Malware Analysis Report

2024-10-16 04:20

Sample ID 240602-hw73fafa85
Target 4dade3efcdf11d5d255665c20fd28980_NeikiAnalytics.exe
SHA256 7b7dd7f373969853bf6bd7e4fdfe0f411d385743cb52425706a98b521e80a079
Tags
backdoor trojan dropper berbew persistence
score
10/10

Analysis Overview

score
10/10

SHA256

7b7dd7f373969853bf6bd7e4fdfe0f411d385743cb52425706a98b521e80a079

Threat Level: Known bad

The file 4dade3efcdf11d5d255665c20fd28980_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

backdoor trojan dropper berbew persistence

Berbew family

Malware Dropper & Backdoor - Berbew

Adds autorun key to be loaded by Explorer.exe on startup

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-02 07:06

Signatures

Berbew family

berbew

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-02 07:06

Reported

2024-06-02 07:08

Platform

win7-20240221-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4dade3efcdf11d5d255665c20fd28980_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gegfdb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Glaoalkh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ggpimica.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hkpnhgge.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Plfamfpm.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Amejeljk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bpafkknm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cjlgiqbk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cljcelan.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ddeaalpg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ekholjqg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Gpmjak32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Amndem32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Alenki32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gelppaof.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ghmiam32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Apcfahio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Comimg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dnlidb32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Epieghdk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Gegfdb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hlhaqogk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Aajpelhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Aiedjneg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ckdjbh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dkkpbgli.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Gdamqndn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Penfelgm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Afkbib32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Abmibdlh.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dqjepm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Epaogi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hnagjbdf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Penfelgm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Adhlaggp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ealnephf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Flmefm32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Glfhll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pgobhcac.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cobbhfhg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cobbhfhg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ebgacddo.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ggpimica.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pmqdkj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cbnbobin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Flmefm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Gfefiemq.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gobgcg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dgdmmgpj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eecqjpee.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bdjefj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dnneja32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gogangdc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hgilchkf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Affhncfc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dbehoa32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Afmonbqk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ebgacddo.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hkpnhgge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Idceea32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pbkpna32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pfiidobe.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qagcpljo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cndbcc32.exe N/A

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Bpafkknm.exe C:\Windows\SysWOW64\Bnbjopoi.exe N/A
File created C:\Windows\SysWOW64\Cndbcc32.exe C:\Windows\SysWOW64\Cobbhfhg.exe N/A
File created C:\Windows\SysWOW64\Mdeced32.dll C:\Windows\SysWOW64\Dkkpbgli.exe N/A
File created C:\Windows\SysWOW64\Epaogi32.exe C:\Windows\SysWOW64\Eqonkmdh.exe N/A
File created C:\Windows\SysWOW64\Mhfkbo32.dll C:\Windows\SysWOW64\Hacmcfge.exe N/A
File opened for modification C:\Windows\SysWOW64\Ajdadamj.exe C:\Windows\SysWOW64\Abmibdlh.exe N/A
File created C:\Windows\SysWOW64\Cfeoofge.dll C:\Windows\SysWOW64\Eihfjo32.exe N/A
File created C:\Windows\SysWOW64\Dgdmmgpj.exe C:\Windows\SysWOW64\Ddeaalpg.exe N/A
File created C:\Windows\SysWOW64\Fmekoalh.exe C:\Windows\SysWOW64\Fjgoce32.exe N/A
File created C:\Windows\SysWOW64\Gfefiemq.exe C:\Windows\SysWOW64\Gpknlk32.exe N/A
File created C:\Windows\SysWOW64\Hobcak32.exe C:\Windows\SysWOW64\Hlcgeo32.exe N/A
File created C:\Windows\SysWOW64\Pdpfph32.dll C:\Windows\SysWOW64\Idceea32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cjlgiqbk.exe C:\Windows\SysWOW64\Cgmkmecg.exe N/A
File opened for modification C:\Windows\SysWOW64\Ailkjmpo.exe C:\Windows\SysWOW64\Afmonbqk.exe N/A
File opened for modification C:\Windows\SysWOW64\Eqonkmdh.exe C:\Windows\SysWOW64\Eihfjo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fehjeo32.exe C:\Windows\SysWOW64\Ealnephf.exe N/A
File created C:\Windows\SysWOW64\Gieojq32.exe C:\Windows\SysWOW64\Gejcjbah.exe N/A
File opened for modification C:\Windows\SysWOW64\Gacpdbej.exe C:\Windows\SysWOW64\Gmgdddmq.exe N/A
File created C:\Windows\SysWOW64\Hbfdaihk.dll C:\Windows\SysWOW64\Paejki32.exe N/A
File created C:\Windows\SysWOW64\Bghabf32.exe C:\Windows\SysWOW64\Bdjefj32.exe N/A
File created C:\Windows\SysWOW64\Pdamlbjc.dll C:\Windows\SysWOW64\Qnigda32.exe N/A
File created C:\Windows\SysWOW64\Mcbndm32.dll C:\Windows\SysWOW64\Ddokpmfo.exe N/A
File created C:\Windows\SysWOW64\Gogangdc.exe C:\Windows\SysWOW64\Ggpimica.exe N/A
File created C:\Windows\SysWOW64\Cckace32.exe C:\Windows\SysWOW64\Ckdjbh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Eilpeooq.exe C:\Windows\SysWOW64\Ecpgmhai.exe N/A
File created C:\Windows\SysWOW64\Ipdljffa.dll C:\Windows\SysWOW64\Cndbcc32.exe N/A
File created C:\Windows\SysWOW64\Moealbej.dll C:\Windows\SysWOW64\Qeqbkkej.exe N/A
File created C:\Windows\SysWOW64\Ecpgmhai.exe C:\Windows\SysWOW64\Ekholjqg.exe N/A
File created C:\Windows\SysWOW64\Midahn32.dll C:\Windows\SysWOW64\Eiaiqn32.exe N/A
File created C:\Windows\SysWOW64\Oomkin32.dll C:\Windows\SysWOW64\Paggai32.exe N/A
File created C:\Windows\SysWOW64\Anapbp32.dll C:\Windows\SysWOW64\Dbehoa32.exe N/A
File opened for modification C:\Windows\SysWOW64\Iagfoe32.exe C:\Windows\SysWOW64\Ioijbj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Qeqbkkej.exe C:\Windows\SysWOW64\Qjknnbed.exe N/A
File created C:\Windows\SysWOW64\Dgmglh32.exe C:\Windows\SysWOW64\Ddokpmfo.exe N/A
File created C:\Windows\SysWOW64\Cgcmfjnn.dll C:\Windows\SysWOW64\Dcknbh32.exe N/A
File created C:\Windows\SysWOW64\Bhpdae32.dll C:\Windows\SysWOW64\Hdhbam32.exe N/A
File created C:\Windows\SysWOW64\Hkfmal32.dll C:\Windows\SysWOW64\Cpjiajeb.exe N/A
File opened for modification C:\Windows\SysWOW64\Cnippoha.exe C:\Windows\SysWOW64\Cfbhnaho.exe N/A
File created C:\Windows\SysWOW64\Ekholjqg.exe C:\Windows\SysWOW64\Ejgcdb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gejcjbah.exe C:\Windows\SysWOW64\Gbkgnfbd.exe N/A
File created C:\Windows\SysWOW64\Pabakh32.dll C:\Windows\SysWOW64\Gaqcoc32.exe N/A
File created C:\Windows\SysWOW64\Abpfhcje.exe C:\Windows\SysWOW64\Alenki32.exe N/A
File created C:\Windows\SysWOW64\Jkdalhhc.dll C:\Windows\SysWOW64\Bpfcgg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dnlidb32.exe C:\Windows\SysWOW64\Dgaqgh32.exe N/A
File created C:\Windows\SysWOW64\Gegfdb32.exe C:\Windows\SysWOW64\Gfefiemq.exe N/A
File created C:\Windows\SysWOW64\Hjjddchg.exe C:\Windows\SysWOW64\Hacmcfge.exe N/A
File opened for modification C:\Windows\SysWOW64\Pgobhcac.exe C:\Windows\SysWOW64\Paejki32.exe N/A
File created C:\Windows\SysWOW64\Abmibdlh.exe C:\Windows\SysWOW64\Aiedjneg.exe N/A
File created C:\Windows\SysWOW64\Bpafkknm.exe C:\Windows\SysWOW64\Bnbjopoi.exe N/A
File created C:\Windows\SysWOW64\Jnmgmhmc.dll C:\Windows\SysWOW64\Fioija32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hkpnhgge.exe C:\Windows\SysWOW64\Hcifgjgc.exe N/A
File opened for modification C:\Windows\SysWOW64\Hobcak32.exe C:\Windows\SysWOW64\Hlcgeo32.exe N/A
File created C:\Windows\SysWOW64\Paejki32.exe C:\Windows\SysWOW64\Ofpfnqjp.exe N/A
File created C:\Windows\SysWOW64\Pdfdcg32.dll C:\Windows\SysWOW64\Bagpopmj.exe N/A
File created C:\Windows\SysWOW64\Oeeonk32.dll C:\Windows\SysWOW64\Cljcelan.exe N/A
File created C:\Windows\SysWOW64\Dlcdphdj.dll C:\Windows\SysWOW64\Claifkkf.exe N/A
File opened for modification C:\Windows\SysWOW64\Gelppaof.exe C:\Windows\SysWOW64\Gaqcoc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gdamqndn.exe C:\Windows\SysWOW64\Gacpdbej.exe N/A
File opened for modification C:\Windows\SysWOW64\Gphmeo32.exe C:\Windows\SysWOW64\Gogangdc.exe N/A
File created C:\Windows\SysWOW64\Dnelgk32.dll C:\Windows\SysWOW64\Oelmai32.exe N/A
File created C:\Windows\SysWOW64\Amejeljk.exe C:\Windows\SysWOW64\Afkbib32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cpjiajeb.exe C:\Windows\SysWOW64\Cfeddafl.exe N/A
File opened for modification C:\Windows\SysWOW64\Dqelenlc.exe C:\Windows\SysWOW64\Dodonf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dkkpbgli.exe C:\Windows\SysWOW64\Ddagfm32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Iagfoe32.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Amejeljk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hjhhocjj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liqebf32.dll" C:\Windows\SysWOW64\Hlfdkoin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pbkpna32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kddjlc32.dll" C:\Windows\SysWOW64\Cnippoha.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gobgcg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hgilchkf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Bokphdld.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fpdhklkl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hggomh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Epfhbign.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hleajblp.dll" C:\Windows\SysWOW64\Afkbib32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Bpafkknm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cfbhnaho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipdljffa.dll" C:\Windows\SysWOW64\Cndbcc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Egdilkbf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gphmeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdcbnc32.dll" C:\Windows\SysWOW64\Oenifh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Bnbjopoi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dekpaqgc.dll" C:\Windows\SysWOW64\Ekholjqg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Eecqjpee.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhcecp32.dll" C:\Windows\SysWOW64\Aiedjneg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aofqfokm.dll" C:\Windows\SysWOW64\Amejeljk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dfijnd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ebpkce32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ckdjbh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cckace32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dqlafm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fjdbnf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcmbeioh.dll" C:\Windows\SysWOW64\Pbiciana.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Plahag32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Apcfahio.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cljcelan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooghhh32.dll" C:\Windows\SysWOW64\Gelppaof.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hlcgeo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Eiaiqn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ofpfnqjp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Qeqbkkej.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ajdadamj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njqaac32.dll" C:\Windows\SysWOW64\Ebpkce32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojhcelga.dll" C:\Windows\SysWOW64\Hlhaqogk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bgknheej.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpenlb32.dll" C:\Windows\SysWOW64\Cobbhfhg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dgdmmgpj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pffgja32.dll" C:\Windows\SysWOW64\Hcifgjgc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cobbhfhg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ealnephf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Oelmai32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ondajnme.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qnigda32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bhhnli32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Gieojq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Alenki32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoipdkgg.dll" C:\Windows\SysWOW64\Bpafkknm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ccdlbf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhflmk32.dll" C:\Windows\SysWOW64\Ddeaalpg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Globlmmj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Hgilchkf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ccdlbf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ckdjbh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dkkpbgli.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlgohm32.dll" C:\Windows\SysWOW64\Ealnephf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkamkfgh.dll" C:\Windows\SysWOW64\Fjilieka.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Gegfdb32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2240 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\4dade3efcdf11d5d255665c20fd28980_NeikiAnalytics.exe C:\Windows\SysWOW64\Oqndkj32.exe
PID 2196 wrote to memory of 2272 N/A C:\Windows\SysWOW64\Oqndkj32.exe C:\Windows\SysWOW64\Okchhc32.exe
PID 2272 wrote to memory of 2652 N/A C:\Windows\SysWOW64\Okchhc32.exe C:\Windows\SysWOW64\Oelmai32.exe
PID 2652 wrote to memory of 2876 N/A C:\Windows\SysWOW64\Oelmai32.exe C:\Windows\SysWOW64\Ondajnme.exe
PID 2876 wrote to memory of 2616 N/A C:\Windows\SysWOW64\Ondajnme.exe C:\Windows\SysWOW64\Oenifh32.exe
PID 2616 wrote to memory of 2452 N/A C:\Windows\SysWOW64\Oenifh32.exe C:\Windows\SysWOW64\Ofpfnqjp.exe
PID 2452 wrote to memory of 2960 N/A C:\Windows\SysWOW64\Ofpfnqjp.exe C:\Windows\SysWOW64\Paejki32.exe
PID 2960 wrote to memory of 2792 N/A C:\Windows\SysWOW64\Paejki32.exe C:\Windows\SysWOW64\Pgobhcac.exe
PID 2792 wrote to memory of 2820 N/A C:\Windows\SysWOW64\Pgobhcac.exe C:\Windows\SysWOW64\Paggai32.exe
PID 2820 wrote to memory of 908 N/A C:\Windows\SysWOW64\Paggai32.exe C:\Windows\SysWOW64\Pbiciana.exe
PID 908 wrote to memory of 1196 N/A C:\Windows\SysWOW64\Pbiciana.exe C:\Windows\SysWOW64\Plahag32.exe
PID 1196 wrote to memory of 2708 N/A C:\Windows\SysWOW64\Plahag32.exe C:\Windows\SysWOW64\Pbkpna32.exe
PID 2708 wrote to memory of 2932 N/A C:\Windows\SysWOW64\Pbkpna32.exe C:\Windows\SysWOW64\Pmqdkj32.exe
PID 2932 wrote to memory of 1400 N/A C:\Windows\SysWOW64\Pmqdkj32.exe C:\Windows\SysWOW64\Pfiidobe.exe
PID 1400 wrote to memory of 2896 N/A C:\Windows\SysWOW64\Pfiidobe.exe C:\Windows\SysWOW64\Plfamfpm.exe
PID 2896 wrote to memory of 616 N/A C:\Windows\SysWOW64\Plfamfpm.exe C:\Windows\SysWOW64\Penfelgm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4dade3efcdf11d5d255665c20fd28980_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\4dade3efcdf11d5d255665c20fd28980_NeikiAnalytics.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 140

Network

N/A

Files


memory/2932-267-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2264-269-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1400-268-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2896-279-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1400-278-0x0000000000290000-0x00000000002CF000-memory.dmp

memory/1028-280-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Adeplhib.exe

MD5 479e37b77778fb5cd372e2de30c77088
SHA1 c572aa4e8fecb06f6c5b14dd66aae5e233f12325
SHA256 16277a92a1264a98960eaed0dca82a64d90053a84cfa39ca0fa363aa7c6745ac
SHA512 94988caabffeebadc4375110015a437642873aacd649000ee9d60d90a234ebcc0e28480b2a876dfc6e24cabbf270734d624c5c1aabf10a124d79c4e15e3d2c06

C:\Windows\SysWOW64\Afdlhchf.exe

MD5 b7c6da1048e302caef81a7d8b9e66e06
SHA1 92f674ae2cfa4946ae2f64da3af1c5783df90121
SHA256 188d0226bf48a380b5c301b81455e733f9abf3084a54c87366d9ec7b387bba74
SHA512 80cafe7eef5914d1c3964a523f41fa048808c1dd041d605b757f4ad2db300a7875052ea9aaa8d09c6ab485dcdc7880a868a2e98ead0af63bed0d7a7beb7ed543

memory/2920-289-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2920-299-0x0000000000250000-0x000000000028F000-memory.dmp

C:\Windows\SysWOW64\Amndem32.exe

MD5 faca930486a237798c978246b01f4304
SHA1 9580c779997a8c7f5a76cd7d00cd66ef0605ff16
SHA256 1e01ece95e542ac8bbd3beda2f53e81e8de13f03af236f838c046983160c2c8f
SHA512 fea87db3003c7f3a67a57df7709f8fca8ea3a5b092a9838962d00e1991999bf29b16da9d8724f0478cdeec992ccfa5ffad5f57b7b76c4fa1427b990242cd3f56

memory/1696-303-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Aajpelhl.exe

MD5 65668aedd7ae02832ec28965b37a2961
SHA1 50463596a4c7f9d6f94854ff0889ffa9bb642db1
SHA256 d4cc37c51b88ca6f53a617be093db4ecba3ce5946a4d1bed295fb52a7e08df5d
SHA512 29dba8ea68c93dc737ef56aee45614f2c4cda755f850fd667dc7a8ef2c047a2b74ce172d896d03bccc3724a5f473053d682ec1700e705fbc919b5759b923763a

memory/1780-308-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Adhlaggp.exe

MD5 3b14bcfc799600005b1f18c9c3441d97
SHA1 cb429d3a73bff35aa9dc2700ec4bb17b59c308cf
SHA256 e5e7b8b9a460c66a6072e9021f59952a216942282d7039a6282257ed01357df8
SHA512 d071fb250210542ba1fe08d2a87fcc3b4378b038945cc2b4be567f6b6b97b9a8f546f30e978b14fe59357a442d369590665f2fa664d7e8e3f5a8f7d0cf5f7805

memory/1748-317-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2068-318-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2068-319-0x0000000000290000-0x00000000002CF000-memory.dmp

memory/1576-321-0x0000000000400000-0x000000000043F000-memory.dmp

memory/964-320-0x0000000000250000-0x000000000028F000-memory.dmp

C:\Windows\SysWOW64\Aiedjneg.exe

MD5 508a781642d200fefdafbfc957a410f0
SHA1 168f9854ad41f38676da560c9d15191964a15c08
SHA256 86d81c3a322c8ea70bc074b5858fc8300bb6e4056270e13f721a8aa3ab123b4c
SHA512 454fad1f60ac8e4a0c4ce6c6094bc1ee7c2f2f6a1a00bc8228f01bb764d7af3bba467c9e928851dc8797b538925fd9c61a04ea6e4f9abcb6b1ad86150743107e

memory/2264-332-0x00000000002E0000-0x000000000031F000-memory.dmp

memory/1576-331-0x00000000002E0000-0x000000000031F000-memory.dmp

memory/2264-327-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Abmibdlh.exe

MD5 5d052f37c71154a777cb6810aff650ca
SHA1 c65759ab7a62aa0f8f6d68a60e8b0fec8346fb85
SHA256 4d8f7d80f8c6bd4ea9858a96bd2f58a8ef73a2e9f701cae647664a5273911839
SHA512 87a06a22af35cbe6ba69d3c06259d228d1cffe5135143647736e6df98648d52d2ebf3cbccc17fe215d438e2d61b63632875cd1cd64a94a5371f6792b8b2664c2

memory/1208-346-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1028-341-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Ajdadamj.exe

MD5 e0959c511fb4374bcfa7b9f3d755fb1e
SHA1 0a5ed5c9673fe621dae2d752ee2537f68611df2b
SHA256 8ec523186acb9c31bfeee16524e1df36a664ed7238e0ca93640d91de36e5ca5d
SHA512 4c476327e9505edc82042b106240866f08b7a4a68ea7ba68667b23a939e193b8d71c637bbfb0fc956a769561db21cb30488493c6dd43930e405af4644773fa26

memory/2920-351-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2636-356-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Alenki32.exe

MD5 7a0ec634a35a566f468227b2886930b9
SHA1 a2488665306309061740b3a4e62e734322ccfb13
SHA256 b485e75a666c02ea92a3e017b2d95acb4c3b2cabe2b5271f307672257d1da007
SHA512 da1c1aa12e2c99772f17af0d44931e405d1638ddf0f482d64f2fee0c34b0dfbb7e99df5f1a1993887cfb9148e6eed44e38d9d3a9ea9928d2123bece979e36abc

memory/2476-363-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1696-362-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2920-361-0x0000000000250000-0x000000000028F000-memory.dmp

memory/1780-373-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1696-372-0x0000000000440000-0x000000000047F000-memory.dmp

memory/2476-374-0x00000000002D0000-0x000000000030F000-memory.dmp

C:\Windows\SysWOW64\Abpfhcje.exe

MD5 ea19a7343964a3677fb6e673d44dbd1b
SHA1 2915b10e69083b45ed00b4a1d99ccdf5f4bfc82b
SHA256 d45e6fb6efe75889488f2b76dedd595da3c30c7f52cbab600d7d41fd9e7a064e
SHA512 987ff9cc2e98db8125d2a828c9f0a412054fdce581bce31238abe1a684611769df300583b4f691d921d80ef8617466d0cc28ed20472fa64f3c4b0943d00f0585

memory/2768-381-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Afkbib32.exe

MD5 5dae59060d1f66fa7c772db93edce499
SHA1 8fb49b1447de90953ea590f0fb021e51f6a43378
SHA256 afc807feffded013891096567447cc93807fa2c2b236827c3b26f5a00e751113
SHA512 762b508da92b8831153ce0a5ea534122c7d038fabae3bdbaea69e0d7bd3869969426b572f67f1bb1bc2887982b7dc660d040256b8f20e12f76c4b3f9c00e544e

memory/2068-382-0x0000000000290000-0x00000000002CF000-memory.dmp

memory/2768-380-0x0000000000310000-0x000000000034F000-memory.dmp

memory/2552-390-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1576-386-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Amejeljk.exe

MD5 0cd9917dade7358d6376bbc29321cabf
SHA1 4ab22611982d19883333284a5e304c19b685ee08
SHA256 1c1cd33bc52d53a409ca0fd1d534abdae8071485b281f4636ca44692289ba134
SHA512 464378954fa55c4e75d383eed38d9ce431fe7835f46131ac277278143297d76973646991b54e5502c744b108a2c0c50b0a9cb4a32eae1a0190f43a21e2ca6495

memory/3028-397-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2968-396-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2780-406-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Apcfahio.exe

MD5 92d05f2ad6fb8b7ccfd13ad7f1305d0b
SHA1 77a60ce57be13b104aac78ea1695198664a6da4f
SHA256 2120d43c4db1575c8e3eebc60b5f33918db5b34235defbc39356176fa9481441
SHA512 10b0740cd442b17c07f42a3bfb7a5c86f07e5cde34e30008be44ed03d72990d23eb70eb7a8cfa478a428a2c34398b9d9f109e10c7af91ab2a45700779f1bdecd

memory/2476-415-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Afmonbqk.exe

MD5 d7faa2b01389f38529eced226bc6a4d8
SHA1 7b98540b84f6f4fe7f312516f0d8a24c27461e21
SHA256 31f75df084777698a77367a198f392abcac0663e9915f600c2e11f2b0606fb8a
SHA512 b592a7541ce0f76829284f32564af0cc9692d73837a8d827cf3705c0ecdb51d06bf1a39417975d2b0c2ee94c2d54e5a03f94defee99692c71711afffdd17991a

memory/2812-416-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2812-422-0x0000000000250000-0x000000000028F000-memory.dmp

C:\Windows\SysWOW64\Ailkjmpo.exe

MD5 1b49b001a820afb1bb6c11bab29d96f5
SHA1 98cfc69a77c6d088a59e9b5c4d4caed0e4c55fec
SHA256 76c2a9bf58e159cb3001daa5766b1d7c5d0890c4889e82f0cc515ab2a8a6bcac
SHA512 e78f319946cbe8fd5cc9065c20c1ecc45d3a40103b3b70abb605df943d08eedb94f895a44cd288bb391a37d6791566d32ac5c68da5ee86a5c1118516a773a0b0

memory/636-429-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2812-428-0x0000000000250000-0x000000000028F000-memory.dmp

memory/2552-427-0x0000000000260000-0x000000000029F000-memory.dmp

memory/2552-426-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Bpfcgg32.exe

MD5 92cd26e085567325504e120d2d67085f
SHA1 60b58cddf005b075bd9af7365d03a2dad5c99560
SHA256 fa8a4c5cf73770d99523ce22c3c49974c1f5115552d97a7857b1f87e8eb924b3
SHA512 21fa07bdf8ee120c09cf72157bd3f52f8fa5e461015990030be5c051b26986b8a26cf633000536c9694431087416421fb9717f5a21fd8a34436306405a5ee910

memory/2176-438-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Bagpopmj.exe

MD5 1a0a0ed639bb9e5ff0c8ce161fb35aab
SHA1 6a3607d90fde69af9f5479b69e1ffe377a5af6b5
SHA256 bb8766d8b9ddca23d74f10957a96f96c1ae049c458d5a63c6b8b460ccb80cd27
SHA512 aed8b2a4fede4cb1f163017be486e68b7ed5f9c38bcf0657c92faec1585e44b6794f93a62212426d3d4ae7356270cac5e615f69a0e7b8cfae778a606988e946d

memory/2176-447-0x0000000000250000-0x000000000028F000-memory.dmp

memory/1536-449-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2968-448-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1536-455-0x0000000000250000-0x000000000028F000-memory.dmp

C:\Windows\SysWOW64\Bokphdld.exe

MD5 a5d063b67e85bda13eece7c9e52dec76
SHA1 ef9fb251165253e60636b573a32550929ffbe940
SHA256 e536ae5812824557fe55c0b6eb851b74a94989ecb7b70c1ccaebb1b7fba721c6
SHA512 45c3da2f57e6cfb62a6454fb26c41350c947e737381cd7961c7d81def6bcd16db4f727c00d996fdfe1cbefc10750c527c538ba95007da4b89aebf9adc5b04ee3

memory/2780-463-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2332-464-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2332-466-0x0000000000250000-0x000000000028F000-memory.dmp

C:\Windows\SysWOW64\Bdhhqk32.exe

MD5 73d4e7d82caf2313123f9ae50792abc3
SHA1 497a129db83ba6f444315565d87535910fcbad7e
SHA256 5fc346daf60d8a65c392a8b637e9870dfffd05ab0f14998ad0e88be9ebf0a50b
SHA512 740138dfdff474a475b23edce90bca85c85c3c14d7108afd4652448b3b6aceee5c4e8bd4f0c31d23813e34c00f53e66cd2e5a3cddd81d8ebd2c7a1b091e85f2f

memory/2332-471-0x0000000000250000-0x000000000028F000-memory.dmp

memory/2780-470-0x0000000000290000-0x00000000002CF000-memory.dmp

C:\Windows\SysWOW64\Bdjefj32.exe

MD5 3e91bb46adccb5a5a8cd81ba23050c13
SHA1 ee776af3061e4e11c5cf563e8284b57eeea00ea9
SHA256 6c1819bf73f8633df84456c4d60bbe5a9054f549a75b906e58adad2ef85cebee
SHA512 cd4127c3f1deda684df84da92dc646f96fca88b2641e627db2a7516703f5a041d7d89c6c8099df8dfc9900e5ada7ed4dc2a236da01fadce53fae160227a56253

C:\Windows\SysWOW64\Bghabf32.exe

MD5 8e3cea3918b0df7408ae2ad826668a31
SHA1 a1654b92a67f2d43140f5b9feedff089de1c3755
SHA256 551754236fe5cf87a42239cf5b5bb80fbe09ea04476889f104c612eb5d242200
SHA512 2b53d643a9bff4fa5e3147893410d617368e81e4f36e35d4133a6f73684f82bf67d03aa93cade37dda55b6ab134fab7373474a4beba57efdaba3dccba3008f22

C:\Windows\SysWOW64\Bnbjopoi.exe

MD5 a92ac5f6511a5044924dd9e43df50236
SHA1 8dda0aaebf4b61b10334202972027e2aed3343b3
SHA256 621653199b02a277900a9a13858fdd77455b6b57fd374aa6da41300ccca63ddd
SHA512 63987d35974504f0d9acc544cdd3817765b94afc4e0eabd97fdad7480f83ebce396ed954591dc2add3457c054fe85052e0cf6b16c9bf3c36f28fd3ae8a2b0aad

C:\Windows\SysWOW64\Bpafkknm.exe

MD5 56030aa3db0e2d7aced30ed09aefb713
SHA1 e109cfd13f7f882283544f0e73cd21ff13869280
SHA256 2374914dd92f5d6e20705e14d0a67ea69977367bd5d2b0971d3bd38cf7ec52f2
SHA512 cc30d0fb9887aff62029ba149d8b47dadb151fdf2ddf3379215b1de5115a3ec18db20115562b6d8231a252e4c14920de0b81c02a5453a17ed9a8670764592a12

C:\Windows\SysWOW64\Bhhnli32.exe

MD5 e2fc7eac0f55426a1a8831b23ef1951e
SHA1 aa3b5a339f7ac23e5e585510fe856810cbb650b8
SHA256 4deacdae852f6d2b06f0624ad82b4e9f8eba3721c1f148120389dd0cf2729878
SHA512 664b9a89245bf2af4fe4cbff394d107586e47e064894a013c91025fc4a438ac8b4d6f53c56e2f4a36158a882566ae393c2d2960e43c668cbcf7cc09efe6d170d

C:\Windows\SysWOW64\Bgknheej.exe

MD5 8ad69b5f42b3832fcb40ca4fdbb73264
SHA1 8b626f6174bdb59e4841dceab416086f41718b18
SHA256 f3f297af0da3b4e85f586852d290fc0b849e46840d9f2528a152d6c3b397bfed
SHA512 d791155621990912b8f4118cdda882ff16fc3ad291bb9218e5fb1952bc7299beb20ab398c360309124f4a65e89d84aa0f851473804a58a91e5d104a927b67123

C:\Windows\SysWOW64\Bpcbqk32.exe

MD5 5ca66cc1460cb03b4fab60d9eadc2384
SHA1 dbbf6fc2c9af49549125f98a09d7d506668e0be9
SHA256 1269cf44e4b75eb2d522fe59760419f5bf7359ef28a547c161f1d0b1535d2242
SHA512 3385e203ccee71cfc8d670bac77956ca8220a048e36d14cddac4ed7091e66f17badd191866a26d0f6b4afa8e94eaa060ba53072ed78816c6d722e4c8bdfc18ee

C:\Windows\SysWOW64\Bcaomf32.exe

MD5 271029300c101c9b7f0defc624e1179b
SHA1 0b0ab331d3cd54135cef7829b7148c8f0d12f934
SHA256 c255b746109331a19c368935aea9e734f729e0e9d98ac6273ebb5992846dd737
SHA512 938f0f0f15999c59d41539ad46dba5a20efad646adf4646667426c6ec41851ace6a3ab7c74b68c7a0bb793e3ddb22ea55311f6ff85907a205fc5ed8b7de498b7

C:\Windows\SysWOW64\Cgmkmecg.exe

MD5 87dd2cbf12ebe501c9bb20e39b234887
SHA1 04754c74138b0f527023f012ebc8a5a02bdca9dc
SHA256 8d80ca43d3762a420ea0f1e638a108565c046c2c8dd090f643a11832270cdcd1
SHA512 85930f83cd94120b96218d99fb676322c6ac0515bf0a9e30e10b19bf5347777f490ca65129c9478d9dfb2d1d575d5ba72a326d55333c89b1a27c3b34fb986a35

C:\Windows\SysWOW64\Cjlgiqbk.exe

MD5 5e987848179014452b1f3a17a1975f7a
SHA1 d606d7a07e101b57686688d5bcc57bfd36e773ca
SHA256 ba68eb1dd4ff28b5e44cb551f71bb117e934e2529527edb83ac7edd32f057c2e
SHA512 d47b834361c4dd43937cb889c9782d27431e947d7f6b4bfd441857db8caba30a95d78e34cdaeef9c0ba8ecdd1d6cb4f93f5c9b00b64c65afb856dbe7c2be30a9

C:\Windows\SysWOW64\Cljcelan.exe

MD5 d5e505319981f2c0a752c6fb72e5d052
SHA1 3786a5cdeb040a9a80b7c61fdaa4a19bd33dc2b3
SHA256 03ffd59f11043c50e7540e8724e5482a7d61307143b308ab8069b5630781f0d6
SHA512 dee8f89ddce954406de6ec2d7f6da195143278e730f4444e3131801359691f77af819d01831e4a4414cd2d3c6270db72a47b890cb94edc38fc6dee4e026d3b5d

C:\Windows\SysWOW64\Ccdlbf32.exe

MD5 a9b5245828e4c632f729f8b6a7a6cd4c
SHA1 ce70118bb95845c40b2f57bd592710fbba6dba86
SHA256 1da88701be9238cf2cec566f43adac9a50a0a503082f5b9c1bc6e8353e232132
SHA512 c75a7f50aa9ac3b27b2a65532bfd0cb8e1cf2fbe62e4c0846f304a1ec06f1e7f5de9d820a9bed9c75f998b8f05383df46905d17ff7e79fea2412a80389a727e3

C:\Windows\SysWOW64\Cfbhnaho.exe

MD5 fe2b248823e46110828a9e990ef53847
SHA1 b8e7381c90551848f9974ca384f6840e54e27805
SHA256 6a9fb8bd7565d58c9fc9831ef38b5c1ae7a20838f3e9ecf3c0963d2388837ae4
SHA512 b927845a595b16aaaf00c37c1e9862bb9fcd8a9e1da6476088bc567c5ac4f6f8de3dea8020f9dba7187d9a2dade22e98baaacc8a612c4f6307356a119f5ec446

C:\Windows\SysWOW64\Cnippoha.exe

MD5 796bd4ced674f6150736f287699db59b
SHA1 3e79b028ee7759d36d3cc1111252256e4027ac53
SHA256 a64dd95ebd9b2b44b62f2666c5448cd40e38f73c435f1c050d2d0f17219654f9
SHA512 105ae01bf3ea42c32adae0ee082f7e60363df94680cd6ce549a422c1e7a331abcf05c27e1a682266f1ba50f1738d510b0da3995a4d82be26d447a8030bd95e57

C:\Windows\SysWOW64\Coklgg32.exe

MD5 8c1f7bd5341c3a2ca93860b12a17ab16
SHA1 f8273b0fb4ba5899c862b92990278b3594a10cec
SHA256 d1f2166c68526a3417f91216007166f92e7e70fb3073489a044ea871191eaaaa
SHA512 3c34755b7f4527d1e2dac883e34078413896011d64f72c62abf191bae31eabcb2d2583a0425913b1ee524ea37aa7019858cff50588b920f575abac2da23ebf6b

C:\Windows\SysWOW64\Cfeddafl.exe

MD5 31396ed59dac7e9ddbaaeee30b51a833
SHA1 9d13b3ba8fe58b0e7afedbc69cbe774a30c49202
SHA256 f6593391dcd66b2cd14f3c400429c7447e4daa57ac31b8d44a2b380d1346653b
SHA512 bc867bf4a4804067a002ae5cb867fdebe44ac237a1cec603b202d44e0b655f2fbd26abef21e2014cb1d08fd3dabd20ac0854a605b5a29020bb6bc331f486e5ca

C:\Windows\SysWOW64\Cpjiajeb.exe

MD5 14713b5c7d512fb1449cf9b900a2896d
SHA1 e955072921789ffa30d08e2b6b20479c80ce1877
SHA256 b7f86ea8936f4299c27a0fb65cd76f8cd9feeeeb63c08f640f33140cc07e224e
SHA512 a2aaf6a82ec958fe4556dbcabfd8f6a579b0795fc2a6038c98628c923201a0ab48c7f6b2f3d5589e131984cf7b04a0f1628638828ca2749e3f8e8252d751fb08

C:\Windows\SysWOW64\Comimg32.exe

MD5 8cbd03cea4c8c377e258dc732ad44ee2
SHA1 577a2c859dd7b204ab47828b906e677675ce05e6
SHA256 810cd271ce86111309c15e1f622843fe8ad6ee1f086f2cb04adc706dae50bfe3
SHA512 af97c9de310a63d476e211e22308a64a65ff9adee74acd238ac9abbce0478f4770cadc445828ce2d84a9fd5d6128f185d333b30ae62b8331a1c51e15b7be7ce1

C:\Windows\SysWOW64\Claifkkf.exe

MD5 0937e3112fed9362bd0adc1a8980a8be
SHA1 3b89902a270c81299980c69be1f0361040b78344
SHA256 f6c2dd624beef1ee3f376d251f7307f767f5b5ce73f73de298cfc8af99978bb5
SHA512 1235181230d1aad0010569d76d091558dc89dd54bcb215628864d6bb8182898d6143fbdaeeb95951d6006588692043921e2488fd6d8b6f29d67115bd16a41d25

C:\Windows\SysWOW64\Ckdjbh32.exe

MD5 37c6cd5bceb868f479fd81a49084bcfe
SHA1 b409f5c4867bab34c4c28f319b62ea5d95c47b63
SHA256 ebb88ada826e37e990f0ef505fff2e15e3b6e26c1beedfbaa91ac888316446a9
SHA512 7cd4de39d4945b8cae6396f98b138d992f5126da990604255277297503d222bbccf6bea27c4aa7a98501f17e90cfcf865efd8e6ae1646e5161091afe413ac299

C:\Windows\SysWOW64\Cckace32.exe

MD5 cafd429437ada768cac6a1211e2fbd14
SHA1 28a7dfabaedf2b41c1038745d02acfeaa863c10f
SHA256 888c75037574adb471559f51381728b631ae2704d8484e05413251779724bf3b
SHA512 fc26a9d7b3ac3f76b220c1a80213d7093c6f524bce219363eb72665dda5ce5e6cb5de0094f928644a8dac032998bad35fccca3ecb4ef5fe8943916545e71cc67

C:\Windows\SysWOW64\Cbnbobin.exe

MD5 e1433295d2e2e3dc2a46b3b30ad3ff17
SHA1 ecb5031fefa9c00eda40e97fe24bdf7ca8d956cf
SHA256 5ba08ba3c634c21dc2dc8d526fa03862d4c8b4c41ecd64747361d04a42d2ce0e
SHA512 33e24c115ffd1f7acf5f406bf2c463000539fd1bff19e0bf7fb1a36484c59dcd982b9a114d854d1a2f964b5940a33a9bb2e1a9ae32c941eb95037732c2858653

C:\Windows\SysWOW64\Clcflkic.exe

MD5 cbf0e93b8c4f10d27b4ad9f44c0b9a89
SHA1 390e80e346bb076051c9e9d24a9946c246f98f7b
SHA256 ccff36c50eb3c3ebc5da5da69cb460d04de3446c97df14e05f120c241d12df55
SHA512 42cd5c37cf1207e3aa60085d89e803e820de8f31968eaa94abf4fd047a67d15ac54d0de8fcd45511c111079b46e3e402f7594a616d064ed0bf10605174ef83ea

C:\Windows\SysWOW64\Cobbhfhg.exe

MD5 f654edcc54840020759b132049a23283
SHA1 cf3f88d1c665d6fde340fdad24e0c388fbb5295b
SHA256 cbc6c586d684fb8959b507192768b63b1be5d6e1c42e8a9c6478236c8f25e704
SHA512 066c4a1bc56f1b8e57b1408854069f820713d5f9ae414e28f20f878dcdd866d33d66c4ac8955e519097fe54a679067c17ab064414d56b2711442c14ab4890a0f

C:\Windows\SysWOW64\Cndbcc32.exe

MD5 fa3128a1e8e9889f7071a7b8b170ef31
SHA1 8857589ce2e5ad7e2534ce9288fed411b2acff7d
SHA256 4225be156399dc05d3f23458cb5041f0a6289899ed7404600fc71c60ed63f0e6
SHA512 3aa8a2912559b91370975e5d12b4bb59d1f54a3e17fe69df93019be45448140e24e849798dc82ec7839d5e8feaee8f637be36b110dd9825842723ab335a6766d

C:\Windows\SysWOW64\Ddokpmfo.exe

MD5 150af32263a1f44fd3757e94807e99ec
SHA1 6fbebd783dfdd78d952cd2292b2869804a3ec5d0
SHA256 f03f1f231e461ee6015d8c025ba1277e3327d01065400555703c2d6df54df1b3
SHA512 a663b2e4295b76cea6a8726df486a1ce12804e343d443cedb688d6cf10e65b362a0cda053fb0b17543a27c9fdbe9f07ca802594657a041a4a012cebab391478c

C:\Windows\SysWOW64\Dgmglh32.exe

MD5 5f90a5dccc327f2d9a7a7563d26f023b
SHA1 215ebed1c1dec9f217b7710aa29ccf693b0a2b84
SHA256 5f3e3e356d324ed886db0237918316e46e953c8106f8dd9f029c177c5c9f964a
SHA512 602726e80ed26adc5d7f3b11e2c7b025d299b9980029a303da61b4d7b431d3c01cee10421eea1ed436117041e9f96c332a2707020421c84ba0a5d2d19a88b550

C:\Windows\SysWOW64\Dodonf32.exe

MD5 6352a4a2f5c615f4fe3465205c4de36a
SHA1 4831c5becd246e44afe7b2d168a5bd6e1a237d83
SHA256 a3c94d001d2525bcf93903a10f91ce625657b1035046b96cb167c82897f2e8ec
SHA512 16df2a43744cdd9f25f83f475f36e906fa2738acf4f7fc658552cd7f503f51e4338126d90d04600fedd4a5d94660c3caaa481d7becc6eec3630442b96b6819cb

C:\Windows\SysWOW64\Dqelenlc.exe

MD5 0c0ac5677bbe816570ccc0cdca4fb6b2
SHA1 0b9825cdaef1bdc188df9dfa83d2ef0953491e4a
SHA256 76d1b3d6f7c34ef52a5858fbd80f86ae7dacca25049a470424d27b396e4f8d36
SHA512 5241563ad2cf2040db5a2aaa3ce4f85925950251618f74b9c5a4672eaaa28529374ea63d61e1e861edba0218f92c35bd589a946b9dfd833862d91b86db261a17

C:\Windows\SysWOW64\Ddagfm32.exe

MD5 d96ef5fe65d240f53d71a2e780b002a7
SHA1 337b73c461853b2360d4475ca8da779996f74f7b
SHA256 f0d5e96f6d482578378d692d064be1f3e5ccfff73b73fe383d99bd58f9a8ed0d
SHA512 1272fa87b9166fc7c25dfeeb7b01eaa800aaaf266324b3f12c63093f207d6582649a81a4087a61a4ee460710796012c525cee7f060bff68eb04863bc1699d030

C:\Windows\SysWOW64\Dkkpbgli.exe

MD5 64013171f7010e04a60186fb06b5c09f
SHA1 ceeb5352e022af19b76110a5f22a1be585e4b764
SHA256 a20d7427558001a0c9fc14330876d48c5b34c5ead45970dcf64045953970420b
SHA512 7d602a99bcd914e5a7b9faa240afd855db1a781df86e1d8410ae489a65e415170fc0aba9679ec3ed35c7f86b15ff5ddd3cc922e223ea119de2336447cb0ede89

C:\Windows\SysWOW64\Dnilobkm.exe

MD5 239c90d5f18f067d4f4948746173ba47
SHA1 0360056e62877a940341fb15c88893a5511a3304
SHA256 88762cd41bfbb12e40532d71bb6e286c4ba4bab7a842cb87a991697e28a281b2
SHA512 7cfac979c9dd8513452611b7db03e6d0921957a2866e3f2a62a36aa3ab4f070ab20ced3832cac3687833902c5ff6bda78aa9ec3d7ad2bc30e50b85bc4c5766ae

C:\Windows\SysWOW64\Dbehoa32.exe

MD5 b25da91ecb386e6613cd85bfc1122892
SHA1 447d37e36b4b0b77999a41fec3b9eb898a4acd8f
SHA256 200c9777e44579b9e2356c2be9ff1b4d8fba3b011926be9f24b7d6d255bf8a4c
SHA512 56d198a9d41917d3f027ab043f8035610428887aece57ea18610090091e55895410a9c7eae71f9dc66c296ee069663aab46672997968aea5e503912de80e631b

C:\Windows\SysWOW64\Ddcdkl32.exe

MD5 ebde2dc445e53f6c201a7266935c7a84
SHA1 9a8706d4e13167c23f6e2685afe7b52880cf4973
SHA256 e7c51e7d1c04b9c0e8bae8af52adb0f8d2e0815ee10fe5f90b38c03a5f996a77
SHA512 d1efa4f2979b2f54a1ef74ff15ec8e789430dd06c7c19d3369177c96fd2fa9d937f511796d1dfb53e0695f30dbcebbe578796a4fca453588c0d7b109edc5cb05

C:\Windows\SysWOW64\Dgaqgh32.exe

MD5 88aaae2cbfbffbe3e88648e7b9d441e3
SHA1 8d1e5ea3204de772793b6b5ccc11544c4fc0f36c
SHA256 94863af50b357da5e7d89ff8a3e919531819a12c576d33e1a3d614b9d214caa1
SHA512 40d690e24c6946a294a72787d1a5f68ca887ffa41d33d7b4d794e0904f030563410e40c3d7184f64441100958a068f7270745f74d80688fe134633a1ee148e6c

C:\Windows\SysWOW64\Dnlidb32.exe

MD5 cd4400395a729d0cb7d9836a7280a568
SHA1 ccfa4c58611dcb72e48b4aedb928f207aa9ae9f3
SHA256 2cad0b44e41c888e50127cbb90c1cae44578c81a25917c499af28cd55fac5629
SHA512 cfe1f2e966fdf37ba034310507ab0fddb0954db6a185562e601eff7d3190b4a98f83c15c33fef67b55ef988192b3e6d2f235023bfc60d523f6902a5226b2f120

C:\Windows\SysWOW64\Dqjepm32.exe

MD5 c5f4d97fcdfa7f4490823e85770b607e
SHA1 d3b8bcf15e871183486997e49c415ff91697df68
SHA256 353ef9cfb90e1d76cb1b03ea0066e87874a6b2b6d458ceb72bfdfb2e09a2f28f
SHA512 d4569951f1c3a6c7bad5f2419d277f6182d701810ebb2443976fabe63d13e095875982bf75c43968f7a7b3aa558469ed444fff50c519533686713b7c31ffefec

C:\Windows\SysWOW64\Ddeaalpg.exe

MD5 f920506cecbdb3fa5f0ffee4dd3c0d09
SHA1 775e11d50abe551d70650c5aaca4666ac9144c3f
SHA256 a9b68f647cbb442ceda756fedd75ad340e60fdf72a1324d23673965fc9868e38
SHA512 b51e3d46baf9204e12c9790bcd318502d56759fce9cb805d4f79783b5b61625b3a4b6e0f2795621597165843854f2018e7801d59772a2cc5003a326aa32d1942

C:\Windows\SysWOW64\Dgdmmgpj.exe

MD5 30df87e55682b52f5c5cbc408eafa22c
SHA1 0ea91151c7ea05b9a11d84de001c763d535bfb91
SHA256 8e7eff52cdf0eaa945ef7f88a93fe82d84e9af6d497c616c4cb48d34b371fa83
SHA512 7153a5a077444727889d58801eeb26ff6d0f5fd1a31c642d99d252f2558b5b6f587c037ac07571287c6b22f844aa6fec7a6676ab75e5c429e819f05447bd88fa

C:\Windows\SysWOW64\Dnneja32.exe

MD5 47a2430a9f5920ebfb12de00b89cdc72
SHA1 5dbdedb95179a2550f413f03badfab1d1b7f44ac
SHA256 017a2b179045a1b43851c0e5ccc5bab4e2ce2e2d343d2461115d126290830a27
SHA512 0debc36ff46db20c6e0b7aceca0e9f9ee6bf9617608a60a7f4950de1e73aaf513e84b5f23db22dc1f340c4a1dd315ccd90640a0da894d5fdb320fb5affd0040e

C:\Windows\SysWOW64\Dqlafm32.exe

MD5 97075221d087d8672087851ca4820e45
SHA1 9ee123265d802318ae5d5e4cf1b0a7d7f0e4ef77
SHA256 7d2427f5c9a53b8c224afaa269c8207bb243b8bbaf302db2d86a4e5ecac12e65
SHA512 a96c0f429a5c26f295ab95a16adbf0940159cb7b79db706df0f83d21c09d5207c8dd67ef8d49ec72c1b466767917887a5daf23f07494f881a1e26c37405cce84

C:\Windows\SysWOW64\Dcknbh32.exe

MD5 29790dd0fa42d0769abfa32e7143a294
SHA1 df21fc3b619e92ccc799cdfb6b27b727fc7210b4
SHA256 16e5f51127c6baf59f1ee1d5048b40327dca6e401fe8985a900edbfafbb68bcd
SHA512 4521155f877969c520d59e1dc69b0415ad262bd6c05e742ecc1988383c669d095d3f6b18da18bf36a7610af05177e73335f338f588eea36578e07b4101296220

C:\Windows\SysWOW64\Dfijnd32.exe

MD5 7d8c30419fa6a90de460c22cefae67d2
SHA1 1cb6a737083dd321e76cd0a7a433a442bca4029c
SHA256 7ed8a1925abd5a5ee74f68fb671ada604028ae67596344379f665557a94626c7
SHA512 e8a2f0d039d175b70f73acec014a20a12595795a1dac1bbaa805282d84c02a43d9fba7e14f63cf8a99d20e06b9bbedcf6974e2c43f9b1dcaaff3479a111164d7

C:\Windows\SysWOW64\Eihfjo32.exe

MD5 5a551089e8d25ab02063a44b827df9a8
SHA1 e612d380cb5af12a37a34ebce6e5ad08584ab615
SHA256 5ecf6bc4c0426767fafbf8bbe04e98880912370389a0e62357f4c3d34e669b53
SHA512 e047e5862c0393215763d6c5063bf4ea0c0a9bcbec29d0e1db9c9852d3808187e27b38a93847301946d0c5fc478c74e385a2902c2c36a37133e80d3adf38ed68

C:\Windows\SysWOW64\Eqonkmdh.exe

MD5 392cc456b766b190dd18888815dd56db
SHA1 f50d1319d8cbd5c788353979f5712238ae75dff3
SHA256 f98d178659251a3e2f82f2acc83efe8f4a180964d0c0fdc60eb178a17b2d6651
SHA512 2d203f828b4c2c7792949983a66ba2d05c111758d18598f25ff70e2a271a87929546ffe0cc2e2e88d988e08868d1457e789c1e33ffb1fc0cb7735ad94854c54c

C:\Windows\SysWOW64\Epaogi32.exe

MD5 eb712596068fa98581ac6c41b0869107
SHA1 e134dc7481d04816f95a68b6d7b291623c0a220f
SHA256 59b4ee217e0b95ccb85f88a7efe00c7e47535c876068d32da64f05fcf5bc6aab
SHA512 de78e686a41f72dad10f8702d770d007fff0338474d1b64a8e2addf8681981b483397591621052d1d5c9df9b2636c809d8e5da7af6eeffe7102ee1522df95492

C:\Windows\SysWOW64\Ebpkce32.exe

MD5 d0f925cf32e346cfe95d77b9e0c9de29
SHA1 16648b5deb055260b77f3b113e5afd14e7b4bd11
SHA256 8670746c9bfdcffd0d76ff295478ba50a447998f6803765526610691bae4c0a8
SHA512 2ed69f8b10ea972f060dc5ff1ad43d8667e0823eb69a325f93e986fa51883d469976d03c83ef9f75ef797110d78517ed0de75a9ff697e557c2eb1ad7efbd0f2c

C:\Windows\SysWOW64\Ejgcdb32.exe

MD5 bf18e0224c44353c854eb8be8f58cd0e
SHA1 4cc33b40acad7bade58dc53a0f0585453dd3694e
SHA256 5196039ac272b06330cc22a4a218558debdb1ae63b0411d03473d1eef0a8c6e6
SHA512 7fe39632b76f85b358c8280c4545f3b9fa310eb34baff23f8fced84d24a89fa95288ff5f912a9208696042f40d9b8dd4cf7095b573aa7a3b4232ae5ff2675296

C:\Windows\SysWOW64\Ekholjqg.exe

MD5 a08ad927b405f199723791cbf4fbbca2
SHA1 df9c41e5eea6f85bc479274fe18fb77e1f18b3b2
SHA256 0fae0673edfc85c088c509eb12c958afd2f6ba43a632d568aba120fb90f89538
SHA512 113899f5979f73618b5e648423202f8bacf139efdac626a031d589e09ed5f84e90746c56d45689262571a36485298e03e700195758a6c336a83011b7af936c44

C:\Windows\SysWOW64\Ecpgmhai.exe

MD5 86804732e19de58763c8cb22ab3e1d43
SHA1 e8f90292b9d53e2a1d915a666855ae172b06fdbf
SHA256 43418d0d8ab9bd56bfd74ec2c9171a85af23f9015bd5214478806c2373e15462
SHA512 5871a9f1bab467e75030c24b1eaf333763c8b981ff38f9e11277de4e3f34c6171af11ae203829efdc8051fdc02352955b18ce3cd99fd6b651e62a75c7889a665

C:\Windows\SysWOW64\Eilpeooq.exe

MD5 f7c5b75e42414aeb7952022841200da7
SHA1 7634b317c3b9515a0962907028dec24875cc6e1b
SHA256 021b34484254a7cff26ecebfacdba51af9ec8a735cc5d619eb5e5047baffdb04
SHA512 ffcf21fcc36215bf27856bd5444a217c9a1459f6b65b2ed496b6a5c4c0e6088a769af99e2478d52b118bb371e05c011c719a9e1090b46aa8f5fc413e6137ab44

C:\Windows\SysWOW64\Ekklaj32.exe

MD5 c6d25a2523da4397085d35d3405cdcf7
SHA1 b821972970a7fcdaa66fdb72c3cb6b70fc2586d9
SHA256 19bc24cf7f767f3482148ee0aaea5b3862dcca86a4187e93d3fe597b3af72cd1
SHA512 4bb01d97cafb83ae9019c0518f0055142588fe098f47534134cb9c3f8f21196a1a9141e0d20c475f134edcbcfab4632a201515342847401e35389a6fd7e18981

C:\Windows\SysWOW64\Epfhbign.exe

MD5 88dff566ea06eced5418e13d1e2e4f4c
SHA1 6efad86098f75f8149b2a69f5119a2521f7ab005
SHA256 02b9ba712828183f6fd448b55cdaac2b45c69fb50957c314b7ea803055398632
SHA512 2ed335101bcd599b2a3d145aceb2e20efdede0cf140018d8b19f1c77b6fc748927f4725f94d463c5fa17217623cd8d28fad58d1228b1fa54f43cf150f2d96398

C:\Windows\SysWOW64\Enihne32.exe

MD5 0006b87656ca1a93231599bfa66e5dfa
SHA1 4a198f9d3eeff0212214ff14a6465dae5741bee8
SHA256 b323fb9b21f9b1cb47e3516cee69056814ee6ffefb3ffdc817ab9dee73a66a04
SHA512 c29320bbb0cc54243ca6464f2723b688789f6ef06d8f0e7500b1f881b0bc08089457d686ab35d6169383a192905d1f650d402c19d74efa0cc2756f643b9d27c1

C:\Windows\SysWOW64\Eecqjpee.exe

MD5 fb4ccaad04e000ce342ddf00666faa9c
SHA1 005ef3771c4cc49b5b5d2bd77a4c1d7db8c6a099
SHA256 1fa14714c02ecc275b38832ce855a7a947d5bdc1fd2d8873ecd93088d055c0ec
SHA512 45fc31793ff8b71712c5ad1a671248ec6db2701c393144b8ba1739672657fff27a8eaed55c732fc075ab387f194ebad8acd2b667af0577f39014c5efd6daba6d

C:\Windows\SysWOW64\Egamfkdh.exe

MD5 17f4300dc8d35d05164c25a71edbcd29
SHA1 7d36446fff9b09c45922841b51fa4b5ba96c92f6
SHA256 17807804576d20cac79a79aae2cf218409c57790caa21fdf8c3403ac73745a8f
SHA512 7ee7cedc30ebd57fee5b5ea509ff9f2191e5f5f20f0449091c53c07aef0cd9ecabb836332232ffe9e8ad379a0802d742ebe21b00d46b42f48300b0bd3416dd6c


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-02 07:06

Reported

2024-06-02 07:08

Platform

win10v2004-20240426-en

Max time kernel

93s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4dade3efcdf11d5d255665c20fd28980_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gfnnlffc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gpklpkio.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kpepcedo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Lnepih32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mkepnjng.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gfhqbe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hjfihc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Iffmccbi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kmlnbi32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Goiojk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jdemhe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Mciobn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Mgnnhk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jdcpcf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kmjqmi32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kpjjod32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mpkbebbf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Njogjfoj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Iakaql32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jbfpobpb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jkfkfohj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Mkgmcjld.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mgnnhk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nggqoj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Icgqggce.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ibmmhdhm.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mpolqa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ldmlpbbj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Mnlfigcc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mnocof32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gqdbiofi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jmpngk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jpojcf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Kkkdan32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Liggbi32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mcpebmkb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ngpjnkpf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fobiilai.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jfffjqdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Kilhgk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Lkgdml32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Giacca32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ibmmhdhm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Mpdelajl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nkjjij32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fjhmgeao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Gmaioo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jiphkm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Lgneampk.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mgghhlhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Giofnacd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Gpklpkio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Iiffen32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ijfboafl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jfffjqdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Kmjqmi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Kpjjod32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Laopdgcg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lgbnmm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Mnocof32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ndidbn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iakaql32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mdmegp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mkgmcjld.exe N/A

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE


Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Ekiidlll.dll C:\Windows\SysWOW64\Lgneampk.exe N/A
File created C:\Windows\SysWOW64\Mnocof32.exe C:\Windows\SysWOW64\Mciobn32.exe N/A
File created C:\Windows\SysWOW64\Ipegmg32.exe C:\Windows\SysWOW64\Iikopmkd.exe N/A
File created C:\Windows\SysWOW64\Gmlgol32.dll C:\Windows\SysWOW64\Jangmibi.exe N/A
File created C:\Windows\SysWOW64\Lelgbkio.dll C:\Windows\SysWOW64\Mpdelajl.exe N/A
File opened for modification C:\Windows\SysWOW64\Ngcgcjnc.exe C:\Windows\SysWOW64\Nqiogp32.exe N/A
File created C:\Windows\SysWOW64\Gqkhjn32.exe C:\Windows\SysWOW64\Gfedle32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ipckgh32.exe C:\Windows\SysWOW64\Ijfboafl.exe N/A
File opened for modification C:\Windows\SysWOW64\Jmpngk32.exe C:\Windows\SysWOW64\Jfffjqdf.exe N/A
File created C:\Windows\SysWOW64\Lbdfmi32.dll C:\Windows\SysWOW64\Fmapha32.exe N/A
File created C:\Windows\SysWOW64\Gbgkfg32.exe C:\Windows\SysWOW64\Goiojk32.exe N/A
File created C:\Windows\SysWOW64\Ddpfgd32.dll C:\Windows\SysWOW64\Nkqpjidj.exe N/A
File opened for modification C:\Windows\SysWOW64\Kdopod32.exe C:\Windows\SysWOW64\Kmegbjgn.exe N/A
File created C:\Windows\SysWOW64\Akihmf32.dll C:\Windows\SysWOW64\Kpjjod32.exe N/A
File created C:\Windows\SysWOW64\Ekipni32.dll C:\Windows\SysWOW64\Mcpebmkb.exe N/A
File created C:\Windows\SysWOW64\Qfiapa32.dll C:\Windows\SysWOW64\Fcikolnh.exe N/A
File created C:\Windows\SysWOW64\Jbocea32.exe C:\Windows\SysWOW64\Jangmibi.exe N/A
File created C:\Windows\SysWOW64\Kgbefoji.exe C:\Windows\SysWOW64\Kdcijcke.exe N/A
File created C:\Windows\SysWOW64\Pellipfm.dll C:\Windows\SysWOW64\Liggbi32.exe N/A
File created C:\Windows\SysWOW64\Jiphogop.dll C:\Windows\SysWOW64\Ipegmg32.exe N/A
File created C:\Windows\SysWOW64\Enbofg32.dll C:\Windows\SysWOW64\Kdopod32.exe N/A
File created C:\Windows\SysWOW64\Kaemnhla.exe C:\Windows\SysWOW64\Kmjqmi32.exe N/A
File created C:\Windows\SysWOW64\Mjeddggd.exe C:\Windows\SysWOW64\Mkbchk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gpklpkio.exe C:\Windows\SysWOW64\Giacca32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jdemhe32.exe C:\Windows\SysWOW64\Jiphkm32.exe N/A
File created C:\Windows\SysWOW64\Bghhihab.dll C:\Windows\SysWOW64\Njcpee32.exe N/A
File created C:\Windows\SysWOW64\Lcnodhch.dll C:\Windows\SysWOW64\Iidipnal.exe N/A
File created C:\Windows\SysWOW64\Kilhgk32.exe C:\Windows\SysWOW64\Kkihknfg.exe N/A
File created C:\Windows\SysWOW64\Joamagmq.dll C:\Windows\SysWOW64\Kmlnbi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lkiqbl32.exe C:\Windows\SysWOW64\Lgneampk.exe N/A
File created C:\Windows\SysWOW64\Lgabcngj.dll C:\Windows\SysWOW64\Hclakimb.exe N/A
File created C:\Windows\SysWOW64\Cgkghl32.dll C:\Windows\SysWOW64\Gmaioo32.exe N/A
File created C:\Windows\SysWOW64\Jdemhe32.exe C:\Windows\SysWOW64\Jiphkm32.exe N/A
File created C:\Windows\SysWOW64\Mghpbg32.dll C:\Windows\SysWOW64\Kgphpo32.exe N/A
File created C:\Windows\SysWOW64\Diefokle.dll C:\Windows\SysWOW64\Gbldaffp.exe N/A
File created C:\Windows\SysWOW64\Imihfl32.exe C:\Windows\SysWOW64\Ijkljp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mcpebmkb.exe C:\Windows\SysWOW64\Mdmegp32.exe N/A
File created C:\Windows\SysWOW64\Nqiogp32.exe C:\Windows\SysWOW64\Nnjbke32.exe N/A
File created C:\Windows\SysWOW64\Lihoogdd.dll C:\Windows\SysWOW64\Ipckgh32.exe N/A
File created C:\Windows\SysWOW64\Ockcknah.dll C:\Windows\SysWOW64\Majopeii.exe N/A
File opened for modification C:\Windows\SysWOW64\Giofnacd.exe C:\Windows\SysWOW64\Gbenqg32.exe N/A
File created C:\Windows\SysWOW64\Mkeebhjc.dll C:\Windows\SysWOW64\Kaemnhla.exe N/A
File created C:\Windows\SysWOW64\Kmlnbi32.exe C:\Windows\SysWOW64\Kknafn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kaemnhla.exe C:\Windows\SysWOW64\Kmjqmi32.exe N/A
File created C:\Windows\SysWOW64\Kknafn32.exe C:\Windows\SysWOW64\Kgbefoji.exe N/A
File created C:\Windows\SysWOW64\Opocad32.dll C:\Windows\SysWOW64\Hjfihc32.exe N/A
File created C:\Windows\SysWOW64\Onkhkpho.dll C:\Windows\SysWOW64\Icgqggce.exe N/A
File created C:\Windows\SysWOW64\Ajgblndm.dll C:\Windows\SysWOW64\Kkkdan32.exe N/A
File created C:\Windows\SysWOW64\Lkiqbl32.exe C:\Windows\SysWOW64\Lgneampk.exe N/A
File created C:\Windows\SysWOW64\Bebboiqi.dll C:\Windows\SysWOW64\Mnfipekh.exe N/A
File created C:\Windows\SysWOW64\Kkkdan32.exe C:\Windows\SysWOW64\Kgphpo32.exe N/A
File created C:\Windows\SysWOW64\Jifkeoll.dll C:\Windows\SysWOW64\Lmqgnhmp.exe N/A
File created C:\Windows\SysWOW64\Qcldhk32.dll C:\Windows\SysWOW64\Mdkhapfj.exe N/A
File created C:\Windows\SysWOW64\Nqfbaq32.exe C:\Windows\SysWOW64\Nkjjij32.exe N/A
File created C:\Windows\SysWOW64\Iffmccbi.exe C:\Windows\SysWOW64\Icgqggce.exe N/A
File created C:\Windows\SysWOW64\Ijfboafl.exe C:\Windows\SysWOW64\Ipqnahgf.exe N/A
File created C:\Windows\SysWOW64\Ndghmo32.exe C:\Windows\SysWOW64\Ngcgcjnc.exe N/A
File created C:\Windows\SysWOW64\Gpkqnp32.dll C:\Windows\SysWOW64\Gqkhjn32.exe N/A
File created C:\Windows\SysWOW64\Ngpjnkpf.exe C:\Windows\SysWOW64\Nqfbaq32.exe N/A
File created C:\Windows\SysWOW64\Fihqmb32.exe C:\Windows\SysWOW64\Fmapha32.exe N/A
File opened for modification C:\Windows\SysWOW64\Laopdgcg.exe C:\Windows\SysWOW64\Liggbi32.exe N/A
File created C:\Windows\SysWOW64\Kdhbec32.exe C:\Windows\SysWOW64\Kpmfddnf.exe N/A
File opened for modification C:\Windows\SysWOW64\Giacca32.exe C:\Windows\SysWOW64\Gbgkfg32.exe N/A
File created C:\Windows\SysWOW64\Gkillp32.dll C:\Windows\SysWOW64\Ibmmhdhm.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Nkcmohbg.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Fobiilai.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Laopdgcg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Mnlfigcc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Kkkdan32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbpag32.dll" C:\Users\Admin\AppData\Local\Temp\4dade3efcdf11d5d255665c20fd28980_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ginahd32.dll" C:\Windows\SysWOW64\Gimjhafg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hmmhjm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlilmlna.dll" C:\Windows\SysWOW64\Iiffen32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncoccha.dll" C:\Windows\SysWOW64\Kmjqmi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Njogjfoj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kmegbjgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lgikfn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Nnjbke32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocdehlgh.dll" C:\Windows\SysWOW64\Giacca32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgkghl32.dll" C:\Windows\SysWOW64\Gmaioo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Kgfoan32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lkgdml32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node C:\Users\Admin\AppData\Local\Temp\4dade3efcdf11d5d255665c20fd28980_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fcikolnh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll" C:\Windows\SysWOW64\Lgneampk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mgnnhk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Mkgmcjld.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gmaioo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mnfipekh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll" C:\Windows\SysWOW64\Kdffocib.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Liggbi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lgbnmm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hjfihc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Mjhqjg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Fcikolnh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ipegmg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Jaimbj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nkqpjidj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Fihqmb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ijfboafl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jbocea32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kaemnhla.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lmqgnhmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lgneampk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gfhqbe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgabcngj.dll" C:\Windows\SysWOW64\Hclakimb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jfffjqdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll" C:\Windows\SysWOW64\Kgbefoji.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Kpjjod32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nqmhbpba.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gqdbiofi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gfedle32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkfpkkqa.dll" C:\Windows\SysWOW64\Gfhqbe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iebapp32.dll" C:\Windows\SysWOW64\Goiojk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ipqnahgf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kdopod32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll" C:\Windows\SysWOW64\Nkjjij32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fihqmb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngiehn32.dll" C:\Windows\SysWOW64\Gfnnlffc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Jdemhe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcod32.dll" C:\Windows\SysWOW64\Jibeql32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll" C:\Windows\SysWOW64\Kpmfddnf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll" C:\Windows\SysWOW64\Kgfoan32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nggqoj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kphmie32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll" C:\Windows\SysWOW64\Nggqoj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfiapa32.dll" C:\Windows\SysWOW64\Fcikolnh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Giofnacd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Hjfihc32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3984 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\4dade3efcdf11d5d255665c20fd28980_NeikiAnalytics.exe C:\Windows\SysWOW64\Fcikolnh.exe
PID 4128 wrote to memory of 980 N/A C:\Windows\SysWOW64\Fcikolnh.exe C:\Windows\SysWOW64\Fjcclf32.exe
PID 980 wrote to memory of 2352 N/A C:\Windows\SysWOW64\Fjcclf32.exe C:\Windows\SysWOW64\Fmapha32.exe
PID 2352 wrote to memory of 5092 N/A C:\Windows\SysWOW64\Fmapha32.exe C:\Windows\SysWOW64\Fihqmb32.exe
PID 5092 wrote to memory of 732 N/A C:\Windows\SysWOW64\Fihqmb32.exe C:\Windows\SysWOW64\Fobiilai.exe
PID 732 wrote to memory of 5528 N/A C:\Windows\SysWOW64\Fobiilai.exe C:\Windows\SysWOW64\Fbqefhpm.exe
PID 5528 wrote to memory of 864 N/A C:\Windows\SysWOW64\Fbqefhpm.exe C:\Windows\SysWOW64\Fjhmgeao.exe
PID 864 wrote to memory of 620 N/A C:\Windows\SysWOW64\Fjhmgeao.exe C:\Windows\SysWOW64\Fodeolof.exe
PID 620 wrote to memory of 4092 N/A C:\Windows\SysWOW64\Fodeolof.exe C:\Windows\SysWOW64\Gfnnlffc.exe
PID 4092 wrote to memory of 4144 N/A C:\Windows\SysWOW64\Gfnnlffc.exe C:\Windows\SysWOW64\Gimjhafg.exe
PID 4144 wrote to memory of 4064 N/A C:\Windows\SysWOW64\Gimjhafg.exe C:\Windows\SysWOW64\Gqdbiofi.exe
PID 4064 wrote to memory of 5116 N/A C:\Windows\SysWOW64\Gqdbiofi.exe C:\Windows\SysWOW64\Gbenqg32.exe
PID 5116 wrote to memory of 5604 N/A C:\Windows\SysWOW64\Gbenqg32.exe C:\Windows\SysWOW64\Giofnacd.exe
PID 5604 wrote to memory of 3788 N/A C:\Windows\SysWOW64\Giofnacd.exe C:\Windows\SysWOW64\Goiojk32.exe
PID 3788 wrote to memory of 5644 N/A C:\Windows\SysWOW64\Goiojk32.exe C:\Windows\SysWOW64\Gbgkfg32.exe
PID 5644 wrote to memory of 5612 N/A C:\Windows\SysWOW64\Gbgkfg32.exe C:\Windows\SysWOW64\Giacca32.exe
PID 5612 wrote to memory of 5504 N/A C:\Windows\SysWOW64\Giacca32.exe C:\Windows\SysWOW64\Gpklpkio.exe
PID 5504 wrote to memory of 5532 N/A C:\Windows\SysWOW64\Gpklpkio.exe C:\Windows\SysWOW64\Gfedle32.exe
PID 5532 wrote to memory of 3564 N/A C:\Windows\SysWOW64\Gfedle32.exe C:\Windows\SysWOW64\Gqkhjn32.exe
PID 3564 wrote to memory of 5748 N/A C:\Windows\SysWOW64\Gqkhjn32.exe C:\Windows\SysWOW64\Gbldaffp.exe
PID 5748 wrote to memory of 2416 N/A C:\Windows\SysWOW64\Gbldaffp.exe C:\Windows\SysWOW64\Gfhqbe32.exe
PID 2416 wrote to memory of 4372 N/A C:\Windows\SysWOW64\Gfhqbe32.exe C:\Windows\SysWOW64\Gmaioo32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4dade3efcdf11d5d255665c20fd28980_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\4dade3efcdf11d5d255665c20fd28980_NeikiAnalytics.exe"


C:\Windows\SysWOW64\Lkgdml32.exe

C:\Windows\system32\Lkgdml32.exe

C:\Windows\SysWOW64\Lnepih32.exe

C:\Windows\system32\Lnepih32.exe

C:\Windows\SysWOW64\Ldohebqh.exe

C:\Windows\system32\Ldohebqh.exe

C:\Windows\SysWOW64\Lgneampk.exe

C:\Windows\system32\Lgneampk.exe

C:\Windows\SysWOW64\Lkiqbl32.exe

C:\Windows\system32\Lkiqbl32.exe

C:\Windows\SysWOW64\Laciofpa.exe

C:\Windows\system32\Laciofpa.exe

C:\Windows\SysWOW64\Lgpagm32.exe

C:\Windows\system32\Lgpagm32.exe

C:\Windows\SysWOW64\Lnjjdgee.exe

C:\Windows\system32\Lnjjdgee.exe

C:\Windows\SysWOW64\Lgbnmm32.exe

C:\Windows\system32\Lgbnmm32.exe

C:\Windows\SysWOW64\Mnlfigcc.exe

C:\Windows\system32\Mnlfigcc.exe

C:\Windows\SysWOW64\Mpkbebbf.exe

C:\Windows\system32\Mpkbebbf.exe

C:\Windows\SysWOW64\Mciobn32.exe

C:\Windows\system32\Mciobn32.exe

C:\Windows\SysWOW64\Mnocof32.exe

C:\Windows\system32\Mnocof32.exe

C:\Windows\SysWOW64\Majopeii.exe

C:\Windows\system32\Majopeii.exe

C:\Windows\SysWOW64\Mdiklqhm.exe

C:\Windows\system32\Mdiklqhm.exe

C:\Windows\SysWOW64\Mgghhlhq.exe

C:\Windows\system32\Mgghhlhq.exe

C:\Windows\SysWOW64\Mkbchk32.exe

C:\Windows\system32\Mkbchk32.exe

C:\Windows\SysWOW64\Mjeddggd.exe

C:\Windows\system32\Mjeddggd.exe

C:\Windows\SysWOW64\Mamleegg.exe

C:\Windows\system32\Mamleegg.exe

C:\Windows\SysWOW64\Mpolqa32.exe

C:\Windows\system32\Mpolqa32.exe

C:\Windows\SysWOW64\Mdkhapfj.exe

C:\Windows\system32\Mdkhapfj.exe

C:\Windows\SysWOW64\Mkepnjng.exe

C:\Windows\system32\Mkepnjng.exe

C:\Windows\SysWOW64\Mjhqjg32.exe

C:\Windows\system32\Mjhqjg32.exe

C:\Windows\SysWOW64\Maohkd32.exe

C:\Windows\system32\Maohkd32.exe

C:\Windows\SysWOW64\Mpaifalo.exe

C:\Windows\system32\Mpaifalo.exe

C:\Windows\SysWOW64\Mdmegp32.exe

C:\Windows\system32\Mdmegp32.exe

C:\Windows\SysWOW64\Mcpebmkb.exe

C:\Windows\system32\Mcpebmkb.exe

C:\Windows\SysWOW64\Mkgmcjld.exe

C:\Windows\system32\Mkgmcjld.exe

C:\Windows\SysWOW64\Mnfipekh.exe

C:\Windows\system32\Mnfipekh.exe

C:\Windows\SysWOW64\Maaepd32.exe

C:\Windows\system32\Maaepd32.exe

C:\Windows\SysWOW64\Mpdelajl.exe

C:\Windows\system32\Mpdelajl.exe

C:\Windows\SysWOW64\Mcbahlip.exe

C:\Windows\system32\Mcbahlip.exe

C:\Windows\SysWOW64\Mgnnhk32.exe

C:\Windows\system32\Mgnnhk32.exe

C:\Windows\SysWOW64\Nkjjij32.exe

C:\Windows\system32\Nkjjij32.exe

C:\Windows\SysWOW64\Nqfbaq32.exe

C:\Windows\system32\Nqfbaq32.exe

C:\Windows\SysWOW64\Ngpjnkpf.exe

C:\Windows\system32\Ngpjnkpf.exe

C:\Windows\SysWOW64\Njogjfoj.exe

C:\Windows\system32\Njogjfoj.exe

C:\Windows\SysWOW64\Nnjbke32.exe

C:\Windows\system32\Nnjbke32.exe

C:\Windows\SysWOW64\Nqiogp32.exe

C:\Windows\system32\Nqiogp32.exe

C:\Windows\SysWOW64\Ngcgcjnc.exe

C:\Windows\system32\Ngcgcjnc.exe

C:\Windows\SysWOW64\Ndghmo32.exe

C:\Windows\system32\Ndghmo32.exe

C:\Windows\SysWOW64\Ncihikcg.exe

C:\Windows\system32\Ncihikcg.exe

C:\Windows\SysWOW64\Nkqpjidj.exe

C:\Windows\system32\Nkqpjidj.exe

C:\Windows\SysWOW64\Njcpee32.exe

C:\Windows\system32\Njcpee32.exe

C:\Windows\SysWOW64\Nqmhbpba.exe

C:\Windows\system32\Nqmhbpba.exe

C:\Windows\SysWOW64\Ndidbn32.exe

C:\Windows\system32\Ndidbn32.exe

C:\Windows\SysWOW64\Nggqoj32.exe

C:\Windows\system32\Nggqoj32.exe

C:\Windows\SysWOW64\Nkcmohbg.exe

C:\Windows\system32\Nkcmohbg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4696 -ip 4696

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 412

Network

Files
