Malware Analysis Report

2025-03-15 00:32

Sample ID 240603-2e69cscc62
Target 0b691cbfb9e3c0cf7593c3d31c2d7f00_NeikiAnalytics.exe
SHA256 11c0f2eb3016a33c62f47764eaaa5874acdc0028cd77003e803e7b2a638623dd
Tags
persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

11c0f2eb3016a33c62f47764eaaa5874acdc0028cd77003e803e7b2a638623dd

Threat Level: Known bad

The file 0b691cbfb9e3c0cf7593c3d31c2d7f00_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

persistence

Adds autorun key to be loaded by Explorer.exe on startup

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 22:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 22:30

Reported

2024-06-03 22:33

Platform

win7-20240508-en

Max time kernel

145s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0b691cbfb9e3c0cf7593c3d31c2d7f00_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bagpopmj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ecmkghcl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Fjdbnf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Fdapak32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gaqcoc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bkaqmeah.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cdlnkmha.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ebedndfa.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ffnphf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ddeaalpg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eijcpoac.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ebinic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Flmefm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gpknlk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hiqbndpb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dqelenlc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dmoipopd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hcifgjgc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hlcgeo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hhjhkq32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eeqdep32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ejbfhfaj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dhjgal32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Djnpnc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ffnphf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gdamqndn.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\0b691cbfb9e3c0cf7593c3d31c2d7f00_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cllpkl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Faagpp32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gbnccfpb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gddifnbk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hiqbndpb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hhmepp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ihoafpmp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bpafkknm.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fmcoja32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ioijbj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hkpnhgge.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cjpqdp32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Glfhll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hahjpbad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hgilchkf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ebedndfa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Fddmgjpo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gbijhg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gpmjak32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hhmepp32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bagpopmj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dgfjbgmh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bpafkknm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cndbcc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Djbiicon.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Elmigj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hogmmjfo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hogmmjfo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Admemg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bkodhe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gaqcoc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gdamqndn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Henidd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aoffmd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cdlnkmha.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hcplhi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Filldb32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Ajdadamj.exe N/A
N/A N/A C:\Windows\SysWOW64\Admemg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aoffmd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahokfj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bagpopmj.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkodhe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkaqmeah.exe N/A
N/A N/A C:\Windows\SysWOW64\Bghabf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bpafkknm.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkfjhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bcaomf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cljcelan.exe N/A
N/A N/A C:\Windows\SysWOW64\Cllpkl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjpqdp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cbkeib32.exe N/A
N/A N/A C:\Windows\SysWOW64\Copfbfjj.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdlnkmha.exe N/A
N/A N/A C:\Windows\SysWOW64\Cndbcc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhjgal32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqelenlc.exe N/A
N/A N/A C:\Windows\SysWOW64\Djnpnc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqhhknjp.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmoipopd.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddeaalpg.exe N/A
N/A N/A C:\Windows\SysWOW64\Djbiicon.exe N/A
N/A N/A C:\Windows\SysWOW64\Doobajme.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgfjbgmh.exe N/A
N/A N/A C:\Windows\SysWOW64\Emcbkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecmkghcl.exe N/A
N/A N/A C:\Windows\SysWOW64\Eijcpoac.exe N/A
N/A N/A C:\Windows\SysWOW64\Eeqdep32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebedndfa.exe N/A
N/A N/A C:\Windows\SysWOW64\Elmigj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eajaoq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejbfhfaj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebinic32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjdbnf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmcoja32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fcmgfkeg.exe N/A
N/A N/A C:\Windows\SysWOW64\Faagpp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffnphf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Filldb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fdapak32.exe N/A
N/A N/A C:\Windows\SysWOW64\Flmefm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fddmgjpo.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffbicfoc.exe N/A
N/A N/A C:\Windows\SysWOW64\Fiaeoang.exe N/A
N/A N/A C:\Windows\SysWOW64\Gpknlk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gbijhg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gicbeald.exe N/A
N/A N/A C:\Windows\SysWOW64\Gpmjak32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gejcjbah.exe N/A
N/A N/A C:\Windows\SysWOW64\Gldkfl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gbnccfpb.exe N/A
N/A N/A C:\Windows\SysWOW64\Gaqcoc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Glfhll32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gmgdddmq.exe N/A
N/A N/A C:\Windows\SysWOW64\Gdamqndn.exe N/A
N/A N/A C:\Windows\SysWOW64\Gkkemh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gaemjbcg.exe N/A
N/A N/A C:\Windows\SysWOW64\Gddifnbk.exe N/A
N/A N/A C:\Windows\SysWOW64\Hiqbndpb.exe N/A
N/A N/A C:\Windows\SysWOW64\Hahjpbad.exe N/A
N/A N/A C:\Windows\SysWOW64\Hcifgjgc.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0b691cbfb9e3c0cf7593c3d31c2d7f00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0b691cbfb9e3c0cf7593c3d31c2d7f00_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajdadamj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajdadamj.exe N/A
N/A N/A C:\Windows\SysWOW64\Admemg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Admemg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aoffmd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aoffmd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahokfj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahokfj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bagpopmj.exe N/A
N/A N/A C:\Windows\SysWOW64\Bagpopmj.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkodhe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkodhe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkaqmeah.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkaqmeah.exe N/A
N/A N/A C:\Windows\SysWOW64\Bghabf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bghabf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bpafkknm.exe N/A
N/A N/A C:\Windows\SysWOW64\Bpafkknm.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkfjhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkfjhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bcaomf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bcaomf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cljcelan.exe N/A
N/A N/A C:\Windows\SysWOW64\Cljcelan.exe N/A
N/A N/A C:\Windows\SysWOW64\Cllpkl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cllpkl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjpqdp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjpqdp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cbkeib32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cbkeib32.exe N/A
N/A N/A C:\Windows\SysWOW64\Copfbfjj.exe N/A
N/A N/A C:\Windows\SysWOW64\Copfbfjj.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdlnkmha.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdlnkmha.exe N/A
N/A N/A C:\Windows\SysWOW64\Cndbcc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cndbcc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhjgal32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhjgal32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqelenlc.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqelenlc.exe N/A
N/A N/A C:\Windows\SysWOW64\Djnpnc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Djnpnc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqhhknjp.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqhhknjp.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmoipopd.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmoipopd.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddeaalpg.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddeaalpg.exe N/A
N/A N/A C:\Windows\SysWOW64\Djbiicon.exe N/A
N/A N/A C:\Windows\SysWOW64\Djbiicon.exe N/A
N/A N/A C:\Windows\SysWOW64\Doobajme.exe N/A
N/A N/A C:\Windows\SysWOW64\Doobajme.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgfjbgmh.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgfjbgmh.exe N/A
N/A N/A C:\Windows\SysWOW64\Emcbkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Emcbkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecmkghcl.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecmkghcl.exe N/A
N/A N/A C:\Windows\SysWOW64\Eijcpoac.exe N/A
N/A N/A C:\Windows\SysWOW64\Eijcpoac.exe N/A
N/A N/A C:\Windows\SysWOW64\Eeqdep32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eeqdep32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Gbijhg32.exe C:\Windows\SysWOW64\Gpknlk32.exe N/A
File created C:\Windows\SysWOW64\Ioijbj32.exe C:\Windows\SysWOW64\Ihoafpmp.exe N/A
File created C:\Windows\SysWOW64\Pccobp32.dll C:\Windows\SysWOW64\Aoffmd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cljcelan.exe C:\Windows\SysWOW64\Bcaomf32.exe N/A
File created C:\Windows\SysWOW64\Lghegkoc.dll C:\Windows\SysWOW64\Fjdbnf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Faagpp32.exe C:\Windows\SysWOW64\Fcmgfkeg.exe N/A
File created C:\Windows\SysWOW64\Cibgai32.dll C:\Windows\SysWOW64\Admemg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ahokfj32.exe C:\Windows\SysWOW64\Aoffmd32.exe N/A
File created C:\Windows\SysWOW64\Oadqjk32.dll C:\Windows\SysWOW64\Dqelenlc.exe N/A
File created C:\Windows\SysWOW64\Lgahch32.dll C:\Windows\SysWOW64\Fcmgfkeg.exe N/A
File created C:\Windows\SysWOW64\Fdapak32.exe C:\Windows\SysWOW64\Filldb32.exe N/A
File created C:\Windows\SysWOW64\Ooghhh32.dll C:\Windows\SysWOW64\Gaqcoc32.exe N/A
File created C:\Windows\SysWOW64\Gaemjbcg.exe C:\Windows\SysWOW64\Gkkemh32.exe N/A
File created C:\Windows\SysWOW64\Bdhaablp.dll C:\Windows\SysWOW64\Henidd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cjpqdp32.exe C:\Windows\SysWOW64\Cllpkl32.exe N/A
File created C:\Windows\SysWOW64\Elmigj32.exe C:\Windows\SysWOW64\Ebedndfa.exe N/A
File opened for modification C:\Windows\SysWOW64\Elmigj32.exe C:\Windows\SysWOW64\Ebedndfa.exe N/A
File opened for modification C:\Windows\SysWOW64\Ejbfhfaj.exe C:\Windows\SysWOW64\Eajaoq32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fddmgjpo.exe C:\Windows\SysWOW64\Flmefm32.exe N/A
File created C:\Windows\SysWOW64\Pabfdklg.dll C:\Windows\SysWOW64\Gldkfl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hcplhi32.exe C:\Windows\SysWOW64\Hhjhkq32.exe N/A
File created C:\Windows\SysWOW64\Ojhcelga.dll C:\Windows\SysWOW64\Hhmepp32.exe N/A
File created C:\Windows\SysWOW64\Ljenlcfa.dll C:\Windows\SysWOW64\Emcbkn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gldkfl32.exe C:\Windows\SysWOW64\Gejcjbah.exe N/A
File created C:\Windows\SysWOW64\Jondlhmp.dll C:\Windows\SysWOW64\Gmgdddmq.exe N/A
File created C:\Windows\SysWOW64\Hpmgqnfl.exe C:\Windows\SysWOW64\Hlakpp32.exe N/A
File created C:\Windows\SysWOW64\Mmqgncdn.dll C:\Windows\SysWOW64\Dgfjbgmh.exe N/A
File created C:\Windows\SysWOW64\Ndkakief.dll C:\Windows\SysWOW64\Eijcpoac.exe N/A
File created C:\Windows\SysWOW64\Fmcoja32.exe C:\Windows\SysWOW64\Fjdbnf32.exe N/A
File created C:\Windows\SysWOW64\Opanhd32.dll C:\Windows\SysWOW64\Bkodhe32.exe N/A
File opened for modification C:\Windows\SysWOW64\Glfhll32.exe C:\Windows\SysWOW64\Gaqcoc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gaemjbcg.exe C:\Windows\SysWOW64\Gkkemh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hkpnhgge.exe C:\Windows\SysWOW64\Hcifgjgc.exe N/A
File created C:\Windows\SysWOW64\Dhjgal32.exe C:\Windows\SysWOW64\Cndbcc32.exe N/A
File created C:\Windows\SysWOW64\Hggomh32.exe C:\Windows\SysWOW64\Hpmgqnfl.exe N/A
File created C:\Windows\SysWOW64\Hhmepp32.exe C:\Windows\SysWOW64\Henidd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cbkeib32.exe C:\Windows\SysWOW64\Cjpqdp32.exe N/A
File created C:\Windows\SysWOW64\Hiqbndpb.exe C:\Windows\SysWOW64\Gddifnbk.exe N/A
File opened for modification C:\Windows\SysWOW64\Hhjhkq32.exe C:\Windows\SysWOW64\Hgilchkf.exe N/A
File created C:\Windows\SysWOW64\Kjnifgah.dll C:\Windows\SysWOW64\Hggomh32.exe N/A
File created C:\Windows\SysWOW64\Hhjhkq32.exe C:\Windows\SysWOW64\Hgilchkf.exe N/A
File created C:\Windows\SysWOW64\Iagfoe32.exe C:\Windows\SysWOW64\Ioijbj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hhmepp32.exe C:\Windows\SysWOW64\Henidd32.exe N/A
File created C:\Windows\SysWOW64\Aoffmd32.exe C:\Windows\SysWOW64\Admemg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Aoffmd32.exe C:\Windows\SysWOW64\Admemg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Djbiicon.exe C:\Windows\SysWOW64\Ddeaalpg.exe N/A
File created C:\Windows\SysWOW64\Dgfjbgmh.exe C:\Windows\SysWOW64\Doobajme.exe N/A
File created C:\Windows\SysWOW64\Hmhfjo32.dll C:\Windows\SysWOW64\Gicbeald.exe N/A
File opened for modification C:\Windows\SysWOW64\Bpafkknm.exe C:\Windows\SysWOW64\Bghabf32.exe N/A
File created C:\Windows\SysWOW64\Nlbodgap.dll C:\Windows\SysWOW64\Copfbfjj.exe N/A
File opened for modification C:\Windows\SysWOW64\Doobajme.exe C:\Windows\SysWOW64\Djbiicon.exe N/A
File created C:\Windows\SysWOW64\Ajdadamj.exe C:\Users\Admin\AppData\Local\Temp\0b691cbfb9e3c0cf7593c3d31c2d7f00_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Cndbcc32.exe C:\Windows\SysWOW64\Cdlnkmha.exe N/A
File created C:\Windows\SysWOW64\Naeqjnho.dll C:\Windows\SysWOW64\Dqhhknjp.exe N/A
File created C:\Windows\SysWOW64\Ipjchc32.dll C:\Windows\SysWOW64\Fddmgjpo.exe N/A
File opened for modification C:\Windows\SysWOW64\Hpmgqnfl.exe C:\Windows\SysWOW64\Hlakpp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ihoafpmp.exe C:\Windows\SysWOW64\Iaeiieeb.exe N/A
File opened for modification C:\Windows\SysWOW64\Ajdadamj.exe C:\Users\Admin\AppData\Local\Temp\0b691cbfb9e3c0cf7593c3d31c2d7f00_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Bcaomf32.exe C:\Windows\SysWOW64\Bkfjhd32.exe N/A
File created C:\Windows\SysWOW64\Gfoihbdp.dll C:\Windows\SysWOW64\Fiaeoang.exe N/A
File opened for modification C:\Windows\SysWOW64\Dqhhknjp.exe C:\Windows\SysWOW64\Djnpnc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fiaeoang.exe C:\Windows\SysWOW64\Ffbicfoc.exe N/A
File created C:\Windows\SysWOW64\Hgilchkf.exe C:\Windows\SysWOW64\Hlcgeo32.exe N/A
File created C:\Windows\SysWOW64\Cljcelan.exe C:\Windows\SysWOW64\Bcaomf32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Iagfoe32.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bkodhe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bkaqmeah.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Dqhhknjp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\0b691cbfb9e3c0cf7593c3d31c2d7f00_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Eeqdep32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfknpg.dll" C:\Windows\SysWOW64\Ebinic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhggeddb.dll" C:\Windows\SysWOW64\Ffnphf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Glfhll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cljcelan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Flmefm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gkkemh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njmekj32.dll" C:\Windows\SysWOW64\Hiqbndpb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpdcgoc.dll" C:\Windows\SysWOW64\Hlakpp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hggomh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Hlcgeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amammd32.dll" C:\Windows\SysWOW64\Iaeiieeb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opanhd32.dll" C:\Windows\SysWOW64\Bkodhe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gpmjak32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fndldonj.dll" C:\Windows\SysWOW64\Gbnccfpb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Hlakpp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnmgmhmc.dll" C:\Windows\SysWOW64\Fdapak32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbamcl32.dll" C:\Windows\SysWOW64\Cbkeib32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Dqelenlc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hhmepp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Hogmmjfo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bkfjhd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Eeqdep32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ebinic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Facklcaq.dll" C:\Windows\SysWOW64\Fmcoja32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kleiio32.dll" C:\Windows\SysWOW64\Gbijhg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jondlhmp.dll" C:\Windows\SysWOW64\Gmgdddmq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gmgdddmq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bagpopmj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlbodgap.dll" C:\Windows\SysWOW64\Copfbfjj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ebedndfa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Flmefm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmhfjo32.dll" C:\Windows\SysWOW64\Gicbeald.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmeohn32.dll" C:\Windows\SysWOW64\Bkfjhd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fmcoja32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooghhh32.dll" C:\Windows\SysWOW64\Gaqcoc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Doobajme.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gpknlk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polebcgg.dll" C:\Windows\SysWOW64\Hcplhi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jolfcj32.dll" C:\Windows\SysWOW64\Ajdadamj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cllpkl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cndbcc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Gaemjbcg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ajdadamj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Eijcpoac.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ebinic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gaqcoc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Hkpnhgge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dhjgal32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ddeaalpg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ffbicfoc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\0b691cbfb9e3c0cf7593c3d31c2d7f00_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Hhmepp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Gkkemh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ejbfhfaj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcaciakh.dll" C:\Windows\SysWOW64\Gkkemh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Eajaoq32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Gaqcoc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fiaeoang.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhpdae32.dll" C:\Windows\SysWOW64\Hpmgqnfl.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2848 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\0b691cbfb9e3c0cf7593c3d31c2d7f00_NeikiAnalytics.exe C:\Windows\SysWOW64\Ajdadamj.exe
PID 2848 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\0b691cbfb9e3c0cf7593c3d31c2d7f00_NeikiAnalytics.exe C:\Windows\SysWOW64\Ajdadamj.exe
PID 2848 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\0b691cbfb9e3c0cf7593c3d31c2d7f00_NeikiAnalytics.exe C:\Windows\SysWOW64\Ajdadamj.exe
PID 2848 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\0b691cbfb9e3c0cf7593c3d31c2d7f00_NeikiAnalytics.exe C:\Windows\SysWOW64\Ajdadamj.exe
PID 3028 wrote to memory of 2060 N/A C:\Windows\SysWOW64\Ajdadamj.exe C:\Windows\SysWOW64\Admemg32.exe
PID 3028 wrote to memory of 2060 N/A C:\Windows\SysWOW64\Ajdadamj.exe C:\Windows\SysWOW64\Admemg32.exe
PID 3028 wrote to memory of 2060 N/A C:\Windows\SysWOW64\Ajdadamj.exe C:\Windows\SysWOW64\Admemg32.exe
PID 3028 wrote to memory of 2060 N/A C:\Windows\SysWOW64\Ajdadamj.exe C:\Windows\SysWOW64\Admemg32.exe
PID 2060 wrote to memory of 2752 N/A C:\Windows\SysWOW64\Admemg32.exe C:\Windows\SysWOW64\Aoffmd32.exe
PID 2060 wrote to memory of 2752 N/A C:\Windows\SysWOW64\Admemg32.exe C:\Windows\SysWOW64\Aoffmd32.exe
PID 2060 wrote to memory of 2752 N/A C:\Windows\SysWOW64\Admemg32.exe C:\Windows\SysWOW64\Aoffmd32.exe
PID 2060 wrote to memory of 2752 N/A C:\Windows\SysWOW64\Admemg32.exe C:\Windows\SysWOW64\Aoffmd32.exe
PID 2752 wrote to memory of 2744 N/A C:\Windows\SysWOW64\Aoffmd32.exe C:\Windows\SysWOW64\Ahokfj32.exe
PID 2752 wrote to memory of 2744 N/A C:\Windows\SysWOW64\Aoffmd32.exe C:\Windows\SysWOW64\Ahokfj32.exe
PID 2752 wrote to memory of 2744 N/A C:\Windows\SysWOW64\Aoffmd32.exe C:\Windows\SysWOW64\Ahokfj32.exe
PID 2752 wrote to memory of 2744 N/A C:\Windows\SysWOW64\Aoffmd32.exe C:\Windows\SysWOW64\Ahokfj32.exe
PID 2744 wrote to memory of 2196 N/A C:\Windows\SysWOW64\Ahokfj32.exe C:\Windows\SysWOW64\Bagpopmj.exe
PID 2744 wrote to memory of 2196 N/A C:\Windows\SysWOW64\Ahokfj32.exe C:\Windows\SysWOW64\Bagpopmj.exe
PID 2744 wrote to memory of 2196 N/A C:\Windows\SysWOW64\Ahokfj32.exe C:\Windows\SysWOW64\Bagpopmj.exe
PID 2744 wrote to memory of 2196 N/A C:\Windows\SysWOW64\Ahokfj32.exe C:\Windows\SysWOW64\Bagpopmj.exe
PID 2196 wrote to memory of 2536 N/A C:\Windows\SysWOW64\Bagpopmj.exe C:\Windows\SysWOW64\Bkodhe32.exe
PID 2196 wrote to memory of 2536 N/A C:\Windows\SysWOW64\Bagpopmj.exe C:\Windows\SysWOW64\Bkodhe32.exe
PID 2196 wrote to memory of 2536 N/A C:\Windows\SysWOW64\Bagpopmj.exe C:\Windows\SysWOW64\Bkodhe32.exe
PID 2196 wrote to memory of 2536 N/A C:\Windows\SysWOW64\Bagpopmj.exe C:\Windows\SysWOW64\Bkodhe32.exe
PID 2536 wrote to memory of 2404 N/A C:\Windows\SysWOW64\Bkodhe32.exe C:\Windows\SysWOW64\Bkaqmeah.exe
PID 2536 wrote to memory of 2404 N/A C:\Windows\SysWOW64\Bkodhe32.exe C:\Windows\SysWOW64\Bkaqmeah.exe
PID 2536 wrote to memory of 2404 N/A C:\Windows\SysWOW64\Bkodhe32.exe C:\Windows\SysWOW64\Bkaqmeah.exe
PID 2536 wrote to memory of 2404 N/A C:\Windows\SysWOW64\Bkodhe32.exe C:\Windows\SysWOW64\Bkaqmeah.exe
PID 2404 wrote to memory of 2584 N/A C:\Windows\SysWOW64\Bkaqmeah.exe C:\Windows\SysWOW64\Bghabf32.exe
PID 2404 wrote to memory of 2584 N/A C:\Windows\SysWOW64\Bkaqmeah.exe C:\Windows\SysWOW64\Bghabf32.exe
PID 2404 wrote to memory of 2584 N/A C:\Windows\SysWOW64\Bkaqmeah.exe C:\Windows\SysWOW64\Bghabf32.exe
PID 2404 wrote to memory of 2584 N/A C:\Windows\SysWOW64\Bkaqmeah.exe C:\Windows\SysWOW64\Bghabf32.exe
PID 2584 wrote to memory of 3032 N/A C:\Windows\SysWOW64\Bghabf32.exe C:\Windows\SysWOW64\Bpafkknm.exe
PID 2584 wrote to memory of 3032 N/A C:\Windows\SysWOW64\Bghabf32.exe C:\Windows\SysWOW64\Bpafkknm.exe
PID 2584 wrote to memory of 3032 N/A C:\Windows\SysWOW64\Bghabf32.exe C:\Windows\SysWOW64\Bpafkknm.exe
PID 2584 wrote to memory of 3032 N/A C:\Windows\SysWOW64\Bghabf32.exe C:\Windows\SysWOW64\Bpafkknm.exe
PID 3032 wrote to memory of 2432 N/A C:\Windows\SysWOW64\Bpafkknm.exe C:\Windows\SysWOW64\Bkfjhd32.exe
PID 3032 wrote to memory of 2432 N/A C:\Windows\SysWOW64\Bpafkknm.exe C:\Windows\SysWOW64\Bkfjhd32.exe
PID 3032 wrote to memory of 2432 N/A C:\Windows\SysWOW64\Bpafkknm.exe C:\Windows\SysWOW64\Bkfjhd32.exe
PID 3032 wrote to memory of 2432 N/A C:\Windows\SysWOW64\Bpafkknm.exe C:\Windows\SysWOW64\Bkfjhd32.exe
PID 2432 wrote to memory of 1636 N/A C:\Windows\SysWOW64\Bkfjhd32.exe C:\Windows\SysWOW64\Bcaomf32.exe
PID 2432 wrote to memory of 1636 N/A C:\Windows\SysWOW64\Bkfjhd32.exe C:\Windows\SysWOW64\Bcaomf32.exe
PID 2432 wrote to memory of 1636 N/A C:\Windows\SysWOW64\Bkfjhd32.exe C:\Windows\SysWOW64\Bcaomf32.exe
PID 2432 wrote to memory of 1636 N/A C:\Windows\SysWOW64\Bkfjhd32.exe C:\Windows\SysWOW64\Bcaomf32.exe
PID 1636 wrote to memory of 344 N/A C:\Windows\SysWOW64\Bcaomf32.exe C:\Windows\SysWOW64\Cljcelan.exe
PID 1636 wrote to memory of 344 N/A C:\Windows\SysWOW64\Bcaomf32.exe C:\Windows\SysWOW64\Cljcelan.exe
PID 1636 wrote to memory of 344 N/A C:\Windows\SysWOW64\Bcaomf32.exe C:\Windows\SysWOW64\Cljcelan.exe
PID 1636 wrote to memory of 344 N/A C:\Windows\SysWOW64\Bcaomf32.exe C:\Windows\SysWOW64\Cljcelan.exe
PID 344 wrote to memory of 1276 N/A C:\Windows\SysWOW64\Cljcelan.exe C:\Windows\SysWOW64\Cllpkl32.exe
PID 344 wrote to memory of 1276 N/A C:\Windows\SysWOW64\Cljcelan.exe C:\Windows\SysWOW64\Cllpkl32.exe
PID 344 wrote to memory of 1276 N/A C:\Windows\SysWOW64\Cljcelan.exe C:\Windows\SysWOW64\Cllpkl32.exe
PID 344 wrote to memory of 1276 N/A C:\Windows\SysWOW64\Cljcelan.exe C:\Windows\SysWOW64\Cllpkl32.exe
PID 1276 wrote to memory of 1760 N/A C:\Windows\SysWOW64\Cllpkl32.exe C:\Windows\SysWOW64\Cjpqdp32.exe
PID 1276 wrote to memory of 1760 N/A C:\Windows\SysWOW64\Cllpkl32.exe C:\Windows\SysWOW64\Cjpqdp32.exe
PID 1276 wrote to memory of 1760 N/A C:\Windows\SysWOW64\Cllpkl32.exe C:\Windows\SysWOW64\Cjpqdp32.exe
PID 1276 wrote to memory of 1760 N/A C:\Windows\SysWOW64\Cllpkl32.exe C:\Windows\SysWOW64\Cjpqdp32.exe
PID 1760 wrote to memory of 2840 N/A C:\Windows\SysWOW64\Cjpqdp32.exe C:\Windows\SysWOW64\Cbkeib32.exe
PID 1760 wrote to memory of 2840 N/A C:\Windows\SysWOW64\Cjpqdp32.exe C:\Windows\SysWOW64\Cbkeib32.exe
PID 1760 wrote to memory of 2840 N/A C:\Windows\SysWOW64\Cjpqdp32.exe C:\Windows\SysWOW64\Cbkeib32.exe
PID 1760 wrote to memory of 2840 N/A C:\Windows\SysWOW64\Cjpqdp32.exe C:\Windows\SysWOW64\Cbkeib32.exe
PID 2840 wrote to memory of 2240 N/A C:\Windows\SysWOW64\Cbkeib32.exe C:\Windows\SysWOW64\Copfbfjj.exe
PID 2840 wrote to memory of 2240 N/A C:\Windows\SysWOW64\Cbkeib32.exe C:\Windows\SysWOW64\Copfbfjj.exe
PID 2840 wrote to memory of 2240 N/A C:\Windows\SysWOW64\Cbkeib32.exe C:\Windows\SysWOW64\Copfbfjj.exe
PID 2840 wrote to memory of 2240 N/A C:\Windows\SysWOW64\Cbkeib32.exe C:\Windows\SysWOW64\Copfbfjj.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0b691cbfb9e3c0cf7593c3d31c2d7f00_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\0b691cbfb9e3c0cf7593c3d31c2d7f00_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Ajdadamj.exe

C:\Windows\system32\Ajdadamj.exe

C:\Windows\SysWOW64\Admemg32.exe

C:\Windows\system32\Admemg32.exe

C:\Windows\SysWOW64\Aoffmd32.exe

C:\Windows\system32\Aoffmd32.exe

C:\Windows\SysWOW64\Ahokfj32.exe

C:\Windows\system32\Ahokfj32.exe

C:\Windows\SysWOW64\Bagpopmj.exe

C:\Windows\system32\Bagpopmj.exe

C:\Windows\SysWOW64\Bkodhe32.exe

C:\Windows\system32\Bkodhe32.exe

C:\Windows\SysWOW64\Bkaqmeah.exe

C:\Windows\system32\Bkaqmeah.exe

C:\Windows\SysWOW64\Bghabf32.exe

C:\Windows\system32\Bghabf32.exe

C:\Windows\SysWOW64\Bpafkknm.exe

C:\Windows\system32\Bpafkknm.exe

C:\Windows\SysWOW64\Bkfjhd32.exe

C:\Windows\system32\Bkfjhd32.exe

C:\Windows\SysWOW64\Bcaomf32.exe

C:\Windows\system32\Bcaomf32.exe

C:\Windows\SysWOW64\Cljcelan.exe

C:\Windows\system32\Cljcelan.exe

C:\Windows\SysWOW64\Cllpkl32.exe

C:\Windows\system32\Cllpkl32.exe

C:\Windows\SysWOW64\Cjpqdp32.exe

C:\Windows\system32\Cjpqdp32.exe

C:\Windows\SysWOW64\Cbkeib32.exe

C:\Windows\system32\Cbkeib32.exe

C:\Windows\SysWOW64\Copfbfjj.exe

C:\Windows\system32\Copfbfjj.exe

C:\Windows\SysWOW64\Cdlnkmha.exe

C:\Windows\system32\Cdlnkmha.exe

C:\Windows\SysWOW64\Cndbcc32.exe

C:\Windows\system32\Cndbcc32.exe

C:\Windows\SysWOW64\Dhjgal32.exe

C:\Windows\system32\Dhjgal32.exe

C:\Windows\SysWOW64\Dqelenlc.exe

C:\Windows\system32\Dqelenlc.exe

C:\Windows\SysWOW64\Djnpnc32.exe

C:\Windows\system32\Djnpnc32.exe

C:\Windows\SysWOW64\Dqhhknjp.exe

C:\Windows\system32\Dqhhknjp.exe

C:\Windows\SysWOW64\Dmoipopd.exe

C:\Windows\system32\Dmoipopd.exe

C:\Windows\SysWOW64\Ddeaalpg.exe

C:\Windows\system32\Ddeaalpg.exe

C:\Windows\SysWOW64\Djbiicon.exe

C:\Windows\system32\Djbiicon.exe

C:\Windows\SysWOW64\Doobajme.exe

C:\Windows\system32\Doobajme.exe

C:\Windows\SysWOW64\Dgfjbgmh.exe

C:\Windows\system32\Dgfjbgmh.exe

C:\Windows\SysWOW64\Emcbkn32.exe

C:\Windows\system32\Emcbkn32.exe

C:\Windows\SysWOW64\Ecmkghcl.exe

C:\Windows\system32\Ecmkghcl.exe

C:\Windows\SysWOW64\Eijcpoac.exe

C:\Windows\system32\Eijcpoac.exe

C:\Windows\SysWOW64\Eeqdep32.exe

C:\Windows\system32\Eeqdep32.exe

C:\Windows\SysWOW64\Ebedndfa.exe

C:\Windows\system32\Ebedndfa.exe

C:\Windows\SysWOW64\Elmigj32.exe

C:\Windows\system32\Elmigj32.exe

C:\Windows\SysWOW64\Eajaoq32.exe

C:\Windows\system32\Eajaoq32.exe

C:\Windows\SysWOW64\Ejbfhfaj.exe

C:\Windows\system32\Ejbfhfaj.exe

C:\Windows\SysWOW64\Ebinic32.exe

C:\Windows\system32\Ebinic32.exe

C:\Windows\SysWOW64\Fjdbnf32.exe

C:\Windows\system32\Fjdbnf32.exe

C:\Windows\SysWOW64\Fmcoja32.exe

C:\Windows\system32\Fmcoja32.exe

C:\Windows\SysWOW64\Fcmgfkeg.exe

C:\Windows\system32\Fcmgfkeg.exe

C:\Windows\SysWOW64\Faagpp32.exe

C:\Windows\system32\Faagpp32.exe

C:\Windows\SysWOW64\Ffnphf32.exe

C:\Windows\system32\Ffnphf32.exe

C:\Windows\SysWOW64\Filldb32.exe

C:\Windows\system32\Filldb32.exe

C:\Windows\SysWOW64\Fdapak32.exe

C:\Windows\system32\Fdapak32.exe

C:\Windows\SysWOW64\Flmefm32.exe

C:\Windows\system32\Flmefm32.exe

C:\Windows\SysWOW64\Fddmgjpo.exe

C:\Windows\system32\Fddmgjpo.exe

C:\Windows\SysWOW64\Ffbicfoc.exe

C:\Windows\system32\Ffbicfoc.exe

C:\Windows\SysWOW64\Fiaeoang.exe

C:\Windows\system32\Fiaeoang.exe

C:\Windows\SysWOW64\Gpknlk32.exe

C:\Windows\system32\Gpknlk32.exe

C:\Windows\SysWOW64\Gbijhg32.exe

C:\Windows\system32\Gbijhg32.exe

C:\Windows\SysWOW64\Gicbeald.exe

C:\Windows\system32\Gicbeald.exe

C:\Windows\SysWOW64\Gpmjak32.exe

C:\Windows\system32\Gpmjak32.exe

C:\Windows\SysWOW64\Gejcjbah.exe

C:\Windows\system32\Gejcjbah.exe

C:\Windows\SysWOW64\Gldkfl32.exe

C:\Windows\system32\Gldkfl32.exe

C:\Windows\SysWOW64\Gbnccfpb.exe

C:\Windows\system32\Gbnccfpb.exe

C:\Windows\SysWOW64\Gaqcoc32.exe

C:\Windows\system32\Gaqcoc32.exe

C:\Windows\SysWOW64\Glfhll32.exe

C:\Windows\system32\Glfhll32.exe

C:\Windows\SysWOW64\Gmgdddmq.exe

C:\Windows\system32\Gmgdddmq.exe

C:\Windows\SysWOW64\Gdamqndn.exe

C:\Windows\system32\Gdamqndn.exe

C:\Windows\SysWOW64\Gkkemh32.exe

C:\Windows\system32\Gkkemh32.exe

C:\Windows\SysWOW64\Gaemjbcg.exe

C:\Windows\system32\Gaemjbcg.exe

C:\Windows\SysWOW64\Gddifnbk.exe

C:\Windows\system32\Gddifnbk.exe

C:\Windows\SysWOW64\Hiqbndpb.exe

C:\Windows\system32\Hiqbndpb.exe

C:\Windows\SysWOW64\Hahjpbad.exe

C:\Windows\system32\Hahjpbad.exe

C:\Windows\SysWOW64\Hcifgjgc.exe

C:\Windows\system32\Hcifgjgc.exe

C:\Windows\SysWOW64\Hkpnhgge.exe

C:\Windows\system32\Hkpnhgge.exe

C:\Windows\SysWOW64\Hlakpp32.exe

C:\Windows\system32\Hlakpp32.exe

C:\Windows\SysWOW64\Hpmgqnfl.exe

C:\Windows\system32\Hpmgqnfl.exe

C:\Windows\SysWOW64\Hggomh32.exe

C:\Windows\system32\Hggomh32.exe

C:\Windows\SysWOW64\Hlcgeo32.exe

C:\Windows\system32\Hlcgeo32.exe

C:\Windows\SysWOW64\Hgilchkf.exe

C:\Windows\system32\Hgilchkf.exe

C:\Windows\SysWOW64\Hhjhkq32.exe

C:\Windows\system32\Hhjhkq32.exe

C:\Windows\SysWOW64\Hcplhi32.exe

C:\Windows\system32\Hcplhi32.exe

C:\Windows\SysWOW64\Henidd32.exe

C:\Windows\system32\Henidd32.exe

C:\Windows\SysWOW64\Hhmepp32.exe

C:\Windows\system32\Hhmepp32.exe

C:\Windows\SysWOW64\Hogmmjfo.exe

C:\Windows\system32\Hogmmjfo.exe

C:\Windows\SysWOW64\Iaeiieeb.exe

C:\Windows\system32\Iaeiieeb.exe

C:\Windows\SysWOW64\Ihoafpmp.exe

C:\Windows\system32\Ihoafpmp.exe

C:\Windows\SysWOW64\Ioijbj32.exe

C:\Windows\system32\Ioijbj32.exe

C:\Windows\SysWOW64\Iagfoe32.exe

C:\Windows\system32\Iagfoe32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 140

Network

N/A

Files

memory/2848-0-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2848-6-0x0000000000290000-0x00000000002C3000-memory.dmp

\Windows\SysWOW64\Ajdadamj.exe

MD5 fa5d4d63d856a2d0c22473340e03fafe
SHA1 c07c65f3c822296b6295c819266dd078738b075b
SHA256 450b136fdb2ace29a9a964c355a5ff62b34ca53fd56116fb8dfa0fa240cb10e2
SHA512 e2d6bde486d08816827391a90d3ceefcfd5317a0eda8dcfe91f81894b358efa8065f2b874ba5e2429818cf9a7ab8a35603366c82b711e1c28b69950ffbdf38cf

memory/3028-13-0x0000000000400000-0x0000000000433000-memory.dmp

\Windows\SysWOW64\Admemg32.exe

MD5 03058f2522f5cc1d63712a405cde473e
SHA1 b1016baf1255251f817b79a7c8a8c58416fb3ef8
SHA256 c1d47c8d30908a0bcc028ae012485a0f9c129ebefe1a0a777ad19e2d35ea111d
SHA512 9c44d2d0ee0285ef02f84487beed5737491da3ca3bc019f24ea008482c49e73754439c26ccfa25f571c53acabc19592fe7757449194f75b2c8883e3ced898654

memory/2060-28-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3028-27-0x0000000000440000-0x0000000000473000-memory.dmp

memory/3028-26-0x0000000000440000-0x0000000000473000-memory.dmp

\Windows\SysWOW64\Aoffmd32.exe

MD5 23a68fe4c96ece4d81bea3397684cf02
SHA1 f0530e863af04fe6d0c43e066f8b7d51b12ffcf7
SHA256 39143feb072b4386cdc265ebde1bae0b7d84f53f7d1a284f785375fbf7d57c1a
SHA512 d2cd0d15c9c17faa0a9bda8b5311269233d52c4fe4659bc53339c2751b9f4d3f024077a367de3d901d0dd3b1b3465337a4a9ac8859c5e0757089aff0a2248c82

memory/2060-37-0x00000000002F0000-0x0000000000323000-memory.dmp

memory/2752-42-0x0000000000400000-0x0000000000433000-memory.dmp

\Windows\SysWOW64\Ahokfj32.exe

MD5 b11d2c00b268c836a2ccf4d18867af88
SHA1 4801b83734f5a8fad7c8f246626fc3b6d5afba1f
SHA256 e4cb0eb5e0b5d78044096e28156efc729cff777ec3aea26b222a78ffc15e4a64
SHA512 7aefeac52f2e0e751c6b15fb304efc05f1abb83f7425e91afaae0c33598d2ebad5bbce3a14b110f9755fee097cb6af31e9b4250a0dd3a5d156412163be4b6fe9

memory/2744-55-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Jkdalhhc.dll

MD5 9a6e36987b77b0bb3ce2b445f129882b
SHA1 fdd829aa049828af49185af1e193bdc27bff8a1b
SHA256 b1a67fe5fd7fffaebe7dc41b48c24e116298042eaed15bea99c8a896e03d30fb
SHA512 933a65126b0c6081f01c8b9081a3a76a46411b3b94f78d8b857405e55e0fbe77387d2610e6f6dfd3ac0f172468108c91eaa5f140ee1bf0db578d95b20faaefc4

\Windows\SysWOW64\Bagpopmj.exe

MD5 c3748dd17476cfab6925e27169806d2d
SHA1 40d57b473f22c47af003afa9c43a97b76dc06b85
SHA256 280a86b43310050d062ca4d655b31e18209b5d17a7234363d46e13e80dd4c9bc
SHA512 ff71b7184cb2b4848866973ec1e0418ea943c246e29c2ca25f358f886cafb6967944f9a3d906b17c7b6386756d993fea73ab7abe429bbda0e93acf16a9182d67

memory/2744-65-0x0000000000280000-0x00000000002B3000-memory.dmp

\Windows\SysWOW64\Bkodhe32.exe

MD5 56cf2816c7db1744707b30d83cd47b88
SHA1 dcef8c05165192c4820e4735668058eefaeb070f
SHA256 b737816023f68846236fd43d062d4df43dbca5dcc1ba0ba9525eb7a069f32428
SHA512 b6371ae6e0642b481dab755f56d0631c00d0655ca3f19f7780a5d01e890198180ac5bb558cd0bb623b94ef60d629799db2e918af4dded2dc7a05811ab22f8963

memory/2536-82-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2196-81-0x0000000000310000-0x0000000000343000-memory.dmp

\Windows\SysWOW64\Bkaqmeah.exe

MD5 ae38ab291f4367214664162ddbe3aeed
SHA1 9924836b427a564fb261b6d6d7bdfc3033d58d05
SHA256 249d023d1c7615e53a6c6e43326ff8ac481926d85cc2b60ad24e344a7c316523
SHA512 dc3046ba7d1f9f4326e6ed90715648d100dff97b80c16afbb5c62e76d4a834d15481c8a55f3078901faff995d998abdbc533b043fbb406916eab0f4ff293a5ac

memory/2536-94-0x0000000000260000-0x0000000000293000-memory.dmp

memory/2404-96-0x0000000000400000-0x0000000000433000-memory.dmp

\Windows\SysWOW64\Bghabf32.exe

MD5 fd12521507f38faf50efbcbdc005fd86
SHA1 0ce8f1dcf2e0c4df02aba1a2afffe0a197fee1aa
SHA256 c9dda46f193e9dd5444b18bcbd0ed7406deb682d54d95b9415dccad9144e1611
SHA512 059f62b80c00e995c37ddbfeb5b382771c6da957106b7565cc526843872d64a44a0295bdd6576b576b86f05b664551724dac215e32a399f034576fb438b962d9

memory/2584-109-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2584-117-0x00000000002D0000-0x0000000000303000-memory.dmp

\Windows\SysWOW64\Bpafkknm.exe

MD5 716f0fbcb18d9ad03f791d11297c4133
SHA1 1377b260082bf591049f8e73ebd9020a94cc860e
SHA256 56f05247ee707a9d54f6989cf132db23ac0b8fe8bb6550fb1fc95604c652b3d7
SHA512 1cfdf8eb7c7d06b6370ad51cc8e870337bf85426756c47ef7bf02fc5ebd7aa1221e14b4eacf6feac5118dd4cb8dd2665768a88d36a40bb4d877d576f501f6381

\Windows\SysWOW64\Bkfjhd32.exe

MD5 1b20bf538c8d16be6194acae8b52f460
SHA1 037da6e216d137a95d4e19a8b7d5cf98ad62a355
SHA256 2015e9e9c6accd1f028803656df46eea7d532667525acac2d1f40074111ceb72
SHA512 356d1c65c9a9a9f3317d3d34b9ac4315eac0c9dc2c2d17361a491ea80b75d90c8119e574482d6a8760e2efc1db87a22c2354124fffbe51d1d7c76b31580e35ec

memory/2432-135-0x0000000000400000-0x0000000000433000-memory.dmp

\Windows\SysWOW64\Bcaomf32.exe

MD5 05fbf358db5af076dfcc2d4bf58ac481
SHA1 933ef6add53d84232f3948306f0b7dbd5475a1ce
SHA256 20c7b58dbe588f23514dfd536957263b9feab6d043ae9c94509b634563c8f40c
SHA512 11ed43362807b871d3389ef69a6c708929f01efb1a4b6e38cfe93cf52e242e1e0fe1671f1b94c12eafff61b6b34442f9a3ce9051be19a262a0fc045928a71108

memory/2432-147-0x0000000000440000-0x0000000000473000-memory.dmp

memory/1636-149-0x0000000000400000-0x0000000000433000-memory.dmp

\Windows\SysWOW64\Cljcelan.exe

MD5 a897a5c6a2e23d71585d65e6db2bf2f9
SHA1 a182c576f29e96ee66181f313cef8f2f63d1d9a9
SHA256 d0fb12b8329223a0edcf1cc7647ee5273314b403434d0ebfca36d376654f24a6
SHA512 e2c9d9fe3fa6eddf67c8ceed4ae6b1f81cd94a64737d187e857a0a84d409fdb4fe1fda09bf5dcde643e1e5deac6e41e973f143b781e607e306085b0d1c5b4b22

memory/344-162-0x0000000000400000-0x0000000000433000-memory.dmp

\Windows\SysWOW64\Cllpkl32.exe

MD5 88589cfbeda5fff638adce627a5c82ed
SHA1 4685eb81bd210a8896b7d08ecedbb1a556ec7ff1
SHA256 a8da72732be265e120c37b7d63408a49c3634798147715286b1141db661f5888
SHA512 d06503faf2032d760373910e5de6d11b50e7fd37e7e9357caf71dcd715664a040f2b2babf15b0806ba6be7197855f71b6c2ed07271fca838d7149e9e169f1585

memory/344-169-0x0000000000290000-0x00000000002C3000-memory.dmp

\Windows\SysWOW64\Cjpqdp32.exe

MD5 dd527651d89666a42286ac3c76956781
SHA1 c33dcbc00d9d91b247fc8c40cbecf977c4ddb7ee
SHA256 90d322031ef6006f05c7585b8667dface09ff91a03dd6ed64845b4f90a99e4b7
SHA512 2aa4b51daff8683e588b13f4ee190fa3e40d45893b77737e0ffb56dc47545da81dcde1053f7e08ca9bbee3368ea86a6daf6ae0ed756fc60619726856d50d610a

memory/1760-189-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1276-188-0x00000000002E0000-0x0000000000313000-memory.dmp

\Windows\SysWOW64\Cbkeib32.exe

MD5 e6d360f4a9d57204b31df0b21e5dd088
SHA1 b1590c3aa086eb9e6272cc0356848b8cd955db89
SHA256 d967699f67020f259edbd8f22dcde8887ed3b6dbcb222c5c3fed679e54091e9e
SHA512 413a8044ed05c6ff042a753d1d22bfcc588d66facfc65ef1bec34d997f4f6d6a90dc4beb1cb6d546e84fbdef1b312bb904348ad1912f087e1f6c5eb1c6aa21d5

memory/1760-201-0x0000000000310000-0x0000000000343000-memory.dmp

memory/2840-203-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Copfbfjj.exe

MD5 5b540529b1c3d0a212c4f888bc3afe94
SHA1 718c522dc99ba021fa9a2ca60f19e0052ddf1cb2
SHA256 a7df8dd13ac7a31749b0d55fc217efdb9f56697a4056e1cb3e00a399bf57c860
SHA512 784ca013576167966ef269a66d4f0ca95748cef68b9cd18f2d24cc5c3ddab397e25e6b3721311a3edc520c229252bf85689c660db663b023a07e22b8a333b28d

memory/2240-216-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2296-227-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2240-226-0x0000000000440000-0x0000000000473000-memory.dmp

C:\Windows\SysWOW64\Cdlnkmha.exe

MD5 f411dd70daadc16ff6eac7d91f6c4f11
SHA1 8fef5fd260aa871d122baaca2e5e1c277f4950bd
SHA256 eb63ced04d768d8973664fb8d160e4340f960b0771c88ae4446079b95c9eb54b
SHA512 0a4168ae8990817ac384cd0473068cc85652bb17774ad05097baeb1828a51df237db1f96963ba3874c12efd3854e54d726cb521a49da2d65d43bb3ebfb06db65

C:\Windows\SysWOW64\Cndbcc32.exe

MD5 2c56cc989938a543d1cf2a605fc09c21
SHA1 26ac93ffa28c08165b764c2bce4b932bb647501e
SHA256 0a1ea448f16cfdfd81533644784e68e9894a640605c3a405e6fa464287c4db92
SHA512 edf62366863ced089ded5a19ba4ee2faf84fe1dfc9b57576348fcdfd46c769ae75e7445f4eccdcfcd8dc6144a16c69370c0bd6bf22b97d7655a5122367d3fdf6

memory/2296-236-0x00000000002A0000-0x00000000002D3000-memory.dmp

memory/960-237-0x0000000000400000-0x0000000000433000-memory.dmp

memory/960-243-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Dhjgal32.exe

MD5 e4d99ff14216e0d3da36ddfa8d344d83
SHA1 26d18c0a8021117f86abe2ce922a6dfbe0a991f8
SHA256 7fbeede6d2b2edab1439d7460807bca608f1e3aa0624ddc9220dac770124227f
SHA512 2e70e41c1e60bd8d6bc419d1440fd5519b86f170bfaa66ba6c33960d3d45ff5b5de2c126a42ec1e9f7ede2f562e122e11a64d59378e6f2428fbd1492f6ea54c2

memory/1988-247-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Dqelenlc.exe

MD5 1f06a9c3b75ab4aa687bba77c860618e
SHA1 a175a89a1b69cc048b9af6e71361e1373c7ecc5f
SHA256 ecd074c2776465e33418dcf4893a7d616c3d945c554f16df8f34bf3369b0d210
SHA512 5d7ff9be728e917173e706a8f295ef76510f9d48b8e220f7e9817d19394129fa6fa5628112e3f1ecf8f2bc92e3828e30a6373eaad3581494f188bd03537e7020

memory/1988-256-0x0000000000250000-0x0000000000283000-memory.dmp

memory/1520-257-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Djnpnc32.exe

MD5 dbb40ed9085a8a05182f8e0c143e49c7
SHA1 adbf369c9c7d43fccaed39a6b909e31dcbe419a9
SHA256 5e7c898bd1eb87e0eb3c509656e9fede0167d687cc7010279027d7393e1f0b57
SHA512 c46cc4a8de83e44c34e78f95552969af9074f308fe3039bca298659ec3517c958b3392f31ff2d2cb97e0d1e614ea810b2c77502d962b1b9a36c59d96f4276207

memory/1520-263-0x00000000002B0000-0x00000000002E3000-memory.dmp

memory/1100-267-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Dqhhknjp.exe

MD5 e253b6f4ec6b3a402244c2467c9e4ff8
SHA1 092c1125e59557581c65a275877097d1da6552e5
SHA256 a98f7abddb30c39baaf9861194c7b3b9053dd7702391bc36283c7ded3cfb5f02
SHA512 a2d6fd79959d82e1b6b71f558d0411ee6cac32c749eb8e41dabe0ab6c04e9f9728982fe04adaf68ae89eda4ff0355e4363d72119ac2012a00cc1c4f8a0917990

memory/1072-277-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1100-276-0x00000000007A0000-0x00000000007D3000-memory.dmp

C:\Windows\SysWOW64\Dmoipopd.exe

MD5 4726c08275ad46ca4684bd177a60c7f9
SHA1 617987298cf13e2f2fd7ad96cd7f6fa8030a8e9c
SHA256 2e049b57977feff90f6743f0464f7ea817c35bab1d3a186b2a258ccf9fd7da88
SHA512 2e1d3d314a3a8ef5d97a584526ae3b56e8335e29b1f187dfef5a7489036598577e00eece02fd69dc9b735818d4ab4deb91107f7f04b42aa0043f740a61c98965

memory/1012-289-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ddeaalpg.exe

MD5 0e4e26ec004d7104261755e82a00b6ad
SHA1 72852731b4597353240f250c8b80986313ddb341
SHA256 f40ec528327bb5d0af0c47310e1e443344a90d719e76ce591a3044b30fbb0afc
SHA512 01777e7470dd9dfca8a06fdab5a28eb27e9eb28d40f84e0cebf94dacdcf8c5779996275aabab5067a2001d2aeb4caea1b4a0ffc5c9f076c6ecc85cd151ff9730

memory/1756-296-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1012-295-0x00000000005D0000-0x0000000000603000-memory.dmp

memory/1756-302-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Djbiicon.exe

MD5 5b8a59408f63bf1191df771fe9bc4af0
SHA1 d7384d710e4a3cccee09c26faccf44062a1ac22b
SHA256 ec39272fb55d910fbf46f49c9c1889bbaac6be9e89a552f774b21c89e84189f4
SHA512 df5a67bea511f3ac8f706d3006c9043c9e34046566c000290eb59ec401973c83d074b53309e5c43bbe926ac2e664e59873aa0eedad569389d24759efeff85643

memory/1756-306-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2820-307-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Doobajme.exe

MD5 146fbabe8930bb1eb0fbc4e5930f945c
SHA1 3601234e0cd5384fa0ba25a40c58cc100aefbd92
SHA256 d04330a5db44b6d2f8894ecb9e15f3431cde2919ade9e20dbb79258607e9c874
SHA512 799e870105907a93071e5919cdb8f3ec26f11990a1b2badca6efd583f0510e6fea23a57f21becc74ad3ea7d42fa298abd013eeb8bd8a861cf6b454c9334a27f8

memory/1820-318-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2820-317-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2820-316-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Dgfjbgmh.exe

MD5 ae47ea8be70c735f255b9c3b31738d05
SHA1 59bebbe90c66398f960f0daf39f4fb86851805a6
SHA256 c8c08bdf429de0335984a3ce006d37fb7b7e2cc7c64890eec024b42d3ad59fb1
SHA512 31da32a03e9df6e2862a1ca407baf983cd66cb149a3cb65b1e939894d2a6bdff3816d2d44877d2636d20eaada7b43d79df1463257a7da7ae150696c58ab28d3e

memory/1820-327-0x0000000001F70000-0x0000000001FA3000-memory.dmp

memory/1820-328-0x0000000001F70000-0x0000000001FA3000-memory.dmp

memory/1704-333-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Emcbkn32.exe

MD5 0413aa9c5863156b1d8ece16075851db
SHA1 8badb9f738a9609c22afac61aeca170cfa4b28c0
SHA256 dece7905ccd5582e6456a8734999265a4a2ccf2e11a2b1a5165fb0ac5d0fb047
SHA512 0f1645c5d2188b060616f6380e63df94d4c955b5ff8218d7accce851d180903ab876552d35b9a9ea559520cfef429b5c25fa080c362a5ecfed2075ee94b67b76

memory/1552-343-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1704-342-0x00000000002E0000-0x0000000000313000-memory.dmp

memory/1704-338-0x00000000002E0000-0x0000000000313000-memory.dmp

memory/1552-346-0x00000000002A0000-0x00000000002D3000-memory.dmp

C:\Windows\SysWOW64\Ecmkghcl.exe

MD5 cbfc7260b16a3f9d436a7134fe73f6c8
SHA1 2bb607143b1e75aad4d6080ee1c88a0728448bc3
SHA256 9dacf2d7d16ab083c4d25c2af2e4427b62938254fbb7b7e4fc766c42523da694
SHA512 9fd43743f20d8b7ae167a3f5a19d585c14c7f2f05198b8506fb9925167289d99f591421b479f5c6777adb8aafcdc5f2e44dcd402908bb586c764d84a3c457043

memory/1552-354-0x00000000002A0000-0x00000000002D3000-memory.dmp

memory/1056-361-0x0000000000250000-0x0000000000283000-memory.dmp

memory/1056-360-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Eijcpoac.exe

MD5 86657bcc7828a3f817fd50a7e10ff99a
SHA1 1d5010b840bea1b1442aea54d90013a6eb24bdd2
SHA256 e7e033584362559476c0adbcaddc0870d0034c356fc9a71f4a15a933234d2e30
SHA512 5ce74151322d9b05263c49a811bca05da2a0372c754730fe8f7f436572b239bccd308e0caeaa1d2c80a945aacdd0dad1b63445db7e94794c3bd8184ff4bbb65f

memory/1056-356-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2728-362-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2728-371-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Eeqdep32.exe

MD5 5a0bc5c0352c467c53f7528795e0aed2
SHA1 edb60b760ffc6fa78eb9051470b9248c5bebbb43
SHA256 c8ea96c4861aad87018f3e8b779da332a9147975c7676d9ff8ad6b16d1d1511d
SHA512 2470429eff4cd22596890db04a0078413c597bb50812bd371e877df748aadeea061adc6da23ed21eeb95d8b2634eff6e23471aa8c7e3a8a613fa059d8f210d0e

memory/2784-373-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2728-372-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Ebedndfa.exe

MD5 fabfdc3d3e9b02fa8719c61f6919f31a
SHA1 f3725180c43714579755d9a4c05e8bd6f84de726
SHA256 9179402b44cd062a4d5f9cdd4d506d32fffd28f5c2d8b4f3ef88ae51b54af230
SHA512 504ae37fdd29d2243991e2ab7959a0e052bcfe17987a25b67360b8cb474dbd465bc802da7a1a20b05b66ffbfcdd99ad96efa6fc8abdc514cca41a82b669aeab7

memory/2784-383-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2548-384-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2784-382-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Elmigj32.exe

MD5 0e762bd30024f25032fd151e257aa09e
SHA1 68ce1b65811902d578ecded7512acd8875b417de
SHA256 1d324426269bd014f85ab73b818f744fe59fd6d6f44321bd3456274142f90b8f
SHA512 ff2216c6156b1ab3279176d7f7778363d9a8aefcfe0173d1ef3966965e760af0148fd9fa874a434064be2090bad6a42360226b1b44bd4ce13184b1a4e3924291

memory/2520-395-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2548-394-0x0000000000310000-0x0000000000343000-memory.dmp

memory/2548-393-0x0000000000310000-0x0000000000343000-memory.dmp

memory/2520-404-0x0000000000290000-0x00000000002C3000-memory.dmp

memory/2940-406-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2520-405-0x0000000000290000-0x00000000002C3000-memory.dmp

C:\Windows\SysWOW64\Eajaoq32.exe

MD5 3afecc64c17c81deb5ceb65815388948
SHA1 9ca287446b167e37910e8ce90279e9faaf7967dc
SHA256 acead1b7bd714f859e51f828cdd6f4f55db3efd426a8b53f10b89140d4dd7a9f
SHA512 a611cd2aaecb4404c00972641701c259f7614b1dd8e859a0c232e9d51f301b0d9beea9c03e515d5abbf2954ad0e504b96d93b09702eae2278abc536b03750d70

C:\Windows\SysWOW64\Ejbfhfaj.exe

MD5 117a93b14a934d8d752946f4efb3dfcc
SHA1 8018dc74ccadeefefdfe0979b6b625224cd7c633
SHA256 c7043a077f82baed4d9afabef2f175487c8a1fc6df89ae604d51fa1088b24045
SHA512 8360ca556c0b83d57975f0ab3183a12628433cb324c3f2411f2b2d18f5cbad3a82c71f66671d2c5129a9ba36e4cf222ac37f9fedbef21b1d77620ddaed83379e

memory/2940-419-0x0000000000250000-0x0000000000283000-memory.dmp

memory/1448-421-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2940-420-0x0000000000250000-0x0000000000283000-memory.dmp

memory/1448-423-0x0000000000340000-0x0000000000373000-memory.dmp

C:\Windows\SysWOW64\Ebinic32.exe

MD5 90c5909f979640265d2a3eb73086c23e
SHA1 9f2cb762c20513684cb48a962102a8c86841aca2
SHA256 0f995464410e7065c8439b25579d9080bb7f6cddc71abada1565dc4fbae8cc40
SHA512 3617df5608458d5e0ed4334bc6f85ebd15b326e98cf9a12bd89211123416ef6f399151a750c4bb379906e8c6ea35d20203a78cf04656459481e3f4492d8d5a99

memory/2844-428-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1448-427-0x0000000000340000-0x0000000000373000-memory.dmp

memory/2336-439-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2844-438-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2844-437-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Fjdbnf32.exe

MD5 68a14dc3979d90fdd876be5b9327ff40
SHA1 607d8b56522c92fe078c3c30f20d6adb21c5aa79
SHA256 82cc5c0624c2d21cb589ae4dc13abdf7f7c6e7f70f6f18361345296763505902
SHA512 c7649816db424fb3e2ef77e0b89961ca983bef2088a3f5a67f5fb3ba95d5f7f322cbb36aa8923dc4e3461f96d994fcb16416b9d297ff3fdc0ab8a9b64e5080ae

C:\Windows\SysWOW64\Fmcoja32.exe

MD5 67718ec32c9f78f7f13715f093b5b692
SHA1 50a62314f5992a1ad5e6dbc2c5a1b48dc4df0633
SHA256 ef685bfeabdc80fc9c9dab4dd1bbfa8c6c2ffc635b378b2c97c41444c2b33e6f
SHA512 da87d2b6ca6f2ac6971e78beb44715d1a1e8b217f959b79bf304a065bdb3dc245a94789e15e1b426b7bcb41f9fe24a1901e9deabcf35f6ee978ee05933061237

memory/1292-450-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2336-449-0x0000000000260000-0x0000000000293000-memory.dmp

memory/2336-448-0x0000000000260000-0x0000000000293000-memory.dmp

memory/1292-459-0x0000000000290000-0x00000000002C3000-memory.dmp

memory/1292-460-0x0000000000290000-0x00000000002C3000-memory.dmp

memory/308-461-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Fcmgfkeg.exe

MD5 b82363664a3c514e083273a6cc740628
SHA1 e6c8ca0876988e968c2244f96a4796ab467e391b
SHA256 161108d89a609212edd1180af66e9fead97bc8defbb506a13d6912688a2c8b2c
SHA512 6fba86800fec7894a860e7eb1498ec5cb39e57fee51857b667521f93b718726f32bd16689f5e83b3e7d46359eef078e438c2630414cbb4f48bfc73007200e640

C:\Windows\SysWOW64\Faagpp32.exe

MD5 3c5d31efe1fc15aa1f1e0d12cb4f21f7
SHA1 c88657bd2b903c0db8e380c77916b8baa68ac9c4
SHA256 a0383226c29fa135e7c2a9fb80e766c18b388e85c1fab853e9366651a5d23c54
SHA512 ec878b612ea76ba79e100b550c530d794885d5e573aef5912d05509031366daab11964a9a6c936839c2f748cffc918fa18f870ae54f23a57af87ffa70e36de87

memory/1508-472-0x0000000000400000-0x0000000000433000-memory.dmp

memory/308-471-0x00000000002B0000-0x00000000002E3000-memory.dmp

memory/308-470-0x00000000002B0000-0x00000000002E3000-memory.dmp

C:\Windows\SysWOW64\Ffnphf32.exe

MD5 31fc4c1a99029b2a470d6bcf51d99eb2
SHA1 b764c81d93994d0bf2aacacd9707ecb5d207b6f7
SHA256 1e7fe18c87c5aaafbabebcd916cb02dc0eb4c498f5b033a88474693c2e11d8a8
SHA512 5b5c4538645e06b6ddf50666a77e293f8f36a88c305337cccad71bf1a71da649efb6e796e5c8b076f6cb98f7fdda15903402c64bbfc8a0722e5f7da1bdb843a2

memory/1256-483-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1508-482-0x0000000000290000-0x00000000002C3000-memory.dmp

memory/1508-481-0x0000000000290000-0x00000000002C3000-memory.dmp

C:\Windows\SysWOW64\Filldb32.exe

MD5 3e27f06c65626e603fbaa3bdd2c2da43
SHA1 a7471ebae4d63205edccb06887a288abd5dc3ac6
SHA256 2b4ed49bac9a2024322163b0d46ff5a1488508cf6f2d40572ff1cdfe3e73ca57
SHA512 5a946e559f261b6713934a4eaf21598daea302653bddcd9f2c3c578aed6a16bb4b9eea619cae836d809fe4f3dcd479f7b9125f395394b7c42dbfc81a05e36c1d

memory/1256-492-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2264-494-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1256-493-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Fdapak32.exe

MD5 3acaac81d924664c5f2a232f2f8d79cf
SHA1 5a245db3c453b26ec057a98d2d78342faceb31f9
SHA256 19bf24712049bf0288bf2afb6b6ea2f4773236d4367a7e288784c09d18275199
SHA512 ef0a0410df9d03721a279f87eb5d4de7c9fd043c4a290ce93303e5a62537e8e8472e5b97f1dda251bc295bfd7545efe213bed53a5d20664839939e35758af29e

memory/2264-500-0x0000000000440000-0x0000000000473000-memory.dmp

C:\Windows\SysWOW64\Flmefm32.exe

MD5 1d7bbd199418c818b6d8c64e2fd7c266
SHA1 0dbb67e8e2bbdfb050e9e783719ae94ea46a09b5
SHA256 238f0715ad31ec756fb55d9b7d4c98f5f11118bec4eb0768043f83dcb7d67e77
SHA512 898b4fed12eb96f07a77cea123793388bbd6987e6190edc9ac294d0d3876791153f9cd4b0b397a71cdc9159c1b34688fa982d4e0f7cd4fa15cf8f9f71efd3ac8

C:\Windows\SysWOW64\Fddmgjpo.exe

MD5 4d345148070c99e3fa6fe5495750b830
SHA1 fd6ba3c38b856ca93284de8255fe10a4981617d0
SHA256 fe9c6101e86ef6fb8d93e96a781f546c4358da46b1729b227e38413f000cfca8
SHA512 da2ea310ea678b7c0f993512c6e9d214566e7b94f5ffee98d3b053f670c494c6e2a4536fe37d56dba7becd25cc41ebc555d4c41a7924c12725f111f883224f4a

C:\Windows\SysWOW64\Ffbicfoc.exe

MD5 d02afdf756015b275a1d13ab7fba68fd
SHA1 ba49bc73050efdae3902e0d05a67c94a9dee3fcc
SHA256 a72ede8242bf2084c994e3504993ca4adb5e18bb98b610f0d0b9b708980b1042
SHA512 2909ddd97d9c5f4808cbf6c919fc486b87f1d90d53b8cc47715b72a0801e3342f9b042214925bcfaf951983e8563becac3302373d4fb0cdf780ab8ba7353d547

C:\Windows\SysWOW64\Fiaeoang.exe

MD5 8e1311be9b81e1b833f9d12d77e9cda2
SHA1 631f610997520699ca91ded721b3f11759398b08
SHA256 b7abde5a1da85fd289180a176bea6c72e45566884300d114ad9e4bbecfa0d462
SHA512 8dcdd660b8d4d8a680ce3be1a22710b218fc30a022550db3db1bedbd94b886247fb86883447a8209cd6680f99c49fb512ac191786636ca812e50b38fa294c5bb

C:\Windows\SysWOW64\Gpknlk32.exe

MD5 4f5ad76bd5d49b79b4013cab9ae0d354
SHA1 623749560aa3f53b4878e57d734356d52133f9ac
SHA256 7b47a146d19634f01325ca6133412a9981b3631cd26cb033ad5e297e3a5cf83c
SHA512 4569391283369cbb41d36b4275de79d13e1c2ac20479890e25397b1ee2384820530af4013cc041807ba5d6eb7178a8d5d266b2778b3dc7924ae10034ddc056b8

C:\Windows\SysWOW64\Gbijhg32.exe

MD5 7ed5559402b889ebc698ef1116673973
SHA1 0eb7fded30a13eef875c4238d69a8ce38381b254
SHA256 28c5129c71bf32ae66b54f5c894efa9046ae8c64dd479545ae93b1aa80a38279
SHA512 1c820411cd6b6ccd79c529a9544a6d82339fc98a8056c72d616b52247f87c496b646f9cf40e7667002bc517de9db998a99ff3e7394eb019aa744b3bd283942f0

C:\Windows\SysWOW64\Gicbeald.exe

MD5 10fc83e09342571b66cdb1dea83d137a
SHA1 f4639e673c32c17306a76c9133b4e6a992572415
SHA256 c805e197bd02cf0864ca414959558968319187acc00cd7a5d6b32fc37e57af87
SHA512 d99b4b27f5881bc63200d863508963bd52d113b525e609f10062e567b5f62d3f072b0e2a95282eb8163ceff2eb5c3d746962bbab5fdf1c1f353ad25a8e431b03

C:\Windows\SysWOW64\Gpmjak32.exe

MD5 d077da832e33574742dd0203973b3bac
SHA1 ad3a91303a46718c2c0cf67bfa4de1f87ea98637
SHA256 cc5314afbe2b117e42da6f6578f682db64069a018c934bcc07ede1e51a3641ed
SHA512 0941a8aeff25fd79f70922846b50dd505e22afd64c58329772d0eb9b775c54572192096fa5380c0c0f9de2d7ce429170ae2cc911b28c904725fabe8f38bcf0f7

C:\Windows\SysWOW64\Gejcjbah.exe

MD5 309ffa994529eef3fb34a544e31491d9
SHA1 0b160ef8bec422749c5a9e67c7c4127840cd3c0a
SHA256 dab435a6d4b154a489f24cb54311742ada0657c23362cf78421d43ac0476336b
SHA512 8f8757a3339a69acded7a6047fa14d05560ccd8f2c025aa9b58ae2e1761dd1a46557c4e5b52b41c31b2c7f94584fc2cdfb80610bc98a3eda6b818da57f099076

C:\Windows\SysWOW64\Gldkfl32.exe

MD5 6df370f452e31886c543e5797db07256
SHA1 1eeed8940612fd6d16a0a66e04a4d12fbb2f67c9
SHA256 17518f31329310c4773f610527a11d32a7f3d1c14cfed97b66b60f478fe57351
SHA512 1483b3b3cbce642bc07c4bc6b11b7cbac2c56420c6405536a97647c0280595de161293b071006834990cefe52795542cd87e4bfe43b973c609c8fae959f4311f

C:\Windows\SysWOW64\Gbnccfpb.exe

MD5 63f262b546e9126be13e062f57ba4751
SHA1 be68eb53c8cda6c337da6186ab92d89cdd1febda
SHA256 e3c08058b1459e88b23c8d1684462a68722d1c3c405ef4c5e36ab8fa17adc2ba
SHA512 a1b6a7d5091f9e905666607e7bbd27579391a5c74ae6080c8aa6be28f46590f4aab5e82c9560c9d9e6b7be3ecd82df8e66769d340e68a6159c9f0138404dd778

C:\Windows\SysWOW64\Gaqcoc32.exe

MD5 dadc06bae9b7da2372786747c1eaafce
SHA1 b6890415764e47fea1593c05933aa508ba3ca058
SHA256 8164af798c539ed4599e5afde17d7462a786c46dccface35632cd8d8d8ff26a2
SHA512 337634438ec155b17e9d3d2a72143b7da8d3dab46db6eda2e0e9c5cad92526ec9e546e84cd3b7b0e5fa439bf951ccca4c7e45855100e61e8836e00ec7f39b6f5

C:\Windows\SysWOW64\Glfhll32.exe

MD5 0e20a57b8fb1e27f108616ad4acb1f35
SHA1 0712090ce82d2a7d4ae4b45928d26b25098c4041
SHA256 415ebd4faac155c9ba9bb5a083ea9403ff982d7af6882d3e6e47e350440d2388
SHA512 97933b3653649f991764036543afb983c93ff651e050919141b65f2f11b318ffa4c80d7d6bbb7a5c6d0e53bb3095cd1931846a7c836bd8d54f9fad40e384a008

C:\Windows\SysWOW64\Gmgdddmq.exe

MD5 792df3d64a4ba14a7df43b715ca0f11f
SHA1 4d848812e249413dbdfe453dea6dc15881d5225b
SHA256 6f1a48b3f77be2ff88fd52e15e15eb32b502ef73d8109774f63f4b06b5c85308
SHA512 5a0e09adeb39de2da272d4ca71677bb7243f29d236c5be89e931ec7f467e7a025929ca03b9d2578bc44efcbe8e37c3b6b4a645133906e4d2473ae6f9c260baa3

C:\Windows\SysWOW64\Gdamqndn.exe

MD5 f4e960a562cb99a3b1ab369494cdaf0d
SHA1 f9c861266fdfe8d52c934aba701922bb39be47e1
SHA256 8cb464d21a2ab61323f742da947536e3a8af89bd5964526edf3c25e8b1b1780d
SHA512 e2ba7e093fbd0029a5d41be39a7e52a35fe684ce69548491e026950513335b5b297eba4a37f1770e4e22183da4654e62d66b541fa1e84d54e3745908cb063985

C:\Windows\SysWOW64\Gkkemh32.exe

MD5 f17a046dd9aaf4aa9a3d19b5a994b2ff
SHA1 003bad15641fcb88fccf99f3525b7db7b815a1c4
SHA256 120108ea43bd30f77a73057e53ebeab9867398815df29c67c466da1952395e8d
SHA512 6981ecb7f41faa609cccf71676b16494073b06f5f69f8cad4154b695e00b9b2d455d38dbcbc6b7641f0056215efe2722d71baaedabc218be57af33e53457c05a

C:\Windows\SysWOW64\Gaemjbcg.exe

MD5 50f4a6cc37ad1af7059a9a4655384255
SHA1 ab4b55ccc7e66de52758133abd74b4347701112d
SHA256 96419fc3246c1613a260fa7dcca150669f399e56b4b135900a8619bae0ecc440
SHA512 061ad43b3c908e52a19a04e4acffbb9b1edc55a0898c6ac1bf67c698c7587e3bf04cebf68d05d298aed035eb0d93c1193e7dcfe0eab15ef3129d8a70e71bda28

C:\Windows\SysWOW64\Gddifnbk.exe

MD5 6daafd936d65fac362442bd3dc368222
SHA1 0f78019a1f810bfdc904eccfe3358d6842442e29
SHA256 4162c6815228ff8d23c9607b509420aae0c80041563c6b3ebb39d666301880ba
SHA512 935d01af1d82a9e7a63ff9d7705f4cf4911ebb6e8cb5942f362c8d59db1cb233251deeaa1cefc4c279dbf2aecc5e1d7a21dd29e5435d6174286ba477857dae5c

C:\Windows\SysWOW64\Hiqbndpb.exe

MD5 a64712259c7cf307e42154da7992e1d7
SHA1 c6df8e579ec585fcd432e265ea7ab79e9399e61b
SHA256 de31f33f91931d951b852dc0aaa4d02168960435886196c063764e2ed622ce40
SHA512 efb9549b0f9b2b9ef0c40653c25738144cec7037bc9db1434a10b813b499316449749c497ad578c99160cc557300d05fa7fe37ccd81a460d4632e3fee21fdda5

C:\Windows\SysWOW64\Hahjpbad.exe

MD5 a21ef94b3ac7e93a7e03637b4c397505
SHA1 59184683c7944028a360cb9413cf94910c34e4ab
SHA256 13bb0b88d17cc2f82fde909c4f44f98a9de6775a7b4e20423dbe483af53e8c16
SHA512 ad9cd2d365b35d8d7c08a5731d71e0344a587fa68d2a604aa0c9e0621b5f7d3f0c9d1060be0f86b7020dd194803b590db3a365a8132b28cdc62761d159ac8641

C:\Windows\SysWOW64\Hcifgjgc.exe

MD5 bd8a7d6c5e56585c47d9ff3ef50c2f74
SHA1 4ee9f294ffd655f81bf0a91e2474f28d98e9cabf
SHA256 71d8a12dbc9530eb6cf24bbe00adca45bb57f6bffbb2695c7cdda8729dab16a7
SHA512 7e9af5e4684b4433c522c5b9101baca43f0c81c5c4ee20dd2f282f390a710c3c352b2f95b4e38b1a5bf1a5250172615ef581b3d98af743d560ba847ac885a7f1

C:\Windows\SysWOW64\Hkpnhgge.exe

MD5 484b9d03c2c1a2b77047808d001faead
SHA1 c282b79d526542af5a6e9c040499182f6ef83907
SHA256 9b43607c8a6cca18e90238b895ce443b966729a088b9b328c1f1fc81cd112449
SHA512 804a173a28c943e760d6c2a189ad59c732daf0a49bbd9a14fd676345182f59cb1e1b72afa43885a8da831f054243a2f7c358176645422cd78c4dbd921fcb791c

C:\Windows\SysWOW64\Hlakpp32.exe

MD5 c62efd3cd2afd28308615b5790e66f8d
SHA1 43974cb864b924de114f501bd58edd4353511836
SHA256 e554f04e3a04919f9c2689fdadc55d6e6dff5a1ae54ca923731e676a38a7f498
SHA512 b0415d21cb6677d5915ad791d594e4b3fd97ad465f64605b8409f0a9c53e4f0c11d0571ab6a2ab451eda4a95da5bcaef3b051db6188e279208f756c398a2a83e

C:\Windows\SysWOW64\Hpmgqnfl.exe

MD5 8fe2c48cda28210c377b5b2f51216171
SHA1 0c36fd174364d33fa6f54d64bf077103ac23da1c
SHA256 fb07790aeb388e82b726c3d362a41f5a363552730b409664270ad1cdbbcce2e7
SHA512 1b96b73c5ffe5bd580a5edda6208028877e011f8a1e05a3f1637a592ac4c8a113b40020415334b05eae25ea476cba553371c6052d1a253e9b1473c313be5fb5e

C:\Windows\SysWOW64\Hggomh32.exe

MD5 133472fdc4ff518ca5378fe05ce7486f
SHA1 eddb33f3fd30849a10dcec76aced6ad675d79a0d
SHA256 b112798f47e7431f50a76e45b99b05dec020abdedf952b8d9f66ec49302dc977
SHA512 de921bb9eb45fcb8b2b5ee323ce4fd0626b8c0e0a2773667951b705950badf84c4e09778c3fd693cf904f5323cab1868f5d39897d11cddc7b89d1760cb593ecf

C:\Windows\SysWOW64\Hlcgeo32.exe

MD5 4f22af363a76884de7af57b0415a638a
SHA1 9d1f69792e7cc1ca90f4b44f6d9ce41048fae8c8
SHA256 8fb7ef9d3aedcec5edfff5aee337713148ca183a32220cbdea20d28e79d7e92a
SHA512 75f809ce6e6a4f499bd30e6bbef0b5c0dc7540cedd326e9c6be1a40c9710db96becf8ffb258c84d190349ca1b545a4664fe77161723633fa2618c24cd80aae18

C:\Windows\SysWOW64\Hgilchkf.exe

MD5 78466693381caf1438d869dac09cf482
SHA1 ab15160d8966a65d76e5a9b2e8085b39e1315064
SHA256 55c25cc8b15efabad6f78848f4a6fed9423593cf94179754b5b2e1aedd9a1de6
SHA512 f3a2083d543d237bc7d5a3accf056dfa8fc7dfcb45fa8b6bafd3dae0bf400e3bd000ca045d8e55843173cbbb31c2a70f1824846cd5cc2953931ca95aac38b2d0

C:\Windows\SysWOW64\Hhjhkq32.exe

MD5 a4b61dd43a9bb199fb91420caa25127e
SHA1 4c5df1a8029225c8a6377db7ee26565204cdd4e9
SHA256 40940763000f0d5a6f417af1b26e2bd93d6f8f030c136483c9bf61fd99e611a0
SHA512 15282a52e0083a89ef7594987cd832380faec18660b36e5ba20e0a517241417f91bd5b4259226f5b7eafe84f103c3102c986cf7951c3d84fcf9e092e196dc7ca

C:\Windows\SysWOW64\Hcplhi32.exe

MD5 10648169b8537059fc6f1399684bb8e1
SHA1 d0d435f0c527b4fe59a88dada6d3783eed0dbcc7
SHA256 af69756b4940682f5f0443ffece9ce4d6118cdf464c093acc33e2976d8bc220f
SHA512 046feccb904de37ed1d190487540bac3800bb1bb94913660dbecc53be389de46a1566005712b49fe392c680731e34e502e0251fdba777c18c819869e35f88ca0

C:\Windows\SysWOW64\Henidd32.exe

MD5 b9c1709624bd0cf2354e7be859f39e1e
SHA1 6553f25f3dd431dc8823138098349d0580d19d24
SHA256 a88ecb7af8bc6f92246dfac88453befdf8756416d9733b898198d5778fd94ab3
SHA512 3d370c22fe76d9f2f545bbe0169e5e8b68ebf46ebdebff1988639ba720034d9b8214d8baa596aa1b877dd3a9a3491526505f8e2040498511961248914feb8f9a

C:\Windows\SysWOW64\Hhmepp32.exe

MD5 65dca769fcaf6b48963e08c0a367526f
SHA1 c0222c51e824055a4d6c9f8a906ac162ee901231
SHA256 45129d73f5e3f97146eb6d6a8a895eaeaf479d7160b7b7aeb1c237aa81a4b3b0
SHA512 6a46a6eb6d70eb37d43815f3b8e7120c5b65828074db0ccfc8506e469a3b1fff03ebac25ae0892d7d1e13f11063ebf813f304c4582685b2298c61de3646f5d06

C:\Windows\SysWOW64\Hogmmjfo.exe

MD5 9d531bfd9ac11cdf3292296549ee8bf6
SHA1 e538cf1131df3e31726f775ee8942b143da7129e
SHA256 55cda2f9b9ce33ea668f5ea306df518ae283594692f3486fc76fb7a71d13612f
SHA512 92d6161225b070a009933e2c9cac081501847dbe904c045b38e29c517575002285ba3cc9baefb67799d84a592fbd4fc12b575a34ac414364d3cbd347625e14d0

C:\Windows\SysWOW64\Iaeiieeb.exe

MD5 e754242a24c13570821edfbc01cbbb28
SHA1 ec9876f2cba5e61d3c0c622542c63bbca27f8d01
SHA256 b4703054b4ed45e81f1457f27d638bb24adad759d88371240ccdb5f7202ca335
SHA512 08f18a46f7ec9491926df75e854e672d86f991d5374e74c8b10ea311c6bf59fb234f1611e1081f44a12718c36e2731739ba546160e18e5b009426655df37f517

C:\Windows\SysWOW64\Ihoafpmp.exe

MD5 87e4180e6908e014509cdc953c962323
SHA1 2018ecaf80a8d9bfc84e5214c0e364fc9821fded
SHA256 7b0b2ad2f908dbfcc24ee91d7fb841a1d1796c14b98b500e6d19d5949503a05f
SHA512 145cf17132e2c7ef5faefb789c4d7bc1b4b5826a1a006a255f6e4a463b4705a1721348f65382641ecf68fb56621a30eb07c8b81f4af3a17ee750188becd056ce

C:\Windows\SysWOW64\Ioijbj32.exe

MD5 1359c65e106dbfda263129c88fa5bbe9
SHA1 59b5456f36464c62e2cd22abcac6f695d2c01483
SHA256 ed5722977e5e29c5f87483228b90c4b0d6dd4f810b9f408c8ee695dec07c439c
SHA512 c2bba477c40fa45a165210904477da5d57e93fdab61bb66207aa14452d0e4859e6be90d133b269dc3ab0a2fafbafda3fe620c06c9b3d816576fe1f3df2bef2be

C:\Windows\SysWOW64\Iagfoe32.exe

MD5 ae4fba12244c2ad73def97cdc69ebf24
SHA1 b18b49fde26f8fbd46b310f05a29f5413e0d3da3
SHA256 790266fa59c6ac3ec0c2e47de580633e91737e5a92757182542b9e03fe248ba5
SHA512 a957259cc50f9a4d160863e05120eb01529110f6c0967b7364fa0667ff3d6bbf3ed79e5da0e62f7ef17fe2ae6f8437ab5078c684ff9537f783e8d7d72025d7cf

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 22:30

Reported

2024-06-03 22:33

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0b691cbfb9e3c0cf7593c3d31c2d7f00_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Lphoelqn.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pgllfp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bebblb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gofkje32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Jfaedkdp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Jpijnqkp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jplfcpin.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lmppcbjd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Daqbip32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ehnglm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hkfoeega.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mgddhf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qqfmde32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Acjclpcf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cojjqlpk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Pmidog32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Liddbc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Eamhodmf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fdgdgnbm.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hcmgfbhd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Heocnk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jpnchp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Flnlhk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Kiidgeki.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Likjcbkc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Acnlgp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bjagjhnc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Belebq32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cjinkg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Onholckc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hiefcj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Lebkhc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Mpjlklok.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aqkgpedc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Afjlnk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dddhpjof.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bnlnon32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fkciihgg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ocnjidkf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Pjhlml32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Qqijje32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Jpgmha32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Mdjagjco.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aglemn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ffimfqgm.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hcpclbfa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Beglgani.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bnbmefbg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ilidbbgl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Jlpkba32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aqppkd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dddojq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Fojlngce.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gblngpbd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hcmgfbhd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hmfkoh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dfnjafap.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qqijje32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Andqdh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Aglemn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Peqcjkfp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bopgjmhe.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eoolbinc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mbfkbhpa.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Okjbpglo.exe N/A
N/A N/A C:\Windows\SysWOW64\Onholckc.exe N/A
N/A N/A C:\Windows\SysWOW64\Oqgkhnjf.exe N/A
N/A N/A C:\Windows\SysWOW64\Ogaceh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojopad32.exe N/A
N/A N/A C:\Windows\SysWOW64\Okolkg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Obidhaog.exe N/A
N/A N/A C:\Windows\SysWOW64\Pgemphmn.exe N/A
N/A N/A C:\Windows\SysWOW64\Pclneicb.exe N/A
N/A N/A C:\Windows\SysWOW64\Pbmncp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pcojkhap.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjhbgb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pcagphom.exe N/A
N/A N/A C:\Windows\SysWOW64\Pbbgnpgl.exe N/A
N/A N/A C:\Windows\SysWOW64\Peqcjkfp.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjmlbbdg.exe N/A
N/A N/A C:\Windows\SysWOW64\Qecppkdm.exe N/A
N/A N/A C:\Windows\SysWOW64\Qjpiha32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qajadlja.exe N/A
N/A N/A C:\Windows\SysWOW64\Qjbena32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qalnjkgo.exe N/A
N/A N/A C:\Windows\SysWOW64\Alabgd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aejfpjne.exe N/A
N/A N/A C:\Windows\SysWOW64\Aldomc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aaqgek32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahkobekf.exe N/A
N/A N/A C:\Windows\SysWOW64\Aeopki32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajkhdp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aaepqjpd.exe N/A
N/A N/A C:\Windows\SysWOW64\Aniajnnn.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhaebcen.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnlnon32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdhfhe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnnjen32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bbifelba.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdkcmdhp.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhfonc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bopgjmhe.exe N/A
N/A N/A C:\Windows\SysWOW64\Bejogg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhikcb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bbnpqk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdolhc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkidenlg.exe N/A
N/A N/A C:\Windows\SysWOW64\Cbqlfkmi.exe N/A
N/A N/A C:\Windows\SysWOW64\Ceoibflm.exe N/A
N/A N/A C:\Windows\SysWOW64\Cliaoq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cogmkl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ceaehfjj.exe N/A
N/A N/A C:\Windows\SysWOW64\Clkndpag.exe N/A
N/A N/A C:\Windows\SysWOW64\Cojjqlpk.exe N/A
N/A N/A C:\Windows\SysWOW64\Cecbmf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckpjfm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cbgbgj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdiooblp.exe N/A
N/A N/A C:\Windows\SysWOW64\Clpgpp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cbjoljdo.exe N/A
N/A N/A C:\Windows\SysWOW64\Chghdqbf.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckedalaj.exe N/A
N/A N/A C:\Windows\SysWOW64\Daolnf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhidjpqc.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkgqfl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddpeoafg.exe N/A
N/A N/A C:\Windows\SysWOW64\Doeiljfn.exe N/A
N/A N/A C:\Windows\SysWOW64\Deoaid32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Dogogcpo.exe C:\Windows\SysWOW64\Dfpgffpm.exe N/A
File opened for modification C:\Windows\SysWOW64\Jefbfgig.exe C:\Windows\SysWOW64\Jbhfjljd.exe N/A
File created C:\Windows\SysWOW64\Mpablkhc.exe C:\Windows\SysWOW64\Mmbfpp32.exe N/A
File created C:\Windows\SysWOW64\Kboeke32.dll C:\Windows\SysWOW64\Acjclpcf.exe N/A
File created C:\Windows\SysWOW64\Aabmqd32.exe C:\Windows\SysWOW64\Andqdh32.exe N/A
File created C:\Windows\SysWOW64\Aaepqjpd.exe C:\Windows\SysWOW64\Ajkhdp32.exe N/A
File created C:\Windows\SysWOW64\Flfelggh.dll C:\Windows\SysWOW64\Mdhdajea.exe N/A
File created C:\Windows\SysWOW64\Aqppkd32.exe C:\Windows\SysWOW64\Anadoi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Beihma32.exe C:\Windows\SysWOW64\Banllbdn.exe N/A
File created C:\Windows\SysWOW64\Gfghpl32.dll C:\Windows\SysWOW64\Dddhpjof.exe N/A
File opened for modification C:\Windows\SysWOW64\Pflplnlg.exe C:\Windows\SysWOW64\Pdkcde32.exe N/A
File created C:\Windows\SysWOW64\Cjpckf32.exe C:\Windows\SysWOW64\Chagok32.exe N/A
File created C:\Windows\SysWOW64\Daqbip32.exe C:\Windows\SysWOW64\Dmefhako.exe N/A
File created C:\Windows\SysWOW64\Liddbc32.exe C:\Windows\SysWOW64\Lffhfh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lpebpm32.exe C:\Windows\SysWOW64\Lljfpnjg.exe N/A
File created C:\Windows\SysWOW64\Phkjck32.dll C:\Windows\SysWOW64\Lmiciaaj.exe N/A
File created C:\Windows\SysWOW64\Mpjlklok.exe C:\Windows\SysWOW64\Mlopkm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gfngap32.exe C:\Windows\SysWOW64\Gcojed32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cbjoljdo.exe C:\Windows\SysWOW64\Clpgpp32.exe N/A
File created C:\Windows\SysWOW64\Anfmjhmd.exe C:\Windows\SysWOW64\Ajkaii32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kbceejpf.exe C:\Windows\SysWOW64\Kpeiioac.exe N/A
File created C:\Windows\SysWOW64\Lgokmgjm.exe C:\Windows\SysWOW64\Ldanqkki.exe N/A
File opened for modification C:\Windows\SysWOW64\Mdhdajea.exe C:\Windows\SysWOW64\Mlampmdo.exe N/A
File created C:\Windows\SysWOW64\Njqmepik.exe C:\Windows\SysWOW64\Ndcdmikd.exe N/A
File opened for modification C:\Windows\SysWOW64\Bdkcmdhp.exe C:\Windows\SysWOW64\Bbifelba.exe N/A
File created C:\Windows\SysWOW64\Agkbbg32.dll C:\Windows\SysWOW64\Daolnf32.exe N/A
File created C:\Windows\SysWOW64\Collmj32.dll C:\Windows\SysWOW64\Edpnfo32.exe N/A
File created C:\Windows\SysWOW64\Ikpaldog.exe C:\Windows\SysWOW64\Iefioj32.exe N/A
File created C:\Windows\SysWOW64\Ajkaii32.exe C:\Windows\SysWOW64\Aglemn32.exe N/A
File created C:\Windows\SysWOW64\Cdlgno32.dll C:\Windows\SysWOW64\Bganhm32.exe N/A
File created C:\Windows\SysWOW64\Gblngpbd.exe C:\Windows\SysWOW64\Gkaejf32.exe N/A
File created C:\Windows\SysWOW64\Lffhfh32.exe C:\Windows\SysWOW64\Kdgljmcd.exe N/A
File opened for modification C:\Windows\SysWOW64\Ojjolnaq.exe C:\Windows\SysWOW64\Ocpgod32.exe N/A
File created C:\Windows\SysWOW64\Dfdjmlhn.dll C:\Windows\SysWOW64\Ofqpqo32.exe N/A
File created C:\Windows\SysWOW64\Qfcfml32.exe C:\Windows\SysWOW64\Qceiaa32.exe N/A
File created C:\Windows\SysWOW64\Linjpeof.dll C:\Windows\SysWOW64\Eolpmi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gohhpe32.exe C:\Windows\SysWOW64\Gmjlcj32.exe N/A
File created C:\Windows\SysWOW64\Gdhmnlcj.exe C:\Windows\SysWOW64\Gbiaapdf.exe N/A
File opened for modification C:\Windows\SysWOW64\Njqmepik.exe C:\Windows\SysWOW64\Ndcdmikd.exe N/A
File opened for modification C:\Windows\SysWOW64\Ckpjfm32.exe C:\Windows\SysWOW64\Cecbmf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Klljnp32.exe C:\Windows\SysWOW64\Kebbafoj.exe N/A
File created C:\Windows\SysWOW64\Klqcioba.exe C:\Windows\SysWOW64\Kibgmdcn.exe N/A
File opened for modification C:\Windows\SysWOW64\Llemdo32.exe C:\Windows\SysWOW64\Ligqhc32.exe N/A
File created C:\Windows\SysWOW64\Dboiieof.dll C:\Windows\SysWOW64\Obidhaog.exe N/A
File created C:\Windows\SysWOW64\Lphoelqn.exe C:\Windows\SysWOW64\Lmiciaaj.exe N/A
File created C:\Windows\SysWOW64\Gnpllc32.dll C:\Windows\SysWOW64\Nggjdc32.exe N/A
File created C:\Windows\SysWOW64\Icnpmp32.exe C:\Windows\SysWOW64\Ilghlc32.exe N/A
File created C:\Windows\SysWOW64\Bmhnkg32.dll C:\Windows\SysWOW64\Balpgb32.exe N/A
File created C:\Windows\SysWOW64\Cacamdcd.dll C:\Windows\SysWOW64\Chagok32.exe N/A
File created C:\Windows\SysWOW64\Aejfpjne.exe C:\Windows\SysWOW64\Alabgd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jfoiokfb.exe C:\Windows\SysWOW64\Ibcmom32.exe N/A
File created C:\Windows\SysWOW64\Khchklef.dll C:\Windows\SysWOW64\Jpnchp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Aglemn32.exe C:\Windows\SysWOW64\Acqimo32.exe N/A
File created C:\Windows\SysWOW64\Iihkpg32.exe C:\Windows\SysWOW64\Ibnccmbo.exe N/A
File created C:\Windows\SysWOW64\Bmkjkd32.exe C:\Windows\SysWOW64\Bjmnoi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Aaqgek32.exe C:\Windows\SysWOW64\Aldomc32.exe N/A
File created C:\Windows\SysWOW64\Gbiaapdf.exe C:\Windows\SysWOW64\Gkoiefmj.exe N/A
File created C:\Windows\SysWOW64\Jcjpfk32.dll C:\Windows\SysWOW64\Lgmngglp.exe N/A
File opened for modification C:\Windows\SysWOW64\Cagobalc.exe C:\Windows\SysWOW64\Cnicfe32.exe N/A
File created C:\Windows\SysWOW64\Dgbdlf32.exe C:\Windows\SysWOW64\Dddhpjof.exe N/A
File opened for modification C:\Windows\SysWOW64\Jcllonma.exe C:\Windows\SysWOW64\Jmbdbd32.exe N/A
File created C:\Windows\SysWOW64\Mmbfpp32.exe C:\Windows\SysWOW64\Melnob32.exe N/A
File opened for modification C:\Windows\SysWOW64\Afjlnk32.exe C:\Windows\SysWOW64\Aclpap32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bclhhnca.exe C:\Windows\SysWOW64\Beihma32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dmllipeg.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Nnqbanmo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Bnbmefbg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Cjkjpgfi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll" C:\Windows\SysWOW64\Ceckcp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Defbnajo.dll" C:\Windows\SysWOW64\Ffkjlp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgnkd32.dll" C:\Windows\SysWOW64\Nfgmjqop.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll" C:\Windows\SysWOW64\Beglgani.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dknpmdfc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gbdgfa32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Iblfnn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Melnob32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Mgkjhe32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Bdolhc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Collmj32.dll" C:\Windows\SysWOW64\Edpnfo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jplfcpin.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Mdmnlj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kboeke32.dll" C:\Windows\SysWOW64\Acjclpcf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjljbfog.dll" C:\Windows\SysWOW64\Fkciihgg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lekehdgp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Anogiicl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Djgjlelk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Deagdn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldamee32.dll" C:\Windows\SysWOW64\Ogbipa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll" C:\Windows\SysWOW64\Aqncedbp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aqncedbp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll" C:\Windows\SysWOW64\Ajkaii32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aahamf32.dll" C:\Windows\SysWOW64\Aaqgek32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnenbk32.dll" C:\Windows\SysWOW64\Cbjoljdo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olpppj32.dll" C:\Windows\SysWOW64\Hkdbpe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Icnpmp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Mlopkm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Oflgep32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll" C:\Windows\SysWOW64\Bfkedibe.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Cbjoljdo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjgaigfg.dll" C:\Windows\SysWOW64\Ndfqbhia.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Pcbmka32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bjagjhnc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Qjpiha32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppelifin.dll" C:\Windows\SysWOW64\Qajadlja.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Fojlngce.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lboeaifi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bfabnjjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll" C:\Windows\SysWOW64\Bfabnjjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlgnafam.dll" C:\Windows\SysWOW64\Dhidjpqc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Fdgdgnbm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gkoiefmj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iledokkp.dll" C:\Windows\SysWOW64\Ildkgc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olcjhi32.dll" C:\Windows\SysWOW64\Mgkjhe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahicipe.dll" C:\Windows\SysWOW64\Aglemn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Pdpmpdbd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Peqcjkfp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqlbaq32.dll" C:\Windows\SysWOW64\Gcojed32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdmann32.dll" C:\Windows\SysWOW64\Gfngap32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gofkje32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jfeopj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Lpcfkm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Bhikcb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cogmkl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clhkicgk.dll" C:\Windows\SysWOW64\Gdcdbl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idodkeom.dll" C:\Windows\SysWOW64\Mnebeogl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pnonbk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Aqkgpedc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khchklef.dll" C:\Windows\SysWOW64\Jpnchp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qceiaa32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 836 wrote to memory of 3092 N/A C:\Users\Admin\AppData\Local\Temp\0b691cbfb9e3c0cf7593c3d31c2d7f00_NeikiAnalytics.exe C:\Windows\SysWOW64\Okjbpglo.exe
PID 836 wrote to memory of 3092 N/A C:\Users\Admin\AppData\Local\Temp\0b691cbfb9e3c0cf7593c3d31c2d7f00_NeikiAnalytics.exe C:\Windows\SysWOW64\Okjbpglo.exe
PID 836 wrote to memory of 3092 N/A C:\Users\Admin\AppData\Local\Temp\0b691cbfb9e3c0cf7593c3d31c2d7f00_NeikiAnalytics.exe C:\Windows\SysWOW64\Okjbpglo.exe
PID 3092 wrote to memory of 2152 N/A C:\Windows\SysWOW64\Okjbpglo.exe C:\Windows\SysWOW64\Onholckc.exe
PID 3092 wrote to memory of 2152 N/A C:\Windows\SysWOW64\Okjbpglo.exe C:\Windows\SysWOW64\Onholckc.exe
PID 3092 wrote to memory of 2152 N/A C:\Windows\SysWOW64\Okjbpglo.exe C:\Windows\SysWOW64\Onholckc.exe
PID 2152 wrote to memory of 4496 N/A C:\Windows\SysWOW64\Onholckc.exe C:\Windows\SysWOW64\Oqgkhnjf.exe
PID 2152 wrote to memory of 4496 N/A C:\Windows\SysWOW64\Onholckc.exe C:\Windows\SysWOW64\Oqgkhnjf.exe
PID 2152 wrote to memory of 4496 N/A C:\Windows\SysWOW64\Onholckc.exe C:\Windows\SysWOW64\Oqgkhnjf.exe
PID 4496 wrote to memory of 1012 N/A C:\Windows\SysWOW64\Oqgkhnjf.exe C:\Windows\SysWOW64\Ogaceh32.exe
PID 4496 wrote to memory of 1012 N/A C:\Windows\SysWOW64\Oqgkhnjf.exe C:\Windows\SysWOW64\Ogaceh32.exe
PID 4496 wrote to memory of 1012 N/A C:\Windows\SysWOW64\Oqgkhnjf.exe C:\Windows\SysWOW64\Ogaceh32.exe
PID 1012 wrote to memory of 4768 N/A C:\Windows\SysWOW64\Ogaceh32.exe C:\Windows\SysWOW64\Ojopad32.exe
PID 1012 wrote to memory of 4768 N/A C:\Windows\SysWOW64\Ogaceh32.exe C:\Windows\SysWOW64\Ojopad32.exe
PID 1012 wrote to memory of 4768 N/A C:\Windows\SysWOW64\Ogaceh32.exe C:\Windows\SysWOW64\Ojopad32.exe
PID 4768 wrote to memory of 888 N/A C:\Windows\SysWOW64\Ojopad32.exe C:\Windows\SysWOW64\Okolkg32.exe
PID 4768 wrote to memory of 888 N/A C:\Windows\SysWOW64\Ojopad32.exe C:\Windows\SysWOW64\Okolkg32.exe
PID 4768 wrote to memory of 888 N/A C:\Windows\SysWOW64\Ojopad32.exe C:\Windows\SysWOW64\Okolkg32.exe
PID 888 wrote to memory of 336 N/A C:\Windows\SysWOW64\Okolkg32.exe C:\Windows\SysWOW64\Obidhaog.exe
PID 888 wrote to memory of 336 N/A C:\Windows\SysWOW64\Okolkg32.exe C:\Windows\SysWOW64\Obidhaog.exe
PID 888 wrote to memory of 336 N/A C:\Windows\SysWOW64\Okolkg32.exe C:\Windows\SysWOW64\Obidhaog.exe
PID 336 wrote to memory of 4232 N/A C:\Windows\SysWOW64\Obidhaog.exe C:\Windows\SysWOW64\Pgemphmn.exe
PID 336 wrote to memory of 4232 N/A C:\Windows\SysWOW64\Obidhaog.exe C:\Windows\SysWOW64\Pgemphmn.exe
PID 336 wrote to memory of 4232 N/A C:\Windows\SysWOW64\Obidhaog.exe C:\Windows\SysWOW64\Pgemphmn.exe
PID 4232 wrote to memory of 3000 N/A C:\Windows\SysWOW64\Pgemphmn.exe C:\Windows\SysWOW64\Pclneicb.exe
PID 4232 wrote to memory of 3000 N/A C:\Windows\SysWOW64\Pgemphmn.exe C:\Windows\SysWOW64\Pclneicb.exe
PID 4232 wrote to memory of 3000 N/A C:\Windows\SysWOW64\Pgemphmn.exe C:\Windows\SysWOW64\Pclneicb.exe
PID 3000 wrote to memory of 1472 N/A C:\Windows\SysWOW64\Pclneicb.exe C:\Windows\SysWOW64\Pbmncp32.exe
PID 3000 wrote to memory of 1472 N/A C:\Windows\SysWOW64\Pclneicb.exe C:\Windows\SysWOW64\Pbmncp32.exe
PID 3000 wrote to memory of 1472 N/A C:\Windows\SysWOW64\Pclneicb.exe C:\Windows\SysWOW64\Pbmncp32.exe
PID 1472 wrote to memory of 452 N/A C:\Windows\SysWOW64\Pbmncp32.exe C:\Windows\SysWOW64\Pcojkhap.exe
PID 1472 wrote to memory of 452 N/A C:\Windows\SysWOW64\Pbmncp32.exe C:\Windows\SysWOW64\Pcojkhap.exe
PID 1472 wrote to memory of 452 N/A C:\Windows\SysWOW64\Pbmncp32.exe C:\Windows\SysWOW64\Pcojkhap.exe
PID 452 wrote to memory of 1692 N/A C:\Windows\SysWOW64\Pcojkhap.exe C:\Windows\SysWOW64\Pjhbgb32.exe
PID 452 wrote to memory of 1692 N/A C:\Windows\SysWOW64\Pcojkhap.exe C:\Windows\SysWOW64\Pjhbgb32.exe
PID 452 wrote to memory of 1692 N/A C:\Windows\SysWOW64\Pcojkhap.exe C:\Windows\SysWOW64\Pjhbgb32.exe
PID 1692 wrote to memory of 1288 N/A C:\Windows\SysWOW64\Pjhbgb32.exe C:\Windows\SysWOW64\Pcagphom.exe
PID 1692 wrote to memory of 1288 N/A C:\Windows\SysWOW64\Pjhbgb32.exe C:\Windows\SysWOW64\Pcagphom.exe
PID 1692 wrote to memory of 1288 N/A C:\Windows\SysWOW64\Pjhbgb32.exe C:\Windows\SysWOW64\Pcagphom.exe
PID 1288 wrote to memory of 1904 N/A C:\Windows\SysWOW64\Pcagphom.exe C:\Windows\SysWOW64\Pbbgnpgl.exe
PID 1288 wrote to memory of 1904 N/A C:\Windows\SysWOW64\Pcagphom.exe C:\Windows\SysWOW64\Pbbgnpgl.exe
PID 1288 wrote to memory of 1904 N/A C:\Windows\SysWOW64\Pcagphom.exe C:\Windows\SysWOW64\Pbbgnpgl.exe
PID 1904 wrote to memory of 4500 N/A C:\Windows\SysWOW64\Pbbgnpgl.exe C:\Windows\SysWOW64\Peqcjkfp.exe
PID 1904 wrote to memory of 4500 N/A C:\Windows\SysWOW64\Pbbgnpgl.exe C:\Windows\SysWOW64\Peqcjkfp.exe
PID 1904 wrote to memory of 4500 N/A C:\Windows\SysWOW64\Pbbgnpgl.exe C:\Windows\SysWOW64\Peqcjkfp.exe
PID 4500 wrote to memory of 860 N/A C:\Windows\SysWOW64\Peqcjkfp.exe C:\Windows\SysWOW64\Pjmlbbdg.exe
PID 4500 wrote to memory of 860 N/A C:\Windows\SysWOW64\Peqcjkfp.exe C:\Windows\SysWOW64\Pjmlbbdg.exe
PID 4500 wrote to memory of 860 N/A C:\Windows\SysWOW64\Peqcjkfp.exe C:\Windows\SysWOW64\Pjmlbbdg.exe
PID 860 wrote to memory of 2876 N/A C:\Windows\SysWOW64\Pjmlbbdg.exe C:\Windows\SysWOW64\Qecppkdm.exe
PID 860 wrote to memory of 2876 N/A C:\Windows\SysWOW64\Pjmlbbdg.exe C:\Windows\SysWOW64\Qecppkdm.exe
PID 860 wrote to memory of 2876 N/A C:\Windows\SysWOW64\Pjmlbbdg.exe C:\Windows\SysWOW64\Qecppkdm.exe
PID 2876 wrote to memory of 1676 N/A C:\Windows\SysWOW64\Qecppkdm.exe C:\Windows\SysWOW64\Qjpiha32.exe
PID 2876 wrote to memory of 1676 N/A C:\Windows\SysWOW64\Qecppkdm.exe C:\Windows\SysWOW64\Qjpiha32.exe
PID 2876 wrote to memory of 1676 N/A C:\Windows\SysWOW64\Qecppkdm.exe C:\Windows\SysWOW64\Qjpiha32.exe
PID 1676 wrote to memory of 1204 N/A C:\Windows\SysWOW64\Qjpiha32.exe C:\Windows\SysWOW64\Qajadlja.exe
PID 1676 wrote to memory of 1204 N/A C:\Windows\SysWOW64\Qjpiha32.exe C:\Windows\SysWOW64\Qajadlja.exe
PID 1676 wrote to memory of 1204 N/A C:\Windows\SysWOW64\Qjpiha32.exe C:\Windows\SysWOW64\Qajadlja.exe
PID 1204 wrote to memory of 2856 N/A C:\Windows\SysWOW64\Qajadlja.exe C:\Windows\SysWOW64\Qjbena32.exe
PID 1204 wrote to memory of 2856 N/A C:\Windows\SysWOW64\Qajadlja.exe C:\Windows\SysWOW64\Qjbena32.exe
PID 1204 wrote to memory of 2856 N/A C:\Windows\SysWOW64\Qajadlja.exe C:\Windows\SysWOW64\Qjbena32.exe
PID 2856 wrote to memory of 5024 N/A C:\Windows\SysWOW64\Qjbena32.exe C:\Windows\SysWOW64\Qalnjkgo.exe
PID 2856 wrote to memory of 5024 N/A C:\Windows\SysWOW64\Qjbena32.exe C:\Windows\SysWOW64\Qalnjkgo.exe
PID 2856 wrote to memory of 5024 N/A C:\Windows\SysWOW64\Qjbena32.exe C:\Windows\SysWOW64\Qalnjkgo.exe
PID 5024 wrote to memory of 1252 N/A C:\Windows\SysWOW64\Qalnjkgo.exe C:\Windows\SysWOW64\Alabgd32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0b691cbfb9e3c0cf7593c3d31c2d7f00_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\0b691cbfb9e3c0cf7593c3d31c2d7f00_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Okjbpglo.exe

C:\Windows\system32\Okjbpglo.exe

C:\Windows\SysWOW64\Onholckc.exe

C:\Windows\system32\Onholckc.exe

C:\Windows\SysWOW64\Oqgkhnjf.exe

C:\Windows\system32\Oqgkhnjf.exe

C:\Windows\SysWOW64\Ogaceh32.exe

C:\Windows\system32\Ogaceh32.exe

C:\Windows\SysWOW64\Ojopad32.exe

C:\Windows\system32\Ojopad32.exe

C:\Windows\SysWOW64\Okolkg32.exe

C:\Windows\system32\Okolkg32.exe

C:\Windows\SysWOW64\Obidhaog.exe

C:\Windows\system32\Obidhaog.exe

C:\Windows\SysWOW64\Pgemphmn.exe

C:\Windows\system32\Pgemphmn.exe

C:\Windows\SysWOW64\Pclneicb.exe

C:\Windows\system32\Pclneicb.exe

C:\Windows\SysWOW64\Pbmncp32.exe

C:\Windows\system32\Pbmncp32.exe

C:\Windows\SysWOW64\Pcojkhap.exe

C:\Windows\system32\Pcojkhap.exe

C:\Windows\SysWOW64\Pjhbgb32.exe

C:\Windows\system32\Pjhbgb32.exe

C:\Windows\SysWOW64\Pcagphom.exe

C:\Windows\system32\Pcagphom.exe

C:\Windows\SysWOW64\Pbbgnpgl.exe

C:\Windows\system32\Pbbgnpgl.exe

C:\Windows\SysWOW64\Peqcjkfp.exe

C:\Windows\system32\Peqcjkfp.exe

C:\Windows\SysWOW64\Pjmlbbdg.exe

C:\Windows\system32\Pjmlbbdg.exe

C:\Windows\SysWOW64\Qecppkdm.exe

C:\Windows\system32\Qecppkdm.exe

C:\Windows\SysWOW64\Qjpiha32.exe

C:\Windows\system32\Qjpiha32.exe

C:\Windows\SysWOW64\Qajadlja.exe

C:\Windows\system32\Qajadlja.exe

C:\Windows\SysWOW64\Qjbena32.exe

C:\Windows\system32\Qjbena32.exe

C:\Windows\SysWOW64\Qalnjkgo.exe

C:\Windows\system32\Qalnjkgo.exe

C:\Windows\SysWOW64\Alabgd32.exe

C:\Windows\system32\Alabgd32.exe

C:\Windows\SysWOW64\Aejfpjne.exe

C:\Windows\system32\Aejfpjne.exe

C:\Windows\SysWOW64\Aldomc32.exe

C:\Windows\system32\Aldomc32.exe

C:\Windows\SysWOW64\Aaqgek32.exe

C:\Windows\system32\Aaqgek32.exe

C:\Windows\SysWOW64\Ahkobekf.exe

C:\Windows\system32\Ahkobekf.exe

C:\Windows\SysWOW64\Aeopki32.exe

C:\Windows\system32\Aeopki32.exe

C:\Windows\SysWOW64\Ajkhdp32.exe

C:\Windows\system32\Ajkhdp32.exe

C:\Windows\SysWOW64\Aaepqjpd.exe

C:\Windows\system32\Aaepqjpd.exe

C:\Windows\SysWOW64\Aniajnnn.exe

C:\Windows\system32\Aniajnnn.exe

C:\Windows\SysWOW64\Bhaebcen.exe

C:\Windows\system32\Bhaebcen.exe

C:\Windows\SysWOW64\Bnlnon32.exe

C:\Windows\system32\Bnlnon32.exe

C:\Windows\SysWOW64\Bdhfhe32.exe

C:\Windows\system32\Bdhfhe32.exe

C:\Windows\SysWOW64\Bnnjen32.exe

C:\Windows\system32\Bnnjen32.exe

C:\Windows\SysWOW64\Bbifelba.exe

C:\Windows\system32\Bbifelba.exe

C:\Windows\SysWOW64\Bdkcmdhp.exe

C:\Windows\system32\Bdkcmdhp.exe

C:\Windows\SysWOW64\Bhfonc32.exe

C:\Windows\system32\Bhfonc32.exe

C:\Windows\SysWOW64\Bopgjmhe.exe

C:\Windows\system32\Bopgjmhe.exe

C:\Windows\SysWOW64\Bejogg32.exe

C:\Windows\system32\Bejogg32.exe

C:\Windows\SysWOW64\Bhikcb32.exe

C:\Windows\system32\Bhikcb32.exe

C:\Windows\SysWOW64\Bbnpqk32.exe

C:\Windows\system32\Bbnpqk32.exe

C:\Windows\SysWOW64\Bdolhc32.exe

C:\Windows\system32\Bdolhc32.exe

C:\Windows\SysWOW64\Bkidenlg.exe

C:\Windows\system32\Bkidenlg.exe

C:\Windows\SysWOW64\Cbqlfkmi.exe

C:\Windows\system32\Cbqlfkmi.exe

C:\Windows\SysWOW64\Ceoibflm.exe

C:\Windows\system32\Ceoibflm.exe

C:\Windows\SysWOW64\Cliaoq32.exe

C:\Windows\system32\Cliaoq32.exe

C:\Windows\SysWOW64\Cogmkl32.exe

C:\Windows\system32\Cogmkl32.exe

C:\Windows\SysWOW64\Ceaehfjj.exe

C:\Windows\system32\Ceaehfjj.exe

C:\Windows\SysWOW64\Clkndpag.exe

C:\Windows\system32\Clkndpag.exe

C:\Windows\SysWOW64\Cojjqlpk.exe

C:\Windows\system32\Cojjqlpk.exe

C:\Windows\SysWOW64\Cecbmf32.exe

C:\Windows\system32\Cecbmf32.exe

C:\Windows\SysWOW64\Ckpjfm32.exe

C:\Windows\system32\Ckpjfm32.exe

C:\Windows\SysWOW64\Cbgbgj32.exe

C:\Windows\system32\Cbgbgj32.exe

C:\Windows\SysWOW64\Cdiooblp.exe

C:\Windows\system32\Cdiooblp.exe

C:\Windows\SysWOW64\Clpgpp32.exe

C:\Windows\system32\Clpgpp32.exe

C:\Windows\SysWOW64\Cbjoljdo.exe

C:\Windows\system32\Cbjoljdo.exe

C:\Windows\SysWOW64\Chghdqbf.exe

C:\Windows\system32\Chghdqbf.exe

C:\Windows\SysWOW64\Ckedalaj.exe

C:\Windows\system32\Ckedalaj.exe

C:\Windows\SysWOW64\Daolnf32.exe

C:\Windows\system32\Daolnf32.exe

C:\Windows\SysWOW64\Dhidjpqc.exe

C:\Windows\system32\Dhidjpqc.exe

C:\Windows\SysWOW64\Dkgqfl32.exe

C:\Windows\system32\Dkgqfl32.exe

C:\Windows\SysWOW64\Ddpeoafg.exe

C:\Windows\system32\Ddpeoafg.exe

C:\Windows\SysWOW64\Doeiljfn.exe

C:\Windows\system32\Doeiljfn.exe

C:\Windows\SysWOW64\Deoaid32.exe

C:\Windows\system32\Deoaid32.exe

C:\Windows\SysWOW64\Dlijfneg.exe

C:\Windows\system32\Dlijfneg.exe

C:\Windows\SysWOW64\Dccbbhld.exe

C:\Windows\system32\Dccbbhld.exe

C:\Windows\SysWOW64\Dddojq32.exe

C:\Windows\system32\Dddojq32.exe

C:\Windows\SysWOW64\Dkoggkjo.exe

C:\Windows\system32\Dkoggkjo.exe

C:\Windows\SysWOW64\Dahode32.exe

C:\Windows\system32\Dahode32.exe

C:\Windows\SysWOW64\Dlncan32.exe

C:\Windows\system32\Dlncan32.exe

C:\Windows\SysWOW64\Eolpmi32.exe

C:\Windows\system32\Eolpmi32.exe

C:\Windows\SysWOW64\Edihepnm.exe

C:\Windows\system32\Edihepnm.exe

C:\Windows\SysWOW64\Eoolbinc.exe

C:\Windows\system32\Eoolbinc.exe

C:\Windows\SysWOW64\Eamhodmf.exe

C:\Windows\system32\Eamhodmf.exe

C:\Windows\SysWOW64\Ehgqln32.exe

C:\Windows\system32\Ehgqln32.exe

C:\Windows\SysWOW64\Ekemhj32.exe

C:\Windows\system32\Ekemhj32.exe

C:\Windows\SysWOW64\Eekaebcm.exe

C:\Windows\system32\Eekaebcm.exe

C:\Windows\SysWOW64\Ehimanbq.exe

C:\Windows\system32\Ehimanbq.exe

C:\Windows\SysWOW64\Ekhjmiad.exe

C:\Windows\system32\Ekhjmiad.exe

C:\Windows\SysWOW64\Eabbjc32.exe

C:\Windows\system32\Eabbjc32.exe

C:\Windows\SysWOW64\Edpnfo32.exe

C:\Windows\system32\Edpnfo32.exe

C:\Windows\SysWOW64\Eofbch32.exe

C:\Windows\system32\Eofbch32.exe

C:\Windows\SysWOW64\Eadopc32.exe

C:\Windows\system32\Eadopc32.exe

C:\Windows\SysWOW64\Ehnglm32.exe

C:\Windows\system32\Ehnglm32.exe

C:\Windows\SysWOW64\Fkmchi32.exe

C:\Windows\system32\Fkmchi32.exe

C:\Windows\SysWOW64\Fcckif32.exe

C:\Windows\system32\Fcckif32.exe

C:\Windows\SysWOW64\Fhqcam32.exe

C:\Windows\system32\Fhqcam32.exe

C:\Windows\SysWOW64\Fojlngce.exe

C:\Windows\system32\Fojlngce.exe

C:\Windows\SysWOW64\Fdgdgnbm.exe

C:\Windows\system32\Fdgdgnbm.exe

C:\Windows\SysWOW64\Flnlhk32.exe

C:\Windows\system32\Flnlhk32.exe

C:\Windows\SysWOW64\Fchddejl.exe

C:\Windows\system32\Fchddejl.exe

C:\Windows\SysWOW64\Ffgqqaip.exe

C:\Windows\system32\Ffgqqaip.exe

C:\Windows\SysWOW64\Fhemmlhc.exe

C:\Windows\system32\Fhemmlhc.exe

C:\Windows\SysWOW64\Fkciihgg.exe

C:\Windows\system32\Fkciihgg.exe

C:\Windows\SysWOW64\Fooeif32.exe

C:\Windows\system32\Fooeif32.exe

C:\Windows\SysWOW64\Ffimfqgm.exe

C:\Windows\system32\Ffimfqgm.exe

C:\Windows\SysWOW64\Fdlnbm32.exe

C:\Windows\system32\Fdlnbm32.exe

C:\Windows\SysWOW64\Flceckoj.exe

C:\Windows\system32\Flceckoj.exe

C:\Windows\SysWOW64\Fcmnpe32.exe

C:\Windows\system32\Fcmnpe32.exe

C:\Windows\SysWOW64\Ffkjlp32.exe

C:\Windows\system32\Ffkjlp32.exe

C:\Windows\SysWOW64\Gkhbdg32.exe

C:\Windows\system32\Gkhbdg32.exe

C:\Windows\SysWOW64\Gcojed32.exe

C:\Windows\system32\Gcojed32.exe

C:\Windows\SysWOW64\Gfngap32.exe

C:\Windows\system32\Gfngap32.exe

C:\Windows\SysWOW64\Ghlcnk32.exe

C:\Windows\system32\Ghlcnk32.exe

C:\Windows\SysWOW64\Gofkje32.exe

C:\Windows\system32\Gofkje32.exe

C:\Windows\SysWOW64\Gbdgfa32.exe

C:\Windows\system32\Gbdgfa32.exe

C:\Windows\SysWOW64\Gdcdbl32.exe

C:\Windows\system32\Gdcdbl32.exe

C:\Windows\SysWOW64\Gmjlcj32.exe

C:\Windows\system32\Gmjlcj32.exe

C:\Windows\SysWOW64\Gohhpe32.exe

C:\Windows\system32\Gohhpe32.exe

C:\Windows\SysWOW64\Gbgdlq32.exe

C:\Windows\system32\Gbgdlq32.exe

C:\Windows\SysWOW64\Ghaliknf.exe

C:\Windows\system32\Ghaliknf.exe

C:\Windows\SysWOW64\Gkoiefmj.exe

C:\Windows\system32\Gkoiefmj.exe

C:\Windows\SysWOW64\Gbiaapdf.exe

C:\Windows\system32\Gbiaapdf.exe

C:\Windows\SysWOW64\Gdhmnlcj.exe

C:\Windows\system32\Gdhmnlcj.exe

C:\Windows\SysWOW64\Gkaejf32.exe

C:\Windows\system32\Gkaejf32.exe

C:\Windows\SysWOW64\Gblngpbd.exe

C:\Windows\system32\Gblngpbd.exe

C:\Windows\SysWOW64\Hiefcj32.exe

C:\Windows\system32\Hiefcj32.exe

C:\Windows\SysWOW64\Hkdbpe32.exe

C:\Windows\system32\Hkdbpe32.exe

C:\Windows\SysWOW64\Hbnjmp32.exe

C:\Windows\system32\Hbnjmp32.exe

C:\Windows\SysWOW64\Helfik32.exe

C:\Windows\system32\Helfik32.exe

C:\Windows\SysWOW64\Hmcojh32.exe

C:\Windows\system32\Hmcojh32.exe

C:\Windows\SysWOW64\Hkfoeega.exe

C:\Windows\system32\Hkfoeega.exe

C:\Windows\SysWOW64\Hcmgfbhd.exe

C:\Windows\system32\Hcmgfbhd.exe

C:\Windows\SysWOW64\Hflcbngh.exe

C:\Windows\system32\Hflcbngh.exe

C:\Windows\SysWOW64\Heocnk32.exe

C:\Windows\system32\Heocnk32.exe

C:\Windows\SysWOW64\Hmfkoh32.exe

C:\Windows\system32\Hmfkoh32.exe

C:\Windows\SysWOW64\Hodgkc32.exe

C:\Windows\system32\Hodgkc32.exe

C:\Windows\SysWOW64\Hcpclbfa.exe

C:\Windows\system32\Hcpclbfa.exe

C:\Windows\SysWOW64\Hfnphn32.exe

C:\Windows\system32\Hfnphn32.exe

C:\Windows\SysWOW64\Himldi32.exe

C:\Windows\system32\Himldi32.exe

C:\Windows\SysWOW64\Hcbpab32.exe

C:\Windows\system32\Hcbpab32.exe

C:\Windows\SysWOW64\Hioiji32.exe

C:\Windows\system32\Hioiji32.exe

C:\Windows\SysWOW64\Hoiafcic.exe

C:\Windows\system32\Hoiafcic.exe

C:\Windows\SysWOW64\Iefioj32.exe

C:\Windows\system32\Iefioj32.exe

C:\Windows\SysWOW64\Ikpaldog.exe

C:\Windows\system32\Ikpaldog.exe

C:\Windows\SysWOW64\Iehfdi32.exe

C:\Windows\system32\Iehfdi32.exe

C:\Windows\SysWOW64\Ipnjab32.exe

C:\Windows\system32\Ipnjab32.exe

C:\Windows\SysWOW64\Iblfnn32.exe

C:\Windows\system32\Iblfnn32.exe

C:\Windows\SysWOW64\Iejcji32.exe

C:\Windows\system32\Iejcji32.exe

C:\Windows\SysWOW64\Imakkfdg.exe

C:\Windows\system32\Imakkfdg.exe

C:\Windows\SysWOW64\Ildkgc32.exe

C:\Windows\system32\Ildkgc32.exe

C:\Windows\SysWOW64\Ickchq32.exe

C:\Windows\system32\Ickchq32.exe

C:\Windows\SysWOW64\Ibnccmbo.exe

C:\Windows\system32\Ibnccmbo.exe

C:\Windows\SysWOW64\Iihkpg32.exe

C:\Windows\system32\Iihkpg32.exe

C:\Windows\SysWOW64\Ilghlc32.exe

C:\Windows\system32\Ilghlc32.exe

C:\Windows\SysWOW64\Icnpmp32.exe

C:\Windows\system32\Icnpmp32.exe

C:\Windows\SysWOW64\Ibqpimpl.exe

C:\Windows\system32\Ibqpimpl.exe

C:\Windows\SysWOW64\Ifllil32.exe

C:\Windows\system32\Ifllil32.exe

C:\Windows\SysWOW64\Iikhfg32.exe

C:\Windows\system32\Iikhfg32.exe

C:\Windows\SysWOW64\Ilidbbgl.exe

C:\Windows\system32\Ilidbbgl.exe

C:\Windows\SysWOW64\Ipdqba32.exe

C:\Windows\system32\Ipdqba32.exe

C:\Windows\SysWOW64\Ibcmom32.exe

C:\Windows\system32\Ibcmom32.exe

C:\Windows\SysWOW64\Jfoiokfb.exe

C:\Windows\system32\Jfoiokfb.exe

C:\Windows\SysWOW64\Jimekgff.exe

C:\Windows\system32\Jimekgff.exe

C:\Windows\SysWOW64\Jmhale32.exe

C:\Windows\system32\Jmhale32.exe

C:\Windows\SysWOW64\Jpgmha32.exe

C:\Windows\system32\Jpgmha32.exe

C:\Windows\SysWOW64\Jcbihpel.exe

C:\Windows\system32\Jcbihpel.exe

C:\Windows\SysWOW64\Jfaedkdp.exe

C:\Windows\system32\Jfaedkdp.exe

C:\Windows\SysWOW64\Jioaqfcc.exe

C:\Windows\system32\Jioaqfcc.exe

C:\Windows\SysWOW64\Jpijnqkp.exe

C:\Windows\system32\Jpijnqkp.exe

C:\Windows\SysWOW64\Jbhfjljd.exe

C:\Windows\system32\Jbhfjljd.exe

C:\Windows\SysWOW64\Jefbfgig.exe

C:\Windows\system32\Jefbfgig.exe

C:\Windows\SysWOW64\Jmmjgejj.exe

C:\Windows\system32\Jmmjgejj.exe

C:\Windows\SysWOW64\Jlpkba32.exe

C:\Windows\system32\Jlpkba32.exe

C:\Windows\SysWOW64\Jplfcpin.exe

C:\Windows\system32\Jplfcpin.exe

C:\Windows\SysWOW64\Jfeopj32.exe

C:\Windows\system32\Jfeopj32.exe

C:\Windows\SysWOW64\Jehokgge.exe

C:\Windows\system32\Jehokgge.exe

C:\Windows\SysWOW64\Jpnchp32.exe

C:\Windows\system32\Jpnchp32.exe

C:\Windows\SysWOW64\Jblpek32.exe

C:\Windows\system32\Jblpek32.exe

C:\Windows\SysWOW64\Jeklag32.exe

C:\Windows\system32\Jeklag32.exe

C:\Windows\SysWOW64\Jmbdbd32.exe

C:\Windows\system32\Jmbdbd32.exe

C:\Windows\SysWOW64\Jcllonma.exe

C:\Windows\system32\Jcllonma.exe

C:\Windows\SysWOW64\Kfjhkjle.exe

C:\Windows\system32\Kfjhkjle.exe

C:\Windows\SysWOW64\Kiidgeki.exe

C:\Windows\system32\Kiidgeki.exe

C:\Windows\SysWOW64\Klgqcqkl.exe

C:\Windows\system32\Klgqcqkl.exe

C:\Windows\SysWOW64\Kdnidn32.exe

C:\Windows\system32\Kdnidn32.exe

C:\Windows\SysWOW64\Klimip32.exe

C:\Windows\system32\Klimip32.exe

C:\Windows\SysWOW64\Kpeiioac.exe

C:\Windows\system32\Kpeiioac.exe

C:\Windows\SysWOW64\Kbceejpf.exe

C:\Windows\system32\Kbceejpf.exe

C:\Windows\SysWOW64\Kebbafoj.exe

C:\Windows\system32\Kebbafoj.exe

C:\Windows\SysWOW64\Klljnp32.exe

C:\Windows\system32\Klljnp32.exe

C:\Windows\SysWOW64\Kdcbom32.exe

C:\Windows\system32\Kdcbom32.exe

C:\Windows\SysWOW64\Kbfbkj32.exe

C:\Windows\system32\Kbfbkj32.exe

C:\Windows\SysWOW64\Kmkfhc32.exe

C:\Windows\system32\Kmkfhc32.exe

C:\Windows\SysWOW64\Klngdpdd.exe

C:\Windows\system32\Klngdpdd.exe

C:\Windows\SysWOW64\Kdeoemeg.exe

C:\Windows\system32\Kdeoemeg.exe

C:\Windows\SysWOW64\Kfckahdj.exe

C:\Windows\system32\Kfckahdj.exe

C:\Windows\SysWOW64\Kibgmdcn.exe

C:\Windows\system32\Kibgmdcn.exe

C:\Windows\SysWOW64\Klqcioba.exe

C:\Windows\system32\Klqcioba.exe

C:\Windows\SysWOW64\Kdgljmcd.exe

C:\Windows\system32\Kdgljmcd.exe

C:\Windows\SysWOW64\Lffhfh32.exe

C:\Windows\system32\Lffhfh32.exe

C:\Windows\SysWOW64\Liddbc32.exe

C:\Windows\system32\Liddbc32.exe

C:\Windows\SysWOW64\Lmppcbjd.exe

C:\Windows\system32\Lmppcbjd.exe

C:\Windows\SysWOW64\Lpnlpnih.exe

C:\Windows\system32\Lpnlpnih.exe

C:\Windows\SysWOW64\Lbmhlihl.exe

C:\Windows\system32\Lbmhlihl.exe

C:\Windows\SysWOW64\Lekehdgp.exe

C:\Windows\system32\Lekehdgp.exe

C:\Windows\SysWOW64\Ligqhc32.exe

C:\Windows\system32\Ligqhc32.exe

C:\Windows\SysWOW64\Llemdo32.exe

C:\Windows\system32\Llemdo32.exe

C:\Windows\SysWOW64\Ldleel32.exe

C:\Windows\system32\Ldleel32.exe

C:\Windows\SysWOW64\Lboeaifi.exe

C:\Windows\system32\Lboeaifi.exe

C:\Windows\SysWOW64\Lenamdem.exe

C:\Windows\system32\Lenamdem.exe

C:\Windows\SysWOW64\Liimncmf.exe

C:\Windows\system32\Liimncmf.exe

C:\Windows\SysWOW64\Lmdina32.exe

C:\Windows\system32\Lmdina32.exe

C:\Windows\SysWOW64\Lpcfkm32.exe

C:\Windows\system32\Lpcfkm32.exe

C:\Windows\SysWOW64\Lgmngglp.exe

C:\Windows\system32\Lgmngglp.exe

C:\Windows\SysWOW64\Likjcbkc.exe

C:\Windows\system32\Likjcbkc.exe

C:\Windows\SysWOW64\Lljfpnjg.exe

C:\Windows\system32\Lljfpnjg.exe

C:\Windows\SysWOW64\Lpebpm32.exe

C:\Windows\system32\Lpebpm32.exe

C:\Windows\SysWOW64\Ldanqkki.exe

C:\Windows\system32\Ldanqkki.exe

C:\Windows\SysWOW64\Lgokmgjm.exe

C:\Windows\system32\Lgokmgjm.exe

C:\Windows\SysWOW64\Lebkhc32.exe

C:\Windows\system32\Lebkhc32.exe

C:\Windows\SysWOW64\Lmiciaaj.exe

C:\Windows\system32\Lmiciaaj.exe

C:\Windows\SysWOW64\Lphoelqn.exe

C:\Windows\system32\Lphoelqn.exe

C:\Windows\SysWOW64\Mbfkbhpa.exe

C:\Windows\system32\Mbfkbhpa.exe

C:\Windows\SysWOW64\Mgagbf32.exe

C:\Windows\system32\Mgagbf32.exe

C:\Windows\SysWOW64\Mipcob32.exe

C:\Windows\system32\Mipcob32.exe

C:\Windows\SysWOW64\Mlopkm32.exe

C:\Windows\system32\Mlopkm32.exe

C:\Windows\SysWOW64\Mpjlklok.exe

C:\Windows\system32\Mpjlklok.exe

C:\Windows\SysWOW64\Mdehlk32.exe

C:\Windows\system32\Mdehlk32.exe

C:\Windows\SysWOW64\Mgddhf32.exe

C:\Windows\system32\Mgddhf32.exe

C:\Windows\SysWOW64\Mmnldp32.exe

C:\Windows\system32\Mmnldp32.exe

C:\Windows\SysWOW64\Mlampmdo.exe

C:\Windows\system32\Mlampmdo.exe

C:\Windows\SysWOW64\Mdhdajea.exe

C:\Windows\system32\Mdhdajea.exe

C:\Windows\SysWOW64\Mgfqmfde.exe

C:\Windows\system32\Mgfqmfde.exe

C:\Windows\SysWOW64\Meiaib32.exe

C:\Windows\system32\Meiaib32.exe

C:\Windows\SysWOW64\Mlcifmbl.exe

C:\Windows\system32\Mlcifmbl.exe

C:\Windows\SysWOW64\Mdjagjco.exe

C:\Windows\system32\Mdjagjco.exe

C:\Windows\SysWOW64\Mcmabg32.exe

C:\Windows\system32\Mcmabg32.exe

C:\Windows\SysWOW64\Melnob32.exe

C:\Windows\system32\Melnob32.exe

C:\Windows\SysWOW64\Mmbfpp32.exe

C:\Windows\system32\Mmbfpp32.exe

C:\Windows\SysWOW64\Mpablkhc.exe

C:\Windows\system32\Mpablkhc.exe

C:\Windows\SysWOW64\Mdmnlj32.exe

C:\Windows\system32\Mdmnlj32.exe

C:\Windows\SysWOW64\Mgkjhe32.exe

C:\Windows\system32\Mgkjhe32.exe

C:\Windows\SysWOW64\Miifeq32.exe

C:\Windows\system32\Miifeq32.exe

C:\Windows\SysWOW64\Mnebeogl.exe

C:\Windows\system32\Mnebeogl.exe

C:\Windows\SysWOW64\Ndokbi32.exe

C:\Windows\system32\Ndokbi32.exe

C:\Windows\SysWOW64\Ngmgne32.exe

C:\Windows\system32\Ngmgne32.exe

C:\Windows\SysWOW64\Npfkgjdn.exe

C:\Windows\system32\Npfkgjdn.exe

C:\Windows\SysWOW64\Nebdoa32.exe

C:\Windows\system32\Nebdoa32.exe

C:\Windows\SysWOW64\Nnjlpo32.exe

C:\Windows\system32\Nnjlpo32.exe

C:\Windows\SysWOW64\Ndcdmikd.exe

C:\Windows\system32\Ndcdmikd.exe

C:\Windows\SysWOW64\Njqmepik.exe

C:\Windows\system32\Njqmepik.exe

C:\Windows\SysWOW64\Ndfqbhia.exe

C:\Windows\system32\Ndfqbhia.exe

C:\Windows\SysWOW64\Nfgmjqop.exe

C:\Windows\system32\Nfgmjqop.exe

C:\Windows\SysWOW64\Npmagine.exe

C:\Windows\system32\Npmagine.exe

C:\Windows\SysWOW64\Ndhmhh32.exe

C:\Windows\system32\Ndhmhh32.exe

C:\Windows\SysWOW64\Nggjdc32.exe

C:\Windows\system32\Nggjdc32.exe

C:\Windows\SysWOW64\Nnqbanmo.exe

C:\Windows\system32\Nnqbanmo.exe

C:\Windows\SysWOW64\Ocnjidkf.exe

C:\Windows\system32\Ocnjidkf.exe

C:\Windows\SysWOW64\Oflgep32.exe

C:\Windows\system32\Oflgep32.exe

C:\Windows\SysWOW64\Oncofm32.exe

C:\Windows\system32\Oncofm32.exe

C:\Windows\SysWOW64\Ocpgod32.exe

C:\Windows\system32\Ocpgod32.exe

C:\Windows\SysWOW64\Ojjolnaq.exe

C:\Windows\system32\Ojjolnaq.exe

C:\Windows\SysWOW64\Opdghh32.exe

C:\Windows\system32\Opdghh32.exe

C:\Windows\SysWOW64\Ofqpqo32.exe

C:\Windows\system32\Ofqpqo32.exe

C:\Windows\SysWOW64\Ojllan32.exe

C:\Windows\system32\Ojllan32.exe

C:\Windows\SysWOW64\Oqfdnhfk.exe

C:\Windows\system32\Oqfdnhfk.exe

C:\Windows\SysWOW64\Ocdqjceo.exe

C:\Windows\system32\Ocdqjceo.exe

C:\Windows\SysWOW64\Onjegled.exe

C:\Windows\system32\Onjegled.exe

C:\Windows\SysWOW64\Ogbipa32.exe

C:\Windows\system32\Ogbipa32.exe

C:\Windows\SysWOW64\Ojaelm32.exe

C:\Windows\system32\Ojaelm32.exe

C:\Windows\SysWOW64\Pmoahijl.exe

C:\Windows\system32\Pmoahijl.exe

C:\Windows\SysWOW64\Pcijeb32.exe

C:\Windows\system32\Pcijeb32.exe

C:\Windows\SysWOW64\Pfhfan32.exe

C:\Windows\system32\Pfhfan32.exe

C:\Windows\SysWOW64\Pnonbk32.exe

C:\Windows\system32\Pnonbk32.exe

C:\Windows\SysWOW64\Pqmjog32.exe

C:\Windows\system32\Pqmjog32.exe

C:\Windows\SysWOW64\Pclgkb32.exe

C:\Windows\system32\Pclgkb32.exe

C:\Windows\SysWOW64\Pfjcgn32.exe

C:\Windows\system32\Pfjcgn32.exe

C:\Windows\SysWOW64\Pnakhkol.exe

C:\Windows\system32\Pnakhkol.exe

C:\Windows\SysWOW64\Pqpgdfnp.exe

C:\Windows\system32\Pqpgdfnp.exe

C:\Windows\SysWOW64\Pdkcde32.exe

C:\Windows\system32\Pdkcde32.exe

C:\Windows\SysWOW64\Pflplnlg.exe

C:\Windows\system32\Pflplnlg.exe

C:\Windows\SysWOW64\Pjhlml32.exe

C:\Windows\system32\Pjhlml32.exe

C:\Windows\SysWOW64\Pmfhig32.exe

C:\Windows\system32\Pmfhig32.exe

C:\Windows\SysWOW64\Pdmpje32.exe

C:\Windows\system32\Pdmpje32.exe

C:\Windows\SysWOW64\Pgllfp32.exe

C:\Windows\system32\Pgllfp32.exe

C:\Windows\SysWOW64\Pjjhbl32.exe

C:\Windows\system32\Pjjhbl32.exe

C:\Windows\SysWOW64\Pmidog32.exe

C:\Windows\system32\Pmidog32.exe

C:\Windows\SysWOW64\Pdpmpdbd.exe

C:\Windows\system32\Pdpmpdbd.exe

C:\Windows\SysWOW64\Pcbmka32.exe

C:\Windows\system32\Pcbmka32.exe

C:\Windows\SysWOW64\Qnhahj32.exe

C:\Windows\system32\Qnhahj32.exe

C:\Windows\SysWOW64\Qqfmde32.exe

C:\Windows\system32\Qqfmde32.exe

C:\Windows\SysWOW64\Qceiaa32.exe

C:\Windows\system32\Qceiaa32.exe

C:\Windows\SysWOW64\Qfcfml32.exe

C:\Windows\system32\Qfcfml32.exe

C:\Windows\SysWOW64\Qqijje32.exe

C:\Windows\system32\Qqijje32.exe

C:\Windows\SysWOW64\Qcgffqei.exe

C:\Windows\system32\Qcgffqei.exe

C:\Windows\SysWOW64\Qgcbgo32.exe

C:\Windows\system32\Qgcbgo32.exe

C:\Windows\SysWOW64\Ajanck32.exe

C:\Windows\system32\Ajanck32.exe

C:\Windows\SysWOW64\Ampkof32.exe

C:\Windows\system32\Ampkof32.exe

C:\Windows\SysWOW64\Aqkgpedc.exe

C:\Windows\system32\Aqkgpedc.exe

C:\Windows\SysWOW64\Acjclpcf.exe

C:\Windows\system32\Acjclpcf.exe

C:\Windows\SysWOW64\Afhohlbj.exe

C:\Windows\system32\Afhohlbj.exe

C:\Windows\SysWOW64\Anogiicl.exe

C:\Windows\system32\Anogiicl.exe

C:\Windows\SysWOW64\Aqncedbp.exe

C:\Windows\system32\Aqncedbp.exe

C:\Windows\SysWOW64\Aclpap32.exe

C:\Windows\system32\Aclpap32.exe

C:\Windows\SysWOW64\Afjlnk32.exe

C:\Windows\system32\Afjlnk32.exe

C:\Windows\SysWOW64\Anadoi32.exe

C:\Windows\system32\Anadoi32.exe

C:\Windows\SysWOW64\Aqppkd32.exe

C:\Windows\system32\Aqppkd32.exe

C:\Windows\SysWOW64\Acnlgp32.exe

C:\Windows\system32\Acnlgp32.exe

C:\Windows\SysWOW64\Afmhck32.exe

C:\Windows\system32\Afmhck32.exe

C:\Windows\SysWOW64\Ajhddjfn.exe

C:\Windows\system32\Ajhddjfn.exe

C:\Windows\SysWOW64\Andqdh32.exe

C:\Windows\system32\Andqdh32.exe

C:\Windows\SysWOW64\Aabmqd32.exe

C:\Windows\system32\Aabmqd32.exe

C:\Windows\SysWOW64\Acqimo32.exe

C:\Windows\system32\Acqimo32.exe

C:\Windows\SysWOW64\Aglemn32.exe

C:\Windows\system32\Aglemn32.exe

C:\Windows\SysWOW64\Ajkaii32.exe

C:\Windows\system32\Ajkaii32.exe

C:\Windows\SysWOW64\Anfmjhmd.exe

C:\Windows\system32\Anfmjhmd.exe

C:\Windows\SysWOW64\Aminee32.exe

C:\Windows\system32\Aminee32.exe

C:\Windows\SysWOW64\Aepefb32.exe

C:\Windows\system32\Aepefb32.exe

C:\Windows\SysWOW64\Accfbokl.exe

C:\Windows\system32\Accfbokl.exe

C:\Windows\SysWOW64\Bfabnjjp.exe

C:\Windows\system32\Bfabnjjp.exe

C:\Windows\SysWOW64\Bjmnoi32.exe

C:\Windows\system32\Bjmnoi32.exe

C:\Windows\SysWOW64\Bmkjkd32.exe

C:\Windows\system32\Bmkjkd32.exe

C:\Windows\SysWOW64\Bagflcje.exe

C:\Windows\system32\Bagflcje.exe

C:\Windows\SysWOW64\Bebblb32.exe

C:\Windows\system32\Bebblb32.exe

C:\Windows\SysWOW64\Bganhm32.exe

C:\Windows\system32\Bganhm32.exe

C:\Windows\SysWOW64\Bjokdipf.exe

C:\Windows\system32\Bjokdipf.exe

C:\Windows\SysWOW64\Bnkgeg32.exe

C:\Windows\system32\Bnkgeg32.exe

C:\Windows\SysWOW64\Baicac32.exe

C:\Windows\system32\Baicac32.exe

C:\Windows\SysWOW64\Beeoaapl.exe

C:\Windows\system32\Beeoaapl.exe

C:\Windows\SysWOW64\Bgcknmop.exe

C:\Windows\system32\Bgcknmop.exe

C:\Windows\SysWOW64\Bjagjhnc.exe

C:\Windows\system32\Bjagjhnc.exe

C:\Windows\SysWOW64\Bnmcjg32.exe

C:\Windows\system32\Bnmcjg32.exe

C:\Windows\SysWOW64\Balpgb32.exe

C:\Windows\system32\Balpgb32.exe

C:\Windows\SysWOW64\Beglgani.exe

C:\Windows\system32\Beglgani.exe

C:\Windows\SysWOW64\Bgehcmmm.exe

C:\Windows\system32\Bgehcmmm.exe

C:\Windows\SysWOW64\Bjddphlq.exe

C:\Windows\system32\Bjddphlq.exe

C:\Windows\SysWOW64\Bnpppgdj.exe

C:\Windows\system32\Bnpppgdj.exe

C:\Windows\SysWOW64\Banllbdn.exe

C:\Windows\system32\Banllbdn.exe

C:\Windows\SysWOW64\Beihma32.exe

C:\Windows\system32\Beihma32.exe

C:\Windows\SysWOW64\Bclhhnca.exe

C:\Windows\system32\Bclhhnca.exe

C:\Windows\SysWOW64\Bfkedibe.exe

C:\Windows\system32\Bfkedibe.exe

C:\Windows\SysWOW64\Bnbmefbg.exe

C:\Windows\system32\Bnbmefbg.exe

C:\Windows\SysWOW64\Bapiabak.exe

C:\Windows\system32\Bapiabak.exe

C:\Windows\SysWOW64\Belebq32.exe

C:\Windows\system32\Belebq32.exe

C:\Windows\SysWOW64\Chjaol32.exe

C:\Windows\system32\Chjaol32.exe

C:\Windows\SysWOW64\Cjinkg32.exe

C:\Windows\system32\Cjinkg32.exe

C:\Windows\SysWOW64\Cndikf32.exe

C:\Windows\system32\Cndikf32.exe

C:\Windows\SysWOW64\Cabfga32.exe

C:\Windows\system32\Cabfga32.exe

C:\Windows\SysWOW64\Cdabcm32.exe

C:\Windows\system32\Cdabcm32.exe

C:\Windows\SysWOW64\Cjkjpgfi.exe

C:\Windows\system32\Cjkjpgfi.exe

C:\Windows\SysWOW64\Caebma32.exe

C:\Windows\system32\Caebma32.exe

C:\Windows\SysWOW64\Ceqnmpfo.exe

C:\Windows\system32\Ceqnmpfo.exe

C:\Windows\SysWOW64\Cfbkeh32.exe

C:\Windows\system32\Cfbkeh32.exe

C:\Windows\SysWOW64\Cnicfe32.exe

C:\Windows\system32\Cnicfe32.exe

C:\Windows\SysWOW64\Cagobalc.exe

C:\Windows\system32\Cagobalc.exe

C:\Windows\SysWOW64\Ceckcp32.exe

C:\Windows\system32\Ceckcp32.exe

C:\Windows\SysWOW64\Chagok32.exe

C:\Windows\system32\Chagok32.exe

C:\Windows\SysWOW64\Cjpckf32.exe

C:\Windows\system32\Cjpckf32.exe

C:\Windows\SysWOW64\Cmnpgb32.exe

C:\Windows\system32\Cmnpgb32.exe

C:\Windows\SysWOW64\Chcddk32.exe

C:\Windows\system32\Chcddk32.exe

C:\Windows\SysWOW64\Calhnpgn.exe

C:\Windows\system32\Calhnpgn.exe

C:\Windows\SysWOW64\Ddjejl32.exe

C:\Windows\system32\Ddjejl32.exe

C:\Windows\SysWOW64\Dopigd32.exe

C:\Windows\system32\Dopigd32.exe

C:\Windows\SysWOW64\Dejacond.exe

C:\Windows\system32\Dejacond.exe

C:\Windows\SysWOW64\Djgjlelk.exe

C:\Windows\system32\Djgjlelk.exe

C:\Windows\SysWOW64\Dmefhako.exe

C:\Windows\system32\Dmefhako.exe

C:\Windows\SysWOW64\Daqbip32.exe

C:\Windows\system32\Daqbip32.exe

C:\Windows\SysWOW64\Dfnjafap.exe

C:\Windows\system32\Dfnjafap.exe

C:\Windows\SysWOW64\Daconoae.exe

C:\Windows\system32\Daconoae.exe

C:\Windows\SysWOW64\Deokon32.exe

C:\Windows\system32\Deokon32.exe

C:\Windows\SysWOW64\Dhmgki32.exe

C:\Windows\system32\Dhmgki32.exe

C:\Windows\SysWOW64\Dfpgffpm.exe

C:\Windows\system32\Dfpgffpm.exe

C:\Windows\SysWOW64\Dogogcpo.exe

C:\Windows\system32\Dogogcpo.exe

C:\Windows\SysWOW64\Dmjocp32.exe

C:\Windows\system32\Dmjocp32.exe

C:\Windows\SysWOW64\Deagdn32.exe

C:\Windows\system32\Deagdn32.exe

C:\Windows\SysWOW64\Dddhpjof.exe

C:\Windows\system32\Dddhpjof.exe

C:\Windows\SysWOW64\Dgbdlf32.exe

C:\Windows\system32\Dgbdlf32.exe

C:\Windows\SysWOW64\Dknpmdfc.exe

C:\Windows\system32\Dknpmdfc.exe

C:\Windows\SysWOW64\Dmllipeg.exe

C:\Windows\system32\Dmllipeg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 9324 -ip 9324

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 9324 -s 416

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp

Files

memory/836-0-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Okjbpglo.exe

MD5 939bb1b39458fdadfc765ff7e6647b52
SHA1 35b26382b99d4b958ab27d91871f47752bd17ad3
SHA256 7a8b3c7e1e8840c01858b2b8814ea6ba874c46b4deb3f00386bd4bffeb5ba166
SHA512 1bf248af7c86beb9043abb5fad603833f7d75b018febc6e873b782557762df96fc8afcb24eb74000372784e10589641dad2fc04559d43d15c601063c6c100a8d

C:\Windows\SysWOW64\Onholckc.exe

MD5 adecc417737203a2b3b40b97c849e1f2
SHA1 b43f45af33d131be9d69b5a2961ce376a3d0d94a
SHA256 07d4106ec33db2132075050fb1d8a43990eb20a520dddd1f3ebcc17820f0095a
SHA512 bb8720a4656c3c606233ebf66efd7f385d81cfca15a2669966c6f5d9ca4f87b7fa36b2e27e90e88c6e49515f3306097fb9549c350de55516c2da89dad3c38d03

memory/2152-20-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3092-12-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4496-28-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ogaceh32.exe

MD5 ec07c92b3e661e90a7d3faf44d65bfa3
SHA1 120b897aa665cee1c47fef93bcda1df4986598ea
SHA256 b0d0e33af18f9d827b825b1c8d16aa60c9837b69cd0d3cd972450b865095f3fe
SHA512 10a7d514df5d20347e9eb5ab42d4d52b4e8400581f08f05f935fefb81523911f99f2de1687a4a30a55dd3b5158e8703f0607c99e584723d1218488a40fef2d96

memory/1012-36-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ojopad32.exe

MD5 f517485281f67f003953fd0d395ef93a
SHA1 e6ab81110421c2865c389b6c003b603add2f184f
SHA256 a21772760022cddc7eb60f7e2f3d6555e2633e0f5d8f2416f8449e369d7ed389
SHA512 2827170914a5bb62493bafafe9c7f6f8c2f056775efad784dedc3827527cb1537cbd2788faee62a75ac9e9b13514ffe2b73fd3a202132fc1d07ceb590df6a36c

memory/4768-40-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Qgphkcho.dll

MD5 5350fffeb6aed09123c97d93bccccd96
SHA1 4ea12c1cb3a7e95372c0476c501493593072790e
SHA256 c6d861df1a8214c1fc9423d50c212748e300c83faf4b0d1d94dde48d94f8f9a7
SHA512 38012da8c857ea62ba2b1befe54b6ff5cb80b7152ba0c4dd9c783e304f9243a6c9d385d77b002cf73d905fcd3c20ae19eec0f8f72be4d5a2fc0e34b6620ec1cd

C:\Windows\SysWOW64\Oqgkhnjf.exe

MD5 6dfa4eaf1afb3ab2178b89f4a76861fb
SHA1 f506404355d8a99a28895a9ae8c1287fba70fd3c
SHA256 11b096bdce8d675a2d30c5be9f9ad414bdd429930e761dd872162f0aebf7a562
SHA512 7a4fdcaef2aacb628a465debf84973419f33f5cdcfe38437046b81ac70355e31eb714f45427d0773277e6e4281e9efae463ec5baffd938b8f5188b7d8cf777e9

C:\Windows\SysWOW64\Okolkg32.exe

MD5 b3645eee553b94aa3108d2ea75097b89
SHA1 cca022a984505e3de2d94484389ea641f989ce7a
SHA256 386684c2a5ced57603c5cccecf39a13b726eb8057aae7ec3cde27a04153ab6f1
SHA512 9fb31b3989f2836f3108cedcb08bafc5f0e7502b016bb5d1dcb72c545749b6ad35b6d19ddbf1c8068e4202fbaeba5be4c4528d27b8ff4b22b1e0ff0d219a9690

memory/888-48-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Obidhaog.exe

MD5 71e87174383dff51298011f8495224f1
SHA1 c1c41ead8b60c48e89dea8004cb5bb9bf5bcc37e
SHA256 32d5d81d478f54f77ac9bd7fa5fb425a2a2ffb9a26ba5b4408e602f9c71ef896
SHA512 3dcab4a8ee2343032189ae30e4e9cb5d980f2a2a3b597fa34dbdcf14778134937450f545d224d15951649103d178f42ef66b9a85edaf2f29eda1b59f9b9b7735

memory/336-56-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Pgemphmn.exe

MD5 12cfbe5967d045dba2a2a3398b025f2b
SHA1 c34d5d471b028405bfcb6e0be0a068e86582d247
SHA256 30a6f4b934596f5e91f6b6bc07b7db3e75627185b17d69b2a930934211b63caa
SHA512 b26caa001e0f7e7d000fd7ec5569c58105ba0dcc30565903a48187e707b7cd07781857497cc992cd1d6dd6832325c598f376ac898bee5367b20f505a59b23000

memory/4232-63-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Pclneicb.exe

MD5 6685c24caf061d31054bb08d9f97df17
SHA1 98c05e0c8fd0bf5eb43976b465b2cb64fe58bfb0
SHA256 643789ea8076f3734cda64a351a610f8227d939319e4cb8693561f03f013ea64
SHA512 434963f56bbed6e08aa7e68c451a27b1ed5b25df958066e6e1aadec7382708627795ee2626cbbc0c546a491bf5482b98e5ce89c03a2149b5af8f53d2625f22e2

memory/3000-71-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Pbmncp32.exe

MD5 9f1b52b98473c88b397a5e1775c83b1d
SHA1 c52e105bef20463272594b82562adf3d121cacd1
SHA256 173f4ab3272408085b7659945132d0f9b745e2279e9981335bbcf320501d6b5a
SHA512 82e69928e0228caee8bb5976895150b02663cd6536142f4d60b5b7694764e74ff9649e9283cc4ba2917fa96ab5b6799d2d62f500f05879fc1c3985c7f8ad1203

memory/1472-80-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Pcojkhap.exe

MD5 dce619d91c1e6defc3de7bc51ba22ff4
SHA1 678a7df3797cf0f6dd9b341bc4c77303f6a69033
SHA256 9f9dc0d351ad69033820135fe1c810792d24a5f6d52943ad4e291f7132e1713e
SHA512 382655223041e985fc0ebb727c5524f1073d8d74e0d8a1d8f5657a2e1d20a3b12e6ccb3adf11e96da40bc19065c321294737d3e1e331c4f17a140cb03e289b4c

memory/452-88-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Pjhbgb32.exe

MD5 116439f559fef0297b58e6dae3802ffe
SHA1 815b009b7ea5e837199524ce751b86d135d29639
SHA256 435a8fcb4bfeb1bd1aa747ad51e6f6a2311aed00185037adfb8aefec4a6c9580
SHA512 30e0c7a8def02e01c113e753a05b4bbc4e1cc82f3b885471755bdd39010a838292c50d18d2eaee38967b5b9c1d50790418885f3f2cfd8a27afc7cfddc4c6f7dd

memory/1692-95-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Pcagphom.exe

MD5 47f404a2e0a42c7d92f5799897648dbc
SHA1 5903a6540ed89f0066ae51d61c8df23466c8c9c5
SHA256 26af60c71180a75a35ef34bcc388fcdd81a8558f0ca85ef85bae4494059f38e7
SHA512 66b21e9950f4e08320bb70719de985c2122858a51f83d0afac4082106c2920293b4b6b17b87b3c14f2a49c426f0f7f5218d5c14a49425033d7d37a1f1fcbbdf9

memory/1288-103-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Pbbgnpgl.exe

MD5 2c800b94a27c17ee2ffe203b4eb2ff1e
SHA1 81b30d711667036c74ef960356bfedbc4c315894
SHA256 71519c6d683b5c4676b15209d6dddb8d864c3bdd89b405fa8d4aefa0fce610dc
SHA512 f08e3153745842480a187cae83fa637452ed8f6125441303a8abbe908ef46787dec592261cafd0f616b101a29698caae688bc5014751d4026a37a9fb7d7a6408

memory/1904-111-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Peqcjkfp.exe

MD5 10580c67ec2178dad057c5cf8a109685
SHA1 9629e57a2dd5925a01f98c064ca8438c8d393900
SHA256 80890bf276926053ea75c529d3356a13368f74809c010b29c0c9c3d8e40836be
SHA512 79fae70203c2b2ec060fa2f961fc473fde4e517ac853f225e2dda7b273c070729ab1eb552083d20249a6b6d59226b1246b9361d22efc0c804a4855209480bdda

memory/4500-120-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Pjmlbbdg.exe

MD5 ff4ea61039c31e2561c861de467616c9
SHA1 97c2abecd86b36d1a58a956832e86dfc4f4de080
SHA256 9e58905a0f8163ee722dea0f59b3fe6800975e4f11d0a11f813e6a134eafec3a
SHA512 d6b9ef3598b665fa77e218d11dbb9dd497fee15e458bad20c74af79f64bff13a69d92179dd3a7618372e5bf92400308ca8760086cb58a88016a65d112570491a

memory/860-128-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Qecppkdm.exe

MD5 ec6f28cf8190cd5b351195053e6b42da
SHA1 f6c50a8cffcb5feb15ce4ac993e41110490e0b1d
SHA256 971baf1bf31b24380d0d1e99c73d91a4ba441c0d03f43261589dd7e46af81d5f
SHA512 92d1f4b9e602f163c16e2fe1998730bc6308ee46d93a974cf60fc0db4569e66b31499c0b16d36fcb41b8c2c18ec273904189000026a86990607177a3d324ed55

memory/2876-136-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Qjpiha32.exe

MD5 3aae1b87e25601e2c75c3874d37488e8
SHA1 670627aa5017b8a12a52ca6e3be0c41dc277b54d
SHA256 f918f9e421ff21c04063b97fe06d970522255d1e9361378182803186b7be6c3f
SHA512 a0e9aedcdedd7280aa21d3b7ebb48b648f42a5be0e40e01bd03ff00f9ebdd525da90cbacb13b7b852341b7ba09b59989c1c427f764e8461890bb3211734cd937

memory/1676-143-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Qajadlja.exe

MD5 76c2fad9776c8e30254073166d33b58f
SHA1 5edaf12fc363924256a3d94a9ad23632552d36dc
SHA256 0e04ac3959bed828165ff36246122fbb10cc9ea6a9f226b5cd36a4f7002daee9
SHA512 34929e68dc6977c20a27ac226054c896056c22b010ec02dd06966c08f39bd03254c9dc2328db6815f7c17eabe7393c2ccd8a86ce65b6fa8e9585b78c7003290c

memory/1204-151-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Qjbena32.exe

MD5 41968c100884792264409994ffd195d6
SHA1 4227090cdbb3e73e980f41db196cdfceaf2b38c2
SHA256 87120ac36c5494f5a14dfb4ab80a1c0236c60395e9ccd54ec56e226b39245666
SHA512 3c20c92f664696cac1a780e33585a8626d3787ee25d870c75689160aa9da590504326fcc516c1af2d76901872bde6c364bbeccb44331d9e0c3aab32f8600209d

memory/2856-159-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Qalnjkgo.exe

MD5 5d7c406f54da10ade75deb3b9dd67159
SHA1 56fc979676bb3a0dc93ef94fc25c8f33ad2c8643
SHA256 755337eba8c395ab7ea18ef32f2c355ede502fceedeb30e0b969914398c05929
SHA512 a5c89baf71436a27508e71159bd1966dfddc019966621c6f41e431a896965bca62259bcbf8a65472a0e0071786eb86f23c02a4e5ab6b6389d96892390ed41f48

memory/5024-168-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Alabgd32.exe

MD5 3c6a0e187f34e9aaa8e1c66bdb9d667c
SHA1 0e9938afca6c1ddc02322eac7b7179f8cd1a0cb7
SHA256 cffdf862642d7da6c03dbbfe64b823a0596c42d792a52d7cde3a59183821af42
SHA512 28ed8d7f1cc61c3b3b76fe91f23737502f20c0bdd1c2fe18936bcfebdbe60539035f0b06fdc493f533d2878b0386ff96aa27412e8373e9af50201ccd33d930ac

memory/1252-175-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Aejfpjne.exe

MD5 48b5d64034e82a06df4d295295346500
SHA1 d69830ec31b1bb7c401bde1babdae8813c548821
SHA256 a8f9877ee96e3dceaed2b4e962fd38b4ba148dd47fb72a73d89c191126aa8262
SHA512 d06d34cbd2060fc95885781f85e18fac2a45f4e08b3fcef6cec27f5f178513eb701d3659516bf9d8e22e83eab2368b7a7dcab14aaaccef3abfaf22aa13234c92

memory/4416-184-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Aldomc32.exe

MD5 85d31a6fb88d9de2c36677289b8c0226
SHA1 c04765bc79ec72852f6e58a5481bcb91669df38e
SHA256 82aa773e9a7d8b1fcc2e918633fc3001e9dc0584a771d8f120ef7b9efbc146bd
SHA512 6391b1aa0bf68c40d2e7743c14915a87a3e8f15ad7d9770632e801bc0d9765c06130fbc2fe5c5ddafb9c3607b657d50d684c2870378066105c5bb9353d845dd2

memory/2716-191-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3292-204-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Aaqgek32.exe

MD5 e3285147cbde7562fec2ab5b2e4fd490
SHA1 fcb829c14964e800e69fe0a181cd3f246888aadd
SHA256 4933a8832d7845ad1bd585fb5744aeeba0eaa016405d59787e63bedaf6bb5fe7
SHA512 e7c3a2f47f50149f24a806b47774d2bc88e08226f3464199bb7fcad1035efad92f848fba051e80282a9fbd1026d5016171c2c62bfc9cb2aae12baa9bec47a9f5

C:\Windows\SysWOW64\Ahkobekf.exe

MD5 e006c7549b5b641f47c72c98185ffaf9
SHA1 e0800997ca0434d6d98143a1a654ce66dc38ba01
SHA256 dfa0743465b5e85959f619cddbd23ff2afc428853ce1f72e83005a7c840869ca
SHA512 f2c40356987e7e585dca7acc34f0f079e375e332453492250f07ae198d2891d692b08fbb38f6af0ac6b7dbe82e2fd309b9012a5732d34d9c321ef4a3cc54b9b9

memory/2020-208-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Aeopki32.exe

MD5 fc9d8ef4ae8c973d4c33a53ba8e4b77a
SHA1 f383da3d8f11c0e616885bd29eed3eeb231060ad
SHA256 c422e4d47351c7d5206e797c8d4b43a6922167e441e934483be3a35205e49afa
SHA512 2d387b7377319f0910d2cc020d19c2e3b83666cad47ed17270da8fa45ad874be98253d8054e3e1fcdc0fd3e74b9d937f2f344ad44289a28a0c6b60571e04afc8

C:\Windows\SysWOW64\Ajkhdp32.exe

MD5 9ad60c3ebf63e5a732b814edf8af8ba9
SHA1 66d80cacdb8f8586e260c26e0c9d263f9bfc82f2
SHA256 299c64bb2c80ac689fc6ecc6a683ee9b07d905d3235b90d07e13ddf4a2ff1faf
SHA512 fbd23eef8cab00ef616abfda8ffea5e8237c706587686ee6c48e1cf229ed6ff90de2a0e75d628a023e8952c46a536c5229d96256f77dd0ec219e4fa45b98e362

memory/3592-220-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1228-224-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1992-231-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Aaepqjpd.exe

MD5 ad41f45aceae6536e77e661ff7d88e6d
SHA1 cca9d68fe398ea24581da4b0fec5dd0622dcc6a1
SHA256 b1ebb7eb2a9b42960ecd1e029aa04b2a7a878a1e954c1a900bf633921e375841
SHA512 d4c6876da1dc14fa4700d4e55d632c2445cd00809ed5136c7379cceb70427b309cb6213ae7e809c875b40660d5a63aa6ccf2cc7adcca1422dba9d937f825643c

C:\Windows\SysWOW64\Aniajnnn.exe

MD5 762e05b2f2f2cb91d4f2dfb5eb70e53f
SHA1 591df31455a7bdfe0c0eafd7bef0d2701f606bdc
SHA256 2d3dd90c69ae41d75725f8ff9d7e7e59a99995f65a0fff31cc0a98085b3f7902
SHA512 b31e052c4c753d167ec82dbb154cf6764d8b069adf885a321da8096bab495a6b9c58233d876349f50b9a2cbbb61ae09f6467dbedc3c5602295185947d83c8d7d

memory/1084-240-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Bhaebcen.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\SysWOW64\Bhaebcen.exe

MD5 d46c7cbab315e67e7c9763147463008d
SHA1 cc14ccc076149fac88a47e870f7e96abf4990fb7
SHA256 752cfeb2e75f97a448ec3ab09b69c419cd02d5440827262a729ddf59a479e8bd
SHA512 9329b40fbd1b6c654a5964f121b4e8ac2a5a2dc874e7c9d6a6f5f49e6a2bb626e4635d21c9b4acec776bf81f0924df965cd1a7db99ee9cbb5c8cafc58b6b0ab6

memory/4324-248-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Bnlnon32.exe

MD5 f7fa995652e0e6a13efd7a973c434ade
SHA1 3396af4e79eb38179f14283469a80c44b267daad
SHA256 b781a5d464e23e28c232de1fa1b4dbd015b35938e54016f6be81cc297f321272
SHA512 1987114b92bcd6b2c2b17511f8b9f92acbfa11be24ff2bfe5ffb156eecd58c530e3ec4987d6a11294b94308c85a141562bd5b11a4a9d15123bd365b04abe29fb

memory/2896-256-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3040-262-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1844-272-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1376-274-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1580-284-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1752-286-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3208-292-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Bhikcb32.exe

MD5 4835e015befafd7ecf32efd141b98fde
SHA1 6ec5ec379f6c4ce41918c9a927e9801bbf7511eb
SHA256 a88f9f12ec28b1b5e1b86eedd3d6972c8a00c3f60f5204141ff28eecd4a0c8ff
SHA512 aa6640c9aaf0d41344c558ff64ead8f1ef234a2003df0bf47b700b1879c67d3f7ced78083ed6d3961b102c170c0897db53860995909d2ff56a740e36c3f63351

memory/4044-298-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3108-304-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3116-310-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1040-320-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3924-322-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4528-328-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4104-334-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2620-340-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1624-346-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4560-352-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3148-358-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3660-364-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4312-370-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4804-378-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1688-382-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3356-388-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4384-394-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4040-400-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Chghdqbf.exe

MD5 b9415abc8e1fe08d538cf9557f3543e7
SHA1 de7a36ff2fd08553342a2490c84176b2653c1ef7
SHA256 18583da67ed7082c9ba7b85e559bb964c6839f9e1eda46b2fbe4d70ba3c6a2a2
SHA512 dd5eda04f19fdac1fe9b971a7517adfa107f36330e9cde9d0bf1f2aa466a2fbcce575363247ea94548397acfa4272a805742001adbc40b6da64fcf020b0b3433

memory/4920-406-0x0000000000400000-0x0000000000433000-memory.dmp

memory/640-412-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2812-418-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1000-429-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1068-430-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1896-440-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1680-442-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4576-448-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3308-454-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4292-464-0x0000000000400000-0x0000000000433000-memory.dmp

memory/432-466-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2908-472-0x0000000000400000-0x0000000000433000-memory.dmp

memory/636-478-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3760-484-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4332-485-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3096-491-0x0000000000400000-0x0000000000433000-memory.dmp

memory/400-497-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2488-503-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2532-509-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1004-515-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3612-521-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3376-533-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1404-532-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Eabbjc32.exe

MD5 c04bc0aa3a9b5462ed2aa791bce2b6c0
SHA1 76cba9e8d583e86633c8dd03b1c143d5cf434ae3
SHA256 092b0d185d9c5c6ce95bee31f9a9dff7aea338cc01006f99987697bd735573e3
SHA512 b5a94356cb91d7ab6a4f45b087529ca506e6ccf72b46824ebc1dbafa5373c8bb0be5bfac3272857b6fd2d6a59900f1927f9a36898482de6e0405731421ce95aa

memory/836-539-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4108-540-0x0000000000400000-0x0000000000433000-memory.dmp

memory/876-546-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2472-552-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4956-562-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4640-568-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4768-570-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3596-571-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4396-578-0x0000000000400000-0x0000000000433000-memory.dmp

memory/888-577-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5136-585-0x0000000000400000-0x0000000000433000-memory.dmp

memory/336-584-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4232-591-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5180-595-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3000-598-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5224-599-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Hcbpab32.exe

MD5 958c60dcad7e41f39fc0a44fe16d624d
SHA1 b7923cb29754523a558d3971512d0fad794cea2f
SHA256 2fa325249938744f5ec5e4f0da0a356eb81c1c5c64e7ea2a5befb935ec318c6a
SHA512 e6c9494b70b8bee832e5dc1222ab8b4078c7e1b20db38d48baa279402d4e3e4a77a3a1d55eb3c6fa040d23a824f58b098460ca81d02c3ed7e84e02c691dac9bf

C:\Windows\SysWOW64\Jcbihpel.exe

MD5 b79862c0dae9fcc052761f99fbf0ceb5
SHA1 f77425ae797a473602d1766a067dad2a5d4c3665
SHA256 60b5f3b31032368bfa8e12f2ec65bce97bea13f8b77c5a82c5dace5227a90132
SHA512 1c6c7551288f4351786f2334b72fb277d02dee385533e4978be101b146f381969372b2e94ffc761fa848a6c5d95c7adba5e2da858f077cc66c82cdbfd18977a9

C:\Windows\SysWOW64\Jplfcpin.exe

MD5 6b4ffccfe259667f54b3eae6161f589f
SHA1 96b1c7ddcdef531b4a88f6141dc8f08b6a150844
SHA256 14958a083861164b3c15f9c78e573e9d11c4a1d88bda17f78b89605a6f4474d8
SHA512 834e95e739eded3c7ffbeaf68b0487319997d44273e110aa8a1a58fa3eb5897dc66d160170c2ab9ad70f1e76f0df025730cd7d2b9559e21999e9b3f1789e0afc

C:\Windows\SysWOW64\Jehokgge.exe

MD5 6d2fe3ec4e25b7f75a09a5e40a8047c6
SHA1 26c7a3606d3c6ad320c172b7a399a071b947a756
SHA256 497cbe5c082fb25f185d1866dca466b239669ec8800e6f9340bc4ba86fee4c06
SHA512 bb2a6d28f450991b54114d6ee568422eeb5bed0246a918c3dcd8720f474181cfc23fb9fe9c75fc1a5f06d07d1e72be5e8665e6f2b4a8d206b06e6c1cfd3d738b

C:\Windows\SysWOW64\Kdnidn32.exe

MD5 c181c738379ad562d18ac901b950a12d
SHA1 6a9658a3bbc1a97f0f4940b9f10a3caeb30ac423
SHA256 bfb3bc6f9d49db4417d65e5359e5cac85032bbb65895eafdb112fa43f38617b6
SHA512 930ea291a2b4fc09d0185c940b077f8a1577b0b2829b35a924a862f9ffa4fc45eaea1a53c9af87fbc8f521aa54bea83d53944984bcc91f095791aa1a91a62fd6

C:\Windows\SysWOW64\Kbfbkj32.exe

MD5 d6a236dfdd3959fb6ee38350e18712f4
SHA1 e34fe404379e7a0ade76cae55a78e712dc4c8216
SHA256 325ae265f060c7477aed2876342b740e5150b90a5d0c0091faad91735175537a
SHA512 11ce3d8b7cf4702d4974cf2beae5256f6da78f78c31f1d1c8c644ea6068d4cd608d663608510fd220bc63781258a82fd71fde254ccaad428201b6c539cae33e6

C:\Windows\SysWOW64\Kdeoemeg.exe

MD5 c5511bb3b4197d03ebd287b9236e0391
SHA1 21c478348343e19db0cf7fb506409d915a720e0f
SHA256 11797096b7eae5078033c72fac25106ccd549e31c027fa154bc7cd1e534b4a7b
SHA512 8dd9b73b7fcdb0f38ffa16268d4ead63293cfbfd1eac14113d10874b85260dbb126546f90fb04fd6dba4cbca813d7e8e2b06875eb754676d98dd52a48a379b52

C:\Windows\SysWOW64\Lboeaifi.exe

MD5 c74a7dce700d1d9e5f59002c2b5201de
SHA1 97b0b1b6716391337241592498c005443c97339a
SHA256 2a926f1ef92ee77547b5e23d07a363885e526e4511a2b0ae342043821132d352
SHA512 67df96903c735fc24d2a49097466b508997b0f555f801dcadb602791f8e318a65d3bf548243e54fdbc04d4c999a919fc1b2f4a04cde1bafa2d0e06142f848d9b

C:\Windows\SysWOW64\Lgmngglp.exe

MD5 ed9c2bae5366c43ba7659a547bd41958
SHA1 0244cd4d6478582e8d036f613b00210a567de568
SHA256 1cdd28ed0c23637e76fc2bfd1c17de3ff04bb9b68e5a7ca19c3bcfa7be1c3a94
SHA512 268d0fba8e199a9ae93cafef8ce85585ed55637913d4ef2238d5902805c1aeee264b5f30c162cee29b7b1e7cf468e2ab8a51f442b6c75d4c5e3b1d26c7dda352

C:\Windows\SysWOW64\Mbfkbhpa.exe

MD5 0cf5b469114bd149b5ad9a3b330815b1
SHA1 292938890f2042a411d81bc631e5116c814d3614
SHA256 5d5332dcb2f8b1ad0e803844229ef63df44078e750af913878ede8d3d1708c2c
SHA512 98657c3c3c05185765c52b75fb2ded3313ec377265649053fdcf607ac9da88be51e577a29c6f855ed02042baabfb76d99e2afcefefec46df78b20f067b033337

C:\Windows\SysWOW64\Mcmabg32.exe

MD5 60ecad299423c0afd3737577fd847994
SHA1 867abbbf6ed93011a390051544c182ff3cf484b2
SHA256 383901cb9ba7bd8f1f46cea3200f6189650965b611d72b9f98373dc5f5e2037b
SHA512 ee8516d172c98cda6d7ed64a04be39dc91e05a074d8125ef03566d1e117d40124bfd6430ffff75247192333e3d5f3cbdce5ba28e5bb626ef48fc8053e5acde62

C:\Windows\SysWOW64\Mnebeogl.exe

MD5 01298b3bd803b19e4f97dffc8c263751
SHA1 61f31951fad47195bb577eeb2f9639ca5f582959
SHA256 594f43c46e7aefbbf276ad17076aa095ac6f79c3d141cb30e6231df61c915913
SHA512 be4f7c979d5edce3430c401cc9e465a7bb12bbacce77ade0e7a0b829b4f2a2e114a2fee42bb6474af7cf341387bcb0f6f11f89f56624f94d3c5ec170edad4a77

C:\Windows\SysWOW64\Ngmgne32.exe

MD5 b558e0238cb9be08611719e9ee4f8b55
SHA1 66730a0cc032f876f1486eddbb57a55eeb54c647
SHA256 7d55a291a9701dc6301530458867314856cdebb3cf3dfcc365e43204dbf1c8b3
SHA512 ef947ee9be15281d95f2f2936e0006d7fdafc617d136bd704e3d9be71366ca1e91815b6bd5f9d27ccf40f1b63d1c0227ad133f34acb21b2871eae5ecf773b1fd

C:\Windows\SysWOW64\Njqmepik.exe

MD5 33cb2e53df74fec56f85a52265807319
SHA1 75d74e0407a7a0b9564d4a4e08d6ba7de19c0276
SHA256 4720db71ef17c05f26542aa765f6a3c3a83aef9e56deea344d340a3c8c655648
SHA512 f9d9a99d14018d92b7937f169a913130da2b260e514eaaaa0dac6827dfd09983ee79c12c8cb88d8996cf9c5e445dfe7313ba61a8f75b0aadd123b749ce297ff2

C:\Windows\SysWOW64\Ocnjidkf.exe

MD5 76cc0343ed80aa7ff42d4ee763cdfa02
SHA1 84e71e00886eb166cb17175c3dece68382e1892b
SHA256 7d3d9402d48ec0bde148fc735d1f0e2d9e01cf43b8749d9031b26b45424af82d
SHA512 99e9792108ec79401cb996a18e37cd6ea91508959c644cbe3b9ca738dad01d83e3063e0bfac9f74c611e85c711a7cbe08cb7287aba18424c129e45753d7258f0

C:\Windows\SysWOW64\Ocpgod32.exe

MD5 a87d213f63e4b2505a0482e2c85e71fd
SHA1 c4e4b2ebc8ed2758fb7549caf33b09b57e56d921
SHA256 1ab53739df8c15fafe10f176321d998ca43c1bce5ea3f688dfa2fb28cf3f9a4a
SHA512 dab80013760822eeb6c95a22018733d52bb4e2fa4102d43eff577e3e5f5ea0fef79f476a6d7f9efe94ee1983459e7c267182a22a8e708f54c47c3b47d72c0986

C:\Windows\SysWOW64\Ocdqjceo.exe

MD5 773f50f22fd06ec4c67e46910edcdd91
SHA1 a3b7c591c6e4769080f4da86a26c41417451708d
SHA256 0100a4da717edbc72dac2c659bf962bcbede0965c9f1d4699373e689fd19647f
SHA512 652b8b98cc31c236acaab8a809990fd5920827f5fa79cc089d89331ce64f86cf52cf242f0541dd1b5b14fea90654d0ecba890d119e0aa65c0d3db811a33cf720

C:\Windows\SysWOW64\Pmoahijl.exe

MD5 89dc4bd19f97402f2648c39190a90492
SHA1 4b7f25be09efe392c540530f278b7c1d5fb6f0cc
SHA256 29845316e63cbe95467d4b984d42ee8b14f14371aa0017cce4e2457b1e372be5
SHA512 3b45134dc225cf5d72dcf58d30e63e1210bf15a4d517cc9d3e55897be9e118329f02d43c4e97d30c6a6074653c8ffcf529c8cb33cd418c931c9ab8b8680d2ddb

C:\Windows\SysWOW64\Pclgkb32.exe

MD5 8ee6fac5c113d96247bfb9be46768c92
SHA1 e4f1328fce8d3bf4064c1e5889d191cd61c655ff
SHA256 15053e4e7d6f700d7c6a8722e9c63b2bd6820ea7f81539cbb337d017a888d783
SHA512 abb25eaa8f0bcb735cea896fb13608aba37ce651290b45c1ca35870d1fd6e3fd9308f9bd4491d0eefd864c34762c75c5ea3bc312c88eb6864a38deb6d7ae3d5a

C:\Windows\SysWOW64\Qceiaa32.exe

MD5 793762f3a2db3dc200c782d7974389b3
SHA1 d1f138291f049dacff7bbb9ffcebc2c6c3a904bb
SHA256 0c8178eea5bd3a44d4872c6ed663634504fe0b02d7d38c3e8fe5a6ffde1f34e4
SHA512 ca60a00f16dd7bef535903f605611c6a3984c52967a9fb1b539b1914ec68cf17a424f90d385a0a67efe090e9a01d31547a7fdc1631f79299ed0330e9247bea06

C:\Windows\SysWOW64\Qgcbgo32.exe

MD5 604a3dc9db2f277b91be7373b732afaf
SHA1 b6791448dd016cb8bd421a71857786966cb1242a
SHA256 c8471b2d20486554a3cd87572b520c6275c6fa304bea266145c8d0e1351ad7ec
SHA512 ac6fc3d46755ac2497cb8056ac4e30a436fd3196765a9eb572b9bd924134db5ff4d21162eb0f57b76d7d25c43ceedd016c5d227406d78ab459e13a22372052c8

C:\Windows\SysWOW64\Bgehcmmm.exe

MD5 a5d817314fa0d62539a1b7a61bec1f1a
SHA1 77d091e9231829982afe853a8ea1b4e3ad9b6e29
SHA256 29db3ad74b983c9769023ac69c0e24ccf798de92752c24956caa825b328727db
SHA512 3bcf2f034fcfe2dd0c990741bbcd3ea4194da33d4717804d71d7a8dffe0e2f8dacd25d4c7eba12c7075ced2691468ae2984f0fee704f1e0d415310c06a28a869

C:\Windows\SysWOW64\Cabfga32.exe

MD5 8076d07a247d4711e4265b9ed22274bd
SHA1 8db9cb581a47a897b606a009b52f33c5bbf45fc3
SHA256 53d51a2a40370293f80230c1a812e8976e4203d9fd84d0d2a68254f241de32ce
SHA512 48786fad9fff0ada8e83ac0dfdfda51d1c117dddc26e45e2fc594e034f2feb58883415fec45e9b6d68d9f60aae5283a7c168e7ff5819693761c23e95fd267333

C:\Windows\SysWOW64\Ceqnmpfo.exe

MD5 2720db5769195c41d2294bdf6f506a4a
SHA1 66b415e3dfe86649f7b68d6a940d74898e0b6811
SHA256 de7772d52c35d1cea375079845139cf268a9bc3ec726d3a95928461d0181df09
SHA512 1eb382fbc32ab27e77ac19285f81d7e13c1f6f4e9ed4ba843ec2e72eb27887ee472879b4a6157a517574eba46c9d6d24bbc6c90c9de04aefec67ef35f32a6735

C:\Windows\SysWOW64\Dopigd32.exe

MD5 4097b5f34e2b3a066d03362787dc0e0f
SHA1 6943f2d37bdbc360fd295748a00d016c7ee149db
SHA256 a0a2d87c6c89132487c2cf518de557d35c39ffb341e11c67a6c2a8c29204e366
SHA512 ed16f2fa98f76948443d623eb0b136e42d1e77bfb821bd79ed10a0679579454be363f83e6440a062f9a25202dfd25d02090c9deff9fba5960891c4530266cad1

C:\Windows\SysWOW64\Dfnjafap.exe

MD5 175d87257d099388b2690d2db41c4f76
SHA1 fd1a789159af4bac42095ecbd8f6276c8f179f33
SHA256 c50793aa22715227812f2364cfc7d07ff72a0c704c79bbac9268a1123c6de73e
SHA512 508bf2ab0128352a68c78f3c476b327c4b4a2912f02cf24f161d250ab1bd0656d0142d6307868b208695ba074d7d33aa1f6100277fd554f89d44257fb55546a9