

C:\Windows\SysWOW64\Bdeeqehb.exe

C:\Windows\system32\Bdeeqehb.exe

C:\Windows\SysWOW64\Bbhela32.exe

C:\Windows\system32\Bbhela32.exe

C:\Windows\SysWOW64\Bkommo32.exe

C:\Windows\system32\Bkommo32.exe

C:\Windows\SysWOW64\Bmmiij32.exe

C:\Windows\system32\Bmmiij32.exe

C:\Windows\SysWOW64\Bpleef32.exe

C:\Windows\system32\Bpleef32.exe

C:\Windows\SysWOW64\Bbjbaa32.exe

C:\Windows\system32\Bbjbaa32.exe

C:\Windows\SysWOW64\Bidjnkdg.exe

C:\Windows\system32\Bidjnkdg.exe

C:\Windows\SysWOW64\Bmpfojmp.exe

C:\Windows\system32\Bmpfojmp.exe

C:\Windows\SysWOW64\Boqbfb32.exe

C:\Windows\system32\Boqbfb32.exe

C:\Windows\SysWOW64\Bghjhp32.exe

C:\Windows\system32\Bghjhp32.exe

C:\Windows\SysWOW64\Bhigphio.exe

C:\Windows\system32\Bhigphio.exe

C:\Windows\SysWOW64\Bppoqeja.exe

C:\Windows\system32\Bppoqeja.exe

C:\Windows\SysWOW64\Bbokmqie.exe

C:\Windows\system32\Bbokmqie.exe

C:\Windows\SysWOW64\Biicik32.exe

C:\Windows\system32\Biicik32.exe

C:\Windows\SysWOW64\Ccahbp32.exe

C:\Windows\system32\Ccahbp32.exe

C:\Windows\SysWOW64\Ceodnl32.exe

C:\Windows\system32\Ceodnl32.exe

C:\Windows\SysWOW64\Cdbdjhmp.exe

C:\Windows\system32\Cdbdjhmp.exe

C:\Windows\SysWOW64\Cohigamf.exe

C:\Windows\system32\Cohigamf.exe

C:\Windows\SysWOW64\Cddaphkn.exe

C:\Windows\system32\Cddaphkn.exe

C:\Windows\SysWOW64\Chpmpg32.exe

C:\Windows\system32\Chpmpg32.exe

C:\Windows\SysWOW64\Cojema32.exe

C:\Windows\system32\Cojema32.exe

C:\Windows\SysWOW64\Cnmehnan.exe

C:\Windows\system32\Cnmehnan.exe

C:\Windows\SysWOW64\Cdgneh32.exe

C:\Windows\system32\Cdgneh32.exe

C:\Windows\SysWOW64\Cgejac32.exe

C:\Windows\system32\Cgejac32.exe

C:\Windows\SysWOW64\Cnobnmpl.exe

C:\Windows\system32\Cnobnmpl.exe

C:\Windows\SysWOW64\Caknol32.exe

C:\Windows\system32\Caknol32.exe

C:\Windows\SysWOW64\Cclkfdnc.exe

C:\Windows\system32\Cclkfdnc.exe

C:\Windows\SysWOW64\Ckccgane.exe

C:\Windows\system32\Ckccgane.exe

C:\Windows\SysWOW64\Cppkph32.exe

C:\Windows\system32\Cppkph32.exe

C:\Windows\SysWOW64\Ccngld32.exe

C:\Windows\system32\Ccngld32.exe

C:\Windows\SysWOW64\Dfmdho32.exe

C:\Windows\system32\Dfmdho32.exe

C:\Windows\SysWOW64\Djhphncm.exe

C:\Windows\system32\Djhphncm.exe

C:\Windows\SysWOW64\Dpbheh32.exe

C:\Windows\system32\Dpbheh32.exe

C:\Windows\SysWOW64\Dcadac32.exe

C:\Windows\system32\Dcadac32.exe

C:\Windows\SysWOW64\Dfoqmo32.exe

C:\Windows\system32\Dfoqmo32.exe

C:\Windows\SysWOW64\Dhnmij32.exe

C:\Windows\system32\Dhnmij32.exe

C:\Windows\SysWOW64\Dogefd32.exe

C:\Windows\system32\Dogefd32.exe

C:\Windows\SysWOW64\Dccagcgk.exe

C:\Windows\system32\Dccagcgk.exe

C:\Windows\SysWOW64\Djmicm32.exe

C:\Windows\system32\Djmicm32.exe

C:\Windows\SysWOW64\Dlkepi32.exe

C:\Windows\system32\Dlkepi32.exe

C:\Windows\SysWOW64\Dojald32.exe

C:\Windows\system32\Dojald32.exe

C:\Windows\SysWOW64\Dbhnhp32.exe

C:\Windows\system32\Dbhnhp32.exe

C:\Windows\SysWOW64\Dfdjhndl.exe

C:\Windows\system32\Dfdjhndl.exe

C:\Windows\SysWOW64\Dlnbeh32.exe

C:\Windows\system32\Dlnbeh32.exe

C:\Windows\SysWOW64\Dkqbaecc.exe

C:\Windows\system32\Dkqbaecc.exe

C:\Windows\SysWOW64\Dnoomqbg.exe

C:\Windows\system32\Dnoomqbg.exe

C:\Windows\SysWOW64\Dfffnn32.exe

C:\Windows\system32\Dfffnn32.exe

C:\Windows\SysWOW64\Dhdcji32.exe

C:\Windows\system32\Dhdcji32.exe

C:\Windows\SysWOW64\Dookgcij.exe

C:\Windows\system32\Dookgcij.exe

C:\Windows\SysWOW64\Ebmgcohn.exe

C:\Windows\system32\Ebmgcohn.exe

C:\Windows\SysWOW64\Eqpgol32.exe

C:\Windows\system32\Eqpgol32.exe

C:\Windows\SysWOW64\Ehgppi32.exe

C:\Windows\system32\Ehgppi32.exe

C:\Windows\SysWOW64\Egjpkffe.exe

C:\Windows\system32\Egjpkffe.exe

C:\Windows\SysWOW64\Ejhlgaeh.exe

C:\Windows\system32\Ejhlgaeh.exe

C:\Windows\SysWOW64\Ebodiofk.exe

C:\Windows\system32\Ebodiofk.exe

C:\Windows\SysWOW64\Ednpej32.exe

C:\Windows\system32\Ednpej32.exe

C:\Windows\SysWOW64\Egllae32.exe

C:\Windows\system32\Egllae32.exe

C:\Windows\SysWOW64\Ejkima32.exe

C:\Windows\system32\Ejkima32.exe

C:\Windows\SysWOW64\Enfenplo.exe

C:\Windows\system32\Enfenplo.exe

C:\Windows\SysWOW64\Eqdajkkb.exe

C:\Windows\system32\Eqdajkkb.exe

C:\Windows\SysWOW64\Eccmffjf.exe

C:\Windows\system32\Eccmffjf.exe

C:\Windows\SysWOW64\Efaibbij.exe

C:\Windows\system32\Efaibbij.exe

C:\Windows\SysWOW64\Enhacojl.exe

C:\Windows\system32\Enhacojl.exe

C:\Windows\SysWOW64\Eqgnokip.exe

C:\Windows\system32\Eqgnokip.exe

C:\Windows\SysWOW64\Eojnkg32.exe

C:\Windows\system32\Eojnkg32.exe

C:\Windows\SysWOW64\Egafleqm.exe

C:\Windows\system32\Egafleqm.exe

C:\Windows\SysWOW64\Ejobhppq.exe

C:\Windows\system32\Ejobhppq.exe

C:\Windows\SysWOW64\Emnndlod.exe

C:\Windows\system32\Emnndlod.exe

C:\Windows\SysWOW64\Eqijej32.exe

C:\Windows\system32\Eqijej32.exe

C:\Windows\SysWOW64\Echfaf32.exe

C:\Windows\system32\Echfaf32.exe

C:\Windows\SysWOW64\Effcma32.exe

C:\Windows\system32\Effcma32.exe

C:\Windows\SysWOW64\Fidoim32.exe

C:\Windows\system32\Fidoim32.exe

C:\Windows\SysWOW64\Fkckeh32.exe

C:\Windows\system32\Fkckeh32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 140

Network

N/A

Files

memory/1688-0-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1688-6-0x0000000000290000-0x00000000002CF000-memory.dmp

\Windows\SysWOW64\Kgpjanje.exe

MD5 26c50284dcdf324e41172db95e00f5e1
SHA1 87461c4eb56da067b194496df842dc878eb6b30a
SHA256 397c6bc2f68cfcc429d7b737efe7b175ac55e1e686204ac2d8cb2c3bb77d8343
SHA512 9422cd81ab5000e6b25bea6f3623fadabc052ec53533c52abf4f27f2265baa7fe09e7644a5838e204b469cbc93292eed67f9c27bbc80b7e181b84875a88e0772

\Windows\SysWOW64\Kahojc32.exe

MD5 7f5f0b823486d209c1605d6ddd42f400
SHA1 b0bf1f90568a758e84832d63f57874a51ed8ea21
SHA256 43733fbf63b26aa5b2499812801088c824beaad777641653766d0d57d63e166a
SHA512 e3cc584248230b3b45ca9f6972e1fcfed77eacbf1b03771d4e42d72765245351c9c888ba7d4eed8753a1e8dff2350356e76d2352e6aa2384e1c5931340355833

memory/2336-26-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1988-25-0x0000000000250000-0x000000000028F000-memory.dmp

\Windows\SysWOW64\Kfegbj32.exe

MD5 a9a2a03516e3122911faba21bd841e16
SHA1 a6b9415897b4f264855bd92e28cf9776d4529187
SHA256 db6d9f22e62761259f422a1baf24aa541366a1c36e1e8ea40e68a3d9822ce389
SHA512 205b711698569d14e07af0579ab7e7168d33ba658b1502a191ef79cc5a4f6acbf572989395d8ace0f8cc749b4eebe131ec805af32100151b9387409cf4ff76bd

memory/2336-39-0x0000000000280000-0x00000000002BF000-memory.dmp

C:\Windows\SysWOW64\Kaklpcoc.exe

MD5 c2262528727132abb9beef7bbeedf322
SHA1 dbf24ced124ddb1824e58fb0899b69fdc6b332b2
SHA256 15367e214a74018835203a35d8eb5980d7dc4fce8afb34d15025c9331ed277be
SHA512 ede9e2d30ef32bccb794eca093915c8da3906d24e15ed6f4d549ebb9db545b849df607da65a7b5140dd2e367ff56c1c96572e1ee9034cbcf3e9529f0a85767cf

memory/1324-52-0x0000000000400000-0x000000000043F000-memory.dmp

\Windows\SysWOW64\Kfgdhjmk.exe

MD5 e2828507b0a5f6a360d769ae7f7c7d5e
SHA1 8bb5639fa75d186234baf4a7d8d8e8b21f94d271
SHA256 3d591365ec3e93793897cadfe31613cc364dd332ad25c02d95be7f3709ad9a46
SHA512 a843eed5b8d639b135392262b32e94c1a249ce21d64f483c4bd7d6fa762fd9a4b7e4f2aa4675693d2ab9bc6fae311f174ea2f03e9f1eb035abd404aeeb1f4e65

memory/1324-65-0x00000000002D0000-0x000000000030F000-memory.dmp

\Windows\SysWOW64\Kifpdelo.exe

MD5 2ed89633687739c668494b2fc56c1729
SHA1 e0b03e6da7d70520ba7237ad9ce5bba6739aebbd
SHA256 2b0177ef01c171e897813ce5bb5d47a2f760ff53cf4464047201b5562d12eb99
SHA512 3328f8b8af3f6c83f1f6ea9f0f37f75c83e3d22d5db084c1402026e0a7b03b22eb4d658f87628d976b966f1ff8a0a65cad906283dd2ad5385fe359cd8f77bea1

memory/2812-73-0x0000000000250000-0x000000000028F000-memory.dmp

memory/2208-79-0x0000000000400000-0x000000000043F000-memory.dmp

\Windows\SysWOW64\Lckdanld.exe

MD5 619bb2bcb008db74b4d7a4bd9656cc15
SHA1 dda4872db3e994fdacf15bb50e4e9b5c41819e2d
SHA256 32a2a53f93035de97476e351db3153041e999781a0b7734cc2a37eacf4341c87
SHA512 cea336f08b2e0309eb4e34942d66f0eefadef561671b2ca283a2d584fa5ef59a22e7729bef716d411f9e23da865087c6f492e804e6a9a8ea7ee3e4ef8da7ed4b

memory/1036-105-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Lihmjejl.exe

MD5 c7525eba1828c077e677ea1b5da3edcb
SHA1 7e2c271c603cacc38c2bc3ed28c14d188d9bacba
SHA256 2ce44e386bda9dcf35c8e1c39020a2ea7d5fabdb1a7cf5f097c005ca34da1d3f
SHA512 9be2514b8215b95b9d4daabd7dee092fa37b435dd109362ad95edd7e2ee74bd0106eb01bfc27efb2bff8437ee7e1e40467abc550ecd19d15c006a5e113eead69

memory/3000-103-0x0000000000400000-0x000000000043F000-memory.dmp

\Windows\SysWOW64\Loeebl32.exe

MD5 5500da557cd5065326c2ec71ce9dc7af
SHA1 cfc1a195f0524a33a17764e2af2a87d9a1cb7f76
SHA256 53a7b9c76d99c671aee6896903fe20f679e26e7a0eacd01ea98a62e27e04c94c
SHA512 a158e42a7eba01359a17dcc5651479291b69343adfca529286d705e63f8ca27f727192bff7ca1cd819a0d6cfced61eeff9c9da4cbd10fe385fa08600e506fb7d

memory/1036-117-0x00000000005D0000-0x000000000060F000-memory.dmp

memory/1508-120-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Leonofpp.exe

MD5 98ea3ffaa4a9f0e2553c29f614623c83
SHA1 e60705b8c833aad0f5d7c7c3f4ff93c850f2d37c
SHA256 7e640f794ebc79311be88cf311f8dfc03ddb54df0c2ffe71f4453bc72e790fe2
SHA512 fa705afea8534e859b69529638f1410c1178dac1d4827be87bb120b5181ab03d23512ca013124e669fef6b42b079c99c22850f8d082f5fed0f6851112e135937

memory/1972-132-0x0000000000400000-0x000000000043F000-memory.dmp

\Windows\SysWOW64\Lpdbloof.exe

MD5 5e0ef41a2f0c3de668ef5d28ca1ff68d
SHA1 47132eb941bdc80883b1ddf32830772cfcc9e247
SHA256 ec85cdc3c0379fd46158e79419a11397f9093e973b7d595bcd5273692c22e145
SHA512 7be832dc36f94376e6d16c0c62881eae13bebea989f2e3d02a7b51f81cbbec9a01cfac891165fae4034ef9471a0150673dfd588fd9be7f8da6995fb2202c5ba9

memory/1972-144-0x0000000000250000-0x000000000028F000-memory.dmp

\Windows\SysWOW64\Lbcnhjnj.exe

MD5 a65c2a47573fb3840ba5cc839540091b
SHA1 5142a5c8fe4cf250197d025ade06f5592044db8f
SHA256 defb06ae3e6c48b16e4e9b7525376a3b861b647fdbd5d44e5a17da4504f352d7
SHA512 3b13f153833888a78ba4c1b627e9890caf37ff13102c5922674e7e7bd507b81305f0c9f88e53dad66fa4ce3d1c62c3819cc051b7f441178eadd2a4899dd512e1

memory/1652-153-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2260-159-0x0000000000400000-0x000000000043F000-memory.dmp

\Windows\SysWOW64\Lkncmmle.exe

MD5 7950df4abf320d4b985e658f902d5b0d
SHA1 c927c6f38d13f5c618da7f884128d5d6f680a30f
SHA256 475ed846f2fb8366a66530de93a01c71b5120434fc4c3dd2f1648ead1865e36e
SHA512 d504875a09e2fabecbcb06061ff11386daaf59154486adedbe508cdef5aa6e63aaedd25a948dcd223dbf3c1ac909d272035488f6473a9b3e59f09eca9a853761

memory/1072-172-0x0000000000400000-0x000000000043F000-memory.dmp

\Windows\SysWOW64\Lbeknj32.exe

MD5 2b1e4a6f3267c572a500eb624ec2b820
SHA1 2b289cc056ad60347bff70122e0fb0ca27d86dae
SHA256 52366b560375aef0c496ca9e3c31c2bcc08d800af01f9ce109822e76621f7e7f
SHA512 b4455adca06504af9bf01269f3e6ec8252caf945b6a07de6e097fb186a0e7d6c68a2c3f59c1e4f85cf24e6596e6ae0d1f54add1838ccafafc4c12dad14349993

memory/2200-185-0x0000000000400000-0x000000000043F000-memory.dmp

\Windows\SysWOW64\Lhbcfa32.exe

MD5 b8d55ff39c7e22e500e564e1302fb45c
SHA1 47169f0aa96d8ff5252497a398310e9c78b939ec
SHA256 ff58295be9fdb6d9b32fd237133ec7b3bfba7884269407ed5f8a2b5a6e026472
SHA512 78e427f8dcd947ef0e71633a2e4fc2df9da53d32d9d78af578453a6762cf56c4c26aad09e8c4df25e5f965f6e8d30b864743765174ea7288ed342bcd2c916c3a

memory/1284-209-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3052-211-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Lollckbk.exe

MD5 b6c2ca9dcd5e76ee0efbd3c40daa946b
SHA1 b3b9f1e96cc26d702d005ad880d744c4be7e4622
SHA256 5e0df36bf7903d1ad735d63f41c18a5d5c7549790159eb7c3c0c7174f60d57e9
SHA512 71cfa5a4eda4761826c890a841ed0480b4a919da93fbec9eb1f0e245486cc7c3e3697b359ff01faa7d1b5e7ddd7fc40e1bbab7f14ee7e655056e36ce815166ae

C:\Windows\SysWOW64\Ldidkbpb.exe

MD5 d56aec91ada61aa3bbf12ac275048d79
SHA1 7012c798fa13332096a432dce0e188a86e739d41
SHA256 ac758d18383338bedd80a04644781357556c7f7531eaf68e14c9e1fa05ccba86
SHA512 f3f93d7a74fe969338443b1afb5894f224d219bb32d98d1017c0d6db78b274362fdfc0a9d1c5f7c91e260bfb14ee6c93dfe2d9efb8a8aee354e2eea077064ee9

memory/3052-221-0x0000000000260000-0x000000000029F000-memory.dmp

memory/2716-226-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Mggpgmof.exe

MD5 09fb568be9829ca4ca63c40c2deb668c
SHA1 ed9581f4d23523f021583159f6c552274c1dbfde
SHA256 3d3aced660ee6126e21a9cdbabc1aaa9db40f809d20ac2144a9a09e37a88bd02
SHA512 01e02b074facc0c41a819d179e013bd5f5fd4c80738817dc3f1bc982f088489c929908cc8f80c0e6519ac3c31c796568f5826c706511331c6fc5f9e51110f28c

memory/2716-228-0x0000000000250000-0x000000000028F000-memory.dmp

memory/1488-237-0x00000000005D0000-0x000000000060F000-memory.dmp

C:\Windows\SysWOW64\Mamddf32.exe

MD5 ee951ea72b7d3a16b3c631cc82abab61
SHA1 3cbd6e5bc1b810549133f1679dd51691ea1fb5a8
SHA256 03327c7a71aa0dbc37dc68ea83bf9d3131bfed6d1949f9869ea260ce7187dfd4
SHA512 1be003f32fa0ab3afe38c0eff43311ec71642666d278f5a8ee60b2fd69225cbc7c8ff0e72a151ea8b6aad94ac6887852d9f1106f3b90826ca74c7629d45415bb

memory/556-249-0x0000000000310000-0x000000000034F000-memory.dmp

C:\Windows\SysWOW64\Mdkqqa32.exe

MD5 86d5d355745d960c96be127f1dd091a8
SHA1 706bfaf277cf8888da136ca826099e089d3f8243
SHA256 296f2b991f7351119e4d38f1c4ff2f5ed63265090ac3f7d0a60cc0a059ba1945
SHA512 190924c6bbb522a9e8ef26e3f7e90e97f71abe7dd331c60943bcc2c2171a5b12f293a86774200480b80b5c1fbec644cda869941e28f6916a552314b2fbe0d035

memory/276-250-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Mkeimlfm.exe

MD5 d10be34ec3815ed56621904be93da694
SHA1 38a4971aa9be51f780c41626d34798b3b65f9e55
SHA256 1bec95c40b398886cadc99f7f7f8be9968b30a838f59bce4b558c78a0995f3cd
SHA512 d6a63dcbb95ee8df7e7ef5dc216a013a1108bd2bf24b0067e3a974a68b5b51e8537141313f59e3bfb49e91defdf67af4d104867959caafffd1d976f7644a258d

memory/276-263-0x00000000002F0000-0x000000000032F000-memory.dmp

memory/1096-266-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Mmceigep.exe

MD5 384cd874c8a2213d802cbcc0774cddb0
SHA1 75525e31b7f72c3d30684e1f3539a4eb19e621e1
SHA256 923437a07785a2fd58d6acfd83800815ed82726211b2ecd2999f0f1c0d9cf294
SHA512 f1a8da5c7340cfe711cd539d4ff82253186bf10c54fb294a566020de2243a082f8a079565ceca4b6014651a77c5b9b156b647f5a9cdd61b0d73595dfef6c2360

memory/276-265-0x00000000002F0000-0x000000000032F000-memory.dmp

memory/1048-272-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1096-271-0x0000000000250000-0x000000000028F000-memory.dmp

memory/1096-270-0x0000000000250000-0x000000000028F000-memory.dmp

memory/1048-278-0x0000000001F70000-0x0000000001FAF000-memory.dmp

memory/1612-286-0x0000000000440000-0x000000000047F000-memory.dmp

memory/1612-285-0x0000000000440000-0x000000000047F000-memory.dmp

C:\Windows\SysWOW64\Mgljbm32.exe

MD5 559172850fe8dd22ced0b6d81c26c5a2
SHA1 ae74741de506a622efbc986364cbd6b25ae36f83
SHA256 2735f45b5736446abe5b3e2c5a9371fd16648cd8456d6fd02e31fcc53863f904
SHA512 042fadcb197a4b673b543382c30140dcc8652a14f637fffac06568954565f19e12b30cf3fa0b958033686ce0105087e60b0dffecc9e57a1cbcb8ec909ae4ed8d

memory/1612-281-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1048-279-0x0000000001F70000-0x0000000001FAF000-memory.dmp

memory/1076-287-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Mcbjgn32.exe

MD5 7785df49576a35bc64eb7b41ee3a14f4
SHA1 80d7d3aecfdd1ea1dd618a19dbaf788f19c00be5
SHA256 dbdd48e9d02ba3892c386d0233632c8166833dc6cbae2e3b87a85455f2a45f7d
SHA512 4294df1b3ce60d36d0cf1802effc34efbcfac768d128b225c574bcd4d925f4052fe1883cd7ec2bca27a0eaa08472b446217bb8d2c37a2d50299bd0fcd701bfbb

memory/944-296-0x0000000000400000-0x000000000043F000-memory.dmp

memory/944-301-0x0000000000270000-0x00000000002AF000-memory.dmp

C:\Windows\SysWOW64\Mgnfhlin.exe

MD5 034d62424cb41ed22b546f7d16ab45fd
SHA1 16d20cd1fcb3dd3480a70d86f6baa46462c252fb
SHA256 6bcfaac0e30fc2867a28f2895685f556cb6c86cea12b318219101f2668f2a525
SHA512 dbc1d635bdcf72d82a5ea205a109da0a780b10ee59915d9f4fec1640d4e1209328ab8737dded48217fadf82b5126ec22acc3c116bd4f09a72b4a92724501e303

memory/944-306-0x0000000000270000-0x00000000002AF000-memory.dmp

memory/2456-307-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2456-316-0x0000000000260000-0x000000000029F000-memory.dmp

memory/2456-317-0x0000000000260000-0x000000000029F000-memory.dmp

C:\Windows\SysWOW64\Mpfkqb32.exe

MD5 8a5ba03966aa611f44fe45aa5fcf4284
SHA1 b9f01eeff05192c21fb34043e69736ae8faa95b0
SHA256 8bf2953f88c1d1869f0ac6aae92cc2bc64dff1f53bbad9e28acfd21c763988f9
SHA512 5c8b1ed2178bb448c35658508bebc73a7ea8458606f61e3b0a2e72aa449d0c3071f7e2528575865c88d45e76f6f61377ec1cc3df013c0f726c960aa3834dee03

memory/1584-318-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Mgqcmlgl.exe

MD5 33d3fdfa553753e4fedc7877bb7379ac
SHA1 445b5ce2508df43d1d5d8778345037412968c608
SHA256 9738de425ba5881ffc2c7366ff84909dfa80c19a3387805e1e472b598fb0412b
SHA512 9e7b0fffbdbe971d79a26f5c1dd278f527972bab33e23f945234edec605a28e7075e74835302dde5f636cadad7f1f0948618c116836187e98f2dc283d0b6e24c

memory/2172-329-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1584-328-0x0000000000250000-0x000000000028F000-memory.dmp

memory/1584-327-0x0000000000250000-0x000000000028F000-memory.dmp

C:\Windows\SysWOW64\Mlmlecec.exe

MD5 905dee7d923ee0061de34d4b277e8449
SHA1 d7808b2f6e04bf10442f1ee02d0e6baf2d12b9a9
SHA256 830cf7c1da5f5c4b0f0bc14384a9d3eb421f59265faa5edd78307ec807445a64
SHA512 06c3c40e567353b4aa8de1b4a06d88d685571e623418ed54bde9b9598d5581ef671e9407dcdd5f4c47ace89a40422e4fc578a76960a574d845cf96f22b8069eb

memory/2172-335-0x0000000000250000-0x000000000028F000-memory.dmp

memory/2740-340-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2172-339-0x0000000000250000-0x000000000028F000-memory.dmp

C:\Windows\SysWOW64\Nefpnhlc.exe

MD5 64b19bb3d18a1dd2d3d9b28b37f4ee35
SHA1 3ad232258f1b620d72f111f425417a457fb40e65
SHA256 bc19ae1602997b8c621f89d6120bbdcf5a91b3a4a14bb71344ecc4a14bd0e008
SHA512 fa35d71b34319d7802cd94065198c170c81165030949a482c5115abe037834f60bcb14bf7b443199bd04ac275fbdf148b3c59939879e3b7a07c7432c556ad24d

memory/2740-349-0x0000000000280000-0x00000000002BF000-memory.dmp

memory/2792-351-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2740-350-0x0000000000280000-0x00000000002BF000-memory.dmp

C:\Windows\SysWOW64\Ncjqhmkm.exe

MD5 7f8024db33fc4508a966741d23490e13
SHA1 35127cae7e5ffb9dc9202e1a69837e229b1ae617
SHA256 21945ac58dd8628dc9b4d866a91b162dbbd14e936b614b7fab2128b079f9cdb2
SHA512 c194097f1d6a727ca0e982e0515aace13f19d7e9a621c6f3209c285e44c92563ffc4ed268700df715d395054e645ba12199d07c5052db87e3d88d0c7385e09f1

memory/2792-357-0x00000000005D0000-0x000000000060F000-memory.dmp

memory/2792-361-0x00000000005D0000-0x000000000060F000-memory.dmp

memory/2992-362-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Nhfipcid.exe

MD5 fd20722c78ad4e9ab21b158f6e712235
SHA1 f8c51ef643c669347c2c4abed415808c0c1b226c
SHA256 c57b7dcc3437c7ca941492a041c5b3caff04b085569fb180b2ef897418c795ef
SHA512 0071bbc5d93d26a9e668c8e5e7d5ba456394b4aadf34180e67c1387a7291fc8aacd603e428bdb0a21e8874efe7398419ffd677f11b399ee1b40a5fca5ea93cc7

memory/2564-373-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2992-372-0x0000000000280000-0x00000000002BF000-memory.dmp

memory/2992-371-0x0000000000280000-0x00000000002BF000-memory.dmp

C:\Windows\SysWOW64\Noqamn32.exe

MD5 fb3e37bc23c84c5941a5d6f62578745e
SHA1 e505b41f4fe1743885497f3ef6a261291ee19822
SHA256 94cb14af9d0652658395a21b3dd99a2c7d325f9a37ab9e249489c8501740c897
SHA512 1d6878f406d1a091d701994b945136afecef107e0ef2b149ea3d1b4ebef96cd5d483c9599162491173f06acd8e0ae377d94b6a75badbd50fecf82c29a7ff084e

memory/2564-386-0x0000000000250000-0x000000000028F000-memory.dmp

memory/2564-388-0x0000000000250000-0x000000000028F000-memory.dmp

C:\Windows\SysWOW64\Naoniipe.exe

MD5 fae2f363620540d2b21ed9aac5a31ef7
SHA1 ca4079f997e479d32b7e9ae6a407abd137e91a91
SHA256 2e68d0a8ce642e5df0b353831be31bb092ae5142a90f7193b360096f765aa3fd
SHA512 9f3739a76c9080c993d9e12b1479089c940a36d00c90aa9ded11a6ffb040dc4cb6cc04fdbc8494a7ae74627c3bb2bcb4801362cf0a8a70b60c160c20191544dc

memory/2948-389-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2948-393-0x0000000000260000-0x000000000029F000-memory.dmp

memory/2948-394-0x0000000000260000-0x000000000029F000-memory.dmp

memory/820-395-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Nhiffc32.exe

MD5 33fe43aa9fe5a6d5c86bf88a1744eb2e
SHA1 fc8d79f462385c7008c0448b79e2c3fabe8fc1a4
SHA256 b61c95d4927a131a3a9a4efdcde1c59db5885fc15f002910fb2f95f58163c630
SHA512 5bc3e86d82c674eaab7f06540d9bfc9a8439ee6a3f16c44e33954f13b64b0be3cdaf549e0a3e50dc36acf1c87fb5ed3691a32f7f61348a703c1423f42dd377ac

memory/820-409-0x00000000005D0000-0x000000000060F000-memory.dmp

memory/820-407-0x00000000005D0000-0x000000000060F000-memory.dmp

C:\Windows\SysWOW64\Nocnbmoo.exe

MD5 3e6d702978542fc5ab6310a0f19738c3
SHA1 6529a26227b816929b6720c913e80dd3bc601789
SHA256 ec92adfb0557ca581dedcc52c2c270921ff5b6d76e5d0c3b85af66f3a58f9a6f
SHA512 56d835f2d45048a111cc451766c6dc2e8437ea316088e0680d727c37626983301886d5d9e9a779c460172d466695a8b90282c215c737520cb2905e19f517c1c2

memory/1500-410-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1500-415-0x00000000002E0000-0x000000000031F000-memory.dmp

memory/2832-416-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2832-425-0x00000000002D0000-0x000000000030F000-memory.dmp

C:\Windows\SysWOW64\Ndpfkdmf.exe

MD5 35d09729528659d733f49ba0837f1708
SHA1 97b92aaf73b6b83ee5a0fb7d0044a42835d0a28d
SHA256 a3b9973f793bcc39c02982e365eb978701f7398e2c1ff965fbd03f9368018d8d
SHA512 2931ac3787296f177773ad477ba06115fb17db45ff16edab4dedb0f02bb8c4204cd18d579ae472d4ed66a55fe9f6ee991df8c87312fddf4aab20a761ef338346

memory/2240-427-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2832-426-0x00000000002D0000-0x000000000030F000-memory.dmp

memory/2240-437-0x0000000000250000-0x000000000028F000-memory.dmp

memory/2240-436-0x0000000000250000-0x000000000028F000-memory.dmp

C:\Windows\SysWOW64\Ngnbgplj.exe

MD5 f8800df8f54a7f4b9b53cec24173cfa0
SHA1 19c127eff74dea4cae7d5a9bf7ef581099aab496
SHA256 e004c191374150914b95e46cf7dfb46efd167b245a02d87650d062d20f11757c
SHA512 7efcd4d2c3808f1c1e6939e19c619ef8cab3469e934e7de0aa89a0bcf04064ef9f7b816d604c97fede05ec1edbbf5adc2437f129aac30c23244f399251b8b66a

memory/1792-438-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Ndbcpd32.exe

MD5 b4bf9eb704cf43948a3d4814bce16f44
SHA1 6f9db0343d9e8f316561f330a9bced793501fe1d
SHA256 8e88491c7b0322784baf3801e90f6132d7464f4f6fb2a904cb7caa462ea0f6fb
SHA512 21d27ab5af4911a7b1b5531a5e12b2daa1d1a8aadafa972c4c634453dc4465e15b5f81c8b7bb285a61e3928a3ca601f1fa2a5b2e98ad004fac7c759a8a4154ca

C:\Windows\SysWOW64\Ngpolo32.exe

MD5 5b43160ed3b30ec9955c69ea6a444107
SHA1 4eaa5576b6811ddca3761aa4e17c005184f1a466
SHA256 a80e0edecfcb788dfc052ab3cb3ffbfcf4982de4524e77d4bb9c85905cad4d19
SHA512 3a4406d98c4184ad64fa53d13a44bcec3a4b58deaf7cba061abfa6d48d85ec28887460a558b91513d69d96490343de6fa577bb500c5e990bbb8affa2a0c99acc

memory/2164-459-0x0000000000250000-0x000000000028F000-memory.dmp

memory/2164-458-0x0000000000250000-0x000000000028F000-memory.dmp

memory/2164-457-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1792-456-0x0000000000270000-0x00000000002AF000-memory.dmp

memory/1792-455-0x0000000000270000-0x00000000002AF000-memory.dmp

memory/708-460-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Oddpfc32.exe

MD5 96c71d543b64e3e0dcf8431432813e6d
SHA1 74535f251d982dda176b3dbdec2f6329ea712832
SHA256 5cd548fc8b39532cff24bb2f1ae779d6cb6e45da7846369bcfb8e313aa1a63ea
SHA512 a258a8bef9d48d56f5787cda261470b94b2de649779d117a2280bc9935aeaa40cbfa0911586c3e774827f0e60416e0ec8085b1c07785859f5e002ccbd564b2d3

memory/708-473-0x0000000000250000-0x000000000028F000-memory.dmp

memory/640-475-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Ofelmloo.exe

MD5 208463e70c38788360d7fff0176a13dc
SHA1 dece8770b88558a72a7b909e94621e2f78b33c64
SHA256 50b0196ffa75199ef4f3a60961b0f3d59c23330ec40678be4607e46d30d8de2d
SHA512 b6104766b80903793f683ab7c1924bf7694cab9e04e21bf5e5af9dcf935cab052a8e681219f54b78f0e356f92e22d885178d52f0983cd2af2fb8ee3acc8eb297

memory/640-481-0x0000000000250000-0x000000000028F000-memory.dmp

memory/2368-480-0x0000000000400000-0x000000000043F000-memory.dmp

memory/640-479-0x0000000000250000-0x000000000028F000-memory.dmp

memory/2368-487-0x0000000000280000-0x00000000002BF000-memory.dmp

C:\Windows\SysWOW64\Ojahnj32.exe

MD5 890ae2ee3494a9f173dd8e2df2662c20
SHA1 a199f4483b15397b86021098af4e13603bdf32c3
SHA256 9433b20f195feb1f30d5d3f57647a8faf62ce5f8ab447bf81da9529ce4e6dcc4
SHA512 e750fe6d0c97254d92b7134be2bf701df7e58ff94b44d16c9cf7023a21b1fb8c6509a6597c5d931090a625adcd41120e4a212471a26b41d09fac6bd365346072

C:\Windows\SysWOW64\Ocimgp32.exe

MD5 84df2c1a1c33b286ccc521b4ad3c0878
SHA1 788906695ee9097fc6abe4d578531389707ceca9
SHA256 07103546bd5a4ccc777651ac66afc170a7289fdfc0fe0b61c0c833657a502df2
SHA512 ebca3862c2af021fa15941a75bfb47c24ae7908420b69be454f0fc788fc050e059561a2b8f09c21acb9181fff8dabb4d0c1beb27b929bb78fc0c5b11975e44b3

memory/1688-496-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2484-503-0x0000000000260000-0x000000000029F000-memory.dmp

memory/2484-502-0x0000000000260000-0x000000000029F000-memory.dmp

memory/2484-501-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2368-500-0x0000000000280000-0x00000000002BF000-memory.dmp

memory/2320-504-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Oqmmpd32.exe

MD5 e1ba3475df395c7e60e9a89a86aef158
SHA1 25b700d3e34c3e77f52bb9e460bed13a23cce903
SHA256 bcf0e2358e2e2a17fa388291257e301933d013ec6a5897d6ebdfc376aa0ae58d
SHA512 c6bc9fa43cb6cee765402ad0fb733cd6b968508a92709e3238f9b7c0045e2916e30b8841e8236f611b320ab35a1cde4bf82d998c388fdb29faac6283faefdab1

C:\Windows\SysWOW64\Obojhlbq.exe

MD5 c6c7e5e0af52f2add00e8fee3e42a5a2
SHA1 b1fd25d69ad91642d5de6fe21234d7f91c837f61
SHA256 7890f1622643f41ca2165199234829b5bcb9352dde1765166c184e3734c44374
SHA512 4053ce8e51d28eeac29b9dfc10bcc29005402b735d6cec8705fe31fced8bc7fb638e62bfe3c28ac3fa789d1267008dea59874fbe799f16302a032eca7fdac76a

C:\Windows\SysWOW64\Oclilp32.exe

MD5 4bb40adf4984994094db8cac5d789bb3
SHA1 5de04cada29c54a418218b9a0cc00b1e9af480be
SHA256 8a60f61147ed40f36075f0f45663e4eabdfe04a3e0499b295d27a66e89e99e4b
SHA512 11a0c797f3978c4ff7d0307f29925299d6cba6fbfe6f1fb637f7882119005242fedafbd794bb26e6a53ceb7a8940cc2224738784eac93b67d3e77e9045da6496

C:\Windows\SysWOW64\Ojfaijcc.exe

MD5 cc2306d7c595e1c6a52c4df83ddbdd62
SHA1 d031d461de631bfb219f4b78deae85586e084471
SHA256 72447b567982c692d6bb1c275a31bb690644ec030a2d74dc73675e0a4f890beb
SHA512 49ea66cc651568758b3b6d750a71d29b1d45bfb215e8ac4d53d2b2a2e8305f69e2e64acc8d32e950b313c55468d52c39049ee22e9592f7fefbd008aff15c4798

C:\Windows\SysWOW64\Omdneebf.exe

MD5 e4941e332505957723eaec1079c808f2
SHA1 7ac7ad9ba3dd52ca322ac7a079a0afd206a48e0b
SHA256 68d0159dc96e75335d80487bad01d13287bbf1dc025349dab1d3cd7f2cefb921
SHA512 fac3b227a9c45a7dbeb561ff266afaaa3f0b8d2e8f43d16e1b88363a3d85979fb917520e983aabe6f0c183efc6b7af797b5cf41041ae90334587c91f8674c2c0

C:\Windows\SysWOW64\Oobjaqaj.exe

MD5 5002de05a2aa396be81e9ed568a4e4db
SHA1 5654de8ba26edac04fb39ef7b06962dca9d40072
SHA256 d2b1f8cd8a76d4aa60e8e225c2e04477dd8089f46364b1f55f6ad16306f29dde
SHA512 748fad6ebf69342621fc689edac4a13128eb20798692cfb7ec8a06428689311b54cc290bc9d01575b7a6e5bf70176de3ccb1667cca19be32780e3e5ab31e78bf

C:\Windows\SysWOW64\Obafnlpn.exe

MD5 d092eed5b81ba0ea5a60a36996812a16
SHA1 aeee4ed35e16c7bcf89eac2d03b357425c016799
SHA256 f1a59496785a814280ebb7d19fe0f5734c6e83086adcc31b9546d2bf36307cda
SHA512 bfffe3a398ae7719e499c1276e6793ff96e4d0fa98f7c5a11ad4feffe42836a5717a3d012149057efdb83e6f284e9d2998dcc9b6e2b54547434307361bb1d8c5

C:\Windows\SysWOW64\Oikojfgk.exe

MD5 02233998bcc458ff33173702e7750061
SHA1 ef2a420c7658ad9df02af13a512151aab8efa23c
SHA256 ef87e35a19e50d7c5c688691bfb582a77e06ebb571b343f27d8a46126b623384
SHA512 5c02b2be2990d8b6164024f3698bcbd413dd706459f154b54c6388699e72eb648d8bbe7598576f540688e3c2aa4c2f08fa186626d47a374be6fbbde91c252b86

C:\Windows\SysWOW64\Okikfagn.exe

MD5 4bd943955dd835dfe81e9c7d4136d721
SHA1 1bc57fc196e86d01357858f63ce629395b8a7c33
SHA256 94bbc4b6a4c4f18efb05130243cb6915462df483844b1a74a84f429d0008c20c
SHA512 0ad757f47dec636401677ffda0878900a716d002dfbacea3f2e17193b16cf15621d1bdceab9017722dd36dfd86bc33c4d9fe6dfd99bd8da4acaa2640bd0a8f73

C:\Windows\SysWOW64\Obcccl32.exe

MD5 22e07b2a75de3e81a6f1cbf29c4a32f5
SHA1 75bdb8e126fea0f02dc1eae2839c04f31db0603e
SHA256 ad9e9bbef17d9e35feb62964e6d1aa0cb072f00ba1dc9b54f3734af1e997ab2f
SHA512 63a9142a8cef4be6a93b613e802263a13f86131befd4acd98426cde479f2476c4dc73a15969b5a307b4be982c091f4844a54b3081b89044bd51887e318ac5bfa

C:\Windows\SysWOW64\Pdaoog32.exe

MD5 c060f7890ba380b95d6106ba3680a84c
SHA1 03f0496148b695e46929eef917f9c42a8a62bcaa
SHA256 e741a11375a9472c9eb8296ed951bb8d37f231d2e9a96055309b22cf0350e979
SHA512 3799af44b79b9aebaeed1b422dede4c9264d72018aa5f071bd05e609c1205a4aa9feb1ee58635e8f16b70e473420d0194ca8b47f0cff2b2312f00e14c06d0314

C:\Windows\SysWOW64\Pgplkb32.exe

MD5 68db5ecb170e1a7995696107a5531fd7
SHA1 dc5248d476fdd9ff8d52ce5961fa4e2dec009721
SHA256 360a42d140e5063acecef47e960be018b8ad0913ae43640e2915bbb183cb1eed
SHA512 68ea13f829f02bd4042fde8b80bdc7dbbf069832559eab50b50a716ddfc6b65e03965b1ba26c55781be1e7f997e9cc63d43e5e312c19b34c71686a0a799cfd27

C:\Windows\SysWOW64\Pogclp32.exe

MD5 c8bbe5377b79d83729a912c9c20cbb5e
SHA1 302476bd57b22b6b7e81b56e1e04d5e688538144
SHA256 be7f762283cb7a7d645b6a0b8bdbfe3eb01b8232e3d8c9eee252d85bed14c6ba
SHA512 759f86ee0881da122e80745aa26e1ec9642560ecb4bdc928e4c1b84ee7250b62d2fd0aebbd80f4db74f120b5a0d46590687fb8a95744bb6cc79964e7ed56cc99

C:\Windows\SysWOW64\Piphee32.exe

MD5 b98ef6e1ab1e4757f26a4d602c648093
SHA1 dbbae588483f8b2d2972b271fba373805ddcc0d5
SHA256 8079345d4acc3a528e7579c297a27b59fe2bff8074ae3bbe5a167e8dcaa0b51b
SHA512 d5a74fdb806cc9a760069aa79c5509a374a874fbd4456d5b1f2e8f7f0990d60e8fbadea94c9be56c1ca90ee2398aa1bf4711c00a888fb2878049c505b07ba6ac

C:\Windows\SysWOW64\Pgbhabjp.exe

MD5 6f7edd8e11b3a7962d781b65ee617a1f
SHA1 8caa4b385ac47bd7c7631942b51c3f0f62d6e4b0
SHA256 f1a2b81d71b4e9c06011ef3da749d34aaa3b05ff0f8344b3971e242c92bcda90
SHA512 80154ba789b92a8445bde62923bbc4dab0b700470e8c7c8bb7fbea8db88bfa43b5b2234a1304bdec517dc0880cb01402c2d35b15a5709654484ecead26928636

C:\Windows\SysWOW64\Pjadmnic.exe

MD5 0ed5f74185d6090871d4bb1ea1004038
SHA1 4499ab3cc45c84c5d0068f48a9c931ae1f33d206
SHA256 c0ba7f705f83bb021a806ac7d857c31bb5e4641f0161f4a0454d46a0623ce8bd
SHA512 f28eacd2d0ccdcf605d843d838388a27688f850ad863c5db8b66e54459a49de90924511993301b1f229c8d5ea108589c97b800adcdd089379dd4b0ac82eb591e

C:\Windows\SysWOW64\Pbhmnkjf.exe

MD5 46a6482f1340e1848df9e3b92a1e4e3a
SHA1 5fcf9c4059e0f18f9dc74ae321e46b36fe87f65f
SHA256 b264f21f56dba84ffa509600c7b6b477de03baf0c481e8882a30fd39ff00c7b1
SHA512 81203d946c1260fa557c48daee00bf74e045baf8bbfb0d8b08e3dd7609f3cea54c6a52b036d21d4cef0800d8824cbf6edc788fdef587178ac830a50aefbbe719

C:\Windows\SysWOW64\Pciifc32.exe

MD5 9d5417a5776e76a69a7b12d3348bdb0f
SHA1 741661b56c87d4403cd6dbd75b34726361a7b8b1
SHA256 c661deac2c8a7f97df81d88384aa7ac5e61bbce6609127485ce1d790ff7faed1
SHA512 12df33915f9e2da8204dfe2eefef5c44569b9c79c92b4929624be1654766e980b4fb353a4ea31d7921c77742a107e4986be80423bd943cad7a8624fb15bf9621

C:\Windows\SysWOW64\Pgeefbhm.exe

MD5 ff369c1dd9402bbfa616cca61089a6e6
SHA1 e3685e1635ec7d2ac9fa260fcb8d897e37c3e843
SHA256 17bd4c2878b7a8839472dc8c5a5c11bb009501e9d3a85ceab471022ad30e5e62
SHA512 e4786d4b7ec9a2d9b51b6dc683c6867fb5e62ca2a33123b407e11c85fc277553835edcf00fe41e8ada99e1f95206552f15b07818bd0ae81ceeb8b0de47332709

C:\Windows\SysWOW64\Pmanoifd.exe

MD5 28d9e2fee86e6e5fa31ae4c21ef0e8e4
SHA1 1643afea61a84e766ee09e02ea82f7026c311c51
SHA256 5319af5e0f3ddbe156d19763c3e7f22672a69de12a3422a0073c9cb12ba7381e
SHA512 4ce97e0bd2b0dddb526333d4018027fc5b5da2d1ad3928ac0629fd8c8f89ed57c84308a5b1b554ae53722dec2ab8a9f6f8093a4c4c2bf79d8891ea6ed9cfac95

C:\Windows\SysWOW64\Peiepfgg.exe

MD5 32efb87f4cf3910263d0aa36a9486c2c
SHA1 5408feb70855ebdb333a445c84046157e4f3111b
SHA256 c4f463e5408fd43989b5f54fe5b32de4880295546a7467ff8aca743df5b02155
SHA512 0574e8286d77057e51c8624cfe05c302d0f763be0abf39ae9409ef278e99c1d432e7a7dc35b454b3422d5d50e69cf4baa8d30a8989d2f2c30a515314c25cfc35

C:\Windows\SysWOW64\Pfjbgnme.exe

MD5 09c64d64ee11d9586837b1ca47c890cb
SHA1 a08a21bc0755f04a20048b241bd62e492964d5f9
SHA256 6e84b239e101032ba82a0a8911e42be64acdcae9b7dd883c0cad37b78bf60904
SHA512 704efbbbc5a8c48d4b3fa33fea7271c3626cdeaf56a81f1e03f2c1f4d32e7fc7eea707a3e6ab6e32ca63cfef4d1214f48cca91a8628d971e5342ae61f99f394c

C:\Windows\SysWOW64\Pjenhm32.exe

MD5 8a323778ffe4ba6f86036e65ddecf669
SHA1 c8e7f27e1bc475e25c286d184355e19f8a56e2d3
SHA256 33d7ea1ed03ccaa73b02cc92d6c035ac342d3a58a7d9c19a07c2960ff9a0e25a
SHA512 a0d96a8e7802e3df787dbcaace236c7e4fc7ca98f10d0e0a0be11204311af76e823b826eb7b60d5077833006e1215494d00e594c0491ebbcc296109e959bf4b9

C:\Windows\SysWOW64\Pmdjdh32.exe

MD5 967dc527e8279f76101f8a1acf8e38f2
SHA1 8f5723a07ce13361193df90ffd3b0fa1b17dad03
SHA256 44b4cfc3dbf8b835eddccabea743e1236f011f591eb9c60e7760a3fcfb56df79
SHA512 23f987504fdf129bb8e685d3fe73760cecc5b56c56734ff8c350272f3a1b8ba34f6252515ff06a862dc0e3d725fe7ce9e61ce0f43a84902700bc6759e572129e

C:\Windows\SysWOW64\Ppbfpd32.exe

MD5 8e4050e71f67ce36554d1420ed7a258b
SHA1 fd1ff62de355630f993f8215a6059cdb688feb6c
SHA256 17c325b3cc3ef99200a897f971778f28ad6fbff76c9f12f3b44ecb3dd005756d
SHA512 e5ce08a50eb08bf086d52b13ff64d3074a6734d34b634d1ec78aee5ac549c75a0ea10561b2f0adc1dce9fc78d74b12acf0eedb30db6175a5ef6a5f190ba6f5f6

C:\Windows\SysWOW64\Pflomnkb.exe

MD5 c80e63108866a65901937a78b7d2472f
SHA1 8407aa2c23271f9c326de849d1d65b5e2dd8c38b
SHA256 f87994cea688f80c356ad8ad6a421fce3f835f688c6d798f1c9943395edd2c7e
SHA512 985382fa17492a2a087c8d6781fb79721d67946d6c643ec06ddb5846941a9b35bc93c1e7b9d1edbb1101b0e567247d39c2330397e5369168ccb4f187cf8ba969

C:\Windows\SysWOW64\Qmfgjh32.exe

MD5 196823105a4de00381d812b5e60bbdec
SHA1 40e1c8274e6bb3cf8bd643eaf13514e12ed4756f
SHA256 5859dab993b84d84ef2876ff78a361892dc050803cecf8c76bd795a6a12e7aa2
SHA512 6693caff49c9247280be4ac20a7e54e59ce3f5364357d458e10a4e5bd3c59a7386dcba1663dc0fd65aeafe3a4af29f705648ab2592e061039c2403c49977b7e1

C:\Windows\SysWOW64\Qpecfc32.exe

MD5 b1830ff36c3c7409a13e481144e6d907
SHA1 7dd603761b831a60113589330a10e06e210a8847
SHA256 9f42f5b07c1e7045fa08bde4a793fbeaf3fe0936d7beedf4929fc41c26eff5dd
SHA512 9ca977d27b8cbe5a0fa1157f91c2c7e4db877515d8ffa68f9f652866aab8cd31b3e378033ce50d488ef4065063012f57f0b783064623a6ee8fd4dec47ecfa294

C:\Windows\SysWOW64\Qcpofbjl.exe

MD5 0eb30814afe25ddfcc171a5b297c3da6
SHA1 3feae68d4c33c14d1768e18187051008fbc52d8e
SHA256 0783646f544d5d299cf9bba66bd7560667bc4b760f45a05f199945abf1f5614e
SHA512 abfa18e7e1eae09e7b25f076171b7fd89c87eb779d106a3d72e17aeeb11f0b243cfbe4322ba34aad5c1652113711234241611c71d8c37ae1bafae05aa0a2e4aa

C:\Windows\SysWOW64\Qjjgclai.exe

MD5 f6714e1d0078b5584c8afaebb54c1b71
SHA1 a31a8a5fdfded920485b7ddbce57a0f16941fa1d
SHA256 031a9fb24f8421929c27fa2180eaaf7380c09ca9204906a416e10ee1a6afe275
SHA512 f87927d805546911eeb909ff2a1bd01035a97295d3f9c78f5ec780f79d219dd234e3598f29469303ca7b0cf36e441a942137c0db3171681b7a70bd53881d04f5

C:\Windows\SysWOW64\Qimhoi32.exe

MD5 628135a7992866341dc54f982748fa82
SHA1 226b274a3bdfefd7c414771abf53f674fb679136
SHA256 17d54aa14f4554232b2f7362a5b92d6679ccbb5fbc462dad664655d2a5fa1dc7
SHA512 1cbf388e8c3283020376faba7657958585492783fab85d33847db24567a365408c5b8f65416c000c4bf553a8734ee241b9f803e6a86d3c821e5b3b9f37091436

C:\Windows\SysWOW64\Qlkdkd32.exe

MD5 e8fe89e01ee2e87a424b34e32dfd5bd3
SHA1 89434f59bcd236a30fcfe3e4aed1f7d1c3764d73
SHA256 b4767a9f46425610577855745e6da946111e0c097ff911cf4c401ca2e8836348
SHA512 e3507c0bda26ef8fbd7f37a86cfa880a4474ef0f447ac5e26088b8787a8d8c0b78871240913cce7aaf6b75fdcbf3db75fcffde4b20e008ce22b03cdb1d43bfe9

C:\Windows\SysWOW64\Qbelgood.exe

MD5 f83a9d7aaf30c8bf3b0b5220ff857089
SHA1 28ed39f78c13a161730a9fe6acdc684547da7ffc
SHA256 be254b28d537f9de17c80e8cc70ca531f31c512f7dc7648b21a67fc2f6f98e11
SHA512 58af1a9366053468ffc2b59fcf4ff3e056ac53dcba82c361d4bcf33b558a26a08352a1981a8a8f46ea5bb52f3b1933136a35a2966976fc8827635408eef4b3fb

C:\Windows\SysWOW64\Qfahhm32.exe

MD5 1b33b4c9681f96268f9e2f694a419199
SHA1 be7efa64588d602d5ffe8821bf4d4f9bcef5b86b
SHA256 1aa69d4c55e866c296e7f1836e772c5c09068915bea40fe5c2098b91adb31fcc
SHA512 18da2a9a44d195c9bf44c90219664b315cbaf436fa37bdeb8f38b43152e09f2d381d0df9dc3a0130c116bf9c548ea39b9b12197485090cb8132858d26c571abc

C:\Windows\SysWOW64\Aipddi32.exe

MD5 05d0808fe3885c28044adc534a416d5d
SHA1 cb30a5c85f1aae0a1bf7915def1917a7b3bf0c70
SHA256 6b0e587991efd8ad1fa9714193703a63e329f1ddb8f99f0b093cc7207de32378
SHA512 e222caea50ee5dc41ae797cb00943e0c01b8372c13998b5945fad4b8bcdb5d0c2ce2d12ce744099747917059d46e589b693a7707c22944e8c38f7527d6b2460e

C:\Windows\SysWOW64\Alnqqd32.exe

MD5 0c50e169c7dcc8144cc039495c5985d8
SHA1 ce012885a5349ba3325442bf9ef5e9245589286a
SHA256 74da984309b91f8c0c8b70fa7f4b87effe9919fbc0ec751cbc19870ad817997b
SHA512 d6610af15f09ac74552adb11e5a1cc344e71ec345046d80428e7611b29c93a10ca7d047b95545bc6c832d25cf7da52544582c68a4242934ec63a76e3e3fe9c86

C:\Windows\SysWOW64\Abhimnma.exe

MD5 e24ff13b399809f086e07cfcd8219602
SHA1 24a723ba9aee766a39c41e41eb035f66af7434fc
SHA256 abfa51ecacf3f5242559cc80f96210cfe8be16c19d8d56b5d293dc8c8aabc6af
SHA512 e0eb76722b07b150fbe11eb8f63f007a1ee524df72d972b544d8a46c0d6e242279069e561901309d83dc9bcb18e5427d3c4345f125fcc9aa0feb94f2c0877599

C:\Windows\SysWOW64\Afcenm32.exe

MD5 7d4a935fae5748ef2b5c54feb5d5c327
SHA1 fc058dc85f313afed3f1d47d28a050e3a9170fa4
SHA256 f699c8260eddb3b226a570af355e881ac2f3f3e034974b81b50f288278c77d5b
SHA512 d6b702264c4ebfc70d651bead27bcfc6978f7ecadc0c33ef384e589b029f5a43439297ef5b900751be8e2823c1e123e1e34632375a090e9bd161b05cdcb615c9

C:\Windows\SysWOW64\Aibajhdn.exe

MD5 90fae2909a3ac7c66cb0913ab1fa57fb
SHA1 c4bd3c4f58acbca405e1f6210bb1447ae620193d
SHA256 63123421077a485faad67ffd9178fc0aa1e042878861a122300ab77aaf90da8d
SHA512 14a2495de6c856d961eb1472338e58ae9afb5d8c4a215ea324fe5ecfdeeb4b535298ac3bfc82ea637b7fa4af1cdc49aa7a536a95959289877481fc171994b39d

C:\Windows\SysWOW64\Alpmfdcb.exe

MD5 384b920f96ea2da1e9cd087d4ee1cc92
SHA1 05b40d051898b5e038f407d4b69a414738ecf92e
SHA256 7c5562a7392e1d2c7142b9c29047d68587f5060aa5044fd4f987b06ff8ed3fff
SHA512 a4f20dbb8067d7738fecce08d22f2fba6b309e395d539bc327d26cd89a58b2fc78aac139433b8e101f9523e6dd7adcb6346fb66686c253736fe8235e9957bd5e

C:\Windows\SysWOW64\Abjebn32.exe

MD5 5208ce598a291feb3facc5b269c9dd38
SHA1 856498abfa4151cfba7ba85aa8173c5eff4887e2
SHA256 69192b50ecc5ac00c2eaf80bd767a72a8f68dc62959be40cd87493c7ba2a751e
SHA512 3785b6e3990a1840539ea25c8d9b3c4207a9d24f48d07c0e930dd6cf918b741ea0639cd9797ae8db9e9f2bd28a0fa38fe0c98787f2187f26c9dbe67e31d3d60e

C:\Windows\SysWOW64\Aehboi32.exe

MD5 e8c54524ff20c05d1efb6ebe6b8ffece
SHA1 6e07c61bb8b9e658d6d345cf769fb956edd1eaf8
SHA256 dfe1daeeced9a484aba96b9f6a1b1bad05911bd753714de77e7f5fabcb4ff23a
SHA512 5aa7af963409a7acedb68a054d8eba12cfd7bcee62b5b2888b30f3212a3f38e27f98e1832f8a4339de851df70a6d5077b324c94f4dbe3260f63fa63f0a478738

C:\Windows\SysWOW64\Anafhopc.exe

MD5 5fa423d43b21d033460dca14a308b003
SHA1 7be3cfdaad0f7dafa10dc1a3f6fdf75bfe81d259
SHA256 0721a5be82c2af2377bce8bbfe21bce65dd6f7ccf150be6db979e4ea1988635e
SHA512 827fe84273b4eeba5da5be110995d1536ca930601199f3602e509eb7825819dd1426ea881e146727e479bbbe23a05238c8694633737e6792897788b44cd1539c

C:\Windows\SysWOW64\Aaobdjof.exe

MD5 9ff664fb489f5f1727b0c2046de609e8
SHA1 076805b1dece999527508166db04e32f11074579
SHA256 5a3ac36ccd476e7e3c7f3ea6f6123d0862518575fdaebf16b03827e3833a2d57
SHA512 e357fdad9365b05eada54a8d56e6b1813bcc415139cbf0c2f1517881bbce7655969044646e926fbaf99ee2a24fff3ade280cc55d39a4b94f9d53261f257e62a2

C:\Windows\SysWOW64\Adnopfoj.exe

MD5 bf17282bb7ee26cc0aab92ad52441aca
SHA1 c924ac6841ee07f1868db5de0baec626441e267c
SHA256 c538e35a188cd1039851d702421285fc60945919f2ebeeea6519d7f2f98f403e
SHA512 06718ffbe06ef015656a4e7152c2093ff82940c3f668277104778356be8f290ee6ed6125b228450f8e0fe210e1b1cf4157f57e62b8a1056378213a7cc67d7798

C:\Windows\SysWOW64\Ajhgmpfg.exe

MD5 486742159cffdf1c3e34871408305ecd
SHA1 2af627a79593a65a890366348eb080687aa75937
SHA256 b959d94949bf448ff626957f6a76324d5d77f74210c306f551d7b86c5bbc4804
SHA512 ccd30c14097fa3d1a514d0306cef5bc57af510bbbedc30d0a03b328978d8afc7f9babddb67d7df3590de4b7d67193f80556ffd43d520d958897a6b128715e645

C:\Windows\SysWOW64\Amfcikek.exe

MD5 2234966aed7276e05f36b2b91fb334cd
SHA1 82193dab489f4f4623d3b68eca8d9ab2b0071225
SHA256 f0a5c58edbdcb6d6cf9d05337f36c930939e2367ab75f5deb93226b210a08a0a
SHA512 09f90d91826d8488b204ddb8783782a35bd3c3c405e39d1ae28bb40888edc84ac1928c134fc59b8abf3332c4f8b88d7ec4eb0ed90db05908495035694bb47519

C:\Windows\SysWOW64\Aaaoij32.exe

MD5 189bd470c0c4ab3a877588449ebf4fa1
SHA1 65a7c6d012cd9dbcd3fa7eba62c165e4c0b74b46
SHA256 7c4aafc7a1b8d2b42500f8eaecfb62b4a5b304c642e423a6e9fc7b23e22cc4ba
SHA512 47577dafbb98d89a3528da54a9e692fa7fe130f436637ffbb842cf08236204ac4571bb20f8377c1286d94477d0e95cc1632ce7e68c214699267d5d7ec609a6b3

C:\Windows\SysWOW64\Aemkjiem.exe

MD5 50cbf69550335fb2bed8581a7478aba9
SHA1 7357f7b0ffc72e47eea9f73eac038bf43c893dfe
SHA256 9f69b14c07a1e3f5d0cfe6a48c6ff16d2743f5418107771a43e0df1520f63c86
SHA512 e669e473433324cb316067567bcd7be39798ae6e9c57d91f09350050a48ffd97120f837f0c64a59fe729b2f513c6a0befb8f8a4ec3f344eec037790d7eb8b96b

C:\Windows\SysWOW64\Ajjcbpdd.exe

MD5 bb7adf61c555a6a8fd9172b65f6a1e93
SHA1 96986d04e76fa5484f92c8232aa1cb30949b2c55
SHA256 f92d853dc6ffa0317ae83f779ff539a1e197860fab2bbe0f4f47cdcde6cdae2d
SHA512 1b19bbe0725e6d04af8c0b8ebf7bc96d92f2aa6fab23d0f05a143e525080456d973f040fdd94e1f32b849f834fdd2e8fdca53589f59e8b7b050fcada410ca650

C:\Windows\SysWOW64\Amhpnkch.exe

MD5 3ad5486b2030ffe658626b8b3038820f
SHA1 d08c8de63f015919256808530cf44d03a453a1d0
SHA256 1a5f9c7138d57cc0db940b8c0c383466eae7dd9ffd521ff23c1838bc1dd88c0e
SHA512 77a558280052d1dfcfe164f04eb7fb8d048988b6397d55c6a9557278febefef07e08160f56e0531cdc80e7d5384e1cdc9b2680191dd6dd6752f8b685ad11059f

C:\Windows\SysWOW64\Bdbhke32.exe

MD5 2917dcf76480f383825537889d4fc5b3
SHA1 0d95e6df5075264f288258dcd8af76d55ebb9e29
SHA256 68a15d217d56824c76206ead090b9ceb7072af3efae3e93c51c0e1189245e2f3
SHA512 00fc86dc2e13b943f275887757e49bdd9361217acee8fe34a2818071f4638748b8949d246219ec32e8e47e59f9be8b8c9f631efe1281c720ee1d7c0a3f50d300

C:\Windows\SysWOW64\Bhndldcn.exe

MD5 592ad5ec89d995bde3b99ba582a81a57
SHA1 b476d48d47409265983d5ff31b4a551caafd48c7
SHA256 c65c406a326016b88c123e18a6c1229830955b383ef77e3d3b13042b56de308a
SHA512 39e623c8e5bd79ce359c2978ee1fb2d8fccd576e6e48d710ebdefc56dfe7d8a9dd3d77ac403919d5ddfec29c1c2e3ae0c82f2061056770b9621e3686f1550b36

C:\Windows\SysWOW64\Bjlqhoba.exe

MD5 ac8bcb1c27d93a702e3579b8d6a9c719
SHA1 9aac9a0fe86f3676f381fbf7e20db138f9d52f2f
SHA256 0ec9bc78adb9573894398c16bb36c72f9b49070d4baf651230e9d5ec96aad0a0
SHA512 330d9c036b5d84e645018ab4a44bcb5b3479c1e50a87a137f197bc14e66c4e7c1972e5b82e80c6cfc039c402b64fd30c1484ee1cc04854aa451956559e62ed7c

C:\Windows\SysWOW64\Bmkmdk32.exe

MD5 c12b4d9f49bbff8be17497c6fca3f5a2
SHA1 349f529d45b221f9f5e4502fd294cd220618e0d3
SHA256 cd9fa34cd371e23c509d16da2b2c1c6c2cbb641a8d00740b481d4fc181b2a139
SHA512 d42b45b8b5a8229f50cf6c4470f10860de8b394f4e6bc024a0a2de1be13679dc3a9fbc7275bef9caae692d871455284c0c350109177ceb47a7ddf4c942ff0096

C:\Windows\SysWOW64\Bdeeqehb.exe

MD5 5b3364ab2596d0e077ad4b5ded2d071e
SHA1 1cc3353dfb97380db552f3c08c7b7e30080f689a
SHA256 be1afc55d320fd43582ceb107514967dda0b1a421259232ea94674e45f4b64b5
SHA512 bbb8fa23b5b5454cf71a5664f65f9e989f2ef1ad5ea13ea3fb8ad474809dbf3b72865f9abeb93de3b5f66eb007372e289cf412ade020ac495948e13eb90d72e5

C:\Windows\SysWOW64\Bbhela32.exe

MD5 5ff6d185a80dbaab3ba04cd917b43f7d
SHA1 ffd7de1bab884463d71a4b18c3c961178b393717
SHA256 61e84d4ea065976d085774b396d8afb93a136aa8457c6801125f1c5be12a97ec
SHA512 cf8c39cb0abc8db17fbfb158c76f6c081f36f80dd588ecdc40bb9e186f4950b2bded8d81a94079f6ac4c4ce95f7488127232c2c121aa8588d3495b6ed92554e5

C:\Windows\SysWOW64\Bkommo32.exe

MD5 746fcfa22f1348e058bd250bb2332414
SHA1 247d14f9030d5fb978cba15f633951bcba9c3b1f
SHA256 3f13b988e7d2137e7f5d558ed070dff8e45c0ac103223e5b73e5a305417ce1f1
SHA512 6a5345d4d3efff94b526fdfa03bfce15c4c94dec74de26a082244a30c8cb57f6290b4d9954ba3fcfdeef55e71f3dd2dfd71b7a4cd53f87c324311a51f9c24926

C:\Windows\SysWOW64\Bmmiij32.exe

MD5 007db0d6ee00a9016d4daf27ecf8df6a
SHA1 3336e9cbc42b51f3199cf515ce4b8575d9412241
SHA256 a018386c43655906ec3c70533386283263aa19b85cc9a28bf99b80bf64544b20
SHA512 23f3bb17fd1ca8c361e1ff30fbd2640c9a3c1d6b856f89e68b63d789cf267816d9966104bae297d8deb51e89492646be9bce81b9099286e3fbfea6753a1c6d0f

C:\Windows\SysWOW64\Bpleef32.exe

MD5 2de821336d37b489f52a3c3d2d8de16a
SHA1 7cc719e1482ae3e008db7c43c8ffef8580b72b9d
SHA256 c4ddd8fea3ff4442925d947cafc5bd2d35422e48a1cc5de1160f8b1be23dd8aa
SHA512 9714e25c89a0687a7d6350c227ffd0754a81bee076f0de7f90623d5682c2b250f92c5f615924974fec75fbe78b8bedf78e0deaf3f8375f1cb51a361226c27802

C:\Windows\SysWOW64\Bbjbaa32.exe

MD5 22f2ab5a3296c69107bf22cf65686e52
SHA1 8d0f376cac9a1427179be10fc865f6a2dd6e1b39
SHA256 ae02bff1973b5510e55f1453712bdf3458a2cefb59cd47542d33e959855713a8
SHA512 bea11b0f157d02cb7978c75a10ee203416995820406a66027ba7edcb767856151a0c94bea17664d4dfc16a6acca6c7a67e2d6a51f475e49081e59db5b232ef7a

C:\Windows\SysWOW64\Bidjnkdg.exe

MD5 f94e4e262c5db1becb3eccad7e273fa7
SHA1 f3ef98a1142330e738e5ebfcbcaa4a01740643a3
SHA256 3d58443b1ae88b4f18896229f260f296b13363ae6a1a79c349e321526df50de5
SHA512 8f6399baa0deaca28efdffa8805219dbb00ea511b58da62368f7d924a7e0c81687ea7ac7f50b49a3f904733a5e50f3643b3af805850ef34369d43335d6de41d1

C:\Windows\SysWOW64\Bmpfojmp.exe

MD5 90d9b0dfa2d024d0c79097a5114ba5fe
SHA1 d03b902689817afb52bed7dbe63ee8656f360aa9
SHA256 6c257cebaea652ebeb98496c85ed583ab2aa8e109c4bda668c46ea21e4e1ec4b
SHA512 3f68f6e4f0ce05819a0d92d0d0928323ae3058b9dda51617f3d1d2955357be0a09ba0b9cf1577f90b6192c68ada333fdb0fe5a1ffdf69ccf9849a5f3225d5d29

C:\Windows\SysWOW64\Boqbfb32.exe

MD5 13f99f343e2fed15e00d93a1c2d81743
SHA1 d42cdebd4199d4f6a8ff746cde14c6b80e45820e
SHA256 e9a5162bc89b50f91bc74a8a8b7371dca32b90263c9ec0181f66dd7079b631b8
SHA512 05eff4ccb69ed6d730503cb4a46e2284ed3688d4122cf39ea94dfb0fd6d7a2a70895b91fdfe081e7ea4cf8df650767c3f16dc64dcc314770d6bcadd7532d6ab7

C:\Windows\SysWOW64\Bghjhp32.exe

MD5 26877d1d2fdd3b52280376435c27a6e8
SHA1 de269106e7da0f5b22d1054b3ca93eefb4ff18f0
SHA256 dee61ae75fb82f8b8c1c466a3da280b87e4e5dd2e754dffde27b7d57694abf87
SHA512 a7f4c38780c8910cb2cb3b608c310e45ed3deaf40b7d6761f0aaa97808bef3a418dd606acec01926a33dd78e8d471ea3ae254f50e9813c3177d6037c1bc94291

C:\Windows\SysWOW64\Bhigphio.exe

MD5 a5ffa14515a4c6f9d0013e96c5204c5a
SHA1 ca14d155276295d229393479e5816680b3b8499f
SHA256 b3dae210d0ba79edcc9ca7b3c0ba6ce93683e092f7c51eb96c5920a3988bc8b0
SHA512 a4c8156ccfa69a2cd1e5eb9982a6404c6b27003645a124f6951e584f515b714140e2696bb930c86ba6565ae83a567a20bbcbd033560d43ea1af2e394e979e81b

C:\Windows\SysWOW64\Bppoqeja.exe

MD5 d1ceae0940f60bbda1e31b1c140259ad
SHA1 166dc61f8274e9895647aaf2997c9b1702b0d8ad
SHA256 af3829e8e5d3bce6afb1d46e443776714e9eb64ace0374491d93edbfc8edbd8f
SHA512 0f49f50f77aa9f4589a178f7360d055b241ca12f3f9ac6cf875cbe84c53798b5b52a64946b8459f5b57e8cbc6f3a773f2ff9d852d9661398af2b0d7364be837d

C:\Windows\SysWOW64\Bbokmqie.exe

MD5 08f82d0138600fadec7b8e4a16bfa34a
SHA1 99f2a6352117e28a76546ab655bc398d0b97b30d
SHA256 25ba7096103be0ab51d1cef930d927a70e5c71ebe3f1f6e140ca161f97bf455d
SHA512 9474993396d636dd1119e5b6d6a2a21c413611dc81e065011ea8f7025378e6e695a7d387c1791f84c85677f2b807bc785f84f36ece442b0b96a99ae9b0156170

C:\Windows\SysWOW64\Biicik32.exe

MD5 e771d947882adb4895477e1e5fc6611a
SHA1 a75cfe18d75cf096e5176911986f226b72b942aa
SHA256 763dba8f85fbd4feba2811fd45692a9b6ae7e4ce702e455983f47e9d9fa82ced
SHA512 234f74b5a5f76f502d4ea0e17148f5e05b137a7a2d7762729248ce56d9b11ec042b93711bbf75f0c3cd27b52cf2b8c8e428c70ac8b8af9b5cacf345a58069029

C:\Windows\SysWOW64\Ccahbp32.exe

MD5 fb34c350af3d43c303d0d1786bc92487
SHA1 044881a921fa8274f9a80d6c20c83b22addaf587
SHA256 048a8f22a71c68f588c68e82d97c50a3c279439e1e823a7b0b6fe8b11ef6eaa6
SHA512 004a8d11661911895f3ab96304686a6271c345dbf9fe845dda9fab4f307f7e72bc7b1a17b3ca7db63e8f6f8dc9ade66f228b84972accbbb35f23ee1f5ce7e63c

C:\Windows\SysWOW64\Ceodnl32.exe

MD5 536a1446f797971aabdcc405bd947bc5
SHA1 cc1ca1e11ebdb82c587af321d57d4e19e5478186
SHA256 77e80a75b166edf43c62d7557fa4007120ad938566fb5f0aa96cce8528299cb9
SHA512 26ae88cc84ef34ee7bfae28fbc7c6d1e79c726c5ea2aa0dc00fbc10c3d0470d001e9f82a30ebbe6f52960d5c01aee1b7f9bdbc35c5f30e0ffc2a9709801c7fef

C:\Windows\SysWOW64\Cdbdjhmp.exe

MD5 49165d082b24baa029126aea39af31ab
SHA1 5d477c6de1bf181bdc94f403731d2436ce2192f2
SHA256 95a655668daa19cabc210233ff2691f5e4162c579c3103c103c7b03ec7e861ef
SHA512 4dc9d0f7f6f756a1c402460da759397acf089c098b4a8b3aff944e9deeb932ac41a9b2c5b49ce653e97c4bc9959f40264918d71dac54f8a62b3e5576052e886d

C:\Windows\SysWOW64\Cohigamf.exe

MD5 21f35b84fdf5393650e05346ae51b045
SHA1 d00b9198f31bb876b9c91ba910e16e4445bfed3c
SHA256 d309ab2a019bdf15833e3159d6af887f1a4eed4654ffceeb4386fdc5add1f996
SHA512 3074aea2b81f2d68aa116e21b198a0d668aab353d4bafe6d65d88fd4b5548db02309ecbeef6a3ba62bf1ec907b3a2ea86da2ac0612267037f1e07327a93bef08

C:\Windows\SysWOW64\Cddaphkn.exe

MD5 7e5c51aa454cb563109a35f144447107
SHA1 90723ae806796f4abde56681cd204492bfd3079b
SHA256 ad989334571043e4f91475d28c27e41503a2210930185e4f901ee19411463be5
SHA512 1f4ccec8749094abf162010f5bc8735755032c1a96eb932d555ec105cc89e2fdd65bb4f5da1a095e8208f868674d38cbabcf7ce3f15377f105e57c523ce7f323

C:\Windows\SysWOW64\Chpmpg32.exe

MD5 d2363a037a7b2fc50e53becd3d6bee35
SHA1 8409281b4891efa41174abd71c111de2e8400f48
SHA256 075ef809b38c0aa0c74e9f2c17dc0a51f837350365f41f1f57077221f4303b7b
SHA512 dbf3dd998b1cd3f2c4d511abfb742abe3cb5c0f651a2e4679c9c3ead53ebdef0dea000906cdff3f5eb33f58f60e20fb1207090c154d3184e231f662ba32b90df

C:\Windows\SysWOW64\Cojema32.exe

MD5 c80cbb3188090dfc26c5ba1eeb1b16d1
SHA1 d61f712e1840562f8da7bd0ed02c9080b9ce8733
SHA256 650d6a64173e234aadc674758d4078b77421f7e9e04d348f369983d1b91453af
SHA512 29428dc2121770a7f68d988ab79a0d6223bc39b8ed69e73285afbf32fa1ad3f822620ca57928857625bacc4bc49d7c7933a5354591b2cd8b98164ed88db7c8f9

C:\Windows\SysWOW64\Cnmehnan.exe

MD5 601f026cd9ce2862ee3780fef96036a2
SHA1 c2fbee69215a3788dba6864d6017636cc9558547
SHA256 9c2bf6079ee8227ba859733615fefefa11a9c1bf69a5c54046b5e65ea3a05d3e
SHA512 3835c235fecdca3164c0cb63aef455c49ff625e4afaf49dd2ed713ce0f487e4bc0cdfb5eee30f522417ef6d5c45ad3f95452f24cfd0fae8b306c7a867e9ea1f6

C:\Windows\SysWOW64\Cdgneh32.exe

MD5 eeeb920fb969688cb0c159cfb00a9dd3
SHA1 406f11ad0a01fb8c5b298dfa12e5c287915db207
SHA256 35f9743008f7e19403054f4ea7c2d1c617e0a5aa696873570ae34873f225d199
SHA512 fe2601e7a7e8d570a7beb7118069a683264c9b121607419f800710fb0db9c987f85e452c389a81f76af3afb4881e6fb3a45c848347944e7766f404527d5584c0

C:\Windows\SysWOW64\Cgejac32.exe

MD5 867f52059a045d7cf06be30bab8dde2d
SHA1 4c594417b9b6f4485970415cfb514235952d4102
SHA256 4cf66b72fd6724ba3a3c4e1b4cb7d253e0f0f8e67fcfc524c77e8e044e2ea921
SHA512 83dc814e68c46880b52ae18f1738a1176b830b973e97afb1e19162be416027aad9373bffb245f44a5e95f19fb9e60192ef985a989bbf9be2bcfe8a658dccfe4f

C:\Windows\SysWOW64\Cnobnmpl.exe

MD5 cf15df404969a0ee11b3419729a71a44
SHA1 9896e77c7f749ad574e5d8a85250165e61456471
SHA256 5a5840d387f28c6433787b95ae0d0b661387f9f85e01fa5abfef829d76007525
SHA512 4bd941d4c4431a0dd9e131051cff05efc6667be7f3c1957e301a8dd365486013f5e0b7a2a776acd4fd7c84ddd6706c711d9c27f55d950fa0bcb66e0f25e7dae4

C:\Windows\SysWOW64\Caknol32.exe

MD5 0ec48bb2c804a32a77af3f5b9861ab8a
SHA1 ef3e453c6987513b1cd6ccb92af6942446f481b8
SHA256 85b07906d5c4172e5c23c41c3179ee437fc581cf508e794f4862f666f1fe54dd
SHA512 652fd4cd3308090d3ba2b861fd255a52570eab4158e5bba0e15d2f760a8103601d381492d4d5b7a68303586b04e7449ce7a3238f8997db2c4e644ed1a1c3f5f0

C:\Windows\SysWOW64\Cclkfdnc.exe

MD5 d4d413b0676dc997f0d63eb92f8b1026
SHA1 848f993c34911cb7c672c98f62d28a750831ed7b
SHA256 54ad38af8ddc7ce2058c756d3ec097de60e20676df09624f26fb5572bf3a05f9
SHA512 0450f60fa646d26a8190a49e4edebcba0ef62b2b1ba209a40b1a60c237ceeec93c340054cf890c22d84d744d60b65b7905d8366d81fc7530808345ac3f37a09e

C:\Windows\SysWOW64\Ckccgane.exe

MD5 d645c826ca419971dd686b4d3161e63b
SHA1 538f7a6f45856f997a72bb8edaf1a26a4df59cd8
SHA256 5250efbdeda6e2ea2b40a0461962a3585d9d94187af39eba73cbb56b06b1f0ed
SHA512 859b0c4ac4af0d16901751bd5e3ba41c03a34335e3ac31e1bf61660fd15538a642568dd3bf88affd3e615957698e7beba0155cae1944b42cbbc7a983fa16525f

C:\Windows\SysWOW64\Cppkph32.exe

MD5 063376efb175e8461181d9831be5bb45
SHA1 27e45ad561845977e8a06229a015876a8ef7b346
SHA256 9e9c35558d8e463a3c3f437bda4cbe0e57513f8b0a154e0f680b9670ee86f906
SHA512 4a01b27207719c45f0ec72679d54e5e3b88640590cf6930f99b1cc0a91aecbdafe431d0992b45f202858c7ee110b6e50e84e835c92dcf7239cef5ddd8cbe2d61

C:\Windows\SysWOW64\Ccngld32.exe

MD5 756ce81ab1aed5d1eeac401e9e932159
SHA1 07f5e1bf79f6ceac1ad0fff1179c71ab943da369
SHA256 857692a6a023ad7a14b04a065bc37225a5428957cc50bad5dedee0b962457a3f
SHA512 e692bc5e3c4f4ebe829966502113835373e53d27c150dda41c765794d6fcaddf307f545ced73b56d2c8afed143dd77a4d19db557ac2a58417c0d856e02510b0a

C:\Windows\SysWOW64\Dfmdho32.exe

MD5 c717955bfa77ef9c88d51adb30895423
SHA1 e792662c59237dd35f8eb4fedb1ab443a15de9e5
SHA256 b80c45a4f6b1424cb3b15d562cc6c51e8fd97c8ff15d20ae6b9a567ed6d1c9d7
SHA512 c381d6b8ec5b52dd10d39eff1cbb77ea7bf991dc4d3c3ba42602f2c802e9a5f4df6ee359555ea902dab546e49d30915d3352b1f70eeb8ae737a8053997fbe772

C:\Windows\SysWOW64\Djhphncm.exe

MD5 240b1bdb0e98cc665f9d525020c65418
SHA1 197a1bbeaabafb6a22131a2200040c04ca1b2a3a
SHA256 2a30706bff892fa1c4992d219476a6c9551eb615b7c2dfb7b71406747041247f
SHA512 d332f014cb52ef19c70282e0a53c79531c039112fc3adff1b027feaac126da290cf1df75a62a9b792e08a0bd1d5fabf40799f7f4dc0c0c8bafed1b3b589846a7

C:\Windows\SysWOW64\Dpbheh32.exe

MD5 24a78a31584b0476743b58344d80db1f
SHA1 7377ab685d901d1c948f57a1f919739c8fd51914
SHA256 926c26855bf6a02cae21c0ce563e60004d5ed0501173a59f636dbe48f5a8c202
SHA512 c7b44f94c7faab4b9dcc583599dbc45280ec89d5bec1a94c174cc21eef8dd0d5f0ae0e1b3a6c21c743376e8ed891ba20b6e9f057ec88c51a09bbf0adaab2d332

C:\Windows\SysWOW64\Dcadac32.exe

MD5 09135c0716c7496aea7d1a7b7fc665bc
SHA1 898a425094c3f35f6a3dcb23321255d270f29920
SHA256 7a40b5d1583f37481063bf0cb9fde08fea5e938f69c5717b1ae92bb2f3bf3eed
SHA512 1f75be274cb3cc6a24bea145cd97b069e35a7d319baf6c2ae09602bde0999a2619d48fe81c55a539c1d8b62c1a9197fee66d02cafd8c86de08c927213eaad19a

C:\Windows\SysWOW64\Dfoqmo32.exe

MD5 cc8714c547ca9f127a9ed9611f9066f5
SHA1 ae2b8cb546aa9995038b049d1c0debc73a6bfffd
SHA256 0c2533b2335410fe16c9237d5a0b7a11e1432db1b711423602f35dd1d101533d
SHA512 4bd8985c38a87bd63a1733004da3769b5ad58dcaaec325475969805911da6337444d18c0086a14d34dcfb6aa45426e9f8d9af50ec3a5a3ab8dd19eb47a4c69dd

C:\Windows\SysWOW64\Dhnmij32.exe

MD5 d89544137a0f995afbdb6c2aaec664d6
SHA1 bce313bec6b923982c66a87de0c7b4de9291fcdf
SHA256 0c25b83a744e98aae2558319f1bb2669af54ff101fd6e72d57c8e2404960ee04
SHA512 131159676106519bb79e255102fa5f7ba10b9808078315b2aa55c01517768aea44ac3760562dc8caa1818d98d8b75d953b54ef7ac675fdc758abfd3379b0f80c

C:\Windows\SysWOW64\Dogefd32.exe

MD5 80e6a73789313047376101af247b285c
SHA1 c7fbf5f77bf0d39ea377f4d4422d8614a874c20c
SHA256 aacf6fa26624c13425d66dcf64a56f77661d957a8e9877efee28271d8170a0f4
SHA512 5dc14ff86fdb86e961234083dece47d0f771363f5cca5f4731d851f1f4ed5c6c226af85e0c2d32d1db11ebd643f8f64bb6f684279f9abe08704f9eb7e152c742

C:\Windows\SysWOW64\Dccagcgk.exe

MD5 369722a4ab4b4f48eea35146bf340757
SHA1 f3e17549ff494f251b645750174f38ce9a855563
SHA256 4d955d30b77aa01adeddc7f6592e71bfd9de2c9006676d2eeca6f75f40e35468
SHA512 8a840a114fdf331667fffbf49c678e7129aa217903f978d0a246b615724eaa459d380f6b207d47687b131088e2275eea5d36634257501939c310c470488a6b68

C:\Windows\SysWOW64\Djmicm32.exe

MD5 5eb0b9b4c6027086b04f6cab1d60e547
SHA1 1eb0c65fcfae2dcf1f8b71df17b85978effdebfe
SHA256 55655495f3f5f79ad65670a3915aef9c227e3eaf878176ace13191f5d093bb14
SHA512 bdb4fd3caa18f626b59780cedbcb1c4c8ff65296b1e179ff71e8c39ad0971225b33bdfff6e63ec340672eb63e93f6a7a1384e93ccdc0660e1cdd7b433b670d50

C:\Windows\SysWOW64\Dlkepi32.exe

MD5 70cd9134f1040fd6ae9e4175148f5663
SHA1 ddb2791b67a52cb8a95c57ba62fc258105910eeb
SHA256 78139ff79ee21b1cd57946b9b12f99c613437071ea8bc907c5ef5d9264bfecd5
SHA512 59bb9b4ebab339071be4dd1eb9214e9dc7bf52bdbf9ea6597be4ec5d0730f5ee98b940d3ddace19cfd81e3ae0e105ecac7f73721c560b52408eaf3e1a60f7d9d

C:\Windows\SysWOW64\Dojald32.exe

MD5 582d4b4dd9bdefeab9a146d323af7f1b
SHA1 7cff64d20c3b8a432b919e823b0d4bc0647cd26a
SHA256 a6b0d4353c3a7c1ea1303c4f30003ebf587e6d26c52e2b41c40226ca7874709d
SHA512 d0e6a2b247cf2d5a6e47602350f2d03c6a24e2726cff9895d42e278b359b7b169ab42b77fdc0b20fc98b0b2c58627c77c2980258503d2e68ee30065f18ba9d5a

C:\Windows\SysWOW64\Dbhnhp32.exe

MD5 d34bbc9bb7389ada8f533c73db47637b
SHA1 0d4c547790a48adf7a16fd790627561d4c9a8671
SHA256 d9e422747c537a314b5ce16eebf704c0c39b2bd2209c226b2f26750a431e0880
SHA512 1e214bc21e655d870bde1e6f80be677d63a8cf00157acdbdc1f516480a83f281e522c211378cd8ad98f1c87f140f052cc939a97bfb902bf435b122aaa16d7167

C:\Windows\SysWOW64\Dfdjhndl.exe

MD5 bb9968b560720f70ae4a8fcd66ce079c
SHA1 0a8dc65bbfc7c764760433bac32a9684133f81d7
SHA256 26d3a767ceec409b6d4f03397ca942e6e4971a2f9b0dfb853c5158e1e008d6f5
SHA512 d74fd19d11209f82fb738a1833eb2e71b52f851d500e356071c5d552414cc581731051db27618d4a7e11a28162384e92265a7f92c57a007b1b338b156c893193

C:\Windows\SysWOW64\Dlnbeh32.exe

MD5 90f646489c7ce0352355ebace0b354e0
SHA1 c385712376622fcc038dc8a3072cfbd90c5023e1
SHA256 464743de83b636af38569250b3aa7c554c9f62c63b559ea987d930602f1ba6c9
SHA512 3ad2ac93f0fcae63a082e9cd031783c062e0b21249b3f70fb014c98a7bc31aa88c7287fb2fe198b88fa231801af6b4fcdf15b44d2884dc7a0cc60f7e9ecac96e

C:\Windows\SysWOW64\Dkqbaecc.exe

MD5 8de151b0a4ca50276d0a7e59260d6392
SHA1 e3500b1d18aa97d0785a42d43fc534ab96e6a01f
SHA256 61fc30fc3c4b0571becdc967646bcfab6c79ffc3a1f34d1cced692c7b07d38e5
SHA512 27f775d40e7531ccab998c2c82f75d23180992ea18be82789fc86a0e8fb38865638c7b662284a1fb6a1e2a60815e589e04f3e3d85f9b1092ec4122cac92d6fb0

C:\Windows\SysWOW64\Dnoomqbg.exe

MD5 ad4d75e23edcf6d93658f90cb4aefe9c
SHA1 60e78c1f6b4c82f5884ab0c0a2aeeadf5f19f3b8
SHA256 5d01b2a23ec4066223abc86307bc73bc48087202913c3d343566ff65718eaf68
SHA512 3a3cc0063d3108f3495e4fcadd308886137d51fa6654b755c824368fa776a188a7f2d000237afd7689e10dc2db51596ac03afd512afb67a3cf3fb3fb8a90ee19

C:\Windows\SysWOW64\Dfffnn32.exe

MD5 14a81ffca1eeb03863cc60e509e73c8a
SHA1 93b16a9e3a7858b1a1d080fe660805da6bd19ec0
SHA256 6917e255b6200a9568f9bfc8a5309da98ec07e5a204c84060121cc6b3c83f008
SHA512 e786e49f084907324065738af9720407c18ba25a401da6cc6fbe02b5509eb450bfade95307b155b160b30143b427a8605fefeb020810bce3e9c5d3e7c5016968

C:\Windows\SysWOW64\Dhdcji32.exe

MD5 a949ec71f98c704d303701711e8c908a
SHA1 0c377031bdc033e10918e555967d44f1bbfeaa84
SHA256 da41242edc55aae4a1edc8e069abb08593baf93cc1f516887e8d2897566a9e71
SHA512 508a514ac1b05c6bcb1bf57f4157c4ac4f57689a718d56e52fe9725c2dd4988fbcd085e2016887f9d08657bcdc3f887edea01acb214aea4a4d68896c12d38f35

C:\Windows\SysWOW64\Dookgcij.exe

MD5 52f1c37e3b1be08ffd54f480da30eb2e
SHA1 135a16fe1f11d90c5da9d73229b530f156f93ace
SHA256 a7fba3012d08fd744422f001c7e82f9fe0dbdf9f24dff708f5d7ae21d94fb76f
SHA512 e115cfc561180f26957724567fcdc572f9bacd1f0e1d64eef75b501572287f84c5705cd1fec8cac07ac1e30a5769055475413806349df6e85fa1eea56d6e8865

C:\Windows\SysWOW64\Ebmgcohn.exe

MD5 215523ac78b7500950bbac4a84694d78
SHA1 5da11b32cb1e34763726931a43af2bceb0fcc351
SHA256 b0f322ece3f9aac33dabea4c9b257c5139e7c09819bcb8b4a6c5d85165a4a6ad
SHA512 ceb97c342b0c5786c9c1281aec802034ddab6df812ed62e4c4669137c4ebf77169cb2c674b65312fbb764a3adbd705d4640f1e46610b348ca4f18e0b69aea4de

C:\Windows\SysWOW64\Eqpgol32.exe

MD5 d2af941903b5485c4faa42aa2ed4254e
SHA1 3c13d07c8fdb55f76eb45b0e1aa2ee93e00c37e6
SHA256 f8c5dd1a5d1cb64c97f49091569db21dc04ce772e7d449099fcc76f95c8f9148
SHA512 a82a8016df847f89b83adfe4c94a7e10ec8bd6426977b50d7a524fe60321ad2cdee74fac1d543f41d0b1e9c74539d359cb9b881a6c3ca1be8a8455e4eb06366c

C:\Windows\SysWOW64\Ehgppi32.exe

MD5 9ee756d792994bb18077790a10e2a559
SHA1 a410ddcfe419b7a320732f3a5d615db6c746b9de
SHA256 d7e1b76d7737455d9e3e77a14f8b633b8ec3a643324bb20fd78d231ecd21aa6a
SHA512 1f133d540c7e4bd6981227ce66e6f85e042ab3b52d4ba8fc82999689e6730c7b08fbfc6ab0594be8051a9c0a155e8f9ce3536f33ed9a20ea29d9c82ae5a3c10e

C:\Windows\SysWOW64\Egjpkffe.exe

MD5 bbf71f75a61f4ea4d92e81055f1545e6
SHA1 a39e147b8618929d14bd2dc6d7d8d5055f361ad7
SHA256 aa72fc6df10e6565ddc0c4f24ff2c4426ef4fbe8319b4ca5957b830969ff5293
SHA512 9554b63bfd2b88da680a8cafd912d830007e8bd184d8b61e7e74cca06214bc280762367dd39b69fe6b5f8192cb1849e7063f1796dc09030e01c0983d5bff4092

C:\Windows\SysWOW64\Ejhlgaeh.exe

MD5 59463029f9c4d411dec2c20281c60d38
SHA1 f3ea9838dafee30dc2d88b43725409644c32370e
SHA256 aab03f27601b63ca1af86ea78e12ebe371755d54d26df72cc5ea489f946658e5
SHA512 5e659cef97116501b6e1780f6e610d2e0148214c1bfc8c43ead693b44dfd9338e829500bc2fe2e8ef024ace69493661041e14e9fbd51aa8210ce39226a51f22e

C:\Windows\SysWOW64\Ebodiofk.exe

MD5 c9d1db9a30bea2083f54380375d8d5f8
SHA1 fcc4125c433ef60d19cd9b145623bbe3b2f57d10
SHA256 04c162831f11b4e7a7674d9b282219229c4812ad8b43bbf4b1d89fa18e1a614a
SHA512 b69e04c385d16ce9a784c16bf60d72e5b25f8f1df48718fe275f81175e9427180394453cd82186cecc44d44f89a9ca4fcac2a379f173c607394d4c3f34e9b50b

C:\Windows\SysWOW64\Ednpej32.exe

MD5 860f9d0866f393a03418f61a7dd95f6c
SHA1 bcbe678ea1d9c1f109eb0ab261a69c50c04df5a8
SHA256 bba1e4929eb2131b961035111afee261b96eb23c5495187d53bb190ff0484fe7
SHA512 2f0da04abe75bcb3bcf3ea55776f2df4cfbd5c7c6ef9c8cfec4a9d0b874fb4003e97fb1cbd79f9fae3397a04cf175519017ba44c669d2bef934f065d8c1a3919

C:\Windows\SysWOW64\Egllae32.exe

MD5 be61dfe8ffa98582259785d640d3e9fe
SHA1 59963afe0b595d48ecc7655924cdd57da8da0c8e
SHA256 3e22191d8b35faa5fa612c6f16003301332a4c8f4f6a86cea28659020ade4d47
SHA512 f84081cc1091bd3cfc94f59521a8a2bafd61b9131b1e3ec09c8c722ea14b1c9922a80bee812cb6cd61c7fdad9dc4904f8955766999c6734b2ec5175e44960f56

C:\Windows\SysWOW64\Ejkima32.exe

MD5 63a46072a834a004440eeed8ba1dc7ad
SHA1 2a81671c9044a39a6a106f997382324c5d580df4
SHA256 51e9b14d886cc49695ebc0a71b47d1d3c99dbdd22d48a1289a86df05c927613d
SHA512 b653e2c3d007aae6b5ca4d9cadd1acfc54146d395e932816cf301cbc91c950c805ba018aed885ab9b43bfd05edf1cc61d784252449caa1bb6c08c1be238b13cc

C:\Windows\SysWOW64\Enfenplo.exe

MD5 2707c237891418835f80605e7f3265c1
SHA1 379c551177d058edaa13974f8cdd844cb1b71eeb
SHA256 9ccaf212bc617bb8746fd87b2094ff7e7ef4754ff3bd1deec4bb1b526bf540dd
SHA512 d433334c416474aace66be2a4e2374dd89c0d6d942994eef5db5818ae2d227a1f0927fd56de302fafc8a8617bd177b7051a00bd29eefb920013dd57af26ba045

C:\Windows\SysWOW64\Eqdajkkb.exe

MD5 5959b7b2ea913a395da3b0602739233e
SHA1 c5fd53c07527b4cc87823d5128f8efb38f6c0782
SHA256 01f75cff7ddfcd2acc5181014637aeb3c88a617413d06023f376fc6cbaaf46c8
SHA512 12fcf261c245aa4b5f6d77087ef22904224f1f0ee141786d53bb629993e4d3bba3a822ad0599b94ee2edcf9ebd1c676063f120f2c2ba4f9c2a37a24ddbb2f8e1

C:\Windows\SysWOW64\Eccmffjf.exe

MD5 c639d80209085a13b24bc5a86cd66764
SHA1 6720f54988ca8b2a5962c06d1829487684aa4a88
SHA256 ad8cdc2742f4196efb7b9aecff4d4999d5ce80bfa42621a7757ace06058280f8
SHA512 0f0ebbb37a7c585f79fb701768c8ccf70fe0f7e79857751f2ff10133cbceea1f0e97a6c3bb12d4a500fb28325b38d8d16fe433aec3582636971d513ff056148b

C:\Windows\SysWOW64\Efaibbij.exe

MD5 345aa087ea7595bb07eae869a403a0e8
SHA1 ab77ca8fa0a1dc4964b26e472c72813aba8ea529
SHA256 69285781c896687cb779deed02e7a132229652d88abf81ed8dabd29b520cb768
SHA512 6ff9333f06b16956c2f156dd1db7b0989a19290e1cc5b33018cd7b40a7f19af47778e8e2d7dfd0598c2e6e5b1c82dc59825cc50cfb3eea29716095c9a869712f

C:\Windows\SysWOW64\Enhacojl.exe

MD5 d877fcebc7c63af050509240cff1d2b9
SHA1 17e0be92bd4be7ece36582fbb978b0175a76018a
SHA256 62296bf6df6e62aa39c22a0dc0801018a233f8b7875dd00d195d637dfb74a133
SHA512 3e8bfbe2e38aeb05a64e09782136130d4c8708dac2fa3f71fa4878c0ebd1f0a2b81dffb26fd2e42bc3cbc28d1c709eeb5e60c5e61192712f5e8997ae60addf22

C:\Windows\SysWOW64\Eqgnokip.exe

MD5 8f7a70253d7cafd0ca2e5dfec326eea5
SHA1 76248ed28182795b2f48984dae160e109874e0ba
SHA256 dc6f314bc8d529aa1f88e977f45d1ecbded06add87645fcc23a9d49c6c9fe01a
SHA512 75b423dd7783c69841585584c6dd735a9a9f2de17e3c5981e839f95a403378f75e4fcb513032a05d191e832c752b4d4486279bd44523b7792f35d1b007b8a535

C:\Windows\SysWOW64\Eojnkg32.exe

MD5 fb2df23dd50ecb58699ecd62f492c74a
SHA1 c655d41c81b22ec5e96cf8301f039f48137f1bc2
SHA256 46d555ad238f311bc581b324e698a4ca609df59c6f95b10a62687a2967e32eae
SHA512 0b89d0a5e170500cbb8c36d6005cefe817cdea5aa5c2408ee8117b3368c6505630770e36ef63eae1c00e2128836de7ca709754300cbf98cc59d83f0363426978

C:\Windows\SysWOW64\Egafleqm.exe

MD5 194ccbae110a0a75fae52a7577c7b32e
SHA1 616e54b0e754228678d7826d58bfe0849fcac2ca
SHA256 0d22a2a9823ae588a32aa91f7491c3801750b52b04b1b4a596a55b3d6d0d4a5c
SHA512 17c29295887c7fb1940736337329b1be517687db497a8cdc4421659be7298fcec80c0a45ceb8989dec6017b4ebe1893c8f83ec986ac4308bfab743ce9d53075f

C:\Windows\SysWOW64\Ejobhppq.exe

MD5 c58da2b96440396eb9c99735a00a8974
SHA1 5edf1dfa454ea9c47ab07a6a1bbd11ab99e277cf
SHA256 7f8d49e046c1decd778bb1b6ad75af4d88527f972c0d68e84bc45d32fe95f042
SHA512 2de77fbc636c355f4d210bd0ecbffe204a16f6f7ca1e86320237a2b15078dcfa4bcf8ffc603dcd7335979cad9f08e9e2652ee8bd9028821600cf36d13883d572

C:\Windows\SysWOW64\Emnndlod.exe

MD5 2a9dad6d886fe798e3617ce34d3e716f
SHA1 5a2e42e3a5a5b453052a77f42ab4fa661b87bb6f
SHA256 253eca3f7fd8377bf6fbeadae3e50670cf59837038c69b0d45fef1e90712cf59
SHA512 8415c6b5bc7f9f317f325790c288471300884bbf7c0f38ce5b87b63e482df0f77e55251b62585ad0ad63ab5faf8311c6ff1a5945858f2d070eeab68fce828337

C:\Windows\SysWOW64\Eqijej32.exe

MD5 8756195f8444ec346f4004f188b67dec
SHA1 06019817c2bc05df14c0b2a37921fb1d6952f3b0
SHA256 cf7301a1c371937829d0c730b7a4e149eba3337d590109bbe3d333efc736e987
SHA512 ff021614d0f9811b81e6b714340557f9bd58954a3b75efbe1e1252a0b80f5cbf9dfe1b600b5287294821eb71d5f94e1f61b95b1c8eff1309be6d4c75acec1ca2

C:\Windows\SysWOW64\Echfaf32.exe

MD5 c5f9a6848d49e8ab168b785c2f87d355
SHA1 a8e5cf88fa010ad235d4d97c41f105b76e5859a3
SHA256 25b64af61c71ef3b9ca8b7dd5a7150955b74ed6fd636e574bd063eac889a880c
SHA512 a4e3aa7fad1c92f8b427fcedb51d21337a66e2c1b12b97286fef9ba119458d7cd420cca0a21f8a7f7048e9796ac09827c48f96cf97f21f06643127da96a605ac

C:\Windows\SysWOW64\Effcma32.exe

MD5 cab7fc4e401d94fffe045edcf4b9b3a6
SHA1 05c999fbe477c33a4aa451fbffe1946eb21e6447
SHA256 c27a366612c6ac3855e674d36f0550ed2d460831af0d78c394fc18eaea201709
SHA512 e22775a276e35b9aea85530f08e59625421bc6436165267f3eba821c182719eb67e1039bf26f86bb1218b479d255657ffec35e42d67e00eca4456692ba750e3d

C:\Windows\SysWOW64\Fidoim32.exe

MD5 5abdeb44b888870c030329932043a04b
SHA1 b22ec1a5ec0f0c32c707f49baae486b1d4d98787
SHA256 fb7ab1c324bd7c71683a5920feaca2fe55fd54fc173d87dc00c47c8e9f972859
SHA512 13365c67127f10c128e955c60e8947fab2ee7a08c6cd45310ddb0a2737631005e6071d12c2a00db1f009546e0602fb9409ce27f06b8d49675d9f724bff922f39

C:\Windows\SysWOW64\Fkckeh32.exe

MD5 57280d6fe581598a6014fcf9e2de3fe9
SHA1 e43741716c81381611735e00b442552918192d55
SHA256 85097c42b689583cd986d218e75bb5cbd7f5308ff7b0fc65c00811ab92b2bb7d
SHA512 fbe0a4c5a8379f3d82310ed145ab81de2b98b528b48010df8581288bcf1af4796793881ad91e279aba732e9af8398d75400aa77f30b689777ebb09b81b7448b0

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-02 01:18

Reported

2024-06-02 01:20

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1af96b8fbb73ee88c199ca85e4bbfdf0_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lcgblncm.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mgghhlhq.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mglack32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gbjhlfhb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dlegeemh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dllmfd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ibagcc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kkbkamnl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ndidbn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bbhqjchp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fqaeco32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Behiln32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Elccfc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Himcoo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ncgkcl32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aldegj32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fflaff32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dljqpd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aemjpp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Djnaji32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ecbenm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ficgacna.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mcnhmm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aemjpp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Blnhni32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Behiln32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dcopbp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ebbidj32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mjqjih32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nacbfdao.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Okmfpm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Baojaoke.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kmegbjgn.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Boanecla.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cpgqpe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ccfmla32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ejlmkgkl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pijjpp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qefdpq32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ahppgjjl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eqalmafo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Himcoo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jdjfcecp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Majopeii.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mnfipekh.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pijjpp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qlpllkmc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aoqenf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aifiko32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dofpgqji.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Paendb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gpklpkio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Imihfl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qbjdiedp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fqkocpod.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ngpjnkpf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ppgobjia.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ffekegon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gmkbnp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Goiojk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dphifcoi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fcnejk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mahbje32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ophbqlea.exe N/A

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Oilmnbpg.exe N/A
N/A N/A C:\Windows\SysWOW64\Okkjjnok.exe N/A
N/A N/A C:\Windows\SysWOW64\Obdbgh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oagbbdnb.exe N/A
N/A N/A C:\Windows\SysWOW64\Okmfpm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ophbqlea.exe N/A
N/A N/A C:\Windows\SysWOW64\Obgomgee.exe N/A
N/A N/A C:\Windows\SysWOW64\Oiagia32.exe N/A
N/A N/A C:\Windows\SysWOW64\Opkoflco.exe N/A
N/A N/A C:\Windows\SysWOW64\Oalknd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Olapkmic.exe N/A
N/A N/A C:\Windows\SysWOW64\Pblhhg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pejddb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pldlqlgp.exe N/A
N/A N/A C:\Windows\SysWOW64\Pbndmf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pihmjqfj.exe N/A
N/A N/A C:\Windows\SysWOW64\Plfiflen.exe N/A
N/A N/A C:\Windows\SysWOW64\Pbpacfmj.exe N/A
N/A N/A C:\Windows\SysWOW64\Pijjpp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Plifll32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pngbhg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Paendb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Phpfqmio.exe N/A
N/A N/A C:\Windows\SysWOW64\Ppgobjia.exe N/A
N/A N/A C:\Windows\SysWOW64\Pbekne32.exe N/A
N/A N/A C:\Windows\SysWOW64\Piockppb.exe N/A
N/A N/A C:\Windows\SysWOW64\Plmogkoe.exe N/A
N/A N/A C:\Windows\SysWOW64\Qnlkcfni.exe N/A
N/A N/A C:\Windows\SysWOW64\Qefdpq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qlpllkmc.exe N/A
N/A N/A C:\Windows\SysWOW64\Qbjdiedp.exe N/A
N/A N/A C:\Windows\SysWOW64\Qehqepcc.exe N/A
N/A N/A C:\Windows\SysWOW64\Albibj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aejmkpaq.exe N/A
N/A N/A C:\Windows\SysWOW64\Aifiko32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aldegj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Appahiag.exe N/A
N/A N/A C:\Windows\SysWOW64\Aaanpa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aemjpp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahkflk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Apbnnh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aoeniefo.exe N/A
N/A N/A C:\Windows\SysWOW64\Aackeqeb.exe N/A
N/A N/A C:\Windows\SysWOW64\Aikbfnfd.exe N/A
N/A N/A C:\Windows\SysWOW64\Aogkoedl.exe N/A
N/A N/A C:\Windows\SysWOW64\Abcgoc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aeacko32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahppgjjl.exe N/A
N/A N/A C:\Windows\SysWOW64\Apggihko.exe N/A
N/A N/A C:\Windows\SysWOW64\Aahdqp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aiolam32.exe N/A
N/A N/A C:\Windows\SysWOW64\Blnhni32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bpidngil.exe N/A
N/A N/A C:\Windows\SysWOW64\Bbhqjchp.exe N/A
N/A N/A C:\Windows\SysWOW64\Befmfngc.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhdibj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bpladg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bbjmpb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Behiln32.exe N/A
N/A N/A C:\Windows\SysWOW64\Blbaihmn.exe N/A
N/A N/A C:\Windows\SysWOW64\Boanecla.exe N/A
N/A N/A C:\Windows\SysWOW64\Baojaoke.exe N/A
N/A N/A C:\Windows\SysWOW64\Blennh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bockjc32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Abcgoc32.exe C:\Windows\SysWOW64\Aogkoedl.exe N/A
File created C:\Windows\SysWOW64\Qfiapa32.dll C:\Windows\SysWOW64\Fbllkh32.exe N/A
File created C:\Windows\SysWOW64\Ldaeka32.exe C:\Windows\SysWOW64\Lnhmng32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mjqjih32.exe C:\Windows\SysWOW64\Lcgblncm.exe N/A
File created C:\Windows\SysWOW64\Mcnhmm32.exe C:\Windows\SysWOW64\Mjeddggd.exe N/A
File created C:\Windows\SysWOW64\Chjehioq.dll C:\Windows\SysWOW64\Okkjjnok.exe N/A
File opened for modification C:\Windows\SysWOW64\Ophbqlea.exe C:\Windows\SysWOW64\Okmfpm32.exe N/A
File created C:\Windows\SysWOW64\Opkoflco.exe C:\Windows\SysWOW64\Oiagia32.exe N/A
File created C:\Windows\SysWOW64\Eqalmafo.exe C:\Windows\SysWOW64\Ejgdpg32.exe N/A
File created C:\Windows\SysWOW64\Haidklda.exe C:\Windows\SysWOW64\Hibljoco.exe N/A
File created C:\Windows\SysWOW64\Gmlfmg32.dll C:\Windows\SysWOW64\Hccglh32.exe N/A
File created C:\Windows\SysWOW64\Pbpacfmj.exe C:\Windows\SysWOW64\Plfiflen.exe N/A
File created C:\Windows\SysWOW64\Aogkoedl.exe C:\Windows\SysWOW64\Aikbfnfd.exe N/A
File opened for modification C:\Windows\SysWOW64\Boegpc32.exe C:\Windows\SysWOW64\Blgkdg32.exe N/A
File created C:\Windows\SysWOW64\Coojfa32.exe C:\Windows\SysWOW64\Cefemliq.exe N/A
File created C:\Windows\SysWOW64\Lfmige32.dll C:\Windows\SysWOW64\Dagiil32.exe N/A
File created C:\Windows\SysWOW64\Mbfppi32.dll C:\Windows\SysWOW64\Fcgoilpj.exe N/A
File created C:\Windows\SysWOW64\Ffjdqg32.exe C:\Windows\SysWOW64\Fckhdk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jmpngk32.exe C:\Windows\SysWOW64\Jdhine32.exe N/A
File opened for modification C:\Windows\SysWOW64\Plmogkoe.exe C:\Windows\SysWOW64\Piockppb.exe N/A
File opened for modification C:\Windows\SysWOW64\Qehqepcc.exe C:\Windows\SysWOW64\Qbjdiedp.exe N/A
File opened for modification C:\Windows\SysWOW64\Dljqpd32.exe C:\Windows\SysWOW64\Dephckaf.exe N/A
File created C:\Windows\SysWOW64\Fllceb32.dll C:\Windows\SysWOW64\Dephckaf.exe N/A
File created C:\Windows\SysWOW64\Gagaaq32.dll C:\Windows\SysWOW64\Epmcab32.exe N/A
File created C:\Windows\SysWOW64\Ejlmkgkl.exe C:\Windows\SysWOW64\Efpajh32.exe N/A
File created C:\Windows\SysWOW64\Nilhco32.dll C:\Windows\SysWOW64\Jmbklj32.exe N/A
File created C:\Windows\SysWOW64\Lkiqbl32.exe C:\Windows\SysWOW64\Lpcmec32.exe N/A
File created C:\Windows\SysWOW64\Bdknoa32.dll C:\Windows\SysWOW64\Nqklmpdd.exe N/A
File created C:\Windows\SysWOW64\Aikbfnfd.exe C:\Windows\SysWOW64\Aackeqeb.exe N/A
File created C:\Windows\SysWOW64\Blbaihmn.exe C:\Windows\SysWOW64\Behiln32.exe N/A
File created C:\Windows\SysWOW64\Chnlihnl.exe C:\Windows\SysWOW64\Beppmmoi.exe N/A
File opened for modification C:\Windows\SysWOW64\Ecbenm32.exe C:\Windows\SysWOW64\Eofinnkf.exe N/A
File created C:\Windows\SysWOW64\Llebfo32.dll C:\Windows\SysWOW64\Fhajlc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lnhmng32.exe C:\Windows\SysWOW64\Lkiqbl32.exe N/A
File created C:\Windows\SysWOW64\Lgkhlnbn.exe C:\Windows\SysWOW64\Laopdgcg.exe N/A
File created C:\Windows\SysWOW64\Ibhblqpo.dll C:\Windows\SysWOW64\Mjqjih32.exe N/A
File opened for modification C:\Windows\SysWOW64\Obdbgh32.exe C:\Windows\SysWOW64\Okkjjnok.exe N/A
File created C:\Windows\SysWOW64\Albibj32.exe C:\Windows\SysWOW64\Qehqepcc.exe N/A
File created C:\Windows\SysWOW64\Bofjdo32.dll C:\Windows\SysWOW64\Ffbnph32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fqmlhpla.exe C:\Windows\SysWOW64\Fjcclf32.exe N/A
File created C:\Windows\SysWOW64\Lpfihl32.dll C:\Windows\SysWOW64\Idofhfmm.exe N/A
File created C:\Windows\SysWOW64\Jjpeepnb.exe C:\Windows\SysWOW64\Jbhmdbnp.exe N/A
File created C:\Windows\SysWOW64\Kqpaojmf.dll C:\Windows\SysWOW64\Aaanpa32.exe N/A
File opened for modification C:\Windows\SysWOW64\Baaggo32.exe C:\Windows\SysWOW64\Bockjc32.exe N/A
File created C:\Windows\SysWOW64\Kbnhno32.dll C:\Windows\SysWOW64\Cedihl32.exe N/A
File created C:\Windows\SysWOW64\Ebploj32.exe C:\Windows\SysWOW64\Elccfc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jbhmdbnp.exe C:\Windows\SysWOW64\Jagqlj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ejjqeg32.exe C:\Windows\SysWOW64\Ebbidj32.exe N/A
File created C:\Windows\SysWOW64\Nacbfdao.exe C:\Windows\SysWOW64\Njljefql.exe N/A
File opened for modification C:\Windows\SysWOW64\Pblhhg32.exe C:\Windows\SysWOW64\Olapkmic.exe N/A
File created C:\Windows\SysWOW64\Qehqepcc.exe C:\Windows\SysWOW64\Qbjdiedp.exe N/A
File created C:\Windows\SysWOW64\Digkijmd.exe C:\Windows\SysWOW64\Cpofpdgd.exe N/A
File opened for modification C:\Windows\SysWOW64\Dcdimopp.exe C:\Windows\SysWOW64\Dohmlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dagiil32.exe C:\Windows\SysWOW64\Dcdimopp.exe N/A
File opened for modification C:\Windows\SysWOW64\Elccfc32.exe C:\Windows\SysWOW64\Ehhgfdho.exe N/A
File created C:\Windows\SysWOW64\Ndghmo32.exe C:\Windows\SysWOW64\Nqklmpdd.exe N/A
File opened for modification C:\Windows\SysWOW64\Fjqgff32.exe C:\Windows\SysWOW64\Ffekegon.exe N/A
File created C:\Windows\SysWOW64\Fqaeco32.exe C:\Windows\SysWOW64\Fijmbb32.exe N/A
File created C:\Windows\SysWOW64\Pihmjqfj.exe C:\Windows\SysWOW64\Pbndmf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Plifll32.exe C:\Windows\SysWOW64\Pijjpp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Blennh32.exe C:\Windows\SysWOW64\Baojaoke.exe N/A
File opened for modification C:\Windows\SysWOW64\Biiohl32.exe C:\Windows\SysWOW64\Baaggo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cchiaqjm.exe C:\Windows\SysWOW64\Cpjmee32.exe N/A
File created C:\Windows\SysWOW64\Njqijj32.dll C:\Windows\SysWOW64\Dadlclim.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Nkcmohbg.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbifgkeh.dll" C:\Windows\SysWOW64\Oiagia32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dephckaf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifhmhq32.dll" C:\Windows\SysWOW64\Hjmoibog.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hibljoco.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Iiibkn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Giacca32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aoqenf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Eofinnkf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Eoifcnid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gbgkfg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njqijj32.dll" C:\Windows\SysWOW64\Dadlclim.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fomonm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pihmjqfj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjpdme32.dll" C:\Windows\SysWOW64\Hfjmgdlf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jdjfcecp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Clldogdc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnielckg.dll" C:\Windows\SysWOW64\Plfiflen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbjbq32.dll" C:\Windows\SysWOW64\Baojaoke.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lpcmec32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Maohkd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Plfiflen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aejmkpaq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocdehlgh.dll" C:\Windows\SysWOW64\Giacca32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpacnb32.dll" C:\Windows\SysWOW64\Gmoliohh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jpaghf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kmgdgjek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jokmgc32.dll" C:\Windows\SysWOW64\Gbcakg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fomonm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Higjda32.dll" C:\Windows\SysWOW64\Ppgobjia.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dcopbp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jdjfcecp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kpepcedo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Phpfqmio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nigpemda.dll" C:\Windows\SysWOW64\Chbedh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ehhgfdho.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ejlmkgkl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkageheh.dll" C:\Windows\SysWOW64\Hadkpm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll" C:\Windows\SysWOW64\Mcpebmkb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cimhckeo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbdfmi32.dll" C:\Windows\SysWOW64\Ffjdqg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jpaghf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ndghmo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ndghmo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kkbkamnl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pldlqlgp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Elccfc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fqaeco32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onkhkpho.dll" C:\Windows\SysWOW64\Icgqggce.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ophbqlea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bpidngil.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfmige32.dll" C:\Windows\SysWOW64\Dagiil32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dohmlp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gjclbc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hfljmdjc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmlgol32.dll" C:\Windows\SysWOW64\Jpaghf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lkiqbl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll" C:\Windows\SysWOW64\Lgpagm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhenep.dll" C:\Windows\SysWOW64\Bbhqjchp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pbpacfmj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aoeniefo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cpgqpe32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Eofinnkf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Njogjfoj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oijnep32.dll" C:\Windows\SysWOW64\Fbgbpihg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 772 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\1af96b8fbb73ee88c199ca85e4bbfdf0_NeikiAnalytics.exe C:\Windows\SysWOW64\Oilmnbpg.exe
PID 772 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\1af96b8fbb73ee88c199ca85e4bbfdf0_NeikiAnalytics.exe C:\Windows\SysWOW64\Oilmnbpg.exe
PID 772 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\1af96b8fbb73ee88c199ca85e4bbfdf0_NeikiAnalytics.exe C:\Windows\SysWOW64\Oilmnbpg.exe
PID 2044 wrote to memory of 3508 N/A C:\Windows\SysWOW64\Oilmnbpg.exe C:\Windows\SysWOW64\Okkjjnok.exe
PID 2044 wrote to memory of 3508 N/A C:\Windows\SysWOW64\Oilmnbpg.exe C:\Windows\SysWOW64\Okkjjnok.exe
PID 2044 wrote to memory of 3508 N/A C:\Windows\SysWOW64\Oilmnbpg.exe C:\Windows\SysWOW64\Okkjjnok.exe
PID 3508 wrote to memory of 4692 N/A C:\Windows\SysWOW64\Okkjjnok.exe C:\Windows\SysWOW64\Obdbgh32.exe
PID 3508 wrote to memory of 4692 N/A C:\Windows\SysWOW64\Okkjjnok.exe C:\Windows\SysWOW64\Obdbgh32.exe
PID 3508 wrote to memory of 4692 N/A C:\Windows\SysWOW64\Okkjjnok.exe C:\Windows\SysWOW64\Obdbgh32.exe
PID 4692 wrote to memory of 1372 N/A C:\Windows\SysWOW64\Obdbgh32.exe C:\Windows\SysWOW64\Oagbbdnb.exe
PID 4692 wrote to memory of 1372 N/A C:\Windows\SysWOW64\Obdbgh32.exe C:\Windows\SysWOW64\Oagbbdnb.exe
PID 4692 wrote to memory of 1372 N/A C:\Windows\SysWOW64\Obdbgh32.exe C:\Windows\SysWOW64\Oagbbdnb.exe
PID 1372 wrote to memory of 1160 N/A C:\Windows\SysWOW64\Oagbbdnb.exe C:\Windows\SysWOW64\Okmfpm32.exe
PID 1372 wrote to memory of 1160 N/A C:\Windows\SysWOW64\Oagbbdnb.exe C:\Windows\SysWOW64\Okmfpm32.exe
PID 1372 wrote to memory of 1160 N/A C:\Windows\SysWOW64\Oagbbdnb.exe C:\Windows\SysWOW64\Okmfpm32.exe
PID 1160 wrote to memory of 1164 N/A C:\Windows\SysWOW64\Okmfpm32.exe C:\Windows\SysWOW64\Ophbqlea.exe
PID 1160 wrote to memory of 1164 N/A C:\Windows\SysWOW64\Okmfpm32.exe C:\Windows\SysWOW64\Ophbqlea.exe
PID 1160 wrote to memory of 1164 N/A C:\Windows\SysWOW64\Okmfpm32.exe C:\Windows\SysWOW64\Ophbqlea.exe
PID 1164 wrote to memory of 2180 N/A C:\Windows\SysWOW64\Ophbqlea.exe C:\Windows\SysWOW64\Obgomgee.exe
PID 1164 wrote to memory of 2180 N/A C:\Windows\SysWOW64\Ophbqlea.exe C:\Windows\SysWOW64\Obgomgee.exe
PID 1164 wrote to memory of 2180 N/A C:\Windows\SysWOW64\Ophbqlea.exe C:\Windows\SysWOW64\Obgomgee.exe
PID 2180 wrote to memory of 4988 N/A C:\Windows\SysWOW64\Obgomgee.exe C:\Windows\SysWOW64\Oiagia32.exe
PID 2180 wrote to memory of 4988 N/A C:\Windows\SysWOW64\Obgomgee.exe C:\Windows\SysWOW64\Oiagia32.exe
PID 2180 wrote to memory of 4988 N/A C:\Windows\SysWOW64\Obgomgee.exe C:\Windows\SysWOW64\Oiagia32.exe
PID 4988 wrote to memory of 2144 N/A C:\Windows\SysWOW64\Oiagia32.exe C:\Windows\SysWOW64\Opkoflco.exe
PID 4988 wrote to memory of 2144 N/A C:\Windows\SysWOW64\Oiagia32.exe C:\Windows\SysWOW64\Opkoflco.exe
PID 4988 wrote to memory of 2144 N/A C:\Windows\SysWOW64\Oiagia32.exe C:\Windows\SysWOW64\Opkoflco.exe
PID 2144 wrote to memory of 3732 N/A C:\Windows\SysWOW64\Opkoflco.exe C:\Windows\SysWOW64\Oalknd32.exe
PID 2144 wrote to memory of 3732 N/A C:\Windows\SysWOW64\Opkoflco.exe C:\Windows\SysWOW64\Oalknd32.exe
PID 2144 wrote to memory of 3732 N/A C:\Windows\SysWOW64\Opkoflco.exe C:\Windows\SysWOW64\Oalknd32.exe
PID 3732 wrote to memory of 4788 N/A C:\Windows\SysWOW64\Oalknd32.exe C:\Windows\SysWOW64\Olapkmic.exe
PID 3732 wrote to memory of 4788 N/A C:\Windows\SysWOW64\Oalknd32.exe C:\Windows\SysWOW64\Olapkmic.exe
PID 3732 wrote to memory of 4788 N/A C:\Windows\SysWOW64\Oalknd32.exe C:\Windows\SysWOW64\Olapkmic.exe
PID 4788 wrote to memory of 2792 N/A C:\Windows\SysWOW64\Olapkmic.exe C:\Windows\SysWOW64\Pblhhg32.exe
PID 4788 wrote to memory of 2792 N/A C:\Windows\SysWOW64\Olapkmic.exe C:\Windows\SysWOW64\Pblhhg32.exe
PID 4788 wrote to memory of 2792 N/A C:\Windows\SysWOW64\Olapkmic.exe C:\Windows\SysWOW64\Pblhhg32.exe
PID 2792 wrote to memory of 4476 N/A C:\Windows\SysWOW64\Pblhhg32.exe C:\Windows\SysWOW64\Pejddb32.exe
PID 2792 wrote to memory of 4476 N/A C:\Windows\SysWOW64\Pblhhg32.exe C:\Windows\SysWOW64\Pejddb32.exe
PID 2792 wrote to memory of 4476 N/A C:\Windows\SysWOW64\Pblhhg32.exe C:\Windows\SysWOW64\Pejddb32.exe
PID 4476 wrote to memory of 4472 N/A C:\Windows\SysWOW64\Pejddb32.exe C:\Windows\SysWOW64\Pldlqlgp.exe
PID 4476 wrote to memory of 4472 N/A C:\Windows\SysWOW64\Pejddb32.exe C:\Windows\SysWOW64\Pldlqlgp.exe
PID 4476 wrote to memory of 4472 N/A C:\Windows\SysWOW64\Pejddb32.exe C:\Windows\SysWOW64\Pldlqlgp.exe
PID 4472 wrote to memory of 4436 N/A C:\Windows\SysWOW64\Pldlqlgp.exe C:\Windows\SysWOW64\Pbndmf32.exe
PID 4472 wrote to memory of 4436 N/A C:\Windows\SysWOW64\Pldlqlgp.exe C:\Windows\SysWOW64\Pbndmf32.exe
PID 4472 wrote to memory of 4436 N/A C:\Windows\SysWOW64\Pldlqlgp.exe C:\Windows\SysWOW64\Pbndmf32.exe
PID 4436 wrote to memory of 4820 N/A C:\Windows\SysWOW64\Pbndmf32.exe C:\Windows\SysWOW64\Pihmjqfj.exe
PID 4436 wrote to memory of 4820 N/A C:\Windows\SysWOW64\Pbndmf32.exe C:\Windows\SysWOW64\Pihmjqfj.exe
PID 4436 wrote to memory of 4820 N/A C:\Windows\SysWOW64\Pbndmf32.exe C:\Windows\SysWOW64\Pihmjqfj.exe
PID 4820 wrote to memory of 32 N/A C:\Windows\SysWOW64\Pihmjqfj.exe C:\Windows\SysWOW64\Plfiflen.exe
PID 4820 wrote to memory of 32 N/A C:\Windows\SysWOW64\Pihmjqfj.exe C:\Windows\SysWOW64\Plfiflen.exe
PID 4820 wrote to memory of 32 N/A C:\Windows\SysWOW64\Pihmjqfj.exe C:\Windows\SysWOW64\Plfiflen.exe
PID 32 wrote to memory of 1388 N/A C:\Windows\SysWOW64\Plfiflen.exe C:\Windows\SysWOW64\Pbpacfmj.exe
PID 32 wrote to memory of 1388 N/A C:\Windows\SysWOW64\Plfiflen.exe C:\Windows\SysWOW64\Pbpacfmj.exe
PID 32 wrote to memory of 1388 N/A C:\Windows\SysWOW64\Plfiflen.exe C:\Windows\SysWOW64\Pbpacfmj.exe
PID 1388 wrote to memory of 1248 N/A C:\Windows\SysWOW64\Pbpacfmj.exe C:\Windows\SysWOW64\Pijjpp32.exe
PID 1388 wrote to memory of 1248 N/A C:\Windows\SysWOW64\Pbpacfmj.exe C:\Windows\SysWOW64\Pijjpp32.exe
PID 1388 wrote to memory of 1248 N/A C:\Windows\SysWOW64\Pbpacfmj.exe C:\Windows\SysWOW64\Pijjpp32.exe
PID 1248 wrote to memory of 2820 N/A C:\Windows\SysWOW64\Pijjpp32.exe C:\Windows\SysWOW64\Plifll32.exe
PID 1248 wrote to memory of 2820 N/A C:\Windows\SysWOW64\Pijjpp32.exe C:\Windows\SysWOW64\Plifll32.exe
PID 1248 wrote to memory of 2820 N/A C:\Windows\SysWOW64\Pijjpp32.exe C:\Windows\SysWOW64\Plifll32.exe
PID 2820 wrote to memory of 4768 N/A C:\Windows\SysWOW64\Plifll32.exe C:\Windows\SysWOW64\Pngbhg32.exe
PID 2820 wrote to memory of 4768 N/A C:\Windows\SysWOW64\Plifll32.exe C:\Windows\SysWOW64\Pngbhg32.exe
PID 2820 wrote to memory of 4768 N/A C:\Windows\SysWOW64\Plifll32.exe C:\Windows\SysWOW64\Pngbhg32.exe
PID 4768 wrote to memory of 4012 N/A C:\Windows\SysWOW64\Pngbhg32.exe C:\Windows\SysWOW64\Paendb32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1af96b8fbb73ee88c199ca85e4bbfdf0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\1af96b8fbb73ee88c199ca85e4bbfdf0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Oilmnbpg.exe

C:\Windows\system32\Oilmnbpg.exe

C:\Windows\SysWOW64\Okkjjnok.exe

C:\Windows\system32\Okkjjnok.exe

C:\Windows\SysWOW64\Obdbgh32.exe

C:\Windows\system32\Obdbgh32.exe

C:\Windows\SysWOW64\Oagbbdnb.exe

C:\Windows\system32\Oagbbdnb.exe

C:\Windows\SysWOW64\Okmfpm32.exe

C:\Windows\system32\Okmfpm32.exe

C:\Windows\SysWOW64\Ophbqlea.exe

C:\Windows\system32\Ophbqlea.exe

C:\Windows\SysWOW64\Obgomgee.exe

C:\Windows\system32\Obgomgee.exe

C:\Windows\SysWOW64\Oiagia32.exe

C:\Windows\system32\Oiagia32.exe

C:\Windows\SysWOW64\Opkoflco.exe

C:\Windows\system32\Opkoflco.exe

C:\Windows\SysWOW64\Oalknd32.exe

C:\Windows\system32\Oalknd32.exe

C:\Windows\SysWOW64\Olapkmic.exe

C:\Windows\system32\Olapkmic.exe

C:\Windows\SysWOW64\Pblhhg32.exe

C:\Windows\system32\Pblhhg32.exe

C:\Windows\SysWOW64\Pejddb32.exe

C:\Windows\system32\Pejddb32.exe

C:\Windows\SysWOW64\Pldlqlgp.exe

C:\Windows\system32\Pldlqlgp.exe

C:\Windows\SysWOW64\Pbndmf32.exe

C:\Windows\system32\Pbndmf32.exe

C:\Windows\SysWOW64\Pihmjqfj.exe

C:\Windows\system32\Pihmjqfj.exe

C:\Windows\SysWOW64\Plfiflen.exe

C:\Windows\system32\Plfiflen.exe

C:\Windows\SysWOW64\Pbpacfmj.exe

C:\Windows\system32\Pbpacfmj.exe

C:\Windows\SysWOW64\Pijjpp32.exe

C:\Windows\system32\Pijjpp32.exe

C:\Windows\SysWOW64\Plifll32.exe

C:\Windows\system32\Plifll32.exe

C:\Windows\SysWOW64\Pngbhg32.exe

C:\Windows\system32\Pngbhg32.exe

C:\Windows\SysWOW64\Paendb32.exe

C:\Windows\system32\Paendb32.exe

C:\Windows\SysWOW64\Phpfqmio.exe

C:\Windows\system32\Phpfqmio.exe

C:\Windows\SysWOW64\Ppgobjia.exe

C:\Windows\system32\Ppgobjia.exe

C:\Windows\SysWOW64\Pbekne32.exe

C:\Windows\system32\Pbekne32.exe

C:\Windows\SysWOW64\Piockppb.exe

C:\Windows\system32\Piockppb.exe

C:\Windows\SysWOW64\Plmogkoe.exe

C:\Windows\system32\Plmogkoe.exe

C:\Windows\SysWOW64\Qnlkcfni.exe

C:\Windows\system32\Qnlkcfni.exe

C:\Windows\SysWOW64\Qefdpq32.exe

C:\Windows\system32\Qefdpq32.exe

C:\Windows\SysWOW64\Qlpllkmc.exe

C:\Windows\system32\Qlpllkmc.exe

C:\Windows\SysWOW64\Qbjdiedp.exe

C:\Windows\system32\Qbjdiedp.exe

C:\Windows\SysWOW64\Qehqepcc.exe

C:\Windows\system32\Qehqepcc.exe

C:\Windows\SysWOW64\Albibj32.exe

C:\Windows\system32\Albibj32.exe

C:\Windows\SysWOW64\Aoqenf32.exe

C:\Windows\system32\Aoqenf32.exe

C:\Windows\SysWOW64\Aejmkpaq.exe

C:\Windows\system32\Aejmkpaq.exe

C:\Windows\SysWOW64\Aifiko32.exe

C:\Windows\system32\Aifiko32.exe

C:\Windows\SysWOW64\Aldegj32.exe

C:\Windows\system32\Aldegj32.exe

C:\Windows\SysWOW64\Appahiag.exe

C:\Windows\system32\Appahiag.exe

C:\Windows\SysWOW64\Aaanpa32.exe

C:\Windows\system32\Aaanpa32.exe

C:\Windows\SysWOW64\Aemjpp32.exe

C:\Windows\system32\Aemjpp32.exe

C:\Windows\SysWOW64\Ahkflk32.exe

C:\Windows\system32\Ahkflk32.exe

C:\Windows\SysWOW64\Apbnnh32.exe

C:\Windows\system32\Apbnnh32.exe

C:\Windows\SysWOW64\Aoeniefo.exe

C:\Windows\system32\Aoeniefo.exe

C:\Windows\SysWOW64\Aackeqeb.exe

C:\Windows\system32\Aackeqeb.exe

C:\Windows\SysWOW64\Aikbfnfd.exe

C:\Windows\system32\Aikbfnfd.exe

C:\Windows\SysWOW64\Aogkoedl.exe

C:\Windows\system32\Aogkoedl.exe

C:\Windows\SysWOW64\Abcgoc32.exe

C:\Windows\system32\Abcgoc32.exe

C:\Windows\SysWOW64\Aeacko32.exe

C:\Windows\system32\Aeacko32.exe

C:\Windows\SysWOW64\Ahppgjjl.exe

C:\Windows\system32\Ahppgjjl.exe

C:\Windows\SysWOW64\Apggihko.exe

C:\Windows\system32\Apggihko.exe

C:\Windows\SysWOW64\Aahdqp32.exe

C:\Windows\system32\Aahdqp32.exe

C:\Windows\SysWOW64\Aiolam32.exe

C:\Windows\system32\Aiolam32.exe

C:\Windows\SysWOW64\Blnhni32.exe

C:\Windows\system32\Blnhni32.exe

C:\Windows\SysWOW64\Bpidngil.exe

C:\Windows\system32\Bpidngil.exe

C:\Windows\SysWOW64\Bbhqjchp.exe

C:\Windows\system32\Bbhqjchp.exe

C:\Windows\SysWOW64\Befmfngc.exe

C:\Windows\system32\Befmfngc.exe

C:\Windows\SysWOW64\Bhdibj32.exe

C:\Windows\system32\Bhdibj32.exe

C:\Windows\SysWOW64\Bpladg32.exe

C:\Windows\system32\Bpladg32.exe

C:\Windows\SysWOW64\Bbjmpb32.exe

C:\Windows\system32\Bbjmpb32.exe

C:\Windows\SysWOW64\Behiln32.exe

C:\Windows\system32\Behiln32.exe

C:\Windows\SysWOW64\Blbaihmn.exe

C:\Windows\system32\Blbaihmn.exe

C:\Windows\SysWOW64\Boanecla.exe

C:\Windows\system32\Boanecla.exe

C:\Windows\SysWOW64\Baojaoke.exe

C:\Windows\system32\Baojaoke.exe

C:\Windows\SysWOW64\Blennh32.exe

C:\Windows\system32\Blennh32.exe

C:\Windows\SysWOW64\Bockjc32.exe

C:\Windows\system32\Bockjc32.exe

C:\Windows\SysWOW64\Baaggo32.exe

C:\Windows\system32\Baaggo32.exe

C:\Windows\SysWOW64\Biiohl32.exe

C:\Windows\system32\Biiohl32.exe

C:\Windows\SysWOW64\Blgkdg32.exe

C:\Windows\system32\Blgkdg32.exe

C:\Windows\SysWOW64\Boegpc32.exe

C:\Windows\system32\Boegpc32.exe

C:\Windows\SysWOW64\Beppmmoi.exe

C:\Windows\system32\Beppmmoi.exe

C:\Windows\SysWOW64\Chnlihnl.exe

C:\Windows\system32\Chnlihnl.exe

C:\Windows\SysWOW64\Cpedjf32.exe

C:\Windows\system32\Cpedjf32.exe

C:\Windows\SysWOW64\Cafpanem.exe

C:\Windows\system32\Cafpanem.exe

C:\Windows\SysWOW64\Cimhckeo.exe

C:\Windows\system32\Cimhckeo.exe

C:\Windows\SysWOW64\Clldogdc.exe

C:\Windows\system32\Clldogdc.exe

C:\Windows\SysWOW64\Cpgqpe32.exe

C:\Windows\system32\Cpgqpe32.exe

C:\Windows\SysWOW64\Ccfmla32.exe

C:\Windows\system32\Ccfmla32.exe

C:\Windows\SysWOW64\Cedihl32.exe

C:\Windows\system32\Cedihl32.exe

C:\Windows\SysWOW64\Chbedh32.exe

C:\Windows\system32\Chbedh32.exe

C:\Windows\SysWOW64\Cpjmee32.exe

C:\Windows\system32\Cpjmee32.exe

C:\Windows\SysWOW64\Cchiaqjm.exe

C:\Windows\system32\Cchiaqjm.exe

C:\Windows\SysWOW64\Cefemliq.exe

C:\Windows\system32\Cefemliq.exe

C:\Windows\SysWOW64\Coojfa32.exe

C:\Windows\system32\Coojfa32.exe

C:\Windows\SysWOW64\Camfbm32.exe

C:\Windows\system32\Camfbm32.exe

C:\Windows\SysWOW64\Ceibclgn.exe

C:\Windows\system32\Ceibclgn.exe

C:\Windows\SysWOW64\Cpofpdgd.exe

C:\Windows\system32\Cpofpdgd.exe

C:\Windows\SysWOW64\Digkijmd.exe

C:\Windows\system32\Digkijmd.exe

C:\Windows\SysWOW64\Dlegeemh.exe

C:\Windows\system32\Dlegeemh.exe

C:\Windows\SysWOW64\Dcopbp32.exe

C:\Windows\system32\Dcopbp32.exe

C:\Windows\SysWOW64\Diihojkb.exe

C:\Windows\system32\Diihojkb.exe

C:\Windows\SysWOW64\Dlgdkeje.exe

C:\Windows\system32\Dlgdkeje.exe

C:\Windows\SysWOW64\Dofpgqji.exe

C:\Windows\system32\Dofpgqji.exe

C:\Windows\SysWOW64\Dadlclim.exe

C:\Windows\system32\Dadlclim.exe

C:\Windows\SysWOW64\Dephckaf.exe

C:\Windows\system32\Dephckaf.exe

C:\Windows\SysWOW64\Dljqpd32.exe

C:\Windows\system32\Dljqpd32.exe

C:\Windows\SysWOW64\Dohmlp32.exe

C:\Windows\system32\Dohmlp32.exe

C:\Windows\SysWOW64\Dcdimopp.exe

C:\Windows\system32\Dcdimopp.exe

C:\Windows\SysWOW64\Dagiil32.exe

C:\Windows\system32\Dagiil32.exe

C:\Windows\SysWOW64\Djnaji32.exe

C:\Windows\system32\Djnaji32.exe

C:\Windows\SysWOW64\Dllmfd32.exe

C:\Windows\system32\Dllmfd32.exe

C:\Windows\SysWOW64\Dphifcoi.exe

C:\Windows\system32\Dphifcoi.exe

C:\Windows\SysWOW64\Dcfebonm.exe

C:\Windows\system32\Dcfebonm.exe

C:\Windows\SysWOW64\Daifnk32.exe

C:\Windows\system32\Daifnk32.exe

C:\Windows\SysWOW64\Djpnohej.exe

C:\Windows\system32\Djpnohej.exe

C:\Windows\SysWOW64\Dlojkddn.exe

C:\Windows\system32\Dlojkddn.exe

C:\Windows\SysWOW64\Dpjflb32.exe

C:\Windows\system32\Dpjflb32.exe

C:\Windows\SysWOW64\Dchbhn32.exe

C:\Windows\system32\Dchbhn32.exe

C:\Windows\SysWOW64\Dakbckbe.exe

C:\Windows\system32\Dakbckbe.exe

C:\Windows\SysWOW64\Ejbkehcg.exe

C:\Windows\system32\Ejbkehcg.exe

C:\Windows\SysWOW64\Elagacbk.exe

C:\Windows\system32\Elagacbk.exe

C:\Windows\SysWOW64\Epmcab32.exe

C:\Windows\system32\Epmcab32.exe

C:\Windows\SysWOW64\Ehhgfdho.exe

C:\Windows\system32\Ehhgfdho.exe

C:\Windows\SysWOW64\Elccfc32.exe

C:\Windows\system32\Elccfc32.exe

C:\Windows\SysWOW64\Ebploj32.exe

C:\Windows\system32\Ebploj32.exe

C:\Windows\SysWOW64\Ejgdpg32.exe

C:\Windows\system32\Ejgdpg32.exe

C:\Windows\SysWOW64\Eqalmafo.exe

C:\Windows\system32\Eqalmafo.exe

C:\Windows\SysWOW64\Ebbidj32.exe

C:\Windows\system32\Ebbidj32.exe

C:\Windows\SysWOW64\Ejjqeg32.exe

C:\Windows\system32\Ejjqeg32.exe

C:\Windows\SysWOW64\Elhmablc.exe

C:\Windows\system32\Elhmablc.exe

C:\Windows\SysWOW64\Eofinnkf.exe

C:\Windows\system32\Eofinnkf.exe

C:\Windows\SysWOW64\Ecbenm32.exe

C:\Windows\system32\Ecbenm32.exe

C:\Windows\SysWOW64\Efpajh32.exe

C:\Windows\system32\Efpajh32.exe

C:\Windows\SysWOW64\Ejlmkgkl.exe

C:\Windows\system32\Ejlmkgkl.exe

C:\Windows\SysWOW64\Emjjgbjp.exe

C:\Windows\system32\Emjjgbjp.exe

C:\Windows\SysWOW64\Eoifcnid.exe

C:\Windows\system32\Eoifcnid.exe

C:\Windows\SysWOW64\Fbgbpihg.exe

C:\Windows\system32\Fbgbpihg.exe

C:\Windows\SysWOW64\Ffbnph32.exe

C:\Windows\system32\Ffbnph32.exe

C:\Windows\SysWOW64\Fhajlc32.exe

C:\Windows\system32\Fhajlc32.exe

C:\Windows\SysWOW64\Fqhbmqqg.exe

C:\Windows\system32\Fqhbmqqg.exe

C:\Windows\SysWOW64\Fcgoilpj.exe

C:\Windows\system32\Fcgoilpj.exe

C:\Windows\SysWOW64\Ffekegon.exe

C:\Windows\system32\Ffekegon.exe

C:\Windows\SysWOW64\Fjqgff32.exe

C:\Windows\system32\Fjqgff32.exe

C:\Windows\SysWOW64\Ficgacna.exe

C:\Windows\system32\Ficgacna.exe

C:\Windows\SysWOW64\Fqkocpod.exe

C:\Windows\system32\Fqkocpod.exe

C:\Windows\SysWOW64\Fomonm32.exe

C:\Windows\system32\Fomonm32.exe

C:\Windows\SysWOW64\Fbllkh32.exe

C:\Windows\system32\Fbllkh32.exe

C:\Windows\SysWOW64\Fjcclf32.exe

C:\Windows\system32\Fjcclf32.exe

C:\Windows\SysWOW64\Fqmlhpla.exe

C:\Windows\system32\Fqmlhpla.exe

C:\Windows\SysWOW64\Fckhdk32.exe

C:\Windows\system32\Fckhdk32.exe

C:\Windows\SysWOW64\Ffjdqg32.exe

C:\Windows\system32\Ffjdqg32.exe

C:\Windows\SysWOW64\Fihqmb32.exe

C:\Windows\system32\Fihqmb32.exe

C:\Windows\SysWOW64\Fqohnp32.exe

C:\Windows\system32\Fqohnp32.exe

C:\Windows\SysWOW64\Fcnejk32.exe

C:\Windows\system32\Fcnejk32.exe

C:\Windows\SysWOW64\Fflaff32.exe

C:\Windows\system32\Fflaff32.exe

C:\Windows\SysWOW64\Fijmbb32.exe

C:\Windows\system32\Fijmbb32.exe

C:\Windows\SysWOW64\Fqaeco32.exe

C:\Windows\system32\Fqaeco32.exe

C:\Windows\SysWOW64\Gbcakg32.exe

C:\Windows\system32\Gbcakg32.exe

C:\Windows\SysWOW64\Gcbnejem.exe

C:\Windows\system32\Gcbnejem.exe

C:\Windows\SysWOW64\Gfqjafdq.exe

C:\Windows\system32\Gfqjafdq.exe

C:\Windows\SysWOW64\Gmkbnp32.exe

C:\Windows\system32\Gmkbnp32.exe

C:\Windows\SysWOW64\Goiojk32.exe

C:\Windows\system32\Goiojk32.exe

C:\Windows\SysWOW64\Gbgkfg32.exe

C:\Windows\system32\Gbgkfg32.exe

C:\Windows\SysWOW64\Giacca32.exe

C:\Windows\system32\Giacca32.exe

C:\Windows\SysWOW64\Gpklpkio.exe

C:\Windows\system32\Gpklpkio.exe

C:\Windows\SysWOW64\Gbjhlfhb.exe

C:\Windows\system32\Gbjhlfhb.exe

C:\Windows\SysWOW64\Gjapmdid.exe

C:\Windows\system32\Gjapmdid.exe

C:\Windows\SysWOW64\Gmoliohh.exe

C:\Windows\system32\Gmoliohh.exe

C:\Windows\SysWOW64\Gpnhekgl.exe

C:\Windows\system32\Gpnhekgl.exe

C:\Windows\SysWOW64\Gbldaffp.exe

C:\Windows\system32\Gbldaffp.exe

C:\Windows\SysWOW64\Gjclbc32.exe

C:\Windows\system32\Gjclbc32.exe

C:\Windows\SysWOW64\Gameonno.exe

C:\Windows\system32\Gameonno.exe

C:\Windows\SysWOW64\Hfjmgdlf.exe

C:\Windows\system32\Hfjmgdlf.exe

C:\Windows\SysWOW64\Hmdedo32.exe

C:\Windows\system32\Hmdedo32.exe

C:\Windows\SysWOW64\Hcnnaikp.exe

C:\Windows\system32\Hcnnaikp.exe

C:\Windows\SysWOW64\Hfljmdjc.exe

C:\Windows\system32\Hfljmdjc.exe

C:\Windows\SysWOW64\Hcqjfh32.exe

C:\Windows\system32\Hcqjfh32.exe

C:\Windows\SysWOW64\Hbckbepg.exe

C:\Windows\system32\Hbckbepg.exe

C:\Windows\SysWOW64\Himcoo32.exe

C:\Windows\system32\Himcoo32.exe

C:\Windows\SysWOW64\Hadkpm32.exe

C:\Windows\system32\Hadkpm32.exe

C:\Windows\SysWOW64\Hccglh32.exe

C:\Windows\system32\Hccglh32.exe

C:\Windows\SysWOW64\Hjmoibog.exe

C:\Windows\system32\Hjmoibog.exe

C:\Windows\SysWOW64\Hippdo32.exe

C:\Windows\system32\Hippdo32.exe

C:\Windows\SysWOW64\Hmklen32.exe

C:\Windows\system32\Hmklen32.exe

C:\Windows\SysWOW64\Hpihai32.exe

C:\Windows\system32\Hpihai32.exe

C:\Windows\SysWOW64\Hbhdmd32.exe

C:\Windows\system32\Hbhdmd32.exe

C:\Windows\SysWOW64\Hibljoco.exe

C:\Windows\system32\Hibljoco.exe

C:\Windows\SysWOW64\Haidklda.exe

C:\Windows\system32\Haidklda.exe

C:\Windows\SysWOW64\Icgqggce.exe

C:\Windows\system32\Icgqggce.exe

C:\Windows\SysWOW64\Iffmccbi.exe

C:\Windows\system32\Iffmccbi.exe

C:\Windows\SysWOW64\Iakaql32.exe

C:\Windows\system32\Iakaql32.exe

C:\Windows\SysWOW64\Iiffen32.exe

C:\Windows\system32\Iiffen32.exe

C:\Windows\SysWOW64\Iannfk32.exe

C:\Windows\system32\Iannfk32.exe

C:\Windows\SysWOW64\Ibojncfj.exe

C:\Windows\system32\Ibojncfj.exe

C:\Windows\SysWOW64\Iiibkn32.exe

C:\Windows\system32\Iiibkn32.exe

C:\Windows\SysWOW64\Idofhfmm.exe

C:\Windows\system32\Idofhfmm.exe

C:\Windows\SysWOW64\Ibagcc32.exe

C:\Windows\system32\Ibagcc32.exe

C:\Windows\SysWOW64\Idacmfkj.exe

C:\Windows\system32\Idacmfkj.exe

C:\Windows\SysWOW64\Imihfl32.exe

C:\Windows\system32\Imihfl32.exe

C:\Windows\SysWOW64\Jpgdbg32.exe

C:\Windows\system32\Jpgdbg32.exe

C:\Windows\SysWOW64\Jagqlj32.exe

C:\Windows\system32\Jagqlj32.exe

C:\Windows\SysWOW64\Jbhmdbnp.exe

C:\Windows\system32\Jbhmdbnp.exe

C:\Windows\SysWOW64\Jjpeepnb.exe

C:\Windows\system32\Jjpeepnb.exe

C:\Windows\SysWOW64\Jdhine32.exe

C:\Windows\system32\Jdhine32.exe

C:\Windows\SysWOW64\Jmpngk32.exe

C:\Windows\system32\Jmpngk32.exe

C:\Windows\SysWOW64\Jdjfcecp.exe

C:\Windows\system32\Jdjfcecp.exe

C:\Windows\SysWOW64\Jkdnpo32.exe

C:\Windows\system32\Jkdnpo32.exe

C:\Windows\SysWOW64\Jmbklj32.exe

C:\Windows\system32\Jmbklj32.exe

C:\Windows\SysWOW64\Jpaghf32.exe

C:\Windows\system32\Jpaghf32.exe

C:\Windows\SysWOW64\Jbocea32.exe

C:\Windows\system32\Jbocea32.exe

C:\Windows\SysWOW64\Jkfkfohj.exe

C:\Windows\system32\Jkfkfohj.exe

C:\Windows\SysWOW64\Kmegbjgn.exe

C:\Windows\system32\Kmegbjgn.exe

C:\Windows\SysWOW64\Kkihknfg.exe

C:\Windows\system32\Kkihknfg.exe

C:\Windows\SysWOW64\Kmgdgjek.exe

C:\Windows\system32\Kmgdgjek.exe

C:\Windows\SysWOW64\Kpepcedo.exe

C:\Windows\system32\Kpepcedo.exe

C:\Windows\SysWOW64\Kbdmpqcb.exe

C:\Windows\system32\Kbdmpqcb.exe

C:\Windows\SysWOW64\Kmjqmi32.exe

C:\Windows\system32\Kmjqmi32.exe

C:\Windows\SysWOW64\Kaemnhla.exe

C:\Windows\system32\Kaemnhla.exe

C:\Windows\SysWOW64\Kbfiep32.exe

C:\Windows\system32\Kbfiep32.exe

C:\Windows\SysWOW64\Kmlnbi32.exe

C:\Windows\system32\Kmlnbi32.exe

C:\Windows\SysWOW64\Kdffocib.exe

C:\Windows\system32\Kdffocib.exe

C:\Windows\SysWOW64\Kibnhjgj.exe

C:\Windows\system32\Kibnhjgj.exe

C:\Windows\SysWOW64\Kdhbec32.exe

C:\Windows\system32\Kdhbec32.exe

C:\Windows\SysWOW64\Kkbkamnl.exe

C:\Windows\system32\Kkbkamnl.exe

C:\Windows\SysWOW64\Lgikfn32.exe

C:\Windows\system32\Lgikfn32.exe

C:\Windows\SysWOW64\Liggbi32.exe

C:\Windows\system32\Liggbi32.exe

C:\Windows\SysWOW64\Laopdgcg.exe

C:\Windows\system32\Laopdgcg.exe

C:\Windows\SysWOW64\Lgkhlnbn.exe

C:\Windows\system32\Lgkhlnbn.exe

C:\Windows\SysWOW64\Lpcmec32.exe

C:\Windows\system32\Lpcmec32.exe

C:\Windows\SysWOW64\Lkiqbl32.exe

C:\Windows\system32\Lkiqbl32.exe

C:\Windows\SysWOW64\Lnhmng32.exe

C:\Windows\system32\Lnhmng32.exe

C:\Windows\SysWOW64\Ldaeka32.exe

C:\Windows\system32\Ldaeka32.exe

C:\Windows\SysWOW64\Lgpagm32.exe

C:\Windows\system32\Lgpagm32.exe

C:\Windows\SysWOW64\Laefdf32.exe

C:\Windows\system32\Laefdf32.exe

C:\Windows\SysWOW64\Lcgblncm.exe

C:\Windows\system32\Lcgblncm.exe

C:\Windows\SysWOW64\Mjqjih32.exe

C:\Windows\system32\Mjqjih32.exe

C:\Windows\SysWOW64\Mahbje32.exe

C:\Windows\system32\Mahbje32.exe

C:\Windows\SysWOW64\Mciobn32.exe

C:\Windows\system32\Mciobn32.exe

C:\Windows\SysWOW64\Mkpgck32.exe

C:\Windows\system32\Mkpgck32.exe

C:\Windows\SysWOW64\Majopeii.exe

C:\Windows\system32\Majopeii.exe

C:\Windows\SysWOW64\Mcklgm32.exe

C:\Windows\system32\Mcklgm32.exe

C:\Windows\SysWOW64\Mgghhlhq.exe

C:\Windows\system32\Mgghhlhq.exe

C:\Windows\SysWOW64\Mjeddggd.exe

C:\Windows\system32\Mjeddggd.exe

C:\Windows\SysWOW64\Mcnhmm32.exe

C:\Windows\system32\Mcnhmm32.exe

C:\Windows\SysWOW64\Mjhqjg32.exe

C:\Windows\system32\Mjhqjg32.exe

C:\Windows\SysWOW64\Maohkd32.exe

C:\Windows\system32\Maohkd32.exe

C:\Windows\SysWOW64\Mcpebmkb.exe

C:\Windows\system32\Mcpebmkb.exe

C:\Windows\SysWOW64\Mglack32.exe

C:\Windows\system32\Mglack32.exe

C:\Windows\SysWOW64\Mnfipekh.exe

C:\Windows\system32\Mnfipekh.exe

C:\Windows\SysWOW64\Maaepd32.exe

C:\Windows\system32\Maaepd32.exe

C:\Windows\SysWOW64\Mdpalp32.exe

C:\Windows\system32\Mdpalp32.exe

C:\Windows\SysWOW64\Njljefql.exe

C:\Windows\system32\Njljefql.exe

C:\Windows\SysWOW64\Nacbfdao.exe

C:\Windows\system32\Nacbfdao.exe

C:\Windows\SysWOW64\Nqfbaq32.exe

C:\Windows\system32\Nqfbaq32.exe

C:\Windows\SysWOW64\Ngpjnkpf.exe

C:\Windows\system32\Ngpjnkpf.exe

C:\Windows\SysWOW64\Njogjfoj.exe

C:\Windows\system32\Njogjfoj.exe

C:\Windows\SysWOW64\Nafokcol.exe

C:\Windows\system32\Nafokcol.exe

C:\Windows\SysWOW64\Ncgkcl32.exe

C:\Windows\system32\Ncgkcl32.exe

C:\Windows\SysWOW64\Ngcgcjnc.exe

C:\Windows\system32\Ngcgcjnc.exe

C:\Windows\SysWOW64\Nnmopdep.exe

C:\Windows\system32\Nnmopdep.exe

C:\Windows\SysWOW64\Nqklmpdd.exe

C:\Windows\system32\Nqklmpdd.exe

C:\Windows\SysWOW64\Ndghmo32.exe

C:\Windows\system32\Ndghmo32.exe

C:\Windows\SysWOW64\Ngedij32.exe

C:\Windows\system32\Ngedij32.exe

C:\Windows\SysWOW64\Nnolfdcn.exe

C:\Windows\system32\Nnolfdcn.exe

C:\Windows\SysWOW64\Nqmhbpba.exe

C:\Windows\system32\Nqmhbpba.exe

C:\Windows\SysWOW64\Ndidbn32.exe

C:\Windows\system32\Ndidbn32.exe

C:\Windows\SysWOW64\Nkcmohbg.exe

C:\Windows\system32\Nkcmohbg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 8180 -ip 8180

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 8180 -s 408

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp

Files

memory/772-0-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Oilmnbpg.exe

MD5 13bb9d7947445faae2619531928bfbaf
SHA1 2206c92f26516e9927bb7ab183e6fa8b8e98bfba
SHA256 99cdcaa0d78046d63a7d64b24acd4aab6944985b35e094150546b6de66aadfc8
SHA512 81c3245e4a979806ed168349ae365498af2d77b0d9949d8452133ba865f261fb9f66ebbb807f34e332c49e41d81a67b137fcf94cb6d0ee149aacb34b5a50f291

memory/2044-7-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Okkjjnok.exe

MD5 d70f89a9bb4dbb916df9192278ac8c97
SHA1 72e3d3b8e668171bb866eddcd0e701b067314dd4
SHA256 f0cf14e9732acbf3f6a85d3f1c6522d491f1e77f362f016635bbd236086c754e
SHA512 7fa816cac9fa8db1004120f373ef36262abe51ce9378619da914434ed9a7574a3828681a956846fe3a8a72eca718303fb50fdd7917a09f061dd7655abee8f90d

memory/3508-20-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Obdbgh32.exe

MD5 4a5f5cd71a93c033c8c6a1e3529cb5ee
SHA1 2626a53b5429b16798fcfd066bc06292f88aa0e5
SHA256 33dba4d07fbe741c172e11a5bddf1f41e5ae96bb8025c3bff97c3eeeb28bfc36
SHA512 684aa06925fb1e24f835dd2fd73367dd6c5f84e8717f0b33b50a3e6921ed1e5cd2bcca1fa98eb466169d03768ed8cfe1eaf9bbd7d670510f7063fa68ad462c0e

memory/4692-28-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1372-31-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Oagbbdnb.exe

MD5 089633d95d55e2e191f2eac3046b1943
SHA1 1f8cf453e7783c427ae690122ef0779b0dbd10c3
SHA256 76aeeaddd74b8a5bea868dbdcba6cf2cd24c7885d044a1260d1acf24bcd8b5f4
SHA512 9bd8e491dcf4853af65162eabae434f3404627b07f46b113cd76581f678d602a60c77dc48710d200260fa7eb8a86991524b0e6f89135473fc4587e3f10e42d38

C:\Windows\SysWOW64\Okmfpm32.exe

MD5 0d64c2a72e7ce92ccbb7240a616d0de9
SHA1 b8c990c8490dffc6a6ec621aa8396509d3d9dd3a
SHA256 ab5a284c982687166dceaa6a4d25470771a0286a4332006cc8b6c7691d9937f3
SHA512 39b08d0874163299e10be6c2f3459285c708ebcbbcc3263951267fd9d9279781e0bf3215dbf519c44dbf77340881eaa3ff42b65847f90f28b667f01482536f4a

memory/1160-40-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Ophbqlea.exe

MD5 74238412f6e5ee5ac3b8340d4bdfc70b
SHA1 478996541d4c6fa3f49362ccd8b9d7e7204f2e6d
SHA256 6cdc978f8390ce1cec801e22734338f411f7710592085e5fca2f33e477bb06e5
SHA512 064f1e003ae428f15fccb91e34e81e8776b36d0db3c90a51bf27d25bbb40412703ec3007c0f4b2b02470e8e9962868fce13b1ff8eb4af33cdda0a52ca617cd07

memory/1164-52-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Obgomgee.exe

MD5 489ab37fdd71b484794cec5086e3f341
SHA1 4fb192499bdbe0a521ea8f9f93c364b628d3fe31
SHA256 0df53ff3e285ecaecbf1c74181d1830f1ae580f5fd49892b3f2f9937cd0d4b8c
SHA512 fd1bee6a11be24f503846454bc21cd0b2b9551a1ddc175dbc14a374245c5ee53a02413cf4f53ff36f5842c5f09eeb3f0c855ebe7847623ae9ef6ecb87188160f

memory/2180-56-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Oiagia32.exe

MD5 9c63821cb43e6d754da0cec21d31ca0c
SHA1 5e75df0b61592c4d634f54a726f97fa88beb268b
SHA256 9b40d64fa2594ed2e5b86c4d3ced97a138af38e2b6b2ae2989b96ab292a6ef76
SHA512 d104004868a8d8195833c7b25d168375c2ec21012c546547c808eb89d9c13b7c49f2452193296ed843efaca54dd92a4c90d1593541142793fd189fa8fb3e09cb

memory/4988-64-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Opkoflco.exe

MD5 1709e20a55095a4d8bebf6cd71433604
SHA1 4699c0b51a72468f0fd97ce0740b33281223ccbc
SHA256 f5d66c41086be1af345921d4fe8007c526912a2a07f6d386003d1488a0e3c8b4
SHA512 ff30540466aecbb520b97413bfa84a6d4d01712b5873b5e83875b7bd78f086a7bcc4bac10c6c083b5585fe83f228263215eb06e846b4a0027ced959f057c7094

memory/2144-72-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Oalknd32.exe

MD5 d6db93946b35e95db70719a91fc56076
SHA1 7ada8361e8518713558cae44a7bb8ce795b57883
SHA256 cd9f61225f44d893617861520cc6d16bec778c7f7f6c47c382dd47302243567c
SHA512 211576b17a090d98106a2420eeb6e56e7973ef6ac1e361ce55114b3e3c3b4c8e05a30e82ccf7fc99acb5d2b5670e0ef636cf87df86048782983cfb27a0f7d304

memory/3732-80-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Olapkmic.exe

MD5 e21d85d1955115d60c75a9a9f4032f6b
SHA1 c0fd367f9944b742f54bd87d161e620a0dc837ba
SHA256 b6f13cb3ebb841e7120a28531882c557956241cc1d30aa44b0c888e02f7f509a
SHA512 c48fdf914c83b9e2fd554dd0a509b8ca22ab1013f2f68afe5b5c40e8782c9d79582df10553453edd961782e5ef6325b7f086a2da7cdd7c23a350f5b78726a600

memory/4788-87-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Pblhhg32.exe

MD5 fe514e27168f443db540b6695e3e31a6
SHA1 13bdef68c25586bd9266547a9328158173a8aa72
SHA256 83bcd1f527672f97e5d1a494a05ed4269c0ab483c50899648af70ee21a9b31e2
SHA512 a0e3c586387b45551e60e1f9664ab5d376fd1ea4b901e5dcf5d4358be084800dbb6efa86d315db6413b0cd14abd4d2f58d99c1c343099af7b5896c087094adf5

memory/2792-95-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Pejddb32.exe

MD5 ee6b47986a32dc6a35ae0d71625384ff
SHA1 03b0bed617e1c26de52d6fcbdaf87522ca6f3fe1
SHA256 b6974b79ce0382ceb21b4a7f637a2607adcedf4aa1c30a72082d46005f318d1a
SHA512 2fa89478613d51cc2e70ecd58d13e35f7c1f219f5e121287b09f6da6f2a6c471dd059ac418705dc2f14e70f4bf54e65ed7486f5d740888d9b8ae866485a0c20e

memory/4476-103-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Pldlqlgp.exe

MD5 087c47177ff7e80dcf13a9345fd958bf
SHA1 28e82baafd1c1db8b80bfaa5c41e97864d0865c9
SHA256 6693b494051acb63b823297a447b9978417df166f5057fe8fa47ff8b9a2b5990
SHA512 41dc29a7e11d4d0d89edd36818f29e326404c649081a11450344e62b9790898de40e4a0a867a7096628357838c174191374e33ee308fca944024f6a7d2023112

memory/4472-111-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Pbndmf32.exe

MD5 6acc986c02de4c61e9ca1d3a138a3c6b
SHA1 94e4d3d352bcc0037caaf90b742cddf9aa95fefb
SHA256 46a98a84bcd00f0ec7fd4b4b3e908ecaba1821a9930a592625d229c486d3e06c
SHA512 fb6fe99828a43b6d76080f4ba919e6459835706fca2b2b17b1bf4c39c18cec6cfd8badcba027f036c0ad1799a781794f806b0547525a10b1785645149f1fc37c

memory/4436-120-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Pihmjqfj.exe

MD5 057dde1d1c4124ac0273a0d9d5345110
SHA1 d833fe30685c0d40cda24aca28bd1b0244e95a8d
SHA256 62c8870ae39891800414af0abb721b306922ad426433db4c4f9c1d3a3ca4b0d5
SHA512 7ae4c31ae352587346a2214936a8609660f7e83fe7aa09592df2ac8c6a1b1c4653b7cce49d82ebe0fc898eae59f1e70a78113d41166e0dc519e0b4f85f9852ad

memory/4820-128-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Plfiflen.exe

MD5 cba7b9c00ef29abb733fa67468114191
SHA1 ea6a9acebcc060ccbb7e0055c2837046b9c31b97
SHA256 acb2ff40879f1b1c2d579eb995145e2e2a28f2faa321b720eacc89a0e693fcaa
SHA512 32c44bfde51bcebb00644ffebbff2418b76b56c19c9a3509bba1af21feeea86b9f9c5d6db40fd1102528912e3865a4b98a671589b01d111486e6587f8e05e1d1

memory/32-135-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Pbpacfmj.exe

MD5 da85c58619677875150be280098bda88
SHA1 a1834b1f33bbd3e422b158fea75552b5dc478764
SHA256 ca5703325ccd26911080f35990ff122ff64ae2d1e7a8ac967bcf44c6e56d12cf
SHA512 367584ce695cec058f3693859ccbaa8ccec8b5a55ad0fdba8be8214941853fc13e2e5d6bad42d4ee0736c7b20e2c112df40341776624aaaad63c4726752cc03c

memory/1388-144-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Pijjpp32.exe

MD5 b8383783f9b4a7a0cf21d8d8474fc6c0
SHA1 9d2ec2e69f9acf0d0e9cd3920783232fedff9e7b
SHA256 79aca6ed64dc9d41b4c926374c8a95c3a2239365accb8657c7446f8f8b8c59f6
SHA512 225131ebed30d0da928ad12b85f4df52375208012284178c200d4e4866ecfa3d8f0081e30feefc884c249fa85cd97211f31ff6e773fe3dcd88c0dab902b58bdc

memory/1248-152-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Plifll32.exe

MD5 a8438bcb6dbc82ca7ba615b8f38f53e5
SHA1 c4bf71b3bdd99fbc91cf337e0064735222d2f5aa
SHA256 bb96a10f3b91ec2a7cc1a17834c1173a1427a7cfaa35cd9c86f98ecdbce38297
SHA512 9ecc977efd404818817d7314ca4b71e8e3c6834c5a2ac3cb0c267287e3351a0497215d7965073ea43d1b9184bc6891e0deb0900f864dbaffba1f12633ae6edc7

memory/2820-160-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Pngbhg32.exe

MD5 bf0a726c43b8b9ab63702cddc6aaf1f2
SHA1 4df4fa639c2f36d7cbfa5d9efc3f260277ccb997
SHA256 821b03254a1c6f2807f5043c3f1aacf6492bfec80bc1f846d2450be0a08ff4df
SHA512 50dfefbbc1e032a420f4ccc531f1e16b53658b0282ad6101cb04e5abe8fe824edf1211273f7acefef3c11bcc0d22a922cc35a0891bbaa3a596aff65c1d5858f4

memory/4768-168-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4012-176-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Paendb32.exe

MD5 40579c1318d6575d00cdbac93b6e2887
SHA1 87d11919e5803e1f56ca8927ca5fe4e26098f06e
SHA256 55d059ecdaeb16b8a0e519a3d7e45718c03ba4f40f1722e7382f6baf700601ea
SHA512 73e57814f701599caf25d7e049c5cd9d7b23e95f9e1b78448b4e6ad1e050b120798306185ce1c7e5ca7004617f0bafece6f68ed30c8bd276c9cf22b00807fd3d

C:\Windows\SysWOW64\Phpfqmio.exe

MD5 36fd844808c75ee44b0146ce7df45a74
SHA1 fbe8c945ec6552fd65e06a0b811fa57e8c072ce4
SHA256 df175da79cc18f75a26eea9592db393611c2c203a97aa13c98e8658c165c2c98
SHA512 739be8bbf041dc238711063182ea6e4c0e8a1af2550ab1040a484d03fb52886cf353df9969fce2e554b1beb78d9f8e5a71143826491bb2cad4beeb73db62d612

memory/3524-184-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Ppgobjia.exe

MD5 97df68939141baef5cd6304efc61657c
SHA1 94d1c9a232024530b86d527c8e75d17c0abe8e45
SHA256 65df0021a9ddff7be9d9a634645def04cb5e84913c82665b587b3354ac260e4d
SHA512 6403926f0df5c67feb267534319195d814763ae729a8bcb287e3db84b78c11c90464de95be2083e89f190a1c467795a71907fd6b2a6d0c8f4916e36d17c9b917

memory/4868-192-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Pbekne32.exe

MD5 2f19508ce383e47e83f093171d2c2454
SHA1 3a34bfa0b3dfc05b48a8679d30659204cfe23c58
SHA256 0d1ca3109c8d853b75afa08ba9bcdcf79da72b283df2aaa687bb7dd3df2b2b8a
SHA512 526b224881fea834fe104c8d1b9d27ccdbee40fca40bec1fdf6a56417739c64d1523aa889335b5943b1fdb6bf34af1830df0653374c4689d81ea5e4dedc1ad5b

memory/3304-199-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Piockppb.exe

MD5 8b63f4c5586d9f437ecd5d17cd35b3ce
SHA1 48a23bb9c3312de2d8318ce053e8312a23d5c11c
SHA256 95a4dc28cedeca31ae0b16aad930e9b58222856b578f468a5b9d5d2254b6aea3
SHA512 d4e4de50bd1f5f72270bd390376b2ed61f44e15aa8a7989bdf5d00245e586da42f8fdd501e19fded606b1e8f8aa67407da6a9623398fd52fb89efb959ea6f3e9

memory/4048-208-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Plmogkoe.exe

MD5 471a3380be09d4f96efcba14edd23429
SHA1 32323227b008fba189e518cbc68028b76a3ae9bd
SHA256 b037e306c5d2b2550ce98fc4319bb93fc167aba676cc6be1718bb8b7c84395c3
SHA512 464ce618b7292e9c8722580dc50de3da65b6c6492678722b3b773caa592a126c7840d859c861139ea462679ff733e176d979a930130b3357181b5cb4bf8a36fa

memory/4908-216-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Qnlkcfni.exe

MD5 e41160a262048719208a72367f1b4c64
SHA1 411e36e2cd42ebbd90d3862f277653ffdd36774f
SHA256 b9a9a6f0e3bc22d3affb66f492d025dc8e9cbe0782d5ffb36769e8ffecf8408d
SHA512 a09fffb402599388322f5675303465e7ecba602b46b9837fe709a50d5ab5e98d5ee713a67626a700932ec255fc7bc6c68f48298ca943c4b5b3866d8e7779b55c

memory/3748-223-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Qefdpq32.exe

MD5 68515cb7cb9c26e3330171715839829c
SHA1 cadb3b9b11f71c5c8fca14ca6d97b8bd0a8e4faf
SHA256 09ee6b8d206c5c43f8bfc055dde820d46330fda7c319188460779286b1e5bddc
SHA512 bb219fb16ea0f4a45593fc27b3a091ff43bd19e6ac62d7187068b63f704bff1eba55a48cb6442159192abd424781452ef5422abbd09b57d8205d927a0485483b

memory/652-236-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3540-244-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Qlpllkmc.exe

MD5 7d441a36a40cc59b5f61132a8aaed6fd
SHA1 99279deff7cb1febac6bddaa41eb1718242fdc25
SHA256 6b5c4d90c8dcfdb58611f1bea991545ce86a1a166ae6dc4772b2e999567ffdfa
SHA512 fa8a06685c92b32ced5551227314c00415708f581ac1c2f161f8428f0fa9c0aa00338cbae1253d8dd5a0180b02e632fded2f23dac5bfcf2b6421b401a134c521

C:\Windows\SysWOW64\Qbjdiedp.exe

MD5 0d8a835960b812b20d7b00b93273fb7d
SHA1 77edb023acba17a1efe5933b50bd3cd4fe7f22ea
SHA256 94aef2df884a3b347d704dcfdf2cc2cf97df190db04ceed6719144b30cc5d8c7
SHA512 1148a9650b529b0e9da5f1e8cdc07235f94a45d9fee622ce114950aad492eb39a8aba0ad2439bda2b2e7e04190369fc0fe1759ed3120497d277219dfb71028ef

C:\Windows\SysWOW64\Qehqepcc.exe

MD5 babebe11a0bab307dff80b36af757de6
SHA1 35e91bb9c379c83f341c1dc9c05aafc51136efaf
SHA256 ee4a836c80a1b8a92b467a52fb4e10583796ef34428c07cd0c13dc4296acb5d1
SHA512 881f800b3aabb4b29fae42dbe5086111429006bbfd5a2ede628f59aafd33824e16c9318b7570d88a59266db54cf23f57929a6e1fa7cc3f10743081ebc136b377

memory/224-253-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4592-261-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4392-262-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4728-263-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1812-273-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4024-275-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4484-285-0x0000000000400000-0x000000000043F000-memory.dmp

memory/768-287-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1028-297-0x0000000000400000-0x000000000043F000-memory.dmp

memory/800-303-0x0000000000400000-0x000000000043F000-memory.dmp

memory/740-309-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2084-315-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3384-321-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3604-323-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1020-329-0x0000000000400000-0x000000000043F000-memory.dmp

memory/5024-335-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3752-341-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4348-351-0x0000000000400000-0x000000000043F000-memory.dmp

memory/544-353-0x0000000000400000-0x000000000043F000-memory.dmp

memory/940-363-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1896-369-0x0000000000400000-0x000000000043F000-memory.dmp

memory/684-374-0x0000000000400000-0x000000000043F000-memory.dmp

memory/560-382-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4400-387-0x0000000000400000-0x000000000043F000-memory.dmp

memory/856-389-0x0000000000400000-0x000000000043F000-memory.dmp

memory/552-399-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2868-405-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3676-407-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4760-413-0x0000000000400000-0x000000000043F000-memory.dmp

memory/5020-423-0x0000000000400000-0x000000000043F000-memory.dmp

memory/220-429-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4420-435-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1644-437-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4380-445-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4488-453-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4080-459-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1212-465-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2468-467-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3684-477-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1544-479-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3416-489-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4784-491-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4184-502-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4704-503-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1092-514-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3976-515-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3920-521-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2768-531-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3040-533-0x0000000000400000-0x000000000043F000-memory.dmp

memory/772-539-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3000-540-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2352-547-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2044-546-0x0000000000400000-0x000000000043F000-memory.dmp

memory/388-553-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4072-559-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1372-565-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4516-566-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3588-576-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1160-572-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2968-580-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1164-579-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Digkijmd.exe

MD5 eaa4693ca1ccd2b9d5fb7ab5352e59f0
SHA1 3d586669666e9bb6ed929e2775529c9522864e6f
SHA256 98497d8d72a7abbe5de246b62948de127605bc21013708bbe90c79e9ce17d1f4
SHA512 213dbfa73859038f42918d857261e23dae1637381ef7a19132a6e89f21ea50098c687912296bde072a6024360ca36e4931c16b7e606c4829d53af245b1031f9c

memory/4872-591-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2180-590-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1040-594-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4988-593-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Ejgdpg32.exe

MD5 b0de1f58609f3c5c884cba267051d6b7
SHA1 f3a002fafad0ee58267a0b0bcdfe76156bf6a0cb
SHA256 01950ebe3e97175d5b60d812dac8188c8acd876c882173ab88f9d4b7c56105d4
SHA512 4a3bc368369737c01aadf496c6307c46ad96493ac24e8f8b2fcb53b18a6ad682f3b7986c44994955dbe9f1955444957841206b995e65c454e4905284de0041a2

C:\Windows\SysWOW64\Ejjqeg32.exe

MD5 b05a7f3f05286360ef9d147962780230
SHA1 78af9b1b83f794845f49782b0e20d2c699aa8140
SHA256 2af542c5c91d6b0bf48ea45cf89aeb93eeefb12a325cb0680d970dfd82436d4f
SHA512 911b265c3b8540bc2ab79c8e8262234323513399aa6635a4803261ca0ce574b4aa7263ba5abd830899e78e3a222578fc789456aa625730e9b05b8f61edb8d873

C:\Windows\SysWOW64\Fqmlhpla.exe

MD5 de9da3eb5ee0e74e27fe3bc23c4e224f
SHA1 8f70481f05d70b06df17f2f4ed9a0d65f7219643
SHA256 ad218559f1ac53d98f9ddc313395096977914c3f17d53a92325fecb201c3c5c1
SHA512 7fe4b821bf3ea0aa0f7bfb240b4b83f014d31fa902ea6c153326927f75282c5cb1769cee59ecf0d5133e60582cf352ffbc4acf67b2d9e8d167881377d3b33698

C:\Windows\SysWOW64\Gmkbnp32.exe

MD5 b64cef63b2c5dccec55f7b76aff4f301
SHA1 2147166e31f8bb574c2510c86a61a1e2b126fb4b
SHA256 51422112ae5f366cf991cd30347dc881f20aaf8a76c342b0355802d4d4f9439c
SHA512 b20c7459c07ec30479514fe219de74cae299b3101269e32e69dfa719a42e49f945832c63e07a6a5b22cee4d55d6c9501b09d98a0fd0e6e858d8bfdaf52907c60

C:\Windows\SysWOW64\Gmoliohh.exe

MD5 7b439f39424e56076baa7745a5e8e062
SHA1 d9e80898348057b9f30d46493a0b3f0ade2cfc6f
SHA256 ca0ed823b56c9c120618beace139ae587e3117061a36ee85d20329f9f4918310
SHA512 76848bc55038043058a26f607c14f1c2cd0e171d487c50689cdc71f498d2e2ccf3f1a8eaa8a460e0f30d815cc4126bc2246d992cb23d1029cfcb9175cbaa3ce9

C:\Windows\SysWOW64\Gjclbc32.exe

MD5 5786e8183df407362258a74f98a99bc6
SHA1 2708de299008db58589884bce5e579d9a8cad212
SHA256 923e486a41a6949c68725d4726615e1b627822ea21acc96df25884e26460097e
SHA512 e551159a0b545c79724bda5b043392a43908d8862d9d207373bef5c9f672324505d7f59edab0846c324fb4f82547941e92cf1b0a6d4311587c2ce0fd6d4141ef

C:\Windows\SysWOW64\Hfjmgdlf.exe

MD5 5839eae461c3c13aba96cc367e9625e0
SHA1 700d0cebd30f1db356276ca93b715dd14a405e25
SHA256 58be5e87cde66df8417a4ad489b232dd39d8c7ef4137d106fa810d5dca4ee220
SHA512 90e6be87c1c3e42cd6356848299ce7dba982768feacc6a766f0c3358de6d2327d91bf6ffce5d66d60f7c7b4b71d8326da97ed4f7905a201a9ced4b89a69cf93e

C:\Windows\SysWOW64\Hcnnaikp.exe

MD5 8a7b6bd4cb98ba3c95e928ae5da9b0d8
SHA1 ec921edc699479d40771aa999ea85dec7fa52b50
SHA256 285b59d90d17eefe2f755fda534d6c5ab5bee1fee724be2e6a3626865b766d5e
SHA512 7122a2bedf61621e48f171798b15b7b47e8aa000b19b84c1d058b457eaa262d1eb172e8fbb7207e5da275ac11d7af073f796f0abe322987fd0f9fcb20b22dd98

C:\Windows\SysWOW64\Iakaql32.exe

MD5 44dc45a33be757543d403f80bc17af9b
SHA1 bd3a2b724d670ca9d1c14cdc636f50efa14af8b5
SHA256 ba5d6807f2eb4dc3683d5a21d338036ef7564e9ed820d731bdbbf0437ec9387a
SHA512 5a87e0df26ca4d0ea2a7bc6ad9782ac5f3597d9a25de7c70828d13e7e8c7804b834f2f7bc37ae8d2fe6d56f133150a79e527c2d3041918acc49d8246e3a1ffad

C:\Windows\SysWOW64\Idacmfkj.exe

MD5 0588b48ac5967b8651f4d9e0375142e8
SHA1 55af37975127a5e49f280c61f078039165d6ee0d
SHA256 cc631ce5a60c9e3b431a5c2eee285000b8b426e598a022bd4a7813c187e47905
SHA512 c94ef7cf9dea3def56fd8346c07e79edd77234eaf53a79edc1dbf670d785b92ae56b959041098f34f20d9b12bcc01a80a7f52f4d5b76823eb41052318b9d2d69

C:\Windows\SysWOW64\Jagqlj32.exe

MD5 c31a760ee266345f0bc6fdec9eebeff4
SHA1 4b99b17fa126839a962aba102b5ef35af9b0fef4
SHA256 80a9bf1c441ab62c1f69bb45c544d6206c549dcd6732e35442b66ca6b7c34ebe
SHA512 3bd9d4e331ef08913f018b18a491469edc32e59a5c980743862817ea8f5855560d53785a343c3bcf4bc0d0d62cbb28b2e9de3093fa9fdb82e0893f4f5d8920f5

C:\Windows\SysWOW64\Kkihknfg.exe

MD5 e01c198b7f97d8314ea8e6b0a701e50c
SHA1 9baf1195ddf34346371c380df1b30cc0565fc65f
SHA256 f9c893c27486d9d25df0a3af2fac65a31946ca48e4b765dd9da6616997a236f3
SHA512 06970b8cedf81f09314104f67970c8e36ff986807b747a9020c22d953cd5f041cdc1708a7c97ce9cf341a8f98db2c92d7c02d43eddfefa387e6d7050ddcaca1d

C:\Windows\SysWOW64\Kbdmpqcb.exe

MD5 193e65c3d0d49a2544e8da09a0cb4e02
SHA1 25eb4357abea164e1a91fe12ab5a31e4ffc0b65f
SHA256 c005bdb390199c14b5b6a92b29c2a641b64f0dbd263d6b17d6c541ceae19135c
SHA512 a68ead8fe6e752f2453fbc985b15af05489e882565771990a4a9cfc1223913d70f68baee5d30d9a4a07a0ed758f0ce8133ad702327af628852457fafff6dafb9

C:\Windows\SysWOW64\Kaemnhla.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\SysWOW64\Kdffocib.exe

MD5 36d47c601906220db179f32ada802d56
SHA1 23b254d12c016fb70bcc940ea778f5f91cef8310
SHA256 a4d124b7ec372ca6f91548d21260c3a57ce1e5112f2dfa281d2a240580e28772
SHA512 931d34b30a8f60f5abaf96d5e2d59cf64251e95dc289bb85359864647108793d200f380aeff66d0a64004afba7b5b30b3fba4134497ba9af1062be9a364af75b

C:\Windows\SysWOW64\Lgkhlnbn.exe

MD5 f0ae9fc306afae9ae8ec68ef9a3895b0
SHA1 2359d63fe62bab29713788e58482631fed9ecafc
SHA256 d76d8c4767ecf48ad7efb76f6f368ae9dd5a852f95fc363034bed84dd304f122
SHA512 b5e2f7dfeb585414b79ecdf0c4bced7e0c35b56e1c4a8328c979346ed2768423ac18bbb2de7e8c91f4e28a9f3ffc67f57394e8bd076bc356678cd6c3d9beb4d1

C:\Windows\SysWOW64\Laefdf32.exe

MD5 9d9dacc33e9eb6dd8cec3e76ee1c2bea
SHA1 812f03fc2daabeeb5d94736599c4548b7540f56c
SHA256 304121b55cc8eb8790009f41cd2985a2f49bdb2ec57660697f51f6e0719b56cc
SHA512 4bae0b682a80a2e53cdba99c3f70e301015316646a03e4fbc0222ecd3f7a37f5c81c1b00d151bcfdb37dfb5a1be84cd2629f2f7870d92f45a4b74ebbca719a7f

C:\Windows\SysWOW64\Mahbje32.exe

MD5 e2ca90ca0a9d0382b24bcbb5a6865643
SHA1 988dc1066dd8e0dd4ddcf2f0279653170be7a316
SHA256 a55e4f949b55ca9d273e9d51e358d7cd04dd3380b30213926d72f6af7afe54fc
SHA512 7de2b812b249a420d8c24a1669eedd7c8e68fdd340fd40372219a191e5d62a37ddd63b8368aecbca02fd9bf1710a8dd5541087df2ad6c14bab3de930b77bddb5

C:\Windows\SysWOW64\Majopeii.exe

MD5 31482eea51ae956561cc04ab78f5628a
SHA1 dfb6fe75185ad56cbcd2a93139786308c1bb9b9f
SHA256 e45863105c6752d4c3da21cbb510ccee3cbba0017fdfe997925862bbaa14ce70
SHA512 d322391a60bf703e66b9560261c3bc43dacd38f6cf859edb1cf5b53d234f90950644a46c542108b05a696d355b2dfcb4478bc31bab85c5b6d20a1d16cd0cbc56

C:\Windows\SysWOW64\Mgghhlhq.exe

MD5 1a71c8e8d3df2eeea02465c1cc4e3c56
SHA1 38d2953447281603a144e86989b0344191f1dcd3
SHA256 274c4af74eb481fe916fef9fefca4ed5dd22af7e7e422f0ced4ab5b2c20ce453
SHA512 6cbcc063e464499878e03dd5dd50349e28934fd57f2b99d9e099dd7ee727ac83cc349061cc57f2030e7cb30b04e7efed59a4cae1416e8fa94961a65c435de608

C:\Windows\SysWOW64\Maohkd32.exe

MD5 2ac9ae52dea99713df96a6d30752affe
SHA1 67e8f111c244c332a9dc795c03a731a0d60c3f6e
SHA256 682f3389a58299b69916382b373644c1fc83bad925cafe18ef681b21f353719e
SHA512 808d07f28bb14833685091583e4e495628f6cab4b48a2ebd641a4250cd111a498c60047087a94dd01b9aac589ae3c7bcedf0a10a6fa46f58516c6bc55481af4e

C:\Windows\SysWOW64\Mglack32.exe

MD5 683a75b452f7d416038cb279202ac44e
SHA1 e7f2a714388e908ab0ae95398cce3e42d49626af
SHA256 2437bbfb86b954a925e0a6d076781d9f9c0a488eee157f41f3e5f42a7df28f2f
SHA512 85dc40660057618e881cd36a65e8681d5e8f751dcf97075371a81a618b010ba43960879dc2ed281df04e12eafda7e5a73761e2683e50febd8f124a65a1a4ece1

C:\Windows\SysWOW64\Njljefql.exe

MD5 845b2f19c14ee0361ef6fc234973ede3
SHA1 db2ad0f4545d98ccace32463d12ab76ad8945fdf
SHA256 77d82b2fa42b09b470faf501daf582426064a6bb3ecaf91177c925723b28eedb
SHA512 167e7320740d1aa38f0d8347085eea22029e4b516910128666ae7f2b04cb029dfb70e6a241ba56bd598e921877a8082a940df6f6d500268202b08491a34beab5

C:\Windows\SysWOW64\Nqfbaq32.exe

MD5 594715e016ecae21a80d194144f7b4d9
SHA1 47a5a239bcc4428ac9191a29f5e1bb53bdc6e980
SHA256 30a077203337c9791435814b2c3d57da1549395028b3ea1740fdc12c4e7434d4
SHA512 d6438f04a59141ca0d50d05cf2dae129de017aeaa51a4a36acc9dcec43b9a028f4d9f5102079afcdba93940d5d4d9dfbe6c12a61cbd11a6077effc294da36244

C:\Windows\SysWOW64\Nnmopdep.exe

MD5 98be9c37ff67975c25ed118deed78f4f
SHA1 70921e3a2b37abd30958c8ae27f4cda79fd951c1
SHA256 2cfddd710a80bdfed1dd8e784ba6883d726f93628d1d0e222c6e563ccb5b5727
SHA512 f66df9a5e81b8e98034365a92fde14044a73efddf0df6581730102709374854135eac6d9dc7bd94fb94c99925cf219fed9a52b9cc07f57d21df899efe62b8017