Malware Analysis Report

2025-01-18 14:05

Sample ID 240613-c989rs1hqg
Target 586501eefb385abef3305e5060b47100_NeikiAnalytics.exe
SHA256 25c1912b161ab3ae629ae55119f9717a02344db3a305b509162b2634f0552c1b
Tags
persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

25c1912b161ab3ae629ae55119f9717a02344db3a305b509162b2634f0552c1b

Threat Level: Known bad

The file 586501eefb385abef3305e5060b47100_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

persistence

Adds autorun key to be loaded by Explorer.exe on startup

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Program crash

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 02:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 02:47

Reported

2024-06-13 02:50

Platform

win7-20240508-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\586501eefb385abef3305e5060b47100_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Fddmgjpo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hknach32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hogmmjfo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ihoafpmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Eilpeooq.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gaqcoc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hiekid32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fbgmbg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fmcoja32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Glfhll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hogmmjfo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Eflgccbp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gpmjak32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ioijbj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Globlmmj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Egamfkdh.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hejoiedd.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ecpgmhai.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hlakpp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hkkalk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fhkpmjln.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Globlmmj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Gogangdc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hgilchkf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Emhlfmgj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Gacpdbej.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eiomkn32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fehjeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Fhkpmjln.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hmlnoc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hcplhi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Egamfkdh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Fehjeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Eeempocb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ffkcbgek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Fbgmbg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ghhofmql.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Glfhll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hknach32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ioijbj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eilpeooq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Gpmjak32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hcplhi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hjjddchg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ffpmnf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ffkcbgek.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fpdhklkl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Fpdhklkl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fjlhneio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Gaqcoc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ecpgmhai.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Fmhheqje.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Gicbeald.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Gmjaic32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fnbkddem.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ffpmnf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Fmcoja32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hicodd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hnojdcfi.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hgilchkf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Fjilieka.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gacpdbej.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Geolea32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Iaeiieeb.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Eflgccbp.exe N/A
N/A N/A C:\Windows\SysWOW64\Epdkli32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecpgmhai.exe N/A
N/A N/A C:\Windows\SysWOW64\Eilpeooq.exe N/A
N/A N/A C:\Windows\SysWOW64\Emhlfmgj.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiomkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Egamfkdh.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebgacddo.exe N/A
N/A N/A C:\Windows\SysWOW64\Eeempocb.exe N/A
N/A N/A C:\Windows\SysWOW64\Ennaieib.exe N/A
N/A N/A C:\Windows\SysWOW64\Fehjeo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjdbnf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmcoja32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffkcbgek.exe N/A
N/A N/A C:\Windows\SysWOW64\Fnbkddem.exe N/A
N/A N/A C:\Windows\SysWOW64\Fpdhklkl.exe N/A
N/A N/A C:\Windows\SysWOW64\Fhkpmjln.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjilieka.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmhheqje.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffpmnf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjlhneio.exe N/A
N/A N/A C:\Windows\SysWOW64\Fddmgjpo.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbgmbg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Globlmmj.exe N/A
N/A N/A C:\Windows\SysWOW64\Gpknlk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gicbeald.exe N/A
N/A N/A C:\Windows\SysWOW64\Gangic32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghhofmql.exe N/A
N/A N/A C:\Windows\SysWOW64\Gaqcoc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Glfhll32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gacpdbej.exe N/A
N/A N/A C:\Windows\SysWOW64\Geolea32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gogangdc.exe N/A
N/A N/A C:\Windows\SysWOW64\Gmjaic32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hknach32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hmlnoc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hgdbhi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hicodd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hnojdcfi.exe N/A
N/A N/A C:\Windows\SysWOW64\Hlakpp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hejoiedd.exe N/A
N/A N/A C:\Windows\SysWOW64\Hiekid32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hcnpbi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hgilchkf.exe N/A
N/A N/A C:\Windows\SysWOW64\Hlfdkoin.exe N/A
N/A N/A C:\Windows\SysWOW64\Hpapln32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hcplhi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hacmcfge.exe N/A
N/A N/A C:\Windows\SysWOW64\Hjjddchg.exe N/A
N/A N/A C:\Windows\SysWOW64\Hkkalk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hogmmjfo.exe N/A
N/A N/A C:\Windows\SysWOW64\Iaeiieeb.exe N/A
N/A N/A C:\Windows\SysWOW64\Idceea32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ihoafpmp.exe N/A
N/A N/A C:\Windows\SysWOW64\Ioijbj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iagfoe32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\586501eefb385abef3305e5060b47100_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\586501eefb385abef3305e5060b47100_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\SysWOW64\Eflgccbp.exe N/A
N/A N/A C:\Windows\SysWOW64\Eflgccbp.exe N/A
N/A N/A C:\Windows\SysWOW64\Epdkli32.exe N/A
N/A N/A C:\Windows\SysWOW64\Epdkli32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecpgmhai.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecpgmhai.exe N/A
N/A N/A C:\Windows\SysWOW64\Eilpeooq.exe N/A
N/A N/A C:\Windows\SysWOW64\Eilpeooq.exe N/A
N/A N/A C:\Windows\SysWOW64\Emhlfmgj.exe N/A
N/A N/A C:\Windows\SysWOW64\Emhlfmgj.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiomkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiomkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Egamfkdh.exe N/A
N/A N/A C:\Windows\SysWOW64\Egamfkdh.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebgacddo.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebgacddo.exe N/A
N/A N/A C:\Windows\SysWOW64\Eeempocb.exe N/A
N/A N/A C:\Windows\SysWOW64\Eeempocb.exe N/A
N/A N/A C:\Windows\SysWOW64\Ennaieib.exe N/A
N/A N/A C:\Windows\SysWOW64\Ennaieib.exe N/A
N/A N/A C:\Windows\SysWOW64\Fehjeo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fehjeo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjdbnf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjdbnf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmcoja32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmcoja32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffkcbgek.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffkcbgek.exe N/A
N/A N/A C:\Windows\SysWOW64\Fnbkddem.exe N/A
N/A N/A C:\Windows\SysWOW64\Fnbkddem.exe N/A
N/A N/A C:\Windows\SysWOW64\Fpdhklkl.exe N/A
N/A N/A C:\Windows\SysWOW64\Fpdhklkl.exe N/A
N/A N/A C:\Windows\SysWOW64\Fhkpmjln.exe N/A
N/A N/A C:\Windows\SysWOW64\Fhkpmjln.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjilieka.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjilieka.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmhheqje.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmhheqje.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffpmnf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffpmnf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjlhneio.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjlhneio.exe N/A
N/A N/A C:\Windows\SysWOW64\Fddmgjpo.exe N/A
N/A N/A C:\Windows\SysWOW64\Fddmgjpo.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbgmbg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbgmbg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Globlmmj.exe N/A
N/A N/A C:\Windows\SysWOW64\Globlmmj.exe N/A
N/A N/A C:\Windows\SysWOW64\Gpknlk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gpknlk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gpmjak32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gpmjak32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gangic32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gangic32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghhofmql.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghhofmql.exe N/A
N/A N/A C:\Windows\SysWOW64\Gaqcoc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gaqcoc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Glfhll32.exe N/A
N/A N/A C:\Windows\SysWOW64\Glfhll32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gacpdbej.exe N/A
N/A N/A C:\Windows\SysWOW64\Gacpdbej.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Eilpeooq.exe C:\Windows\SysWOW64\Ecpgmhai.exe N/A
File opened for modification C:\Windows\SysWOW64\Eiomkn32.exe C:\Windows\SysWOW64\Emhlfmgj.exe N/A
File created C:\Windows\SysWOW64\Jpajnpao.dll C:\Windows\SysWOW64\Gmjaic32.exe N/A
File created C:\Windows\SysWOW64\Pqiqnfej.dll C:\Windows\SysWOW64\Iaeiieeb.exe N/A
File opened for modification C:\Windows\SysWOW64\Hpapln32.exe C:\Windows\SysWOW64\Hlfdkoin.exe N/A
File created C:\Windows\SysWOW64\Ojhcelga.dll C:\Windows\SysWOW64\Hkkalk32.exe N/A
File created C:\Windows\SysWOW64\Ebgacddo.exe C:\Windows\SysWOW64\Egamfkdh.exe N/A
File created C:\Windows\SysWOW64\Elpbcapg.dll C:\Windows\SysWOW64\Glfhll32.exe N/A
File created C:\Windows\SysWOW64\Gmjaic32.exe C:\Windows\SysWOW64\Gogangdc.exe N/A
File created C:\Windows\SysWOW64\Aimkgn32.dll C:\Windows\SysWOW64\Gogangdc.exe N/A
File opened for modification C:\Windows\SysWOW64\Gmjaic32.exe C:\Windows\SysWOW64\Gogangdc.exe N/A
File created C:\Windows\SysWOW64\Hogmmjfo.exe C:\Windows\SysWOW64\Hkkalk32.exe N/A
File created C:\Windows\SysWOW64\Odbhmo32.dll C:\Users\Admin\AppData\Local\Temp\586501eefb385abef3305e5060b47100_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Glpjaf32.dll C:\Windows\SysWOW64\Eflgccbp.exe N/A
File created C:\Windows\SysWOW64\Dchfknpg.dll C:\Windows\SysWOW64\Fehjeo32.exe N/A
File created C:\Windows\SysWOW64\Ikkbnm32.dll C:\Windows\SysWOW64\Fpdhklkl.exe N/A
File created C:\Windows\SysWOW64\Hmlnoc32.exe C:\Windows\SysWOW64\Hknach32.exe N/A
File created C:\Windows\SysWOW64\Hcplhi32.exe C:\Windows\SysWOW64\Hpapln32.exe N/A
File created C:\Windows\SysWOW64\Hkkalk32.exe C:\Windows\SysWOW64\Hjjddchg.exe N/A
File opened for modification C:\Windows\SysWOW64\Hogmmjfo.exe C:\Windows\SysWOW64\Hkkalk32.exe N/A
File created C:\Windows\SysWOW64\Kgcampld.dll C:\Windows\SysWOW64\Eilpeooq.exe N/A
File created C:\Windows\SysWOW64\Fddmgjpo.exe C:\Windows\SysWOW64\Fjlhneio.exe N/A
File created C:\Windows\SysWOW64\Fbgmbg32.exe C:\Windows\SysWOW64\Fddmgjpo.exe N/A
File created C:\Windows\SysWOW64\Globlmmj.exe C:\Windows\SysWOW64\Fbgmbg32.exe N/A
File created C:\Windows\SysWOW64\Fjlhneio.exe C:\Windows\SysWOW64\Ffpmnf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hkkalk32.exe C:\Windows\SysWOW64\Hjjddchg.exe N/A
File opened for modification C:\Windows\SysWOW64\Egamfkdh.exe C:\Windows\SysWOW64\Eiomkn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fmcoja32.exe C:\Windows\SysWOW64\Fjdbnf32.exe N/A
File created C:\Windows\SysWOW64\Ffpmnf32.exe C:\Windows\SysWOW64\Fmhheqje.exe N/A
File created C:\Windows\SysWOW64\Hgilchkf.exe C:\Windows\SysWOW64\Hcnpbi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fjilieka.exe C:\Windows\SysWOW64\Fhkpmjln.exe N/A
File created C:\Windows\SysWOW64\Gpknlk32.exe C:\Windows\SysWOW64\Globlmmj.exe N/A
File opened for modification C:\Windows\SysWOW64\Ihoafpmp.exe C:\Windows\SysWOW64\Idceea32.exe N/A
File opened for modification C:\Windows\SysWOW64\Epdkli32.exe C:\Windows\SysWOW64\Eflgccbp.exe N/A
File created C:\Windows\SysWOW64\Dekpaqgc.dll C:\Windows\SysWOW64\Epdkli32.exe N/A
File created C:\Windows\SysWOW64\Eiomkn32.exe C:\Windows\SysWOW64\Emhlfmgj.exe N/A
File created C:\Windows\SysWOW64\Clnlnhop.dll C:\Windows\SysWOW64\Egamfkdh.exe N/A
File created C:\Windows\SysWOW64\Ihoafpmp.exe C:\Windows\SysWOW64\Idceea32.exe N/A
File created C:\Windows\SysWOW64\Ghhofmql.exe C:\Windows\SysWOW64\Gangic32.exe N/A
File opened for modification C:\Windows\SysWOW64\Geolea32.exe C:\Windows\SysWOW64\Gacpdbej.exe N/A
File created C:\Windows\SysWOW64\Hlakpp32.exe C:\Windows\SysWOW64\Hnojdcfi.exe N/A
File created C:\Windows\SysWOW64\Hacmcfge.exe C:\Windows\SysWOW64\Hcplhi32.exe N/A
File created C:\Windows\SysWOW64\Bnpmlfkm.dll C:\Windows\SysWOW64\Eiomkn32.exe N/A
File created C:\Windows\SysWOW64\Hiekid32.exe C:\Windows\SysWOW64\Hejoiedd.exe N/A
File created C:\Windows\SysWOW64\Mhfkbo32.dll C:\Windows\SysWOW64\Hacmcfge.exe N/A
File created C:\Windows\SysWOW64\Iaeiieeb.exe C:\Windows\SysWOW64\Hogmmjfo.exe N/A
File created C:\Windows\SysWOW64\Ennaieib.exe C:\Windows\SysWOW64\Eeempocb.exe N/A
File created C:\Windows\SysWOW64\Fjdbnf32.exe C:\Windows\SysWOW64\Fehjeo32.exe N/A
File created C:\Windows\SysWOW64\Bccnbmal.dll C:\Windows\SysWOW64\Fnbkddem.exe N/A
File created C:\Windows\SysWOW64\Hjjddchg.exe C:\Windows\SysWOW64\Hacmcfge.exe N/A
File created C:\Windows\SysWOW64\Ncolgf32.dll C:\Windows\SysWOW64\Hknach32.exe N/A
File created C:\Windows\SysWOW64\Nbniiffi.dll C:\Windows\SysWOW64\Hcnpbi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Idceea32.exe C:\Windows\SysWOW64\Iaeiieeb.exe N/A
File opened for modification C:\Windows\SysWOW64\Ennaieib.exe C:\Windows\SysWOW64\Eeempocb.exe N/A
File created C:\Windows\SysWOW64\Lghegkoc.dll C:\Windows\SysWOW64\Fjdbnf32.exe N/A
File created C:\Windows\SysWOW64\Glfhll32.exe C:\Windows\SysWOW64\Gaqcoc32.exe N/A
File created C:\Windows\SysWOW64\Hllopfgo.dll C:\Windows\SysWOW64\Geolea32.exe N/A
File created C:\Windows\SysWOW64\Aloeodfi.dll C:\Windows\SysWOW64\Ffpmnf32.exe N/A
File created C:\Windows\SysWOW64\Mncnkh32.dll C:\Windows\SysWOW64\Gpmjak32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hnojdcfi.exe C:\Windows\SysWOW64\Hicodd32.exe N/A
File created C:\Windows\SysWOW64\Khejeajg.dll C:\Windows\SysWOW64\Hiekid32.exe N/A
File created C:\Windows\SysWOW64\Epdkli32.exe C:\Windows\SysWOW64\Eflgccbp.exe N/A
File created C:\Windows\SysWOW64\Eilpeooq.exe C:\Windows\SysWOW64\Ecpgmhai.exe N/A
File opened for modification C:\Windows\SysWOW64\Eeempocb.exe C:\Windows\SysWOW64\Ebgacddo.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Iagfoe32.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Fjlhneio.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Globlmmj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gicbeald.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Gogangdc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hpapln32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lonkjenl.dll" C:\Windows\SysWOW64\Ebgacddo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpmei32.dll" C:\Windows\SysWOW64\Eeempocb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Fmcoja32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcdooi32.dll" C:\Windows\SysWOW64\Fmhheqje.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anllbdkl.dll" C:\Windows\SysWOW64\Hnojdcfi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Hcnpbi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Fmhheqje.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gpknlk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Gpmjak32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnkge32.dll" C:\Windows\SysWOW64\Gacpdbej.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hjjddchg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Idceea32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ioijbj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\586501eefb385abef3305e5060b47100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ffkcbgek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fndldonj.dll" C:\Windows\SysWOW64\Ghhofmql.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gmjaic32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Hknach32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Hgdbhi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fmcoja32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlidlf32.dll" C:\Windows\SysWOW64\Fjlhneio.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Gaqcoc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpajnpao.dll" C:\Windows\SysWOW64\Gmjaic32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Eilpeooq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooghhh32.dll" C:\Windows\SysWOW64\Gaqcoc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alogkm32.dll" C:\Windows\SysWOW64\Hcplhi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odbhmo32.dll" C:\Users\Admin\AppData\Local\Temp\586501eefb385abef3305e5060b47100_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Hjjddchg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Hpapln32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Gicbeald.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmhfjo32.dll" C:\Windows\SysWOW64\Gicbeald.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hicodd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hejoiedd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gknfklng.dll" C:\Windows\SysWOW64\Hejoiedd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khejeajg.dll" C:\Windows\SysWOW64\Hiekid32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hkkalk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Gpknlk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mncnkh32.dll" C:\Windows\SysWOW64\Gpmjak32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahpjhc32.dll" C:\Windows\SysWOW64\Gangic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gacpdbej.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Eeempocb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Globlmmj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hllopfgo.dll" C:\Windows\SysWOW64\Geolea32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Hacmcfge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlgohm32.dll" C:\Windows\SysWOW64\Ennaieib.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfknpg.dll" C:\Windows\SysWOW64\Fehjeo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Fjilieka.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Geolea32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Hcplhi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\586501eefb385abef3305e5060b47100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dekpaqgc.dll" C:\Windows\SysWOW64\Epdkli32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lghegkoc.dll" C:\Windows\SysWOW64\Fjdbnf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odpegjpg.dll" C:\Windows\SysWOW64\Hicodd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fpdhklkl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Gangic32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Hmlnoc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\586501eefb385abef3305e5060b47100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glpjaf32.dll" C:\Windows\SysWOW64\Eflgccbp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Emhlfmgj.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 620 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\586501eefb385abef3305e5060b47100_NeikiAnalytics.exe C:\Windows\SysWOW64\Eflgccbp.exe
PID 620 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\586501eefb385abef3305e5060b47100_NeikiAnalytics.exe C:\Windows\SysWOW64\Eflgccbp.exe
PID 620 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\586501eefb385abef3305e5060b47100_NeikiAnalytics.exe C:\Windows\SysWOW64\Eflgccbp.exe
PID 620 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\586501eefb385abef3305e5060b47100_NeikiAnalytics.exe C:\Windows\SysWOW64\Eflgccbp.exe
PID 2980 wrote to memory of 2676 N/A C:\Windows\SysWOW64\Eflgccbp.exe C:\Windows\SysWOW64\Epdkli32.exe
PID 2980 wrote to memory of 2676 N/A C:\Windows\SysWOW64\Eflgccbp.exe C:\Windows\SysWOW64\Epdkli32.exe
PID 2980 wrote to memory of 2676 N/A C:\Windows\SysWOW64\Eflgccbp.exe C:\Windows\SysWOW64\Epdkli32.exe
PID 2980 wrote to memory of 2676 N/A C:\Windows\SysWOW64\Eflgccbp.exe C:\Windows\SysWOW64\Epdkli32.exe
PID 2676 wrote to memory of 2712 N/A C:\Windows\SysWOW64\Epdkli32.exe C:\Windows\SysWOW64\Ecpgmhai.exe
PID 2676 wrote to memory of 2712 N/A C:\Windows\SysWOW64\Epdkli32.exe C:\Windows\SysWOW64\Ecpgmhai.exe
PID 2676 wrote to memory of 2712 N/A C:\Windows\SysWOW64\Epdkli32.exe C:\Windows\SysWOW64\Ecpgmhai.exe
PID 2676 wrote to memory of 2712 N/A C:\Windows\SysWOW64\Epdkli32.exe C:\Windows\SysWOW64\Ecpgmhai.exe
PID 2712 wrote to memory of 2496 N/A C:\Windows\SysWOW64\Ecpgmhai.exe C:\Windows\SysWOW64\Eilpeooq.exe
PID 2712 wrote to memory of 2496 N/A C:\Windows\SysWOW64\Ecpgmhai.exe C:\Windows\SysWOW64\Eilpeooq.exe
PID 2712 wrote to memory of 2496 N/A C:\Windows\SysWOW64\Ecpgmhai.exe C:\Windows\SysWOW64\Eilpeooq.exe
PID 2712 wrote to memory of 2496 N/A C:\Windows\SysWOW64\Ecpgmhai.exe C:\Windows\SysWOW64\Eilpeooq.exe
PID 2496 wrote to memory of 2656 N/A C:\Windows\SysWOW64\Eilpeooq.exe C:\Windows\SysWOW64\Emhlfmgj.exe
PID 2496 wrote to memory of 2656 N/A C:\Windows\SysWOW64\Eilpeooq.exe C:\Windows\SysWOW64\Emhlfmgj.exe
PID 2496 wrote to memory of 2656 N/A C:\Windows\SysWOW64\Eilpeooq.exe C:\Windows\SysWOW64\Emhlfmgj.exe
PID 2496 wrote to memory of 2656 N/A C:\Windows\SysWOW64\Eilpeooq.exe C:\Windows\SysWOW64\Emhlfmgj.exe
PID 2656 wrote to memory of 1352 N/A C:\Windows\SysWOW64\Emhlfmgj.exe C:\Windows\SysWOW64\Eiomkn32.exe
PID 2656 wrote to memory of 1352 N/A C:\Windows\SysWOW64\Emhlfmgj.exe C:\Windows\SysWOW64\Eiomkn32.exe
PID 2656 wrote to memory of 1352 N/A C:\Windows\SysWOW64\Emhlfmgj.exe C:\Windows\SysWOW64\Eiomkn32.exe
PID 2656 wrote to memory of 1352 N/A C:\Windows\SysWOW64\Emhlfmgj.exe C:\Windows\SysWOW64\Eiomkn32.exe
PID 1352 wrote to memory of 752 N/A C:\Windows\SysWOW64\Eiomkn32.exe C:\Windows\SysWOW64\Egamfkdh.exe
PID 1352 wrote to memory of 752 N/A C:\Windows\SysWOW64\Eiomkn32.exe C:\Windows\SysWOW64\Egamfkdh.exe
PID 1352 wrote to memory of 752 N/A C:\Windows\SysWOW64\Eiomkn32.exe C:\Windows\SysWOW64\Egamfkdh.exe
PID 1352 wrote to memory of 752 N/A C:\Windows\SysWOW64\Eiomkn32.exe C:\Windows\SysWOW64\Egamfkdh.exe
PID 752 wrote to memory of 2636 N/A C:\Windows\SysWOW64\Egamfkdh.exe C:\Windows\SysWOW64\Ebgacddo.exe
PID 752 wrote to memory of 2636 N/A C:\Windows\SysWOW64\Egamfkdh.exe C:\Windows\SysWOW64\Ebgacddo.exe
PID 752 wrote to memory of 2636 N/A C:\Windows\SysWOW64\Egamfkdh.exe C:\Windows\SysWOW64\Ebgacddo.exe
PID 752 wrote to memory of 2636 N/A C:\Windows\SysWOW64\Egamfkdh.exe C:\Windows\SysWOW64\Ebgacddo.exe
PID 2636 wrote to memory of 608 N/A C:\Windows\SysWOW64\Ebgacddo.exe C:\Windows\SysWOW64\Eeempocb.exe
PID 2636 wrote to memory of 608 N/A C:\Windows\SysWOW64\Ebgacddo.exe C:\Windows\SysWOW64\Eeempocb.exe
PID 2636 wrote to memory of 608 N/A C:\Windows\SysWOW64\Ebgacddo.exe C:\Windows\SysWOW64\Eeempocb.exe
PID 2636 wrote to memory of 608 N/A C:\Windows\SysWOW64\Ebgacddo.exe C:\Windows\SysWOW64\Eeempocb.exe
PID 608 wrote to memory of 1576 N/A C:\Windows\SysWOW64\Eeempocb.exe C:\Windows\SysWOW64\Ennaieib.exe
PID 608 wrote to memory of 1576 N/A C:\Windows\SysWOW64\Eeempocb.exe C:\Windows\SysWOW64\Ennaieib.exe
PID 608 wrote to memory of 1576 N/A C:\Windows\SysWOW64\Eeempocb.exe C:\Windows\SysWOW64\Ennaieib.exe
PID 608 wrote to memory of 1576 N/A C:\Windows\SysWOW64\Eeempocb.exe C:\Windows\SysWOW64\Ennaieib.exe
PID 1576 wrote to memory of 1436 N/A C:\Windows\SysWOW64\Ennaieib.exe C:\Windows\SysWOW64\Fehjeo32.exe
PID 1576 wrote to memory of 1436 N/A C:\Windows\SysWOW64\Ennaieib.exe C:\Windows\SysWOW64\Fehjeo32.exe
PID 1576 wrote to memory of 1436 N/A C:\Windows\SysWOW64\Ennaieib.exe C:\Windows\SysWOW64\Fehjeo32.exe
PID 1576 wrote to memory of 1436 N/A C:\Windows\SysWOW64\Ennaieib.exe C:\Windows\SysWOW64\Fehjeo32.exe
PID 1436 wrote to memory of 1224 N/A C:\Windows\SysWOW64\Fehjeo32.exe C:\Windows\SysWOW64\Fjdbnf32.exe
PID 1436 wrote to memory of 1224 N/A C:\Windows\SysWOW64\Fehjeo32.exe C:\Windows\SysWOW64\Fjdbnf32.exe
PID 1436 wrote to memory of 1224 N/A C:\Windows\SysWOW64\Fehjeo32.exe C:\Windows\SysWOW64\Fjdbnf32.exe
PID 1436 wrote to memory of 1224 N/A C:\Windows\SysWOW64\Fehjeo32.exe C:\Windows\SysWOW64\Fjdbnf32.exe
PID 1224 wrote to memory of 652 N/A C:\Windows\SysWOW64\Fjdbnf32.exe C:\Windows\SysWOW64\Fmcoja32.exe
PID 1224 wrote to memory of 652 N/A C:\Windows\SysWOW64\Fjdbnf32.exe C:\Windows\SysWOW64\Fmcoja32.exe
PID 1224 wrote to memory of 652 N/A C:\Windows\SysWOW64\Fjdbnf32.exe C:\Windows\SysWOW64\Fmcoja32.exe
PID 1224 wrote to memory of 652 N/A C:\Windows\SysWOW64\Fjdbnf32.exe C:\Windows\SysWOW64\Fmcoja32.exe
PID 652 wrote to memory of 2024 N/A C:\Windows\SysWOW64\Fmcoja32.exe C:\Windows\SysWOW64\Ffkcbgek.exe
PID 652 wrote to memory of 2024 N/A C:\Windows\SysWOW64\Fmcoja32.exe C:\Windows\SysWOW64\Ffkcbgek.exe
PID 652 wrote to memory of 2024 N/A C:\Windows\SysWOW64\Fmcoja32.exe C:\Windows\SysWOW64\Ffkcbgek.exe
PID 652 wrote to memory of 2024 N/A C:\Windows\SysWOW64\Fmcoja32.exe C:\Windows\SysWOW64\Ffkcbgek.exe
PID 2024 wrote to memory of 2548 N/A C:\Windows\SysWOW64\Ffkcbgek.exe C:\Windows\SysWOW64\Fnbkddem.exe
PID 2024 wrote to memory of 2548 N/A C:\Windows\SysWOW64\Ffkcbgek.exe C:\Windows\SysWOW64\Fnbkddem.exe
PID 2024 wrote to memory of 2548 N/A C:\Windows\SysWOW64\Ffkcbgek.exe C:\Windows\SysWOW64\Fnbkddem.exe
PID 2024 wrote to memory of 2548 N/A C:\Windows\SysWOW64\Ffkcbgek.exe C:\Windows\SysWOW64\Fnbkddem.exe
PID 2548 wrote to memory of 2228 N/A C:\Windows\SysWOW64\Fnbkddem.exe C:\Windows\SysWOW64\Fpdhklkl.exe
PID 2548 wrote to memory of 2228 N/A C:\Windows\SysWOW64\Fnbkddem.exe C:\Windows\SysWOW64\Fpdhklkl.exe
PID 2548 wrote to memory of 2228 N/A C:\Windows\SysWOW64\Fnbkddem.exe C:\Windows\SysWOW64\Fpdhklkl.exe
PID 2548 wrote to memory of 2228 N/A C:\Windows\SysWOW64\Fnbkddem.exe C:\Windows\SysWOW64\Fpdhklkl.exe

Processes

C:\Users\Admin\AppData\Local\Temp\586501eefb385abef3305e5060b47100_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\586501eefb385abef3305e5060b47100_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Eflgccbp.exe

C:\Windows\system32\Eflgccbp.exe

C:\Windows\SysWOW64\Epdkli32.exe

C:\Windows\system32\Epdkli32.exe

C:\Windows\SysWOW64\Ecpgmhai.exe

C:\Windows\system32\Ecpgmhai.exe

C:\Windows\SysWOW64\Eilpeooq.exe

C:\Windows\system32\Eilpeooq.exe

C:\Windows\SysWOW64\Emhlfmgj.exe

C:\Windows\system32\Emhlfmgj.exe

C:\Windows\SysWOW64\Eiomkn32.exe

C:\Windows\system32\Eiomkn32.exe

C:\Windows\SysWOW64\Egamfkdh.exe

C:\Windows\system32\Egamfkdh.exe

C:\Windows\SysWOW64\Ebgacddo.exe

C:\Windows\system32\Ebgacddo.exe

C:\Windows\SysWOW64\Eeempocb.exe

C:\Windows\system32\Eeempocb.exe

C:\Windows\SysWOW64\Ennaieib.exe

C:\Windows\system32\Ennaieib.exe

C:\Windows\SysWOW64\Fehjeo32.exe

C:\Windows\system32\Fehjeo32.exe

C:\Windows\SysWOW64\Fjdbnf32.exe

C:\Windows\system32\Fjdbnf32.exe

C:\Windows\SysWOW64\Fmcoja32.exe

C:\Windows\system32\Fmcoja32.exe

C:\Windows\SysWOW64\Ffkcbgek.exe

C:\Windows\system32\Ffkcbgek.exe

C:\Windows\SysWOW64\Fnbkddem.exe

C:\Windows\system32\Fnbkddem.exe

C:\Windows\SysWOW64\Fpdhklkl.exe

C:\Windows\system32\Fpdhklkl.exe

C:\Windows\SysWOW64\Fhkpmjln.exe

C:\Windows\system32\Fhkpmjln.exe

C:\Windows\SysWOW64\Fjilieka.exe

C:\Windows\system32\Fjilieka.exe

C:\Windows\SysWOW64\Fmhheqje.exe

C:\Windows\system32\Fmhheqje.exe

C:\Windows\SysWOW64\Ffpmnf32.exe

C:\Windows\system32\Ffpmnf32.exe

C:\Windows\SysWOW64\Fjlhneio.exe

C:\Windows\system32\Fjlhneio.exe

C:\Windows\SysWOW64\Fddmgjpo.exe

C:\Windows\system32\Fddmgjpo.exe

C:\Windows\SysWOW64\Fbgmbg32.exe

C:\Windows\system32\Fbgmbg32.exe

C:\Windows\SysWOW64\Globlmmj.exe

C:\Windows\system32\Globlmmj.exe

C:\Windows\SysWOW64\Gpknlk32.exe

C:\Windows\system32\Gpknlk32.exe

C:\Windows\SysWOW64\Gicbeald.exe

C:\Windows\system32\Gicbeald.exe

C:\Windows\SysWOW64\Gpmjak32.exe

C:\Windows\system32\Gpmjak32.exe

C:\Windows\SysWOW64\Gangic32.exe

C:\Windows\system32\Gangic32.exe

C:\Windows\SysWOW64\Ghhofmql.exe

C:\Windows\system32\Ghhofmql.exe

C:\Windows\SysWOW64\Gaqcoc32.exe

C:\Windows\system32\Gaqcoc32.exe

C:\Windows\SysWOW64\Glfhll32.exe

C:\Windows\system32\Glfhll32.exe

C:\Windows\SysWOW64\Gacpdbej.exe

C:\Windows\system32\Gacpdbej.exe

C:\Windows\SysWOW64\Geolea32.exe

C:\Windows\system32\Geolea32.exe

C:\Windows\SysWOW64\Gogangdc.exe

C:\Windows\system32\Gogangdc.exe

C:\Windows\SysWOW64\Gmjaic32.exe

C:\Windows\system32\Gmjaic32.exe

C:\Windows\SysWOW64\Hknach32.exe

C:\Windows\system32\Hknach32.exe

C:\Windows\SysWOW64\Hmlnoc32.exe

C:\Windows\system32\Hmlnoc32.exe

C:\Windows\SysWOW64\Hgdbhi32.exe

C:\Windows\system32\Hgdbhi32.exe

C:\Windows\SysWOW64\Hicodd32.exe

C:\Windows\system32\Hicodd32.exe

C:\Windows\SysWOW64\Hnojdcfi.exe

C:\Windows\system32\Hnojdcfi.exe

C:\Windows\SysWOW64\Hlakpp32.exe

C:\Windows\system32\Hlakpp32.exe

C:\Windows\SysWOW64\Hejoiedd.exe

C:\Windows\system32\Hejoiedd.exe

C:\Windows\SysWOW64\Hiekid32.exe

C:\Windows\system32\Hiekid32.exe

C:\Windows\SysWOW64\Hcnpbi32.exe

C:\Windows\system32\Hcnpbi32.exe

C:\Windows\SysWOW64\Hgilchkf.exe

C:\Windows\system32\Hgilchkf.exe

C:\Windows\SysWOW64\Hlfdkoin.exe

C:\Windows\system32\Hlfdkoin.exe

C:\Windows\SysWOW64\Hpapln32.exe

C:\Windows\system32\Hpapln32.exe

C:\Windows\SysWOW64\Hcplhi32.exe

C:\Windows\system32\Hcplhi32.exe

C:\Windows\SysWOW64\Hacmcfge.exe

C:\Windows\system32\Hacmcfge.exe

C:\Windows\SysWOW64\Hjjddchg.exe

C:\Windows\system32\Hjjddchg.exe

C:\Windows\SysWOW64\Hkkalk32.exe

C:\Windows\system32\Hkkalk32.exe

C:\Windows\SysWOW64\Hogmmjfo.exe

C:\Windows\system32\Hogmmjfo.exe

C:\Windows\SysWOW64\Iaeiieeb.exe

C:\Windows\system32\Iaeiieeb.exe

C:\Windows\SysWOW64\Idceea32.exe

C:\Windows\system32\Idceea32.exe

C:\Windows\SysWOW64\Ihoafpmp.exe

C:\Windows\system32\Ihoafpmp.exe

C:\Windows\SysWOW64\Ioijbj32.exe

C:\Windows\system32\Ioijbj32.exe

C:\Windows\SysWOW64\Iagfoe32.exe

C:\Windows\system32\Iagfoe32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 140

Network

N/A

Files

memory/620-0-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Eflgccbp.exe

MD5 b2c49247472a89e02862514172b6b763
SHA1 cbec9840c6c4995dcea02a41fa69ba8f935e27c3
SHA256 369ac473009b47fbc24c3afb1750d51934e6b7763ccff44854d5fe6b3bfd01f6
SHA512 ba070aa24f90d10f9c0b4c4bf0a799c8ac5335e4d3fa6bd7b2826246c157082761727c02029f8d7deb808142dded6c54dc9f5d1d7b5022e6e71c73da48761598

memory/2980-13-0x0000000000400000-0x0000000000442000-memory.dmp

memory/620-12-0x0000000000250000-0x0000000000292000-memory.dmp

\Windows\SysWOW64\Epdkli32.exe

MD5 b044626b38519e709473daab44c3cd8f
SHA1 6dea522945d03bfec85b53d2251f61d5b587a828
SHA256 afd09b2b2eb19cbd4581a2e18257a6b43d2db34f93eeb60dadab3dc67fa024d8
SHA512 ea402c7c4dd75762b8323e9bca85147c62db3bf3f4bb2f60e6d17b2d9e55bca967b01e75f2a1144a9216ae89cade36cdc9a484f607d421b845ef2f6ed208fae0

\Windows\SysWOW64\Ecpgmhai.exe

MD5 2f996c023564b8527af69c1cf008040a
SHA1 01f090244a5f6da2dedccd98f408cc65bfb2ffc3
SHA256 dc9f0d330e8142afd8f05ff1080124c78bd27179ae162072eafafecef5c24e90
SHA512 9fa6ee011fcb8f4dc076d0c922289a1b391165967b20fe4695b74f19389c632cdc5589dd6df906d4ca75999385dbcf9192aab7f13bf7b93f208e5dab57d89cbc

memory/2676-31-0x0000000000400000-0x0000000000442000-memory.dmp

\Windows\SysWOW64\Eilpeooq.exe

MD5 38580dbec5729b3a35290c869a632afa
SHA1 b1f0d91d8929b43cd32b0d4d2fa93605f827edb1
SHA256 d246ce3766052b5b5a74c4e165ea825fe5b29fcbb2ced5d063b0ce4bf30f1d5d
SHA512 29a405cd4123757baf0a32aa4c1125d9af170270db3fd42928c7eee435a4872745e229721b9635a2ed509a4aee8347e3a4243c63defd95afd493e9af395ba7c1

\Windows\SysWOW64\Emhlfmgj.exe

MD5 67bb068a8d0e0de77ed9fea426f89893
SHA1 e15135b5c2257e8447f00bb102fc4e2824a37017
SHA256 f8de25bc093152a2e090d505b71cc4574e3432633bc3f5b7162ef05d2204beb5
SHA512 8c7c23ea5cc5aa7c068bb4a2540d36b6eeaa25e5eef6f59395bdfbfaf860186ca66bca9a57f06da718fc9c0e50491530ea2e64401cd68a8ec4cbb7a6c592f368

memory/2496-58-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Kgcampld.dll

MD5 4d88155d91146492bc4e38f9ea84d13b
SHA1 0c12b948f6352381d5cc93b65ead8c5f4c3be7a6
SHA256 7afaff543021b3ee812f1cc0b6c86ab6a3091cc6febcbfb7e0aaae21542b13d0
SHA512 e1e0b5e34d131f6d1882fee2f0f9af689dad6244fbbfbe8eb9ea2a44e1ebd93ca185024ed2c84e2cd48d1fc8334211060d824fea8688e19a5a62a92832f50fa5

memory/2712-51-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2676-50-0x0000000000350000-0x0000000000392000-memory.dmp

memory/2656-66-0x0000000000400000-0x0000000000442000-memory.dmp

\Windows\SysWOW64\Eiomkn32.exe

MD5 32b00c67c315eff101fd8f3f3d8234e1
SHA1 30f8d8d4a1a838b3a77c7d553553f004fe460969
SHA256 144ca4785c542234e490233e4d2603d607b053bfad43cf5db2514caf40bac419
SHA512 1abbe46ca547e9a28572c81a2be0e2bc097cd6a3c5ac853591705957a5ca38ee47a31131951b6327d2d2565b94f462e4ea2688065849222d86517bf3a190d76e

\Windows\SysWOW64\Egamfkdh.exe

MD5 f1e2892a91eb53111daef8b5e3936d3e
SHA1 ee7614c602835f09a49607416d1133464939d769
SHA256 22a987a8622b23199990be8562f230683a741e33f5b314d5c6f026e287d17596
SHA512 58fd295b7c7274d668c2aa298b24c0afbe3cbef3088b263e91837ed1f16f26ee60f04a08ce068b1b0756547cd2e923e46a7b13572662245c23985e91554dfa6a

memory/1352-84-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2656-78-0x0000000000290000-0x00000000002D2000-memory.dmp

memory/752-98-0x0000000000400000-0x0000000000442000-memory.dmp

memory/752-101-0x00000000002D0000-0x0000000000312000-memory.dmp

\Windows\SysWOW64\Ebgacddo.exe

MD5 324bccc3440deefa3115d8cb6c447f8e
SHA1 0b680ffc08d5ec4ada55243996aa2045ee30f40f
SHA256 739df1e46e52bcbfa532d6e8685986b6e90dfa039a716f2b1f6ff8a6eae9a4da
SHA512 97a78fb66ab728f93c8cb1f501cb0b01d7161bf8e0488d63f53cd7b88937dee1f692ed2ca4d3d4fa49a3025041690dc02f6c56f5be826321373e3fa335f8e87a

memory/2636-111-0x0000000000400000-0x0000000000442000-memory.dmp

\Windows\SysWOW64\Eeempocb.exe

MD5 9ceb28aacdeb9d987bd8319e6fb037a9
SHA1 60c67fddc34806c35eeb12d2eed657c8c266ef1a
SHA256 fb9fe7a87e2c116c2db2c6957a6bdb4bd5c025df7f4eabb157855e070b380ab5
SHA512 1ab55b99e0aa1b9f41f1531ae9caffd8b6ee06485e08dcde491698d12919e8d13ca5f5fc961cd32f8dda60884bd1f4ab65054e2be6db04ac45adf948a2a1cb40

memory/608-121-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2636-119-0x0000000000310000-0x0000000000352000-memory.dmp

\Windows\SysWOW64\Ennaieib.exe

MD5 b3bf2da809423f2cc7e0bd47b2e5ac1f
SHA1 573906de217f8350411301e07ac60263c94a66ca
SHA256 df677977fa3234e1af41a89b48622396a4b40df5d60ccda8f38f28348db42a75
SHA512 a234cd5b3614a8c37fdd218148dfb2d2249429d1b7e5c777e48e21dfd7f495bec2dc8243b200d823f10d398cb3215a91ea4f957d7d932389fd60bcbbc1742188

memory/608-129-0x0000000000250000-0x0000000000292000-memory.dmp

memory/1576-140-0x0000000000400000-0x0000000000442000-memory.dmp

\Windows\SysWOW64\Fehjeo32.exe

MD5 546db29c7291649dfcfc29a226e77234
SHA1 4ede575b52560b96da629e9d4bdcc278d3c5efcb
SHA256 f8bffedc781ecd4b2462e93dcfd620378068b6a550dc69c6c28c76473fccff70
SHA512 c4aadf80eaf393e6532ed32957f6dd1508874a9afcf708a0f55aaf9a17b4111e9c4f10abd2b8b91a142a2f29edd1d553470ddfc03a9865d668e4d53a2b1ac661

memory/1436-148-0x0000000000400000-0x0000000000442000-memory.dmp

\Windows\SysWOW64\Fjdbnf32.exe

MD5 de3493c26697603cc08a720c54ce4bad
SHA1 3d5eb564153515d045bdf6c0270e746ab0eca394
SHA256 30b058b0b936207c07ab459d106fcbd99a23601624b916dafa0ac4af5c55a1dc
SHA512 7e2732516d4942087c54929d091e63707105629b89fa466260a79e242e9f953d766c3643c8e13e00a488d68127ec663a6ec3a735011d285acbe73193d0bc2f78

\Windows\SysWOW64\Fmcoja32.exe

MD5 972412d75e0a6419d4ef89ecb5d0027c
SHA1 6f8662cb12aa89ac3e20b648f569a1691ad023dc
SHA256 4dcf5080070edbfba2ef6361e9d1d32ec6df67987541675fc578eb5a569ecc65
SHA512 78cc349f10c36bb81d66273bcaba19fb16535ffd25375ae0bff180f37cdad07401f27bfbc78cd0e88400e84e460667acfa970f6df755042ee58dbb6f00d92f52

memory/1224-165-0x0000000000400000-0x0000000000442000-memory.dmp

memory/652-174-0x0000000000400000-0x0000000000442000-memory.dmp

\Windows\SysWOW64\Ffkcbgek.exe

MD5 c0ac47633a3c96974c678a3260a4d122
SHA1 556728b085fce57d76bf6a7271fc4bc2a4a9429a
SHA256 6f334cad7375aa7a8d3abff2dd756e02e149f90942327075c70c89ce1cf58890
SHA512 d82e612a913251b790a8d4815eb2398e134fd0f3e5b844096b7dacadea16a95af6f86ecf0217665bb3872e4ea23b0a77b15b3f6607abf1091cac572be25f4355

memory/2024-198-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2548-200-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Fnbkddem.exe

MD5 7e425626a7ac2a6bf66c2775ba593e51
SHA1 3875711778e2efeb1166ead10baf5152eaddd35b
SHA256 d46ec38fe47698e5c11a35a646f56197d51645268be35f77f404ff5fe3187f6c
SHA512 d1d7b9350363f2b49a777cb8e855462ad0b541ccd5809b9e48ced36b27d33acd8eb6b97d13f83269affb40f0e269d6465ddf94a00ec961b4e66c36c5af7a0b01

\Windows\SysWOW64\Fpdhklkl.exe

MD5 499e2a758e2413c1964325650944092f
SHA1 a92aeabe7452cec79c82070a5f3aa4a90a7ff148
SHA256 1beb144257c29451e642f5ca7bebff953db38863c20b9f19cc9ca09aff63d7d9
SHA512 69af484790ae7993df90cabd459baa72977450d6b13c35a2b2f9a35ba2e0d279fac6631cb8eb2a80726d190c7d88845a162ad25cc486ada60c6d288e73ea68df

memory/2228-218-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Fhkpmjln.exe

MD5 600b87c61560fceb96575484edb9bef7
SHA1 f62c475faf96952b40dd144930fec2b088dca100
SHA256 76ed5cc15278df27de3f61a511d7b9dbcd6f67734bbd10a4a171a59f04efa7d6
SHA512 762e8086f2136b4a76550a540de037d07004bd7475d13d5b37cd07d7892fd0f0c37bca65b57ad7f0d7bc50b1277a6c136690bd075947f73b6c83f4f7a12ff061

memory/2500-227-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2500-232-0x0000000000260000-0x00000000002A2000-memory.dmp

C:\Windows\SysWOW64\Fjilieka.exe

MD5 b2476f7b1b6935eacbec5f5e1db0e1ee
SHA1 645f885fe80bb4e7fe66dbc8ddc6ac945b28d07b
SHA256 61b992b201b1139897d632755c2dcd753464cb0f66fbe7c187d81b0695c85487
SHA512 4a8ff7fc28929083e3c54da53011ecd7c69dd57e814d8eae8e1991121b14b7e396c713c1d5579226b415d7d9c99b9f3df58d8f21eac47cf7ee38e1e8a83847dd

memory/2896-237-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Fmhheqje.exe

MD5 2e3af573203b02ef86bb34b36f4c1157
SHA1 68b6811d829539d8b125578d6a2cc23710d41e37
SHA256 0ee964e27737e96a92636a18b1a178386070b42d4b1b1efa20ac4d6b946170f0
SHA512 071f4db9bd1d72b72a55b0facff0504e163d5c4c0451de386860b1f2fc76546ba6ed2e5d6b0cd9cc084db878e2186aedb088c83f036f0f0b72ceb98c0a79ff9f

memory/1108-243-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2896-242-0x0000000000290000-0x00000000002D2000-memory.dmp

C:\Windows\SysWOW64\Ffpmnf32.exe

MD5 6da0e589f6d5f3f7a6b21fbf9d98bc85
SHA1 6b48014c9a775556e4fa4d32be90e515e2e44e2e
SHA256 6e7792597c872ece2b7fcfc96a1108da42dc0a0ee0bb12029e49c4a1450a6848
SHA512 937ccaab4b7cc962068a819dcd41daf9157744f2c3493be8231675a09df84ed140f6524c5d9acb87398626a735684b445883a85125ba3e627d36fe513ab3e512

memory/1108-252-0x0000000000300000-0x0000000000342000-memory.dmp

memory/2344-254-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1108-253-0x0000000000300000-0x0000000000342000-memory.dmp

memory/2344-260-0x0000000000250000-0x0000000000292000-memory.dmp

C:\Windows\SysWOW64\Fjlhneio.exe

MD5 8b8af12e1aad859b2de87ed5b62e45ca
SHA1 3033b0156f5b673ff0742e8e624b6e51ee5ec099
SHA256 15f7ee726513c15a9d540914351d61d8b9e309e1fba7cb8da82fef579fdee3a0
SHA512 44f2b70ef1b28a88f8daa8eb72e35bad7cd61d7ebfdc19586f323024b06fe277c7e1b25477b3f99faf6393ada284da5b5970921e83bba61de04e81ee40cd2d1c

memory/1948-265-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2344-264-0x0000000000250000-0x0000000000292000-memory.dmp

C:\Windows\SysWOW64\Fddmgjpo.exe

MD5 0ebbc0cd5ccc638dff8a81ed0c50f473
SHA1 1649a1a1ef8b65b69b997023abccd1ba402ac03c
SHA256 45b537455c2ca32dfa816cb427868a5d1e9e78110e1b5301d9f5be928748ab9b
SHA512 4ca90b2da258f143e842db98433021127f912e112c74a31e8f65b410a64a2a95ba988cdd75a3d5c98fd9b486d0ef5a9a4642fb8378cd38badf20768ea942fc88

memory/1588-285-0x00000000002A0000-0x00000000002E2000-memory.dmp

memory/112-287-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1588-286-0x00000000002A0000-0x00000000002E2000-memory.dmp

memory/1588-284-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1948-283-0x0000000000250000-0x0000000000292000-memory.dmp

memory/1948-282-0x0000000000250000-0x0000000000292000-memory.dmp

C:\Windows\SysWOW64\Fbgmbg32.exe

MD5 de51c85361e0191e6964f4b54c5e6341
SHA1 d2dc22f7094bc91a17c9bff55d43a47f9e04d40f
SHA256 fa254a0eeb4f2981e1d4999262f1d3e5008b56c4a4b23de2a8a3204e520f99fa
SHA512 c170de72b032870b2a3771d0da6d1149e7de13fc7d418e2c09a23758bd9cbaf149953971c0aac34660428074aa0c85a74b820e8eefc0757ff81bc66aee8fb575

memory/112-297-0x0000000000280000-0x00000000002C2000-memory.dmp

memory/112-296-0x0000000000280000-0x00000000002C2000-memory.dmp

C:\Windows\SysWOW64\Globlmmj.exe

MD5 433f6b149e145eb6c66c0b67dc79c24b
SHA1 b16e54a2e3a7c5ed86c3e8945d4dc17b2a5816fd
SHA256 fffc8b95cc3822a1b31787671b08362ef7d25a84332e7a5e4d5f143c3092e6c6
SHA512 d6f7266ff9d6672918a94746d4818e611e7fa5ba749e577ac43bdd290a2dc7862a0a03cea418c1919e544e94bce7e9044fff8429434257eecabfbe14a21853aa

memory/828-302-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Gpknlk32.exe

MD5 38b1ce3050abaec5b39ab208d9dd521e
SHA1 b6f4790c857acbaf970c92f90cd9eb9a234e1ae5
SHA256 de900d995dac83d1c460091c5e3ce711e6f8c1b30b714ff781aead4bd8056b37
SHA512 074b3b7553bb406322a2e34a63c7bc187f88daf5ba274a37f2b3c52fdd05c2f12f0d4d181b73dddcd7956717aa08513829d963d74eb9ed047ca1904e546fc012

memory/828-308-0x00000000002E0000-0x0000000000322000-memory.dmp

memory/1472-309-0x0000000000400000-0x0000000000442000-memory.dmp

memory/828-307-0x00000000002E0000-0x0000000000322000-memory.dmp

C:\Windows\SysWOW64\Gicbeald.exe

MD5 23e95b70c6156b55992e2b5ab2d1d827
SHA1 87b12af46770832237931e81632faddf7d669d29
SHA256 a4c40c0d42a5b2dbcce2392dfa75081cbcede64359a142adcf616c9233b7e66c
SHA512 ec6d54f173b00db7576edeb8c7737b721d6bdfd4ca40b371a0a359792c12c03c16437f6abc35770142ce671cd274fe77900895aa16aca065ab236b9f39f65c16

memory/1472-318-0x00000000002A0000-0x00000000002E2000-memory.dmp

memory/1472-319-0x00000000002A0000-0x00000000002E2000-memory.dmp

memory/1728-320-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1728-322-0x0000000000260000-0x00000000002A2000-memory.dmp

memory/1728-321-0x0000000000260000-0x00000000002A2000-memory.dmp

memory/1520-326-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Gangic32.exe

MD5 29b522d553aa5dea139437b0674ef04d
SHA1 0aa4812f04db839e188cc04e840068772af41902
SHA256 84f56f0d2073a960d6f6b66a85c74538472f7119504b4252de02bfca8c4051f7
SHA512 d86e8252cb425be0e3460f86c16bd13f6a5232c240306bdb8bee1b50e301b6471db418d61a748d55da81264b25c68b5df13b6edb17da26bb302c54f086b34c4f

memory/2744-340-0x0000000000450000-0x0000000000492000-memory.dmp

memory/2744-337-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1520-333-0x0000000000310000-0x0000000000352000-memory.dmp

memory/1520-332-0x0000000000310000-0x0000000000352000-memory.dmp

C:\Windows\SysWOW64\Ghhofmql.exe

MD5 67c236ac663596f27bf7e5e0933816ec
SHA1 a1237aceeebba828c50cc256a7b2c45276d27984
SHA256 57c258b58c1f8060b3d372b102b586442d5865b584e8d9ac5b2cbc0e1e85ffd4
SHA512 afc505e52ea9182a09d68e9937592e43b7f8ebb1c21943e1377fe7946861b0fd4dab47f96380d79002f04f2c62fa1b907f4e1852052ec680f5115e3f03f41871

memory/2604-345-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2744-344-0x0000000000450000-0x0000000000492000-memory.dmp

C:\Windows\SysWOW64\Gaqcoc32.exe

MD5 289f630af66ec82de65f71dee1a8af24
SHA1 b459dab4d7c01c8d124cfcd7ad8f482e8aa7e4da
SHA256 00f0691a059bd26e7f3861284a5c81123f5182efd0bff3b3582a7a8ecd0dc534
SHA512 a54f159ed54eca6433b6c3450fe1c48c5b6a2fd3cf4ace5fca20b41c6216cfb94031d974f9e5a016ab60c32f0f700386e21d08f2703553870786a9f93433041f

memory/2604-355-0x0000000000270000-0x00000000002B2000-memory.dmp

memory/2604-354-0x0000000000270000-0x00000000002B2000-memory.dmp

memory/2620-356-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2620-366-0x0000000000320000-0x0000000000362000-memory.dmp

memory/2620-365-0x0000000000320000-0x0000000000362000-memory.dmp

C:\Windows\SysWOW64\Glfhll32.exe

MD5 c33704ea2fef12633993845245e2e3d2
SHA1 81fdbabb0fce8ae3d6b19e1953fe4f42adf33ad9
SHA256 4548ba2c9068eb2d0e22573af831598069bc467bdfcefb200895ab9311b49ec1
SHA512 d98f604d57edb58e96a6d799f2e7fbeb6d7016c2bfd41abe1dc4b37a69d669ab0e306be703ae08cf6cc621c5918ca8a6283245902dd6dcce150b88e0798011c7

memory/2652-367-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Gacpdbej.exe

MD5 39b882a70ad5d88751c8ad825e68fd1c
SHA1 b18f7da07af22be93a648fff9c52e5ed37cea693
SHA256 ca95eacc871ebbc92b40942f8b1e67be855735ee189ee291b64e03f7ed90468f
SHA512 c53ccc5346c3d5a1a91d5e40bd5dce038031cca2192452fb3ade20ea904605c30161506a7162a9f9c56f138f93062c3fa82ef0f3bfa9460e465ddc5747beb0c7

memory/2460-388-0x0000000000310000-0x0000000000352000-memory.dmp

memory/2460-387-0x0000000000310000-0x0000000000352000-memory.dmp

memory/2460-386-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2652-385-0x0000000000280000-0x00000000002C2000-memory.dmp

memory/2652-384-0x0000000000280000-0x00000000002C2000-memory.dmp

C:\Windows\SysWOW64\Geolea32.exe

MD5 e53d41f16d3585f235c741ac624891a0
SHA1 55b4d7a3b2ec402c92c3c56187c1c075233e26bf
SHA256 2d3a9485889915943dae3d2bd204ab5b21c0bc8f0a543d7759c093b9d3d91543
SHA512 be8c3c576e4253bc222cd8b1f5b07a68add59a38548838936af1bf13394682739b875c1c92f1ccc021f8812dc9161a52615e158f1ccd44d8197ab9aa37a94f48

memory/2952-389-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Gogangdc.exe

MD5 6128a7f6e01114c316cc0cf34f299d77
SHA1 7175826d02fb4946db977ff3414a3cdbb3916f73
SHA256 0269de69f8aaf0d61fbac681c4b2cbf653237291b4b1eb879035805e666a8a92
SHA512 e4ba1a35f939e826187b24c3ca574b62103c04fa956ced28220ebc24e4a0f107ce014957862dd4d4cef665f332f8eff9b26d5e5a305fca5684279b520713075f

memory/2952-398-0x0000000000450000-0x0000000000492000-memory.dmp

memory/2952-399-0x0000000000450000-0x0000000000492000-memory.dmp

memory/2528-404-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Gmjaic32.exe

MD5 5595c2c96f06a3c300eaa3a840b8051a
SHA1 d1e7d4f935ab0c3a7164ed0ce1103c6054642129
SHA256 edb7de7ad540222557e56d2dab46a6f730e1a847fa1ce0c338314290bf4786a5
SHA512 36959d88191051cc8dbd7a53b8dd919ac0ee47420df862055bebb8600e45b0685cc9a588997a5810f3aa6e00285ceaac5564e19756eca339573507cbf8a271f1

memory/2520-412-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2528-411-0x0000000000290000-0x00000000002D2000-memory.dmp

memory/2528-410-0x0000000000290000-0x00000000002D2000-memory.dmp

memory/620-409-0x0000000000400000-0x0000000000442000-memory.dmp

memory/620-421-0x0000000000250000-0x0000000000292000-memory.dmp

memory/2980-422-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Hknach32.exe

MD5 54020b57427609b59c36607ca1c440e8
SHA1 6b17f05ae8c5c7851dce9e210befc8b4e52bd72c
SHA256 10536fd6582695111a42c37b1ac673157ca4014a370dbb7202eb368258cf27ff
SHA512 b8c421cc3c796fdb560603f0a18cf242d246d1a0f9b408655b0f76a466e9588a123ef998f649db3326effe2bcc297737369e4384b17f79497ab6e58f1851c87e

memory/2772-433-0x0000000000250000-0x0000000000292000-memory.dmp

memory/2772-432-0x0000000000250000-0x0000000000292000-memory.dmp

memory/2772-431-0x0000000000400000-0x0000000000442000-memory.dmp

memory/348-434-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Hmlnoc32.exe

MD5 b0cd98c2e9cc0b1764ee6cf13cd2fc9b
SHA1 0130f665618bd09f8a0d8eb7cc6fbd777b2737bf
SHA256 81ddd0f0507aad0be4dc449b967c3faaf4471efbbf15339584629cdd0a479513
SHA512 b3b8d8f2961c07c822a203a66929162ad1a5604236974c89599652b8484e8ff8149e2c4488811f2fe1332f061a50d9dbc8a013e9a7644d87dcdcbfe6468298cb

C:\Windows\SysWOW64\Hgdbhi32.exe

MD5 4d86532e7e225e0a8ac79c756ac41e05
SHA1 6b38c231fa1d69c1132b558addbc5c46585f1006
SHA256 7690a7fa25523a44480de8d53248f78d53333427ff1c11bdb50f4b102f563264
SHA512 eec43578bff4a34120f35637c272b1991a8960b908748925a48249d9f3fc801f59f7d5b2d2f02f8b8b80cbb2bc6648825a7ca65b31a730bdee199f19acd9ae05

memory/348-448-0x0000000000250000-0x0000000000292000-memory.dmp

C:\Windows\SysWOW64\Hicodd32.exe

MD5 ff5e9fef29e149b8de0610869a918f36
SHA1 8a6c45381ba3ef5a341893b5a943da286550db46
SHA256 67044c82227e5a6c1604aebea6b5b84e11cbbc44ad3085dbce2748e49fd26b6d
SHA512 aeb0ac5ca41d088e7d418b78fe1d8308d1b86571a3bc8a8264e5d90bd19fe3b6e9638be9e970269f8e7f0c3ca14d80871501a60432ce579a1d0e8883bf3e8f56

memory/2352-453-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2172-452-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Hnojdcfi.exe

MD5 d024b14e41ca8858d9b96e51eaf840f1
SHA1 c1b468ae9e41148ecfc671529920b6f39863dc45
SHA256 46c3af49a9e77a7608078a16590b5c5f8671f195f080a92de088168573327813
SHA512 a0b297397d38740d43f65b2e434418da49093076000e6fb09b7fb89dcd2292eac27d3d2be759e75897690bf1e1c44a158a72e3eb8fc09b6288678edc1b02a7b7

C:\Windows\SysWOW64\Hlakpp32.exe

MD5 0893410ec60c6c56c91db35a6101a174
SHA1 1abf8e4aea3d98f11bbfb7ea5b6847d1985912ae
SHA256 6dac40e86e44e283bf180475a97e62ed12150fdaadfc69b65e9db83d77fde573
SHA512 fe8f23b4bae38fccaeadb8f8256750d8fad55ddbd55f272b5cfc2f7de7e7a5709a7ea165a793a33e9afbf1ed94bfa908c057383e016457e437efaa26e5c85bac

memory/2168-472-0x00000000002F0000-0x0000000000332000-memory.dmp

memory/2168-471-0x00000000002F0000-0x0000000000332000-memory.dmp

memory/2168-470-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2020-473-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2656-482-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Hejoiedd.exe

MD5 8090fa575b98a37914439b93fc60b007
SHA1 19e07462fe2302d47ea2c0dc2140b3f645468679
SHA256 d6b6caa60525f750bdf80bad8389a8fde10b8577616d7425d748ec1cf4893f60
SHA512 2c33b04b74e03df1389da59e3d901884700a0b2796662e8aa735512cef3bcf8738b8f3686669124b6e4156c3c5e1c0d107f07a6a9a6c9e41f565d105c41b3263

memory/2920-486-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Hiekid32.exe

MD5 5c5b36cd1be0def94478ebdfaf98190d
SHA1 4eebf1dc0acd861c7b3fda5b86755b33f17eb7d8
SHA256 02b0ffa2780685a548b1a6298ec77b2178c13c4dd1157b5255532c005ee130df
SHA512 4ee2106ad8ccc4a56466a8837e613d6171131b74c81e880ff4f98046c52821f5fb6f07a4e0439c72b4a52a1bbd73dafff8ca17e84a543f1a47b26db0743904bc

memory/2836-493-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1352-492-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Hcnpbi32.exe

MD5 20571cbbaf69879fa6e892ceca3af640
SHA1 3d4fc0dedc5c8c3b33f014ab565e0aa88dfd38b8
SHA256 ae2ce08ffb9a7af6c780cfd6cf0f474868f3e4b076d388873716fa13b304f685
SHA512 45f52406c28ecbb9fd0fa36daf338f85456be1d3560da7b2fdf384954828c5a60b85aad9a2ad5d736e24b945515f2b2bfac8183a815ddeb6214eb9f1d53b4ce3

memory/2836-511-0x0000000000320000-0x0000000000362000-memory.dmp

memory/2836-510-0x0000000000320000-0x0000000000362000-memory.dmp

C:\Windows\SysWOW64\Hgilchkf.exe

MD5 87a2eef8f697c4b221022d6323061bab
SHA1 b7497a75b585c803d3d8c183e2b24b24353255dd
SHA256 7877fc1cde059367b9d261b147f057bda76790d4bd4465c9aa62e34dcbf76fe0
SHA512 f74ec1f41c0c391997a925a7c32c876c2409d8e40ccc1b446e1ae48334b3fe07e68dc69abdfbca484df69d2b0828a2a3c0a0cf7bb879916b7904b584ca8c4115

C:\Windows\SysWOW64\Hlfdkoin.exe

MD5 b22b6d5ed8c7826d2b9a0899eff8c657
SHA1 db5e0ec102017ef389353ab5ba2ccd28d5fb6b57
SHA256 4bdc8b6c0d827c886a516393d5b67480e59f186be43d6746f3531dda887c9141
SHA512 fdbd5e746b384c48a9feba2e9d191547e307991d0147bb23d219bad2a9536d99a16d98b5250aeafe34395159d4df3859854438393700f176dd6f6adf21db1296

C:\Windows\SysWOW64\Hcplhi32.exe

MD5 24b1b522b829b747922129a7e97b4244
SHA1 4ecbbc4b9b9e7ff8bf0a8f41cc33bad2870150c9
SHA256 778452c1e7e66adf8d534ba694e36c71ae4bc33c13d961313fbfdca9fa08cc09
SHA512 885d32660c873078fdd7965c894375509d8c7e1c9c74bf0e7ee5853eccbe33ec8335de8b96ae00e03cab8752f9052cf6019cd374705ad13afcd9b52766409701

C:\Windows\SysWOW64\Hpapln32.exe

MD5 54e45eade8ddfae75c6a4adc691f33ff
SHA1 892ff3a5ec6d0558444592457a061a20f904021d
SHA256 244d18bd1738b10bbcd402368044e03e5536858198b0871db1bfb45111f97f81
SHA512 4024afbb7a187b039ccfb38fc43bb80de98ce55c94d50dfbdc656200e70bb1f5e84d4a457659cb712b50638bea4d7812de080a5c35c03de9d7c82d469f3e7fee

C:\Windows\SysWOW64\Hacmcfge.exe

MD5 0b38706909302abe74fe1598d290a23f
SHA1 404d724193d993fd2ccad648fa0a02057ad69c7a
SHA256 cf88ed95ae2cbac87a1af0e75e6a073bdec486522437e63c07b22004fd223df0
SHA512 82318577a961c39bd6deebeb1b4fe8ad958cbc4c2ed73ba47cbdf9519364299e496dd4204ce470700021e5889a88b43039e3574429f359c2334e9eabd8189b46

C:\Windows\SysWOW64\Hjjddchg.exe

MD5 9026a6da43c70faec3bf8a0f5ebcc7be
SHA1 8e375ea50fe81a6cf27d7ff4875bfab98db7e309
SHA256 0e505afd6f6e507d6e8321caf33d8c917428756303933a05c5586084aa003f43
SHA512 dd228c7fe89d9ad12f0a41409cfaf1b8ece2eaa42aa5b627ef0cce0abdc78badc9d13cccdf766c3bad5f36da572cc0ae9ed42f6536c0336be9fb3e8083acdf18

C:\Windows\SysWOW64\Hkkalk32.exe

MD5 eccd192e0e1eef8eb6baee8a900016fc
SHA1 989612c71c1d6c6c02503751020a3573ce833029
SHA256 0af3ac5c40a22d036fb98239e1298018a6140db47dc655fd63e44eaf230087cd
SHA512 38f373522196c330d20f198fd8ad5b9a0d6f171979f85a53ce790d33547187c6ceca5872a7b23483fd184c85b4f276035388abd89b392eb75a9b34fcd847a2d7

C:\Windows\SysWOW64\Hogmmjfo.exe

MD5 f60a2cb136d7ddd5adbe110860633bbf
SHA1 fc2e90be7909eccf07a8a03df3647dbe13c75b5c
SHA256 d663e221e6a3e9f3732ae245c40880e32346f69a5dbadc8c4c4c27a7e32985d7
SHA512 5d07ecb5578ed9967858aa8b49d5e32893c55455e605c073e5da74936c0ac6b1b0034f6439cfc57b39200e05597795c28f174705e7dd3fb3c958224e09887166

C:\Windows\SysWOW64\Iaeiieeb.exe

MD5 cfe2d735a4622c7992b3818769b61ff5
SHA1 8c067dfdc50d6b4b11a26efeccc740824d14a5c7
SHA256 93a89d8e5cda24f4a0f91bac5d959b61020831129c7110ac72bf12e94aad4c61
SHA512 2426c07d1c87fd7150e24ba328b63b8f0ef5ffb0656874f97c6008e399e742586282d02f8d802581fd7b0707f4d8fdb17c84d3973c0fe1d5da540a418aee0c9c

C:\Windows\SysWOW64\Idceea32.exe

MD5 67c659b88280e4c18f7436b7e628ced2
SHA1 0b2adebb23c7915715a9ea333972c8892f122337
SHA256 a8feb828483bb5ee1d1921642f400a02a2408e834847a35ece3cbf5efdc1d122
SHA512 1230548228a6202347e288da00a2ab07693f76e9d085e9c6399433e51e29970803204ddaad7fd8a973eeffb800cf07624e5472f3216cddc2d83da0411f5523ed

C:\Windows\SysWOW64\Ihoafpmp.exe

MD5 6ee97456b297e6383dd1ec7a59bc5fcd
SHA1 0e51a57da8c6e25bb13cdda7fcc27dd610b176c9
SHA256 9fd2ff6d4796498bf8873a48d2aa0ed510a2e8ddf65a0899ec56781a80761981
SHA512 4b630018b765b75da449fb71938fa5193e3944159badef980bdb33c89e362e7dca4fcacd32000fec83a95f790a393a190a794f46fa6732873536de02bbb3ba04

C:\Windows\SysWOW64\Ioijbj32.exe

MD5 7562aaa038786482d2f594136e151fd8
SHA1 98a897d0cfe3439ceaae2607b24a87d4fb19f887
SHA256 00f4e2710c3be52414586bdf8d529bd6e47f76c03eba696276fa497456dd1e79
SHA512 823e88fd78a01340d1859bb1929dcbeb7ba8fc11dc1fa1dbc61a581c1d3ce65d44cf650149535dd63b7aba3af2ce2f72e8dfcc0a41787120d2917f5aed5c51b6

C:\Windows\SysWOW64\Iagfoe32.exe

MD5 426685d859a849caef7c905570d3e54e
SHA1 3a202ec244a6a93651743774f9747e9a78da5a70
SHA256 210acc22f285ec7a5346cc0c4580880e9193bbb721838d6b56e77cb9e2432dfc
SHA512 0e88c0c11eece9eac45563bd3ed897ed62867ec7bf927d6c41ba14ca4a8197203145a23d18e571ba46d758330e69e655796c2c0201982c29d52b641ac67bfc24

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 02:47

Reported

2024-06-13 02:50

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\586501eefb385abef3305e5060b47100_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Nphhmj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bfhhoi32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bjghpn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ceaehfjj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dlijfneg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kbhoqj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Kbhoqj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bgehcmmm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Pjmlbbdg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bnlnon32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gdhmnlcj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Melnob32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Blfdia32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jimekgff.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Aelcfilb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ghlcnk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Icgjmapi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bjmnoi32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dknpmdfc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qkmhlekj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Demecd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dhpjkojk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dahode32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Fhjfhl32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jlnnmb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oneklm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cabfga32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Daconoae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ndghmo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Balfaiil.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Doeiljfn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Lbdolh32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Miemjaci.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Pfolbmje.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pmidog32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aepefb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Chagok32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Nnmopdep.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ngedij32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Baaplhef.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dccbbhld.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Eefhjc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Elgfgl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jpnchp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Kbceejpf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bapiabak.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Daqbip32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Okhfjh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Oqdoboli.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eoaihhlp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fbnafb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Flceckoj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gdcdbl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jblpek32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kikame32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Nggjdc32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cdcoim32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cjmgfgdf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pcojkhap.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jpgmha32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Lpebpm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hcmgfbhd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Opdghh32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qffbbldm.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Mcbahlip.exe N/A
N/A N/A C:\Windows\SysWOW64\Njljefql.exe N/A
N/A N/A C:\Windows\SysWOW64\Nqfbaq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nceonl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Njogjfoj.exe N/A
N/A N/A C:\Windows\SysWOW64\Nafokcol.exe N/A
N/A N/A C:\Windows\SysWOW64\Nddkgonp.exe N/A
N/A N/A C:\Windows\SysWOW64\Nkncdifl.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnmopdep.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndghmo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngedij32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nkqpjidj.exe N/A
N/A N/A C:\Windows\SysWOW64\Nqmhbpba.exe N/A
N/A N/A C:\Windows\SysWOW64\Nggqoj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Njfmke32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndkahnhh.exe N/A
N/A N/A C:\Windows\SysWOW64\Ogjmdigk.exe N/A
N/A N/A C:\Windows\SysWOW64\Ondeac32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oqbamo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Okhfjh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oqdoboli.exe N/A
N/A N/A C:\Windows\SysWOW64\Onholckc.exe N/A
N/A N/A C:\Windows\SysWOW64\Odbgim32.exe N/A
N/A N/A C:\Windows\SysWOW64\Obfhba32.exe N/A
N/A N/A C:\Windows\SysWOW64\Okolkg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oqkdcn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pnpemb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pclneicb.exe N/A
N/A N/A C:\Windows\SysWOW64\Pbmncp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pcojkhap.exe N/A
N/A N/A C:\Windows\SysWOW64\Pabkdmpi.exe N/A
N/A N/A C:\Windows\SysWOW64\Pnfkma32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pcccfh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjmlbbdg.exe N/A
N/A N/A C:\Windows\SysWOW64\Pagdol32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qgallfcq.exe N/A
N/A N/A C:\Windows\SysWOW64\Qkmhlekj.exe N/A
N/A N/A C:\Windows\SysWOW64\Qnkdhpjn.exe N/A
N/A N/A C:\Windows\SysWOW64\Qeemej32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qjbena32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aegikj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Acjjfggb.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajdbcano.exe N/A
N/A N/A C:\Windows\SysWOW64\Aejfpjne.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahhblemi.exe N/A
N/A N/A C:\Windows\SysWOW64\Anbkio32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aelcfilb.exe N/A
N/A N/A C:\Windows\SysWOW64\Alfkbc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Abpcon32.exe N/A
N/A N/A C:\Windows\SysWOW64\Adapgfqj.exe N/A
N/A N/A C:\Windows\SysWOW64\Angddopp.exe N/A
N/A N/A C:\Windows\SysWOW64\Abbpem32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahoimd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aniajnnn.exe N/A
N/A N/A C:\Windows\SysWOW64\Becifhfj.exe N/A
N/A N/A C:\Windows\SysWOW64\Blmacb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnlnon32.exe N/A
N/A N/A C:\Windows\SysWOW64\Beeflhdh.exe N/A
N/A N/A C:\Windows\SysWOW64\Blpnib32.exe N/A
N/A N/A C:\Windows\SysWOW64\Balfaiil.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdkcmdhp.exe N/A
N/A N/A C:\Windows\SysWOW64\Bopgjmhe.exe N/A
N/A N/A C:\Windows\SysWOW64\Bblckl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Baocghgi.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Hikhen32.dll C:\Windows\SysWOW64\Ghlcnk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jlnnmb32.exe C:\Windows\SysWOW64\Jioaqfcc.exe N/A
File opened for modification C:\Windows\SysWOW64\Cjbpaf32.exe C:\Windows\SysWOW64\Cdhhdlid.exe N/A
File opened for modification C:\Windows\SysWOW64\Ogjmdigk.exe C:\Windows\SysWOW64\Ndkahnhh.exe N/A
File opened for modification C:\Windows\SysWOW64\Cojjqlpk.exe C:\Windows\SysWOW64\Chpada32.exe N/A
File created C:\Windows\SysWOW64\Hflcbngh.exe C:\Windows\SysWOW64\Hcmgfbhd.exe N/A
File created C:\Windows\SysWOW64\Njefqo32.exe C:\Windows\SysWOW64\Nggjdc32.exe N/A
File created C:\Windows\SysWOW64\Aoqimi32.dll C:\Windows\SysWOW64\Qddfkd32.exe N/A
File created C:\Windows\SysWOW64\Cjbpaf32.exe C:\Windows\SysWOW64\Cdhhdlid.exe N/A
File opened for modification C:\Windows\SysWOW64\Nkncdifl.exe C:\Windows\SysWOW64\Nddkgonp.exe N/A
File opened for modification C:\Windows\SysWOW64\Cacmah32.exe C:\Windows\SysWOW64\Boepel32.exe N/A
File created C:\Windows\SysWOW64\Lekehdgp.exe C:\Windows\SysWOW64\Lbmhlihl.exe N/A
File created C:\Windows\SysWOW64\Neeqea32.exe C:\Windows\SysWOW64\Ncfdie32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ofnckp32.exe C:\Windows\SysWOW64\Opakbi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Melnob32.exe C:\Windows\SysWOW64\Mcmabg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Olmeci32.exe C:\Windows\SysWOW64\Ojoign32.exe N/A
File opened for modification C:\Windows\SysWOW64\Anogiicl.exe C:\Windows\SysWOW64\Afhohlbj.exe N/A
File created C:\Windows\SysWOW64\Phfkqkek.dll C:\Windows\SysWOW64\Aelcfilb.exe N/A
File created C:\Windows\SysWOW64\Ednaqo32.exe C:\Windows\SysWOW64\Eapedd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ehnglm32.exe C:\Windows\SysWOW64\Eadopc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fcmnpe32.exe C:\Windows\SysWOW64\Flceckoj.exe N/A
File created C:\Windows\SysWOW64\Bdkfmkdc.dll C:\Windows\SysWOW64\Klqcioba.exe N/A
File opened for modification C:\Windows\SysWOW64\Afmhck32.exe C:\Windows\SysWOW64\Aeklkchg.exe N/A
File created C:\Windows\SysWOW64\Mkfdhbpg.dll C:\Windows\SysWOW64\Bclhhnca.exe N/A
File created C:\Windows\SysWOW64\Cmqmma32.exe C:\Windows\SysWOW64\Cjbpaf32.exe N/A
File created C:\Windows\SysWOW64\Ceaehfjj.exe C:\Windows\SysWOW64\Cklaknjd.exe N/A
File created C:\Windows\SysWOW64\Chdkoa32.exe C:\Windows\SysWOW64\Cbgbgj32.exe N/A
File created C:\Windows\SysWOW64\Clbceo32.exe C:\Windows\SysWOW64\Camphf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mplhql32.exe C:\Windows\SysWOW64\Mmnldp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bnhjohkb.exe C:\Windows\SysWOW64\Bjmnoi32.exe N/A
File created C:\Windows\SysWOW64\Alfkbc32.exe C:\Windows\SysWOW64\Aelcfilb.exe N/A
File opened for modification C:\Windows\SysWOW64\Gfgjgo32.exe C:\Windows\SysWOW64\Gcimkc32.exe N/A
File created C:\Windows\SysWOW64\Gifhkeje.dll C:\Windows\SysWOW64\Daconoae.exe N/A
File opened for modification C:\Windows\SysWOW64\Imoneg32.exe C:\Windows\SysWOW64\Ifefimom.exe N/A
File created C:\Windows\SysWOW64\Mbfkbhpa.exe C:\Windows\SysWOW64\Lphoelqn.exe N/A
File created C:\Windows\SysWOW64\Pgnilpah.exe C:\Windows\SysWOW64\Pdpmpdbd.exe N/A
File opened for modification C:\Windows\SysWOW64\Kipkhdeq.exe C:\Windows\SysWOW64\Kbfbkj32.exe N/A
File created C:\Windows\SysWOW64\Mnkhmbin.dll C:\Windows\SysWOW64\Miemjaci.exe N/A
File opened for modification C:\Windows\SysWOW64\Dobfld32.exe C:\Windows\SysWOW64\Dfknkg32.exe N/A
File created C:\Windows\SysWOW64\Ehjgecbe.dll C:\Windows\SysWOW64\Pnfkma32.exe N/A
File created C:\Windows\SysWOW64\Pagdol32.exe C:\Windows\SysWOW64\Pjmlbbdg.exe N/A
File created C:\Windows\SysWOW64\Echknh32.exe C:\Windows\SysWOW64\Ekacmjgl.exe N/A
File created C:\Windows\SysWOW64\Anogiicl.exe C:\Windows\SysWOW64\Afhohlbj.exe N/A
File created C:\Windows\SysWOW64\Chjaol32.exe C:\Windows\SysWOW64\Bapiabak.exe N/A
File created C:\Windows\SysWOW64\Acjjfggb.exe C:\Windows\SysWOW64\Aegikj32.exe N/A
File created C:\Windows\SysWOW64\Beeflhdh.exe C:\Windows\SysWOW64\Bnlnon32.exe N/A
File opened for modification C:\Windows\SysWOW64\Clbceo32.exe C:\Windows\SysWOW64\Camphf32.exe N/A
File created C:\Windows\SysWOW64\Onhhamgg.exe C:\Windows\SysWOW64\Ognpebpj.exe N/A
File opened for modification C:\Windows\SysWOW64\Pagdol32.exe C:\Windows\SysWOW64\Pjmlbbdg.exe N/A
File created C:\Windows\SysWOW64\Icgjmapi.exe C:\Windows\SysWOW64\Ikpaldog.exe N/A
File opened for modification C:\Windows\SysWOW64\Jcbihpel.exe C:\Windows\SysWOW64\Jpgmha32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nphhmj32.exe C:\Windows\SysWOW64\Nnjlpo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Agglboim.exe C:\Windows\SysWOW64\Anogiicl.exe N/A
File opened for modification C:\Windows\SysWOW64\Ndkahnhh.exe C:\Windows\SysWOW64\Njfmke32.exe N/A
File created C:\Windows\SysWOW64\Fcfhof32.exe C:\Windows\SysWOW64\Fkopnh32.exe N/A
File created C:\Windows\SysWOW64\Fakdpb32.exe C:\Windows\SysWOW64\Fomhdg32.exe N/A
File created C:\Windows\SysWOW64\Mpnaemnl.dll C:\Windows\SysWOW64\Hoiafcic.exe N/A
File opened for modification C:\Windows\SysWOW64\Miemjaci.exe C:\Windows\SysWOW64\Mgfqmfde.exe N/A
File created C:\Windows\SysWOW64\Lhibca32.dll C:\Windows\SysWOW64\Okolkg32.exe N/A
File created C:\Windows\SysWOW64\Gaelmc32.dll C:\Windows\SysWOW64\Angddopp.exe N/A
File created C:\Windows\SysWOW64\Ohjgdmkj.dll C:\Windows\SysWOW64\Flceckoj.exe N/A
File created C:\Windows\SysWOW64\Ijlbqboa.dll C:\Windows\SysWOW64\Hihbijhn.exe N/A
File opened for modification C:\Windows\SysWOW64\Hflcbngh.exe C:\Windows\SysWOW64\Hcmgfbhd.exe N/A
File opened for modification C:\Windows\SysWOW64\Oqkdcn32.exe C:\Windows\SysWOW64\Okolkg32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dmllipeg.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Nceonl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipeomnnj.dll" C:\Windows\SysWOW64\Fbnafb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ofeilobp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll" C:\Windows\SysWOW64\Cajlhqjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pbmncp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Abbpem32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ecoangbg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Jianff32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffhoqj32.dll" C:\Windows\SysWOW64\Kfoafi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dknpmdfc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dahode32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Gbdgfa32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Llcpoo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcjpfk32.dll" C:\Windows\SysWOW64\Lgmngglp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Andqdh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pcojkhap.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll" C:\Windows\SysWOW64\Dfknkg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Acjjfggb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aejfpjne.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ahoimd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocdfloja.dll" C:\Windows\SysWOW64\Kboljk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll" C:\Windows\SysWOW64\Bnhjohkb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjoheljj.dll" C:\Windows\SysWOW64\Pabkdmpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnaendmh.dll" C:\Windows\SysWOW64\Bjghpn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpcqcc32.dll" C:\Windows\SysWOW64\Hflcbngh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll" C:\Windows\SysWOW64\Cmlcbbcj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Angddopp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll" C:\Windows\SysWOW64\Dfiafg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pnfkma32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Deanodkh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Himldi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khchklef.dll" C:\Windows\SysWOW64\Jpnchp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Chagok32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bapolp32.dll" C:\Windows\SysWOW64\Deanodkh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Llemdo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohkhqj32.dll" C:\Windows\SysWOW64\Lphoelqn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll" C:\Windows\SysWOW64\Andqdh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Nilcjp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmphmhjc.dll" C:\Windows\SysWOW64\Pgnilpah.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dfknkg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Alfkbc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijcoimpn.dll" C:\Windows\SysWOW64\Gbdgfa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lekehdgp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Llemdo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Mcmabg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Npfkgjdn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Eefhjc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Elbmlmml.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Eadopc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hfnphn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmgladp.dll" C:\Windows\SysWOW64\Npfkgjdn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cacmah32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cbgbgj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dahode32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Opakbi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll" C:\Windows\SysWOW64\Nceonl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ehnglm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Pcijeb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gkaejf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Gfngap32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Hkikkeeo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Icifbang.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll" C:\Windows\SysWOW64\Baicac32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phkjck32.dll" C:\Windows\SysWOW64\Lingibiq.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4816 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\586501eefb385abef3305e5060b47100_NeikiAnalytics.exe C:\Windows\SysWOW64\Mcbahlip.exe
PID 4816 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\586501eefb385abef3305e5060b47100_NeikiAnalytics.exe C:\Windows\SysWOW64\Mcbahlip.exe
PID 4816 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\586501eefb385abef3305e5060b47100_NeikiAnalytics.exe C:\Windows\SysWOW64\Mcbahlip.exe
PID 3924 wrote to memory of 3336 N/A C:\Windows\SysWOW64\Mcbahlip.exe C:\Windows\SysWOW64\Njljefql.exe
PID 3924 wrote to memory of 3336 N/A C:\Windows\SysWOW64\Mcbahlip.exe C:\Windows\SysWOW64\Njljefql.exe
PID 3924 wrote to memory of 3336 N/A C:\Windows\SysWOW64\Mcbahlip.exe C:\Windows\SysWOW64\Njljefql.exe
PID 3336 wrote to memory of 824 N/A C:\Windows\SysWOW64\Njljefql.exe C:\Windows\SysWOW64\Nqfbaq32.exe
PID 3336 wrote to memory of 824 N/A C:\Windows\SysWOW64\Njljefql.exe C:\Windows\SysWOW64\Nqfbaq32.exe
PID 3336 wrote to memory of 824 N/A C:\Windows\SysWOW64\Njljefql.exe C:\Windows\SysWOW64\Nqfbaq32.exe
PID 824 wrote to memory of 876 N/A C:\Windows\SysWOW64\Nqfbaq32.exe C:\Windows\SysWOW64\Nceonl32.exe
PID 824 wrote to memory of 876 N/A C:\Windows\SysWOW64\Nqfbaq32.exe C:\Windows\SysWOW64\Nceonl32.exe
PID 824 wrote to memory of 876 N/A C:\Windows\SysWOW64\Nqfbaq32.exe C:\Windows\SysWOW64\Nceonl32.exe
PID 876 wrote to memory of 1712 N/A C:\Windows\SysWOW64\Nceonl32.exe C:\Windows\SysWOW64\Njogjfoj.exe
PID 876 wrote to memory of 1712 N/A C:\Windows\SysWOW64\Nceonl32.exe C:\Windows\SysWOW64\Njogjfoj.exe
PID 876 wrote to memory of 1712 N/A C:\Windows\SysWOW64\Nceonl32.exe C:\Windows\SysWOW64\Njogjfoj.exe
PID 1712 wrote to memory of 2000 N/A C:\Windows\SysWOW64\Njogjfoj.exe C:\Windows\SysWOW64\Nafokcol.exe
PID 1712 wrote to memory of 2000 N/A C:\Windows\SysWOW64\Njogjfoj.exe C:\Windows\SysWOW64\Nafokcol.exe
PID 1712 wrote to memory of 2000 N/A C:\Windows\SysWOW64\Njogjfoj.exe C:\Windows\SysWOW64\Nafokcol.exe
PID 2000 wrote to memory of 2292 N/A C:\Windows\SysWOW64\Nafokcol.exe C:\Windows\SysWOW64\Nddkgonp.exe
PID 2000 wrote to memory of 2292 N/A C:\Windows\SysWOW64\Nafokcol.exe C:\Windows\SysWOW64\Nddkgonp.exe
PID 2000 wrote to memory of 2292 N/A C:\Windows\SysWOW64\Nafokcol.exe C:\Windows\SysWOW64\Nddkgonp.exe
PID 2292 wrote to memory of 4048 N/A C:\Windows\SysWOW64\Nddkgonp.exe C:\Windows\SysWOW64\Nkncdifl.exe
PID 2292 wrote to memory of 4048 N/A C:\Windows\SysWOW64\Nddkgonp.exe C:\Windows\SysWOW64\Nkncdifl.exe
PID 2292 wrote to memory of 4048 N/A C:\Windows\SysWOW64\Nddkgonp.exe C:\Windows\SysWOW64\Nkncdifl.exe
PID 4048 wrote to memory of 2676 N/A C:\Windows\SysWOW64\Nkncdifl.exe C:\Windows\SysWOW64\Nnmopdep.exe
PID 4048 wrote to memory of 2676 N/A C:\Windows\SysWOW64\Nkncdifl.exe C:\Windows\SysWOW64\Nnmopdep.exe
PID 4048 wrote to memory of 2676 N/A C:\Windows\SysWOW64\Nkncdifl.exe C:\Windows\SysWOW64\Nnmopdep.exe
PID 2676 wrote to memory of 412 N/A C:\Windows\SysWOW64\Nnmopdep.exe C:\Windows\SysWOW64\Ndghmo32.exe
PID 2676 wrote to memory of 412 N/A C:\Windows\SysWOW64\Nnmopdep.exe C:\Windows\SysWOW64\Ndghmo32.exe
PID 2676 wrote to memory of 412 N/A C:\Windows\SysWOW64\Nnmopdep.exe C:\Windows\SysWOW64\Ndghmo32.exe
PID 412 wrote to memory of 1628 N/A C:\Windows\SysWOW64\Ndghmo32.exe C:\Windows\SysWOW64\Ngedij32.exe
PID 412 wrote to memory of 1628 N/A C:\Windows\SysWOW64\Ndghmo32.exe C:\Windows\SysWOW64\Ngedij32.exe
PID 412 wrote to memory of 1628 N/A C:\Windows\SysWOW64\Ndghmo32.exe C:\Windows\SysWOW64\Ngedij32.exe
PID 1628 wrote to memory of 3392 N/A C:\Windows\SysWOW64\Ngedij32.exe C:\Windows\SysWOW64\Nkqpjidj.exe
PID 1628 wrote to memory of 3392 N/A C:\Windows\SysWOW64\Ngedij32.exe C:\Windows\SysWOW64\Nkqpjidj.exe
PID 1628 wrote to memory of 3392 N/A C:\Windows\SysWOW64\Ngedij32.exe C:\Windows\SysWOW64\Nkqpjidj.exe
PID 3392 wrote to memory of 1984 N/A C:\Windows\SysWOW64\Nkqpjidj.exe C:\Windows\SysWOW64\Nqmhbpba.exe
PID 3392 wrote to memory of 1984 N/A C:\Windows\SysWOW64\Nkqpjidj.exe C:\Windows\SysWOW64\Nqmhbpba.exe
PID 3392 wrote to memory of 1984 N/A C:\Windows\SysWOW64\Nkqpjidj.exe C:\Windows\SysWOW64\Nqmhbpba.exe
PID 1984 wrote to memory of 2916 N/A C:\Windows\SysWOW64\Nqmhbpba.exe C:\Windows\SysWOW64\Nggqoj32.exe
PID 1984 wrote to memory of 2916 N/A C:\Windows\SysWOW64\Nqmhbpba.exe C:\Windows\SysWOW64\Nggqoj32.exe
PID 1984 wrote to memory of 2916 N/A C:\Windows\SysWOW64\Nqmhbpba.exe C:\Windows\SysWOW64\Nggqoj32.exe
PID 2916 wrote to memory of 1928 N/A C:\Windows\SysWOW64\Nggqoj32.exe C:\Windows\SysWOW64\Njfmke32.exe
PID 2916 wrote to memory of 1928 N/A C:\Windows\SysWOW64\Nggqoj32.exe C:\Windows\SysWOW64\Njfmke32.exe
PID 2916 wrote to memory of 1928 N/A C:\Windows\SysWOW64\Nggqoj32.exe C:\Windows\SysWOW64\Njfmke32.exe
PID 1928 wrote to memory of 3160 N/A C:\Windows\SysWOW64\Njfmke32.exe C:\Windows\SysWOW64\Ndkahnhh.exe
PID 1928 wrote to memory of 3160 N/A C:\Windows\SysWOW64\Njfmke32.exe C:\Windows\SysWOW64\Ndkahnhh.exe
PID 1928 wrote to memory of 3160 N/A C:\Windows\SysWOW64\Njfmke32.exe C:\Windows\SysWOW64\Ndkahnhh.exe
PID 3160 wrote to memory of 432 N/A C:\Windows\SysWOW64\Ndkahnhh.exe C:\Windows\SysWOW64\Ogjmdigk.exe
PID 3160 wrote to memory of 432 N/A C:\Windows\SysWOW64\Ndkahnhh.exe C:\Windows\SysWOW64\Ogjmdigk.exe
PID 3160 wrote to memory of 432 N/A C:\Windows\SysWOW64\Ndkahnhh.exe C:\Windows\SysWOW64\Ogjmdigk.exe
PID 432 wrote to memory of 3532 N/A C:\Windows\SysWOW64\Ogjmdigk.exe C:\Windows\SysWOW64\Ondeac32.exe
PID 432 wrote to memory of 3532 N/A C:\Windows\SysWOW64\Ogjmdigk.exe C:\Windows\SysWOW64\Ondeac32.exe
PID 432 wrote to memory of 3532 N/A C:\Windows\SysWOW64\Ogjmdigk.exe C:\Windows\SysWOW64\Ondeac32.exe
PID 3532 wrote to memory of 4492 N/A C:\Windows\SysWOW64\Ondeac32.exe C:\Windows\SysWOW64\Oqbamo32.exe
PID 3532 wrote to memory of 4492 N/A C:\Windows\SysWOW64\Ondeac32.exe C:\Windows\SysWOW64\Oqbamo32.exe
PID 3532 wrote to memory of 4492 N/A C:\Windows\SysWOW64\Ondeac32.exe C:\Windows\SysWOW64\Oqbamo32.exe
PID 4492 wrote to memory of 2172 N/A C:\Windows\SysWOW64\Oqbamo32.exe C:\Windows\SysWOW64\Okhfjh32.exe
PID 4492 wrote to memory of 2172 N/A C:\Windows\SysWOW64\Oqbamo32.exe C:\Windows\SysWOW64\Okhfjh32.exe
PID 4492 wrote to memory of 2172 N/A C:\Windows\SysWOW64\Oqbamo32.exe C:\Windows\SysWOW64\Okhfjh32.exe
PID 2172 wrote to memory of 968 N/A C:\Windows\SysWOW64\Okhfjh32.exe C:\Windows\SysWOW64\Oqdoboli.exe
PID 2172 wrote to memory of 968 N/A C:\Windows\SysWOW64\Okhfjh32.exe C:\Windows\SysWOW64\Oqdoboli.exe
PID 2172 wrote to memory of 968 N/A C:\Windows\SysWOW64\Okhfjh32.exe C:\Windows\SysWOW64\Oqdoboli.exe
PID 968 wrote to memory of 4580 N/A C:\Windows\SysWOW64\Oqdoboli.exe C:\Windows\SysWOW64\Onholckc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\586501eefb385abef3305e5060b47100_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\586501eefb385abef3305e5060b47100_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Mcbahlip.exe

C:\Windows\system32\Mcbahlip.exe

C:\Windows\SysWOW64\Njljefql.exe

C:\Windows\system32\Njljefql.exe

C:\Windows\SysWOW64\Nqfbaq32.exe

C:\Windows\system32\Nqfbaq32.exe

C:\Windows\SysWOW64\Nceonl32.exe

C:\Windows\system32\Nceonl32.exe

C:\Windows\SysWOW64\Njogjfoj.exe

C:\Windows\system32\Njogjfoj.exe

C:\Windows\SysWOW64\Nafokcol.exe

C:\Windows\system32\Nafokcol.exe

C:\Windows\SysWOW64\Nddkgonp.exe

C:\Windows\system32\Nddkgonp.exe

C:\Windows\SysWOW64\Nkncdifl.exe

C:\Windows\system32\Nkncdifl.exe

C:\Windows\SysWOW64\Nnmopdep.exe

C:\Windows\system32\Nnmopdep.exe

C:\Windows\SysWOW64\Ndghmo32.exe

C:\Windows\system32\Ndghmo32.exe

C:\Windows\SysWOW64\Ngedij32.exe

C:\Windows\system32\Ngedij32.exe

C:\Windows\SysWOW64\Nkqpjidj.exe

C:\Windows\system32\Nkqpjidj.exe

C:\Windows\SysWOW64\Nqmhbpba.exe

C:\Windows\system32\Nqmhbpba.exe

C:\Windows\SysWOW64\Nggqoj32.exe

C:\Windows\system32\Nggqoj32.exe

C:\Windows\SysWOW64\Njfmke32.exe

C:\Windows\system32\Njfmke32.exe

C:\Windows\SysWOW64\Ndkahnhh.exe

C:\Windows\system32\Ndkahnhh.exe

C:\Windows\SysWOW64\Ogjmdigk.exe

C:\Windows\system32\Ogjmdigk.exe

C:\Windows\SysWOW64\Ondeac32.exe

C:\Windows\system32\Ondeac32.exe

C:\Windows\SysWOW64\Oqbamo32.exe

C:\Windows\system32\Oqbamo32.exe

C:\Windows\SysWOW64\Okhfjh32.exe

C:\Windows\system32\Okhfjh32.exe

C:\Windows\SysWOW64\Oqdoboli.exe

C:\Windows\system32\Oqdoboli.exe

C:\Windows\SysWOW64\Onholckc.exe

C:\Windows\system32\Onholckc.exe

C:\Windows\SysWOW64\Odbgim32.exe

C:\Windows\system32\Odbgim32.exe

C:\Windows\SysWOW64\Obfhba32.exe

C:\Windows\system32\Obfhba32.exe

C:\Windows\SysWOW64\Okolkg32.exe

C:\Windows\system32\Okolkg32.exe

C:\Windows\SysWOW64\Oqkdcn32.exe

C:\Windows\system32\Oqkdcn32.exe

C:\Windows\SysWOW64\Pnpemb32.exe

C:\Windows\system32\Pnpemb32.exe

C:\Windows\SysWOW64\Pclneicb.exe

C:\Windows\system32\Pclneicb.exe

C:\Windows\SysWOW64\Pbmncp32.exe

C:\Windows\system32\Pbmncp32.exe

C:\Windows\SysWOW64\Pcojkhap.exe

C:\Windows\system32\Pcojkhap.exe

C:\Windows\SysWOW64\Pabkdmpi.exe

C:\Windows\system32\Pabkdmpi.exe

C:\Windows\SysWOW64\Pnfkma32.exe

C:\Windows\system32\Pnfkma32.exe

C:\Windows\SysWOW64\Pcccfh32.exe

C:\Windows\system32\Pcccfh32.exe

C:\Windows\SysWOW64\Pjmlbbdg.exe

C:\Windows\system32\Pjmlbbdg.exe

C:\Windows\SysWOW64\Pagdol32.exe

C:\Windows\system32\Pagdol32.exe

C:\Windows\SysWOW64\Qgallfcq.exe

C:\Windows\system32\Qgallfcq.exe

C:\Windows\SysWOW64\Qkmhlekj.exe

C:\Windows\system32\Qkmhlekj.exe

C:\Windows\SysWOW64\Qnkdhpjn.exe

C:\Windows\system32\Qnkdhpjn.exe

C:\Windows\SysWOW64\Qeemej32.exe

C:\Windows\system32\Qeemej32.exe

C:\Windows\SysWOW64\Qjbena32.exe

C:\Windows\system32\Qjbena32.exe

C:\Windows\SysWOW64\Aegikj32.exe

C:\Windows\system32\Aegikj32.exe

C:\Windows\SysWOW64\Acjjfggb.exe

C:\Windows\system32\Acjjfggb.exe

C:\Windows\SysWOW64\Ajdbcano.exe

C:\Windows\system32\Ajdbcano.exe

C:\Windows\SysWOW64\Aejfpjne.exe

C:\Windows\system32\Aejfpjne.exe

C:\Windows\SysWOW64\Ahhblemi.exe

C:\Windows\system32\Ahhblemi.exe

C:\Windows\SysWOW64\Anbkio32.exe

C:\Windows\system32\Anbkio32.exe

C:\Windows\SysWOW64\Aelcfilb.exe

C:\Windows\system32\Aelcfilb.exe

C:\Windows\SysWOW64\Alfkbc32.exe

C:\Windows\system32\Alfkbc32.exe

C:\Windows\SysWOW64\Abpcon32.exe

C:\Windows\system32\Abpcon32.exe

C:\Windows\SysWOW64\Adapgfqj.exe

C:\Windows\system32\Adapgfqj.exe

C:\Windows\SysWOW64\Angddopp.exe

C:\Windows\system32\Angddopp.exe

C:\Windows\SysWOW64\Abbpem32.exe

C:\Windows\system32\Abbpem32.exe

C:\Windows\SysWOW64\Ahoimd32.exe

C:\Windows\system32\Ahoimd32.exe

C:\Windows\SysWOW64\Aniajnnn.exe

C:\Windows\system32\Aniajnnn.exe

C:\Windows\SysWOW64\Becifhfj.exe

C:\Windows\system32\Becifhfj.exe

C:\Windows\SysWOW64\Blmacb32.exe

C:\Windows\system32\Blmacb32.exe

C:\Windows\SysWOW64\Bnlnon32.exe

C:\Windows\system32\Bnlnon32.exe

C:\Windows\SysWOW64\Beeflhdh.exe

C:\Windows\system32\Beeflhdh.exe

C:\Windows\SysWOW64\Blpnib32.exe

C:\Windows\system32\Blpnib32.exe

C:\Windows\SysWOW64\Balfaiil.exe

C:\Windows\system32\Balfaiil.exe

C:\Windows\SysWOW64\Bdkcmdhp.exe

C:\Windows\system32\Bdkcmdhp.exe

C:\Windows\SysWOW64\Bopgjmhe.exe

C:\Windows\system32\Bopgjmhe.exe

C:\Windows\SysWOW64\Bblckl32.exe

C:\Windows\system32\Bblckl32.exe

C:\Windows\SysWOW64\Baocghgi.exe

C:\Windows\system32\Baocghgi.exe

C:\Windows\SysWOW64\Bjghpn32.exe

C:\Windows\system32\Bjghpn32.exe

C:\Windows\SysWOW64\Baaplhef.exe

C:\Windows\system32\Baaplhef.exe

C:\Windows\SysWOW64\Bemlmgnp.exe

C:\Windows\system32\Bemlmgnp.exe

C:\Windows\SysWOW64\Blfdia32.exe

C:\Windows\system32\Blfdia32.exe

C:\Windows\SysWOW64\Boepel32.exe

C:\Windows\system32\Boepel32.exe

C:\Windows\SysWOW64\Cacmah32.exe

C:\Windows\system32\Cacmah32.exe

C:\Windows\SysWOW64\Chmeobkq.exe

C:\Windows\system32\Chmeobkq.exe

C:\Windows\SysWOW64\Cklaknjd.exe

C:\Windows\system32\Cklaknjd.exe

C:\Windows\SysWOW64\Ceaehfjj.exe

C:\Windows\system32\Ceaehfjj.exe

C:\Windows\SysWOW64\Chpada32.exe

C:\Windows\system32\Chpada32.exe

C:\Windows\SysWOW64\Cojjqlpk.exe

C:\Windows\system32\Cojjqlpk.exe

C:\Windows\SysWOW64\Chbnia32.exe

C:\Windows\system32\Chbnia32.exe

C:\Windows\SysWOW64\Cbgbgj32.exe

C:\Windows\system32\Cbgbgj32.exe

C:\Windows\SysWOW64\Chdkoa32.exe

C:\Windows\system32\Chdkoa32.exe

C:\Windows\SysWOW64\Clpgpp32.exe

C:\Windows\system32\Clpgpp32.exe

C:\Windows\SysWOW64\Camphf32.exe

C:\Windows\system32\Camphf32.exe

C:\Windows\SysWOW64\Clbceo32.exe

C:\Windows\system32\Clbceo32.exe

C:\Windows\SysWOW64\Doqpak32.exe

C:\Windows\system32\Doqpak32.exe

C:\Windows\SysWOW64\Dekhneap.exe

C:\Windows\system32\Dekhneap.exe

C:\Windows\SysWOW64\Dkgqfl32.exe

C:\Windows\system32\Dkgqfl32.exe

C:\Windows\SysWOW64\Demecd32.exe

C:\Windows\system32\Demecd32.exe

C:\Windows\SysWOW64\Dhkapp32.exe

C:\Windows\system32\Dhkapp32.exe

C:\Windows\SysWOW64\Doeiljfn.exe

C:\Windows\system32\Doeiljfn.exe

C:\Windows\SysWOW64\Dlijfneg.exe

C:\Windows\system32\Dlijfneg.exe

C:\Windows\SysWOW64\Dccbbhld.exe

C:\Windows\system32\Dccbbhld.exe

C:\Windows\SysWOW64\Deanodkh.exe

C:\Windows\system32\Deanodkh.exe

C:\Windows\SysWOW64\Dhpjkojk.exe

C:\Windows\system32\Dhpjkojk.exe

C:\Windows\SysWOW64\Dojcgi32.exe

C:\Windows\system32\Dojcgi32.exe

C:\Windows\SysWOW64\Dahode32.exe

C:\Windows\system32\Dahode32.exe

C:\Windows\SysWOW64\Ddgkpp32.exe

C:\Windows\system32\Ddgkpp32.exe

C:\Windows\SysWOW64\Ekacmjgl.exe

C:\Windows\system32\Ekacmjgl.exe

C:\Windows\SysWOW64\Echknh32.exe

C:\Windows\system32\Echknh32.exe

C:\Windows\SysWOW64\Eefhjc32.exe

C:\Windows\system32\Eefhjc32.exe

C:\Windows\SysWOW64\Elppfmoo.exe

C:\Windows\system32\Elppfmoo.exe

C:\Windows\SysWOW64\Eoolbinc.exe

C:\Windows\system32\Eoolbinc.exe

C:\Windows\SysWOW64\Eamhodmf.exe

C:\Windows\system32\Eamhodmf.exe

C:\Windows\SysWOW64\Edkdkplj.exe

C:\Windows\system32\Edkdkplj.exe

C:\Windows\SysWOW64\Elbmlmml.exe

C:\Windows\system32\Elbmlmml.exe

C:\Windows\SysWOW64\Eoaihhlp.exe

C:\Windows\system32\Eoaihhlp.exe

C:\Windows\SysWOW64\Eapedd32.exe

C:\Windows\system32\Eapedd32.exe

C:\Windows\SysWOW64\Ednaqo32.exe

C:\Windows\system32\Ednaqo32.exe

C:\Windows\SysWOW64\Ekhjmiad.exe

C:\Windows\system32\Ekhjmiad.exe

C:\Windows\SysWOW64\Ecoangbg.exe

C:\Windows\system32\Ecoangbg.exe

C:\Windows\SysWOW64\Elgfgl32.exe

C:\Windows\system32\Elgfgl32.exe

C:\Windows\SysWOW64\Eofbch32.exe

C:\Windows\system32\Eofbch32.exe

C:\Windows\SysWOW64\Eadopc32.exe

C:\Windows\system32\Eadopc32.exe

C:\Windows\SysWOW64\Ehnglm32.exe

C:\Windows\system32\Ehnglm32.exe

C:\Windows\SysWOW64\Fkmchi32.exe

C:\Windows\system32\Fkmchi32.exe

C:\Windows\SysWOW64\Fcckif32.exe

C:\Windows\system32\Fcckif32.exe

C:\Windows\SysWOW64\Fhqcam32.exe

C:\Windows\system32\Fhqcam32.exe

C:\Windows\SysWOW64\Fkopnh32.exe

C:\Windows\system32\Fkopnh32.exe

C:\Windows\SysWOW64\Fcfhof32.exe

C:\Windows\system32\Fcfhof32.exe

C:\Windows\SysWOW64\Fdgdgnbm.exe

C:\Windows\system32\Fdgdgnbm.exe

C:\Windows\SysWOW64\Fkalchij.exe

C:\Windows\system32\Fkalchij.exe

C:\Windows\SysWOW64\Fomhdg32.exe

C:\Windows\system32\Fomhdg32.exe

C:\Windows\SysWOW64\Fakdpb32.exe

C:\Windows\system32\Fakdpb32.exe

C:\Windows\SysWOW64\Fhemmlhc.exe

C:\Windows\system32\Fhemmlhc.exe

C:\Windows\SysWOW64\Fkciihgg.exe

C:\Windows\system32\Fkciihgg.exe

C:\Windows\SysWOW64\Fbnafb32.exe

C:\Windows\system32\Fbnafb32.exe

C:\Windows\SysWOW64\Fdlnbm32.exe

C:\Windows\system32\Fdlnbm32.exe

C:\Windows\SysWOW64\Flceckoj.exe

C:\Windows\system32\Flceckoj.exe

C:\Windows\SysWOW64\Fcmnpe32.exe

C:\Windows\system32\Fcmnpe32.exe

C:\Windows\SysWOW64\Fhjfhl32.exe

C:\Windows\system32\Fhjfhl32.exe

C:\Windows\SysWOW64\Glebhjlg.exe

C:\Windows\system32\Glebhjlg.exe

C:\Windows\SysWOW64\Gfngap32.exe

C:\Windows\system32\Gfngap32.exe

C:\Windows\SysWOW64\Ghlcnk32.exe

C:\Windows\system32\Ghlcnk32.exe

C:\Windows\SysWOW64\Gkkojgao.exe

C:\Windows\system32\Gkkojgao.exe

C:\Windows\SysWOW64\Gbdgfa32.exe

C:\Windows\system32\Gbdgfa32.exe

C:\Windows\SysWOW64\Gdcdbl32.exe

C:\Windows\system32\Gdcdbl32.exe

C:\Windows\SysWOW64\Gmjlcj32.exe

C:\Windows\system32\Gmjlcj32.exe

C:\Windows\SysWOW64\Gbgdlq32.exe

C:\Windows\system32\Gbgdlq32.exe

C:\Windows\SysWOW64\Gdeqhl32.exe

C:\Windows\system32\Gdeqhl32.exe

C:\Windows\SysWOW64\Gkoiefmj.exe

C:\Windows\system32\Gkoiefmj.exe

C:\Windows\SysWOW64\Gbiaapdf.exe

C:\Windows\system32\Gbiaapdf.exe

C:\Windows\SysWOW64\Gdhmnlcj.exe

C:\Windows\system32\Gdhmnlcj.exe

C:\Windows\SysWOW64\Gkaejf32.exe

C:\Windows\system32\Gkaejf32.exe

C:\Windows\SysWOW64\Gcimkc32.exe

C:\Windows\system32\Gcimkc32.exe

C:\Windows\SysWOW64\Gfgjgo32.exe

C:\Windows\system32\Gfgjgo32.exe

C:\Windows\SysWOW64\Hiefcj32.exe

C:\Windows\system32\Hiefcj32.exe

C:\Windows\SysWOW64\Hopnqdan.exe

C:\Windows\system32\Hopnqdan.exe

C:\Windows\SysWOW64\Hbnjmp32.exe

C:\Windows\system32\Hbnjmp32.exe

C:\Windows\SysWOW64\Hihbijhn.exe

C:\Windows\system32\Hihbijhn.exe

C:\Windows\SysWOW64\Hkfoeega.exe

C:\Windows\system32\Hkfoeega.exe

C:\Windows\SysWOW64\Hcmgfbhd.exe

C:\Windows\system32\Hcmgfbhd.exe

C:\Windows\SysWOW64\Hflcbngh.exe

C:\Windows\system32\Hflcbngh.exe

C:\Windows\SysWOW64\Hijooifk.exe

C:\Windows\system32\Hijooifk.exe

C:\Windows\SysWOW64\Hkikkeeo.exe

C:\Windows\system32\Hkikkeeo.exe

C:\Windows\SysWOW64\Hcpclbfa.exe

C:\Windows\system32\Hcpclbfa.exe

C:\Windows\SysWOW64\Hfnphn32.exe

C:\Windows\system32\Hfnphn32.exe

C:\Windows\SysWOW64\Himldi32.exe

C:\Windows\system32\Himldi32.exe

C:\Windows\SysWOW64\Hbeqmoji.exe

C:\Windows\system32\Hbeqmoji.exe

C:\Windows\SysWOW64\Hmjdjgjo.exe

C:\Windows\system32\Hmjdjgjo.exe

C:\Windows\SysWOW64\Hoiafcic.exe

C:\Windows\system32\Hoiafcic.exe

C:\Windows\SysWOW64\Hbgmcnhf.exe

C:\Windows\system32\Hbgmcnhf.exe

C:\Windows\SysWOW64\Ikpaldog.exe

C:\Windows\system32\Ikpaldog.exe

C:\Windows\SysWOW64\Icgjmapi.exe

C:\Windows\system32\Icgjmapi.exe

C:\Windows\SysWOW64\Ifefimom.exe

C:\Windows\system32\Ifefimom.exe

C:\Windows\SysWOW64\Imoneg32.exe

C:\Windows\system32\Imoneg32.exe

C:\Windows\SysWOW64\Ikbnacmd.exe

C:\Windows\system32\Ikbnacmd.exe

C:\Windows\SysWOW64\Icifbang.exe

C:\Windows\system32\Icifbang.exe

C:\Windows\SysWOW64\Imakkfdg.exe

C:\Windows\system32\Imakkfdg.exe

C:\Windows\SysWOW64\Ippggbck.exe

C:\Windows\system32\Ippggbck.exe

C:\Windows\SysWOW64\Ickchq32.exe

C:\Windows\system32\Ickchq32.exe

C:\Windows\SysWOW64\Ifjodl32.exe

C:\Windows\system32\Ifjodl32.exe

C:\Windows\SysWOW64\Iihkpg32.exe

C:\Windows\system32\Iihkpg32.exe

C:\Windows\SysWOW64\Ilghlc32.exe

C:\Windows\system32\Ilghlc32.exe

C:\Windows\SysWOW64\Ibqpimpl.exe

C:\Windows\system32\Ibqpimpl.exe

C:\Windows\SysWOW64\Iikhfg32.exe

C:\Windows\system32\Iikhfg32.exe

C:\Windows\SysWOW64\Ipdqba32.exe

C:\Windows\system32\Ipdqba32.exe

C:\Windows\SysWOW64\Jfoiokfb.exe

C:\Windows\system32\Jfoiokfb.exe

C:\Windows\SysWOW64\Jimekgff.exe

C:\Windows\system32\Jimekgff.exe

C:\Windows\SysWOW64\Jpgmha32.exe

C:\Windows\system32\Jpgmha32.exe

C:\Windows\SysWOW64\Jcbihpel.exe

C:\Windows\system32\Jcbihpel.exe

C:\Windows\SysWOW64\Jioaqfcc.exe

C:\Windows\system32\Jioaqfcc.exe

C:\Windows\SysWOW64\Jlnnmb32.exe

C:\Windows\system32\Jlnnmb32.exe

C:\Windows\SysWOW64\Jcefno32.exe

C:\Windows\system32\Jcefno32.exe

C:\Windows\SysWOW64\Jfcbjk32.exe

C:\Windows\system32\Jfcbjk32.exe

C:\Windows\SysWOW64\Jianff32.exe

C:\Windows\system32\Jianff32.exe

C:\Windows\SysWOW64\Jlpkba32.exe

C:\Windows\system32\Jlpkba32.exe

C:\Windows\SysWOW64\Jehokgge.exe

C:\Windows\system32\Jehokgge.exe

C:\Windows\SysWOW64\Jmpgldhg.exe

C:\Windows\system32\Jmpgldhg.exe

C:\Windows\SysWOW64\Jpnchp32.exe

C:\Windows\system32\Jpnchp32.exe

C:\Windows\SysWOW64\Jblpek32.exe

C:\Windows\system32\Jblpek32.exe

C:\Windows\SysWOW64\Jeklag32.exe

C:\Windows\system32\Jeklag32.exe

C:\Windows\SysWOW64\Jpppnp32.exe

C:\Windows\system32\Jpppnp32.exe

C:\Windows\SysWOW64\Kboljk32.exe

C:\Windows\system32\Kboljk32.exe

C:\Windows\SysWOW64\Kiidgeki.exe

C:\Windows\system32\Kiidgeki.exe

C:\Windows\SysWOW64\Klgqcqkl.exe

C:\Windows\system32\Klgqcqkl.exe

C:\Windows\SysWOW64\Kdnidn32.exe

C:\Windows\system32\Kdnidn32.exe

C:\Windows\SysWOW64\Kfmepi32.exe

C:\Windows\system32\Kfmepi32.exe

C:\Windows\SysWOW64\Kikame32.exe

C:\Windows\system32\Kikame32.exe

C:\Windows\SysWOW64\Klimip32.exe

C:\Windows\system32\Klimip32.exe

C:\Windows\SysWOW64\Kbceejpf.exe

C:\Windows\system32\Kbceejpf.exe

C:\Windows\SysWOW64\Kfoafi32.exe

C:\Windows\system32\Kfoafi32.exe

C:\Windows\SysWOW64\Kmijbcpl.exe

C:\Windows\system32\Kmijbcpl.exe

C:\Windows\SysWOW64\Kdcbom32.exe

C:\Windows\system32\Kdcbom32.exe

C:\Windows\SysWOW64\Kbfbkj32.exe

C:\Windows\system32\Kbfbkj32.exe

C:\Windows\SysWOW64\Kipkhdeq.exe

C:\Windows\system32\Kipkhdeq.exe

C:\Windows\SysWOW64\Kpjcdn32.exe

C:\Windows\system32\Kpjcdn32.exe

C:\Windows\SysWOW64\Kbhoqj32.exe

C:\Windows\system32\Kbhoqj32.exe

C:\Windows\SysWOW64\Kefkme32.exe

C:\Windows\system32\Kefkme32.exe

C:\Windows\SysWOW64\Klqcioba.exe

C:\Windows\system32\Klqcioba.exe

C:\Windows\SysWOW64\Lbjlfi32.exe

C:\Windows\system32\Lbjlfi32.exe

C:\Windows\SysWOW64\Liddbc32.exe

C:\Windows\system32\Liddbc32.exe

C:\Windows\SysWOW64\Llcpoo32.exe

C:\Windows\system32\Llcpoo32.exe

C:\Windows\SysWOW64\Lbmhlihl.exe

C:\Windows\system32\Lbmhlihl.exe

C:\Windows\SysWOW64\Lekehdgp.exe

C:\Windows\system32\Lekehdgp.exe

C:\Windows\SysWOW64\Llemdo32.exe

C:\Windows\system32\Llemdo32.exe

C:\Windows\SysWOW64\Ldleel32.exe

C:\Windows\system32\Ldleel32.exe

C:\Windows\SysWOW64\Lfkaag32.exe

C:\Windows\system32\Lfkaag32.exe

C:\Windows\SysWOW64\Lmdina32.exe

C:\Windows\system32\Lmdina32.exe

C:\Windows\SysWOW64\Ldoaklml.exe

C:\Windows\system32\Ldoaklml.exe

C:\Windows\SysWOW64\Lgmngglp.exe

C:\Windows\system32\Lgmngglp.exe

C:\Windows\SysWOW64\Likjcbkc.exe

C:\Windows\system32\Likjcbkc.exe

C:\Windows\SysWOW64\Lpebpm32.exe

C:\Windows\system32\Lpebpm32.exe

C:\Windows\SysWOW64\Lbdolh32.exe

C:\Windows\system32\Lbdolh32.exe

C:\Windows\SysWOW64\Lingibiq.exe

C:\Windows\system32\Lingibiq.exe

C:\Windows\SysWOW64\Lphoelqn.exe

C:\Windows\system32\Lphoelqn.exe

C:\Windows\SysWOW64\Mbfkbhpa.exe

C:\Windows\system32\Mbfkbhpa.exe

C:\Windows\SysWOW64\Medgncoe.exe

C:\Windows\system32\Medgncoe.exe

C:\Windows\SysWOW64\Mipcob32.exe

C:\Windows\system32\Mipcob32.exe

C:\Windows\SysWOW64\Mpjlklok.exe

C:\Windows\system32\Mpjlklok.exe

C:\Windows\SysWOW64\Mgddhf32.exe

C:\Windows\system32\Mgddhf32.exe

C:\Windows\SysWOW64\Mmnldp32.exe

C:\Windows\system32\Mmnldp32.exe

C:\Windows\SysWOW64\Mplhql32.exe

C:\Windows\system32\Mplhql32.exe

C:\Windows\SysWOW64\Mgfqmfde.exe

C:\Windows\system32\Mgfqmfde.exe

C:\Windows\SysWOW64\Miemjaci.exe

C:\Windows\system32\Miemjaci.exe

C:\Windows\SysWOW64\Mlcifmbl.exe

C:\Windows\system32\Mlcifmbl.exe

C:\Windows\SysWOW64\Mcmabg32.exe

C:\Windows\system32\Mcmabg32.exe

C:\Windows\SysWOW64\Melnob32.exe

C:\Windows\system32\Melnob32.exe

C:\Windows\SysWOW64\Mlefklpj.exe

C:\Windows\system32\Mlefklpj.exe

C:\Windows\SysWOW64\Mdmnlj32.exe

C:\Windows\system32\Mdmnlj32.exe

C:\Windows\SysWOW64\Mgkjhe32.exe

C:\Windows\system32\Mgkjhe32.exe

C:\Windows\SysWOW64\Menjdbgj.exe

C:\Windows\system32\Menjdbgj.exe

C:\Windows\SysWOW64\Mnebeogl.exe

C:\Windows\system32\Mnebeogl.exe

C:\Windows\SysWOW64\Ncbknfed.exe

C:\Windows\system32\Ncbknfed.exe

C:\Windows\SysWOW64\Nilcjp32.exe

C:\Windows\system32\Nilcjp32.exe

C:\Windows\SysWOW64\Nngokoej.exe

C:\Windows\system32\Nngokoej.exe

C:\Windows\SysWOW64\Npfkgjdn.exe

C:\Windows\system32\Npfkgjdn.exe

C:\Windows\SysWOW64\Nnjlpo32.exe

C:\Windows\system32\Nnjlpo32.exe

C:\Windows\SysWOW64\Nphhmj32.exe

C:\Windows\system32\Nphhmj32.exe

C:\Windows\SysWOW64\Ncfdie32.exe

C:\Windows\system32\Ncfdie32.exe

C:\Windows\SysWOW64\Neeqea32.exe

C:\Windows\system32\Neeqea32.exe

C:\Windows\SysWOW64\Nnlhfn32.exe

C:\Windows\system32\Nnlhfn32.exe

C:\Windows\SysWOW64\Npjebj32.exe

C:\Windows\system32\Npjebj32.exe

C:\Windows\SysWOW64\Ncianepl.exe

C:\Windows\system32\Ncianepl.exe

C:\Windows\SysWOW64\Nfgmjqop.exe

C:\Windows\system32\Nfgmjqop.exe

C:\Windows\SysWOW64\Npmagine.exe

C:\Windows\system32\Npmagine.exe

C:\Windows\SysWOW64\Nggjdc32.exe

C:\Windows\system32\Nggjdc32.exe

C:\Windows\SysWOW64\Njefqo32.exe

C:\Windows\system32\Njefqo32.exe

C:\Windows\SysWOW64\Ogifjcdp.exe

C:\Windows\system32\Ogifjcdp.exe

C:\Windows\SysWOW64\Ojgbfocc.exe

C:\Windows\system32\Ojgbfocc.exe

C:\Windows\SysWOW64\Opakbi32.exe

C:\Windows\system32\Opakbi32.exe

C:\Windows\SysWOW64\Ofnckp32.exe

C:\Windows\system32\Ofnckp32.exe

C:\Windows\SysWOW64\Oneklm32.exe

C:\Windows\system32\Oneklm32.exe

C:\Windows\SysWOW64\Opdghh32.exe

C:\Windows\system32\Opdghh32.exe

C:\Windows\SysWOW64\Ognpebpj.exe

C:\Windows\system32\Ognpebpj.exe

C:\Windows\SysWOW64\Onhhamgg.exe

C:\Windows\system32\Onhhamgg.exe

C:\Windows\SysWOW64\Odapnf32.exe

C:\Windows\system32\Odapnf32.exe

C:\Windows\SysWOW64\Ogpmjb32.exe

C:\Windows\system32\Ogpmjb32.exe

C:\Windows\SysWOW64\Ojoign32.exe

C:\Windows\system32\Ojoign32.exe

C:\Windows\SysWOW64\Olmeci32.exe

C:\Windows\system32\Olmeci32.exe

C:\Windows\SysWOW64\Oddmdf32.exe

C:\Windows\system32\Oddmdf32.exe

C:\Windows\SysWOW64\Ofeilobp.exe

C:\Windows\system32\Ofeilobp.exe

C:\Windows\SysWOW64\Pnlaml32.exe

C:\Windows\system32\Pnlaml32.exe

C:\Windows\SysWOW64\Pqknig32.exe

C:\Windows\system32\Pqknig32.exe

C:\Windows\SysWOW64\Pcijeb32.exe

C:\Windows\system32\Pcijeb32.exe

C:\Windows\SysWOW64\Pfhfan32.exe

C:\Windows\system32\Pfhfan32.exe

C:\Windows\SysWOW64\Pnonbk32.exe

C:\Windows\system32\Pnonbk32.exe

C:\Windows\SysWOW64\Pclgkb32.exe

C:\Windows\system32\Pclgkb32.exe

C:\Windows\SysWOW64\Pfjcgn32.exe

C:\Windows\system32\Pfjcgn32.exe

C:\Windows\SysWOW64\Pjeoglgc.exe

C:\Windows\system32\Pjeoglgc.exe

C:\Windows\SysWOW64\Pmdkch32.exe

C:\Windows\system32\Pmdkch32.exe

C:\Windows\SysWOW64\Pdkcde32.exe

C:\Windows\system32\Pdkcde32.exe

C:\Windows\SysWOW64\Pflplnlg.exe

C:\Windows\system32\Pflplnlg.exe

C:\Windows\SysWOW64\Pncgmkmj.exe

C:\Windows\system32\Pncgmkmj.exe

C:\Windows\SysWOW64\Pdmpje32.exe

C:\Windows\system32\Pdmpje32.exe

C:\Windows\SysWOW64\Pfolbmje.exe

C:\Windows\system32\Pfolbmje.exe

C:\Windows\SysWOW64\Pmidog32.exe

C:\Windows\system32\Pmidog32.exe

C:\Windows\SysWOW64\Pdpmpdbd.exe

C:\Windows\system32\Pdpmpdbd.exe

C:\Windows\SysWOW64\Pgnilpah.exe

C:\Windows\system32\Pgnilpah.exe

C:\Windows\SysWOW64\Qnhahj32.exe

C:\Windows\system32\Qnhahj32.exe

C:\Windows\SysWOW64\Qdbiedpa.exe

C:\Windows\system32\Qdbiedpa.exe

C:\Windows\SysWOW64\Qjoankoi.exe

C:\Windows\system32\Qjoankoi.exe

C:\Windows\SysWOW64\Qqijje32.exe

C:\Windows\system32\Qqijje32.exe

C:\Windows\SysWOW64\Qddfkd32.exe

C:\Windows\system32\Qddfkd32.exe

C:\Windows\SysWOW64\Qffbbldm.exe

C:\Windows\system32\Qffbbldm.exe

C:\Windows\SysWOW64\Anmjcieo.exe

C:\Windows\system32\Anmjcieo.exe

C:\Windows\SysWOW64\Aqkgpedc.exe

C:\Windows\system32\Aqkgpedc.exe

C:\Windows\SysWOW64\Afhohlbj.exe

C:\Windows\system32\Afhohlbj.exe

C:\Windows\SysWOW64\Anogiicl.exe

C:\Windows\system32\Anogiicl.exe

C:\Windows\SysWOW64\Agglboim.exe

C:\Windows\system32\Agglboim.exe

C:\Windows\SysWOW64\Anadoi32.exe

C:\Windows\system32\Anadoi32.exe

C:\Windows\SysWOW64\Amddjegd.exe

C:\Windows\system32\Amddjegd.exe

C:\Windows\SysWOW64\Aeklkchg.exe

C:\Windows\system32\Aeklkchg.exe

C:\Windows\SysWOW64\Afmhck32.exe

C:\Windows\system32\Afmhck32.exe

C:\Windows\SysWOW64\Andqdh32.exe

C:\Windows\system32\Andqdh32.exe

C:\Windows\SysWOW64\Aeniabfd.exe

C:\Windows\system32\Aeniabfd.exe

C:\Windows\SysWOW64\Afoeiklb.exe

C:\Windows\system32\Afoeiklb.exe

C:\Windows\SysWOW64\Anfmjhmd.exe

C:\Windows\system32\Anfmjhmd.exe

C:\Windows\SysWOW64\Aepefb32.exe

C:\Windows\system32\Aepefb32.exe

C:\Windows\SysWOW64\Bjmnoi32.exe

C:\Windows\system32\Bjmnoi32.exe

C:\Windows\SysWOW64\Bnhjohkb.exe

C:\Windows\system32\Bnhjohkb.exe

C:\Windows\SysWOW64\Bebblb32.exe

C:\Windows\system32\Bebblb32.exe

C:\Windows\SysWOW64\Bganhm32.exe

C:\Windows\system32\Bganhm32.exe

C:\Windows\SysWOW64\Bnkgeg32.exe

C:\Windows\system32\Bnkgeg32.exe

C:\Windows\SysWOW64\Baicac32.exe

C:\Windows\system32\Baicac32.exe

C:\Windows\SysWOW64\Bgcknmop.exe

C:\Windows\system32\Bgcknmop.exe

C:\Windows\SysWOW64\Bjagjhnc.exe

C:\Windows\system32\Bjagjhnc.exe

C:\Windows\SysWOW64\Balpgb32.exe

C:\Windows\system32\Balpgb32.exe

C:\Windows\SysWOW64\Bgehcmmm.exe

C:\Windows\system32\Bgehcmmm.exe

C:\Windows\SysWOW64\Bfhhoi32.exe

C:\Windows\system32\Bfhhoi32.exe

C:\Windows\SysWOW64\Bnpppgdj.exe

C:\Windows\system32\Bnpppgdj.exe

C:\Windows\SysWOW64\Banllbdn.exe

C:\Windows\system32\Banllbdn.exe

C:\Windows\SysWOW64\Bclhhnca.exe

C:\Windows\system32\Bclhhnca.exe

C:\Windows\SysWOW64\Bnbmefbg.exe

C:\Windows\system32\Bnbmefbg.exe

C:\Windows\SysWOW64\Bapiabak.exe

C:\Windows\system32\Bapiabak.exe

C:\Windows\SysWOW64\Chjaol32.exe

C:\Windows\system32\Chjaol32.exe

C:\Windows\SysWOW64\Cndikf32.exe

C:\Windows\system32\Cndikf32.exe

C:\Windows\SysWOW64\Cabfga32.exe

C:\Windows\system32\Cabfga32.exe

C:\Windows\SysWOW64\Cdabcm32.exe

C:\Windows\system32\Cdabcm32.exe

C:\Windows\SysWOW64\Cnffqf32.exe

C:\Windows\system32\Cnffqf32.exe

C:\Windows\SysWOW64\Cmiflbel.exe

C:\Windows\system32\Cmiflbel.exe

C:\Windows\SysWOW64\Cdcoim32.exe

C:\Windows\system32\Cdcoim32.exe

C:\Windows\SysWOW64\Cjmgfgdf.exe

C:\Windows\system32\Cjmgfgdf.exe

C:\Windows\SysWOW64\Cmlcbbcj.exe

C:\Windows\system32\Cmlcbbcj.exe

C:\Windows\SysWOW64\Cdfkolkf.exe

C:\Windows\system32\Cdfkolkf.exe

C:\Windows\SysWOW64\Chagok32.exe

C:\Windows\system32\Chagok32.exe

C:\Windows\SysWOW64\Cnkplejl.exe

C:\Windows\system32\Cnkplejl.exe

C:\Windows\SysWOW64\Cajlhqjp.exe

C:\Windows\system32\Cajlhqjp.exe

C:\Windows\SysWOW64\Cdhhdlid.exe

C:\Windows\system32\Cdhhdlid.exe

C:\Windows\SysWOW64\Cjbpaf32.exe

C:\Windows\system32\Cjbpaf32.exe

C:\Windows\SysWOW64\Cmqmma32.exe

C:\Windows\system32\Cmqmma32.exe

C:\Windows\SysWOW64\Ddjejl32.exe

C:\Windows\system32\Ddjejl32.exe

C:\Windows\SysWOW64\Dfiafg32.exe

C:\Windows\system32\Dfiafg32.exe

C:\Windows\SysWOW64\Dmcibama.exe

C:\Windows\system32\Dmcibama.exe

C:\Windows\SysWOW64\Dejacond.exe

C:\Windows\system32\Dejacond.exe

C:\Windows\SysWOW64\Dfknkg32.exe

C:\Windows\system32\Dfknkg32.exe

C:\Windows\SysWOW64\Dobfld32.exe

C:\Windows\system32\Dobfld32.exe

C:\Windows\SysWOW64\Daqbip32.exe

C:\Windows\system32\Daqbip32.exe

C:\Windows\SysWOW64\Ddonekbl.exe

C:\Windows\system32\Ddonekbl.exe

C:\Windows\SysWOW64\Dodbbdbb.exe

C:\Windows\system32\Dodbbdbb.exe

C:\Windows\SysWOW64\Daconoae.exe

C:\Windows\system32\Daconoae.exe

C:\Windows\SysWOW64\Ddakjkqi.exe

C:\Windows\system32\Ddakjkqi.exe

C:\Windows\SysWOW64\Dkkcge32.exe

C:\Windows\system32\Dkkcge32.exe

C:\Windows\SysWOW64\Daekdooc.exe

C:\Windows\system32\Daekdooc.exe

C:\Windows\SysWOW64\Dhocqigp.exe

C:\Windows\system32\Dhocqigp.exe

C:\Windows\SysWOW64\Dknpmdfc.exe

C:\Windows\system32\Dknpmdfc.exe

C:\Windows\SysWOW64\Dmllipeg.exe

C:\Windows\system32\Dmllipeg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 8768 -ip 8768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 8768 -s 408

Network

Files

memory/4816-0-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Mcbahlip.exe

MD5 e8466bacbfb55aaa095cde2299753ccd
SHA1 5b0e7047b91360e596280f8b9ec4281aeddc9cc6
SHA256 cd5aade8b5a34ae6faa4887d1dfc0ba5bcf3df383768897e65b69f7ad4d2df1c
SHA512 b7b0ca608c01b1da6a578f7d981fb76df99c2cdcd79203d14e287f21f7db7fe9f9280d90922ba79cba1a5f71c88c52b79ff229cd8ff3cb97110f7cc2ca494888

memory/3924-7-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Njljefql.exe

MD5 a7cd2a31978ef0b82a9009f59066b781
SHA1 0d5874938008d0fdc172e1c7d2e9956d33f977f1
SHA256 1b82461ac4ba22cf27a63197ec9d8acffac1b3a1ee57cd17612665f888c95724
SHA512 5979a47cb77689348ec020cc9d564e014137e0153324a05e1cbdbbe0c44883cf368ef56555453cb1ae8740e2eed7890ebc4d1edc6710c528e458190941ef39b9

memory/3336-15-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Nqfbaq32.exe

MD5 2300c87fc8d82c07c9c0ea74e50d0e00
SHA1 154734358f7ee7f2706f31b30797bb49cecb11bd
SHA256 d1c0330df2c03a051e83969e14b4cb94002a4959dc2293f5ebe1387a6380b24a
SHA512 ccaa6d08fa84b0c9dfab4a29e33338e8360c0d60b85003cf80f111392620135ba9ae2a027684fe4181742d8e568470c5a914b3c7a096247f5bdc4a8a7165eb40

C:\Windows\SysWOW64\Nceonl32.exe

MD5 2bdd7da01bff443035ca05ec2a228fbe
SHA1 153a47bf85e6fbdf48df7358660b79ae8a7a4736
SHA256 932688eff1d2f7bba47bd9edc1476164e85d05dcec10c9adad3a7e1693776c69
SHA512 722ec88458dbf943b4f200decc5a8db70db14cec47c409c7a7716d7e7890227d63f928f2c3c24ecffc48de6b6b9482f0419d4c86c784599cd49c3e41ada44796

memory/824-29-0x0000000000400000-0x0000000000442000-memory.dmp

memory/876-32-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Lfcbokki.dll

MD5 9d148648b0512e9c636f66fc71ee37b8
SHA1 27e1ab1124b4f12a5b0d94c68102af332e773005
SHA256 fc7296677ca278b1ba842c941952b86f6ea6ee76b252009d3f7201bda7867260
SHA512 29f3327a60933cf3a41a0f0a8cbf305c4aa4ec447826c1ce2c1e8233b9b6101cd09df03b4ad664fafb38ace978aacc4125e10328f7e76097e15f5ce48d8955ab

C:\Windows\SysWOW64\Njogjfoj.exe

MD5 8ef19f7f9fd4c16ad3b452a86f47ae1c
SHA1 c3fbc67e64289a8600eab25642748633042ffd9f
SHA256 29ad31cd205ec63462bddce0d90723999f78c7f4085b4d0615905b24347deab2
SHA512 ba1381a3bab82e6cee8da96e8b1311326c81486e7265222296a60d761b424e01448a6d150921029c47cb3e339baf18407ac805e92ad57031d3988e13c4c6778c

memory/1712-40-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Nafokcol.exe

MD5 f558e6375814fa86e255a34089babc5a
SHA1 396fd5cfff6e6fc5a50a970cb382821501619e48
SHA256 5b76f2f573eea041daed7c0b2cb1cfc60bb4382c76d76df76f30e5898a485118
SHA512 5dc72cb33cb0d7beea9affb6e10589ef883e2338779bccfc6712d933ab0a860459c2f1401ca5ee45366f6b0288e8660185307e31f65efe2b9cb06959373760c4

memory/2000-48-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Nddkgonp.exe

MD5 594cf930d3176eed86f2170e47c87120
SHA1 3c00cb3bcb708b9a86bf8af286861ab9e93d309f
SHA256 6a4767c15097ed7ed8d79b1b5846fab00b4e29d00b0fb4ddddb55bb0a9a97ecd
SHA512 e346b110110a3bb6cc4b0a5d059e1db5398871f411e662f21de04c7f8d194d3e732347fca44ed20e3d25b1621b86563aa568c8e1f978762da741a07d64dccea3

memory/2292-56-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Nkncdifl.exe

MD5 42691bdef63ece31779942c511c120e4
SHA1 aa0a6b9d963fbbe4c801ffe27cb6f69028a41fcf
SHA256 b6f66059440fc1122b9069cbca2d6551e7fe6bd239868c75b51f651917a9518b
SHA512 4d0738ce5bd5cdce997ebdc844a4f8b3f2dd520b923c2261a3e29e59f6ec62a9ec5e57c0d4807905f1e2e4e69e64b8fe1d4e22421ac959a0c5afa4d8a918b5fa

memory/4048-64-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Nnmopdep.exe

MD5 0770ab1e615480f8c82453b9dd2f6c58
SHA1 b4120a0f3e0425503b3d0a719f6e33f64643375b
SHA256 3fc98bc2bd74d5e99fe124495b4eda05f28610b45407b060281c36107d73c41b
SHA512 b36a18c8f1e54f9daab1537f418d715a09e26dfc9de7e75ff4c80693cde5e8ad93190c9e9ef561575691e0e88dcad60857773cdacb6c24f7f782ab68ee7524d8

memory/2676-72-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Ndghmo32.exe

MD5 09279763c732d3278ce14bdf9f758e81
SHA1 d2404c14b9bddab386bb1d581fa181bf463f3c20
SHA256 4c68c423b712721e5eabc404adb74dad8b1ce81922999217510dd62dac343906
SHA512 c05c9dca8ccc519fc7cdbcf7488276b744e74f8adf9a8cbc5d2155ecc7de285b277f52f55ad1247e2f147a399393a2af46eac688afb624809cc2bf8178faf796

memory/412-80-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1628-88-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Ngedij32.exe

MD5 cfef4676410d7057d88abc6f26e04dba
SHA1 846d0fc562ebfa6f41e3894c79950606b9c29150
SHA256 62b18904272a5480c91ddba8928042657a7882f664b20f5852cc670b4e420196
SHA512 a2c298c0a13398f137c37b8f7189f35a34075f53e20aab979c8d72a50fb101adfae0c706abdd3879be69d883c1f5b1de63bfa4182c5d6b0bd08940a539c59446

C:\Windows\SysWOW64\Nkqpjidj.exe

MD5 aa3d995f009bcff36e3d7bc9ae448b7a
SHA1 2a70ec8294798782a8366fef2f3d66926a9d0b06
SHA256 5ca1f431c9970820b1530a9ba71ee7ee08fd1fc7d0cb10c581e70a89302f6655
SHA512 7826fb703dc07270ff3bd354c08f99d9c0cf8b61cfaa4894f626f9836eb12fd486daf6563f5ba14ec188a6e5f42ce0a990a22f78e54143f5aa5378896f1dbef6

memory/3392-95-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Nqmhbpba.exe

MD5 03ecc7aeb635ea322879bdbbf048be73
SHA1 1e239cd4aa04bda671ca9f82fb66413044f06797
SHA256 eb30e3eb5f55888edc712bb9bc7a946600eee985e03c00c001979adc927bab2b
SHA512 212a3404e34e94c77839392613516bd15aba77c5b19a61898b7c62eecf671639246bf9a29eab1bf33836e35d6314f812e7e4cd8f2a2ad49941704e105307ac22

memory/1984-104-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Nggqoj32.exe

MD5 54a04759fe8742ad414372677a2cde5c
SHA1 4bcc0a063a4c9c7b9a938ce6ec4efb47e164d9aa
SHA256 5bd0866859cfda29ad5acc38487889ab9e5801bb6849924e251767647c69da11
SHA512 1bcc094e1df73fa9d162b2035faab031375936ea4267425763aa54f116652cbc7713bb263aa1939732ae594535a87aee8c7be7e6e080d5e5335742ec6369b7a2

memory/2916-112-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Njfmke32.exe

MD5 bbc4b99b975a241f63ac6dada2b715ab
SHA1 31c0a6b600daac564b7e55266f17668c8e102209
SHA256 13b6dc8a7ba5b3b6f11b457c0fb2451bcace9face5a5b3c69ee8785f7654e8f5
SHA512 76d030cd82eaaddbda15d1b496787383c31d9e114e1d3658c0d58f9b67efdeb0087627ab41a920a5c93b1aa6181eb795fbe9007a9024bcec945e3ee2dc68c1fa

memory/1928-120-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Ndkahnhh.exe

MD5 b75cf260ecb71184956b0550885a2bd3
SHA1 9d59c83086a317eb135c27f5e9a9e96b2d070137
SHA256 b7ca1c44a658a919e9e43cfafef641e1fdc5892774f5a85529fcfb20364e9b1f
SHA512 05da08c061baaf9e5d2495f8714ff1016a3902018e99d4c775e732e42a423f4a50c73885e755c2011204d856ea285cc8e126e2125e5a42174ba383dce576942a

memory/3160-128-0x0000000000400000-0x0000000000442000-memory.dmp

memory/432-135-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Ogjmdigk.exe

MD5 f87cb2a372576f79645ca8ec255ded00
SHA1 2ed0fe4ae34dd084c3efb5ed44a4a8a552a03ce4
SHA256 d923ac1147c00984f54c5708ebd536c866c8fa51574a16d3515ccd863f38da14
SHA512 9b13b2fd0d96d6c715f7d1224be3fe7bd0eefeb854920e33bd35e8e1f9e55d556a8b59882e7b30209eebc98906d146aa35fa83e7ce718fe0333f12b238e5d47e

C:\Windows\SysWOW64\Ondeac32.exe

MD5 4aa431477c2aee781268fb1d60f713fe
SHA1 61e00c8d41b28c16899431bdee71d91589f8a0dd
SHA256 045f0f9d2ee6c4871dc66df1e8945cbfbe8d580fc9a5cd9c7828d87cdbd4084e
SHA512 acbb21b6d973ac3d1b98a2de2252e81c0f51be0195b141b6a614b9d4aca3b969bc5316da57f4045df4826237ea26953a238b7094628f6f790b36ef415f179253

memory/3532-144-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Oqbamo32.exe

MD5 31f09271c9c849e2019dbe63d7cb757c
SHA1 d3e2afaa70a81b158da1d0abb802c4d87b2e8dd8
SHA256 22442c0ec38701cd3c214af7c8628bc3d47c19b37c6c72714c4e87dac7463f7a
SHA512 72cdc2edab5a7edfd2d219e4818dc96ace7bf79959cb6fedd9d02c0fd72aab8fc4289d8c9da1550193a77bf5dcbcec92dff5071e5ae09450502c27d35000be45

memory/4492-152-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Okhfjh32.exe

MD5 eac6fbac00d85620673f56d63b64333b
SHA1 ee8a4a9a71f633ab341b7255aab4420a1749d3a0
SHA256 9fa1f2aa7c00776a009062578dbe7ac48890956093425369fc209f01c144ca0c
SHA512 a0e83100af0467a8cd83c1d7bcb191e8a41a2403b44530fee6bc6d6bc9b1503faeaa2f6f8fdc6cf5da67c065a57685d3974dcde752cf94e229fb16e56d966c2b

memory/2172-159-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Oqdoboli.exe

MD5 1303cc6dfa2e22ab733ecfdc91085a6e
SHA1 fc2c2efb9f9ed941fd73cb1926a38bebea9a0fe8
SHA256 990f41a9e2094d1dd28c0efc97fb310e1d0d4d16d2dc7f7a68707dd65db58cd5
SHA512 b9fb370d4a3dd972c540649723c5527cbb4caf5722031e8d57e3ed7f17dd6cd19376166e64595423c589c22b91e99a581ad374626536393c1446728bbb40967a

memory/968-167-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Onholckc.exe

MD5 d76659d05e7908e56325262f370c671a
SHA1 8254730d251154724c1a1cb8aeae389c3519dcd1
SHA256 548e557195da8ad94fe77ebbad212626897002e39bb256dc90c3be04d0838afd
SHA512 3d15ac93fd89a2ad96c54d254952d453826299df644d1e342903829d8d1a2073302348a164f54880876c97671f32c72c776e14bca3e036a2993addd7d70e8e5d

memory/4580-176-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Odbgim32.exe

MD5 dbc87d54adb214bb7128ea73492d239e
SHA1 03b2d3824ce4278d94109f337def8aac427fe5a1
SHA256 b64c060a6cd51473163a53cd0d2b0b66ed9d64723f3705576916fbb1afbceb37
SHA512 71fb995633c27cf2900e7a7d2f4a3cc87b684152c9642814488991a548ec2466296714c9da9408a93ffe77daa90caf51a9270e92f3857bf0baac2064b118b5df

memory/4612-183-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Obfhba32.exe

MD5 0a9669300d04bd1b8ab31f9ac026ea70
SHA1 8bbca35ea1db2411e521f7e2a88cfc93f8727785
SHA256 56f88ca1d78679b8ffeecd9143f8bed538acad3d969ed69691a464cc378ab54e
SHA512 4b873480fc106a4e7b770cdf42fa7e69a92e693a1c866e41c9899e2a009fde3cccc8f5ccb002b302cb4ec24785b87c014021b7b69d6b188245d0490fc174ffde

memory/2336-192-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Okolkg32.exe

MD5 1d37f27dca338f65c2f356614d7d1107
SHA1 a89cb1bb4d9ae33ad5fb4c65367ed3e5d0d61650
SHA256 1323c7b3f4c15ac7751329413126c8a4a298f120fb007832c6da3e086c215cad
SHA512 cb37c4f63652addf3b178d2ec512070b577443ec58b6d6cb860eda02cb05530e6b139ffb806aa5e790cdad0ca6d559b486e45cf9d82d689af742baba6789020f

memory/2340-200-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Oqkdcn32.exe

MD5 5974a220daad1b7a3d1e1d86b2c9c70a
SHA1 d146924d5ba79350fc8b74789095baa3b84a94eb
SHA256 5ee7ec16cc0df80c418c41d583d84c216c6aae123629f34449a8ec49ef6e1370
SHA512 13999b1d1b28fb4d50e40f280474bcfbcabad2ebb84dfddf651e8bb81b4b6dceb2977daa29a5a7093a48c9b05f5ffe03ab5bf95bd04f946a535c53c2a275bbab

memory/3936-207-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Pnpemb32.exe

MD5 9c8afc3af39f0c709410dbd98a2d6550
SHA1 9f7e9f4ff772fcd5e58ba231d6aa325546080b83
SHA256 d3f5cd0f58403b04bb1eca737943bf8baf9a235fbea8b39fa4fe944d21c79094
SHA512 4168e8215c6faafb8784eb91e7f01cdf3f91e68c2550998ced985872241783930a323abe1ff7ec25a9c4ef844c7a5dc3c6c51ab83ce7a28a93fd8a9dc4b7881f

memory/4040-216-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Pclneicb.exe

MD5 65af772354fae4d191ae2ed2b1013338
SHA1 7e2c61a9c64dceed28a1d37d8915e5a450706097
SHA256 0f80c2541e18deeddd77516c00fd0bd078fc5491b321909076fe0db101e44cb6
SHA512 42a37fa585ff133011019a6eeef4fdc7ccd808123c7e9a6e80942ac97c8e8dbc746cb69ac35f0cf3ea5a7a2ff21b9beee9bffa4120c1a0d004c663bb5892cb9c

memory/3436-223-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Pbmncp32.exe

MD5 d8d9ba8838c9c49b462e008954958067
SHA1 bbe26d4d39dc7a7bbcff83e44591c59b66d585ab
SHA256 430ae80dc6066749062d13b564e94a9c0f2966107a9e3cb2d13c99f7e2f72254
SHA512 d70d10fa00629f63c2d2f01e2d4e93461d7d236595327a5d2d3f17d7085152dbed6501d7ac19f791bc66aa15a9c19007e46e599f2044f6d4ec290220b533ab3a

memory/4928-232-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Pcojkhap.exe

MD5 a43c85ecdde187d1bf86502bf72a97e8
SHA1 8ad192c98f97b93450c7ef1640f7de69c0c35969
SHA256 34296a79c6b4f380557faf19e60b380f6285fc196a90463d7d292c5428e3a8dc
SHA512 8e8dec6c123861bc9edaf5a3467e91d3bfa0cf642ab0b609a52dd6c1627a91b07ca24cf643ed14db699da23781bd91165702e1664aa8fbe05ea625b900cc6a23

memory/5084-240-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Pabkdmpi.exe

MD5 d84ebca8d96ff06b635ed3e1ad1115f0
SHA1 7436c93f6c10756b34010fa6cfa205ae5f2f6012
SHA256 15269172fe293a5ad98c258e30858cfeb4eca4db0efa71703fa516dc80bbf081
SHA512 d86b0e65c97be36f257e600e3e31ef551455e318173854cbc4e831b30d4c044f66d651905c8dd5a03ea81360f914a93f5cfb9e5afaa0ab490c3569b3bc34c7ad

memory/1616-248-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Pnfkma32.exe

MD5 db95f200d3504f81080630244a446919
SHA1 9a66baebf6fce5349aa57a8a14548ac270d9199b
SHA256 e90b3b731bca37f8f4c5cb446ad347f75f89cd3fafa394487b12c4b5c2e7c1fa
SHA512 ef40cf14c02f416c3a0d1aab99dd496a49193031e8418f3d0134daa269514c76a71b6e8741b0f6670864a66ab24dfda539aa733b0969e078f881efe8267ba5c4

memory/4940-256-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3380-262-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3696-268-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4276-274-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3956-280-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3668-286-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2596-292-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4004-298-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Qjbena32.exe

MD5 436b2171bf7b2114e51cdcff6cf6061e
SHA1 16d5f36722674a3cbd3996f7e0e93950f99c5574
SHA256 094a9a7bf7c25ca3d46d144ffd552c2f90f114337e0932a4c02caea7b5f67a8a
SHA512 293095f105f4791dd6e33e9efcb1787059b3f4a92df4d2981bbe910c78707c2e111beef655515c1bfd2b7a3b5943707c6592c16279bf5a9a57025634b898e6bc

memory/3940-304-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4360-310-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4400-316-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4784-322-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1796-328-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2132-334-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4944-340-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4916-346-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3104-352-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2976-358-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Adapgfqj.exe

MD5 21b5c578c048c92cb8b4a39a2dcaf16c
SHA1 e6ea388b64308033e428d431b6cc91a33192db1d
SHA256 e22f27e275995517cab994e7419e8df64eeffedbc3e17435a260801e95570e57
SHA512 43c5677ba40a9e3f2ce2b6fb7411267e5e875648d4f8eae64d67c12c175f9579d9f98385ae7637effb2742df02023cc8abf42a767ee0b66a0989b0db2537812d

memory/1432-364-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4176-370-0x0000000000400000-0x0000000000442000-memory.dmp

memory/816-376-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3836-382-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Aniajnnn.exe

MD5 3d5bf1ad6326a9b62ea5ff4c86e2826b
SHA1 5f68b2bf4efa8735c472877a47c40f4b11a75f9a
SHA256 92e95336d207c0fae29a6923a73325f74e3740602a2b95f069a4f60b4126aab5
SHA512 9b27c5fd0c3e3bf856748c68b190e5827f5ad4c58b19b37aaf76408cce52150b2a0c7414b76f5044ea35f027e2bee434068aec96f97836da1cfb4499ad3e9e95

memory/4640-388-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3708-394-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3656-402-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3920-406-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3964-412-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Blpnib32.exe

MD5 861d92ae9dd9ef260af528ba9b2fbe0b
SHA1 626ad1c931253655f805b6018fd61093726641e2
SHA256 dec0a482f4064e03ba2cd2cb7b64470ba87bbfeb07adc59401240f9c977045c2
SHA512 fca924a4ff745d522de468ccae5c8db7c2c044968aa658e0fed06f9b87c615127099b27057379372f94914af576b6e5b304f61f6ae53e16e738d8881f22591cd

memory/4568-418-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4436-424-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3228-430-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2004-441-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3704-442-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2756-448-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Bjghpn32.exe

MD5 dee10b846de60ed3701d96d59714198e
SHA1 1438a40f5d3240a75b496d9fde526af42bc3c7f9
SHA256 31460fef24c02a75c9875d308de48e11516cb3ef671c3b0e1001477190c99b48
SHA512 1997994133e764dcfafa43b49cf5ae414733b2c979e1a0f2baa1f5b971bb6dea8919d3247383886e396be32d43efd1248dc86e72b2cca89f2c7ac5a654e67731

memory/1400-454-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3096-460-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1552-466-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3536-472-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3988-482-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4628-486-0x0000000000400000-0x0000000000442000-memory.dmp

memory/920-490-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1132-496-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Ceaehfjj.exe

MD5 dbd22e4679e735fc5ec3446eab8faf3c
SHA1 1112bbc2e12d5e0df4d4c161365c3dbe281c0a84
SHA256 e7f52a6a75f6b11c6275fdaf6c5803cc9b6e254a7ad3fa8678242e50cc4bc921
SHA512 23b41cf673b16e0d348873534f53d6aa15f4283d38b423484c7158eedd9711b99a0ba8cedf445e017bb7b00bea10601106d28292976a6666cc763ed292c8aea6

memory/4532-504-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2940-508-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2540-514-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Chbnia32.exe

MD5 fc1ab853c811b4f4abe9bc1f1d7c79d6
SHA1 43aac4f2b321e0d6ecf31a316577766059970e21
SHA256 9770ffb33dd574312acaec88833473b62b413991afe9067f4c1de817e772be4f
SHA512 be411c1535748e1592655927cf77703fde24281818cae19550dc58aad2c238e6d59c82a170a7030d62b120c84d244479b494c2103f2b07d39affbb2a284dd76f

memory/5008-520-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2900-526-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1360-536-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2220-538-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Camphf32.exe

MD5 8e9d7eb329437b91f624b7241df37ca2
SHA1 db510295787582e528ef832b9f08aba6ef4434d9
SHA256 4aad97992685dcee328d36d5ba77e57adf6f8e5451f63e3e13553223caf55817
SHA512 ea83619c7cd6e758c996899c231402fe179183b1b3d222a388cb04ac25c904a3d295a9bf3cee79728dec6970406fed8914b2c65178b3cc7a4c97fe5ed8b8df9f

memory/868-545-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4816-544-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3924-551-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1980-556-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3336-558-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3672-562-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1416-569-0x0000000000400000-0x0000000000442000-memory.dmp

memory/876-571-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4960-572-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Demecd32.exe

MD5 5bd351f12882a730d5cb7d85eee56911
SHA1 cbe5cb98fddbb4f4707ab3fe00de62bf600bb597
SHA256 8a5d7e46a5f116a2fdbd049da950ddffe046e8c7ade60aec31c2376aab6a14fd
SHA512 8f00d42413d976a05030b209ff923a5d2d2f8ff5c2719288e31e6764bd168c9e093c53b6297683dd6de2d90f112a11c56e7f8e48df612f57cd57448d991c4e11

memory/1532-580-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1712-578-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2000-585-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3544-586-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2292-592-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1584-593-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Dlijfneg.exe

MD5 dac4f37f174c8c46ffacd361c72d573d
SHA1 7f6d548712d8539233834c00513799578dd1e758
SHA256 452314629c44e13210a9522db756583d6ca0d15b651944aa13f4822e9ae6b386
SHA512 72c9687d90dd8bf291cd53a801b811db11b7c16b13099e05c53179610b798650c18e57da6d8c62ab3953f4f924111247e9d8f58f838865d5d56613e1f0e95484

memory/4048-599-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Dhpjkojk.exe

MD5 b6ed4b1a9b7992aa3cb6c12981815f9d
SHA1 d037a983f55667d47bd25b9431d8ebffd7aadc8f
SHA256 23649b74785a42226d12f00a88eea996a1c75bdac72870963474ab4c195f3215
SHA512 babc1761c551d1b6163b568fcbb2279a2f948ca4856394f0eafc70eae0356853df989085dc357c5a8d432a6011616106b9e6e4acd97891afee4024d77f16f43a

C:\Windows\SysWOW64\Echknh32.exe

MD5 70ebc5681a5cbe19e3efba5fa711e338
SHA1 4783a148fe763e91373ccea4be9465c17c388733
SHA256 183e46ba08929b31069b45a5dea86fcb7ef660bffda413f5af17a60f01d7d0b3
SHA512 d1211d034dd6c21bc2bee8c10ad7b5d1923340636277879c53d477a03d149eb19208f84902295538a2497077cc106ef7766e648e65c13fcb8c91c3c1f35922d3

C:\Windows\SysWOW64\Ekhjmiad.exe

MD5 7fef2b8fb36b2d57c7c428a49d239f8a
SHA1 b5084e1495462b6b3544e297b614dae47826dba5
SHA256 7dd455ea343cdd77979e85f790c8c679ff1180f3a27e33a49c7f0d2601271e70
SHA512 f2bd93dfb569d29cccbba2712d3773d4ff73ab23252f9e0a0beed57b4b59c9e239406fd54b26b552710400c1758c41005e3e752e75c7d54e5bf10893af6ed1b7

C:\Windows\SysWOW64\Elgfgl32.exe

MD5 d0bb2317314065acc1556a37a30fb889
SHA1 1e9569e8073fede9c65bd40b8b0e84f8f177b59c
SHA256 d7ef74500c1cf09f15f66f846ba015e6c526e96a9b9ed1855fc7de4e896a152f
SHA512 f850a2bc73b311c7743bbbe5b83c581ed89b49cfdcf607ce0f16b39199f122ac2b4db089fbd5e94b5d16372a2b5464436df5c1804093e18a2b23b3ee99318fc3

C:\Windows\SysWOW64\Ehnglm32.exe

MD5 e5f22cf40f9d222fe89d64bc5bd66261
SHA1 fca1e34a63ce1a9ac60a24cf83013a45b3717d09
SHA256 b4ffa0c9c216d6de57a97f67b2011bbbab9d79744c2874e6760ee8c1ac5a6569
SHA512 7f21e9a523dacf38cd07fe085e346f71b8eeccaa82ce0617dfeb9f30b4c6be3284f825e76b28926cc2facd35538c007493fab94833e614c07df857f51b90a530

C:\Windows\SysWOW64\Fhqcam32.exe

MD5 2fb61f91c30e12149aa7eea02e96b408
SHA1 be59def34e419f0e2f8fa774be264ea1bc9ef5ba
SHA256 dd1036fe6dfd4ac877a0ea6c1726aec1077426db773ffcf76f880bfdf136189b
SHA512 2bbd657f845bd781e99db948a87a42126bb4559c87dcd93d95e2c37d7cbbb8237047ecaa46b1740d24d94c24c7d6093d86d53a3d6d3faac092eab4d1a2c074a3

C:\Windows\SysWOW64\Fkalchij.exe

MD5 2a1fe189eb273ec02613407dd0cade30
SHA1 ca9efa3ddb0be2cd8b67d7a6c71dfba296421c95
SHA256 390aa2550a3fe1b62fea9b26614b2a5900d23a6b3756e48a8ebfd6fe1566b6f8
SHA512 bfb69dda1a5128b5e339ce0e69f8f90513b5018a6b7d6a11b86915660488e69e0ae79a0d9611e674ae69f105536d310e891ccd634bbc2cd87ac28c894f38a2df

C:\Windows\SysWOW64\Fhemmlhc.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\SysWOW64\Flceckoj.exe

MD5 a85fb6ad37fcc2f096e92329d192abbe
SHA1 ae73dc3310407870fd1e755aad2d4269048458ca
SHA256 65bc43ec227becc63173c534b77917fc4a850afb7a244da853f9e9f611499a86
SHA512 74f16a9269a57b7224379b5439936888e064aab5065c43ccd50fb47945d5f2263fa2cbaef06d18984021a6263f0fc08b3bd995e59cbaa851c259479cd5aa7aa6

C:\Windows\SysWOW64\Gfngap32.exe

MD5 0c15025cac295ad36c0b91e451c74423
SHA1 7fd137ec70e274f38983f433c733e4efdc8bf4cb
SHA256 ecd8ecbbddf2ab332ec4500bfb56c7d62b4465bcd2bdc92f77febedc01dee631
SHA512 86d2b55dd9770b77fb1a30af0b79cd941690c12f8ef7f996d7c7b123e0b108b510b90df83fb15c8a346d2490c6838008f0aeecd6aa69d017f3dda77e836ede70

C:\Windows\SysWOW64\Gkkojgao.exe

MD5 aa10c15b2f5c3f8666cc5b7d83becc77
SHA1 4cdf81e60d0032f48ac249fe2478277b3c4efc88
SHA256 3a58e43c77ba4a9536e91a66028b603655ca3897298194a7acf3d395972a2aa1
SHA512 2a76564949e04d4238b2cde42c1beaabc22265e175e83c54084d9e81b010e228c100cc42cea3319d094b96ac8006b0503dde381d32bdc0321277cc7ee8dd522a

C:\Windows\SysWOW64\Gbgdlq32.exe

MD5 1f059602272a5e02db33a5cee7eccbe3
SHA1 594590d2d04c6bbad611b32c96c32ae88809d24b
SHA256 0fba79dadc03a19265633ecdae5b18c602febe821ca3c12b017aa3d6a607a20a
SHA512 504041c55facec612eb763c9f41b686ff24fc5f2f4782d15726d45ba8b23acd4e39df8d188271bf935b63a4f4a2a76bf6b1705b84abd2ec1d5067941ef0fe698

C:\Windows\SysWOW64\Gdhmnlcj.exe

MD5 865fb85dfc79c326d6f45d41a78dc404
SHA1 94afe66c2799f86bb3f75c30bfcbd48db8f81686
SHA256 88f9101ea28bb31ec8f4462acbaabc5bdf72748e1f0e67025264b4bf74e500bb
SHA512 e5db94065c2d5554cd5e17b33b1d204260767acc71980f3a033cb1dcaeb96e7eeb968e9d62f4975756cc9a4e511411068d3080770fb7cb6a295748b0daa17ae2

C:\Windows\SysWOW64\Hopnqdan.exe

MD5 22127ee8c35bb5b11ca9cb32c5fde18f
SHA1 1b9de4df4827d52e710c5e25232221db723270de
SHA256 378167b8eafbc29e4cd735e2d9ac414dbebc10d412826df7df406d2d971e4e07
SHA512 3452a7b79d19280bcc7bf7bf6df1725a48657d9cfd3fcccf66d6efbe568116939987031d649cab05a23c2fff3c888e4b871485f216d86e75ef566997064c1532

C:\Windows\SysWOW64\Hijooifk.exe

MD5 453a33d4f6da569c1daa54659051f65f
SHA1 195b91040559c917a863c9f4854d3f0bdbe142ce
SHA256 b839cd224c421ea92589097b88c051ed5212ba6efd67a17148e84569319c36b5
SHA512 188927731852506d350f04dbdc466319a9b130d8c4db575b5affd4addeda0d008c2cc938e50f7e88e39fe5ca8ff35960622b3c50eb899b24207dcf18f98a1425

C:\Windows\SysWOW64\Himldi32.exe

MD5 da1976dd2e4fcd2b4b8e1a5f2b1bcf92
SHA1 1c6d8c4c69c0410dd13a5c8a04ad2412af578558
SHA256 23463ee21e0a16a755d68e882dc8eb72742f460c1bc414e91d3854c5bb7ed0a6
SHA512 82f74ef420f4229b265c4f53e47f83ad013fe7b0b8fee74dc0ec5e6d9753dba118e1aef6f3693ddddaeaf36d1593d3c3a9da89d682c4c2ada721364ef1bf66cd

C:\Windows\SysWOW64\Ikpaldog.exe

MD5 465c58177db2581fcc144b69edd72f51
SHA1 af6d408dbbdc36457568342984393808a9e4177b
SHA256 92615a124360e1df4b915cdce1ed2a78c130f15eaa4ec9b185196042815fe0b9
SHA512 383c582592126e53c79a5d5da4485007370bb04bda9b22c3184c208ab8be4ffdb47af3f4a2338c333d24e9e2cb9dc2f6232c3630f2f5dbb3ee73c12015fe22fd

C:\Windows\SysWOW64\Imakkfdg.exe

MD5 fc19f2ece67499b849c74a7ceefdd2ba
SHA1 d9fb0234392d5e9ef7598f595153a63af238d0b8
SHA256 9739217d164e8c3866d934cb09c68e9c91bdf71166f0e2912825343338af863b
SHA512 749ede47b7f589d307c46cd8186996cca8c3aefce760f0b538d5cff4ff78ffc071e692d37ebb803acebfdb83fdc4ea9b9367859fcb2fd295acb1a2212aabeb5c

C:\Windows\SysWOW64\Ibqpimpl.exe

MD5 032eb1f0f70ca124f0c5892d25c23a15
SHA1 bd7176be068efab94ae2c13efca14cc060cbaf25
SHA256 6aa7c7955000a9194c0b36ac9f8db5ada2aead2151c3520ad55cd07e8d5bc905
SHA512 a7ba58b5479df52dfb1a3b3e40583ce5e09e61c539586f2f4b6263326402cb55e9d011bb84f2160acedbb082b307ee554727891712adadf433145c80f5acc661

C:\Windows\SysWOW64\Jimekgff.exe

MD5 7491cedd19b976e03416f4d29da3aaa6
SHA1 52f73d59a64d29d1d7c2c72c31b41a858a08f8ed
SHA256 2f9673a5b93724a5451d68ef30ac916df4e378cdcfa6950ded7c66575b724076
SHA512 70741d9bd88eca36740424c0ddd309257492d800518ef7df60fa6f880a61cbd778311ea319e962b7da54472c0250b6d36a0479bd7bbb7ea5e2a65657de9379b0

C:\Windows\SysWOW64\Jioaqfcc.exe

MD5 28a476999f584ac2c58f1dd234689ab3
SHA1 40b3a9ff74435119ce7553443e99781b955029a6
SHA256 dff674e90880b250473f75f39ea4477f6e4021184e11f4c194f81b9611fafaa1
SHA512 42f68633cbaead7478aa4f0f494c7718edec199e8b23415ac2af783f3bc01e9c953a2590f71c6e08c43c6aba78a0a7374377993828fa599b3dc7cf599aa5898d

C:\Windows\SysWOW64\Jehokgge.exe

MD5 0cde0494077eda00ece3d8395549f3e9
SHA1 46f486f9c4b941863f460c17f8808e7c452ce1bc
SHA256 9f15c51b4910c4b96d88c19dc2515a1e0341476e9002d1e4799b8677598b8faf
SHA512 e6c63a42bf4c55a9a05de090f2b68d712e536bfbf363f3f8d5f373c1d5eb1a9ad24062eaa81b9fc48a4a012a3adbdddac989998272c1c26e543ed85267e0f871

C:\Windows\SysWOW64\Jpppnp32.exe

MD5 3a335bf11a12a7509dd064b41ca13f04
SHA1 2722bde9372694f003c4ba64d535df936e6ea3b3
SHA256 f472fc21aea0d9dca1094a7aafe1219e2e35f4bd93bd1e4acdb4c62fb8eaf688
SHA512 21d602cf99c6f27dd075a48324d4bbd17895652c1bc3722c1acdd8ce1abebb64bf070148cc0cc16dfe87556ebe9083c241c6dfb47cfed862cc463d7ebee01b31

C:\Windows\SysWOW64\Kiidgeki.exe

MD5 68d519ae2ee07c9a042767fd6143cf0b
SHA1 0143caa8a66da373925209a0828ab05ff9604981
SHA256 d974a3c166f4fadad10c63494fb703b02e2b124e0c3b829586c66e0b82cebe36
SHA512 973c60379cb9d00dc98fa2016f081eef0cb0b9e40ced55094317c9cb62b963775483d8c4c9865f2de6f925c562400463de8002f3b9e42c20a4a50e878eea85d1

C:\Windows\SysWOW64\Kipkhdeq.exe

MD5 b250b6f4a7e0d4c98edaaa0b1b404d8d
SHA1 04ef704281004dca0f34bb524bcd7ac1f57ed58c
SHA256 5fd0eb7ecfaab02561bf59329205881e45b0412024c3515d0ff0aeb702afd2f2
SHA512 985f948306b0c57855fb91a40832ff751452dcd692697431bdcf7181bf16a024e4d6792b4175aa725af3a887b8778440d7a60a9509e38ab3e9f9b964d7ffb525

C:\Windows\SysWOW64\Lbjlfi32.exe

MD5 cc86d301f812f231edc47d6c6e700f2f
SHA1 586a4ba21626476ae3b4eacf5ddb9972a76bacad
SHA256 a40b1f7509ae0d624aaeb270a3a4a322f8650bbc9f90fce9adcab30a6e91f608
SHA512 dad74ad9fba2214fb372bf652942e952aa53e1ce93af0a6c8ea9b76841d7cc15caacdf14ea52cfd3507360fbad1937f873f21975dbc24b90ec9081f8ca5abf5a

C:\Windows\SysWOW64\Llemdo32.exe

MD5 f49389697f6a81eb1b8d7e5d643cb9cd
SHA1 ab003047a796f0cb05a436549d0015dcb8d66b9c
SHA256 fd014802bbaca9e9b4b554af7666557a0835ef3f19ffdccfa50be9ac71d370de
SHA512 c3498286a11d24a261294cdd42d87a0824a21688772cd599d233c65fc41d6977fa3ce9c6e91d71d676136b12c5e35480c18f98c4b84fd1ba3e983c5b704e5456

C:\Windows\SysWOW64\Ldoaklml.exe

MD5 9ecc322f24f696099cf379c0f76815e6
SHA1 16db6dc13312f881105b47f1e730442cf53d326b
SHA256 79cab33fbe62ed8ca1d889fb066029db1e173016c9df04c096c3214cd3c65543
SHA512 dee4a305b30e415856cc57a1e3f9bfac9367f74a7ed28c0a47e2cfc9b98d8e0c91b733563057854c6408fb5e53ecac3f5e104ce71a36f63ca39a09a18a6203d7

C:\Windows\SysWOW64\Lpebpm32.exe

MD5 c28a54502f45cfae164d3e0a0d5e7682
SHA1 4e2e066ac0cfbbcf514f5b2984df8d4901f78093
SHA256 9c73ecd65d71b92a2a9dace7e715861a21a5c5ceb89b05f5f3091f956dfd09a0
SHA512 9bbc3577a975afa2bf6558c71b231771f4b4c7faca1c8e2725566f1682656b590d77d3b9a46452bab4f101ad545388f3fe6af2082224e259b0b04c0a3a25bf51

C:\Windows\SysWOW64\Mipcob32.exe

MD5 1c5a77c867b1e941b823f0169a68ed88
SHA1 23c6412efc032b516bf03b0ddbfdc92d7a9cfba7
SHA256 1c0abcbd5dec358cc16131d51cd52587fd64374f3ea6346f203d6ef35c2daefe
SHA512 a7ca7252a9e239cb1205e6a7a699149a058345ee34aadc3ab44e0677992871c780fecb75f9db0159f59f0d9274e49247227b4f05164fa098966ef2f05e42fc39

C:\Windows\SysWOW64\Mmnldp32.exe

MD5 791fdeccc1ddb020454ee8216f902af3
SHA1 6adb301810e247857a8ed4a0912223bd54dd6d4c
SHA256 a163f1d8856db22eab4dc1dbd2fcd67fa22898ef4afa172545ea32097d35546b
SHA512 9c00817507b0da301b34bc1bbd46176713b25e209fc3a218dd8635002c6751ddea2acc34092f2238f277fb370cdfd637a9330979c650b6309fdd5b69b0d9f9ff

C:\Windows\SysWOW64\Mgfqmfde.exe

MD5 f6d4c202d0a1ea2c2a712ee584fc6adb
SHA1 c9c8391b35b23f99ff9dc4f8b87d81bda3192933
SHA256 50cc2c6ce38adbbffc503051d683c0c850c46d71d50df23862c5873caf3c2eb3
SHA512 b9f89b5da2607be05c9e4b1dfe37c384a4d0ca40eba4b211ae2b57621a8ef33e0ca5e714cf128e63d4b981ddad0aecc9eb35cf275fdeff4aae598276836a09a3

C:\Windows\SysWOW64\Mcmabg32.exe

MD5 fa3d3e4c00ffad5a93736e026badb3fe
SHA1 d2dddfff879b27fdcda618614f4298a68969439d
SHA256 0e73fc7d72cd1fda8485d2ba02499bad251869f4357a4ad34f71ffc9d45d185f
SHA512 b4b738cf303c68f40a241f9221d7b06c51144d498f49f891e002295fbd4052544bd67e4e4b2d50198de572cb91f2a9e946fc42eb0f187bfd084d38e16d670cb1

C:\Windows\SysWOW64\Npmagine.exe

MD5 073af784572593f7eb244ae0bd81e580
SHA1 de9e29db43388a38ea557acc6157baa836f988ad
SHA256 57cf4e20d0704abe5f610fd32f6a37f61044297b71308d680b4a1606baf62da7
SHA512 6ea8321c12e375a8bee9728aa19b85833d8c161d1626e7d4cf353258fd897e88fb8910fa2cef6a6d8b4215f8d11fdd174b335442d2f6909acb1868d44ea297fb

C:\Windows\SysWOW64\Ogifjcdp.exe

MD5 a39ac43966962aa293949dea0bd8859d
SHA1 2e79775ca46225fee97c6617cd223a737ff1106c
SHA256 e4896bb3ae3836ee09e32546da6b9fe896504e0527bb932a5a4e66c0ff764534
SHA512 93930f19967ba348b784b1759714a7c9a799f2ebc57b3d49bc49b622ec1f2ac1ff5700454968c957157ce52f468e64e44abb2ac128a45cdfbddb66ec301f4140

C:\Windows\SysWOW64\Onhhamgg.exe

MD5 04667cccfea8105f2e5a8080abb4adaa
SHA1 b2bb8ed2f74e37a7471880c4cebe4f62873c7871
SHA256 759769306ecace75b7c9023d1d1c424e338ab266d842e27c1a964e64ffa4aa78
SHA512 ef02329b9a3332d9f23d8399d18b6cc9f3f2e3b001b564c2112bb16be4b21faaf58b8f77ed6269c035bd91f192550386323ceb54f33595e842aef95133763a8b

C:\Windows\SysWOW64\Pfjcgn32.exe

MD5 cda9b069e74a23d40e81fb5f34207863
SHA1 eda2f450c34ebac631617a2e1fc5aa088a1a4d05
SHA256 64b9ec36daba6e49c1734baddb06eab55fd1ac25229df8f476743cdb1f8d5a81
SHA512 6e03b7b50d217fdf9ad945c1c9ed404fba9d76bd77b10270d5a483659fa62f849968ce384f1893caa99bd01262c361ec1dfc1bfb68c7c46b70a757b86c385963

C:\Windows\SysWOW64\Pdmpje32.exe

MD5 742056995bad9f002dff3463088b3bb4
SHA1 ef5ab154fd7bdefd83d42bc8367df03ad9a7e423
SHA256 a2b7d6eb1fe81c666838d10315da7f09f01d96692ccc3ea807c4fa0ac5006a0c
SHA512 2a42f60f6cf3633fa686dcf25e29f3794764bd1adca74a40a447ef6ce271f550855ca6bccbadd5bae05a955eee4f97b403b2bb6b65c7e0071536551544a2b828

C:\Windows\SysWOW64\Pdpmpdbd.exe

MD5 c3598868d148a5aaf02c7181ae313b15
SHA1 a8b8cd06037d5db2fc3669813dddde87bbc91b71
SHA256 ddb2562b021e69beb14b1ae1a4bf4cc67778a581539b3fd195b47776a41a90e7
SHA512 c599fb9561660e52794cd64724dec9692aa078a346b61c50e68f6f9f67af8aea49ab6426a89a14a3c2a94b1b9555155cc42a3c53e3e5a79d8dec85b09a4cad8f

C:\Windows\SysWOW64\Qdbiedpa.exe

MD5 9c9b8b74833d7b4bd9306fa243770c99
SHA1 52ffffa4f884cd02daccb5705f8259d6f5653f10
SHA256 8cf8cf42036da2725779cf19155ad64e00f71f13b4295fa995c79962b10aef52
SHA512 d81a85cbbbbd0d409d6537d6850557e8e9f2609b7cb88e0fce7831c1f69c8c194139b4960114a1eaee63de6f4b4db8d1a0eef3c0b259fae1ce24b5f3d01a3bd1

C:\Windows\SysWOW64\Qffbbldm.exe

MD5 72bda084b2113d097dac4a3605f0252f
SHA1 34fdea77d5e28b1d17cd015d49595fba04b4fdd9
SHA256 a65848bc6f3b6f3ac38c9719cec9c31448a70676acd78f771cff8d0e49a98a74
SHA512 5f5bc1cd2a796f0396bdab102e1cc98cdb892f58a62a2c73aecedf612cbed15a23a8b850b35eade3858d5b02e1e632c8a15a9e12906923cd280f22ad6c8ece59

C:\Windows\SysWOW64\Aqkgpedc.exe

MD5 5d3d65ca193f0573dbb8bb8e8d6aab63
SHA1 93969650578ea9596fc5824ed18313ad9789e15f
SHA256 755c6166624f2b28d5c4280a3ac0b54fc6e4da4599f8ab76def9be0cd4819af7
SHA512 6985b7740866269b2392bcbfe6af7975a90dc16ef906f15121b41083e10ca82a5da6e50cefa40a9117fb176bcef0a7347dd6aae99ea06cff348ff9e2164251ad

C:\Windows\SysWOW64\Anogiicl.exe

MD5 fc12dc2a6316263bd299fc2b293e6f81
SHA1 96bcd394f5b79eeac0a966803768ce8ae0694d6b
SHA256 cc4e3ed8d39e639c23c0db84c7d46a983f91bf41bbb469f3986dc7019ee59cc3
SHA512 3da892ef1ba936ddd90a3f618a374d767c8b75dc8335d2f41bfc3748c15bdac750fa3634b97895355786d8b4b2cb16c75e59d05fc0ad3721a6198ebe6319ce6d

C:\Windows\SysWOW64\Aeklkchg.exe

MD5 2c09b9808082b360bc8049c3af9c05a9
SHA1 cbd1767d66214796a1966ed5ff588ab03f10d4a3
SHA256 b35b9769b6d4f917e2251e02765342712e4d59004c619d21a5b79a867bc15506
SHA512 e04fb5f778ab89efe0d9a9ddb65ff38d5b800ca52f16f8020b75adcda52641bb3c9d4309dbf04c6b734c51e7043b9e4b25d0e6a44d41007e7f6e775bff72fc97

C:\Windows\SysWOW64\Aeniabfd.exe

MD5 10ff5c05bb7b07843f5405fb8b8c88e9
SHA1 6f3d4816713284f95aaa20ed5c5e9bae8c0235b4
SHA256 c7ea66c00bf4da279a84f7627f0acf9bb256c480f9db6c5bbb38bb2d7784728d
SHA512 5c1771d57f89b3df5e36ad6c812fcf8d5e0facde069806072022a24b1294902b58ae5389839717381511a206b6fb84bcd72fedde856b1618e149ff75c8a99988

C:\Windows\SysWOW64\Bnhjohkb.exe

MD5 e0a19b22dc4277e89ae8355dfe770993
SHA1 b2a86a0e1f0ea5601faf9b23417ea60310f2a33d
SHA256 dcfccfe9e986917e35a6192164867b3789022487e076ebf7e95186492a4706dd
SHA512 bd8dd2b0a29fe1b7e463b89df3162fd52eb749d2dc0c3c23bf84a31c6a2f6972685c53f72a237bef468b5fcbda701a399244c17a2230c820fe35e43fc500eb69

C:\Windows\SysWOW64\Baicac32.exe

MD5 8932d2ac0833b0932a6bdac9376d1053
SHA1 944619649743eb8ea48ce12b64e53eb85beab7c1
SHA256 cf5934b26b803556fddcb98ee8bd811917a0232d5f867f8bf0d58c1ac99cffb1
SHA512 fda80a1547f379abc87127c9d541dbfbdcfff8a39b3b90e9035ed2e0d4b57593b9b622ee21498cb0c64d5bf86fed9991d72490453da563024bda36074fbfe0c9

C:\Windows\SysWOW64\Bjagjhnc.exe

MD5 549eeabedc96063d5f663265d9af8c33
SHA1 bd8be332a2d285bda8009292d76dc444acadc277
SHA256 d28f2366f11e115f3fa9550f3e4eaaeae4cbe0854987c7bf68ea57171815ed14
SHA512 e20f9728333da8b11173384e2f5941bf28fd11794a5adbb92095b13dac44bcffa5aa55704e93f8c3d359d67851f7dd44717f8f9cd7d2d7af347570990cab26b4

C:\Windows\SysWOW64\Bclhhnca.exe

MD5 6fe0556edba2c31caba8a0304e91a4be
SHA1 e1821a09e934fd5aad94c814a7641c6dd8785d9c
SHA256 16d8f993066712879ef8486d292a5e2dc6285c665e48e97b2f5b40f44f5cedc4
SHA512 335b0a1317fcde9c0c0640f5eb63bfe562b3fb2ab6cad54cbcda96e50a13f5b131f8b5a1483f957dcdb81a10d45f226e6cf023e928eae91ecf82febef0a18e8d

C:\Windows\SysWOW64\Chjaol32.exe

MD5 d179e071552bfa0da8f0ee93f057c759
SHA1 0d1ba3ed8c3562028dcbcc391d045ef291dc4a77
SHA256 a9a0ef28494a2e1fb4a5d76bb380948c01cf1ef0a53096687bb9a82a8807b1a9
SHA512 71a7faf57433cb6bf57a5ce5366c2c2339148d7acf1338f722796895e68077d20c1987aac2f1087857a644692160e734202886b100c1dc267cd396a61e145c26

C:\Windows\SysWOW64\Cmlcbbcj.exe

MD5 fe84592cb1a875c8bd4d27ae3d28e69a
SHA1 850c0464f076db2630967da647552995f98ca7c2
SHA256 9818cd86b6306f37c31c8b8a10cd7a377c57ed6adf0c56b4f7183f5089110d61
SHA512 0c70a1f78bfdfef72b7170f5a5fc2e33747a50174a898c1c653f26e6810bd144304433060cc6e02bf682d09c760fc3928a81fc6155b6208a906c72cfe2551a08

C:\Windows\SysWOW64\Chagok32.exe

MD5 3ec8c43b21a5d1f83ae7f8a07977c3f4
SHA1 2e72d8537964d1ed6c2963429754e97c564b2dd5
SHA256 b3691c561cc4f614d08a1ee5b6f10b54801e6597eb49c6a4a7309e74d478ff12
SHA512 6111cca7704b0f67f5542a1d3663c2b472a9ac6ea11f682f1aede479038f330ede1040abd23b46ceaf5c825dd6efa55191b40ddfd69d250befc62a0a9b76df05

C:\Windows\SysWOW64\Cjbpaf32.exe

MD5 a573258db954845caea2b5f735b2ebe9
SHA1 b0603e9a698587d86e03883789d6102a01182c2a
SHA256 b95afe9b459425e0f964a8615b8417e278e90a0cda0c1cde45627513510623d0
SHA512 dd97e39731f4369bd369889a65e0c4029f1187a38f5141bc4d191a228de4c694d4e0e3f6804c7c917281a3098f8afb381ea7b5ad2b500d967325532f2762f2a2

C:\Windows\SysWOW64\Dejacond.exe

MD5 2df791844de2e9fb8624e7b235348979
SHA1 361a09229205203b3d8d4e0e858603753fcc8e4a
SHA256 32b2f00612710f167fa41a71763b975f0d7ab3b88066f3bd556da4b8ca504bfc
SHA512 b52270b1ec70dd9a7facd0107c9c90eac67b316bb9d16ccd1fb30d43cefdf7cf85b24cf2888ed728b293d788b8e69978cc184a086968fc0daee5aa508ee96bc3

C:\Windows\SysWOW64\Daqbip32.exe

MD5 1866b2b32ffd3480087a163d4f83f94b
SHA1 6cf47e9700c7c4dbcb1347cf658a1faeda827376
SHA256 7c1b5ea68cbaaf1e3683de612c109281d1affce2f3c29154854e5e07269acd35
SHA512 314e9bf65a78855faaf79a9a808686ade9eb828814b0c47d24b1a07e868f8675cc7e10d4df1a2db2c194e2b3b2c3aa6a6e288e580027198dcdf4f29144d34b94

C:\Windows\SysWOW64\Ddonekbl.exe

MD5 5847b8ce80f6bbbfd4074280f8fe39e1
SHA1 7a7e9869ab5ff3f8f21f967ccd5898d9c45809e1
SHA256 5d961e13f9448d1fcddeb1e72f9845356b16f89e0f02d557a8668118a6e592ea
SHA512 1d9783597fc621fdfe56459ffba62fa233dedf7dc94b56f558f18ec9d502a7f86bb3f5afb7f345ca9c302fbb35bfb71d6871e1848dac6d4b9e7e683d9b7ee79f

C:\Windows\SysWOW64\Dhocqigp.exe

MD5 089712acb80718418e98eec70cef1502
SHA1 5a4692f7b592276cf072ed5bedf7c94df18358fe
SHA256 c309f176ae3bb7acc32819aebb1b7ac6a583d2ea427a782cb15c6006dfa4ac18
SHA512 016bf492f21a83cac16be2c223c9c79d5b55c445124161691162a7f7a067d9f1b3d98672f1263629fdd11c1b025d63fbdd412e5cbcced11b7aaf4796ed272358

C:\Windows\SysWOW64\Dmllipeg.exe

MD5 833e3d80545caf0bb18b959c2a36b326
SHA1 c5921b2ff2d5f504f516c00201ee9ccd426f52f4
SHA256 19c36cd1ffa418ee95a60feba877ca24bb48931c0b9be641dd3864016a58cd14
SHA512 ca1ba51123d8c5a082e82a01b3a881520376a979cb96fe000f9e5c51a8ae0b633a2a2e63c4a4efd99c723c09967e4fefe7a9993de620b9b36990c946561be9dc