Malware Analysis Report

2025-08-05 16:33

Sample ID 240611-cwes1a1fkl
Target 240e8612d7024d4fca353a020c41ccb0_NeikiAnalytics.exe
SHA256 a27b90a9c4862bcbca01d2e2a1830c3a31a5477067e5e09d617329bdbea90439
Tags
persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a27b90a9c4862bcbca01d2e2a1830c3a31a5477067e5e09d617329bdbea90439

Threat Level: Known bad

The file 240e8612d7024d4fca353a020c41ccb0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

persistence

Adds autorun key to be loaded by Explorer.exe on startup

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-11 02:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 02:25

Reported

2024-06-11 02:27

Platform

win7-20240221-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\240e8612d7024d4fca353a020c41ccb0_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cfeddafl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dkmmhf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fpfdalii.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cfeddafl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dqjepm32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ealnephf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ieqeidnl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ioijbj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fmjejphb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gaqcoc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Chhjkl32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ddokpmfo.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dqhhknjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hpocfncj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ioijbj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ecpgmhai.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fddmgjpo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hpkjko32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cciemedf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cciemedf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dbbkja32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eeqdep32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Enihne32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Egamfkdh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ealnephf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fmhheqje.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dhmcfkme.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dmafennb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ecmkghcl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eeqdep32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gopkmhjk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gmgdddmq.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hahjpbad.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hhjhkq32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ilknfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ffkcbgek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gopkmhjk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hggomh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Djefobmk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Emhlfmgj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hggomh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hiekid32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ihoafpmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ihoafpmp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gbijhg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cobbhfhg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eajaoq32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Flabbihl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ffbicfoc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ghoegl32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hlhaqogk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hkkalk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ckdjbh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dkmmhf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hjjddchg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ffkcbgek.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ffbicfoc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hiekid32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hpocfncj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hpapln32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hlhaqogk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dbbkja32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hhjhkq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fnpnndgp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Cfeddafl.exe N/A
N/A N/A C:\Windows\SysWOW64\Cciemedf.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckdjbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Chhjkl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cobbhfhg.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddokpmfo.exe N/A
N/A N/A C:\Windows\SysWOW64\Dbbkja32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhmcfkme.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqhhknjp.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkmmhf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqjepm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgdmmgpj.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmafennb.exe N/A
N/A N/A C:\Windows\SysWOW64\Djefobmk.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecmkghcl.exe N/A
N/A N/A C:\Windows\SysWOW64\Emeopn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecpgmhai.exe N/A
N/A N/A C:\Windows\SysWOW64\Eeqdep32.exe N/A
N/A N/A C:\Windows\SysWOW64\Emhlfmgj.exe N/A
N/A N/A C:\Windows\SysWOW64\Enihne32.exe N/A
N/A N/A C:\Windows\SysWOW64\Egamfkdh.exe N/A
N/A N/A C:\Windows\SysWOW64\Eajaoq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ealnephf.exe N/A
N/A N/A C:\Windows\SysWOW64\Flabbihl.exe N/A
N/A N/A C:\Windows\SysWOW64\Fnpnndgp.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffkcbgek.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmhheqje.exe N/A
N/A N/A C:\Windows\SysWOW64\Fpfdalii.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmjejphb.exe N/A
N/A N/A C:\Windows\SysWOW64\Fddmgjpo.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffbicfoc.exe N/A
N/A N/A C:\Windows\SysWOW64\Gbijhg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gopkmhjk.exe N/A
N/A N/A C:\Windows\SysWOW64\Gbkgnfbd.exe N/A
N/A N/A C:\Windows\SysWOW64\Gaqcoc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gkihhhnm.exe N/A
N/A N/A C:\Windows\SysWOW64\Gmgdddmq.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghmiam32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghoegl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hahjpbad.exe N/A
N/A N/A C:\Windows\SysWOW64\Hpkjko32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hgdbhi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hggomh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hiekid32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hpocfncj.exe N/A
N/A N/A C:\Windows\SysWOW64\Hellne32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hhjhkq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hpapln32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hodpgjha.exe N/A
N/A N/A C:\Windows\SysWOW64\Hjjddchg.exe N/A
N/A N/A C:\Windows\SysWOW64\Hlhaqogk.exe N/A
N/A N/A C:\Windows\SysWOW64\Hkkalk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Icbimi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ieqeidnl.exe N/A
N/A N/A C:\Windows\SysWOW64\Ihoafpmp.exe N/A
N/A N/A C:\Windows\SysWOW64\Ilknfn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ioijbj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iagfoe32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\240e8612d7024d4fca353a020c41ccb0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\240e8612d7024d4fca353a020c41ccb0_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfeddafl.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfeddafl.exe N/A
N/A N/A C:\Windows\SysWOW64\Cciemedf.exe N/A
N/A N/A C:\Windows\SysWOW64\Cciemedf.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckdjbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckdjbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Chhjkl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Chhjkl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cobbhfhg.exe N/A
N/A N/A C:\Windows\SysWOW64\Cobbhfhg.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddokpmfo.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddokpmfo.exe N/A
N/A N/A C:\Windows\SysWOW64\Dbbkja32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dbbkja32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhmcfkme.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhmcfkme.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqhhknjp.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqhhknjp.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkmmhf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkmmhf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqjepm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqjepm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgdmmgpj.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgdmmgpj.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmafennb.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmafennb.exe N/A
N/A N/A C:\Windows\SysWOW64\Djefobmk.exe N/A
N/A N/A C:\Windows\SysWOW64\Djefobmk.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecmkghcl.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecmkghcl.exe N/A
N/A N/A C:\Windows\SysWOW64\Emeopn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Emeopn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecpgmhai.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecpgmhai.exe N/A
N/A N/A C:\Windows\SysWOW64\Eeqdep32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eeqdep32.exe N/A
N/A N/A C:\Windows\SysWOW64\Emhlfmgj.exe N/A
N/A N/A C:\Windows\SysWOW64\Emhlfmgj.exe N/A
N/A N/A C:\Windows\SysWOW64\Enihne32.exe N/A
N/A N/A C:\Windows\SysWOW64\Enihne32.exe N/A
N/A N/A C:\Windows\SysWOW64\Egamfkdh.exe N/A
N/A N/A C:\Windows\SysWOW64\Egamfkdh.exe N/A
N/A N/A C:\Windows\SysWOW64\Eajaoq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eajaoq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ealnephf.exe N/A
N/A N/A C:\Windows\SysWOW64\Ealnephf.exe N/A
N/A N/A C:\Windows\SysWOW64\Flabbihl.exe N/A
N/A N/A C:\Windows\SysWOW64\Flabbihl.exe N/A
N/A N/A C:\Windows\SysWOW64\Fnpnndgp.exe N/A
N/A N/A C:\Windows\SysWOW64\Fnpnndgp.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffkcbgek.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffkcbgek.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmhheqje.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmhheqje.exe N/A
N/A N/A C:\Windows\SysWOW64\Fpfdalii.exe N/A
N/A N/A C:\Windows\SysWOW64\Fpfdalii.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmjejphb.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmjejphb.exe N/A
N/A N/A C:\Windows\SysWOW64\Fddmgjpo.exe N/A
N/A N/A C:\Windows\SysWOW64\Fddmgjpo.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffbicfoc.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffbicfoc.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Ghoegl32.exe C:\Windows\SysWOW64\Ghmiam32.exe N/A
File created C:\Windows\SysWOW64\Gpekfank.dll C:\Windows\SysWOW64\Ghmiam32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hpocfncj.exe C:\Windows\SysWOW64\Hiekid32.exe N/A
File created C:\Windows\SysWOW64\Dgnijonn.dll C:\Windows\SysWOW64\Ilknfn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hahjpbad.exe C:\Windows\SysWOW64\Ghoegl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ioijbj32.exe C:\Windows\SysWOW64\Ilknfn32.exe N/A
File created C:\Windows\SysWOW64\Egamfkdh.exe C:\Windows\SysWOW64\Enihne32.exe N/A
File created C:\Windows\SysWOW64\Lnnhje32.dll C:\Windows\SysWOW64\Ffbicfoc.exe N/A
File opened for modification C:\Windows\SysWOW64\Gopkmhjk.exe C:\Windows\SysWOW64\Gbijhg32.exe N/A
File created C:\Windows\SysWOW64\Ckdjbh32.exe C:\Windows\SysWOW64\Cciemedf.exe N/A
File opened for modification C:\Windows\SysWOW64\Dqhhknjp.exe C:\Windows\SysWOW64\Dhmcfkme.exe N/A
File created C:\Windows\SysWOW64\Dhflmk32.dll C:\Windows\SysWOW64\Dqjepm32.exe N/A
File created C:\Windows\SysWOW64\Djefobmk.exe C:\Windows\SysWOW64\Dmafennb.exe N/A
File opened for modification C:\Windows\SysWOW64\Enihne32.exe C:\Windows\SysWOW64\Emhlfmgj.exe N/A
File opened for modification C:\Windows\SysWOW64\Hlhaqogk.exe C:\Windows\SysWOW64\Hjjddchg.exe N/A
File created C:\Windows\SysWOW64\Ioijbj32.exe C:\Windows\SysWOW64\Ilknfn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ihoafpmp.exe C:\Windows\SysWOW64\Ieqeidnl.exe N/A
File created C:\Windows\SysWOW64\Nejeco32.dll C:\Windows\SysWOW64\Cfeddafl.exe N/A
File created C:\Windows\SysWOW64\Dhmcfkme.exe C:\Windows\SysWOW64\Dbbkja32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dmafennb.exe C:\Windows\SysWOW64\Dgdmmgpj.exe N/A
File created C:\Windows\SysWOW64\Iecimppi.dll C:\Windows\SysWOW64\Emhlfmgj.exe N/A
File created C:\Windows\SysWOW64\Hhjhkq32.exe C:\Windows\SysWOW64\Hellne32.exe N/A
File created C:\Windows\SysWOW64\Hpkjko32.exe C:\Windows\SysWOW64\Hahjpbad.exe N/A
File opened for modification C:\Windows\SysWOW64\Cobbhfhg.exe C:\Windows\SysWOW64\Chhjkl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ealnephf.exe C:\Windows\SysWOW64\Eajaoq32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ffkcbgek.exe C:\Windows\SysWOW64\Fnpnndgp.exe N/A
File created C:\Windows\SysWOW64\Kdanej32.dll C:\Windows\SysWOW64\Fnpnndgp.exe N/A
File created C:\Windows\SysWOW64\Cakqnc32.dll C:\Windows\SysWOW64\Fpfdalii.exe N/A
File opened for modification C:\Windows\SysWOW64\Gbijhg32.exe C:\Windows\SysWOW64\Ffbicfoc.exe N/A
File created C:\Windows\SysWOW64\Hahjpbad.exe C:\Windows\SysWOW64\Ghoegl32.exe N/A
File created C:\Windows\SysWOW64\Njmekj32.dll C:\Windows\SysWOW64\Ghoegl32.exe N/A
File created C:\Windows\SysWOW64\Elbepj32.dll C:\Windows\SysWOW64\Dkmmhf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ecmkghcl.exe C:\Windows\SysWOW64\Djefobmk.exe N/A
File opened for modification C:\Windows\SysWOW64\Ecpgmhai.exe C:\Windows\SysWOW64\Emeopn32.exe N/A
File created C:\Windows\SysWOW64\Bnpmlfkm.dll C:\Windows\SysWOW64\Enihne32.exe N/A
File created C:\Windows\SysWOW64\Flabbihl.exe C:\Windows\SysWOW64\Ealnephf.exe N/A
File opened for modification C:\Windows\SysWOW64\Hhjhkq32.exe C:\Windows\SysWOW64\Hellne32.exe N/A
File created C:\Windows\SysWOW64\Ljenlcfa.dll C:\Windows\SysWOW64\Djefobmk.exe N/A
File created C:\Windows\SysWOW64\Liqebf32.dll C:\Windows\SysWOW64\Hpapln32.exe N/A
File created C:\Windows\SysWOW64\Hjjddchg.exe C:\Windows\SysWOW64\Hodpgjha.exe N/A
File created C:\Windows\SysWOW64\Mhfkbo32.dll C:\Windows\SysWOW64\Hodpgjha.exe N/A
File created C:\Windows\SysWOW64\Dqjepm32.exe C:\Windows\SysWOW64\Dkmmhf32.exe N/A
File created C:\Windows\SysWOW64\Gkihhhnm.exe C:\Windows\SysWOW64\Gaqcoc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hgdbhi32.exe C:\Windows\SysWOW64\Hpkjko32.exe N/A
File created C:\Windows\SysWOW64\Ecmkgokh.dll C:\Windows\SysWOW64\Hkkalk32.exe N/A
File created C:\Windows\SysWOW64\Qlidlf32.dll C:\Windows\SysWOW64\Fmjejphb.exe N/A
File created C:\Windows\SysWOW64\Hkkalk32.exe C:\Windows\SysWOW64\Hlhaqogk.exe N/A
File opened for modification C:\Windows\SysWOW64\Iagfoe32.exe C:\Windows\SysWOW64\Ioijbj32.exe N/A
File created C:\Windows\SysWOW64\Dmljjm32.dll C:\Users\Admin\AppData\Local\Temp\240e8612d7024d4fca353a020c41ccb0_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Ddokpmfo.exe C:\Windows\SysWOW64\Cobbhfhg.exe N/A
File created C:\Windows\SysWOW64\Dkmmhf32.exe C:\Windows\SysWOW64\Dqhhknjp.exe N/A
File created C:\Windows\SysWOW64\Kgcampld.dll C:\Windows\SysWOW64\Eeqdep32.exe N/A
File created C:\Windows\SysWOW64\Fpfdalii.exe C:\Windows\SysWOW64\Fmhheqje.exe N/A
File created C:\Windows\SysWOW64\Glqllcbf.dll C:\Windows\SysWOW64\Hhjhkq32.exe N/A
File created C:\Windows\SysWOW64\Hlhaqogk.exe C:\Windows\SysWOW64\Hjjddchg.exe N/A
File created C:\Windows\SysWOW64\Emeopn32.exe C:\Windows\SysWOW64\Ecmkghcl.exe N/A
File created C:\Windows\SysWOW64\Ecpgmhai.exe C:\Windows\SysWOW64\Emeopn32.exe N/A
File created C:\Windows\SysWOW64\Fnpnndgp.exe C:\Windows\SysWOW64\Flabbihl.exe N/A
File opened for modification C:\Windows\SysWOW64\Ffbicfoc.exe C:\Windows\SysWOW64\Fddmgjpo.exe N/A
File opened for modification C:\Windows\SysWOW64\Hggomh32.exe C:\Windows\SysWOW64\Hgdbhi32.exe N/A
File created C:\Windows\SysWOW64\Cciemedf.exe C:\Windows\SysWOW64\Cfeddafl.exe N/A
File opened for modification C:\Windows\SysWOW64\Eeqdep32.exe C:\Windows\SysWOW64\Ecpgmhai.exe N/A
File created C:\Windows\SysWOW64\Ffkcbgek.exe C:\Windows\SysWOW64\Fnpnndgp.exe N/A
File opened for modification C:\Windows\SysWOW64\Gkihhhnm.exe C:\Windows\SysWOW64\Gaqcoc32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Iagfoe32.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpekfank.dll" C:\Windows\SysWOW64\Ghmiam32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hiekid32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hciofb32.dll" C:\Windows\SysWOW64\Hiekid32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hpapln32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} C:\Users\Admin\AppData\Local\Temp\240e8612d7024d4fca353a020c41ccb0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fnpnndgp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnnhje32.dll" C:\Windows\SysWOW64\Ffbicfoc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll" C:\Windows\SysWOW64\Ioijbj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkjapnke.dll" C:\Windows\SysWOW64\Ddokpmfo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbepi32.dll" C:\Windows\SysWOW64\Fmhheqje.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fndldonj.dll" C:\Windows\SysWOW64\Gbkgnfbd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdpfph32.dll" C:\Windows\SysWOW64\Ihoafpmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ioijbj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elbepj32.dll" C:\Windows\SysWOW64\Dkmmhf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkakief.dll" C:\Windows\SysWOW64\Ecpgmhai.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hiekid32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hojopmqk.dll" C:\Windows\SysWOW64\Hellne32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dmafennb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gbijhg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fddmgjpo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hkkalk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ecmkghcl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fnpnndgp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dbbkja32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahcocb32.dll" C:\Windows\SysWOW64\Gaqcoc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cobbhfhg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cobbhfhg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dqhhknjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dqhhknjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hhjhkq32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hjjddchg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ieqeidnl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nejeco32.dll" C:\Windows\SysWOW64\Cfeddafl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlcdphdj.dll" C:\Windows\SysWOW64\Cciemedf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Enihne32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gkihhhnm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amammd32.dll" C:\Windows\SysWOW64\Ieqeidnl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\240e8612d7024d4fca353a020c41ccb0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpbpbqda.dll" C:\Windows\SysWOW64\Dgdmmgpj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdanej32.dll" C:\Windows\SysWOW64\Fnpnndgp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hpkjko32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dqjepm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dgdmmgpj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ihoafpmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Icbimi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmjcmjd.dll" C:\Windows\SysWOW64\Icbimi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ecpgmhai.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fpfdalii.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fmjejphb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ffbicfoc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cciemedf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipdljffa.dll" C:\Windows\SysWOW64\Cobbhfhg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Eajaoq32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ffkcbgek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fmhheqje.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fmjejphb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hggomh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cciemedf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ddokpmfo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ealnephf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeccgbbh.dll" C:\Windows\SysWOW64\Ffkcbgek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fddmgjpo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Febhomkh.dll" C:\Windows\SysWOW64\Gkihhhnm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gkihhhnm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3028 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\240e8612d7024d4fca353a020c41ccb0_NeikiAnalytics.exe C:\Windows\SysWOW64\Cfeddafl.exe
PID 3028 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\240e8612d7024d4fca353a020c41ccb0_NeikiAnalytics.exe C:\Windows\SysWOW64\Cfeddafl.exe
PID 3028 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\240e8612d7024d4fca353a020c41ccb0_NeikiAnalytics.exe C:\Windows\SysWOW64\Cfeddafl.exe
PID 3028 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\240e8612d7024d4fca353a020c41ccb0_NeikiAnalytics.exe C:\Windows\SysWOW64\Cfeddafl.exe
PID 2012 wrote to memory of 2840 N/A C:\Windows\SysWOW64\Cfeddafl.exe C:\Windows\SysWOW64\Cciemedf.exe
PID 2012 wrote to memory of 2840 N/A C:\Windows\SysWOW64\Cfeddafl.exe C:\Windows\SysWOW64\Cciemedf.exe
PID 2012 wrote to memory of 2840 N/A C:\Windows\SysWOW64\Cfeddafl.exe C:\Windows\SysWOW64\Cciemedf.exe
PID 2012 wrote to memory of 2840 N/A C:\Windows\SysWOW64\Cfeddafl.exe C:\Windows\SysWOW64\Cciemedf.exe
PID 2840 wrote to memory of 2648 N/A C:\Windows\SysWOW64\Cciemedf.exe C:\Windows\SysWOW64\Ckdjbh32.exe
PID 2840 wrote to memory of 2648 N/A C:\Windows\SysWOW64\Cciemedf.exe C:\Windows\SysWOW64\Ckdjbh32.exe
PID 2840 wrote to memory of 2648 N/A C:\Windows\SysWOW64\Cciemedf.exe C:\Windows\SysWOW64\Ckdjbh32.exe
PID 2840 wrote to memory of 2648 N/A C:\Windows\SysWOW64\Cciemedf.exe C:\Windows\SysWOW64\Ckdjbh32.exe
PID 2648 wrote to memory of 2560 N/A C:\Windows\SysWOW64\Ckdjbh32.exe C:\Windows\SysWOW64\Chhjkl32.exe
PID 2648 wrote to memory of 2560 N/A C:\Windows\SysWOW64\Ckdjbh32.exe C:\Windows\SysWOW64\Chhjkl32.exe
PID 2648 wrote to memory of 2560 N/A C:\Windows\SysWOW64\Ckdjbh32.exe C:\Windows\SysWOW64\Chhjkl32.exe
PID 2648 wrote to memory of 2560 N/A C:\Windows\SysWOW64\Ckdjbh32.exe C:\Windows\SysWOW64\Chhjkl32.exe
PID 2560 wrote to memory of 2624 N/A C:\Windows\SysWOW64\Chhjkl32.exe C:\Windows\SysWOW64\Cobbhfhg.exe
PID 2560 wrote to memory of 2624 N/A C:\Windows\SysWOW64\Chhjkl32.exe C:\Windows\SysWOW64\Cobbhfhg.exe
PID 2560 wrote to memory of 2624 N/A C:\Windows\SysWOW64\Chhjkl32.exe C:\Windows\SysWOW64\Cobbhfhg.exe
PID 2560 wrote to memory of 2624 N/A C:\Windows\SysWOW64\Chhjkl32.exe C:\Windows\SysWOW64\Cobbhfhg.exe
PID 2624 wrote to memory of 2668 N/A C:\Windows\SysWOW64\Cobbhfhg.exe C:\Windows\SysWOW64\Ddokpmfo.exe
PID 2624 wrote to memory of 2668 N/A C:\Windows\SysWOW64\Cobbhfhg.exe C:\Windows\SysWOW64\Ddokpmfo.exe
PID 2624 wrote to memory of 2668 N/A C:\Windows\SysWOW64\Cobbhfhg.exe C:\Windows\SysWOW64\Ddokpmfo.exe
PID 2624 wrote to memory of 2668 N/A C:\Windows\SysWOW64\Cobbhfhg.exe C:\Windows\SysWOW64\Ddokpmfo.exe
PID 2668 wrote to memory of 2964 N/A C:\Windows\SysWOW64\Ddokpmfo.exe C:\Windows\SysWOW64\Dbbkja32.exe
PID 2668 wrote to memory of 2964 N/A C:\Windows\SysWOW64\Ddokpmfo.exe C:\Windows\SysWOW64\Dbbkja32.exe
PID 2668 wrote to memory of 2964 N/A C:\Windows\SysWOW64\Ddokpmfo.exe C:\Windows\SysWOW64\Dbbkja32.exe
PID 2668 wrote to memory of 2964 N/A C:\Windows\SysWOW64\Ddokpmfo.exe C:\Windows\SysWOW64\Dbbkja32.exe
PID 2964 wrote to memory of 1324 N/A C:\Windows\SysWOW64\Dbbkja32.exe C:\Windows\SysWOW64\Dhmcfkme.exe
PID 2964 wrote to memory of 1324 N/A C:\Windows\SysWOW64\Dbbkja32.exe C:\Windows\SysWOW64\Dhmcfkme.exe
PID 2964 wrote to memory of 1324 N/A C:\Windows\SysWOW64\Dbbkja32.exe C:\Windows\SysWOW64\Dhmcfkme.exe
PID 2964 wrote to memory of 1324 N/A C:\Windows\SysWOW64\Dbbkja32.exe C:\Windows\SysWOW64\Dhmcfkme.exe
PID 1324 wrote to memory of 2948 N/A C:\Windows\SysWOW64\Dhmcfkme.exe C:\Windows\SysWOW64\Dqhhknjp.exe
PID 1324 wrote to memory of 2948 N/A C:\Windows\SysWOW64\Dhmcfkme.exe C:\Windows\SysWOW64\Dqhhknjp.exe
PID 1324 wrote to memory of 2948 N/A C:\Windows\SysWOW64\Dhmcfkme.exe C:\Windows\SysWOW64\Dqhhknjp.exe
PID 1324 wrote to memory of 2948 N/A C:\Windows\SysWOW64\Dhmcfkme.exe C:\Windows\SysWOW64\Dqhhknjp.exe
PID 2948 wrote to memory of 716 N/A C:\Windows\SysWOW64\Dqhhknjp.exe C:\Windows\SysWOW64\Dkmmhf32.exe
PID 2948 wrote to memory of 716 N/A C:\Windows\SysWOW64\Dqhhknjp.exe C:\Windows\SysWOW64\Dkmmhf32.exe
PID 2948 wrote to memory of 716 N/A C:\Windows\SysWOW64\Dqhhknjp.exe C:\Windows\SysWOW64\Dkmmhf32.exe
PID 2948 wrote to memory of 716 N/A C:\Windows\SysWOW64\Dqhhknjp.exe C:\Windows\SysWOW64\Dkmmhf32.exe
PID 716 wrote to memory of 1672 N/A C:\Windows\SysWOW64\Dkmmhf32.exe C:\Windows\SysWOW64\Dqjepm32.exe
PID 716 wrote to memory of 1672 N/A C:\Windows\SysWOW64\Dkmmhf32.exe C:\Windows\SysWOW64\Dqjepm32.exe
PID 716 wrote to memory of 1672 N/A C:\Windows\SysWOW64\Dkmmhf32.exe C:\Windows\SysWOW64\Dqjepm32.exe
PID 716 wrote to memory of 1672 N/A C:\Windows\SysWOW64\Dkmmhf32.exe C:\Windows\SysWOW64\Dqjepm32.exe
PID 1672 wrote to memory of 2020 N/A C:\Windows\SysWOW64\Dqjepm32.exe C:\Windows\SysWOW64\Dgdmmgpj.exe
PID 1672 wrote to memory of 2020 N/A C:\Windows\SysWOW64\Dqjepm32.exe C:\Windows\SysWOW64\Dgdmmgpj.exe
PID 1672 wrote to memory of 2020 N/A C:\Windows\SysWOW64\Dqjepm32.exe C:\Windows\SysWOW64\Dgdmmgpj.exe
PID 1672 wrote to memory of 2020 N/A C:\Windows\SysWOW64\Dqjepm32.exe C:\Windows\SysWOW64\Dgdmmgpj.exe
PID 2020 wrote to memory of 2776 N/A C:\Windows\SysWOW64\Dgdmmgpj.exe C:\Windows\SysWOW64\Dmafennb.exe
PID 2020 wrote to memory of 2776 N/A C:\Windows\SysWOW64\Dgdmmgpj.exe C:\Windows\SysWOW64\Dmafennb.exe
PID 2020 wrote to memory of 2776 N/A C:\Windows\SysWOW64\Dgdmmgpj.exe C:\Windows\SysWOW64\Dmafennb.exe
PID 2020 wrote to memory of 2776 N/A C:\Windows\SysWOW64\Dgdmmgpj.exe C:\Windows\SysWOW64\Dmafennb.exe
PID 2776 wrote to memory of 648 N/A C:\Windows\SysWOW64\Dmafennb.exe C:\Windows\SysWOW64\Djefobmk.exe
PID 2776 wrote to memory of 648 N/A C:\Windows\SysWOW64\Dmafennb.exe C:\Windows\SysWOW64\Djefobmk.exe
PID 2776 wrote to memory of 648 N/A C:\Windows\SysWOW64\Dmafennb.exe C:\Windows\SysWOW64\Djefobmk.exe
PID 2776 wrote to memory of 648 N/A C:\Windows\SysWOW64\Dmafennb.exe C:\Windows\SysWOW64\Djefobmk.exe
PID 648 wrote to memory of 1376 N/A C:\Windows\SysWOW64\Djefobmk.exe C:\Windows\SysWOW64\Ecmkghcl.exe
PID 648 wrote to memory of 1376 N/A C:\Windows\SysWOW64\Djefobmk.exe C:\Windows\SysWOW64\Ecmkghcl.exe
PID 648 wrote to memory of 1376 N/A C:\Windows\SysWOW64\Djefobmk.exe C:\Windows\SysWOW64\Ecmkghcl.exe
PID 648 wrote to memory of 1376 N/A C:\Windows\SysWOW64\Djefobmk.exe C:\Windows\SysWOW64\Ecmkghcl.exe
PID 1376 wrote to memory of 2308 N/A C:\Windows\SysWOW64\Ecmkghcl.exe C:\Windows\SysWOW64\Emeopn32.exe
PID 1376 wrote to memory of 2308 N/A C:\Windows\SysWOW64\Ecmkghcl.exe C:\Windows\SysWOW64\Emeopn32.exe
PID 1376 wrote to memory of 2308 N/A C:\Windows\SysWOW64\Ecmkghcl.exe C:\Windows\SysWOW64\Emeopn32.exe
PID 1376 wrote to memory of 2308 N/A C:\Windows\SysWOW64\Ecmkghcl.exe C:\Windows\SysWOW64\Emeopn32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\240e8612d7024d4fca353a020c41ccb0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\240e8612d7024d4fca353a020c41ccb0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Cfeddafl.exe

C:\Windows\system32\Cfeddafl.exe

C:\Windows\SysWOW64\Cciemedf.exe

C:\Windows\system32\Cciemedf.exe

C:\Windows\SysWOW64\Ckdjbh32.exe

C:\Windows\system32\Ckdjbh32.exe

C:\Windows\SysWOW64\Chhjkl32.exe

C:\Windows\system32\Chhjkl32.exe

C:\Windows\SysWOW64\Cobbhfhg.exe

C:\Windows\system32\Cobbhfhg.exe

C:\Windows\SysWOW64\Ddokpmfo.exe

C:\Windows\system32\Ddokpmfo.exe

C:\Windows\SysWOW64\Dbbkja32.exe

C:\Windows\system32\Dbbkja32.exe

C:\Windows\SysWOW64\Dhmcfkme.exe

C:\Windows\system32\Dhmcfkme.exe

C:\Windows\SysWOW64\Dqhhknjp.exe

C:\Windows\system32\Dqhhknjp.exe

C:\Windows\SysWOW64\Dkmmhf32.exe

C:\Windows\system32\Dkmmhf32.exe

C:\Windows\SysWOW64\Dqjepm32.exe

C:\Windows\system32\Dqjepm32.exe

C:\Windows\SysWOW64\Dgdmmgpj.exe

C:\Windows\system32\Dgdmmgpj.exe

C:\Windows\SysWOW64\Dmafennb.exe

C:\Windows\system32\Dmafennb.exe

C:\Windows\SysWOW64\Djefobmk.exe

C:\Windows\system32\Djefobmk.exe

C:\Windows\SysWOW64\Ecmkghcl.exe

C:\Windows\system32\Ecmkghcl.exe

C:\Windows\SysWOW64\Emeopn32.exe

C:\Windows\system32\Emeopn32.exe

C:\Windows\SysWOW64\Ecpgmhai.exe

C:\Windows\system32\Ecpgmhai.exe

C:\Windows\SysWOW64\Eeqdep32.exe

C:\Windows\system32\Eeqdep32.exe

C:\Windows\SysWOW64\Emhlfmgj.exe

C:\Windows\system32\Emhlfmgj.exe

C:\Windows\SysWOW64\Enihne32.exe

C:\Windows\system32\Enihne32.exe

C:\Windows\SysWOW64\Egamfkdh.exe

C:\Windows\system32\Egamfkdh.exe

C:\Windows\SysWOW64\Eajaoq32.exe

C:\Windows\system32\Eajaoq32.exe

C:\Windows\SysWOW64\Ealnephf.exe

C:\Windows\system32\Ealnephf.exe

C:\Windows\SysWOW64\Flabbihl.exe

C:\Windows\system32\Flabbihl.exe

C:\Windows\SysWOW64\Fnpnndgp.exe

C:\Windows\system32\Fnpnndgp.exe

C:\Windows\SysWOW64\Ffkcbgek.exe

C:\Windows\system32\Ffkcbgek.exe

C:\Windows\SysWOW64\Fmhheqje.exe

C:\Windows\system32\Fmhheqje.exe

C:\Windows\SysWOW64\Fpfdalii.exe

C:\Windows\system32\Fpfdalii.exe

C:\Windows\SysWOW64\Fmjejphb.exe

C:\Windows\system32\Fmjejphb.exe

C:\Windows\SysWOW64\Fddmgjpo.exe

C:\Windows\system32\Fddmgjpo.exe

C:\Windows\SysWOW64\Ffbicfoc.exe

C:\Windows\system32\Ffbicfoc.exe

C:\Windows\SysWOW64\Gbijhg32.exe

C:\Windows\system32\Gbijhg32.exe

C:\Windows\SysWOW64\Gopkmhjk.exe

C:\Windows\system32\Gopkmhjk.exe

C:\Windows\SysWOW64\Gbkgnfbd.exe

C:\Windows\system32\Gbkgnfbd.exe

C:\Windows\SysWOW64\Gaqcoc32.exe

C:\Windows\system32\Gaqcoc32.exe

C:\Windows\SysWOW64\Gkihhhnm.exe

C:\Windows\system32\Gkihhhnm.exe

C:\Windows\SysWOW64\Gmgdddmq.exe

C:\Windows\system32\Gmgdddmq.exe

C:\Windows\SysWOW64\Ghmiam32.exe

C:\Windows\system32\Ghmiam32.exe

C:\Windows\SysWOW64\Ghoegl32.exe

C:\Windows\system32\Ghoegl32.exe

C:\Windows\SysWOW64\Hahjpbad.exe

C:\Windows\system32\Hahjpbad.exe

C:\Windows\SysWOW64\Hpkjko32.exe

C:\Windows\system32\Hpkjko32.exe

C:\Windows\SysWOW64\Hgdbhi32.exe

C:\Windows\system32\Hgdbhi32.exe

C:\Windows\SysWOW64\Hggomh32.exe

C:\Windows\system32\Hggomh32.exe

C:\Windows\SysWOW64\Hiekid32.exe

C:\Windows\system32\Hiekid32.exe

C:\Windows\SysWOW64\Hpocfncj.exe

C:\Windows\system32\Hpocfncj.exe

C:\Windows\SysWOW64\Hellne32.exe

C:\Windows\system32\Hellne32.exe

C:\Windows\SysWOW64\Hhjhkq32.exe

C:\Windows\system32\Hhjhkq32.exe

C:\Windows\SysWOW64\Hpapln32.exe

C:\Windows\system32\Hpapln32.exe

C:\Windows\SysWOW64\Hodpgjha.exe

C:\Windows\system32\Hodpgjha.exe

C:\Windows\SysWOW64\Hjjddchg.exe

C:\Windows\system32\Hjjddchg.exe

C:\Windows\SysWOW64\Hlhaqogk.exe

C:\Windows\system32\Hlhaqogk.exe

C:\Windows\SysWOW64\Hkkalk32.exe

C:\Windows\system32\Hkkalk32.exe

C:\Windows\SysWOW64\Icbimi32.exe

C:\Windows\system32\Icbimi32.exe

C:\Windows\SysWOW64\Ieqeidnl.exe

C:\Windows\system32\Ieqeidnl.exe

C:\Windows\SysWOW64\Ihoafpmp.exe

C:\Windows\system32\Ihoafpmp.exe

C:\Windows\SysWOW64\Ilknfn32.exe

C:\Windows\system32\Ilknfn32.exe

C:\Windows\SysWOW64\Ioijbj32.exe

C:\Windows\system32\Ioijbj32.exe

C:\Windows\SysWOW64\Iagfoe32.exe

C:\Windows\system32\Iagfoe32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 140

Network

N/A

Files

memory/3028-0-0x0000000000400000-0x0000000000440000-memory.dmp

\Windows\SysWOW64\Cfeddafl.exe

MD5 4194798a86ad9612eda7bc85d6f8a2ac
SHA1 36dfa65451df2b2b4a9f94c213f5917f95e2acda
SHA256 b9b98d22d82313ee52c0c78c93043892f5ac6bc792b2bd69cec1f6e6acf5b699
SHA512 c31aa713955585b3eaaad26be0717894572ebd64b3f068d8d81c2f3ebd3a43db4cee1d7bd7bcc8481f416e1c85ced4bbef67d90a22f7c5e599eab4292bdc975c

memory/3028-6-0x0000000000250000-0x0000000000290000-memory.dmp

memory/2012-14-0x0000000000400000-0x0000000000440000-memory.dmp

\Windows\SysWOW64\Cciemedf.exe

MD5 e1e320d30a7629ca6ed1e8614e58c7ff
SHA1 bf15b7d165c656acbdeae91ba8b297ada24f354f
SHA256 53082dea7b055e4019c0704aaef8523d242b48c5cb6da0e254c93e560c44648c
SHA512 24d013c317c3a56be43feb5169fea36ef746e526666c2496ab486264f982a771ba11c74473799cbd5a0fb2b76a8ba023b7ec4fd00add6909d8e642a0ba7b365d

memory/2012-25-0x0000000000280000-0x00000000002C0000-memory.dmp

memory/2840-27-0x0000000000400000-0x0000000000440000-memory.dmp

\Windows\SysWOW64\Ckdjbh32.exe

MD5 b6fd79e7ddd0eee67e875b780d3674c1
SHA1 43fc1581d953bb1b7ac3ede4dadaceb640dd2f90
SHA256 bcdeaa8fade7c8dbe9f70416068a882fbcccde5c8b2372f90e4cf596ba8a747f
SHA512 3833ec888170e6300bfd43843a0607dba9b27c87e8b51eefb16dceac033e7f5e5a05a3f56bb33571819d8caef9be4a498ac171303a9edb72685a8c4ea3a3c120

memory/2840-35-0x0000000000270000-0x00000000002B0000-memory.dmp

\Windows\SysWOW64\Chhjkl32.exe

MD5 20d94d76a66f0fd8a24a31a2af1d5bd0
SHA1 80a0a9b42ea8250ab4c6fb976071fc999b978c0b
SHA256 a39417b776f8eae7bcf1f18b1393e871dbb3351c024ead34cd9215bd4f423b36
SHA512 9df940b3086c608878269731513b68d127adc8f930bf7f86aa1e87943b1f3de088abd4c186126ed62d28e0e93260489a66318ee934765656a9389e3875b98dae

memory/2560-53-0x0000000000400000-0x0000000000440000-memory.dmp

\Windows\SysWOW64\Cobbhfhg.exe

MD5 fb3f0e72bef660d028022303a7d50cd1
SHA1 95272334165128d068c5cd4b7f75a4fb6800181f
SHA256 04d100b6204150916494bfde3f9550aa31d7252e9e4661be727743f4319a9215
SHA512 ea343bbd131239692b16d5a4395802eb58ab549770f103778da310590b67fc0bda3e8c3b6e31a9e77bebba13e90824a3c77b69a8b3dd029b6dc16230c85f9d64

memory/2560-62-0x0000000000250000-0x0000000000290000-memory.dmp

memory/2624-68-0x0000000000400000-0x0000000000440000-memory.dmp

\Windows\SysWOW64\Ddokpmfo.exe

MD5 b80c04c50e0f78931444bc7d327140bb
SHA1 cfd03f788a6aa0d3da7034234f84ebfb3e94c417
SHA256 f547f7c87f1da7e793f713eabfaccbb3ce5ba729aa088e8304b0db7d4cf07941
SHA512 59bf371a641530cbb5c9ce366236ac40d30016d58b248eb5e2b6d67fc717e2fa67ec641f914516d12bb0c9e16ff7cba69c15d639a413e965c64c1861276a385a

memory/2668-80-0x0000000000400000-0x0000000000440000-memory.dmp

\Windows\SysWOW64\Dbbkja32.exe

MD5 0d344f987827a333279ae50a3370acf2
SHA1 71780c7dcfc5ca4dd85402c3fa1f5655af037599
SHA256 7053a624a07922b8a8bb9334dd833b6576e1365354095fdf72a2242181f32dcc
SHA512 bf4917af7a36038607e9b8d71fd29e17b59e397e4e469bd0a1ea89bac3002426b5dd1c4e29f4c44a60ebc7008ef9d1eea2ed732005de6354105f00821acda792

memory/2964-100-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Dhmcfkme.exe

MD5 5ffd91889db3333d7ac49ddc799a6ff8
SHA1 724d23c2c92301ba7dce3b5b92f6059a0512ca42
SHA256 4d0f1654980c22a6df969d8ea587878a8da69ac2ca8d0438ba5436a66c90c256
SHA512 b98d7439b90099703901269e0f5c2967f25ed6d4bdd87e8ff394c430879d8f50ce9fcd83dfab2130db2b335c7b14349edcb5f7e0f023114cd83dbf47cb96ba03

memory/1324-106-0x0000000000400000-0x0000000000440000-memory.dmp

\Windows\SysWOW64\Dqhhknjp.exe

MD5 0a2f567fc887172a74711eafe8d1eaab
SHA1 eafb8bc274a80c5f5de261f306a00aa2125dfd85
SHA256 36c0e2a0c21e65582139e769b4cbfdf52df4c4ee56e1fed5039dbeadeb3b0b93
SHA512 4ba57c54be1c167113fbcad509dafc20ef028745d07d010510e052ed74a9ca964178dea103b4f6885083f2ce6e9486fdd5d86185eeea77180d6e0920fd39b21d

memory/1324-113-0x0000000000250000-0x0000000000290000-memory.dmp

\Windows\SysWOW64\Dkmmhf32.exe

MD5 3af678ec24f13b21802971e115a0c8b5
SHA1 ed22fe1c34d02976cc3f8e62fff342d480b12643
SHA256 649390ccdc94038dd5ba076c5436d2814c44dbbbfe911ea3176c53b993aab94e
SHA512 b89ce1e7977e1e1fa46a6c14940950787c1cd74647f93a07bad6093657664fd5ae87435d865e25920c526358e416f2b2f00c8fb0957ba129a13d48f7d14b637b

memory/716-132-0x0000000000400000-0x0000000000440000-memory.dmp

\Windows\SysWOW64\Dqjepm32.exe

MD5 ff56c1df6772c4ab7239199c41855041
SHA1 fcc561bf3396d7f29f24b7ac5420bf92ba95966b
SHA256 de6c8e495bcca621e86fcae4dd110be1df50fe04561efc31478784f575fb7292
SHA512 fafcc623d1b6e4b0ebdf123d2da1a7ad3882129f4e2923e02a450ace4c53e65af08471ec57f20d4b8e031cde030370569de9550457e7757dbb5ddb94fbcb4a81

C:\Windows\SysWOW64\Dgdmmgpj.exe

MD5 090f278b8fe8079a0a0961b78cb1f499
SHA1 a124950ee0f27cd780281886c96dcedc09fff105
SHA256 91d082b79465055be27ab3e2a506d05de488b18d9a03282548d498c57a217e40
SHA512 0d079525403eed2ca5d68ac69db02a718140a2c4a2fb91f7a7c9b5e9a1bb241fa0fbc825ad71773a802182bee154fd00b6fc1d6616d355b6f36a711bb9e15b00

memory/1672-158-0x0000000000250000-0x0000000000290000-memory.dmp

memory/1672-151-0x0000000000400000-0x0000000000440000-memory.dmp

\Windows\SysWOW64\Dmafennb.exe

MD5 541e5cb45a96992a2f58b0e017c75c91
SHA1 b668506d3e3ea4d55731ddf4192f040ca41f24db
SHA256 201b09a8e2072521b83ebbd75857e8f70909f164b00a2d83aa07ef028b034e13
SHA512 16a4a1096c5b1973c31bb6d781bb7dd2e6652b9cb33865c7c8f864b37f1b5cab4886e17391397aec9c0123ad4dd81041ec379dd245f25272bdf40b4ddea31672

memory/2020-166-0x0000000000250000-0x0000000000290000-memory.dmp

\Windows\SysWOW64\Djefobmk.exe

MD5 45545048d259f4c73cd1cf632a7cd32c
SHA1 e0e069be2d3db3e6b531462262f440f54d0cdc43
SHA256 fb178cb71c3b848f06fecf6f3b5124f6cad1ec513c4450fe5c04c17e70b12dfa
SHA512 f4392f6d64a37d22c3b91b52d3b1e3b4a672e209ec88aab227205b66ba8184d897387e93c704a6814bda936cb8f7a5fc76ab262df95861ba02b17a85a295d63c

memory/648-184-0x0000000000400000-0x0000000000440000-memory.dmp

\Windows\SysWOW64\Ecmkghcl.exe

MD5 56b41a369a2bf9800dd298e5ce8ceee2
SHA1 a8d0ecb3134ff9f274d8d18efab11acda93242ba
SHA256 e924f252d4c5998fd8e25272fbc9f96983dd5d96d998d1ed7b20c19eee84533d
SHA512 7f4f4af08e25b4f8c46b648395ab6b660cbdca1d5502fd008414d2070b5b5141a2bcccd95ad6dfa9506a4b22402fa0c68d7e6ff10a21f2af2407d99a98a46c43

memory/648-196-0x00000000002D0000-0x0000000000310000-memory.dmp

\Windows\SysWOW64\Emeopn32.exe

MD5 9d04ae27588553d8592be90bec520c9e
SHA1 38368fbed84ab08232a15b9163f89ee5d846f1d8
SHA256 11f68686ab5391fa4f4e168ad1c718718c76aa5b238d06e6c689f77195b610f5
SHA512 f12087ad697563261f6a82c7eab0ea65043cfaebde6d49570580e838c35ed5451772071ea4ff4caf964ca22e6590e4a9740ad9bbf367021d41058b21eac03488

memory/2308-210-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Ecpgmhai.exe

MD5 34b7af1f24a424d00389a51d83de25ab
SHA1 480d25f83b4e127bf529e063c3630466de4710b3
SHA256 41f1257e182612817386cd00458ae1adeef5bbb3138f02e7b5fb3637f5d65556
SHA512 547b873775db025c3fc83ede9b46e57592202c26e990f852156e22a75338cb084f28b8e510659f04a9bf6d7982928d88690ad42344e79ae20c56603d04017f6a

memory/2416-220-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Eeqdep32.exe

MD5 7b4820eae629e9aa50b8564aa2d42929
SHA1 69e25ceecf87558a584cf3498e9a99b7999a9916
SHA256 83a660628c2a76651b7bb3d76c923c983668256292442c8e0c95eb72a5460a1a
SHA512 3fe039522b6d1021dc0d048f2f4807f3ac4fa3c5ba165fd8fa0732bd48227c3e44d8e2dac0a6ea8a5d06499a06bb242a610bbe5e7348a6e3cc1f53c76b1ebd07

memory/564-233-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Emhlfmgj.exe

MD5 2735bc8000e90cea9046654ee4c0d3ef
SHA1 1e5637b8590be9e9ad4406e9d2d790de510962b2
SHA256 16171fcf9b4a0f534d0ef543eff35579f721a0b5d5e1d7bea21d34af007ae865
SHA512 5892d9f883a6f57f7dfafa244a3f668fea63e24efb2a127e6c073747167b36bef892a789321331bc3cbbc4edf0604d3a15fba6e4ea7269d240f3ca81ba8eb74b

memory/1648-240-0x0000000000400000-0x0000000000440000-memory.dmp

memory/564-239-0x0000000000250000-0x0000000000290000-memory.dmp

memory/564-238-0x0000000000250000-0x0000000000290000-memory.dmp

C:\Windows\SysWOW64\Enihne32.exe

MD5 65f71fe1a294b3e2db989bac2b80de65
SHA1 c09c9a5f3dbcb9ebca48595191a36536e16ff318
SHA256 65415d7a960aae50a2d319f803d14467eb68902ffa3313db0d143384d5729845
SHA512 b78e0d68db328c693d486d09777a31b8af8dc4a1a837efb06c16496990bf52cfaa2645bd097c3eb8f744888d28853b5aaadfbf959971f19010951746157560b3

memory/1648-250-0x0000000000260000-0x00000000002A0000-memory.dmp

memory/1396-251-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1648-249-0x0000000000260000-0x00000000002A0000-memory.dmp

memory/1396-260-0x0000000000260000-0x00000000002A0000-memory.dmp

C:\Windows\SysWOW64\Egamfkdh.exe

MD5 3e3c216fe2ef4a30008f30ecc16e8940
SHA1 38e50f28955c97734d66de980a1b6f55350f05d9
SHA256 23b0a7029e515ce0a98e2525bec8562b869a87e34a55d3e3700aed6bf3f3b037
SHA512 baa008025afe0662d8136488edbc57b9bc1106e64c94f44b84bec49701f023a2024dad37790bb0670834210dde14d1b13319a2d84fcaaf9a794ce0c421fb56d4

memory/1876-262-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1396-261-0x0000000000260000-0x00000000002A0000-memory.dmp

memory/920-273-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1876-272-0x00000000002E0000-0x0000000000320000-memory.dmp

memory/1876-271-0x00000000002E0000-0x0000000000320000-memory.dmp

C:\Windows\SysWOW64\Eajaoq32.exe

MD5 667d8f71965c900d86e4fe1da62a86e8
SHA1 ab2831af0c398b78ab12911f1f939e278753305b
SHA256 6a7d579aec98e68a0a481642da322d0cbed9e57f21b1f36a162c909331fdaa37
SHA512 bfc4f402cc828b12e2d122616dc48621171ac919d3341b63fe240f37876f895024cb22a3d264701581546f15544b00ee9a980838ccd9a923b6f8343a5faccd36

C:\Windows\SysWOW64\Ealnephf.exe

MD5 2cf2f2641a17eeffae90b31b15a13fa9
SHA1 6892bca20a4d3f93c3bee6ee954db1b3952a3b85
SHA256 a2e20e87bf1551df78bce5a59f4fb36755690f524cca73412d961acdc8d48713
SHA512 bf29d6782bb452ca967a3273d57a9c95503a24674fa6f06e67a76ca931773bd479aed3632276b65f71867dc01b56c8eac064719eb7ac3e2b587cb2ba535eb706

memory/920-283-0x0000000000280000-0x00000000002C0000-memory.dmp

memory/920-282-0x0000000000280000-0x00000000002C0000-memory.dmp

C:\Windows\SysWOW64\Flabbihl.exe

MD5 2fbd5cefd200e4c9712980d12c8eadc4
SHA1 30056395174d32c8c36ba8f9373c8cbafe7b1602
SHA256 eedac908d206ae7bcea8c24ec16d43e51da14d8fbcfd99cea1e9403c4ca63c11
SHA512 ffcbb3d8219ae68a9a3c4155dfcd9b8518fb4ad8601e7df6c28acc4e123a58d684ff8958f5bf3bc333951daa1820269557b458d993e64e3a6b73fbdf37448fca

memory/2164-292-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2116-298-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2164-296-0x00000000002D0000-0x0000000000310000-memory.dmp

memory/2164-293-0x00000000002D0000-0x0000000000310000-memory.dmp

memory/2116-304-0x00000000002D0000-0x0000000000310000-memory.dmp

memory/912-306-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2116-305-0x00000000002D0000-0x0000000000310000-memory.dmp

C:\Windows\SysWOW64\Fnpnndgp.exe

MD5 c62ffdf675e099dcea16960b9847aad8
SHA1 e0d4485f478c223af843a7cbbcdbc7170a4c9bb2
SHA256 d60e500b4f036616e414dbf55ce0d4da8c1ae955dabbb176a4bf413335879a87
SHA512 8d3655f4e52afb7374b6e224144bd0ed3a37e7b4c3ab9571a4edefa113ab34c44a999a01aeaf27e38a04fb7a9882c2865eb51be07bf1eb219250ef3e96930086

memory/1272-317-0x0000000000400000-0x0000000000440000-memory.dmp

memory/912-316-0x0000000000250000-0x0000000000290000-memory.dmp

memory/912-315-0x0000000000250000-0x0000000000290000-memory.dmp

C:\Windows\SysWOW64\Ffkcbgek.exe

MD5 903d1b949686d568a7144d67c072926f
SHA1 85971ec3ed45e048fd510181eca246156677c4cd
SHA256 bade2410bf36896816cbbdb31cd74f4073b3499c7f8b53172f24497d01a9fd47
SHA512 3202f20f0d5080ae7e5b064b18f461f35e92d74879b7aa6a098908c8ecdbf836430f882d0220696cdff9ee4095d1f820a0a648747fda235b0b63b66de2967616

C:\Windows\SysWOW64\Fmhheqje.exe

MD5 22069c0f2a12737ad839d649c4bd96df
SHA1 2cf6855dadff609ac88babf715278f045ec6e859
SHA256 bb7c448ae2b9e4038269e47778e7ed9e6e7b5ef60d0a9ce2c7813c3191c5589b
SHA512 eaf0e778ad134b50a7810ba327e5e94790226bad02ed2414961043e7b063212be6475fc82de662d5f6f080de1011140d37a025d41159982c448532a265e74492

memory/1272-326-0x0000000000250000-0x0000000000290000-memory.dmp

memory/2748-328-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1272-327-0x0000000000250000-0x0000000000290000-memory.dmp

memory/2748-334-0x00000000002D0000-0x0000000000310000-memory.dmp

C:\Windows\SysWOW64\Fpfdalii.exe

MD5 6c16cefbe62964d23f14dc221d84e6ab
SHA1 bb36398a4aaeb94fef8855f2de3bce84752c5ffd
SHA256 d79d154ae5e94f852201d4594474a6b456a9c80e4b5df48e286a2db9515e4f89
SHA512 be1ca89fb1c613742d07ad4ffae0403035f511d204c467064e937bd6e75ffc862f81f46162e86289c17c5b08bce77fc63b6c67563b0b212ff929fd7aeadb482b

memory/2188-339-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2748-338-0x00000000002D0000-0x0000000000310000-memory.dmp

C:\Windows\SysWOW64\Fmjejphb.exe

MD5 78a1d0095ac4d36a98610ce2d808168f
SHA1 6ec8db237951ea8b44f257cbd8431bb805dbabea
SHA256 99d57b59ec4e7934b6036d69c8bb1b847d4dae4ad93491db66b93d6b0aee0050
SHA512 6a263f0de3d717571d0039a4d7f797959493857eab9fce566a24c94584cbe84c450a828b52e37f91dcd3c2907b6c891aeaa6efc4b67ec5a3b98ddc544a006511

memory/2188-349-0x0000000000280000-0x00000000002C0000-memory.dmp

memory/2188-348-0x0000000000280000-0x00000000002C0000-memory.dmp

memory/2256-350-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Fddmgjpo.exe

MD5 64149cda3fc68bb9794dce3b9bfaea4f
SHA1 294636dee1d7eb3effbcfaf22326c1c766a81485
SHA256 eb0d6758b75ed2fe394cd36e0176884d7c15c335d56ed87d656054e0f4401f47
SHA512 4fdff66550f58634a3408490108dcbcf027cd93a43c2e8e1da0a1c9faf37705b869c29202b5569fc92aa9af60c58e32e3d72c31024751a5d20f795b24edfd4c3

memory/2564-361-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2256-360-0x0000000000250000-0x0000000000290000-memory.dmp

memory/2256-359-0x0000000000250000-0x0000000000290000-memory.dmp

memory/2564-367-0x0000000000290000-0x00000000002D0000-memory.dmp

C:\Windows\SysWOW64\Ffbicfoc.exe

MD5 4a127e424f77ad40a2e8334dae590d6a
SHA1 b6ba3d545ef3e474d12f95e9e93c2ad3057d9f48
SHA256 d72ddefce4749a6c8e2ffca81bfe7e980c82d219b3871f1b64c07e6199923180
SHA512 bc7633bb7230babbbc2c9131f0837aa1731fb57d79418ff590d0e8f8741c60ae2d9bb4f15fda78c7090ba43a6328e0090d14b9de0aa6f2bb9e02b55e4e72759c

memory/2724-376-0x0000000000250000-0x0000000000290000-memory.dmp

C:\Windows\SysWOW64\Gbijhg32.exe

MD5 b7bf70cd575315603c704536439b436f
SHA1 0c99d6d2f3a16890ad9219b9b97a2c0081cb568f
SHA256 aab418d48d2910a217b35278a10f20ec731e887633972dbf16ee6eb77362faf4
SHA512 867d1540bc57fc384bb243d2807d154749cbe123d40460fd952694deb046a579a0d4d56f47c1b354fd281d93ebbfc1306ac52cc6541d2fbfaf7d52f2f52ac59b

memory/2480-381-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2724-380-0x0000000000250000-0x0000000000290000-memory.dmp

memory/2480-387-0x0000000000250000-0x0000000000290000-memory.dmp

C:\Windows\SysWOW64\Gopkmhjk.exe

MD5 2e820fa7c8840da33504fbf11f1b5045
SHA1 9bf9fff5cf71c351a0f063e79048491ca16a018a
SHA256 05a531f8d7b503d220e27d1cd08ce62d14fa2789a78284ad5a213dffbb9fa550
SHA512 201adcbef04aabc0f6ea044f2bd38f70bbcdb56bc2ee00d9409737ffa674e038779a29f13849fe821a97ffd9dee24d36289b8b30d17dc830f8e0df5e2d7fa70e

memory/2476-395-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2480-394-0x0000000000250000-0x0000000000290000-memory.dmp

C:\Windows\SysWOW64\Gbkgnfbd.exe

MD5 fa6bd9073120513b41b7e951343e5427
SHA1 ab21e6399de939c5b325e67cf6f09a3bcacb0eb4
SHA256 5a80281325ba377e4b41be83cbe4bf4edc720c1adfb3ebef64c2f2409bd44fcf
SHA512 2ca5d5e8bae66a2c1761c3d307f3f6b86c43c4b4d7321966fe21632f799814b9aaf5691f5861650d3b5b4798c48257e6322e3788d5df06102cc024d1f3a278e9

memory/2960-403-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2476-402-0x0000000000270000-0x00000000002B0000-memory.dmp

memory/2476-398-0x0000000000270000-0x00000000002B0000-memory.dmp

C:\Windows\SysWOW64\Gaqcoc32.exe

MD5 27b7a542730c89b572cd45555ce25fab
SHA1 0e78c9f8820bbb160b7d43573cd4bffd0b7be9eb
SHA256 5936aa0815672c110ec6540ca8dca8d7fada4cc868f30bd1a72d4d01af596139
SHA512 46e16637d16c243813ba32e0c8203dc2b5ac442d943f7637d5ed3ec4e861e73c145240f88ad95a74d4b039657ce8df9bd10132f4fee2b71b6c681270fe956d63

memory/2756-414-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2960-413-0x00000000002E0000-0x0000000000320000-memory.dmp

memory/2960-412-0x00000000002E0000-0x0000000000320000-memory.dmp

C:\Windows\SysWOW64\Gkihhhnm.exe

MD5 e032ab7e5c4ba6ce103d13ee1bf74812
SHA1 1602968ae638024172c20ca345870db80d814902
SHA256 842869eec39ee7ba49f894b0623e74a37230f5000bf17811d0c6b07be6fd2221
SHA512 3107be833bd1ba1638f1addd036057e9de66bc5e3046b4d030153968a2ade1d2b52f4298c7e678fee19a0798ca745b4af33979710cd46ae0bfdad22a6a50bd9c

memory/2936-425-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2756-424-0x00000000002D0000-0x0000000000310000-memory.dmp

memory/2756-423-0x00000000002D0000-0x0000000000310000-memory.dmp

C:\Windows\SysWOW64\Gmgdddmq.exe

MD5 516bba989467c0489099dcfffbff82f9
SHA1 bbcae018f5dac484b1930643dd4a519fce3c157d
SHA256 67e17d14fc5827fd9bc3a80a9d29c25d4272b68a7657ca180ae1f89cea0e7c55
SHA512 cdca950cee8dc5ae85baf04c508c0d1b4d810112a605dc01ef041298bb0bc30aa934fa2a3b5bffd217197e712703e70cb6a9195011d03f606b2537b3e1be4d81

memory/3000-436-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2936-435-0x0000000000250000-0x0000000000290000-memory.dmp

memory/2936-434-0x0000000000250000-0x0000000000290000-memory.dmp

C:\Windows\SysWOW64\Ghmiam32.exe

MD5 b0839513d387fd3f01d2fdebaaa233d4
SHA1 50d33457bb853725fffcc2f93d2c8cac5adf25b6
SHA256 4c7f2503274395b42be83a40e57c4642cf77350cbbe7c5590ab814805ee777cc
SHA512 1f97f99148671bbbeb0a188a15f5ced5a16d0557e713a1e1ce5cd3e7b0d41b459594e4ea9fb0192e407397ddfefcfb2b92388fe10b70b4c480b6059978ecdaa2

memory/2620-447-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3000-446-0x0000000001F50000-0x0000000001F90000-memory.dmp

memory/3000-445-0x0000000001F50000-0x0000000001F90000-memory.dmp

C:\Windows\SysWOW64\Ghoegl32.exe

MD5 ccaf3aa6af4b35f203b063c97502c241
SHA1 02860133be34bbd660475ac3c9e6a560388356d9
SHA256 a72ce75fda8027349fce952c5b757dfa8fd7569eb1c712731ae78a936bb4073d
SHA512 a1412f7a33493334a66d1f82bbb3fff6982679ef6b0dbdbc66376a70307145671e86ef21efc144f4d30e9de825f321873de52d3bc1edf5dd50e616cdab2e8ea6

memory/2620-457-0x00000000005D0000-0x0000000000610000-memory.dmp

memory/2620-456-0x00000000005D0000-0x0000000000610000-memory.dmp

memory/2680-458-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3028-467-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Hahjpbad.exe

MD5 55ef546b1b49fc53930cde4fcf04745c
SHA1 8fbed681d90a5883dd3e7a04270593d26cf19e8e
SHA256 53f410fdee542c5085fb0a7178a0765cb5c7029cc20a0279df002075d4011fd4
SHA512 1cefc665d08da70b8c3734957081c5e1e781738b9e027094bcecbe6dbad9a0819a821cd3084497b2b02febbc01158b57a634939b11de96b7c0641bf2f45c5a5f

memory/1096-468-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Hpkjko32.exe

MD5 72c7b888652ca5c0c88ffb71bd83d236
SHA1 77ad9abf6d89b10c759c432a6b48c2fd9ec12043
SHA256 135ca8728c03e9bb7a5a16fe12d1fc6b9805148cf67117ef2da77b1472a14abc
SHA512 414ceaba16e7e566f42af7bf176c4eb28ba2e74522257004824052c1b3b95905638ae31573251527a3986b4b0c0dcb6aaee877cb781305894c1f55327a84a48a

memory/2268-490-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1640-489-0x0000000000260000-0x00000000002A0000-memory.dmp

memory/2012-488-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Hgdbhi32.exe

MD5 d64419c535341d8b407f19391534f813
SHA1 61de45e8083b6b20fc5e666cb43ad017097a055c
SHA256 45995e8bf4bdbc3e55bc7e8bab117b5ce5ad494f586de440aa94d29ab99875c7
SHA512 7d5962ecd4285d2ab94ee5232ea7f41d15d61b6ef702c85721f1e68cd6bc9f437a3ae7c9aab5240fe23e95e388b4c9f39ee50a02ba86bbfe580a3e7c9fcab334

memory/1640-482-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1096-481-0x00000000002F0000-0x0000000000330000-memory.dmp

memory/1096-480-0x00000000002F0000-0x0000000000330000-memory.dmp

C:\Windows\SysWOW64\Hggomh32.exe

MD5 25f955679eeb5d2c781fb3e0f62e4493
SHA1 ea11e0cb3b0bc8e4776410ebe3d42567a80f8a91
SHA256 eda0491b2349e4c16f4608fc9f1466790173abe6edaf09d95189783cb25c6346
SHA512 8704e54e6ffe55f1fbf1a9eaccd7a0aca932132996d1534711e58657624babf9102b81124af88ecb79250740efb9dd4096ee62cf9c45b5439652cf06a40201fe

memory/2840-500-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2268-499-0x0000000000250000-0x0000000000290000-memory.dmp

C:\Windows\SysWOW64\Hiekid32.exe

MD5 26eddbba890ceba4594dc80b468e7847
SHA1 295432243ef3f0ccc6d651c8f11031f0c005f192
SHA256 b32e8f0883384d5ce8b8211d5adba111df033ab7c07beb3ef78d2d29f003dec3
SHA512 5fafc9763e2eb9c12f0eb21186b441310b8b03845f1a1ab142e435e0e4146cd90974f7733410190563793eb0d22286e46df712e17564978b85e192126bcefa91

memory/1776-509-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1260-513-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1776-515-0x0000000000320000-0x0000000000360000-memory.dmp

C:\Windows\SysWOW64\Hpocfncj.exe

MD5 8c894de6955c3c4d6e0eb15fb6650844
SHA1 42eb2c064252bad73dd0f816519e9408889e82b1
SHA256 2240f3fb12ada54aefbf58458c75c36b97d24b1953907203fe60bcf34fdb13f1
SHA512 b186a49ecdbd9825b4bb239d17d3fc22c4e1b1d1dceeccf880cfb7365c3c712fdbaab27007b85d37fa8c9958894368839c97d58c1f366f50f1a8f1d599f11897

C:\Windows\SysWOW64\Hellne32.exe

MD5 4d6ca8a24fb7ba2aaef878217df100cd
SHA1 0274757103585e4a669a6fd57ca71fd07a2e6a4b
SHA256 c9c4c48aa554c4a3a0230828e6b5ff4bfb6415258e72d2012f34ff8aee7a0fd8
SHA512 7ffed32104886f333007829e49750ef69568e30c1ecaeb5aef8548be29064a79d4ae59877fa08e41dd262e3240d7ecc569772116e4991cb4d080aa75f0aee955

C:\Windows\SysWOW64\Hhjhkq32.exe

MD5 58a86d77e76ba2bf4dac29cc123f789d
SHA1 5f02385a2049139c68b0fb4a66f08e385dddd045
SHA256 2837c66acb0f98313a1e7ca6a97b982a5e48ac88b3139ca358ff127ef5320074
SHA512 2754d875809449f4763510501487713bfc30aa34d93381c263516673fe3eb718307b72ee0211917dd1ec6ff57c7322bf98c2accf20abd4e6fc644487bb2ac382

C:\Windows\SysWOW64\Hpapln32.exe

MD5 acb0f3257c34ce8d94d633a79e6a91c1
SHA1 27ced21f793dd85b98f9c6a430398d0d666ea06c
SHA256 163db47e13c0059fc3fc53033fd1b77059fb20fd7a39e833cad03a8fda7d11e4
SHA512 43985c24e9ea982e953a9ba944c32c883f61f61a220bbbfd2c0be53b76550ab607a3053eb2a60656c1ccbdeda8d501935df56c204de5a060f42544f5d0d36192

C:\Windows\SysWOW64\Hodpgjha.exe

MD5 27d27b34ea85e1d2d266f0c76b359943
SHA1 b2af05a892e80666d6e0b3e4b8411d30d18834fc
SHA256 5e06dc8662b270569ade8273fc7769c08e33741e60da4b60c1f2288122a714bd
SHA512 b81ca4c21dfaf459f4a707ee80283305721fdc45ee1181f69f014e0d455d4d09390b3ab2af7818cb61d5fb33c4f8d97d34f661751aeaee40d612eb6f45f25b7c

C:\Windows\SysWOW64\Hjjddchg.exe

MD5 27547dccc84a389ed8a8d1d13b9b4f4e
SHA1 401a33c0532305f0f775b5b9d44f53bf74be68b3
SHA256 ae2bc0632e830c58a703d1cdeeb256c30801576e703fbb9c66cde7d002378bdb
SHA512 a81a46938f8bf30408ffdfe6ad912956ce691d419a42a44fafbc4209fbec7e6e41a56d24a8ffa155395ae98c52b93060cf12de373475dd5dcffbcd858914c1bc

C:\Windows\SysWOW64\Hlhaqogk.exe

MD5 5986318a932ed57d8f260588a4bf8abd
SHA1 222f7b8f71e57d37fc7e7c755ccb4014901cee7a
SHA256 19ec208ab4929db389b0bb9a93048f6901b3e76d93c79daa189bf2db959daf81
SHA512 42c9d0e782b86631c88e12823797581607d8c4ac31384742dd331ac5c0e59c3cae422d4326451d47f9469f8c7dd0f52e89273c231f44d62238520a50f7a93404

C:\Windows\SysWOW64\Hkkalk32.exe

MD5 37b95b2edb19cfadeedcca3be2d386a8
SHA1 a8ffe25b172f38a8ed90d49d8a3a6d5294f9e2e1
SHA256 3c6bae35288dccc1cf6330e95c634872a55b759394656cc13ad86113e816a1ba
SHA512 cfa6fab0f7e49b9737859558c6ed89b5f073b5422088d4bc5f6f9a0ee2817f0d35aab8fc7540aeca28af2614408de73aaea5a4012f194de3ff55603df8c755ec

C:\Windows\SysWOW64\Icbimi32.exe

MD5 d85d53ec54d71f4ccdffc1e4304061c8
SHA1 c598a4b93c802c972fe31b4e42895ef5315cf7e6
SHA256 cd9d1e3f4b3d4c392f6f851b98c964cb3a1beeee7883a61e599ce24f85240537
SHA512 2919703c1c3e5de65312d75fbf2acfa66eecf61b4436d3d46297227c894d011dd30068dc16d54e857c813aa98dbf65ff9b3670fb56cdbd4e5be6e53f4b605c5e

C:\Windows\SysWOW64\Ieqeidnl.exe

MD5 8ab283bc92c670aaedbe1636a20a7817
SHA1 563f084ae521d876b3bf623e15ddd1e1be422eaa
SHA256 380076e2eaee6a5aad6eba4bf00fb4b459fa80136de171b141a775916af5b2b6
SHA512 e125368276111d20932324ba5de7f07d9ddfbb94922d8286f48e353f41d86fe76ff575499cf1c00cfc405e21cecd8aca3cef93e3d875d06138ea6d96c634d5dc

C:\Windows\SysWOW64\Ihoafpmp.exe

MD5 63af092ca775896ad3e414e4d3bb1fcd
SHA1 f5c975c4aaec021cb14805121618ae1462f72c58
SHA256 9729bf78c99c047d0289c884d3ae2dfc1d1eadb38a5104cc64791f8c082e376e
SHA512 f799c5c22907cefbffb5cf7117e343421fecbdf82c4f48e2bc764a637ab6fa90de7f46051405d75b6a55c655a08e9566fc24fc981387ad148cbcdfff053c83b2

C:\Windows\SysWOW64\Ilknfn32.exe

MD5 592c7e41845e41433ab2d4882227387b
SHA1 14d8f320cbb48c85b3605f0cc7260b49a4d1c16c
SHA256 bf136234bc5917b156b4d986a2853801cebf95060d1ce682f3ca419ec6316691
SHA512 24e055e67d5695b1a18400208e954802dedf2f45cc740c25be2ddf2a52535db438fe7d3f63c6fa04c304460fde32345d4fa42213836ace1fc563a28c1efa7631

C:\Windows\SysWOW64\Ioijbj32.exe

MD5 d6471fbd24a45454408757ab5105fda8
SHA1 9864b74a90044730d39a0d1ddae5630bc92d3483
SHA256 3302bff6e27fff1d2aae0f3241ca56ab8ad85672085e08fda8ed456beff80c67
SHA512 a0df84fdff8157fcd6b5dd9c52f07d57a25c1efd3912c410d49e0ca9b1278bfc13e7d7110381184816b9a98535ea3dbb8e8f7184204a9320754eb2f3dfca0a12

C:\Windows\SysWOW64\Iagfoe32.exe

MD5 3958042c3ae94c4f0b856268e993add8
SHA1 28ec1cfb2167abde771f68bac208e3f06d4f8778
SHA256 81dd96cc8193a323430b7b43ade5df903502c9b50b2f6efdc200186023347dfb
SHA512 03c355551dc8a50564b96ffbfb1ba854d4e322be78b79f47669e2f2452a9bb147d5354705b8a22afda153abeca2898e8dfc34067dd99ba8b72bea188c399de97

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 02:25

Reported

2024-06-11 02:27

Platform

win10v2004-20240508-en

Max time kernel

62s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\240e8612d7024d4fca353a020c41ccb0_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kipkhdeq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kplpjn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ndhmhh32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kmijbcpl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lkiqbl32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ikpaldog.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jplfcpin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jcllonma.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lbdolh32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Okeieh32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cogmkl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ogpmjb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pdkcde32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dmefhako.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Liggbi32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Onmhgb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aaepqjpd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Elbmlmml.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kikame32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kdcbom32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Medgncoe.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bnhjohkb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hckjacjg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ddonekbl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kfankifm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dohfbj32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eleiam32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nfgmjqop.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pmoahijl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cnffqf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qgciaf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bjpaooda.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ehljfnpn.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ldaeka32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pgjfkg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ikpaldog.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pggbkagp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nlmllkja.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qjpiha32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jfhlejnh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lepncd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pgnilpah.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aniajnnn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ldjhpl32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pmidog32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cfpnph32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Chbnia32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Deanodkh.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fcmnpe32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Llgjjnlj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mcpnhfhf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aepefb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lgpagm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cdhhdlid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aabmqd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ceckcp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kkbkamnl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lbjlfi32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mlopkm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nkncdifl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bobcpmfc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fkalchij.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\240e8612d7024d4fca353a020c41ccb0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ojopad32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Kmnjhioc.exe N/A
N/A N/A C:\Windows\SysWOW64\Kpmfddnf.exe N/A
N/A N/A C:\Windows\SysWOW64\Kckbqpnj.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkbkamnl.exe N/A
N/A N/A C:\Windows\SysWOW64\Liekmj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lpocjdld.exe N/A
N/A N/A C:\Windows\SysWOW64\Lcmofolg.exe N/A
N/A N/A C:\Windows\SysWOW64\Liggbi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Laopdgcg.exe N/A
N/A N/A C:\Windows\SysWOW64\Ldmlpbbj.exe N/A
N/A N/A C:\Windows\SysWOW64\Lijdhiaa.exe N/A
N/A N/A C:\Windows\SysWOW64\Laalifad.exe N/A
N/A N/A C:\Windows\SysWOW64\Ldohebqh.exe N/A
N/A N/A C:\Windows\SysWOW64\Lkiqbl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lnhmng32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ldaeka32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgpagm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lnjjdgee.exe N/A
N/A N/A C:\Windows\SysWOW64\Lphfpbdi.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgbnmm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mahbje32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdfofakp.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgekbljc.exe N/A
N/A N/A C:\Windows\SysWOW64\Mkpgck32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mpmokb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgghhlhq.exe N/A
N/A N/A C:\Windows\SysWOW64\Mnapdf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdkhapfj.exe N/A
N/A N/A C:\Windows\SysWOW64\Mkepnjng.exe N/A
N/A N/A C:\Windows\SysWOW64\Maohkd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mpaifalo.exe N/A
N/A N/A C:\Windows\SysWOW64\Mglack32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mnfipekh.exe N/A
N/A N/A C:\Windows\SysWOW64\Mpdelajl.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdpalp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgnnhk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Njljefql.exe N/A
N/A N/A C:\Windows\SysWOW64\Nacbfdao.exe N/A
N/A N/A C:\Windows\SysWOW64\Nqfbaq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngpjnkpf.exe N/A
N/A N/A C:\Windows\SysWOW64\Nklfoi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nafokcol.exe N/A
N/A N/A C:\Windows\SysWOW64\Nddkgonp.exe N/A
N/A N/A C:\Windows\SysWOW64\Ncgkcl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nkncdifl.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbhkac32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nqklmpdd.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngedij32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nkqpjidj.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnolfdcn.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbkhfc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndidbn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nggqoj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Njfmke32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnaikd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nqpego32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ncnadk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Okeieh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oboaabga.exe N/A
N/A N/A C:\Windows\SysWOW64\Odnnnnfe.exe N/A
N/A N/A C:\Windows\SysWOW64\Ogljjiei.exe N/A
N/A N/A C:\Windows\SysWOW64\Okhfjh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Onfbfc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oqdoboli.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Ceckcp32.exe C:\Windows\SysWOW64\Cmlcbbcj.exe N/A
File created C:\Windows\SysWOW64\Eapedd32.exe C:\Windows\SysWOW64\Elbmlmml.exe N/A
File opened for modification C:\Windows\SysWOW64\Gkhbdg32.exe C:\Windows\SysWOW64\Glebhjlg.exe N/A
File opened for modification C:\Windows\SysWOW64\Kfmepi32.exe C:\Windows\SysWOW64\Kbaipkbi.exe N/A
File opened for modification C:\Windows\SysWOW64\Pmoahijl.exe C:\Windows\SysWOW64\Ojaelm32.exe N/A
File created C:\Windows\SysWOW64\Bjmjdbam.dll C:\Windows\SysWOW64\Pjjhbl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Qgqeappe.exe C:\Windows\SysWOW64\Qdbiedpa.exe N/A
File created C:\Windows\SysWOW64\Aepefb32.exe C:\Windows\SysWOW64\Aminee32.exe N/A
File created C:\Windows\SysWOW64\Jcoegc32.dll C:\Windows\SysWOW64\Nklfoi32.exe N/A
File created C:\Windows\SysWOW64\Bmnjlc32.dll C:\Windows\SysWOW64\Aldomc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hkmefd32.exe C:\Windows\SysWOW64\Hioiji32.exe N/A
File created C:\Windows\SysWOW64\Qnnanphk.exe C:\Windows\SysWOW64\Qgciaf32.exe N/A
File created C:\Windows\SysWOW64\Kmijbcpl.exe C:\Windows\SysWOW64\Kebbafoj.exe N/A
File created C:\Windows\SysWOW64\Pgllfp32.exe C:\Windows\SysWOW64\Pdmpje32.exe N/A
File created C:\Windows\SysWOW64\Liggbi32.exe C:\Windows\SysWOW64\Lcmofolg.exe N/A
File created C:\Windows\SysWOW64\Oqdoboli.exe C:\Windows\SysWOW64\Onfbfc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cdainc32.exe C:\Windows\SysWOW64\Cacmah32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fakdpb32.exe C:\Windows\SysWOW64\Fkalchij.exe N/A
File created C:\Windows\SysWOW64\Cmqmma32.exe C:\Windows\SysWOW64\Cjbpaf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ndidbn32.exe C:\Windows\SysWOW64\Nbkhfc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ncnadk32.exe C:\Windows\SysWOW64\Nqpego32.exe N/A
File created C:\Windows\SysWOW64\Bbjiol32.dll C:\Windows\SysWOW64\Mibpda32.exe N/A
File created C:\Windows\SysWOW64\Ogpmjb32.exe C:\Windows\SysWOW64\Odapnf32.exe N/A
File created C:\Windows\SysWOW64\Gallfmbn.dll C:\Windows\SysWOW64\Bmemac32.exe N/A
File created C:\Windows\SysWOW64\Jlnpomfk.dll C:\Windows\SysWOW64\Nafokcol.exe N/A
File created C:\Windows\SysWOW64\Qcldhk32.dll C:\Windows\SysWOW64\Mdkhapfj.exe N/A
File created C:\Windows\SysWOW64\Lljfpnjg.exe C:\Windows\SysWOW64\Lepncd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mmbfpp32.exe C:\Windows\SysWOW64\Melnob32.exe N/A
File opened for modification C:\Windows\SysWOW64\Aqncedbp.exe C:\Windows\SysWOW64\Afhohlbj.exe N/A
File opened for modification C:\Windows\SysWOW64\Cmqmma32.exe C:\Windows\SysWOW64\Cjbpaf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Qgciaf32.exe C:\Windows\SysWOW64\Qchmagie.exe N/A
File created C:\Windows\SysWOW64\Ligqhc32.exe C:\Windows\SysWOW64\Lekehdgp.exe N/A
File created C:\Windows\SysWOW64\Melnob32.exe C:\Windows\SysWOW64\Mdjagjco.exe N/A
File created C:\Windows\SysWOW64\Lpocjdld.exe C:\Windows\SysWOW64\Liekmj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nafokcol.exe C:\Windows\SysWOW64\Nklfoi32.exe N/A
File created C:\Windows\SysWOW64\Onmhgb32.exe C:\Windows\SysWOW64\Okolkg32.exe N/A
File created C:\Windows\SysWOW64\Lpkman32.dll C:\Windows\SysWOW64\Pqpnombl.exe N/A
File created C:\Windows\SysWOW64\Iclnemml.dll C:\Windows\SysWOW64\Aegikj32.exe N/A
File created C:\Windows\SysWOW64\Defbnajo.dll C:\Windows\SysWOW64\Glebhjlg.exe N/A
File opened for modification C:\Windows\SysWOW64\Kfankifm.exe C:\Windows\SysWOW64\Kdcbom32.exe N/A
File created C:\Windows\SysWOW64\Eifnachf.dll C:\Windows\SysWOW64\Cmlcbbcj.exe N/A
File created C:\Windows\SysWOW64\Pipfna32.dll C:\Windows\SysWOW64\Nddkgonp.exe N/A
File opened for modification C:\Windows\SysWOW64\Bobcpmfc.exe C:\Windows\SysWOW64\Bhikcb32.exe N/A
File created C:\Windows\SysWOW64\Popodg32.dll C:\Windows\SysWOW64\Pdifoehl.exe N/A
File created C:\Windows\SysWOW64\Hfggmg32.dll C:\Windows\SysWOW64\Bfhhoi32.exe N/A
File created C:\Windows\SysWOW64\Maickled.dll C:\Windows\SysWOW64\Chokikeb.exe N/A
File opened for modification C:\Windows\SysWOW64\Liekmj32.exe C:\Windows\SysWOW64\Kkbkamnl.exe N/A
File created C:\Windows\SysWOW64\Agffge32.exe C:\Windows\SysWOW64\Aegikj32.exe N/A
File created C:\Windows\SysWOW64\Mnkhmbin.dll C:\Windows\SysWOW64\Miemjaci.exe N/A
File created C:\Windows\SysWOW64\Olcbmj32.exe C:\Windows\SysWOW64\Njefqo32.exe N/A
File created C:\Windows\SysWOW64\Kgldjcmk.dll C:\Windows\SysWOW64\Qnhahj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nklfoi32.exe C:\Windows\SysWOW64\Ngpjnkpf.exe N/A
File created C:\Windows\SysWOW64\Imdgqfbd.exe C:\Windows\SysWOW64\Ibnccmbo.exe N/A
File created C:\Windows\SysWOW64\Anbkio32.exe C:\Windows\SysWOW64\Aldomc32.exe N/A
File created C:\Windows\SysWOW64\Ibnccmbo.exe C:\Windows\SysWOW64\Ildkgc32.exe N/A
File created C:\Windows\SysWOW64\Pdmpje32.exe C:\Windows\SysWOW64\Pmfhig32.exe N/A
File created C:\Windows\SysWOW64\Hmphmhjc.dll C:\Windows\SysWOW64\Pgnilpah.exe N/A
File opened for modification C:\Windows\SysWOW64\Aclpap32.exe C:\Windows\SysWOW64\Aqncedbp.exe N/A
File opened for modification C:\Windows\SysWOW64\Ldaeka32.exe C:\Windows\SysWOW64\Lnhmng32.exe N/A
File created C:\Windows\SysWOW64\Mkepnjng.exe C:\Windows\SysWOW64\Mdkhapfj.exe N/A
File created C:\Windows\SysWOW64\Ebooppnl.dll C:\Windows\SysWOW64\Ojmcld32.exe N/A
File created C:\Windows\SysWOW64\Naekcf32.dll C:\Windows\SysWOW64\Olkhmi32.exe N/A
File created C:\Windows\SysWOW64\Nhdlom32.dll C:\Windows\SysWOW64\Ffkjlp32.exe N/A
File created C:\Windows\SysWOW64\Kpgfooop.exe C:\Windows\SysWOW64\Kmijbcpl.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dmllipeg.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ahoimd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ddbbeade.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kmdqgd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Llcpoo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll" C:\Windows\SysWOW64\Aclpap32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Djdmffnn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaiapmca.dll" C:\Windows\SysWOW64\Njfmke32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Odbgim32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lbdolh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pflplnlg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qdbiedpa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ngpjnkpf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qgallfcq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fakdpb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khkaedic.dll" C:\Windows\SysWOW64\Ghaliknf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijfjal32.dll" C:\Windows\SysWOW64\Medgncoe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pmidog32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Oboaabga.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fcfhof32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eimmfkfe.dll" C:\Windows\SysWOW64\Qgallfcq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckhindhb.dll" C:\Windows\SysWOW64\Fcmnpe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ndokbi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bmngqdpj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dhocqigp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nbkhfc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Occkojkm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pnbbbabh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qgciaf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bhkhibmc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ghlcnk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Heocnk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll" C:\Windows\SysWOW64\Daconoae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Laalifad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chmbmidf.dll" C:\Windows\SysWOW64\Oqkdcn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Daekdooc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hmabdibj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ndhmhh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bchomn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nqklmpdd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Echknh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Oqkdcn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Anbkio32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfadpi32.dll" C:\Windows\SysWOW64\Iejcji32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocdfloja.dll" C:\Windows\SysWOW64\Jcllonma.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Chagok32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll" C:\Windows\SysWOW64\Lgbnmm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll" C:\Windows\SysWOW64\Nkqpjidj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Obfhba32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeijge32.dll" C:\Windows\SysWOW64\Ajkhdp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jplfcpin.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kibgmdcn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ldmlpbbj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nkqpjidj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipnjafgo.dll" C:\Windows\SysWOW64\Hmabdibj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaeokj32.dll" C:\Windows\SysWOW64\Llemdo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jphopllo.dll" C:\Windows\SysWOW64\Llgjjnlj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Odbgim32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ghaliknf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mmbfpp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll" C:\Windows\SysWOW64\Aqncedbp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgnjkdco.dll" C:\Windows\SysWOW64\Balfaiil.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Edkdkplj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odaoecld.dll" C:\Windows\SysWOW64\Pgllfp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cegdnopg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3112 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\240e8612d7024d4fca353a020c41ccb0_NeikiAnalytics.exe C:\Windows\SysWOW64\Kmnjhioc.exe
PID 3112 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\240e8612d7024d4fca353a020c41ccb0_NeikiAnalytics.exe C:\Windows\SysWOW64\Kmnjhioc.exe
PID 3112 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\240e8612d7024d4fca353a020c41ccb0_NeikiAnalytics.exe C:\Windows\SysWOW64\Kmnjhioc.exe
PID 4968 wrote to memory of 2236 N/A C:\Windows\SysWOW64\Kmnjhioc.exe C:\Windows\SysWOW64\Kpmfddnf.exe
PID 4968 wrote to memory of 2236 N/A C:\Windows\SysWOW64\Kmnjhioc.exe C:\Windows\SysWOW64\Kpmfddnf.exe
PID 4968 wrote to memory of 2236 N/A C:\Windows\SysWOW64\Kmnjhioc.exe C:\Windows\SysWOW64\Kpmfddnf.exe
PID 2236 wrote to memory of 3044 N/A C:\Windows\SysWOW64\Kpmfddnf.exe C:\Windows\SysWOW64\Kckbqpnj.exe
PID 2236 wrote to memory of 3044 N/A C:\Windows\SysWOW64\Kpmfddnf.exe C:\Windows\SysWOW64\Kckbqpnj.exe
PID 2236 wrote to memory of 3044 N/A C:\Windows\SysWOW64\Kpmfddnf.exe C:\Windows\SysWOW64\Kckbqpnj.exe
PID 3044 wrote to memory of 1820 N/A C:\Windows\SysWOW64\Kckbqpnj.exe C:\Windows\SysWOW64\Kkbkamnl.exe
PID 3044 wrote to memory of 1820 N/A C:\Windows\SysWOW64\Kckbqpnj.exe C:\Windows\SysWOW64\Kkbkamnl.exe
PID 3044 wrote to memory of 1820 N/A C:\Windows\SysWOW64\Kckbqpnj.exe C:\Windows\SysWOW64\Kkbkamnl.exe
PID 1820 wrote to memory of 428 N/A C:\Windows\SysWOW64\Kkbkamnl.exe C:\Windows\SysWOW64\Liekmj32.exe
PID 1820 wrote to memory of 428 N/A C:\Windows\SysWOW64\Kkbkamnl.exe C:\Windows\SysWOW64\Liekmj32.exe
PID 1820 wrote to memory of 428 N/A C:\Windows\SysWOW64\Kkbkamnl.exe C:\Windows\SysWOW64\Liekmj32.exe
PID 428 wrote to memory of 4492 N/A C:\Windows\SysWOW64\Liekmj32.exe C:\Windows\SysWOW64\Lpocjdld.exe
PID 428 wrote to memory of 4492 N/A C:\Windows\SysWOW64\Liekmj32.exe C:\Windows\SysWOW64\Lpocjdld.exe
PID 428 wrote to memory of 4492 N/A C:\Windows\SysWOW64\Liekmj32.exe C:\Windows\SysWOW64\Lpocjdld.exe
PID 4492 wrote to memory of 5008 N/A C:\Windows\SysWOW64\Lpocjdld.exe C:\Windows\SysWOW64\Lcmofolg.exe
PID 4492 wrote to memory of 5008 N/A C:\Windows\SysWOW64\Lpocjdld.exe C:\Windows\SysWOW64\Lcmofolg.exe
PID 4492 wrote to memory of 5008 N/A C:\Windows\SysWOW64\Lpocjdld.exe C:\Windows\SysWOW64\Lcmofolg.exe
PID 5008 wrote to memory of 4996 N/A C:\Windows\SysWOW64\Lcmofolg.exe C:\Windows\SysWOW64\Liggbi32.exe
PID 5008 wrote to memory of 4996 N/A C:\Windows\SysWOW64\Lcmofolg.exe C:\Windows\SysWOW64\Liggbi32.exe
PID 5008 wrote to memory of 4996 N/A C:\Windows\SysWOW64\Lcmofolg.exe C:\Windows\SysWOW64\Liggbi32.exe
PID 4996 wrote to memory of 2724 N/A C:\Windows\SysWOW64\Liggbi32.exe C:\Windows\SysWOW64\Laopdgcg.exe
PID 4996 wrote to memory of 2724 N/A C:\Windows\SysWOW64\Liggbi32.exe C:\Windows\SysWOW64\Laopdgcg.exe
PID 4996 wrote to memory of 2724 N/A C:\Windows\SysWOW64\Liggbi32.exe C:\Windows\SysWOW64\Laopdgcg.exe
PID 2724 wrote to memory of 4928 N/A C:\Windows\SysWOW64\Laopdgcg.exe C:\Windows\SysWOW64\Ldmlpbbj.exe
PID 2724 wrote to memory of 4928 N/A C:\Windows\SysWOW64\Laopdgcg.exe C:\Windows\SysWOW64\Ldmlpbbj.exe
PID 2724 wrote to memory of 4928 N/A C:\Windows\SysWOW64\Laopdgcg.exe C:\Windows\SysWOW64\Ldmlpbbj.exe
PID 4928 wrote to memory of 3752 N/A C:\Windows\SysWOW64\Ldmlpbbj.exe C:\Windows\SysWOW64\Lijdhiaa.exe
PID 4928 wrote to memory of 3752 N/A C:\Windows\SysWOW64\Ldmlpbbj.exe C:\Windows\SysWOW64\Lijdhiaa.exe
PID 4928 wrote to memory of 3752 N/A C:\Windows\SysWOW64\Ldmlpbbj.exe C:\Windows\SysWOW64\Lijdhiaa.exe
PID 3752 wrote to memory of 1736 N/A C:\Windows\SysWOW64\Lijdhiaa.exe C:\Windows\SysWOW64\Laalifad.exe
PID 3752 wrote to memory of 1736 N/A C:\Windows\SysWOW64\Lijdhiaa.exe C:\Windows\SysWOW64\Laalifad.exe
PID 3752 wrote to memory of 1736 N/A C:\Windows\SysWOW64\Lijdhiaa.exe C:\Windows\SysWOW64\Laalifad.exe
PID 1736 wrote to memory of 4608 N/A C:\Windows\SysWOW64\Laalifad.exe C:\Windows\SysWOW64\Ldohebqh.exe
PID 1736 wrote to memory of 4608 N/A C:\Windows\SysWOW64\Laalifad.exe C:\Windows\SysWOW64\Ldohebqh.exe
PID 1736 wrote to memory of 4608 N/A C:\Windows\SysWOW64\Laalifad.exe C:\Windows\SysWOW64\Ldohebqh.exe
PID 4608 wrote to memory of 4856 N/A C:\Windows\SysWOW64\Ldohebqh.exe C:\Windows\SysWOW64\Lkiqbl32.exe
PID 4608 wrote to memory of 4856 N/A C:\Windows\SysWOW64\Ldohebqh.exe C:\Windows\SysWOW64\Lkiqbl32.exe
PID 4608 wrote to memory of 4856 N/A C:\Windows\SysWOW64\Ldohebqh.exe C:\Windows\SysWOW64\Lkiqbl32.exe
PID 4856 wrote to memory of 1864 N/A C:\Windows\SysWOW64\Lkiqbl32.exe C:\Windows\SysWOW64\Lnhmng32.exe
PID 4856 wrote to memory of 1864 N/A C:\Windows\SysWOW64\Lkiqbl32.exe C:\Windows\SysWOW64\Lnhmng32.exe
PID 4856 wrote to memory of 1864 N/A C:\Windows\SysWOW64\Lkiqbl32.exe C:\Windows\SysWOW64\Lnhmng32.exe
PID 1864 wrote to memory of 4132 N/A C:\Windows\SysWOW64\Lnhmng32.exe C:\Windows\SysWOW64\Ldaeka32.exe
PID 1864 wrote to memory of 4132 N/A C:\Windows\SysWOW64\Lnhmng32.exe C:\Windows\SysWOW64\Ldaeka32.exe
PID 1864 wrote to memory of 4132 N/A C:\Windows\SysWOW64\Lnhmng32.exe C:\Windows\SysWOW64\Ldaeka32.exe
PID 4132 wrote to memory of 4180 N/A C:\Windows\SysWOW64\Ldaeka32.exe C:\Windows\SysWOW64\Lgpagm32.exe
PID 4132 wrote to memory of 4180 N/A C:\Windows\SysWOW64\Ldaeka32.exe C:\Windows\SysWOW64\Lgpagm32.exe
PID 4132 wrote to memory of 4180 N/A C:\Windows\SysWOW64\Ldaeka32.exe C:\Windows\SysWOW64\Lgpagm32.exe
PID 4180 wrote to memory of 376 N/A C:\Windows\SysWOW64\Lgpagm32.exe C:\Windows\SysWOW64\Lnjjdgee.exe
PID 4180 wrote to memory of 376 N/A C:\Windows\SysWOW64\Lgpagm32.exe C:\Windows\SysWOW64\Lnjjdgee.exe
PID 4180 wrote to memory of 376 N/A C:\Windows\SysWOW64\Lgpagm32.exe C:\Windows\SysWOW64\Lnjjdgee.exe
PID 376 wrote to memory of 1504 N/A C:\Windows\SysWOW64\Lnjjdgee.exe C:\Windows\SysWOW64\Lphfpbdi.exe
PID 376 wrote to memory of 1504 N/A C:\Windows\SysWOW64\Lnjjdgee.exe C:\Windows\SysWOW64\Lphfpbdi.exe
PID 376 wrote to memory of 1504 N/A C:\Windows\SysWOW64\Lnjjdgee.exe C:\Windows\SysWOW64\Lphfpbdi.exe
PID 1504 wrote to memory of 2812 N/A C:\Windows\SysWOW64\Lphfpbdi.exe C:\Windows\SysWOW64\Lgbnmm32.exe
PID 1504 wrote to memory of 2812 N/A C:\Windows\SysWOW64\Lphfpbdi.exe C:\Windows\SysWOW64\Lgbnmm32.exe
PID 1504 wrote to memory of 2812 N/A C:\Windows\SysWOW64\Lphfpbdi.exe C:\Windows\SysWOW64\Lgbnmm32.exe
PID 2812 wrote to memory of 3140 N/A C:\Windows\SysWOW64\Lgbnmm32.exe C:\Windows\SysWOW64\Mahbje32.exe
PID 2812 wrote to memory of 3140 N/A C:\Windows\SysWOW64\Lgbnmm32.exe C:\Windows\SysWOW64\Mahbje32.exe
PID 2812 wrote to memory of 3140 N/A C:\Windows\SysWOW64\Lgbnmm32.exe C:\Windows\SysWOW64\Mahbje32.exe
PID 3140 wrote to memory of 3384 N/A C:\Windows\SysWOW64\Mahbje32.exe C:\Windows\SysWOW64\Mdfofakp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\240e8612d7024d4fca353a020c41ccb0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\240e8612d7024d4fca353a020c41ccb0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Kmnjhioc.exe

C:\Windows\system32\Kmnjhioc.exe

C:\Windows\SysWOW64\Kpmfddnf.exe

C:\Windows\system32\Kpmfddnf.exe

C:\Windows\SysWOW64\Kckbqpnj.exe

C:\Windows\system32\Kckbqpnj.exe

C:\Windows\SysWOW64\Kkbkamnl.exe

C:\Windows\system32\Kkbkamnl.exe

C:\Windows\SysWOW64\Liekmj32.exe

C:\Windows\system32\Liekmj32.exe

C:\Windows\SysWOW64\Lpocjdld.exe

C:\Windows\system32\Lpocjdld.exe

C:\Windows\SysWOW64\Lcmofolg.exe

C:\Windows\system32\Lcmofolg.exe

C:\Windows\SysWOW64\Liggbi32.exe

C:\Windows\system32\Liggbi32.exe

C:\Windows\SysWOW64\Laopdgcg.exe

C:\Windows\system32\Laopdgcg.exe

C:\Windows\SysWOW64\Ldmlpbbj.exe

C:\Windows\system32\Ldmlpbbj.exe

C:\Windows\SysWOW64\Lijdhiaa.exe

C:\Windows\system32\Lijdhiaa.exe

C:\Windows\SysWOW64\Laalifad.exe

C:\Windows\system32\Laalifad.exe

C:\Windows\SysWOW64\Ldohebqh.exe

C:\Windows\system32\Ldohebqh.exe

C:\Windows\SysWOW64\Lkiqbl32.exe

C:\Windows\system32\Lkiqbl32.exe

C:\Windows\SysWOW64\Lnhmng32.exe

C:\Windows\system32\Lnhmng32.exe

C:\Windows\SysWOW64\Ldaeka32.exe

C:\Windows\system32\Ldaeka32.exe

C:\Windows\SysWOW64\Lgpagm32.exe

C:\Windows\system32\Lgpagm32.exe

C:\Windows\SysWOW64\Lnjjdgee.exe

C:\Windows\system32\Lnjjdgee.exe

C:\Windows\SysWOW64\Lphfpbdi.exe

C:\Windows\system32\Lphfpbdi.exe

C:\Windows\SysWOW64\Lgbnmm32.exe

C:\Windows\system32\Lgbnmm32.exe

C:\Windows\SysWOW64\Mahbje32.exe

C:\Windows\system32\Mahbje32.exe

C:\Windows\SysWOW64\Mdfofakp.exe

C:\Windows\system32\Mdfofakp.exe

C:\Windows\SysWOW64\Mgekbljc.exe

C:\Windows\system32\Mgekbljc.exe

C:\Windows\SysWOW64\Mkpgck32.exe

C:\Windows\system32\Mkpgck32.exe

C:\Windows\SysWOW64\Mpmokb32.exe

C:\Windows\system32\Mpmokb32.exe

C:\Windows\SysWOW64\Mgghhlhq.exe

C:\Windows\system32\Mgghhlhq.exe

C:\Windows\SysWOW64\Mnapdf32.exe

C:\Windows\system32\Mnapdf32.exe

C:\Windows\SysWOW64\Mdkhapfj.exe

C:\Windows\system32\Mdkhapfj.exe

C:\Windows\SysWOW64\Mkepnjng.exe

C:\Windows\system32\Mkepnjng.exe

C:\Windows\SysWOW64\Maohkd32.exe

C:\Windows\system32\Maohkd32.exe

C:\Windows\SysWOW64\Mpaifalo.exe

C:\Windows\system32\Mpaifalo.exe

C:\Windows\SysWOW64\Mglack32.exe

C:\Windows\system32\Mglack32.exe

C:\Windows\SysWOW64\Mnfipekh.exe

C:\Windows\system32\Mnfipekh.exe

C:\Windows\SysWOW64\Mpdelajl.exe

C:\Windows\system32\Mpdelajl.exe

C:\Windows\SysWOW64\Mdpalp32.exe

C:\Windows\system32\Mdpalp32.exe

C:\Windows\SysWOW64\Mgnnhk32.exe

C:\Windows\system32\Mgnnhk32.exe

C:\Windows\SysWOW64\Njljefql.exe

C:\Windows\system32\Njljefql.exe

C:\Windows\SysWOW64\Nacbfdao.exe

C:\Windows\system32\Nacbfdao.exe

C:\Windows\SysWOW64\Nqfbaq32.exe

C:\Windows\system32\Nqfbaq32.exe

C:\Windows\SysWOW64\Ngpjnkpf.exe

C:\Windows\system32\Ngpjnkpf.exe

C:\Windows\SysWOW64\Nklfoi32.exe

C:\Windows\system32\Nklfoi32.exe

C:\Windows\SysWOW64\Nafokcol.exe

C:\Windows\system32\Nafokcol.exe

C:\Windows\SysWOW64\Nddkgonp.exe

C:\Windows\system32\Nddkgonp.exe

C:\Windows\SysWOW64\Ncgkcl32.exe

C:\Windows\system32\Ncgkcl32.exe

C:\Windows\SysWOW64\Nkncdifl.exe

C:\Windows\system32\Nkncdifl.exe

C:\Windows\SysWOW64\Nbhkac32.exe

C:\Windows\system32\Nbhkac32.exe

C:\Windows\SysWOW64\Nqklmpdd.exe

C:\Windows\system32\Nqklmpdd.exe

C:\Windows\SysWOW64\Ngedij32.exe

C:\Windows\system32\Ngedij32.exe

C:\Windows\SysWOW64\Nkqpjidj.exe

C:\Windows\system32\Nkqpjidj.exe

C:\Windows\SysWOW64\Nnolfdcn.exe

C:\Windows\system32\Nnolfdcn.exe

C:\Windows\SysWOW64\Nbkhfc32.exe

C:\Windows\system32\Nbkhfc32.exe

C:\Windows\SysWOW64\Ndidbn32.exe

C:\Windows\system32\Ndidbn32.exe

C:\Windows\SysWOW64\Nggqoj32.exe

C:\Windows\system32\Nggqoj32.exe

C:\Windows\SysWOW64\Njfmke32.exe

C:\Windows\system32\Njfmke32.exe

C:\Windows\SysWOW64\Nnaikd32.exe

C:\Windows\system32\Nnaikd32.exe

C:\Windows\SysWOW64\Nqpego32.exe

C:\Windows\system32\Nqpego32.exe

C:\Windows\SysWOW64\Ncnadk32.exe

C:\Windows\system32\Ncnadk32.exe

C:\Windows\SysWOW64\Okeieh32.exe

C:\Windows\system32\Okeieh32.exe

C:\Windows\SysWOW64\Oboaabga.exe

C:\Windows\system32\Oboaabga.exe

C:\Windows\SysWOW64\Odnnnnfe.exe

C:\Windows\system32\Odnnnnfe.exe

C:\Windows\SysWOW64\Ogljjiei.exe

C:\Windows\system32\Ogljjiei.exe

C:\Windows\SysWOW64\Okhfjh32.exe

C:\Windows\system32\Okhfjh32.exe

C:\Windows\SysWOW64\Onfbfc32.exe

C:\Windows\system32\Onfbfc32.exe

C:\Windows\SysWOW64\Oqdoboli.exe

C:\Windows\system32\Oqdoboli.exe

C:\Windows\SysWOW64\Occkojkm.exe

C:\Windows\system32\Occkojkm.exe

C:\Windows\SysWOW64\Ogogoi32.exe

C:\Windows\system32\Ogogoi32.exe

C:\Windows\SysWOW64\Ojmcld32.exe

C:\Windows\system32\Ojmcld32.exe

C:\Windows\SysWOW64\Obdkma32.exe

C:\Windows\system32\Obdkma32.exe

C:\Windows\SysWOW64\Odbgim32.exe

C:\Windows\system32\Odbgim32.exe

C:\Windows\SysWOW64\Ogaceh32.exe

C:\Windows\system32\Ogaceh32.exe

C:\Windows\SysWOW64\Ojopad32.exe

C:\Windows\system32\Ojopad32.exe

C:\Windows\SysWOW64\Obfhba32.exe

C:\Windows\system32\Obfhba32.exe

C:\Windows\SysWOW64\Odednmpm.exe

C:\Windows\system32\Odednmpm.exe

C:\Windows\SysWOW64\Okolkg32.exe

C:\Windows\system32\Okolkg32.exe

C:\Windows\SysWOW64\Onmhgb32.exe

C:\Windows\system32\Onmhgb32.exe

C:\Windows\SysWOW64\Oqkdcn32.exe

C:\Windows\system32\Oqkdcn32.exe

C:\Windows\SysWOW64\Pkaiqf32.exe

C:\Windows\system32\Pkaiqf32.exe

C:\Windows\SysWOW64\Pnpemb32.exe

C:\Windows\system32\Pnpemb32.exe

C:\Windows\SysWOW64\Pqnaim32.exe

C:\Windows\system32\Pqnaim32.exe

C:\Windows\SysWOW64\Pghieg32.exe

C:\Windows\system32\Pghieg32.exe

C:\Windows\SysWOW64\Pnbbbabh.exe

C:\Windows\system32\Pnbbbabh.exe

C:\Windows\SysWOW64\Pqpnombl.exe

C:\Windows\system32\Pqpnombl.exe

C:\Windows\SysWOW64\Pgjfkg32.exe

C:\Windows\system32\Pgjfkg32.exe

C:\Windows\SysWOW64\Pjhbgb32.exe

C:\Windows\system32\Pjhbgb32.exe

C:\Windows\SysWOW64\Pabkdmpi.exe

C:\Windows\system32\Pabkdmpi.exe

C:\Windows\SysWOW64\Pgmcqggf.exe

C:\Windows\system32\Pgmcqggf.exe

C:\Windows\SysWOW64\Pnfkma32.exe

C:\Windows\system32\Pnfkma32.exe

C:\Windows\SysWOW64\Pgopffec.exe

C:\Windows\system32\Pgopffec.exe

C:\Windows\SysWOW64\Pjmlbbdg.exe

C:\Windows\system32\Pjmlbbdg.exe

C:\Windows\SysWOW64\Qgallfcq.exe

C:\Windows\system32\Qgallfcq.exe

C:\Windows\SysWOW64\Qjpiha32.exe

C:\Windows\system32\Qjpiha32.exe

C:\Windows\SysWOW64\Qajadlja.exe

C:\Windows\system32\Qajadlja.exe

C:\Windows\SysWOW64\Qchmagie.exe

C:\Windows\system32\Qchmagie.exe

C:\Windows\SysWOW64\Qgciaf32.exe

C:\Windows\system32\Qgciaf32.exe

C:\Windows\SysWOW64\Qnnanphk.exe

C:\Windows\system32\Qnnanphk.exe

C:\Windows\SysWOW64\Aegikj32.exe

C:\Windows\system32\Aegikj32.exe

C:\Windows\SysWOW64\Agffge32.exe

C:\Windows\system32\Agffge32.exe

C:\Windows\SysWOW64\Aejfpjne.exe

C:\Windows\system32\Aejfpjne.exe

C:\Windows\SysWOW64\Aldomc32.exe

C:\Windows\system32\Aldomc32.exe

C:\Windows\SysWOW64\Anbkio32.exe

C:\Windows\system32\Anbkio32.exe

C:\Windows\SysWOW64\Aaqgek32.exe

C:\Windows\system32\Aaqgek32.exe

C:\Windows\SysWOW64\Ahkobekf.exe

C:\Windows\system32\Ahkobekf.exe

C:\Windows\SysWOW64\Ajiknpjj.exe

C:\Windows\system32\Ajiknpjj.exe

C:\Windows\SysWOW64\Alhhhcal.exe

C:\Windows\system32\Alhhhcal.exe

C:\Windows\SysWOW64\Ajkhdp32.exe

C:\Windows\system32\Ajkhdp32.exe

C:\Windows\SysWOW64\Aaepqjpd.exe

C:\Windows\system32\Aaepqjpd.exe

C:\Windows\SysWOW64\Aealah32.exe

C:\Windows\system32\Aealah32.exe

C:\Windows\SysWOW64\Ahoimd32.exe

C:\Windows\system32\Ahoimd32.exe

C:\Windows\SysWOW64\Aniajnnn.exe

C:\Windows\system32\Aniajnnn.exe

C:\Windows\SysWOW64\Bahmfj32.exe

C:\Windows\system32\Bahmfj32.exe

C:\Windows\SysWOW64\Bdfibe32.exe

C:\Windows\system32\Bdfibe32.exe

C:\Windows\SysWOW64\Bhaebcen.exe

C:\Windows\system32\Bhaebcen.exe

C:\Windows\SysWOW64\Bjpaooda.exe

C:\Windows\system32\Bjpaooda.exe

C:\Windows\SysWOW64\Bbgipldd.exe

C:\Windows\system32\Bbgipldd.exe

C:\Windows\SysWOW64\Beeflhdh.exe

C:\Windows\system32\Beeflhdh.exe

C:\Windows\SysWOW64\Blpnib32.exe

C:\Windows\system32\Blpnib32.exe

C:\Windows\SysWOW64\Balfaiil.exe

C:\Windows\system32\Balfaiil.exe

C:\Windows\SysWOW64\Bdkcmdhp.exe

C:\Windows\system32\Bdkcmdhp.exe

C:\Windows\SysWOW64\Blbknaib.exe

C:\Windows\system32\Blbknaib.exe

C:\Windows\SysWOW64\Bopgjmhe.exe

C:\Windows\system32\Bopgjmhe.exe

C:\Windows\SysWOW64\Baocghgi.exe

C:\Windows\system32\Baocghgi.exe

C:\Windows\SysWOW64\Bhikcb32.exe

C:\Windows\system32\Bhikcb32.exe

C:\Windows\SysWOW64\Bobcpmfc.exe

C:\Windows\system32\Bobcpmfc.exe

C:\Windows\SysWOW64\Bhkhibmc.exe

C:\Windows\system32\Bhkhibmc.exe

C:\Windows\SysWOW64\Bkidenlg.exe

C:\Windows\system32\Bkidenlg.exe

C:\Windows\SysWOW64\Cacmah32.exe

C:\Windows\system32\Cacmah32.exe

C:\Windows\SysWOW64\Cdainc32.exe

C:\Windows\system32\Cdainc32.exe

C:\Windows\SysWOW64\Cliaoq32.exe

C:\Windows\system32\Cliaoq32.exe

C:\Windows\SysWOW64\Cogmkl32.exe

C:\Windows\system32\Cogmkl32.exe

C:\Windows\SysWOW64\Ceaehfjj.exe

C:\Windows\system32\Ceaehfjj.exe

C:\Windows\SysWOW64\Clkndpag.exe

C:\Windows\system32\Clkndpag.exe

C:\Windows\SysWOW64\Cahfmgoo.exe

C:\Windows\system32\Cahfmgoo.exe

C:\Windows\SysWOW64\Chbnia32.exe

C:\Windows\system32\Chbnia32.exe

C:\Windows\SysWOW64\Chdkoa32.exe

C:\Windows\system32\Chdkoa32.exe

C:\Windows\SysWOW64\Conclk32.exe

C:\Windows\system32\Conclk32.exe

C:\Windows\SysWOW64\Cehkhecb.exe

C:\Windows\system32\Cehkhecb.exe

C:\Windows\SysWOW64\Ckedalaj.exe

C:\Windows\system32\Ckedalaj.exe

C:\Windows\SysWOW64\Dbllbibl.exe

C:\Windows\system32\Dbllbibl.exe

C:\Windows\SysWOW64\Ddmhja32.exe

C:\Windows\system32\Ddmhja32.exe

C:\Windows\SysWOW64\Dkgqfl32.exe

C:\Windows\system32\Dkgqfl32.exe

C:\Windows\SysWOW64\Dboigi32.exe

C:\Windows\system32\Dboigi32.exe

C:\Windows\SysWOW64\Dlgmpogj.exe

C:\Windows\system32\Dlgmpogj.exe

C:\Windows\SysWOW64\Dadeieea.exe

C:\Windows\system32\Dadeieea.exe

C:\Windows\SysWOW64\Ddbbeade.exe

C:\Windows\system32\Ddbbeade.exe

C:\Windows\SysWOW64\Dohfbj32.exe

C:\Windows\system32\Dohfbj32.exe

C:\Windows\SysWOW64\Deanodkh.exe

C:\Windows\system32\Deanodkh.exe

C:\Windows\SysWOW64\Dkoggkjo.exe

C:\Windows\system32\Dkoggkjo.exe

C:\Windows\SysWOW64\Dedkdcie.exe

C:\Windows\system32\Dedkdcie.exe

C:\Windows\SysWOW64\Ddgkpp32.exe

C:\Windows\system32\Ddgkpp32.exe

C:\Windows\SysWOW64\Echknh32.exe

C:\Windows\system32\Echknh32.exe

C:\Windows\SysWOW64\Eaklidoi.exe

C:\Windows\system32\Eaklidoi.exe

C:\Windows\SysWOW64\Elppfmoo.exe

C:\Windows\system32\Elppfmoo.exe

C:\Windows\SysWOW64\Edkdkplj.exe

C:\Windows\system32\Edkdkplj.exe

C:\Windows\SysWOW64\Elbmlmml.exe

C:\Windows\system32\Elbmlmml.exe

C:\Windows\SysWOW64\Eapedd32.exe

C:\Windows\system32\Eapedd32.exe

C:\Windows\SysWOW64\Ednaqo32.exe

C:\Windows\system32\Ednaqo32.exe

C:\Windows\SysWOW64\Eleiam32.exe

C:\Windows\system32\Eleiam32.exe

C:\Windows\SysWOW64\Eabbjc32.exe

C:\Windows\system32\Eabbjc32.exe

C:\Windows\SysWOW64\Ehljfnpn.exe

C:\Windows\system32\Ehljfnpn.exe

C:\Windows\SysWOW64\Eofbch32.exe

C:\Windows\system32\Eofbch32.exe

C:\Windows\SysWOW64\Eadopc32.exe

C:\Windows\system32\Eadopc32.exe

C:\Windows\SysWOW64\Ehnglm32.exe

C:\Windows\system32\Ehnglm32.exe

C:\Windows\SysWOW64\Fkmchi32.exe

C:\Windows\system32\Fkmchi32.exe

C:\Windows\SysWOW64\Fcckif32.exe

C:\Windows\system32\Fcckif32.exe

C:\Windows\SysWOW64\Fllpbldb.exe

C:\Windows\system32\Fllpbldb.exe

C:\Windows\SysWOW64\Fcfhof32.exe

C:\Windows\system32\Fcfhof32.exe

C:\Windows\SysWOW64\Fdgdgnbm.exe

C:\Windows\system32\Fdgdgnbm.exe

C:\Windows\SysWOW64\Fkalchij.exe

C:\Windows\system32\Fkalchij.exe

C:\Windows\SysWOW64\Fakdpb32.exe

C:\Windows\system32\Fakdpb32.exe

C:\Windows\SysWOW64\Fdialn32.exe

C:\Windows\system32\Fdialn32.exe

C:\Windows\SysWOW64\Fooeif32.exe

C:\Windows\system32\Fooeif32.exe

C:\Windows\SysWOW64\Fbnafb32.exe

C:\Windows\system32\Fbnafb32.exe

C:\Windows\SysWOW64\Fdlnbm32.exe

C:\Windows\system32\Fdlnbm32.exe

C:\Windows\SysWOW64\Flceckoj.exe

C:\Windows\system32\Flceckoj.exe

C:\Windows\SysWOW64\Fcmnpe32.exe

C:\Windows\system32\Fcmnpe32.exe

C:\Windows\SysWOW64\Ffkjlp32.exe

C:\Windows\system32\Ffkjlp32.exe

C:\Windows\SysWOW64\Glebhjlg.exe

C:\Windows\system32\Glebhjlg.exe

C:\Windows\SysWOW64\Gkhbdg32.exe

C:\Windows\system32\Gkhbdg32.exe

C:\Windows\SysWOW64\Ghlcnk32.exe

C:\Windows\system32\Ghlcnk32.exe

C:\Windows\SysWOW64\Gbdgfa32.exe

C:\Windows\system32\Gbdgfa32.exe

C:\Windows\SysWOW64\Gdcdbl32.exe

C:\Windows\system32\Gdcdbl32.exe

C:\Windows\SysWOW64\Gmjlcj32.exe

C:\Windows\system32\Gmjlcj32.exe

C:\Windows\SysWOW64\Gohhpe32.exe

C:\Windows\system32\Gohhpe32.exe

C:\Windows\SysWOW64\Gfbploob.exe

C:\Windows\system32\Gfbploob.exe

C:\Windows\SysWOW64\Ghaliknf.exe

C:\Windows\system32\Ghaliknf.exe

C:\Windows\SysWOW64\Gbiaapdf.exe

C:\Windows\system32\Gbiaapdf.exe

C:\Windows\SysWOW64\Gmoeoidl.exe

C:\Windows\system32\Gmoeoidl.exe

C:\Windows\SysWOW64\Gomakdcp.exe

C:\Windows\system32\Gomakdcp.exe

C:\Windows\SysWOW64\Gfgjgo32.exe

C:\Windows\system32\Gfgjgo32.exe

C:\Windows\SysWOW64\Hmabdibj.exe

C:\Windows\system32\Hmabdibj.exe

C:\Windows\SysWOW64\Hckjacjg.exe

C:\Windows\system32\Hckjacjg.exe

C:\Windows\SysWOW64\Hihbijhn.exe

C:\Windows\system32\Hihbijhn.exe

C:\Windows\SysWOW64\Hobkfd32.exe

C:\Windows\system32\Hobkfd32.exe

C:\Windows\SysWOW64\Hcmgfbhd.exe

C:\Windows\system32\Hcmgfbhd.exe

C:\Windows\SysWOW64\Heocnk32.exe

C:\Windows\system32\Heocnk32.exe

C:\Windows\SysWOW64\Hmfkoh32.exe

C:\Windows\system32\Hmfkoh32.exe

C:\Windows\SysWOW64\Hodgkc32.exe

C:\Windows\system32\Hodgkc32.exe

C:\Windows\SysWOW64\Hbbdholl.exe

C:\Windows\system32\Hbbdholl.exe

C:\Windows\SysWOW64\Hmhhehlb.exe

C:\Windows\system32\Hmhhehlb.exe

C:\Windows\SysWOW64\Hbeqmoji.exe

C:\Windows\system32\Hbeqmoji.exe

C:\Windows\SysWOW64\Hioiji32.exe

C:\Windows\system32\Hioiji32.exe

C:\Windows\SysWOW64\Hkmefd32.exe

C:\Windows\system32\Hkmefd32.exe

C:\Windows\SysWOW64\Hcdmga32.exe

C:\Windows\system32\Hcdmga32.exe

C:\Windows\SysWOW64\Iefioj32.exe

C:\Windows\system32\Iefioj32.exe

C:\Windows\SysWOW64\Ikpaldog.exe

C:\Windows\system32\Ikpaldog.exe

C:\Windows\SysWOW64\Ifefimom.exe

C:\Windows\system32\Ifefimom.exe

C:\Windows\SysWOW64\Imoneg32.exe

C:\Windows\system32\Imoneg32.exe

C:\Windows\SysWOW64\Icifbang.exe

C:\Windows\system32\Icifbang.exe

C:\Windows\SysWOW64\Iejcji32.exe

C:\Windows\system32\Iejcji32.exe

C:\Windows\SysWOW64\Ildkgc32.exe

C:\Windows\system32\Ildkgc32.exe

C:\Windows\SysWOW64\Ibnccmbo.exe

C:\Windows\system32\Ibnccmbo.exe

C:\Windows\SysWOW64\Imdgqfbd.exe

C:\Windows\system32\Imdgqfbd.exe

C:\Windows\SysWOW64\Ibqpimpl.exe

C:\Windows\system32\Ibqpimpl.exe

C:\Windows\SysWOW64\Ieolehop.exe

C:\Windows\system32\Ieolehop.exe

C:\Windows\SysWOW64\Ilidbbgl.exe

C:\Windows\system32\Ilidbbgl.exe

C:\Windows\SysWOW64\Ipdqba32.exe

C:\Windows\system32\Ipdqba32.exe

C:\Windows\SysWOW64\Ibcmom32.exe

C:\Windows\system32\Ibcmom32.exe

C:\Windows\SysWOW64\Jeaikh32.exe

C:\Windows\system32\Jeaikh32.exe

C:\Windows\SysWOW64\Jpgmha32.exe

C:\Windows\system32\Jpgmha32.exe

C:\Windows\SysWOW64\Jcbihpel.exe

C:\Windows\system32\Jcbihpel.exe

C:\Windows\SysWOW64\Jedeph32.exe

C:\Windows\system32\Jedeph32.exe

C:\Windows\SysWOW64\Jmknaell.exe

C:\Windows\system32\Jmknaell.exe

C:\Windows\SysWOW64\Jpijnqkp.exe

C:\Windows\system32\Jpijnqkp.exe

C:\Windows\SysWOW64\Jfcbjk32.exe

C:\Windows\system32\Jfcbjk32.exe

C:\Windows\SysWOW64\Jmmjgejj.exe

C:\Windows\system32\Jmmjgejj.exe

C:\Windows\SysWOW64\Jplfcpin.exe

C:\Windows\system32\Jplfcpin.exe

C:\Windows\SysWOW64\Jehokgge.exe

C:\Windows\system32\Jehokgge.exe

C:\Windows\SysWOW64\Jlbgha32.exe

C:\Windows\system32\Jlbgha32.exe

C:\Windows\SysWOW64\Jpnchp32.exe

C:\Windows\system32\Jpnchp32.exe

C:\Windows\SysWOW64\Jfhlejnh.exe

C:\Windows\system32\Jfhlejnh.exe

C:\Windows\SysWOW64\Jifhaenk.exe

C:\Windows\system32\Jifhaenk.exe

C:\Windows\SysWOW64\Jlednamo.exe

C:\Windows\system32\Jlednamo.exe

C:\Windows\SysWOW64\Jcllonma.exe

C:\Windows\system32\Jcllonma.exe

C:\Windows\SysWOW64\Kiidgeki.exe

C:\Windows\system32\Kiidgeki.exe

C:\Windows\SysWOW64\Kmdqgd32.exe

C:\Windows\system32\Kmdqgd32.exe

C:\Windows\SysWOW64\Kbaipkbi.exe

C:\Windows\system32\Kbaipkbi.exe

C:\Windows\SysWOW64\Kfmepi32.exe

C:\Windows\system32\Kfmepi32.exe

C:\Windows\SysWOW64\Kikame32.exe

C:\Windows\system32\Kikame32.exe

C:\Windows\SysWOW64\Kpeiioac.exe

C:\Windows\system32\Kpeiioac.exe

C:\Windows\SysWOW64\Kbceejpf.exe

C:\Windows\system32\Kbceejpf.exe

C:\Windows\SysWOW64\Kebbafoj.exe

C:\Windows\system32\Kebbafoj.exe

C:\Windows\SysWOW64\Kmijbcpl.exe

C:\Windows\system32\Kmijbcpl.exe

C:\Windows\SysWOW64\Kpgfooop.exe

C:\Windows\system32\Kpgfooop.exe

C:\Windows\SysWOW64\Kdcbom32.exe

C:\Windows\system32\Kdcbom32.exe

C:\Windows\SysWOW64\Kfankifm.exe

C:\Windows\system32\Kfankifm.exe

C:\Windows\SysWOW64\Kipkhdeq.exe

C:\Windows\system32\Kipkhdeq.exe

C:\Windows\SysWOW64\Kmkfhc32.exe

C:\Windows\system32\Kmkfhc32.exe

C:\Windows\SysWOW64\Klngdpdd.exe

C:\Windows\system32\Klngdpdd.exe

C:\Windows\SysWOW64\Kdeoemeg.exe

C:\Windows\system32\Kdeoemeg.exe

C:\Windows\SysWOW64\Kfckahdj.exe

C:\Windows\system32\Kfckahdj.exe

C:\Windows\SysWOW64\Kibgmdcn.exe

C:\Windows\system32\Kibgmdcn.exe

C:\Windows\SysWOW64\Klqcioba.exe

C:\Windows\system32\Klqcioba.exe

C:\Windows\SysWOW64\Kplpjn32.exe

C:\Windows\system32\Kplpjn32.exe

C:\Windows\SysWOW64\Lbjlfi32.exe

C:\Windows\system32\Lbjlfi32.exe

C:\Windows\SysWOW64\Leihbeib.exe

C:\Windows\system32\Leihbeib.exe

C:\Windows\SysWOW64\Llcpoo32.exe

C:\Windows\system32\Llcpoo32.exe

C:\Windows\SysWOW64\Ldjhpl32.exe

C:\Windows\system32\Ldjhpl32.exe

C:\Windows\SysWOW64\Lbmhlihl.exe

C:\Windows\system32\Lbmhlihl.exe

C:\Windows\SysWOW64\Lekehdgp.exe

C:\Windows\system32\Lekehdgp.exe

C:\Windows\SysWOW64\Ligqhc32.exe

C:\Windows\system32\Ligqhc32.exe

C:\Windows\SysWOW64\Llemdo32.exe

C:\Windows\system32\Llemdo32.exe

C:\Windows\SysWOW64\Lboeaifi.exe

C:\Windows\system32\Lboeaifi.exe

C:\Windows\SysWOW64\Liimncmf.exe

C:\Windows\system32\Liimncmf.exe

C:\Windows\SysWOW64\Llgjjnlj.exe

C:\Windows\system32\Llgjjnlj.exe

C:\Windows\SysWOW64\Lbabgh32.exe

C:\Windows\system32\Lbabgh32.exe

C:\Windows\SysWOW64\Lepncd32.exe

C:\Windows\system32\Lepncd32.exe

C:\Windows\SysWOW64\Lljfpnjg.exe

C:\Windows\system32\Lljfpnjg.exe

C:\Windows\SysWOW64\Lbdolh32.exe

C:\Windows\system32\Lbdolh32.exe

C:\Windows\SysWOW64\Lingibiq.exe

C:\Windows\system32\Lingibiq.exe

C:\Windows\SysWOW64\Lllcen32.exe

C:\Windows\system32\Lllcen32.exe

C:\Windows\SysWOW64\Medgncoe.exe

C:\Windows\system32\Medgncoe.exe

C:\Windows\SysWOW64\Mlopkm32.exe

C:\Windows\system32\Mlopkm32.exe

C:\Windows\SysWOW64\Mgddhf32.exe

C:\Windows\system32\Mgddhf32.exe

C:\Windows\SysWOW64\Mibpda32.exe

C:\Windows\system32\Mibpda32.exe

C:\Windows\SysWOW64\Mplhql32.exe

C:\Windows\system32\Mplhql32.exe

C:\Windows\SysWOW64\Mckemg32.exe

C:\Windows\system32\Mckemg32.exe

C:\Windows\SysWOW64\Miemjaci.exe

C:\Windows\system32\Miemjaci.exe

C:\Windows\SysWOW64\Mlcifmbl.exe

C:\Windows\system32\Mlcifmbl.exe

C:\Windows\SysWOW64\Mdjagjco.exe

C:\Windows\system32\Mdjagjco.exe

C:\Windows\SysWOW64\Melnob32.exe

C:\Windows\system32\Melnob32.exe

C:\Windows\SysWOW64\Mmbfpp32.exe

C:\Windows\system32\Mmbfpp32.exe

C:\Windows\SysWOW64\Mcpnhfhf.exe

C:\Windows\system32\Mcpnhfhf.exe

C:\Windows\SysWOW64\Menjdbgj.exe

C:\Windows\system32\Menjdbgj.exe

C:\Windows\SysWOW64\Mlhbal32.exe

C:\Windows\system32\Mlhbal32.exe

C:\Windows\SysWOW64\Ndokbi32.exe

C:\Windows\system32\Ndokbi32.exe

C:\Windows\SysWOW64\Ngmgne32.exe

C:\Windows\system32\Ngmgne32.exe

C:\Windows\SysWOW64\Nngokoej.exe

C:\Windows\system32\Nngokoej.exe

C:\Windows\SysWOW64\Nljofl32.exe

C:\Windows\system32\Nljofl32.exe

C:\Windows\SysWOW64\Nebdoa32.exe

C:\Windows\system32\Nebdoa32.exe

C:\Windows\SysWOW64\Nlmllkja.exe

C:\Windows\system32\Nlmllkja.exe

C:\Windows\SysWOW64\Ncfdie32.exe

C:\Windows\system32\Ncfdie32.exe

C:\Windows\SysWOW64\Neeqea32.exe

C:\Windows\system32\Neeqea32.exe

C:\Windows\SysWOW64\Nnlhfn32.exe

C:\Windows\system32\Nnlhfn32.exe

C:\Windows\SysWOW64\Npjebj32.exe

C:\Windows\system32\Npjebj32.exe

C:\Windows\SysWOW64\Nfgmjqop.exe

C:\Windows\system32\Nfgmjqop.exe

C:\Windows\SysWOW64\Nnneknob.exe

C:\Windows\system32\Nnneknob.exe

C:\Windows\SysWOW64\Ndhmhh32.exe

C:\Windows\system32\Ndhmhh32.exe

C:\Windows\SysWOW64\Nggjdc32.exe

C:\Windows\system32\Nggjdc32.exe

C:\Windows\SysWOW64\Njefqo32.exe

C:\Windows\system32\Njefqo32.exe

C:\Windows\SysWOW64\Olcbmj32.exe

C:\Windows\system32\Olcbmj32.exe

C:\Windows\SysWOW64\Odkjng32.exe

C:\Windows\system32\Odkjng32.exe

C:\Windows\SysWOW64\Ogifjcdp.exe

C:\Windows\system32\Ogifjcdp.exe

C:\Windows\SysWOW64\Olfobjbg.exe

C:\Windows\system32\Olfobjbg.exe

C:\Windows\SysWOW64\Ogkcpbam.exe

C:\Windows\system32\Ogkcpbam.exe

C:\Windows\SysWOW64\Ojjolnaq.exe

C:\Windows\system32\Ojjolnaq.exe

C:\Windows\SysWOW64\Opdghh32.exe

C:\Windows\system32\Opdghh32.exe

C:\Windows\SysWOW64\Ocbddc32.exe

C:\Windows\system32\Ocbddc32.exe

C:\Windows\SysWOW64\Ojllan32.exe

C:\Windows\system32\Ojllan32.exe

C:\Windows\SysWOW64\Olkhmi32.exe

C:\Windows\system32\Olkhmi32.exe

C:\Windows\SysWOW64\Odapnf32.exe

C:\Windows\system32\Odapnf32.exe

C:\Windows\SysWOW64\Ogpmjb32.exe

C:\Windows\system32\Ogpmjb32.exe

C:\Windows\SysWOW64\Ojoign32.exe

C:\Windows\system32\Ojoign32.exe

C:\Windows\SysWOW64\Oqhacgdh.exe

C:\Windows\system32\Oqhacgdh.exe

C:\Windows\SysWOW64\Ocgmpccl.exe

C:\Windows\system32\Ocgmpccl.exe

C:\Windows\SysWOW64\Ojaelm32.exe

C:\Windows\system32\Ojaelm32.exe

C:\Windows\SysWOW64\Pmoahijl.exe

C:\Windows\system32\Pmoahijl.exe

C:\Windows\SysWOW64\Pdfjifjo.exe

C:\Windows\system32\Pdfjifjo.exe

C:\Windows\SysWOW64\Pgefeajb.exe

C:\Windows\system32\Pgefeajb.exe

C:\Windows\SysWOW64\Pmannhhj.exe

C:\Windows\system32\Pmannhhj.exe

C:\Windows\SysWOW64\Pdifoehl.exe

C:\Windows\system32\Pdifoehl.exe

C:\Windows\SysWOW64\Pggbkagp.exe

C:\Windows\system32\Pggbkagp.exe

C:\Windows\SysWOW64\Pjeoglgc.exe

C:\Windows\system32\Pjeoglgc.exe

C:\Windows\SysWOW64\Pmdkch32.exe

C:\Windows\system32\Pmdkch32.exe

C:\Windows\SysWOW64\Pdkcde32.exe

C:\Windows\system32\Pdkcde32.exe

C:\Windows\SysWOW64\Pflplnlg.exe

C:\Windows\system32\Pflplnlg.exe

C:\Windows\SysWOW64\Pmfhig32.exe

C:\Windows\system32\Pmfhig32.exe

C:\Windows\SysWOW64\Pdmpje32.exe

C:\Windows\system32\Pdmpje32.exe

C:\Windows\SysWOW64\Pgllfp32.exe

C:\Windows\system32\Pgllfp32.exe

C:\Windows\SysWOW64\Pjjhbl32.exe

C:\Windows\system32\Pjjhbl32.exe

C:\Windows\SysWOW64\Pmidog32.exe

C:\Windows\system32\Pmidog32.exe

C:\Windows\SysWOW64\Pdpmpdbd.exe

C:\Windows\system32\Pdpmpdbd.exe

C:\Windows\SysWOW64\Pgnilpah.exe

C:\Windows\system32\Pgnilpah.exe

C:\Windows\SysWOW64\Qnhahj32.exe

C:\Windows\system32\Qnhahj32.exe

C:\Windows\SysWOW64\Qdbiedpa.exe

C:\Windows\system32\Qdbiedpa.exe

C:\Windows\SysWOW64\Qgqeappe.exe

C:\Windows\system32\Qgqeappe.exe

C:\Windows\SysWOW64\Qjoankoi.exe

C:\Windows\system32\Qjoankoi.exe

C:\Windows\SysWOW64\Qmmnjfnl.exe

C:\Windows\system32\Qmmnjfnl.exe

C:\Windows\SysWOW64\Qcgffqei.exe

C:\Windows\system32\Qcgffqei.exe

C:\Windows\SysWOW64\Qffbbldm.exe

C:\Windows\system32\Qffbbldm.exe

C:\Windows\SysWOW64\Anmjcieo.exe

C:\Windows\system32\Anmjcieo.exe

C:\Windows\SysWOW64\Aqkgpedc.exe

C:\Windows\system32\Aqkgpedc.exe

C:\Windows\SysWOW64\Acjclpcf.exe

C:\Windows\system32\Acjclpcf.exe

C:\Windows\SysWOW64\Afhohlbj.exe

C:\Windows\system32\Afhohlbj.exe

C:\Windows\SysWOW64\Aqncedbp.exe

C:\Windows\system32\Aqncedbp.exe

C:\Windows\SysWOW64\Aclpap32.exe

C:\Windows\system32\Aclpap32.exe

C:\Windows\SysWOW64\Afjlnk32.exe

C:\Windows\system32\Afjlnk32.exe

C:\Windows\SysWOW64\Anadoi32.exe

C:\Windows\system32\Anadoi32.exe

C:\Windows\SysWOW64\Acnlgp32.exe

C:\Windows\system32\Acnlgp32.exe

C:\Windows\SysWOW64\Afmhck32.exe

C:\Windows\system32\Afmhck32.exe

C:\Windows\SysWOW64\Andqdh32.exe

C:\Windows\system32\Andqdh32.exe

C:\Windows\SysWOW64\Aabmqd32.exe

C:\Windows\system32\Aabmqd32.exe

C:\Windows\SysWOW64\Acqimo32.exe

C:\Windows\system32\Acqimo32.exe

C:\Windows\SysWOW64\Ajkaii32.exe

C:\Windows\system32\Ajkaii32.exe

C:\Windows\SysWOW64\Aminee32.exe

C:\Windows\system32\Aminee32.exe

C:\Windows\SysWOW64\Aepefb32.exe

C:\Windows\system32\Aepefb32.exe

C:\Windows\SysWOW64\Agoabn32.exe

C:\Windows\system32\Agoabn32.exe

C:\Windows\SysWOW64\Bnhjohkb.exe

C:\Windows\system32\Bnhjohkb.exe

C:\Windows\SysWOW64\Bebblb32.exe

C:\Windows\system32\Bebblb32.exe

C:\Windows\SysWOW64\Bganhm32.exe

C:\Windows\system32\Bganhm32.exe

C:\Windows\SysWOW64\Bmngqdpj.exe

C:\Windows\system32\Bmngqdpj.exe

C:\Windows\SysWOW64\Baicac32.exe

C:\Windows\system32\Baicac32.exe

C:\Windows\SysWOW64\Bchomn32.exe

C:\Windows\system32\Bchomn32.exe

C:\Windows\SysWOW64\Bffkij32.exe

C:\Windows\system32\Bffkij32.exe

C:\Windows\SysWOW64\Balpgb32.exe

C:\Windows\system32\Balpgb32.exe

C:\Windows\SysWOW64\Bcjlcn32.exe

C:\Windows\system32\Bcjlcn32.exe

C:\Windows\SysWOW64\Bfhhoi32.exe

C:\Windows\system32\Bfhhoi32.exe

C:\Windows\SysWOW64\Bnpppgdj.exe

C:\Windows\system32\Bnpppgdj.exe

C:\Windows\SysWOW64\Bclhhnca.exe

C:\Windows\system32\Bclhhnca.exe

C:\Windows\SysWOW64\Bfkedibe.exe

C:\Windows\system32\Bfkedibe.exe

C:\Windows\SysWOW64\Bmemac32.exe

C:\Windows\system32\Bmemac32.exe

C:\Windows\SysWOW64\Belebq32.exe

C:\Windows\system32\Belebq32.exe

C:\Windows\SysWOW64\Chjaol32.exe

C:\Windows\system32\Chjaol32.exe

C:\Windows\SysWOW64\Cfmajipb.exe

C:\Windows\system32\Cfmajipb.exe

C:\Windows\SysWOW64\Cndikf32.exe

C:\Windows\system32\Cndikf32.exe

C:\Windows\SysWOW64\Cabfga32.exe

C:\Windows\system32\Cabfga32.exe

C:\Windows\SysWOW64\Cfpnph32.exe

C:\Windows\system32\Cfpnph32.exe

C:\Windows\SysWOW64\Cnffqf32.exe

C:\Windows\system32\Cnffqf32.exe

C:\Windows\SysWOW64\Ceqnmpfo.exe

C:\Windows\system32\Ceqnmpfo.exe

C:\Windows\SysWOW64\Chokikeb.exe

C:\Windows\system32\Chokikeb.exe

C:\Windows\SysWOW64\Cjmgfgdf.exe

C:\Windows\system32\Cjmgfgdf.exe

C:\Windows\SysWOW64\Cmlcbbcj.exe

C:\Windows\system32\Cmlcbbcj.exe

C:\Windows\SysWOW64\Ceckcp32.exe

C:\Windows\system32\Ceckcp32.exe

C:\Windows\SysWOW64\Chagok32.exe

C:\Windows\system32\Chagok32.exe

C:\Windows\SysWOW64\Cjpckf32.exe

C:\Windows\system32\Cjpckf32.exe

C:\Windows\SysWOW64\Cmnpgb32.exe

C:\Windows\system32\Cmnpgb32.exe

C:\Windows\SysWOW64\Cdhhdlid.exe

C:\Windows\system32\Cdhhdlid.exe

C:\Windows\SysWOW64\Cjbpaf32.exe

C:\Windows\system32\Cjbpaf32.exe

C:\Windows\SysWOW64\Cmqmma32.exe

C:\Windows\system32\Cmqmma32.exe

C:\Windows\SysWOW64\Cegdnopg.exe

C:\Windows\system32\Cegdnopg.exe

C:\Windows\SysWOW64\Ddjejl32.exe

C:\Windows\system32\Ddjejl32.exe

C:\Windows\SysWOW64\Djdmffnn.exe

C:\Windows\system32\Djdmffnn.exe

C:\Windows\SysWOW64\Danecp32.exe

C:\Windows\system32\Danecp32.exe

C:\Windows\SysWOW64\Dhhnpjmh.exe

C:\Windows\system32\Dhhnpjmh.exe

C:\Windows\SysWOW64\Djgjlelk.exe

C:\Windows\system32\Djgjlelk.exe

C:\Windows\SysWOW64\Dmefhako.exe

C:\Windows\system32\Dmefhako.exe

C:\Windows\SysWOW64\Ddonekbl.exe

C:\Windows\system32\Ddonekbl.exe

C:\Windows\SysWOW64\Dfnjafap.exe

C:\Windows\system32\Dfnjafap.exe

C:\Windows\SysWOW64\Daconoae.exe

C:\Windows\system32\Daconoae.exe

C:\Windows\SysWOW64\Ddakjkqi.exe

C:\Windows\system32\Ddakjkqi.exe

C:\Windows\SysWOW64\Dfpgffpm.exe

C:\Windows\system32\Dfpgffpm.exe

C:\Windows\SysWOW64\Dogogcpo.exe

C:\Windows\system32\Dogogcpo.exe

C:\Windows\SysWOW64\Daekdooc.exe

C:\Windows\system32\Daekdooc.exe

C:\Windows\SysWOW64\Dhocqigp.exe

C:\Windows\system32\Dhocqigp.exe

C:\Windows\SysWOW64\Dmllipeg.exe

C:\Windows\system32\Dmllipeg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 9924 -ip 9924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 9924 -s 404

Network

Files

memory/3112-1-0x0000000000431000-0x0000000000432000-memory.dmp

memory/3112-0-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4968-8-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Kmnjhioc.exe

MD5 62ea64c2236fce06c77628ff0e11f2a2
SHA1 4cdafb8d5682188c78f9495bb7694cf25d1caa2c
SHA256 df33e1805a9e2505a1d94f2d1a572ed7c818df6e04e863719063fc0a2364a18b
SHA512 3278fda459b394268880689c04162372223340776ce0c941b61793ba562547348fbaa3cb9133c60ffac73fa5f06b63f924f10fff73c3bfccee6f0cfd3ade1f9d

C:\Windows\SysWOW64\Kpmfddnf.exe

MD5 614676de4f5c5e28f9121267603264e0
SHA1 feda5633a98d67d1c779447fa5bfeed5e12453fd
SHA256 d5b964d0af47eba92a5720372959c4b2915f9aad7726e47df3ba92eaa603a9d1
SHA512 dbdd1cae5e90833788182984615b25a3e758962f05d6cf652b00298f7be6afb1612412caa416966c1bed322c2090b6a312a76d422d38dc750b34f67dd03e1cd7

memory/2236-21-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Kckbqpnj.exe

MD5 9beb0c32833cfec41b23f3199d42bd1f
SHA1 85bb1d964bfbd62de9b616c27ea9c48c0b7bd2b6
SHA256 1d942dc9d76e7951fea5c5bdd59a8c2b3937c20ad4290d284899e93bb66e7305
SHA512 b5f8d6ec7e0adbeff50a5c203d4ded21e9908d8aaf19dfdf9f9d7e17123433a6ffa3597a821503b0bcec8bf7b55d203c59c09f56d963fe0b0df9c25f65475994

memory/3044-29-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Kkbkamnl.exe

MD5 88744d6acfbf68e0bd58c4883fa6e670
SHA1 06b807230cfd6e1231ce614a93fd1be8cab5ae50
SHA256 89f20b896613768503a9582aa07e6b2064553225b6703fc081eacfa2b9025dfe
SHA512 a10f80dd346ddfa5fe860d1d46da2ef9be4e29ae63115b368f0d800f4225775d7db9653e24a62f80ec305eedaf568e0ff3503b50f22ad4180fe564014c406f63

C:\Windows\SysWOW64\Liekmj32.exe

MD5 7a358bebc9472923cab969bcb4e55fde
SHA1 1fdd7a6da913d9f5bb0667cb1b65e4acd7db5cb4
SHA256 395a880acf34c1ba0c51f2feb1039de83849c5ba46fbb776d48d17ab92cf3aad
SHA512 2c1c807f6fb4f4f2837334ab68032a37c1bcd337c817976ec4acdcda3a7d823f128728be9630bd00a6afa0de357bea1a4fd4d0805dc9d34da9fddf390fffd989

memory/1820-37-0x0000000000400000-0x0000000000440000-memory.dmp

memory/428-41-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Lpocjdld.exe

MD5 27a9f9e7608e1dc4ec370239d5d11837
SHA1 f5000ccf52c1a9681ad23fe2661f7534450086b7
SHA256 77dd8f666382c79f05c9b87c7a7829e7c2a03089c3a9cc0120c66274021a97c0
SHA512 8be95fae2a02095b25fa6c4630ffddf10ac2a8eb9f4a3bb128f7d2760b6f45ba8615f8331332e6e61f175153a9d7fdc23026e452ba6549b7e2d908eb7f5dee78

memory/4492-48-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Lcmofolg.exe

MD5 2a12a4abe43424bb3d9e8cc5c8974b58
SHA1 585c8ec60bf3b61d96226831b38bf1829405abaf
SHA256 a97ec002b1fc74ed11551f82a4e691489d3f269e81620cfc4faf8a723a37faca
SHA512 04e65c0af64fa3473b8897b0b6f914ebc35ef4a9c2db652de1255e72a69bf38967816ce4d382c6465227474b511a09fb4f542da294740d53f2d8ea0cacb1fbfc

memory/5008-56-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Liggbi32.exe

MD5 40d1bc0609306fd4787c9a1c310559bb
SHA1 4d7b1e3fd5b53a89f25f4e47fae413ae9823e288
SHA256 5b3d8c0f17be324d77f49af961829d7cc3f44235744b4d1f7352dabdad9bae3a
SHA512 4e622713c33635afdd2039f870538d0b33ab7ee1367bc1b402f7567a52677877d5748f72104b97156b7e47d14bac5673eb34f997d92f4e36ce4555b526e7b37d

memory/4996-69-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Laopdgcg.exe

MD5 fdea6fbdd68c94c5251b7ee832763146
SHA1 f148e53d235d3998601b1a62e45d98d5f2acbcbd
SHA256 475bc765dbe95423a5adac9917619855af0df651b33d7edf188946dfb85b4c41
SHA512 61b2a1e50fb8eda824c27dcbb59e56db83415d6b910d5df48d64cc598faaf2948b40f55e6dfb68a89a1b596809b6bc28f5fada3eb161d4fbbaf488f6dbb0eac7

memory/2724-76-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Ldmlpbbj.exe

MD5 dfa27c0a4033f1a3452a2ac6ea549764
SHA1 1821ba45bb2a4521c3584c36b24ea994149e904e
SHA256 31858153cd9cf0a7ba39bf8b850015cf4adda15af315f5826d2fee429ef2046f
SHA512 da3be19c48105dace50239ab8ddcc9192026405e3540dff250cc701acea460c438c0222785fa124a5a288d9906b189365f6145e7364ecad14959c7e151fc2b70

memory/4928-81-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Lijdhiaa.exe

MD5 29a1399c47b2bb8a1c4fdbc570cea086
SHA1 44e1a17158ce34ca494228fb4283e6f69203ef14
SHA256 c77672afbba87acc2cc0d994857cc9f00630edb2f2eb47c472cc38b246a04836
SHA512 6efe4d8f0d8d9173e44ab45e26ad69ab38094b9d210047f449427a52643bbe13a10af28d857bb97d5f7109efa67b308772ea344f5da9ada1be5ab5bee1178ed1

memory/3752-88-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Laalifad.exe

MD5 0c1f25d9d557418e50da79ec0226a953
SHA1 feffb4a1165c5c11cda37986a78a16eaa591cab2
SHA256 925e220b1bb7ffbc23a2a57ae44abc447fa2a291590bf3125243e9375b1bba33
SHA512 a967d02e257782e881d4dc9c0ccf4f3b4489f3b47426597abd387807c4f1c5063a88e876e70f0abd8426f0996b4fe1611c005a938fd9bbf6542a0ef939d37c3c

memory/1736-97-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Ldohebqh.exe

MD5 ffd7c1a1c3dfa99e9648726f54b3f606
SHA1 a651bb0b2960c0a91b4228af67e9928443977772
SHA256 5c83de82e91e102a5793922833bf7b74773e957eb5c9158bacb9d2a035a6b4b2
SHA512 dce895e919daed9ce58dfa37f1d4f9ea1a6d73a69016163ad990431315745a3d6843aa83da541df39a0a467d5842aece6a3dae746aa9667ab47a9c4144a980bd

memory/4608-105-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Lkiqbl32.exe

MD5 eead8a82362d45c5ce00eaf95fe693a4
SHA1 539d1249196fac259b04e9c4e9f606f960c6d46a
SHA256 c8463a9aa72e7dbdaf5e38620aa6abaea9f369494e7acbc2408aa876942aa6df
SHA512 1f748f64dca5e0bb4dd6ad03959f4dc7e2fb811afecaa75ff5ee66ecd9c5873536728c7122f350cd67f907ac05eafdf6bd157bc66b6a419c2b9b93e0c87423d2

memory/4856-113-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Lnhmng32.exe

MD5 c802a4b50d6c999786585e5260c15727
SHA1 8ca204de43e3a483a198342356d7eaef56393a95
SHA256 1fc6cccf1fa12aa3a10116883e5d638d9ced4aa0349368a9de1616fedcbaf800
SHA512 398fa707a563a88aff8bff31ceced9ac8f8e4840916cf5de52e5772626f203070a0ecdd5f73f04cd41298be2339be0c14291554afcad92e6159682e2c5ff9a27

memory/1864-120-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Ldaeka32.exe

MD5 678fe6bcd1ac294f213390724b09be84
SHA1 8147c86da9eb256602714b7f1e900aece02876d6
SHA256 91ab164913b9f8f84377d86611d4c5f0511f7c172373f7a10fa851757def1f41
SHA512 c5b1c4411857cb1b8bd5502d1120c52f9aa6028deaef904f5a646210c9048c80d456d15d37f8ff0c45c7b1ed5737cc6965878b29b00f89120dcb43ea3bf0e713

memory/4132-128-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Lgpagm32.exe

MD5 2694a392efefbc9b6e066426b59e315e
SHA1 1e24097f316c40347bcf77b6f3f47735e9a221a0
SHA256 56015d6eb0645242bb1c111e86532071a65abc9995236c9017c7b5caf6e54fb2
SHA512 40f7ffa8ed89cd8b4b997cdda15cbde4c2f01705d5c431618a46fa59f42be3e018eae940b258029deb96bfe18dc87fe33c89e2cec186272d85e6901804a86edb

memory/4180-136-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Lnjjdgee.exe

MD5 761c79dd533e403c32ab642fee664cf9
SHA1 0e5f425f5f3a90edcfa84692558db08dcb55db56
SHA256 19a5215f35a77014279d51bc17db66fb583f867b83987d7b019f7687af121016
SHA512 81cb5140eed5278c96db4fe07c8b118b3343d711e82f65285b68ae5d0ec3b63ced250137af957c35118560dffd612a12d61569b75c1501b1f89152bfe2ef111b

memory/376-145-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Lphfpbdi.exe

MD5 5f53ecda399b2a08ecbaab0ec6f8d408
SHA1 e8111abda049944915290eaf448664ef6630df96
SHA256 42b4175f2a369e0f66bd69fac26c835ee55f113e750cd54cb552dc19acfd14ac
SHA512 10afa3363b45dc22892c1040f6cd0f92d07d417f4cb9ed1bf5f70f355348bc52eae06c5b4e468de5527e6dbfbe50063e7c101ca21b31b597bad0ac1dd9318ffb

memory/1504-153-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Lgbnmm32.exe

MD5 7c1db6d27a0541607263795d5f3deb67
SHA1 a4bf2c65fd4c334c6e16e1ea93182bac9fd532c9
SHA256 63f674e4f83d0bd2062e1d401b05fb97e04e6c6aae5c0efdb899648eb3206dc8
SHA512 c78df0437cb4188af89204d77b84ebee5984df1bf87b38c1bcbc39663df299c186fd23917d6de589654e712cf604e6cabee85ce69b35b933496b0420ad2b7dbf

memory/2812-160-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Mahbje32.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\SysWOW64\Mahbje32.exe

MD5 0d2c0eb53771694561d1afb1fef5a33a
SHA1 05eb3af688a7954991738f8567927c72080edc9e
SHA256 ab44d38fcc17853e545ff9c6673122a1743d64ae7183880b4fac86a13cf7c55f
SHA512 b169859673b9f38af81770f1cc76bf6e0fde19ecf264b98d8215d1587f19a7b2f51077c3df749f91beba52a5d35d88ee619e74682b79e67f1764200102a750d4

memory/3140-168-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Mdfofakp.exe

MD5 a30c30a22d90f6f9da1a93eb4098d750
SHA1 a4825d22275b04ebbd4d6817d57b58014018b5bc
SHA256 181da11bb7164bd133b08b1550930f21125dca203fa873fe565c557b2951982a
SHA512 62c4f35cd911056b1933dd863918affbe46cf8f438ef81718f725a3fcd16940e7747ccecfcdaf6ac60c3048b31acfa7f93e638654ee061ed452cfc026a57952e

memory/3384-176-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Mgekbljc.exe

MD5 5a3a0672adc5431f25915815764b114d
SHA1 43a31df23b656469f6ab49af65ed79df81209af8
SHA256 f52c2306711d96638f80fc07076451501d5c7a35620f400465c063a478e45661
SHA512 a8f4c32c8908f8b436e819027f5cd630ea78930b47357fafea9dd76b04a98998c3e3229d4604aa50dd6160336beb60202432582610e1444ab740fe834e6fa9ed

memory/3200-189-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Mkpgck32.exe

MD5 8ac987dacf46f9a7834d67b08c9e2223
SHA1 41bd84eda4fe49171d5488d557a28e8217d3d29b
SHA256 456d13176a2dbdf3d986cbbad16a1f2551a055e30547bfc969405eb65d317693
SHA512 49f361921cef20ae97c2cba36451e09493154372127ccb88c984637bcdfdd90939f937204ad811068cdcd07b108f5b69c908a73945fae61df284623149ccf08a

memory/4316-193-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Mpmokb32.exe

MD5 1306f0410c8d5ed6430053f91a0fceec
SHA1 9020e37855b3e21a152164cba3ec0769eb26ce62
SHA256 5239326c943191a298f264165f52f13840a4f10058a8b27d3630e3d5e34a725b
SHA512 8c53d91568ab51f3ade9cd545d2ab45a052166f0c1c566f6333dc37518e856d1ce1995ad565d1027a1dd88faab97ac81b9faf3a2842652f11d3d1fa8356d9d47

memory/2968-201-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Mgghhlhq.exe

MD5 8d6c319d07a53c5fe9147473d14c8387
SHA1 4c1277266291f87f76c5841a7a49a3984ee20642
SHA256 8574827b11b78c8697662fb217fcd3ea24372a9779b872e33812ecddaa21da7c
SHA512 dd2e182cce4c69a19ac0cb0cc48d9ab6e6dc96e83bd5b8dd1088bb5076b8280a6ae57d03356c0151f28b06e9485cf53ec9cf834a29ff51c02d89ffcab54e8d50

memory/728-209-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Mnapdf32.exe

MD5 db6716b9020d55c93a2c34dabae29afe
SHA1 ad6aa556ade1b7c90eaccbf9586f1b8c46e803c9
SHA256 26b5eb98733f29de71c79690751856c81838bca27992282aa502336d45bb7ac6
SHA512 ade30f196b76a7fa1c334801fd24042b5fafd524126f209f00551019bb300428b9ad2020a4ba9665d23d80799aae5a43c01a6ca61a5e3cac8ee7701a2b98ea6a

memory/4484-217-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Mdkhapfj.exe

MD5 cec3cc1a0e9f1729faa47ee32155c28c
SHA1 4ec99a94be99b06e5a6c3b765c469ff200fdcc24
SHA256 b6db04390589fee8d263f1bad220bd84a59c8963f7ba26a8d0cba3587b77abdc
SHA512 068eb42fca1febb16bb57574a2af8ccbf11d90532bfd62f2f00476e1d33831ea2eb3cb49ff37ea00681071aa22067c636d145e328cc971dc09150eefa374e484

memory/3588-224-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Mkepnjng.exe

MD5 f1be874ba7c05ee9a81e16ba250acf3c
SHA1 b614f061c3d115c682b65e9bbcb85d2ed72a2572
SHA256 dd3205cdbc6d78e3d859b86bc0ec6eb6b55a9f8cf8a6b33af859997ad34bb8ca
SHA512 2a5f548d21696ce57bdb2d0fa9de3bf5f966fa23f96b92971265ac8f4e042a20d480752a2be9be650ec61a34ee5897d5b7bb7113bdf0d3f851ac148b4bab4120

memory/4396-233-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Maohkd32.exe

MD5 ad383c7dd52f0893cde6964b5324c53b
SHA1 f152ec48dc32d71a30d956c4530b7cb0507303b2
SHA256 5c792f8e417829499c33851e6a810017dd4462d7500ac3e0ed2fadd96e23bd3e
SHA512 8aa1428ca7532079d57c7a129f78524442318d56d631459bb76e5c5470e0329d235596a73dca9eb350dc5d8805849fe74dd3c3eb5cec4df85873e44ac4297c32

memory/4840-243-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Mpaifalo.exe

MD5 a92467e17ccf3c5269f4104ba42a3143
SHA1 31f96767e2ff31ba72f3667ca2982e62037ea51a
SHA256 285d45453d96a38ace35c5fd02c7d18c323727e0b1ab21fc08eee730b95f1985
SHA512 0ab20b6c944a214e54af3f2cdcd90413cf7313e1c0256c125d02f2d1af8476c10f0fde30473d0dc8d6994529685de99dfdd17bc6b8d85f0cf49cf6db04768dbc

memory/4636-249-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Mglack32.exe

MD5 b403716c696d1e5c9efa06332b42b531
SHA1 077facc03c5a89dd4266c4ff049e44224bbcdbbe
SHA256 25766d818c99a0a915eab288b2fc3d87033707d3fa0902634e046b6f836eff3d
SHA512 fdbef0b4e5f8ada7eccc9cf15bf57784d5eaaa47080f4519676aa14ef1e0dc63dd6d31e59742c9903809f3acef7324b76b1a31e61c41e981aabd68e4e9f954cd

memory/636-257-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3204-263-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3144-274-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2652-279-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1420-286-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3432-291-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1640-298-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4480-299-0x0000000000400000-0x0000000000440000-memory.dmp

memory/436-309-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4560-311-0x0000000000400000-0x0000000000440000-memory.dmp

memory/5060-317-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3428-327-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1964-333-0x0000000000400000-0x0000000000440000-memory.dmp

memory/676-335-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2400-345-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3192-347-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4252-353-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1088-359-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3960-370-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4092-375-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3636-377-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4580-387-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2360-393-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3036-395-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1768-401-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4016-411-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4204-413-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2472-419-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1156-429-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4864-435-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2916-441-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4432-447-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2868-454-0x0000000000400000-0x0000000000440000-memory.dmp

memory/664-460-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4940-465-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3668-471-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1988-473-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4572-482-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3536-486-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3892-496-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1004-497-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3992-503-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1248-513-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1196-517-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2668-521-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4112-527-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2436-534-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3112-533-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4544-540-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2772-550-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4968-552-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3524-557-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2236-559-0x0000000000400000-0x0000000000440000-memory.dmp

memory/956-564-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2032-570-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2584-572-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4768-579-0x0000000000400000-0x0000000000440000-memory.dmp

memory/428-578-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1120-586-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4492-585-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Pnfkma32.exe

MD5 76eef52a4ffe98b34e8e2dd205873926
SHA1 b244c53b4a17faa5329972c63e62d2ce437f3cb6
SHA256 9ed9c6690e89007fb69463216d350287dcf24a15a102b94718fff1f20df9271c
SHA512 aa5bbf79eadbac5e9eab7884bbe882ecfcdced8b60c19a6ad1a9184cf207cdb5ae5d9cda0f680e7ad9bc1b92fe51910fb6dd8a0f9319487f0e661fe48057fe0e

memory/5008-592-0x0000000000400000-0x0000000000440000-memory.dmp

memory/940-593-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4436-599-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Pjmlbbdg.exe

MD5 89f22bfbe3add527e35bf4bead925c33
SHA1 1aa52d2b0508b8281a966d8c1fa340f72ee2e1ee
SHA256 b6fdf061344ab6a2ddef94293cbbdf7bca53e09804ba4f94ca275bfba50e20dd
SHA512 40fb24df9ba8f7f0711c7fa7dea92689fe59134bb44368da6a3943705346fe93bce05cd97e629ee09ee12b2fbccba1d9de64af39ae3ad7dbe8888b582fa4ae46

C:\Windows\SysWOW64\Qnnanphk.exe

MD5 86b49ae2fbdf8de29061081a5e8c7487
SHA1 97b35b91cb369e748fb27ce4a22acd183a0b248b
SHA256 654829bdf43af81f58f1291557ee6609b91f934963c59a7eb2c60fd945c07e2f
SHA512 6abcc41622e857329b1b4ebbb363ad5c6cd88c7ba252430d2854d2f7a41ecd64b96a8ac3f13aba9539a4998915a3e053199eca1dd95a1b193181b9d5f4c530cf

C:\Windows\SysWOW64\Aejfpjne.exe

MD5 a6d2816b7f2ee7dc3273c0ac40cb8c8e
SHA1 aa981a214696346041f60594ba955479279ddea2
SHA256 a1c5d04cea5b07aa4c400c0b23aa2bcb12d772aa5f69d394331b896de716b6f5
SHA512 fa96587e81e6a4cf170bd53993242d46a4f0c230b066659285ca23484fec96cf100117928e7165067f68a25a07155157fe758ae7111383cfea4205b45fc2b596

C:\Windows\SysWOW64\Alhhhcal.exe

MD5 22f627e32828fbd5b3e4df9cdb87a02e
SHA1 408ae22980fc850918aed9db12e72e496d0df036
SHA256 a79b39fc662ad6af5669f9d57ea9c9301208dea138ade8f94f6cf9e94bea0098
SHA512 2d89a69dafe4e326e5c0d4c9937315637beb58dc0ccd7f750cf7abe9785d160122760815ae93f56dd078c6bd090adf65a59e8a1ae774110dae80ccd47e0829b6

C:\Windows\SysWOW64\Bahmfj32.exe

MD5 d29e723718b7e0c185bf308bf842d023
SHA1 9dd5913156122c7618a8d2653d9fee45d44edfe3
SHA256 6d5f5a3e5e9ac1654429dfe6ca891826cf4cb5c99787677c22ede144f035cecc
SHA512 977dcf0de4795a892a645af7d4f14387f687113c38d51087fa038bd0127ea172663150acefe6d343872d2c7eb917b8938c412a3e6b1b0257918bcf432e7277d8

C:\Windows\SysWOW64\Beeflhdh.exe

MD5 6f6a8b0aa10d31672abf0d1c08ea1c29
SHA1 c04bb31379a3a678b42325d37aef471d51f10062
SHA256 9ebee33dee72348d35c62004ea0c04a068d43aa2ce0097299d7ccce034c43123
SHA512 20de6e629d491e37bc291309fd6d6aac40445fa38961849960f674de7265344cddb5c0b252e87b2d6a461a19b45713558921fc762acd9b0c7a551b6c9d8cb093

C:\Windows\SysWOW64\Blbknaib.exe

MD5 b87a33bbfcfaafeba171ae1e018e15ce
SHA1 8f13ffa7fa16ca5b1cab494f72d0fa8aa6ef40ad
SHA256 a632ad71eb42aa4ed52366c12d9566ca9d2ac914486b26182eaae244d3a12153
SHA512 d9190dba0f58c95c655863662cd97f716062d50b5edfedfb78df3986d2bceace05613eedee9b6e94f54d3243122b2204bf820ec815f3fce73709fc295b6efdc4

C:\Windows\SysWOW64\Bhikcb32.exe

MD5 5f38525666bb52c2907655dd65a58ae1
SHA1 56f8abe2969c71340a6e8f42876733e73e6e7e5f
SHA256 57ebb3858acedcf4b70b4cc5372da04232fc9d61dbef9d27822ae486686d574e
SHA512 349e4514b5633126aec847b458ef8f373437550e2a7f4bf08e342911320a878eba13f0a592ed5791f0b0c89fdb36abda238f14904266db63b6abeef71e0501bf

C:\Windows\SysWOW64\Bobcpmfc.exe

MD5 34f641841b8f83d64c8f25a958488b2a
SHA1 b885cd185cf2871d2ee34f61d32462666f1b34e2
SHA256 f830c6824c4b5a08566dcee40640ceb499a341464332bcb5a2a4733602e4941a
SHA512 d15b3afc01a9bf986f6184f2e2de05d1dcc07675187906273c16963ca4ab7af8d4dd86d9ab3af1117d3686b27d5e47121388a98ed9fce878213cd992064555c8

C:\Windows\SysWOW64\Clkndpag.exe

MD5 a83d992a7934e2893b91ca4b2ef19393
SHA1 c8f8e396b5d9eb3bdf7ac9f774ca68b2c48a02a7
SHA256 48df3fe2f8cb5a10876e5266d866ca69906b54129ab78029ccf12b1d0846757e
SHA512 0e947ee0f2ec73777d28aa86ed59729a1eb5c89ea1cb5ef149112d2a1585b639c749eed3d3b66287097a5e3a44f0db6d28b422542ce6f8b3de550d6674241756

C:\Windows\SysWOW64\Chdkoa32.exe

MD5 f3263111cc574ef26b63fbea60aebc58
SHA1 1c2df98856a610c42b8ca224ff82772914ea1eba
SHA256 f032f65f97330228cf18c3b1c6241aef5f2b90c3097bd0b39738e59814f6cc5a
SHA512 fd1a5e71ffceeca2f1d434d6fd257f6ce9ac3d7524973d5b1442b46a3bf5005ef2e1ee014e35da0a6cd84b9117e174529cf79390b29236f87e8c655d43a83fac

C:\Windows\SysWOW64\Cehkhecb.exe

MD5 2185412755deed0f939fb899e708f212
SHA1 2e3602b111c8b1158fbb01d8b4011670db006244
SHA256 391119dd3c780c341c49ab1333bc9b7643d606629b78400362b4d839462e9340
SHA512 4cf661f29567aa2ccaf2a0889ffe46d5d7c2bbe290e238864fad8193b22329e3c5fdc13a452760f2a2eeb27c8893bae6d1ecf985eb40445cf6b7001e8425ed40

C:\Windows\SysWOW64\Ddmhja32.exe

MD5 66374317cc0ed2cca06bf5b9fbaf95d3
SHA1 86b3f71ec6b9715f881a4b0a93398a4f39c152bf
SHA256 1d19ecd2db7efa75ee4dc0c88ad7b88fadccaf6f5afa1dd9d6baad61252ce623
SHA512 d37a17fb6349a466f33f0c90e86b09b864dc397ea33897d4a0764e46acc835eb15f69e611196093532297acbdb08d17982883475b98307c6856adfbef6a7b21d

C:\Windows\SysWOW64\Dboigi32.exe

MD5 de016984a9e94c950b622e01afbf39d9
SHA1 977a47bfce95dedc11f346ab6a75aa737a4ec232
SHA256 988a86b7d258a14fdb133d1267f1490835825ffa2a04ceda7d24c593a75231f3
SHA512 427150de76b59be2b138ea3f3a6a2d684eb43642eb6a39e5b40c2f0a358ccaf7368c6b4d18b6e3767d8f5f9bf9c7726a0833bf30a21d40760f00f36a60926313

C:\Windows\SysWOW64\Ddbbeade.exe

MD5 b5948c937dd276842e2be83c9f097ae9
SHA1 fec5fe560bd3c77d19ce657c0f624cc72b66fe08
SHA256 6b3eefc00979040830e914170c2788ccac7466d77929dc5781b2dde60716419d
SHA512 4f437d1691777221cb0b4443e546af4c60624db2c5dc0c5fb980f3b4256d8a8c6d2699c96e5137524e6514def8e6d02cd3d619a49329bd5c4c5efe3bae80eb98

C:\Windows\SysWOW64\Dkoggkjo.exe

MD5 c331eaf862fad20e231181b2e735cbff
SHA1 a0e94067ce60183149244660fe3cc4f31b5ee6c0
SHA256 249bb8ed5688dcbd02a84b7d877c8d202559968ed97640cd571498bb008e7672
SHA512 e9351207c53548abcf52893b75dc555a5bb88d516b50fc32a91b7ad9d500bed1494e3462090237496a91b86abeaebc9fb87e4523708c6b2ff0958a2c1afc31e8

C:\Windows\SysWOW64\Ddgkpp32.exe

MD5 89529421be3fa371007afe1f687682a4
SHA1 c727818d15522919177bbfb2890588a98f2e3cf5
SHA256 3c926d393529173f06bbe42eeeb292f47abddc5a955909e8d032af6862858da8
SHA512 61050edbc56bec403ef2089e5de293d81d923652c2a21b5f2dbba41848ed6d575b7eb2201ad817711d480f8e2dc4a3864520d377997b0741c1a11728246a681c

C:\Windows\SysWOW64\Eaklidoi.exe

MD5 df86de644396d2f3514d86d45d7f60df
SHA1 747768fb45295a480253cdcc4a4454663113bffc
SHA256 3f48a64c3607f7b786565f4e8fcdbeeb39da89121302813703905fa6fc349017
SHA512 cf8e263bf2436eeefedcb011b9c8251e7c64e94462e547228d031bd7d22246772ee118399ad9177ff8ed760664f54761f5cb4b7b7a25640d049cc3ef57ca1a03

C:\Windows\SysWOW64\Edkdkplj.exe

MD5 f88ae4f7be392519537c75a174538b82
SHA1 3ece338fc413114861b75443364fc93e5c3ed5b3
SHA256 c1350da797ac188b311c215971c38019db9033f298706a27b36ad6bc6a4d796c
SHA512 47550740f65c8378e17efb086eebe6c1ab108ce945ac7784735c3dbca4abb220c294b5b8c5dbf6f7de77c3651eb18b79b7f2ebc9b0a8c18c5789896f9d06d368

C:\Windows\SysWOW64\Eapedd32.exe

MD5 5d2932554436ad3c213be61cdbe530ad
SHA1 0b83c77de8ec48d28b8cb0f8934a64f0ac5009e9
SHA256 9921af76a34d6e0b001899351f0a5cb8769a387c478b981ad87b05b249bf4a99
SHA512 8da7d455bbdcb15f2b2fc0c6e00825c97bf20a904a659351881875161f3856eee9c5128552f6c60254c294eadf2c8b2d6c9fb7c3713e4caba0cedae464bbcd23

C:\Windows\SysWOW64\Eabbjc32.exe

MD5 9e5dc8bbbd2c33ffb8389525f8b15256
SHA1 a6c237109f35f971ea1f827b4c57720fc542d83b
SHA256 e993c56f9fcdc5e7978348ec56bb8e2bb5b598b327791460e5ae4bff5c866397
SHA512 dd730e8d0e2e081baf196e514b4c380f6dec60e6429bb6019159ca00a7562fc4dc97115d87d4f2bc6e1b0f43c4793d8ff2c5e63eb31115449be3e867b2b27f26

C:\Windows\SysWOW64\Eadopc32.exe

MD5 752e82cec244f68e9ca71a88ad510c0d
SHA1 b40c231609634991dcdca4645b7dda05c1d4999b
SHA256 9771fc39970fe0ee97287fd787b48daf62af47732ce8363c6997fc0e77b45324
SHA512 29be5c4ed83c8e29440bfa447955fa9bf9538d6ce834d3060c853237d21c43a6cea930f89b1c872929a2125ed39ea9a11ed1b63ad1e3316e517ea6c1f6799b05

C:\Windows\SysWOW64\Fllpbldb.exe

MD5 bb63fd34200b1b2ebec06eb634ec68c2
SHA1 353caf1d09ba0aa0eb40245af012b1aa2eefe50f
SHA256 57886fad39c8747476fe63e3b3b33f4c6271cbaed42dd27cf4e39e9716919eab
SHA512 e0ee8c1a3a5f6d180ed32dd694b2186d06f2db153baaa292efcf1a42d62061e9eba9aa5b831de6ffe4f06d72aba3aec12e08a93baea47d0a5702c25467d0700b

C:\Windows\SysWOW64\Fkalchij.exe

MD5 f2862439cccac8c4af5e4947ff664b68
SHA1 03e17c41817766f9ac6a7cf5c2b83ab732e28b60
SHA256 242f696181c016d72ab357226144ff4468a1eb99524308120037a138eef98d35
SHA512 1f8f439918c9af3794bdf18837520f53786657cefe2b8a9a40d1211abfb107b080467fbee23b89e94022c8ff0b86fd38c0f3032a30a517baffb9025a785cd810

C:\Windows\SysWOW64\Fooeif32.exe

MD5 b14745bc3232aa564c165e7f243d1eed
SHA1 25e18cf3b525ff76e30bf1a19812c85a56471559
SHA256 fbbac63efbaca78af6a1e0c5d1fa28bc7dc2e8e3d80125b6638935f4e1556ce1
SHA512 51956337111083c83d86fd67965894ed8608db42a0a169280c7ae8cb2d3a4364cab0a80c91b83623c5f17b096c1bb469413d2a1a860624a289909d1a5d5994d9

C:\Windows\SysWOW64\Flceckoj.exe

MD5 0c4628b259851c6f2869d5386d87bac9
SHA1 97dd633d481c92a9ca5df6eb7014c9bed489e057
SHA256 d24d2647f7fca8c496e597af2ce14954df336740340da644b6014c3b9b58fc72
SHA512 8fec8b65044fc1c75839503b66e1fb10889e0c27d244abf5fe4091b342d36dcf3af407348b6e76c0d9a62d5f227375c51ea44049793c0c9b61ffb6ac004deaa0

C:\Windows\SysWOW64\Ghlcnk32.exe

MD5 1dcc0c02f2a508562ace67b68511f1fe
SHA1 4f6f3e3c1d181749d5d12eb97cb5b9d1ba3d107e
SHA256 11e6f744972f4b11e24b65d9700c0eaf648920c7c7d066122cdbacc8f838b606
SHA512 f59cee54c12006044bb8372a848ef9abb6116817ff20ced504cc62144c363f0943fd693b0cd5271afa8db33ba321b1800fe4701ac1eddec4a2e02100ec3d9486

C:\Windows\SysWOW64\Gohhpe32.exe

MD5 d7c207f25cd3582e466e9c8b2ef7b26f
SHA1 3cd8d636f2d517e0d3d2428e636a7dabac7eb854
SHA256 1037b345b6570e790c63fdc4f70010764bdbb7b32302ce01e7148fae881db81c
SHA512 74f3eacb80a1c32f428ce807f7bb81e21b213ec57352803182be888c78d251a6472167f1f24a99593309cea285cc3f8ca505c3b547eec8a41af69c611392ca60

C:\Windows\SysWOW64\Ghaliknf.exe

MD5 893ca971a247fee6edcbac35b93d5f55
SHA1 1d823f584cc5b919b4eb0b785ff088a05a20b712
SHA256 69ec5af0ebc5a6bb549bc2e2353447a2c671c7e63fbeb6c81a11f97bb090a83e
SHA512 4516878fcd4059760423dfbe2f4f7b2a437049859f8e7360c5f9c333e3444aad828281d603ccbf0832214267e2bdb61347fb343d14622b6b407815eccb9b996a

C:\Windows\SysWOW64\Hmabdibj.exe

MD5 a2a0958fe8ff89c5941b8e59b8a11462
SHA1 e7c5395b7e9a0843bb574dce2e5e6d58e26e3282
SHA256 48944e6968b1c4c96453078eeaa694e6ce6f0dd978066787a17c1319c3cea86c
SHA512 319263fc7b34b8add617c1dc7887724ea5a1ed5e843172735ab57f6d6cddb13620b16dcfcf025e9de0199ec16e5e4d132157e139d6011cbab4c9d00dfe988419

C:\Windows\SysWOW64\Hbeqmoji.exe

MD5 bdf856030788e09ecda2c7dd0739c2ce
SHA1 4f00d3ffa02c1a8e513caab49d56465b79995c25
SHA256 817acffb2e2b30073e27d643616bd47fa10555201876310f3059232dd632b875
SHA512 33a2f18d12009ebdaf60cd4903ea02954c0caed83cc78d2c8f731dc17dccbc4afb3b7177197fbf224090631f8663aa9875e832a87cccc5162af1a658d062db56

C:\Windows\SysWOW64\Iefioj32.exe

MD5 275500aa1449625a9170fa6c2bfb12c0
SHA1 e2eeb6682052bed0da069ea2c11fda06c79c3c0c
SHA256 309cedfab073a86051b30dd7da964368b72cbd006ad0ef4ace4d03e3c73093f1
SHA512 386cfe15e0fdaf0d3510156f301c03bb96737c301c748ecb46d1c7495b9079ede5199398d97031305e6dec1c5dd7d48010327f0ffe566da43802ba51511dcf2f

C:\Windows\SysWOW64\Icifbang.exe

MD5 e9cff69e90ac468b179929a08e6796fc
SHA1 12d39aa515856c3ec0ad5c61e5935e4b9b297c5f
SHA256 caccd87aa8bc4d38214a0fb8636be4a0d7e466a4766266a2278c48f795638095
SHA512 dc94bd196ab416dd4fa440eb4fbc09299aa6adc2d22f56e9f0340d91ad3129844bac7d8d39a7f50c11eec109d22f483abaf518845f6ece00b7589f4c918d7c95

C:\Windows\SysWOW64\Ieolehop.exe

MD5 dad97656f53e385459a613a05290e17a
SHA1 e24cec2bb8fba926a929886876c2234eedad572a
SHA256 903b2b93f2e8eb3557f3b61d1e8f3191fab9706fddc2c2d82e57548b4cff6d1e
SHA512 da743129f0a0107d621cf8c95ed01183ec86ae8dfd2fcc5822c6bcf15d7b267d1f51a7344a7bc0a46818cffa87ecae3d1f178582b68fc302bb646d17f001dc50

C:\Windows\SysWOW64\Jeaikh32.exe

MD5 8ef713f80bcb2adff691fcd52a754ab1
SHA1 af5197f37da09e7964464c4ae61029b715e70a72
SHA256 162f518968bd60c8bf76b98b94a5565305c876512447261352cecb51aab15cca
SHA512 9e99fe54a76977d12f1422a35ce8a4f2519c7a51d534ed6cdbaf65d3afbfe129c507de7c3710bd9f8047c88b29dabe85d7de14c8ec2b0416d7f249fe31f8588d

C:\Windows\SysWOW64\Jedeph32.exe

MD5 e4c99deec621506dbdd6a3c8a18d19fb
SHA1 feb72b378c78613dee32cc5dbf0ad36f05163dba
SHA256 b97de60350b5dcf4eb874fe0565a7bfcfb35c0280380fcd75616ed5c56f4093d
SHA512 86183e2f75adab292a885211ffc1e38c4f26b088b4da9133a5718d560c1bdaa704c54f9322205e38a5fd38295a882e1116f696661817a502309df02b91fe51cb

C:\Windows\SysWOW64\Jpijnqkp.exe

MD5 6c7354dd54d652e26cf217851a23459f
SHA1 0e27a0893be57dbc46f6bd273936911eeb8fb2a8
SHA256 7d59b5ded3f481651764ebcd8c5b1de7552c2f768fde15b863b4fa9067e530c1
SHA512 24ed66729d0cc16f29c1fe2b4c9298bee98a940df1311d8844fc02edf25802e53916c36f44a00ee1bde32d409a296747afae67a990d53258898490bbff5c3562

C:\Windows\SysWOW64\Jfcbjk32.exe

MD5 39b6e80489848ab4e81a7c50ee30e8a2
SHA1 92d45cff9f5a53a9a47f6c543fa8bc8cccc1c8d6
SHA256 a40f3407e67ac1d18d9033f534d7c0a922763f5ca38c9762429e0f76931c719c
SHA512 c1a062db409010350fd3dd62481ea6bf2ba2366d0c7c48cc2bfc4a7171a440f3c75646584f4be2f3afb31918487c015c57fbe87cec78059921f6255fd4d47827

C:\Windows\SysWOW64\Jplfcpin.exe

MD5 40aa739070af3416291a416777f4f8a4
SHA1 34523366c7705af200941e8f2d4c01801d86413a
SHA256 afc9e195de91eaa39121cb5f8a98195ba5db36113197d3073480a0104b2d3f5f
SHA512 292691d0a9668801d4fb01c871a526372683d9fd5e5ea2702a18faea80eb06777214a1424bc5eed199f20dc8b136414a4796c148d9b9777bccdca34bb676ae4b

C:\Windows\SysWOW64\Jpnchp32.exe

MD5 f18a8b8ab7dec98cc30df835eca2ff4f
SHA1 0a6149302153e45f989fe503e4e7736c3bf299ff
SHA256 a71a9f8e59400a0a77be88edf2aacec24e15ee3871228a1e2a1760c0c74d7e6e
SHA512 931cee1deb0370f5081c8406e61b1fdaed3516ff004416c3f66e40d3a3d177a8d063c825b089b7765a649f8b1018321591c5ac67bb577af3c5e1fd4ad02f32ad

C:\Windows\SysWOW64\Kiidgeki.exe

MD5 c667a9647bb79a90e8c8df2b9c7d448c
SHA1 1c2b8dce82c44edd476cd9cef948337c152b211e
SHA256 192ecd278d7c7903882c4bfbe6c1a96a4ee4c3d44fff96dd73285eec69dd7cce
SHA512 270dc8f7f7e3e8a2d186ccad479c9c7b18f9d3ec533a3cae1eb1187d00268872742f08ba86977e6236f115fbe10e047396f38477aaf593a37a2565e068e7ff8b

C:\Windows\SysWOW64\Kbceejpf.exe

MD5 cb52e7e52b1e7c63fe10f66e97693731
SHA1 c00468cb89d2436c1af5e0993837e0dc3e21495b
SHA256 e5d26f9682f1e9a3673b97a43df4165b0686556c7b4d1834813cbdc201912028
SHA512 b202327b1d93ae128e6952dba3a3a4bfa8b43462a52ad0ce86d8a61332151c8c39d9c33d7ff1c591ba6196aef1e41bd87161298d63bbef9581f0e15f0a02b5be

C:\Windows\SysWOW64\Liimncmf.exe

MD5 bdd766a1d1bd464599ce524f768a9994
SHA1 d83a153eff921c10b881c4d247b1226e74933aaa
SHA256 369ffee3bbd3bc2c67fe7c0fd7455ae8f67962e1e237d5ebfbb26d15d7fc0d37
SHA512 5ab12dbd3209ef2a141752987446da36f6b0b26f01a7669016f98697692bcf7cf2a5cb5263f5f25db1218677d6062971b5516eb861f146427bb4d7221565c6b4

C:\Windows\SysWOW64\Mplhql32.exe

MD5 64c22ed7408bad4ccf85cbe41c435827
SHA1 7daddcdd1f7a7d66abd1183cffecd86ddc271e3e
SHA256 ceaf95a19b686ae1529eefde79bd71bfd18ae293125c9b91e3e196fb328e13da
SHA512 524c10e2fecb2c4fe4a3909d2533026678db1e5d11a56f14e5cafac63930454bc3d123126fff70cc60a41908f9076121e446c9d0980862b5b721f74d5575fe31

C:\Windows\SysWOW64\Mcpnhfhf.exe

MD5 dc7254a8a3a93151b4d7aae33847fd63
SHA1 ab7ec02bd2cf32742284d9cff732fccaa3b548ff
SHA256 5defa9822676cddbc552746f60b3a61f1994716aaa6f3ed16270a91d23138f85
SHA512 2fb7535058d36692f56d5d983101698fe09acb714d1b5cba22c1f2ab764c0aedbf1804547c9cc557cc6ed5010678a84ae59fe937eea9d1fcc5c896a461e89e15

C:\Windows\SysWOW64\Nebdoa32.exe

MD5 ab987a02b00dc1180d6adddd15d905cd
SHA1 6e12ac6cf79f08648847a5b0359c7caed06b1fc0
SHA256 09253502540b401f022620f7fbeba31affcb5d384f2c2be17c169d69e9b139d3
SHA512 9e51f6ed1810495e0464989e0e98ff4a2538a4606ac645c99c6514bd99f4ea2eb58cb708e28e38cbaf39346c8e927f8df45a0a1570aba8c73e40a18b687d6bdc

C:\Windows\SysWOW64\Ncfdie32.exe

MD5 20c8cdc68ef346d5c12a149acec21389
SHA1 eeeba57d639ea3317a7cd5583ae7f3bab7e341be
SHA256 f6ddef44beae0712ac70b8e5e14540de795afc92eaecfa2d5807255f49b816be
SHA512 b134ae381376d97e54ab89fc1c209fc2faf978dad00f3f257c2419ae757508d7538351389f9a5edc59464f66e685db4005ff3f02d7a7d323ba5dc2467a955ae7

C:\Windows\SysWOW64\Nfgmjqop.exe

MD5 bbf033b384b8ca670bfae585a218ae27
SHA1 08f7af0beb3248d3301f48e6843effb272506ddd
SHA256 fb0fa46d4f0c39449fbdaec3ad441866f2de63c80d665d6c90c4cd7a8a2297ce
SHA512 1090613372f7a1e90ff6581fbdd6428eded26dad45c87b8c453e3d45d91298d8446e47bea714b1531b8c12b4c34e98a42b978aa3c71274744deb1dc6d2663c72

C:\Windows\SysWOW64\Ndhmhh32.exe

MD5 b3bb618c7e0a5bc7556b8021564513a1
SHA1 2dfa13657399d66690f5e503d8b74a6e2d84adba
SHA256 31f3b1e07f50e55e8ecd90cf4fea697dd88829af9b87e065a5dca85ac164733d
SHA512 fef5386081ff4a90c634090dfcb9be50468528f27f67b0a0eaf6affc5eb8b2fbeb6628645c8f9c5a7c3285a90f745889197253446e193b6e4aff1a6814392dc6

C:\Windows\SysWOW64\Olfobjbg.exe

MD5 a47f5aff9a03b1287b445e6a3442dd57
SHA1 1d220302365bad111936e3154b6bd2af80094373
SHA256 6646ae5f93262b52607e4eb3f34729dc11f3e8de3304b7ff9caf5290164347a8
SHA512 341d19b37917fe7a64033a4eddcaeae41d4a55c7cd4901808efe6c1a664c9de3a5f859db9da31259c6361cbc573d8d2b318d355343dbbe21904682fc56554e8f

C:\Windows\SysWOW64\Ojllan32.exe

MD5 227cebc54e23f95c7fa9fc62f1891b28
SHA1 93a6f029c805f203c66be302307f643c7d385d94
SHA256 e1fac3df7b518953b42b407b7add00fc6fda526c908881fe0a083f67e715b068
SHA512 d1eb1d5fb93fd10eb0356c66b245c27ecaf3dce15a7493a74e4f9a4e82955f07e0709b83d3ebadc4fd47b7b8a8df4cb784abe1f99586863d882a5bf1c06a8b1d

C:\Windows\SysWOW64\Ojaelm32.exe

MD5 55475544d292a187aaf10bb0d28aac7f
SHA1 4816edc76f9f977144325fa61c3796e7f034e651
SHA256 4b9299d9933526548ac274f2b47927da5657611381cf2ce8e1a75d9234c08cdf
SHA512 7743466513f94d2c223af1b068287641232819b8eb59fbe1a8f12b14fcc467cda6ce177b08f1264a1932ed8ebeadf7b154db46b166713f0886c97cab7cdd5a1c

C:\Windows\SysWOW64\Pmannhhj.exe

MD5 93111eaf2885bf844f0a21149e8674ea
SHA1 67b694d3c235346bf15a58dc7fdcf09d26a602ff
SHA256 9c1a8b7b5d53e62cb16d51cbe3fd229437da4fe5cc20d5e498ba89fb03e04582
SHA512 c905480fed77734c2bf1dc9d27836e727fefdd37732740e59eb409b2cf264b2de76d7fcc85c24ef5138f1cc49deb026c424165f35ec85079735f7814c91db595

C:\Windows\SysWOW64\Pmidog32.exe

MD5 1a4a3ecf4b8f4eb20373ee486ed056ef
SHA1 966db4f454f40677ec28caf3c9dabf6bf8980a5e
SHA256 ab5c105e2b5213a7a7d04cf7878fe48e4e5513b9deaa19cc0256f719a336265d
SHA512 7d0a32bf0a25df68f7e3fc65db40332bc39b1b8c68c9cbf2b621f5c8fe017164db852d69d383d0287d801695a3f87b3bacbd957006745390e74fe93ae88f73f7

C:\Windows\SysWOW64\Qdbiedpa.exe

MD5 40c629036fb5300c4af2ae8862d4b681
SHA1 4fbf704aef58f048053b9b66eaa524a7ff106a92
SHA256 4064ce2aaf2c4c0cdf0cb6f90508c459b1d2111627e1872924565c428ade16c0
SHA512 8b03bf267b5b747478e0aa95183fb880b0895267ff4a4ebd2d440193ab9260f12ac280de5e61610231686dc822ae49d9ca92a6e89f016161f74d8cbc5136a002

C:\Windows\SysWOW64\Aqncedbp.exe

MD5 00abbd69e0d3a04a9cfe19d00e7d7e32
SHA1 b8276a94b6f2328c252df0e47f29d84fd4727335
SHA256 c660f95a2d1f8520f21932900997dd00f8580e4fe9427223d3584f15bf5dd1d1
SHA512 584b0f455c06dc53a3fec1001572bd6f5d2e0801e503b526d0fabc1c885eabf456c9562d7fb7f2662ed492112ff0f6cbe95d60e8bbca0ea44213f85d5a2b9d3f

C:\Windows\SysWOW64\Anadoi32.exe

MD5 8f59b453a263f90849dd7578aefee068
SHA1 1e4d0b16a4d1d59c873030d6bd19e25e8599b15b
SHA256 ca1018bf985c4ce8513cadf75de0fb8e22aa252a7c5cd5ded048a4b2faf7743c
SHA512 99523f0e12672d1db031b05be4d3dc92f1995865d22b9f4fba308cc648386629eb0a3a26efb071a5520917ef0a29b2ad0ea9d81b4506dee6261bcfbffb4fb5e4

C:\Windows\SysWOW64\Andqdh32.exe

MD5 fd49d4fd282bdbbc9f105de37343e0b8
SHA1 242b2854b8ca528c486ff1e659f3e2108ff99c98
SHA256 bb7068a48450e7b385eba1e3558444fc9aba2885839d62ca705a4a756c71300c
SHA512 b3bc0f97d08cb10fa57dffe71257071d7345b01b920d9bb647ed3f9bf8c087e7ebf3d6a2e8cc04854c54f18878eefaed006bd9ace379f7ed5899253cb0f2b4cf

C:\Windows\SysWOW64\Ajkaii32.exe

MD5 b611ce07d0be522cc2af1c329a654378
SHA1 64bebfe94894ec10cda2ed537be13a92eb3c8156
SHA256 a6debc16d3fe38ad604a813486758308842b23fe191dd3dda37370917d0cac43
SHA512 38794e345adf56020c8de715e48c4924b7701325706b1c0355a3fe66d1a78e92969079169cac7210ff9a30578fe3c2b3ca29f194d84dcee986da20004f33a402

C:\Windows\SysWOW64\Agoabn32.exe

MD5 9341fe53d2fe93025ec6f0a9b0a21330
SHA1 743f19960a55c2a3a831d1a3dcea5a9c0fea1765
SHA256 9789256f594415094b208a3184d37aabde3a4b4a4cf1025a0eb25a2a60e1bcc7
SHA512 296e78194aac8750706866f1f0e5f6ffdd83b8767e20c22c2a0ef6ca8f48edf4a7c8ff1b44e39d5a58bbf2d58584e36dc1d741a5e695c8f4d1c03f74a54ca57e

C:\Windows\SysWOW64\Bebblb32.exe

MD5 0072cdb2d8982e4e0a1a42f8bc6303dd
SHA1 42a07c52f4a0e6bf1f8cd859130af3585329ccc4
SHA256 6c6f2dafbe6a2016c20dc7a01c8607e0c843962e0aaea6ed0e4eb5b8d6e68319
SHA512 ce9b2f74a162521f5a2823bc1e0bdbb92ab837da9a1d7e98e69e39b3a0ccb6092456cf0d78228d6e2c3e660b6947c8064db9a6a5e79b7509405c26259e913611

C:\Windows\SysWOW64\Bmngqdpj.exe

MD5 550cb186c6ab803c8126a6637b9b88c7
SHA1 58abf75bb464b6adbd6ba60d9efdb7e24bf8f950
SHA256 2a9bacdc5afa3e1e66dd981092a3928081e55278b972ff6a09e249b3eda4de99
SHA512 3bbacccff64642a77583e652ac35be348c1435da7188fc0dfd84dcd00ea90f48efb7a1f0ffde3c85a96520b22c045fe669dd53adec19d33748d2fd86893ca6fa

C:\Windows\SysWOW64\Balpgb32.exe

MD5 d9c7686f21e5fa518655a8ac35f952a7
SHA1 c0c5d9b08485ea56e17861909d90d8fde26e3010
SHA256 a6d648fc4af216e6473c6a82ae5348631ed940af2c33d33c6aaa9d8f1c3207d1
SHA512 b7842544ad21b5397029a8b88b43b9c24930a59ed5daa5d612909546f752ba5389e3f13d914c12abdf19f00d4402cc33f68e0d8ee6b0e96eef0c46566712909f

C:\Windows\SysWOW64\Bfkedibe.exe

MD5 5204c90452200d0aa851422c03ee8b04
SHA1 70a3a8789af25f3a021f12fdcb00bdc6f5cea9e8
SHA256 fd64825768b4fd1a6e553d71b1111f2b9bedea72d1226573102068ed27309572
SHA512 e8520d5e648be1d6de7e5f996c62e46672ff1e13d16b8bdcccaa25da336b467a233c6ac43e9ad1fdc48449edad15e11d44963ded8b9c986b384a49a70f852b41

C:\Windows\SysWOW64\Cabfga32.exe

MD5 6d12c871f6b763494827ea41d3f205f3
SHA1 b2917263d3b2d1c4c60a296f7b05a5240a35e320
SHA256 0db1f3880d237db515b30653eea3d85d9a0bffeb458f8fdf3bd854ba11990d94
SHA512 15e2aae2cbc2d4d976b5979410d9c37df0b14ad59800553bbe103ae7ba4f6997c4d85a56fa98c09ea4f6781dc2f7ecb98d9920e1f11bc63d2c1396fd9ba88016

C:\Windows\SysWOW64\Cdhhdlid.exe

MD5 1cb1210a1588733999d20ca51e0faebf
SHA1 5eadbb8c786a8bb42ac06147e5bd57bf6226f75d
SHA256 077a5ba8ca34e934cedeefd6cedc19feddea3c85221726360c6cf732c2051b5f
SHA512 12789d0b6415028e44c831afc70a442114fc32df2a759c2da10f22348c568d7972c986d896a071697b885249ba9f5f338c8d219eaddca6571073907834e7ceb8

C:\Windows\SysWOW64\Djdmffnn.exe

MD5 6aa7d728df2f713f9ef99aaf2c24e977
SHA1 f34d3b3be6b4f6edb2d4d8220e07e3ebaa6f01ae
SHA256 ba642cd752417dbfb8c00a3e24de53ad3ec83b96bd53056c730bc5a846f66a9c
SHA512 1cfbd988ad9c0e287e7870b15fcb9a6407b91079cb295d619dc07ef4e168cb941d59b794e640c56c600b1b9a67266d21350b0fbe4c252a06d68373d788283713

C:\Windows\SysWOW64\Dmefhako.exe

MD5 c0670475967d9d8f1a25ee07ce5dcf2b
SHA1 f6f81183015803660a662091b6e1958142c6bc14
SHA256 0561194b9d03817c773738bf2cc1e2cf53efbf05681f966ccf8a464bf58d9ad2
SHA512 c91f130f5e7662fca642d6a65039a2cd6b590677ecc8097a0c5dbad5ca76b2228f1eaed4cff1bcc395a7d6d0fcdb39219a0ba8d3d91c14000a4783c3dd7ff1a8

C:\Windows\SysWOW64\Daconoae.exe

MD5 01501b1268f60fb7ca41ca4071a65d4a
SHA1 c74a488d3697f3045ad5877e7f88ff2e3cb92a26
SHA256 87fb07d86626d8d5d1ccb3bcca29e4c6c27adf032a22a83dded68d310e0947c5
SHA512 d364d209cf97649c7bc5ed47c4766a66f5c8328f96160e4bdef720acc0cacd9b233fd70979b265dc04347e0d8fbb70cc69a211cf64fc87510edb9f4013a2f3d4

C:\Windows\SysWOW64\Dmllipeg.exe

MD5 541d3d60d99a240070ac23f70e5b1b24
SHA1 819e47382cc76259c983a3f08aca5beeb1da0890
SHA256 57cf2d3a47d2fe5a4b7bd876a3d6f4a7b51390e06e4e63cc28ebfae0f4054446
SHA512 3b98a3f86cb5eb37644371ef574b6d43cdb45c24281b1b64a40499732002cdb00072c4baf586205fcc56091482b1d0824d08920e82a0f47e44abbd1b31a50d43