Malware Analysis Report

2024-10-19 09:40

Sample ID 240613-pzc5ssyhqa
Target 7d4e811a1aea2dc42ab2a3882c013440_NeikiAnalytics.exe
SHA256 e0da8e4cb37982904155d625bcbde89039ff853bebeb645548ab872c983f59ee
Tags
persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e0da8e4cb37982904155d625bcbde89039ff853bebeb645548ab872c983f59ee

Threat Level: Known bad

The file 7d4e811a1aea2dc42ab2a3882c013440_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

persistence

Adds autorun key to be loaded by Explorer.exe on startup

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Program crash

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 12:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 12:45

Reported

2024-06-13 12:48

Platform

win10v2004-20240611-en

Max time kernel

93s

Max time network

102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7d4e811a1aea2dc42ab2a3882c013440_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nafokcol.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ojmcld32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ibcmom32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ffimfqgm.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gfembo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iejcji32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Miemjaci.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mdmegp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pcjapi32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gkaejf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hckjacjg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Onjegled.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dfknkg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pbbgnpgl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ddmhja32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dahode32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Olfobjbg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mnapdf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kipkhdeq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ffkjlp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mgnnhk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dldpkoil.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fdialn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ogcpjhoq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jmbdbd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lfhdlh32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nbhkac32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Calhnpgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cdkldb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fllpbldb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gbbkaako.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cenahpha.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ojalgcnd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pcjapi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Abbpem32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Becifhfj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ldleel32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lljfpnjg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pnfkma32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Abemjmgg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bjbndobo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bjbndobo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kpjjod32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kajfig32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mkbchk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hfnphn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dkljak32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ecmeig32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Megdccmb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ndaggimg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eapedd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nepgjaeg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dkjmlk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ilghlc32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kpjcdn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Leihbeib.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gokdeeec.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kemhff32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kmfmmcbo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Baicac32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gcimkc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lingibiq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nfjjppmm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Agoabn32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Kaemnhla.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbfiep32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kknafn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kmlnbi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kpjjod32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kgdbkohf.exe N/A
N/A N/A C:\Windows\SysWOW64\Kibnhjgj.exe N/A
N/A N/A C:\Windows\SysWOW64\Kajfig32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdhbec32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kgfoan32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lmqgnhmp.exe N/A
N/A N/A C:\Windows\SysWOW64\Lpocjdld.exe N/A
N/A N/A C:\Windows\SysWOW64\Lcmofolg.exe N/A
N/A N/A C:\Windows\SysWOW64\Liggbi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lpappc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lcpllo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lijdhiaa.exe N/A
N/A N/A C:\Windows\SysWOW64\Lpcmec32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lcbiao32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lnhmng32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ldaeka32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgpagm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ljnnch32.exe N/A
N/A N/A C:\Windows\SysWOW64\Laefdf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lcgblncm.exe N/A
N/A N/A C:\Windows\SysWOW64\Lknjmkdo.exe N/A
N/A N/A C:\Windows\SysWOW64\Mnlfigcc.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdfofakp.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjcgohig.exe N/A
N/A N/A C:\Windows\SysWOW64\Mpmokb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mkbchk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mnapdf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdkhapfj.exe N/A
N/A N/A C:\Windows\SysWOW64\Mkepnjng.exe N/A
N/A N/A C:\Windows\SysWOW64\Maohkd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdmegp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mglack32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjjmog32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mnfipekh.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdpalp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgnnhk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Njljefql.exe N/A
N/A N/A C:\Windows\SysWOW64\Nacbfdao.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndbnboqb.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngpjnkpf.exe N/A
N/A N/A C:\Windows\SysWOW64\Njogjfoj.exe N/A
N/A N/A C:\Windows\SysWOW64\Nafokcol.exe N/A
N/A N/A C:\Windows\SysWOW64\Nddkgonp.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngcgcjnc.exe N/A
N/A N/A C:\Windows\SysWOW64\Njacpf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbhkac32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndghmo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngedij32.exe N/A
N/A N/A C:\Windows\SysWOW64\Njcpee32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbkhfc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndidbn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nggqoj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Njfmke32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbmelbid.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndkahnhh.exe N/A
N/A N/A C:\Windows\SysWOW64\Ogjmdigk.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojhiqefo.exe N/A
N/A N/A C:\Windows\SysWOW64\Oqbamo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ocqnij32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Ddmhja32.exe C:\Windows\SysWOW64\Dekhneap.exe N/A
File created C:\Windows\SysWOW64\Iledokkp.dll C:\Windows\SysWOW64\Ildkgc32.exe N/A
File created C:\Windows\SysWOW64\Nafokcol.exe C:\Windows\SysWOW64\Njogjfoj.exe N/A
File created C:\Windows\SysWOW64\Chmbmidf.dll C:\Windows\SysWOW64\Pcjapi32.exe N/A
File created C:\Windows\SysWOW64\Ebooppnl.dll C:\Windows\SysWOW64\Ojmcld32.exe N/A
File created C:\Windows\SysWOW64\Ldanqkki.exe C:\Windows\SysWOW64\Lljfpnjg.exe N/A
File created C:\Windows\SysWOW64\Mpjlklok.exe C:\Windows\SysWOW64\Mipcob32.exe N/A
File created C:\Windows\SysWOW64\Pjcbbmif.exe C:\Windows\SysWOW64\Pdfjifjo.exe N/A
File created C:\Windows\SysWOW64\Acqimo32.exe C:\Windows\SysWOW64\Ajhddjfn.exe N/A
File opened for modification C:\Windows\SysWOW64\Dmllipeg.exe C:\Windows\SysWOW64\Doilmc32.exe N/A
File created C:\Windows\SysWOW64\Kgfoan32.exe C:\Windows\SysWOW64\Kdhbec32.exe N/A
File created C:\Windows\SysWOW64\Gefncbmc.dll C:\Windows\SysWOW64\Lgpagm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Qalnjkgo.exe C:\Windows\SysWOW64\Qnnanphk.exe N/A
File created C:\Windows\SysWOW64\Colffknh.exe C:\Windows\SysWOW64\Ckpjfm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Baicac32.exe C:\Windows\SysWOW64\Bnkgeg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mnfipekh.exe C:\Windows\SysWOW64\Mjjmog32.exe N/A
File created C:\Windows\SysWOW64\Pclneicb.exe C:\Windows\SysWOW64\Pqnaim32.exe N/A
File created C:\Windows\SysWOW64\Becbkfdh.dll C:\Windows\SysWOW64\Colffknh.exe N/A
File created C:\Windows\SysWOW64\Jlednamo.exe C:\Windows\SysWOW64\Jmbdbd32.exe N/A
File created C:\Windows\SysWOW64\Dodbbdbb.exe C:\Windows\SysWOW64\Dfnjafap.exe N/A
File opened for modification C:\Windows\SysWOW64\Dodbbdbb.exe C:\Windows\SysWOW64\Dfnjafap.exe N/A
File opened for modification C:\Windows\SysWOW64\Kgfoan32.exe C:\Windows\SysWOW64\Kdhbec32.exe N/A
File created C:\Windows\SysWOW64\Filmclmj.dll C:\Windows\SysWOW64\Ocqnij32.exe N/A
File created C:\Windows\SysWOW64\Faihkbci.exe C:\Windows\SysWOW64\Fojlngce.exe N/A
File opened for modification C:\Windows\SysWOW64\Hcpclbfa.exe C:\Windows\SysWOW64\Hodgkc32.exe N/A
File created C:\Windows\SysWOW64\Naqcfnjk.dll C:\Windows\SysWOW64\Faihkbci.exe N/A
File created C:\Windows\SysWOW64\Bjmjdbam.dll C:\Windows\SysWOW64\Pdmpje32.exe N/A
File created C:\Windows\SysWOW64\Bpflfc32.dll C:\Windows\SysWOW64\Anpncp32.exe N/A
File created C:\Windows\SysWOW64\Flioncbc.dll C:\Windows\SysWOW64\Dbaemi32.exe N/A
File created C:\Windows\SysWOW64\Bapolp32.dll C:\Windows\SysWOW64\Dafbne32.exe N/A
File created C:\Windows\SysWOW64\Gbdgfa32.exe C:\Windows\SysWOW64\Gofkje32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mgimcebb.exe C:\Windows\SysWOW64\Miemjaci.exe N/A
File created C:\Windows\SysWOW64\Pmgmnjcj.dll C:\Windows\SysWOW64\Bganhm32.exe N/A
File created C:\Windows\SysWOW64\Njcqqgjb.dll C:\Windows\SysWOW64\Mnapdf32.exe N/A
File created C:\Windows\SysWOW64\Njacpf32.exe C:\Windows\SysWOW64\Ngcgcjnc.exe N/A
File opened for modification C:\Windows\SysWOW64\Alabgd32.exe C:\Windows\SysWOW64\Acjjfggb.exe N/A
File created C:\Windows\SysWOW64\Anbkio32.exe C:\Windows\SysWOW64\Aldomc32.exe N/A
File created C:\Windows\SysWOW64\Dafbne32.exe C:\Windows\SysWOW64\Dccbbhld.exe N/A
File created C:\Windows\SysWOW64\Fchddejl.exe C:\Windows\SysWOW64\Fkalchij.exe N/A
File opened for modification C:\Windows\SysWOW64\Nacbfdao.exe C:\Windows\SysWOW64\Njljefql.exe N/A
File created C:\Windows\SysWOW64\Njcpee32.exe C:\Windows\SysWOW64\Ngedij32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ddmhja32.exe C:\Windows\SysWOW64\Dekhneap.exe N/A
File opened for modification C:\Windows\SysWOW64\Fhqcam32.exe C:\Windows\SysWOW64\Febgea32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gdcdbl32.exe C:\Windows\SysWOW64\Gfpcgpae.exe N/A
File opened for modification C:\Windows\SysWOW64\Lljfpnjg.exe C:\Windows\SysWOW64\Likjcbkc.exe N/A
File created C:\Windows\SysWOW64\Cagecd32.dll C:\Windows\SysWOW64\Pkfblfab.exe N/A
File opened for modification C:\Windows\SysWOW64\Bhaebcen.exe C:\Windows\SysWOW64\Becifhfj.exe N/A
File opened for modification C:\Windows\SysWOW64\Qecppkdm.exe C:\Windows\SysWOW64\Pbddcoei.exe N/A
File created C:\Windows\SysWOW64\Pllfhkno.dll C:\Windows\SysWOW64\Blpnib32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jmpgldhg.exe C:\Windows\SysWOW64\Jehokgge.exe N/A
File opened for modification C:\Windows\SysWOW64\Lgpagm32.exe C:\Windows\SysWOW64\Ldaeka32.exe N/A
File created C:\Windows\SysWOW64\Ocbakl32.dll C:\Windows\SysWOW64\Mdfofakp.exe N/A
File created C:\Windows\SysWOW64\Pmfhig32.exe C:\Windows\SysWOW64\Pjhlml32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ambgef32.exe C:\Windows\SysWOW64\Anogiicl.exe N/A
File created C:\Windows\SysWOW64\Eocqqdjh.dll C:\Windows\SysWOW64\Demecd32.exe N/A
File created C:\Windows\SysWOW64\Jmmjgejj.exe C:\Windows\SysWOW64\Jfcbjk32.exe N/A
File created C:\Windows\SysWOW64\Hmjehihl.dll C:\Windows\SysWOW64\Dohfbj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Qmmnjfnl.exe C:\Windows\SysWOW64\Qceiaa32.exe N/A
File created C:\Windows\SysWOW64\Becifhfj.exe C:\Windows\SysWOW64\Abemjmgg.exe N/A
File opened for modification C:\Windows\SysWOW64\Daaicfgd.exe C:\Windows\SysWOW64\Docmgjhp.exe N/A
File created C:\Windows\SysWOW64\Olhlhjpd.exe C:\Windows\SysWOW64\Ofnckp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Odocigqg.exe C:\Windows\SysWOW64\Olhlhjpd.exe N/A
File created C:\Windows\SysWOW64\Codhke32.dll C:\Windows\SysWOW64\Mjjmog32.exe N/A
File created C:\Windows\SysWOW64\Ffhoqj32.dll C:\Windows\SysWOW64\Kfoafi32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dmllipeg.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ojalgcnd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bhaebcen.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Elgfgl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjhcgd32.dll" C:\Windows\SysWOW64\Ghaliknf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cbjoljdo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hmjdjgjo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jimekgff.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndqgbjkm.dll" C:\Windows\SysWOW64\Jeklag32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kfoafi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qddfkd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gmoeoidl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hmjdjgjo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ncfdie32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pjeoglgc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dfnjafap.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egjpehcm.dll" C:\Windows\SysWOW64\Obdkma32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cojjqlpk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dkljak32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olgkhn32.dll" C:\Windows\SysWOW64\Eeidoc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Eapedd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Faihkbci.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fhgjblfq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ognpebpj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lpappc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bhaebcen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Eolpmi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Febgea32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Imfdff32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pclgkb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cajlhqjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll" C:\Windows\SysWOW64\Dfnjafap.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ogogoi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khkaedic.dll" C:\Windows\SysWOW64\Gokdeeec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odgdacjh.dll" C:\Windows\SysWOW64\Nepgjaeg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ojllan32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Agjhgngj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qgallfcq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ncfdie32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ckedalaj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dlncan32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lmdina32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Njcpee32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qnnanphk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hbpgbo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneljh32.dll" C:\Windows\SysWOW64\Bnkgeg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pqnaim32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejmcmk32.dll" C:\Windows\SysWOW64\Ajneip32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ddpeoafg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gdqgmmjb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ndaggimg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Odocigqg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Accfbokl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Liggbi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gbdgfa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hodgkc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ljnnch32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dikngm32.dll" C:\Windows\SysWOW64\Pqnaim32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ioeeep32.dll" C:\Windows\SysWOW64\Aealah32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhilj32.dll" C:\Windows\SysWOW64\Gbbkaako.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kplpjn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll" C:\Windows\SysWOW64\Mdkhapfj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ndbnboqb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dhbgqohi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dldpkoil.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1776 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\7d4e811a1aea2dc42ab2a3882c013440_NeikiAnalytics.exe C:\Windows\SysWOW64\Kaemnhla.exe
PID 1776 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\7d4e811a1aea2dc42ab2a3882c013440_NeikiAnalytics.exe C:\Windows\SysWOW64\Kaemnhla.exe
PID 1776 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\7d4e811a1aea2dc42ab2a3882c013440_NeikiAnalytics.exe C:\Windows\SysWOW64\Kaemnhla.exe
PID 4896 wrote to memory of 216 N/A C:\Windows\SysWOW64\Kaemnhla.exe C:\Windows\SysWOW64\Kbfiep32.exe
PID 4896 wrote to memory of 216 N/A C:\Windows\SysWOW64\Kaemnhla.exe C:\Windows\SysWOW64\Kbfiep32.exe
PID 4896 wrote to memory of 216 N/A C:\Windows\SysWOW64\Kaemnhla.exe C:\Windows\SysWOW64\Kbfiep32.exe
PID 216 wrote to memory of 1092 N/A C:\Windows\SysWOW64\Kbfiep32.exe C:\Windows\SysWOW64\Kknafn32.exe
PID 216 wrote to memory of 1092 N/A C:\Windows\SysWOW64\Kbfiep32.exe C:\Windows\SysWOW64\Kknafn32.exe
PID 216 wrote to memory of 1092 N/A C:\Windows\SysWOW64\Kbfiep32.exe C:\Windows\SysWOW64\Kknafn32.exe
PID 1092 wrote to memory of 2880 N/A C:\Windows\SysWOW64\Kknafn32.exe C:\Windows\SysWOW64\Kmlnbi32.exe
PID 1092 wrote to memory of 2880 N/A C:\Windows\SysWOW64\Kknafn32.exe C:\Windows\SysWOW64\Kmlnbi32.exe
PID 1092 wrote to memory of 2880 N/A C:\Windows\SysWOW64\Kknafn32.exe C:\Windows\SysWOW64\Kmlnbi32.exe
PID 2880 wrote to memory of 3792 N/A C:\Windows\SysWOW64\Kmlnbi32.exe C:\Windows\SysWOW64\Kpjjod32.exe
PID 2880 wrote to memory of 3792 N/A C:\Windows\SysWOW64\Kmlnbi32.exe C:\Windows\SysWOW64\Kpjjod32.exe
PID 2880 wrote to memory of 3792 N/A C:\Windows\SysWOW64\Kmlnbi32.exe C:\Windows\SysWOW64\Kpjjod32.exe
PID 3792 wrote to memory of 4092 N/A C:\Windows\SysWOW64\Kpjjod32.exe C:\Windows\SysWOW64\Kgdbkohf.exe
PID 3792 wrote to memory of 4092 N/A C:\Windows\SysWOW64\Kpjjod32.exe C:\Windows\SysWOW64\Kgdbkohf.exe
PID 3792 wrote to memory of 4092 N/A C:\Windows\SysWOW64\Kpjjod32.exe C:\Windows\SysWOW64\Kgdbkohf.exe
PID 4092 wrote to memory of 4148 N/A C:\Windows\SysWOW64\Kgdbkohf.exe C:\Windows\SysWOW64\Kibnhjgj.exe
PID 4092 wrote to memory of 4148 N/A C:\Windows\SysWOW64\Kgdbkohf.exe C:\Windows\SysWOW64\Kibnhjgj.exe
PID 4092 wrote to memory of 4148 N/A C:\Windows\SysWOW64\Kgdbkohf.exe C:\Windows\SysWOW64\Kibnhjgj.exe
PID 4148 wrote to memory of 5096 N/A C:\Windows\SysWOW64\Kibnhjgj.exe C:\Windows\SysWOW64\Kajfig32.exe
PID 4148 wrote to memory of 5096 N/A C:\Windows\SysWOW64\Kibnhjgj.exe C:\Windows\SysWOW64\Kajfig32.exe
PID 4148 wrote to memory of 5096 N/A C:\Windows\SysWOW64\Kibnhjgj.exe C:\Windows\SysWOW64\Kajfig32.exe
PID 5096 wrote to memory of 1696 N/A C:\Windows\SysWOW64\Kajfig32.exe C:\Windows\SysWOW64\Kdhbec32.exe
PID 5096 wrote to memory of 1696 N/A C:\Windows\SysWOW64\Kajfig32.exe C:\Windows\SysWOW64\Kdhbec32.exe
PID 5096 wrote to memory of 1696 N/A C:\Windows\SysWOW64\Kajfig32.exe C:\Windows\SysWOW64\Kdhbec32.exe
PID 1696 wrote to memory of 396 N/A C:\Windows\SysWOW64\Kdhbec32.exe C:\Windows\SysWOW64\Kgfoan32.exe
PID 1696 wrote to memory of 396 N/A C:\Windows\SysWOW64\Kdhbec32.exe C:\Windows\SysWOW64\Kgfoan32.exe
PID 1696 wrote to memory of 396 N/A C:\Windows\SysWOW64\Kdhbec32.exe C:\Windows\SysWOW64\Kgfoan32.exe
PID 396 wrote to memory of 2164 N/A C:\Windows\SysWOW64\Kgfoan32.exe C:\Windows\SysWOW64\Lmqgnhmp.exe
PID 396 wrote to memory of 2164 N/A C:\Windows\SysWOW64\Kgfoan32.exe C:\Windows\SysWOW64\Lmqgnhmp.exe
PID 396 wrote to memory of 2164 N/A C:\Windows\SysWOW64\Kgfoan32.exe C:\Windows\SysWOW64\Lmqgnhmp.exe
PID 2164 wrote to memory of 724 N/A C:\Windows\SysWOW64\Lmqgnhmp.exe C:\Windows\SysWOW64\Lpocjdld.exe
PID 2164 wrote to memory of 724 N/A C:\Windows\SysWOW64\Lmqgnhmp.exe C:\Windows\SysWOW64\Lpocjdld.exe
PID 2164 wrote to memory of 724 N/A C:\Windows\SysWOW64\Lmqgnhmp.exe C:\Windows\SysWOW64\Lpocjdld.exe
PID 724 wrote to memory of 1796 N/A C:\Windows\SysWOW64\Lpocjdld.exe C:\Windows\SysWOW64\Lcmofolg.exe
PID 724 wrote to memory of 1796 N/A C:\Windows\SysWOW64\Lpocjdld.exe C:\Windows\SysWOW64\Lcmofolg.exe
PID 724 wrote to memory of 1796 N/A C:\Windows\SysWOW64\Lpocjdld.exe C:\Windows\SysWOW64\Lcmofolg.exe
PID 1796 wrote to memory of 3480 N/A C:\Windows\SysWOW64\Lcmofolg.exe C:\Windows\SysWOW64\Liggbi32.exe
PID 1796 wrote to memory of 3480 N/A C:\Windows\SysWOW64\Lcmofolg.exe C:\Windows\SysWOW64\Liggbi32.exe
PID 1796 wrote to memory of 3480 N/A C:\Windows\SysWOW64\Lcmofolg.exe C:\Windows\SysWOW64\Liggbi32.exe
PID 3480 wrote to memory of 2392 N/A C:\Windows\SysWOW64\Liggbi32.exe C:\Windows\SysWOW64\Lpappc32.exe
PID 3480 wrote to memory of 2392 N/A C:\Windows\SysWOW64\Liggbi32.exe C:\Windows\SysWOW64\Lpappc32.exe
PID 3480 wrote to memory of 2392 N/A C:\Windows\SysWOW64\Liggbi32.exe C:\Windows\SysWOW64\Lpappc32.exe
PID 2392 wrote to memory of 2468 N/A C:\Windows\SysWOW64\Lpappc32.exe C:\Windows\SysWOW64\Lcpllo32.exe
PID 2392 wrote to memory of 2468 N/A C:\Windows\SysWOW64\Lpappc32.exe C:\Windows\SysWOW64\Lcpllo32.exe
PID 2392 wrote to memory of 2468 N/A C:\Windows\SysWOW64\Lpappc32.exe C:\Windows\SysWOW64\Lcpllo32.exe
PID 2468 wrote to memory of 3752 N/A C:\Windows\SysWOW64\Lcpllo32.exe C:\Windows\SysWOW64\Lijdhiaa.exe
PID 2468 wrote to memory of 3752 N/A C:\Windows\SysWOW64\Lcpllo32.exe C:\Windows\SysWOW64\Lijdhiaa.exe
PID 2468 wrote to memory of 3752 N/A C:\Windows\SysWOW64\Lcpllo32.exe C:\Windows\SysWOW64\Lijdhiaa.exe
PID 3752 wrote to memory of 1388 N/A C:\Windows\SysWOW64\Lijdhiaa.exe C:\Windows\SysWOW64\Lpcmec32.exe
PID 3752 wrote to memory of 1388 N/A C:\Windows\SysWOW64\Lijdhiaa.exe C:\Windows\SysWOW64\Lpcmec32.exe
PID 3752 wrote to memory of 1388 N/A C:\Windows\SysWOW64\Lijdhiaa.exe C:\Windows\SysWOW64\Lpcmec32.exe
PID 1388 wrote to memory of 64 N/A C:\Windows\SysWOW64\Lpcmec32.exe C:\Windows\SysWOW64\Lcbiao32.exe
PID 1388 wrote to memory of 64 N/A C:\Windows\SysWOW64\Lpcmec32.exe C:\Windows\SysWOW64\Lcbiao32.exe
PID 1388 wrote to memory of 64 N/A C:\Windows\SysWOW64\Lpcmec32.exe C:\Windows\SysWOW64\Lcbiao32.exe
PID 64 wrote to memory of 1360 N/A C:\Windows\SysWOW64\Lcbiao32.exe C:\Windows\SysWOW64\Lnhmng32.exe
PID 64 wrote to memory of 1360 N/A C:\Windows\SysWOW64\Lcbiao32.exe C:\Windows\SysWOW64\Lnhmng32.exe
PID 64 wrote to memory of 1360 N/A C:\Windows\SysWOW64\Lcbiao32.exe C:\Windows\SysWOW64\Lnhmng32.exe
PID 1360 wrote to memory of 3996 N/A C:\Windows\SysWOW64\Lnhmng32.exe C:\Windows\SysWOW64\Ldaeka32.exe
PID 1360 wrote to memory of 3996 N/A C:\Windows\SysWOW64\Lnhmng32.exe C:\Windows\SysWOW64\Ldaeka32.exe
PID 1360 wrote to memory of 3996 N/A C:\Windows\SysWOW64\Lnhmng32.exe C:\Windows\SysWOW64\Ldaeka32.exe
PID 3996 wrote to memory of 3388 N/A C:\Windows\SysWOW64\Ldaeka32.exe C:\Windows\SysWOW64\Lgpagm32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7d4e811a1aea2dc42ab2a3882c013440_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\7d4e811a1aea2dc42ab2a3882c013440_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Kaemnhla.exe

C:\Windows\system32\Kaemnhla.exe

C:\Windows\SysWOW64\Kbfiep32.exe

C:\Windows\system32\Kbfiep32.exe

C:\Windows\SysWOW64\Kknafn32.exe

C:\Windows\system32\Kknafn32.exe

C:\Windows\SysWOW64\Kmlnbi32.exe

C:\Windows\system32\Kmlnbi32.exe

C:\Windows\SysWOW64\Kpjjod32.exe

C:\Windows\system32\Kpjjod32.exe

C:\Windows\SysWOW64\Kgdbkohf.exe

C:\Windows\system32\Kgdbkohf.exe

C:\Windows\SysWOW64\Kibnhjgj.exe

C:\Windows\system32\Kibnhjgj.exe

C:\Windows\SysWOW64\Kajfig32.exe

C:\Windows\system32\Kajfig32.exe

C:\Windows\SysWOW64\Kdhbec32.exe

C:\Windows\system32\Kdhbec32.exe

C:\Windows\SysWOW64\Kgfoan32.exe

C:\Windows\system32\Kgfoan32.exe

C:\Windows\SysWOW64\Lmqgnhmp.exe

C:\Windows\system32\Lmqgnhmp.exe

C:\Windows\SysWOW64\Lpocjdld.exe

C:\Windows\system32\Lpocjdld.exe

C:\Windows\SysWOW64\Lcmofolg.exe

C:\Windows\system32\Lcmofolg.exe

C:\Windows\SysWOW64\Liggbi32.exe

C:\Windows\system32\Liggbi32.exe

C:\Windows\SysWOW64\Lpappc32.exe

C:\Windows\system32\Lpappc32.exe

C:\Windows\SysWOW64\Lcpllo32.exe

C:\Windows\system32\Lcpllo32.exe

C:\Windows\SysWOW64\Lijdhiaa.exe

C:\Windows\system32\Lijdhiaa.exe

C:\Windows\SysWOW64\Lpcmec32.exe

C:\Windows\system32\Lpcmec32.exe

C:\Windows\SysWOW64\Lcbiao32.exe

C:\Windows\system32\Lcbiao32.exe

C:\Windows\SysWOW64\Lnhmng32.exe

C:\Windows\system32\Lnhmng32.exe

C:\Windows\SysWOW64\Ldaeka32.exe

C:\Windows\system32\Ldaeka32.exe

C:\Windows\SysWOW64\Lgpagm32.exe

C:\Windows\system32\Lgpagm32.exe

C:\Windows\SysWOW64\Ljnnch32.exe

C:\Windows\system32\Ljnnch32.exe

C:\Windows\SysWOW64\Laefdf32.exe

C:\Windows\system32\Laefdf32.exe

C:\Windows\SysWOW64\Lcgblncm.exe

C:\Windows\system32\Lcgblncm.exe

C:\Windows\SysWOW64\Lknjmkdo.exe

C:\Windows\system32\Lknjmkdo.exe

C:\Windows\SysWOW64\Mnlfigcc.exe

C:\Windows\system32\Mnlfigcc.exe

C:\Windows\SysWOW64\Mdfofakp.exe

C:\Windows\system32\Mdfofakp.exe

C:\Windows\SysWOW64\Mjcgohig.exe

C:\Windows\system32\Mjcgohig.exe

C:\Windows\SysWOW64\Mpmokb32.exe

C:\Windows\system32\Mpmokb32.exe

C:\Windows\SysWOW64\Mkbchk32.exe

C:\Windows\system32\Mkbchk32.exe

C:\Windows\SysWOW64\Mnapdf32.exe

C:\Windows\system32\Mnapdf32.exe

C:\Windows\SysWOW64\Mdkhapfj.exe

C:\Windows\system32\Mdkhapfj.exe

C:\Windows\SysWOW64\Mkepnjng.exe

C:\Windows\system32\Mkepnjng.exe

C:\Windows\SysWOW64\Maohkd32.exe

C:\Windows\system32\Maohkd32.exe

C:\Windows\SysWOW64\Mdmegp32.exe

C:\Windows\system32\Mdmegp32.exe

C:\Windows\SysWOW64\Mglack32.exe

C:\Windows\system32\Mglack32.exe

C:\Windows\SysWOW64\Mjjmog32.exe

C:\Windows\system32\Mjjmog32.exe

C:\Windows\SysWOW64\Mnfipekh.exe

C:\Windows\system32\Mnfipekh.exe

C:\Windows\SysWOW64\Mdpalp32.exe

C:\Windows\system32\Mdpalp32.exe

C:\Windows\SysWOW64\Mgnnhk32.exe

C:\Windows\system32\Mgnnhk32.exe

C:\Windows\SysWOW64\Njljefql.exe

C:\Windows\system32\Njljefql.exe

C:\Windows\SysWOW64\Nacbfdao.exe

C:\Windows\system32\Nacbfdao.exe

C:\Windows\SysWOW64\Ndbnboqb.exe

C:\Windows\system32\Ndbnboqb.exe

C:\Windows\SysWOW64\Ngpjnkpf.exe

C:\Windows\system32\Ngpjnkpf.exe

C:\Windows\SysWOW64\Njogjfoj.exe

C:\Windows\system32\Njogjfoj.exe

C:\Windows\SysWOW64\Nafokcol.exe

C:\Windows\system32\Nafokcol.exe

C:\Windows\SysWOW64\Nddkgonp.exe

C:\Windows\system32\Nddkgonp.exe

C:\Windows\SysWOW64\Ngcgcjnc.exe

C:\Windows\system32\Ngcgcjnc.exe

C:\Windows\SysWOW64\Njacpf32.exe

C:\Windows\system32\Njacpf32.exe

C:\Windows\SysWOW64\Nbhkac32.exe

C:\Windows\system32\Nbhkac32.exe

C:\Windows\SysWOW64\Ndghmo32.exe

C:\Windows\system32\Ndghmo32.exe

C:\Windows\SysWOW64\Ngedij32.exe

C:\Windows\system32\Ngedij32.exe

C:\Windows\SysWOW64\Njcpee32.exe

C:\Windows\system32\Njcpee32.exe

C:\Windows\SysWOW64\Nbkhfc32.exe

C:\Windows\system32\Nbkhfc32.exe

C:\Windows\SysWOW64\Ndidbn32.exe

C:\Windows\system32\Ndidbn32.exe

C:\Windows\SysWOW64\Nggqoj32.exe

C:\Windows\system32\Nggqoj32.exe

C:\Windows\SysWOW64\Njfmke32.exe

C:\Windows\system32\Njfmke32.exe

C:\Windows\SysWOW64\Nbmelbid.exe

C:\Windows\system32\Nbmelbid.exe

C:\Windows\SysWOW64\Ndkahnhh.exe

C:\Windows\system32\Ndkahnhh.exe

C:\Windows\SysWOW64\Ogjmdigk.exe

C:\Windows\system32\Ogjmdigk.exe

C:\Windows\SysWOW64\Ojhiqefo.exe

C:\Windows\system32\Ojhiqefo.exe

C:\Windows\SysWOW64\Oqbamo32.exe

C:\Windows\system32\Oqbamo32.exe

C:\Windows\SysWOW64\Ocqnij32.exe

C:\Windows\system32\Ocqnij32.exe

C:\Windows\SysWOW64\Okhfjh32.exe

C:\Windows\system32\Okhfjh32.exe

C:\Windows\SysWOW64\Onfbfc32.exe

C:\Windows\system32\Onfbfc32.exe

C:\Windows\SysWOW64\Odpjcm32.exe

C:\Windows\system32\Odpjcm32.exe

C:\Windows\SysWOW64\Ogogoi32.exe

C:\Windows\system32\Ogogoi32.exe

C:\Windows\SysWOW64\Ojmcld32.exe

C:\Windows\system32\Ojmcld32.exe

C:\Windows\SysWOW64\Obdkma32.exe

C:\Windows\system32\Obdkma32.exe

C:\Windows\SysWOW64\Odbgim32.exe

C:\Windows\system32\Odbgim32.exe

C:\Windows\SysWOW64\Okloegjl.exe

C:\Windows\system32\Okloegjl.exe

C:\Windows\SysWOW64\Onklabip.exe

C:\Windows\system32\Onklabip.exe

C:\Windows\SysWOW64\Oqihnn32.exe

C:\Windows\system32\Oqihnn32.exe

C:\Windows\SysWOW64\Ogcpjhoq.exe

C:\Windows\system32\Ogcpjhoq.exe

C:\Windows\SysWOW64\Ojalgcnd.exe

C:\Windows\system32\Ojalgcnd.exe

C:\Windows\SysWOW64\Oqkdcn32.exe

C:\Windows\system32\Oqkdcn32.exe

C:\Windows\SysWOW64\Pcjapi32.exe

C:\Windows\system32\Pcjapi32.exe

C:\Windows\SysWOW64\Pkaiqf32.exe

C:\Windows\system32\Pkaiqf32.exe

C:\Windows\SysWOW64\Pqnaim32.exe

C:\Windows\system32\Pqnaim32.exe

C:\Windows\SysWOW64\Pclneicb.exe

C:\Windows\system32\Pclneicb.exe

C:\Windows\SysWOW64\Pjffbc32.exe

C:\Windows\system32\Pjffbc32.exe

C:\Windows\SysWOW64\Pnbbbabh.exe

C:\Windows\system32\Pnbbbabh.exe

C:\Windows\SysWOW64\Peljol32.exe

C:\Windows\system32\Peljol32.exe

C:\Windows\SysWOW64\Pkfblfab.exe

C:\Windows\system32\Pkfblfab.exe

C:\Windows\SysWOW64\Pndohaqe.exe

C:\Windows\system32\Pndohaqe.exe

C:\Windows\SysWOW64\Pabkdmpi.exe

C:\Windows\system32\Pabkdmpi.exe

C:\Windows\SysWOW64\Pgmcqggf.exe

C:\Windows\system32\Pgmcqggf.exe

C:\Windows\SysWOW64\Pnfkma32.exe

C:\Windows\system32\Pnfkma32.exe

C:\Windows\SysWOW64\Pbbgnpgl.exe

C:\Windows\system32\Pbbgnpgl.exe

C:\Windows\SysWOW64\Pcccfh32.exe

C:\Windows\system32\Pcccfh32.exe

C:\Windows\SysWOW64\Pkjlge32.exe

C:\Windows\system32\Pkjlge32.exe

C:\Windows\SysWOW64\Pnihcq32.exe

C:\Windows\system32\Pnihcq32.exe

C:\Windows\SysWOW64\Pbddcoei.exe

C:\Windows\system32\Pbddcoei.exe

C:\Windows\SysWOW64\Qecppkdm.exe

C:\Windows\system32\Qecppkdm.exe

C:\Windows\SysWOW64\Qgallfcq.exe

C:\Windows\system32\Qgallfcq.exe

C:\Windows\SysWOW64\Qnkdhpjn.exe

C:\Windows\system32\Qnkdhpjn.exe

C:\Windows\SysWOW64\Qajadlja.exe

C:\Windows\system32\Qajadlja.exe

C:\Windows\SysWOW64\Qgciaf32.exe

C:\Windows\system32\Qgciaf32.exe

C:\Windows\SysWOW64\Qnnanphk.exe

C:\Windows\system32\Qnnanphk.exe

C:\Windows\SysWOW64\Qalnjkgo.exe

C:\Windows\system32\Qalnjkgo.exe

C:\Windows\SysWOW64\Acjjfggb.exe

C:\Windows\system32\Acjjfggb.exe

C:\Windows\SysWOW64\Alabgd32.exe

C:\Windows\system32\Alabgd32.exe

C:\Windows\SysWOW64\Anpncp32.exe

C:\Windows\system32\Anpncp32.exe

C:\Windows\SysWOW64\Aanjpk32.exe

C:\Windows\system32\Aanjpk32.exe

C:\Windows\SysWOW64\Acmflf32.exe

C:\Windows\system32\Acmflf32.exe

C:\Windows\SysWOW64\Aldomc32.exe

C:\Windows\system32\Aldomc32.exe

C:\Windows\SysWOW64\Anbkio32.exe

C:\Windows\system32\Anbkio32.exe

C:\Windows\SysWOW64\Aaqgek32.exe

C:\Windows\system32\Aaqgek32.exe

C:\Windows\SysWOW64\Acocaf32.exe

C:\Windows\system32\Acocaf32.exe

C:\Windows\SysWOW64\Alfkbc32.exe

C:\Windows\system32\Alfkbc32.exe

C:\Windows\SysWOW64\Abpcon32.exe

C:\Windows\system32\Abpcon32.exe

C:\Windows\SysWOW64\Aeopki32.exe

C:\Windows\system32\Aeopki32.exe

C:\Windows\SysWOW64\Ahmlgd32.exe

C:\Windows\system32\Ahmlgd32.exe

C:\Windows\SysWOW64\Ajkhdp32.exe

C:\Windows\system32\Ajkhdp32.exe

C:\Windows\SysWOW64\Abbpem32.exe

C:\Windows\system32\Abbpem32.exe

C:\Windows\SysWOW64\Aealah32.exe

C:\Windows\system32\Aealah32.exe

C:\Windows\SysWOW64\Ahoimd32.exe

C:\Windows\system32\Ahoimd32.exe

C:\Windows\SysWOW64\Ajneip32.exe

C:\Windows\system32\Ajneip32.exe

C:\Windows\SysWOW64\Abemjmgg.exe

C:\Windows\system32\Abemjmgg.exe

C:\Windows\SysWOW64\Becifhfj.exe

C:\Windows\system32\Becifhfj.exe

C:\Windows\SysWOW64\Bhaebcen.exe

C:\Windows\system32\Bhaebcen.exe

C:\Windows\SysWOW64\Blmacb32.exe

C:\Windows\system32\Blmacb32.exe

C:\Windows\SysWOW64\Bbgipldd.exe

C:\Windows\system32\Bbgipldd.exe

C:\Windows\SysWOW64\Bdhfhe32.exe

C:\Windows\system32\Bdhfhe32.exe

C:\Windows\SysWOW64\Blpnib32.exe

C:\Windows\system32\Blpnib32.exe

C:\Windows\SysWOW64\Bjbndobo.exe

C:\Windows\system32\Bjbndobo.exe

C:\Windows\SysWOW64\Cojjqlpk.exe

C:\Windows\system32\Cojjqlpk.exe

C:\Windows\SysWOW64\Cecbmf32.exe

C:\Windows\system32\Cecbmf32.exe

C:\Windows\SysWOW64\Cdfbibnb.exe

C:\Windows\system32\Cdfbibnb.exe

C:\Windows\SysWOW64\Ckpjfm32.exe

C:\Windows\system32\Ckpjfm32.exe

C:\Windows\SysWOW64\Colffknh.exe

C:\Windows\system32\Colffknh.exe

C:\Windows\SysWOW64\Cajcbgml.exe

C:\Windows\system32\Cajcbgml.exe

C:\Windows\SysWOW64\Cdiooblp.exe

C:\Windows\system32\Cdiooblp.exe

C:\Windows\SysWOW64\Chdkoa32.exe

C:\Windows\system32\Chdkoa32.exe

C:\Windows\SysWOW64\Ckcgkldl.exe

C:\Windows\system32\Ckcgkldl.exe

C:\Windows\SysWOW64\Cbjoljdo.exe

C:\Windows\system32\Cbjoljdo.exe

C:\Windows\SysWOW64\Cehkhecb.exe

C:\Windows\system32\Cehkhecb.exe

C:\Windows\SysWOW64\Cdkldb32.exe

C:\Windows\system32\Cdkldb32.exe

C:\Windows\SysWOW64\Chghdqbf.exe

C:\Windows\system32\Chghdqbf.exe

C:\Windows\SysWOW64\Ckedalaj.exe

C:\Windows\system32\Ckedalaj.exe

C:\Windows\SysWOW64\Doqpak32.exe

C:\Windows\system32\Doqpak32.exe

C:\Windows\SysWOW64\Dbllbibl.exe

C:\Windows\system32\Dbllbibl.exe

C:\Windows\SysWOW64\Dekhneap.exe

C:\Windows\system32\Dekhneap.exe

C:\Windows\SysWOW64\Ddmhja32.exe

C:\Windows\system32\Ddmhja32.exe

C:\Windows\SysWOW64\Dldpkoil.exe

C:\Windows\system32\Dldpkoil.exe

C:\Windows\SysWOW64\Dkgqfl32.exe

C:\Windows\system32\Dkgqfl32.exe

C:\Windows\SysWOW64\Docmgjhp.exe

C:\Windows\system32\Docmgjhp.exe

C:\Windows\SysWOW64\Daaicfgd.exe

C:\Windows\system32\Daaicfgd.exe

C:\Windows\SysWOW64\Demecd32.exe

C:\Windows\system32\Demecd32.exe

C:\Windows\SysWOW64\Ddpeoafg.exe

C:\Windows\system32\Ddpeoafg.exe

C:\Windows\SysWOW64\Dhkapp32.exe

C:\Windows\system32\Dhkapp32.exe

C:\Windows\SysWOW64\Dkjmlk32.exe

C:\Windows\system32\Dkjmlk32.exe

C:\Windows\SysWOW64\Dbaemi32.exe

C:\Windows\system32\Dbaemi32.exe

C:\Windows\SysWOW64\Dadeieea.exe

C:\Windows\system32\Dadeieea.exe

C:\Windows\SysWOW64\Deoaid32.exe

C:\Windows\system32\Deoaid32.exe

C:\Windows\SysWOW64\Dhnnep32.exe

C:\Windows\system32\Dhnnep32.exe

C:\Windows\SysWOW64\Dkljak32.exe

C:\Windows\system32\Dkljak32.exe

C:\Windows\SysWOW64\Dohfbj32.exe

C:\Windows\system32\Dohfbj32.exe

C:\Windows\SysWOW64\Dccbbhld.exe

C:\Windows\system32\Dccbbhld.exe

C:\Windows\SysWOW64\Dafbne32.exe

C:\Windows\system32\Dafbne32.exe

C:\Windows\SysWOW64\Dhpjkojk.exe

C:\Windows\system32\Dhpjkojk.exe

C:\Windows\SysWOW64\Dllfkn32.exe

C:\Windows\system32\Dllfkn32.exe

C:\Windows\SysWOW64\Dojcgi32.exe

C:\Windows\system32\Dojcgi32.exe

C:\Windows\SysWOW64\Dahode32.exe

C:\Windows\system32\Dahode32.exe

C:\Windows\SysWOW64\Dhbgqohi.exe

C:\Windows\system32\Dhbgqohi.exe

C:\Windows\SysWOW64\Dlncan32.exe

C:\Windows\system32\Dlncan32.exe

C:\Windows\SysWOW64\Ekacmjgl.exe

C:\Windows\system32\Ekacmjgl.exe

C:\Windows\SysWOW64\Eolpmi32.exe

C:\Windows\system32\Eolpmi32.exe

C:\Windows\SysWOW64\Echknh32.exe

C:\Windows\system32\Echknh32.exe

C:\Windows\SysWOW64\Eefhjc32.exe

C:\Windows\system32\Eefhjc32.exe

C:\Windows\SysWOW64\Edihepnm.exe

C:\Windows\system32\Edihepnm.exe

C:\Windows\SysWOW64\Elppfmoo.exe

C:\Windows\system32\Elppfmoo.exe

C:\Windows\SysWOW64\Eoolbinc.exe

C:\Windows\system32\Eoolbinc.exe

C:\Windows\SysWOW64\Eamhodmf.exe

C:\Windows\system32\Eamhodmf.exe

C:\Windows\SysWOW64\Eeidoc32.exe

C:\Windows\system32\Eeidoc32.exe

C:\Windows\SysWOW64\Ehgqln32.exe

C:\Windows\system32\Ehgqln32.exe

C:\Windows\SysWOW64\Ekemhj32.exe

C:\Windows\system32\Ekemhj32.exe

C:\Windows\SysWOW64\Ecmeig32.exe

C:\Windows\system32\Ecmeig32.exe

C:\Windows\SysWOW64\Eapedd32.exe

C:\Windows\system32\Eapedd32.exe

C:\Windows\SysWOW64\Ednaqo32.exe

C:\Windows\system32\Ednaqo32.exe

C:\Windows\SysWOW64\Eleiam32.exe

C:\Windows\system32\Eleiam32.exe

C:\Windows\SysWOW64\Eocenh32.exe

C:\Windows\system32\Eocenh32.exe

C:\Windows\SysWOW64\Ecoangbg.exe

C:\Windows\system32\Ecoangbg.exe

C:\Windows\SysWOW64\Eemnjbaj.exe

C:\Windows\system32\Eemnjbaj.exe

C:\Windows\SysWOW64\Edpnfo32.exe

C:\Windows\system32\Edpnfo32.exe

C:\Windows\SysWOW64\Elgfgl32.exe

C:\Windows\system32\Elgfgl32.exe

C:\Windows\SysWOW64\Eofbch32.exe

C:\Windows\system32\Eofbch32.exe

C:\Windows\SysWOW64\Eadopc32.exe

C:\Windows\system32\Eadopc32.exe

C:\Windows\SysWOW64\Eepjpb32.exe

C:\Windows\system32\Eepjpb32.exe

C:\Windows\SysWOW64\Fljcmlfd.exe

C:\Windows\system32\Fljcmlfd.exe

C:\Windows\SysWOW64\Fkmchi32.exe

C:\Windows\system32\Fkmchi32.exe

C:\Windows\SysWOW64\Fohoigfh.exe

C:\Windows\system32\Fohoigfh.exe

C:\Windows\SysWOW64\Fafkecel.exe

C:\Windows\system32\Fafkecel.exe

C:\Windows\SysWOW64\Febgea32.exe

C:\Windows\system32\Febgea32.exe

C:\Windows\SysWOW64\Fhqcam32.exe

C:\Windows\system32\Fhqcam32.exe

C:\Windows\SysWOW64\Fllpbldb.exe

C:\Windows\system32\Fllpbldb.exe

C:\Windows\SysWOW64\Fojlngce.exe

C:\Windows\system32\Fojlngce.exe

C:\Windows\SysWOW64\Faihkbci.exe

C:\Windows\system32\Faihkbci.exe

C:\Windows\SysWOW64\Fdgdgnbm.exe

C:\Windows\system32\Fdgdgnbm.exe

C:\Windows\SysWOW64\Fkalchij.exe

C:\Windows\system32\Fkalchij.exe

C:\Windows\SysWOW64\Fchddejl.exe

C:\Windows\system32\Fchddejl.exe

C:\Windows\SysWOW64\Ffgqqaip.exe

C:\Windows\system32\Ffgqqaip.exe

C:\Windows\SysWOW64\Fdialn32.exe

C:\Windows\system32\Fdialn32.exe

C:\Windows\SysWOW64\Flqimk32.exe

C:\Windows\system32\Flqimk32.exe

C:\Windows\SysWOW64\Fooeif32.exe

C:\Windows\system32\Fooeif32.exe

C:\Windows\SysWOW64\Fbnafb32.exe

C:\Windows\system32\Fbnafb32.exe

C:\Windows\SysWOW64\Ffimfqgm.exe

C:\Windows\system32\Ffimfqgm.exe

C:\Windows\SysWOW64\Fhgjblfq.exe

C:\Windows\system32\Fhgjblfq.exe

C:\Windows\SysWOW64\Foabofnn.exe

C:\Windows\system32\Foabofnn.exe

C:\Windows\SysWOW64\Fbpnkama.exe

C:\Windows\system32\Fbpnkama.exe

C:\Windows\SysWOW64\Ffkjlp32.exe

C:\Windows\system32\Ffkjlp32.exe

C:\Windows\SysWOW64\Fhjfhl32.exe

C:\Windows\system32\Fhjfhl32.exe

C:\Windows\SysWOW64\Gkhbdg32.exe

C:\Windows\system32\Gkhbdg32.exe

C:\Windows\SysWOW64\Gododflk.exe

C:\Windows\system32\Gododflk.exe

C:\Windows\SysWOW64\Gbbkaako.exe

C:\Windows\system32\Gbbkaako.exe

C:\Windows\SysWOW64\Gdqgmmjb.exe

C:\Windows\system32\Gdqgmmjb.exe

C:\Windows\SysWOW64\Ghlcnk32.exe

C:\Windows\system32\Ghlcnk32.exe

C:\Windows\SysWOW64\Gofkje32.exe

C:\Windows\system32\Gofkje32.exe

C:\Windows\SysWOW64\Gbdgfa32.exe

C:\Windows\system32\Gbdgfa32.exe

C:\Windows\SysWOW64\Gfpcgpae.exe

C:\Windows\system32\Gfpcgpae.exe

C:\Windows\SysWOW64\Gdcdbl32.exe

C:\Windows\system32\Gdcdbl32.exe

C:\Windows\SysWOW64\Gmjlcj32.exe

C:\Windows\system32\Gmjlcj32.exe

C:\Windows\SysWOW64\Gohhpe32.exe

C:\Windows\system32\Gohhpe32.exe

C:\Windows\SysWOW64\Gbgdlq32.exe

C:\Windows\system32\Gbgdlq32.exe

C:\Windows\SysWOW64\Gfbploob.exe

C:\Windows\system32\Gfbploob.exe

C:\Windows\SysWOW64\Ghaliknf.exe

C:\Windows\system32\Ghaliknf.exe

C:\Windows\SysWOW64\Gmlhii32.exe

C:\Windows\system32\Gmlhii32.exe

C:\Windows\SysWOW64\Gokdeeec.exe

C:\Windows\system32\Gokdeeec.exe

C:\Windows\SysWOW64\Gbiaapdf.exe

C:\Windows\system32\Gbiaapdf.exe

C:\Windows\SysWOW64\Gfembo32.exe

C:\Windows\system32\Gfembo32.exe

C:\Windows\SysWOW64\Gmoeoidl.exe

C:\Windows\system32\Gmoeoidl.exe

C:\Windows\SysWOW64\Gkaejf32.exe

C:\Windows\system32\Gkaejf32.exe

C:\Windows\SysWOW64\Gcimkc32.exe

C:\Windows\system32\Gcimkc32.exe

C:\Windows\SysWOW64\Gblngpbd.exe

C:\Windows\system32\Gblngpbd.exe

C:\Windows\SysWOW64\Gdjjckag.exe

C:\Windows\system32\Gdjjckag.exe

C:\Windows\SysWOW64\Hiefcj32.exe

C:\Windows\system32\Hiefcj32.exe

C:\Windows\SysWOW64\Hmabdibj.exe

C:\Windows\system32\Hmabdibj.exe

C:\Windows\SysWOW64\Hopnqdan.exe

C:\Windows\system32\Hopnqdan.exe

C:\Windows\SysWOW64\Hckjacjg.exe

C:\Windows\system32\Hckjacjg.exe

C:\Windows\SysWOW64\Hfifmnij.exe

C:\Windows\system32\Hfifmnij.exe

C:\Windows\SysWOW64\Helfik32.exe

C:\Windows\system32\Helfik32.exe

C:\Windows\SysWOW64\Hihbijhn.exe

C:\Windows\system32\Hihbijhn.exe

C:\Windows\SysWOW64\Hkfoeega.exe

C:\Windows\system32\Hkfoeega.exe

C:\Windows\SysWOW64\Hobkfd32.exe

C:\Windows\system32\Hobkfd32.exe

C:\Windows\SysWOW64\Hbpgbo32.exe

C:\Windows\system32\Hbpgbo32.exe

C:\Windows\SysWOW64\Heocnk32.exe

C:\Windows\system32\Heocnk32.exe

C:\Windows\SysWOW64\Hijooifk.exe

C:\Windows\system32\Hijooifk.exe

C:\Windows\SysWOW64\Hkikkeeo.exe

C:\Windows\system32\Hkikkeeo.exe

C:\Windows\SysWOW64\Hodgkc32.exe

C:\Windows\system32\Hodgkc32.exe

C:\Windows\SysWOW64\Hcpclbfa.exe

C:\Windows\system32\Hcpclbfa.exe

C:\Windows\SysWOW64\Hfnphn32.exe

C:\Windows\system32\Hfnphn32.exe

C:\Windows\SysWOW64\Himldi32.exe

C:\Windows\system32\Himldi32.exe

C:\Windows\SysWOW64\Hmhhehlb.exe

C:\Windows\system32\Hmhhehlb.exe

C:\Windows\SysWOW64\Hkkhqd32.exe

C:\Windows\system32\Hkkhqd32.exe

C:\Windows\SysWOW64\Hcbpab32.exe

C:\Windows\system32\Hcbpab32.exe

C:\Windows\SysWOW64\Hfqlnm32.exe

C:\Windows\system32\Hfqlnm32.exe

C:\Windows\SysWOW64\Hioiji32.exe

C:\Windows\system32\Hioiji32.exe

C:\Windows\SysWOW64\Hmjdjgjo.exe

C:\Windows\system32\Hmjdjgjo.exe

C:\Windows\SysWOW64\Hoiafcic.exe

C:\Windows\system32\Hoiafcic.exe

C:\Windows\SysWOW64\Hbgmcnhf.exe

C:\Windows\system32\Hbgmcnhf.exe

C:\Windows\SysWOW64\Iefioj32.exe

C:\Windows\system32\Iefioj32.exe

C:\Windows\SysWOW64\Immapg32.exe

C:\Windows\system32\Immapg32.exe

C:\Windows\SysWOW64\Ikpaldog.exe

C:\Windows\system32\Ikpaldog.exe

C:\Windows\SysWOW64\Ibjjhn32.exe

C:\Windows\system32\Ibjjhn32.exe

C:\Windows\SysWOW64\Iehfdi32.exe

C:\Windows\system32\Iehfdi32.exe

C:\Windows\SysWOW64\Ipnjab32.exe

C:\Windows\system32\Ipnjab32.exe

C:\Windows\SysWOW64\Iblfnn32.exe

C:\Windows\system32\Iblfnn32.exe

C:\Windows\SysWOW64\Iejcji32.exe

C:\Windows\system32\Iejcji32.exe

C:\Windows\SysWOW64\Iifokh32.exe

C:\Windows\system32\Iifokh32.exe

C:\Windows\SysWOW64\Ildkgc32.exe

C:\Windows\system32\Ildkgc32.exe

C:\Windows\SysWOW64\Ickchq32.exe

C:\Windows\system32\Ickchq32.exe

C:\Windows\SysWOW64\Ibnccmbo.exe

C:\Windows\system32\Ibnccmbo.exe

C:\Windows\SysWOW64\Iemppiab.exe

C:\Windows\system32\Iemppiab.exe

C:\Windows\SysWOW64\Ilghlc32.exe

C:\Windows\system32\Ilghlc32.exe

C:\Windows\SysWOW64\Ifllil32.exe

C:\Windows\system32\Ifllil32.exe

C:\Windows\SysWOW64\Iikhfg32.exe

C:\Windows\system32\Iikhfg32.exe

C:\Windows\SysWOW64\Imfdff32.exe

C:\Windows\system32\Imfdff32.exe

C:\Windows\SysWOW64\Ipdqba32.exe

C:\Windows\system32\Ipdqba32.exe

C:\Windows\SysWOW64\Ibcmom32.exe

C:\Windows\system32\Ibcmom32.exe

C:\Windows\SysWOW64\Jimekgff.exe

C:\Windows\system32\Jimekgff.exe

C:\Windows\SysWOW64\Jpgmha32.exe

C:\Windows\system32\Jpgmha32.exe

C:\Windows\SysWOW64\Jbeidl32.exe

C:\Windows\system32\Jbeidl32.exe

C:\Windows\SysWOW64\Jedeph32.exe

C:\Windows\system32\Jedeph32.exe

C:\Windows\SysWOW64\Jlnnmb32.exe

C:\Windows\system32\Jlnnmb32.exe

C:\Windows\SysWOW64\Jfcbjk32.exe

C:\Windows\system32\Jfcbjk32.exe

C:\Windows\SysWOW64\Jmmjgejj.exe

C:\Windows\system32\Jmmjgejj.exe

C:\Windows\SysWOW64\Jbjcolha.exe

C:\Windows\system32\Jbjcolha.exe

C:\Windows\SysWOW64\Jehokgge.exe

C:\Windows\system32\Jehokgge.exe

C:\Windows\SysWOW64\Jmpgldhg.exe

C:\Windows\system32\Jmpgldhg.exe

C:\Windows\SysWOW64\Jpnchp32.exe

C:\Windows\system32\Jpnchp32.exe

C:\Windows\SysWOW64\Jeklag32.exe

C:\Windows\system32\Jeklag32.exe

C:\Windows\SysWOW64\Jifhaenk.exe

C:\Windows\system32\Jifhaenk.exe

C:\Windows\SysWOW64\Jmbdbd32.exe

C:\Windows\system32\Jmbdbd32.exe

C:\Windows\SysWOW64\Jlednamo.exe

C:\Windows\system32\Jlednamo.exe

C:\Windows\SysWOW64\Kemhff32.exe

C:\Windows\system32\Kemhff32.exe

C:\Windows\SysWOW64\Klgqcqkl.exe

C:\Windows\system32\Klgqcqkl.exe

C:\Windows\SysWOW64\Kbaipkbi.exe

C:\Windows\system32\Kbaipkbi.exe

C:\Windows\SysWOW64\Kmfmmcbo.exe

C:\Windows\system32\Kmfmmcbo.exe

C:\Windows\SysWOW64\Klimip32.exe

C:\Windows\system32\Klimip32.exe

C:\Windows\SysWOW64\Kpeiioac.exe

C:\Windows\system32\Kpeiioac.exe

C:\Windows\SysWOW64\Kfoafi32.exe

C:\Windows\system32\Kfoafi32.exe

C:\Windows\SysWOW64\Kmijbcpl.exe

C:\Windows\system32\Kmijbcpl.exe

C:\Windows\SysWOW64\Kdcbom32.exe

C:\Windows\system32\Kdcbom32.exe

C:\Windows\SysWOW64\Kedoge32.exe

C:\Windows\system32\Kedoge32.exe

C:\Windows\SysWOW64\Kipkhdeq.exe

C:\Windows\system32\Kipkhdeq.exe

C:\Windows\SysWOW64\Kpjcdn32.exe

C:\Windows\system32\Kpjcdn32.exe

C:\Windows\SysWOW64\Kbhoqj32.exe

C:\Windows\system32\Kbhoqj32.exe

C:\Windows\SysWOW64\Kmncnb32.exe

C:\Windows\system32\Kmncnb32.exe

C:\Windows\SysWOW64\Kplpjn32.exe

C:\Windows\system32\Kplpjn32.exe

C:\Windows\SysWOW64\Lbjlfi32.exe

C:\Windows\system32\Lbjlfi32.exe

C:\Windows\SysWOW64\Leihbeib.exe

C:\Windows\system32\Leihbeib.exe

C:\Windows\SysWOW64\Lmppcbjd.exe

C:\Windows\system32\Lmppcbjd.exe

C:\Windows\SysWOW64\Llcpoo32.exe

C:\Windows\system32\Llcpoo32.exe

C:\Windows\SysWOW64\Ldjhpl32.exe

C:\Windows\system32\Ldjhpl32.exe

C:\Windows\SysWOW64\Lfhdlh32.exe

C:\Windows\system32\Lfhdlh32.exe

C:\Windows\SysWOW64\Lekehdgp.exe

C:\Windows\system32\Lekehdgp.exe

C:\Windows\SysWOW64\Llemdo32.exe

C:\Windows\system32\Llemdo32.exe

C:\Windows\SysWOW64\Ldleel32.exe

C:\Windows\system32\Ldleel32.exe

C:\Windows\SysWOW64\Lfkaag32.exe

C:\Windows\system32\Lfkaag32.exe

C:\Windows\SysWOW64\Lmdina32.exe

C:\Windows\system32\Lmdina32.exe

C:\Windows\SysWOW64\Ldoaklml.exe

C:\Windows\system32\Ldoaklml.exe

C:\Windows\SysWOW64\Likjcbkc.exe

C:\Windows\system32\Likjcbkc.exe

C:\Windows\SysWOW64\Lljfpnjg.exe

C:\Windows\system32\Lljfpnjg.exe

C:\Windows\SysWOW64\Ldanqkki.exe

C:\Windows\system32\Ldanqkki.exe

C:\Windows\SysWOW64\Lebkhc32.exe

C:\Windows\system32\Lebkhc32.exe

C:\Windows\SysWOW64\Lingibiq.exe

C:\Windows\system32\Lingibiq.exe

C:\Windows\SysWOW64\Lphoelqn.exe

C:\Windows\system32\Lphoelqn.exe

C:\Windows\SysWOW64\Mgagbf32.exe

C:\Windows\system32\Mgagbf32.exe

C:\Windows\SysWOW64\Mipcob32.exe

C:\Windows\system32\Mipcob32.exe

C:\Windows\SysWOW64\Mpjlklok.exe

C:\Windows\system32\Mpjlklok.exe

C:\Windows\SysWOW64\Mchhggno.exe

C:\Windows\system32\Mchhggno.exe

C:\Windows\SysWOW64\Megdccmb.exe

C:\Windows\system32\Megdccmb.exe

C:\Windows\SysWOW64\Mlampmdo.exe

C:\Windows\system32\Mlampmdo.exe

C:\Windows\SysWOW64\Mdhdajea.exe

C:\Windows\system32\Mdhdajea.exe

C:\Windows\SysWOW64\Miemjaci.exe

C:\Windows\system32\Miemjaci.exe

C:\Windows\SysWOW64\Mgimcebb.exe

C:\Windows\system32\Mgimcebb.exe

C:\Windows\SysWOW64\Mmbfpp32.exe

C:\Windows\system32\Mmbfpp32.exe

C:\Windows\SysWOW64\Mpablkhc.exe

C:\Windows\system32\Mpablkhc.exe

C:\Windows\SysWOW64\Mcpnhfhf.exe

C:\Windows\system32\Mcpnhfhf.exe

C:\Windows\SysWOW64\Menjdbgj.exe

C:\Windows\system32\Menjdbgj.exe

C:\Windows\SysWOW64\Mnebeogl.exe

C:\Windows\system32\Mnebeogl.exe

C:\Windows\SysWOW64\Ncbknfed.exe

C:\Windows\system32\Ncbknfed.exe

C:\Windows\SysWOW64\Nepgjaeg.exe

C:\Windows\system32\Nepgjaeg.exe

C:\Windows\SysWOW64\Nilcjp32.exe

C:\Windows\system32\Nilcjp32.exe

C:\Windows\SysWOW64\Nljofl32.exe

C:\Windows\system32\Nljofl32.exe

C:\Windows\SysWOW64\Ndaggimg.exe

C:\Windows\system32\Ndaggimg.exe

C:\Windows\SysWOW64\Ngpccdlj.exe

C:\Windows\system32\Ngpccdlj.exe

C:\Windows\SysWOW64\Nnjlpo32.exe

C:\Windows\system32\Nnjlpo32.exe

C:\Windows\SysWOW64\Ndcdmikd.exe

C:\Windows\system32\Ndcdmikd.exe

C:\Windows\SysWOW64\Ncfdie32.exe

C:\Windows\system32\Ncfdie32.exe

C:\Windows\SysWOW64\Neeqea32.exe

C:\Windows\system32\Neeqea32.exe

C:\Windows\SysWOW64\Nnlhfn32.exe

C:\Windows\system32\Nnlhfn32.exe

C:\Windows\SysWOW64\Npjebj32.exe

C:\Windows\system32\Npjebj32.exe

C:\Windows\SysWOW64\Ncianepl.exe

C:\Windows\system32\Ncianepl.exe

C:\Windows\SysWOW64\Nnneknob.exe

C:\Windows\system32\Nnneknob.exe

C:\Windows\SysWOW64\Npmagine.exe

C:\Windows\system32\Npmagine.exe

C:\Windows\SysWOW64\Nckndeni.exe

C:\Windows\system32\Nckndeni.exe

C:\Windows\SysWOW64\Nfjjppmm.exe

C:\Windows\system32\Nfjjppmm.exe

C:\Windows\SysWOW64\Olcbmj32.exe

C:\Windows\system32\Olcbmj32.exe

C:\Windows\SysWOW64\Ocnjidkf.exe

C:\Windows\system32\Ocnjidkf.exe

C:\Windows\SysWOW64\Oflgep32.exe

C:\Windows\system32\Oflgep32.exe

C:\Windows\SysWOW64\Olfobjbg.exe

C:\Windows\system32\Olfobjbg.exe

C:\Windows\SysWOW64\Ofnckp32.exe

C:\Windows\system32\Ofnckp32.exe

C:\Windows\SysWOW64\Olhlhjpd.exe

C:\Windows\system32\Olhlhjpd.exe

C:\Windows\SysWOW64\Odocigqg.exe

C:\Windows\system32\Odocigqg.exe

C:\Windows\SysWOW64\Ognpebpj.exe

C:\Windows\system32\Ognpebpj.exe

C:\Windows\SysWOW64\Ojllan32.exe

C:\Windows\system32\Ojllan32.exe

C:\Windows\SysWOW64\Olkhmi32.exe

C:\Windows\system32\Olkhmi32.exe

C:\Windows\SysWOW64\Ogpmjb32.exe

C:\Windows\system32\Ogpmjb32.exe

C:\Windows\SysWOW64\Onjegled.exe

C:\Windows\system32\Onjegled.exe

C:\Windows\SysWOW64\Oqhacgdh.exe

C:\Windows\system32\Oqhacgdh.exe

C:\Windows\SysWOW64\Ocgmpccl.exe

C:\Windows\system32\Ocgmpccl.exe

C:\Windows\SysWOW64\Pnlaml32.exe

C:\Windows\system32\Pnlaml32.exe

C:\Windows\SysWOW64\Pdfjifjo.exe

C:\Windows\system32\Pdfjifjo.exe

C:\Windows\SysWOW64\Pjcbbmif.exe

C:\Windows\system32\Pjcbbmif.exe

C:\Windows\SysWOW64\Pnonbk32.exe

C:\Windows\system32\Pnonbk32.exe

C:\Windows\SysWOW64\Pqmjog32.exe

C:\Windows\system32\Pqmjog32.exe

C:\Windows\SysWOW64\Pclgkb32.exe

C:\Windows\system32\Pclgkb32.exe

C:\Windows\SysWOW64\Pjeoglgc.exe

C:\Windows\system32\Pjeoglgc.exe

C:\Windows\SysWOW64\Pdkcde32.exe

C:\Windows\system32\Pdkcde32.exe

C:\Windows\SysWOW64\Pgioqq32.exe

C:\Windows\system32\Pgioqq32.exe

C:\Windows\SysWOW64\Pjhlml32.exe

C:\Windows\system32\Pjhlml32.exe

C:\Windows\SysWOW64\Pmfhig32.exe

C:\Windows\system32\Pmfhig32.exe

C:\Windows\SysWOW64\Pdmpje32.exe

C:\Windows\system32\Pdmpje32.exe

C:\Windows\SysWOW64\Pmidog32.exe

C:\Windows\system32\Pmidog32.exe

C:\Windows\SysWOW64\Pcbmka32.exe

C:\Windows\system32\Pcbmka32.exe

C:\Windows\SysWOW64\Qmkadgpo.exe

C:\Windows\system32\Qmkadgpo.exe

C:\Windows\SysWOW64\Qceiaa32.exe

C:\Windows\system32\Qceiaa32.exe

C:\Windows\SysWOW64\Qmmnjfnl.exe

C:\Windows\system32\Qmmnjfnl.exe

C:\Windows\SysWOW64\Qddfkd32.exe

C:\Windows\system32\Qddfkd32.exe

C:\Windows\SysWOW64\Qffbbldm.exe

C:\Windows\system32\Qffbbldm.exe

C:\Windows\SysWOW64\Ampkof32.exe

C:\Windows\system32\Ampkof32.exe

C:\Windows\SysWOW64\Acjclpcf.exe

C:\Windows\system32\Acjclpcf.exe

C:\Windows\SysWOW64\Anogiicl.exe

C:\Windows\system32\Anogiicl.exe

C:\Windows\SysWOW64\Ambgef32.exe

C:\Windows\system32\Ambgef32.exe

C:\Windows\SysWOW64\Aclpap32.exe

C:\Windows\system32\Aclpap32.exe

C:\Windows\SysWOW64\Amddjegd.exe

C:\Windows\system32\Amddjegd.exe

C:\Windows\SysWOW64\Agjhgngj.exe

C:\Windows\system32\Agjhgngj.exe

C:\Windows\SysWOW64\Ajhddjfn.exe

C:\Windows\system32\Ajhddjfn.exe

C:\Windows\SysWOW64\Acqimo32.exe

C:\Windows\system32\Acqimo32.exe

C:\Windows\SysWOW64\Anfmjhmd.exe

C:\Windows\system32\Anfmjhmd.exe

C:\Windows\SysWOW64\Accfbokl.exe

C:\Windows\system32\Accfbokl.exe

C:\Windows\SysWOW64\Agoabn32.exe

C:\Windows\system32\Agoabn32.exe

C:\Windows\SysWOW64\Bnhjohkb.exe

C:\Windows\system32\Bnhjohkb.exe

C:\Windows\SysWOW64\Bebblb32.exe

C:\Windows\system32\Bebblb32.exe

C:\Windows\SysWOW64\Bganhm32.exe

C:\Windows\system32\Bganhm32.exe

C:\Windows\SysWOW64\Bnkgeg32.exe

C:\Windows\system32\Bnkgeg32.exe

C:\Windows\SysWOW64\Baicac32.exe

C:\Windows\system32\Baicac32.exe

C:\Windows\SysWOW64\Bchomn32.exe

C:\Windows\system32\Bchomn32.exe

C:\Windows\SysWOW64\Bnmcjg32.exe

C:\Windows\system32\Bnmcjg32.exe

C:\Windows\SysWOW64\Bcjlcn32.exe

C:\Windows\system32\Bcjlcn32.exe

C:\Windows\SysWOW64\Bnpppgdj.exe

C:\Windows\system32\Bnpppgdj.exe

C:\Windows\SysWOW64\Bfkedibe.exe

C:\Windows\system32\Bfkedibe.exe

C:\Windows\SysWOW64\Cfmajipb.exe

C:\Windows\system32\Cfmajipb.exe

C:\Windows\SysWOW64\Cenahpha.exe

C:\Windows\system32\Cenahpha.exe

C:\Windows\SysWOW64\Cjkjpgfi.exe

C:\Windows\system32\Cjkjpgfi.exe

C:\Windows\SysWOW64\Caebma32.exe

C:\Windows\system32\Caebma32.exe

C:\Windows\SysWOW64\Chokikeb.exe

C:\Windows\system32\Chokikeb.exe

C:\Windows\SysWOW64\Cnicfe32.exe

C:\Windows\system32\Cnicfe32.exe

C:\Windows\SysWOW64\Cdfkolkf.exe

C:\Windows\system32\Cdfkolkf.exe

C:\Windows\SysWOW64\Cnkplejl.exe

C:\Windows\system32\Cnkplejl.exe

C:\Windows\SysWOW64\Cajlhqjp.exe

C:\Windows\system32\Cajlhqjp.exe

C:\Windows\SysWOW64\Cdhhdlid.exe

C:\Windows\system32\Cdhhdlid.exe

C:\Windows\SysWOW64\Cffdpghg.exe

C:\Windows\system32\Cffdpghg.exe

C:\Windows\SysWOW64\Cnnlaehj.exe

C:\Windows\system32\Cnnlaehj.exe

C:\Windows\SysWOW64\Calhnpgn.exe

C:\Windows\system32\Calhnpgn.exe

C:\Windows\SysWOW64\Ddjejl32.exe

C:\Windows\system32\Ddjejl32.exe

C:\Windows\SysWOW64\Dfiafg32.exe

C:\Windows\system32\Dfiafg32.exe

C:\Windows\SysWOW64\Dmcibama.exe

C:\Windows\system32\Dmcibama.exe

C:\Windows\SysWOW64\Ddmaok32.exe

C:\Windows\system32\Ddmaok32.exe

C:\Windows\SysWOW64\Dfknkg32.exe

C:\Windows\system32\Dfknkg32.exe

C:\Windows\SysWOW64\Delnin32.exe

C:\Windows\system32\Delnin32.exe

C:\Windows\SysWOW64\Dfnjafap.exe

C:\Windows\system32\Dfnjafap.exe

C:\Windows\SysWOW64\Dodbbdbb.exe

C:\Windows\system32\Dodbbdbb.exe

C:\Windows\SysWOW64\Daconoae.exe

C:\Windows\system32\Daconoae.exe

C:\Windows\SysWOW64\Deokon32.exe

C:\Windows\system32\Deokon32.exe

C:\Windows\SysWOW64\Dkkcge32.exe

C:\Windows\system32\Dkkcge32.exe

C:\Windows\SysWOW64\Deagdn32.exe

C:\Windows\system32\Deagdn32.exe

C:\Windows\SysWOW64\Doilmc32.exe

C:\Windows\system32\Doilmc32.exe

C:\Windows\SysWOW64\Dmllipeg.exe

C:\Windows\system32\Dmllipeg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 11100 -ip 11100

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 11100 -s 408

Network

Country Destination Domain Proto
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 52.111.227.14:443 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/1776-0-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1776-1-0x0000000000431000-0x0000000000432000-memory.dmp

C:\Windows\SysWOW64\Kaemnhla.exe

MD5 eef6340bfcbfc31f9ccfb7a18677cbbc
SHA1 e5b301fd43a6ce9eced74e4a017b4e7ba012b9e8
SHA256 573e69aecd24052fd7f9bea56cd4abb4c9ec17e0e882fb9939c49a5f2e4b1a03
SHA512 a3ec51bc7b64f09fa79a9112baa551db0aabbc3f968eaf79355b1805649fb08951eb70094c3f5954d33431ecfc48381ae89a185af9f42e01cd61a959125cf16c

memory/4896-9-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Kbfiep32.exe

MD5 83f1fb590a17919ef6eb652eb7692f12
SHA1 b7862207e067fd4d3534f80f19672bf22de11c9e
SHA256 801684c292c238648c6260a2cf68722a2f26f318406bd3448e40ea99a95f017a
SHA512 abc4afd22f001816b5d60c811096789f0e822a409a151180e880bc02e66feb5966f7b41ee223e7fdb3cf5d8538c51fe1b87edbc6c7e0ed359616b05f57c79f21

memory/216-17-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Kknafn32.exe

MD5 d1b8e554bca7584ef116dd1fa6856d54
SHA1 fcdc5b26f20275b2ccbb789a8e1eb9bfcd3ce04d
SHA256 41f02527da81b5c19679085f6ccb353c380ea143f5651d1f388d9e28b5986c15
SHA512 d8d743e809c3a1217c96d332ca81517f1795c5dfdf8c7b8b450dedc85b9e47e1e8bb0675e5962d240ac9c7f682fb6e3f32ab96ad48af890a126576dffd3375da

memory/1092-29-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Kmlnbi32.exe

MD5 fd398ad76ec481283b6faa5daad372b6
SHA1 49d66a9afc7e88e101e677c5419a386d5d4d33e6
SHA256 2ad0b1da96ec22f4f85836586dd849a6997b15d008815ff2cec6664b5972e896
SHA512 f9a220942cf811cc77f1f758407c1ce2495e55c48af29091ac94df1b06fdb7ea304e502cc3db4b6a50d4df31bc1ed40f4cdebf4b771cb8bb2ded64c909ab985d

memory/2880-33-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Kpjjod32.exe

MD5 00aa8ffe70ea6f954e4dbdb0b64b567c
SHA1 39d86d26d618bb9c95a728921207f60665ea57bf
SHA256 a1d1a08ae2f86832af6dec6f4896c1085f97ee5800f26c82d0ac1b99f532e235
SHA512 f1ebe859752ce412f64744f5acac09f0eb394ef11b7e00fb7fe4646af7f9d9e3da579aabd35736af31e08c5ee8f20739eea01316d9bfbd798faf38c4796aad1d

memory/3792-45-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Kgdbkohf.exe

MD5 b687d7f97d68ec65271deb2745d938fb
SHA1 dfb1d6d3f5a94e631d50908a4abe87b915b167e5
SHA256 47c410edf235e9c68dcd374ee1cb454f56ddb4900824cc6c4c496ed146b6ed41
SHA512 3e0563709bcc96ac984c2622abc2de6f1f24f06a4cad41c533f4422079728b13d51334919141a2ac2f380e5cd7423a77b11a3b7c3c12afa940db8b6a877d0437

memory/4092-53-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Kibnhjgj.exe

MD5 3c572664ab8c536dc8de76842c49ea58
SHA1 97e8a02e9f1f2602de2b9abffc01cd05f26a245b
SHA256 27f37b0ce367791d407e9457d75fc815ce44c494705168be282d014c14cf4d9d
SHA512 e8a072b994b5bf9f2a0d82f5ea8bbf958e95e22d836a6626cfdf388014c372a6d1f59b005c6ba9177ca58fc14122181be04f5eb1fab3e1419f7667e7142510b9

memory/4148-57-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Kajfig32.exe

MD5 fcf5df208c7065cc211288f1a6f1592a
SHA1 2448694163722053efe4809bd934c5adf37d078d
SHA256 e7bc1ec9eb8e4337ca432715997bff5164ed7cb89ed66edb3c0c0aec25eaf651
SHA512 4fbd0e0f01e36536da60d0b1350243e8222f49d0cbccf2c1a1e26a7cf4d0316051d461b0e6d4fdb6eb3c0ac3de225ac8ed9f3b7f539230a58b2161694bf2edc6

memory/5096-65-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Kdhbec32.exe

MD5 94749194081fe1cd12d1cc586d6cc2e3
SHA1 e57fbebfa355c6f3fe4b1e56342dbd2c983ca364
SHA256 e2665cc43177fe054ac1363633d7812050a2b96065a7c205ba96abb8013ff53b
SHA512 e26a98bff3d575080cfb5de6e3861e39b064da781ae43c7e482aba69b163d63c82087cd667f756f4fe11a474e58b397ac25aa249d7cc03d5ff7c18a63be9dbb0

memory/1696-73-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Kgfoan32.exe

MD5 d9e5154ae4c937a824c4a0e476b87ddc
SHA1 0f9e3e0fb40d66e4251a36b058c2c90453be19a3
SHA256 9b1d29ffc2d5eb256911a75d87fea2d8e59305dd057a54fc90c67eb11066b409
SHA512 dfda0f112be9e751359b5d850fc7ad9742c6936d136641c3d903f04e4e54c2813f6d01f4622bf6ce35ea4db0f6796b62f5e5479db237090eedb89d354861a2a5

memory/396-81-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Lmqgnhmp.exe

MD5 40a694b561b5ab3d0dd5e87886daa4ad
SHA1 1ed874e6f5cf20916e81de24f0c55c689af58c83
SHA256 d20a5defcd50b0c764ae0125945d6c982e7031e404db5d4dcf027ac6120258b4
SHA512 ac53b91a47151f9f823756dd1cdbe7d6628205ed4ad123afaf59a5a9bd3823989a31a0cda70de04d7fafd5581a8f7647b7a3ebd5a10fd79d20aff92f41780e5d

memory/2164-89-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Lpocjdld.exe

MD5 e60bb814eff1205d83f06310d33bd64b
SHA1 d50b48ea3bb61a3cc7b64e33b0c3eb8aaab65adf
SHA256 c266f928e90ad697cfce192b0b760430b34bb28dd1cd1a71a1285c1fa396b0c0
SHA512 3d413d578a5fda794426e5a05d8b4a3a7a69523962a55d0fcc4ec481a844229b62f01037fdbb71a2b651a4977a9ed32414b3c4c8970a7b17b9367e2058c78008

memory/724-97-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Lcmofolg.exe

MD5 e032334564aa18230dacc752afb1b2df
SHA1 1d0f496da7378614cccba81cc9c738fa50ba736d
SHA256 8ad00944cb0360cffb639fc8c16276483d153d1170464dcf9206558364c7362b
SHA512 d2b10142c5a2b8aa0bf1d39f69e37337cf254297d46331ff391b1d9c0a872e7cd3536a743305d74ceaca432e7bc91e91647be369108a0a2371b67615c6f12e17

memory/1796-105-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Liggbi32.exe

MD5 bd766000d0d8e848180b59b4e25103a8
SHA1 5d09698ad734a2f0f6cb9f20d72baec80a02a37f
SHA256 53f0eac1e04c8b003acc0c4cf43f1b76e6ceff03d160dd5b2419d17e180c7579
SHA512 350fd8ad021ef924171a9723c795576d916b54d27a1f5cc0c8a175054d625e4ec4626adf33ff763eca870d04dcf4d60931a49d1b5d4be5371dd98271ed9709eb

memory/3480-112-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Lpappc32.exe

MD5 820ebeb06f1daf6f4dea2aef74a1f000
SHA1 0fcc319688f6140a238d758aa4f5a355179af91a
SHA256 a1285f49ad501321ea2cdf242d362e4510c028d72f4f5da864919e43e42d0fad
SHA512 d34006db01675bf3625f0d5ff31f2a329bd2d82fc12eb5e6df87ed3d6ae251f5e37a7fb2c7476563486583eb607e766085233ae225cfbcf1e193a5da144ed746

memory/2392-121-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Lcpllo32.exe

MD5 6e92b84bcdf4ad131d6e741d1c9e5a56
SHA1 8910350de17fa80b006bf3d7ca06764e3a34e060
SHA256 142aade024687f746f943bc4bd40d3585b4bd1f7f4b368b1d8250d39f18d68ed
SHA512 456d130439824c36b282bba3a39c7c23432406fb55f8d5ea6fa2cde83df9591e30284bae8244f4201ba14bf22384e55ea790e5fb348c9f114ed7394142adcb53

memory/2468-129-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Lijdhiaa.exe

MD5 d1707a1bafd8d84bedf8a520aae4e38a
SHA1 0ebf5e7f7ffdb58f3c995e5f104eda1c09f3aa60
SHA256 938b29955a79edebbe7e7a9c8045c57513a90c3a299f0ba6873f86d0138de2f6
SHA512 3a74fdf3b909ead2bc540872cc248c52bf59903acbdfc8b03baa33ee01e5ed4bb3bc85ca480da219694e2158ccb1a17fde6f6a57c55fd0cb8cc9d8a683b8fd5f

memory/3752-137-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Lpcmec32.exe

MD5 7706273f58d9cec4f39dfab1f2f75079
SHA1 2b66014b1d566e6e86423ebc8edf0d4f6a4590c8
SHA256 1edcb33512b759ecad7c5b66c7f8221ae4795361a4508dbc7d84fc00f19d02c1
SHA512 fcd5e337dc5b1e759bb31bb8668e88893ae9c0fb223fabee284375423fe6c3541dd62448c6ebc6fa9f75bd58d33a69ad3918fde00879eac60bb8c42638a75344

memory/1388-145-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Lcbiao32.exe

MD5 38cb89d911f49def9b7292b089991969
SHA1 6fe02cd25351d185c0456b2d41bda01a8eac1c56
SHA256 14a007798fe67b98fbbb6a1fba1984f088020c3376f6c4aefbf65e2c3e56d693
SHA512 aec608db11b2171d96e829db7c96251864bcdf17b78c16b6807b423e469f7e51b4d6cd6c73f83297417938d9532a99259285a5c2ab73f1a65e9a8d09fa0c9281

memory/64-153-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Lnhmng32.exe

MD5 723e34adb035e4acc307cb65a171fa7e
SHA1 84566643b22660315f784949883bb8bca678f0a6
SHA256 103eea2dbc307125ae0d39c3caa96b6b98bb4cd50fcc0c72cec1609d998e58fa
SHA512 8b08236f2a1a9df535eff4bc4b0f0900f2b7e6acdb93ca156277bb01d28fce94b9655daea5de73156a35f16775d4696ec5af9db593839c5039bd705fa7356804

memory/1360-161-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Ldaeka32.exe

MD5 ba66c27abdd5a3bbbdf1890d50cb9864
SHA1 baec0738fe76792860959ed050aa3d7cf7b3989c
SHA256 6140e510f53c1ebf3ce207fa12dd358dcd8a2886ade5049fa248a6dcbd1a540c
SHA512 5fc788f5959ea738ada143340d30ddf4218ef5d0f9cdfd7e6ca23b9630a259ad6a5029130eac2ad4a2c73014f0a58f9f1acf0ae66d03d1d7e1c37bc11e462d01

memory/3996-173-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Lgpagm32.exe

MD5 7b4983146d8e4261cfbe823ecbb9cc3a
SHA1 3c170ffb8c84e7d2e250240b47108bf73c4fa72d
SHA256 9dd7d3c3844aaa5eb820ffbf293f790b3f53f48236dfc0c80b1ecca7a59e4f90
SHA512 352de9ca91f641e5614caf4e30ece2621f1d30bc4b157af3ce1a03926371169d2a0568e2cfc265f55437737fd41b002c683f96de5f98a098c01bd976c53a109e

memory/3388-177-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Ljnnch32.exe

MD5 696a2c32baec1423cdc67ee82bf667d5
SHA1 e7fdf32cb462f68d5d2905c58f4968c20d89a4da
SHA256 d43ba0ea9f001a4e3d3b3332ab97d7676b70dc63f9349d08fe353390cd77bf3c
SHA512 ab123f8120894936605bc3032d5d01a5d8b82eda10bde055e0a024c5530083cf7315f81a85f048f00574ce02eff5de3cf9c123b9533d72cba3e62497f7801b22

memory/5080-185-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Laefdf32.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\SysWOW64\Laefdf32.exe

MD5 1b7befd350d1baa4fe24732a46bd4812
SHA1 9e5c7f83d96a3b47194ad6af69d377ab30b3002e
SHA256 524c4b38fa55f8527e97ef12a35a6f58024ccde8fa8aa70496bfe9a8f36c6ba8
SHA512 03dbca4df9c9f7ad099c4ca4370448a7f7cca739da04dbc0df20445d317c76273eba15ef1564cac33c6011b4ad833e459b428f94ca5861f77d82c9769afb0fa0

memory/3272-193-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Lcgblncm.exe

MD5 9108b2b22381b49ff549ad2a0c3b0db4
SHA1 d37a0361bb1b57679be7eccca84d2af5dbc33c21
SHA256 f828a9bc8f40a74dbb8c920864ce6726422553f521d6055bc8a60ff5b18b68ee
SHA512 777bda3a9aed32ecfd9aedf25c7137410f375aea6eaa9585830807409bd3679d4921c34df191f798a165cfc139ab589ee9c86babd894ad4527a22242c62c93fd

memory/2424-205-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Lknjmkdo.exe

MD5 fd622014b98eda55fa93f87613da1567
SHA1 fb9c2619cedb44cc16e0f394991b9e8a20c11374
SHA256 15f6748623056720a7fd3bd254a267510a0f782d3096d1af1474e6e4a85c053f
SHA512 dd3338b0e0e50265e37ebd7c3f5125be6ff0e47c69ffd8a95b850d644957a6aa07c86e4ea299dc6821aa0e9e8aa18d998f91ecdd9b8f2d1957a62d26e4f4c274

memory/4468-209-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Mnlfigcc.exe

MD5 4fddf297c41561f078d0fc3e3e10d519
SHA1 2edf683ac6e3cb4d58feb49eb0156181487e4956
SHA256 5035b5d1fc274521b3b2655432471e4c0bbdbd1c2027880edf174d26b0d5f9b2
SHA512 17267074deaf9cd882e4a4e62d1c9803cb2b553c2b8d44a36ac35fdc67749600f792acf770fc8c6a77deea55fb9ca7a70881257f8bc728e53c181a20726d4125

memory/5060-217-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Mdfofakp.exe

MD5 200478aa187ea6b220f1b4d7f423e1e6
SHA1 85a9fab1e2a548b38f641cf7a60f23d63711d26f
SHA256 0f363d7bd06286a7fc88b11aa9355dae279fd785627fd8c8639390d868382cb1
SHA512 f63cbd5b562ac77400a121d851e9882c4197d1b883a6e399866d399de879e1a0049f8a5fef81e23264ec6e00f588dc2d930cd1d1231b985de59f0b94dc5a58ba

memory/808-224-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Mjcgohig.exe

MD5 84bdcd9ba2c8ec8df55c429bfe538498
SHA1 3580062e796baa9a15f49e1d5ddf6577f46208c4
SHA256 18c7bb82126e4ba04f0e7159d89a23714f2aff1e4085cf9915c10a1e090fc53f
SHA512 1571bb371ccb590bba8f3ffef3435b20989a1426f3f009fce3fb8f4bc8443ce37baeed9ccd50cd5cee8cc29377d2254ce08b2130d06f5e1b016dbfac4c2c9fac

memory/3204-232-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Mpmokb32.exe

MD5 d93329c72547bebdc8c3442690014637
SHA1 1ffe8b30b1ae96563c2287ca85936a7acdf9b0cd
SHA256 3c899144fdeba210b6aaf6118a6ba04dbe30afcdf812dd4a959bb4be113bef18
SHA512 4ff206e5e7344863679f445d3e8cb817ec4559fba9ce7eeb14563f4366bd4fe4bcbb3e677a405482c35dc9d4e4fa3c44394a88ac5b2273afd5baf94dfa58d02b

memory/3224-241-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Mkbchk32.exe

MD5 d23f0a583bb3cdb76e55e9b29a2de5f8
SHA1 ceb3a59aff981992f1ff1db48577ac21e7ab1760
SHA256 46a9a33cbe65ce8b03cf205696effd4df8ccc63ec74567f95a6f9e445fce5ba4
SHA512 76dcea1333dd51fe6a005b4088ed6d7a0c199412c30f29cf5953c6e6699a474095bb640fa3cf6a9d302163616d3eae6bffea035d37db98916b6b7fe6cca8dbbd

memory/2648-250-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Mnapdf32.exe

MD5 acbc18d2b63dd85fc3da9b0fc9a3720d
SHA1 06cda309c1fbda6f24e78493c3ae91f759fd6db6
SHA256 1d16f228868ee9e113eef98b7099ee2771ad2165382b5ad54b4a8b3022aaf3b4
SHA512 68f8408e5bda1b0a661b9df3dd74dc496caadb9b8f766794590fd4005ee8ba21d7a263c12c93d5e8a31bb9b8db76d2e2aae448663a21e29f99661f33e36ac783

memory/1280-256-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4032-263-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1636-269-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4028-275-0x0000000000400000-0x0000000000443000-memory.dmp

memory/3908-285-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4808-287-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1560-293-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2300-303-0x0000000000400000-0x0000000000443000-memory.dmp

memory/944-305-0x0000000000400000-0x0000000000443000-memory.dmp

memory/656-315-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4272-317-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2044-323-0x0000000000400000-0x0000000000443000-memory.dmp

memory/3648-329-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4828-339-0x0000000000400000-0x0000000000443000-memory.dmp

memory/700-341-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4056-347-0x0000000000400000-0x0000000000443000-memory.dmp

memory/3800-357-0x0000000000400000-0x0000000000443000-memory.dmp

memory/612-363-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4408-365-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4620-371-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2804-377-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4940-383-0x0000000000400000-0x0000000000443000-memory.dmp

memory/3088-389-0x0000000000400000-0x0000000000443000-memory.dmp

memory/884-395-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1552-405-0x0000000000400000-0x0000000000443000-memory.dmp

memory/3664-410-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2640-413-0x0000000000400000-0x0000000000443000-memory.dmp

memory/776-423-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4568-429-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4420-431-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1516-437-0x0000000000400000-0x0000000000443000-memory.dmp

memory/3848-445-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4832-454-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Onfbfc32.exe

MD5 be74bcf511a5235afcc56bd694b76769
SHA1 064cb9e27928e8b7e7facb2b06df0f2c42a62f69
SHA256 ada91b84c74b14129f7a1ca83d4f54b95b2f04c6761c629a5646e0e9c50a0853
SHA512 acce29831dbfc109a9cd9fc74e5dcdf5e98e6e757325aabfd4521f8e24f2414ea0ee1250b5b91b43b30095aa0695c917adb5567667adbf3e8f8f78f4414839b1

memory/1740-455-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2504-464-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2336-471-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2920-477-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1656-479-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4292-491-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4024-490-0x0000000000400000-0x0000000000443000-memory.dmp

memory/5012-501-0x0000000000400000-0x0000000000443000-memory.dmp

memory/860-506-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1876-509-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Ogcpjhoq.exe

MD5 23ce1d2e84f8ef1d74e7414fca761928
SHA1 ec92d908a84376c5c64878e6865e7a0e4151b53d
SHA256 5d69e38ebe077e2f28748ba3d4e59e951aa8eed5a27cc4f5d109aea58dc45161
SHA512 021357febe389cbc655de2346c936f04978ba26d55b1406916f4e2ea6620e4116d26db6690a6ec84eb528c7f4e8bf5ae467642876f76e69750ededeba4da6e1a

memory/2412-515-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2168-525-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2432-531-0x0000000000400000-0x0000000000443000-memory.dmp

memory/3852-536-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1776-539-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1896-540-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Pqnaim32.exe

MD5 5debbaa6e531b392ae529e4758b9b31f
SHA1 535f5ca6c39862d075f858cb584cd80ab6c9579e
SHA256 bf02d0a0eb7a81bb2d144db1c1b4073eae0b54c66ac44b39088c2d081bafa90d
SHA512 541e55a0eb2192b492968a25c1ee6a4549c2ab21aeeb9b653b6cc26ad66c45da7ba99bc98a9794f3f896c32a40de748322221513bf31e6ef10b9b7258d1c83d6

memory/3676-550-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4328-553-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4896-552-0x0000000000400000-0x0000000000443000-memory.dmp

memory/880-564-0x0000000000400000-0x0000000000443000-memory.dmp

memory/216-559-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2296-566-0x0000000000400000-0x0000000000443000-memory.dmp

memory/820-573-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2880-572-0x0000000000400000-0x0000000000443000-memory.dmp

memory/3792-579-0x0000000000400000-0x0000000000443000-memory.dmp

memory/512-583-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4600-586-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4720-595-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4148-592-0x0000000000400000-0x0000000000443000-memory.dmp

memory/5096-599-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Qnkdhpjn.exe

MD5 03f8d4f8936139375d9a23337245c760
SHA1 f6c669b9b656a557309f8b8e99434f946c114ac3
SHA256 9fb97bd713d15c0d98172d3a9b8f9ea7ec515fdf30175f0c1233ceef94cb1c2e
SHA512 68300226c1b38934823819d0d1ad4bc05c6cd6ba8f96c4092ac682b0b84af48ff5d6bda741bacc43c1c52b8b7f282dccab35dbeea26339851e3ab489edd189be

C:\Windows\SysWOW64\Qgciaf32.exe

MD5 7528c4362640e0960acd466b97bd098e
SHA1 07b38423030926ac2defc618b8a15d721414cd1c
SHA256 ba52109e0e945287171abe2fac757976cb3a0d9ff559de07a3be221599d8b872
SHA512 03ae6fcb5fd8dde932cc00def9edd3006953c1253f4b78799ce59ad9487a4e730d8db1ff57b58073b8ba3904bf6b556b0e712dd2e528e9779b42bb8f6020ef27

C:\Windows\SysWOW64\Cojjqlpk.exe

MD5 a288252435b251f4826dec49f0844842
SHA1 c39afeeedf2478cd014110da5be321dd779b8d9d
SHA256 38278e62a673348847b7525aa1d4adb4f92a3db82ebbffef3ab5596ba78945b4
SHA512 d33243be1798417d8b37756693a802ae2aaad79bec520c4ff5ee8ad62d266cb967f94263abc5d100055f58cdd4670e4addfa13fba3de815c3d5ed44f61c5561c

C:\Windows\SysWOW64\Cdfbibnb.exe

MD5 d941aee691bc767c36ff1e214a6eae35
SHA1 468e12db2f56fb8237d4534d63d92b07c20f5bef
SHA256 ea3c3acb2c6675c1cd101766a0672326b8eb26e3dadf2e7f24460fcd1b7b55a6
SHA512 ca902e05ccdd48103d12080c18d35ac9573cc9f45ccc52880a1a952ef1be6f870105293f4758dbd467a34dfbe3ca6fb9c9c305bdc791460a430bff7f8c52ddf9

C:\Windows\SysWOW64\Dhnnep32.exe

MD5 d1217c8b955f7a7abaaad7892b8d5bfa
SHA1 9b5998544d3f31d43b6375378a1606d6f445766e
SHA256 4454d31e70c7f4b84b9484527eb8df4b904aa4c584538107fc5c73a26c6ab207
SHA512 b77f33ac17d6a2bf7f7a51905f0ea2470addcc5c4939cf29d8faf3c0e0a2a2cd03069a4558f9240d3565883930202228a8e65cc77782603127715f75b5e76db8

C:\Windows\SysWOW64\Dojcgi32.exe

MD5 909f873970ea815d88295cfbb302a0ff
SHA1 406645d9fedeab481320cbdf1569916a74b19bd2
SHA256 51f101e8d9178757822867187b1a60ea7472e75bd9d960feaa8b5d3fdea6d597
SHA512 4f2f60d02d2cdedefd32a7feb7a7dd05deddc5b6dd002663f86d7fc9fb2da8e4354f702304bbc37f6091860689448981810e7309d6ee411a5a94b56b391cce44

C:\Windows\SysWOW64\Dahode32.exe

MD5 a74a39b3f07d35431237a0b7259636c6
SHA1 670d3a05d3f9c54c794b13549288879878a32b3e
SHA256 324efc1bfa59f797e0f52eb6c0cadfd35eaa8a5b993aea6852462563fc314d0f
SHA512 1de98b6e195c2bcb3a3b39d9ace771b22c2f1c12fff63c6acbb08fccf2def3a4e2a5ab2c23eb7b7a6ad1185bb6f4ef70b6beb3075e5cdc232f1c5100b108d76f

C:\Windows\SysWOW64\Dlncan32.exe

MD5 d9d267fcee2d6615d7409844ac8b4117
SHA1 15c3caf69a3c6c5322f324dfad679d4ac64feeb3
SHA256 df8711a025bdda3cfb92b78b9be40a08fe41e044d11bbfd374eb29d7330d0071
SHA512 50e7d2a9a0b124e0b1de6c762c2d659dded46e4e285a37554d475f6b1693b761a43f93c7d3e2c2cbc68d58584e8bc39d4bc4e4645ac1fb1df42e824422b76123

C:\Windows\SysWOW64\Elppfmoo.exe

MD5 111e4c0543b73f451c22abcb729c785d
SHA1 63808106273cf7bdc8819feab2dda56cd307d490
SHA256 65e3e41e2c68d2e6952fd36c056dad27d816d1abd657d3f018a56066077fc178
SHA512 383a50c31e7b88584c8413c1438e250b5737c2ab870517ea05eeb8da844364348f624983cc3d23c64ae108a16fba09955e1d6a246f57029c8803fc26e58c2135

C:\Windows\SysWOW64\Ednaqo32.exe

MD5 18ee010f7c7845120e5ea64d31cb3528
SHA1 72c0d412830a34ff5e066b07f0c3ccf5ca93fcbb
SHA256 3fd1617e3f77f4ef8ec137e713da905597222a51069f45e55f1e7c0fda35c1bc
SHA512 4a787407d28bfd55684814b3d2cc20727c21b62bd41d7cca64b68831f0afed824a8eca608a5d31ee34ca66a562dd8c66069d4900ad44a9436d21e5e3c6e17458

C:\Windows\SysWOW64\Edpnfo32.exe

MD5 1e2d9593caa1742f75dd2eef1cac8bf9
SHA1 c60607efbb049416257d691342ecdc2621d9b20b
SHA256 19cfb974eb7444daabb9ba11e12200e9436ad4138a0444b390c46706bb205a03
SHA512 84b900f34fbe1ffa7598221182a926a3e9c227dc2592af30750ffd65522ed355d8b1a47292c123a10741f9b7e9a024815a01b7b6fe499376b6a1f5139897f54d

C:\Windows\SysWOW64\Eofbch32.exe

MD5 3c686126c5fb06b8ea1dfc534d7bddba
SHA1 8fd59a143ddf67d291276c9cfe09424a01f8dfd9
SHA256 6845e786cebe723f60d349b9e85f3c02eb57c72a2ddae11c95f5bc6b262f87c6
SHA512 c25d99c4b995d0ff310549451d8fadd06ff843168e84ced360a02493727d7e92c5dd4a0a80937ee6ae0bd13bae696e0ed0310668ab5f8a723353e8ab6a1606b3

C:\Windows\SysWOW64\Eepjpb32.exe

MD5 702e19d307e898917cc860a6713c2c5e
SHA1 b8a1bb7bdfefd7788c51608d20b13011a93a30af
SHA256 723a71448602515cf700b6390324b808f95cedf97b0a2588593b98f0db75af97
SHA512 5726acec0753b79958f7a23b2133197d0ee03548728b200086579b72d068fb60ca08b4302209cf21b98440e9a0d101f502c056706aa7ffcaa993d3ac495b1803

C:\Windows\SysWOW64\Fhqcam32.exe

MD5 09de7a28168a536d0a8e97a5310d2471
SHA1 26047b043e20dfd8da98dd1ee7c492b723f6a5c1
SHA256 0eea968e37239ac5f877a6787a409203129dcb6e578bd52d915e6d70b808484d
SHA512 cc27d02be177f82cb42c37f138d4919476ec0fe1a6867ac29115524839d63717e597ccb0f9559a896368a3c66787d64f1c5431c4075ea6b9fc9df5a7cb9bf72d

C:\Windows\SysWOW64\Fbnafb32.exe

MD5 d9d543761072e2ffece71514e84933e3
SHA1 0de153620acae615a0272d4624a48073d2000698
SHA256 bab54d1c51731e0db6f28c3e0f2f706a1baf208739690f15d4a79392eef1e67f
SHA512 2da6f1565dd0407989bfacf35d04b85dfa18355675b9feb33783cf4022c10eff8f05a23d7e0bb2a1dc1f01a3396857e9795d9c95d94bb8b81203876469d03de2

C:\Windows\SysWOW64\Gododflk.exe

MD5 b2ae9f5bde1bfb30ca48c175efda294a
SHA1 a7c80f125622c03393d38e005a6919d136c77a9b
SHA256 9821149d20718020f9637fa60493bdaf31f0da21c6542e62c4c2ed8b7b90d5c5
SHA512 2c603bc949af0946ee2cbeb1de446c0c7628bb33db72ed6b5b4c1017bff3428bb72f953d612fd7f7e864a2f468ae06ea179fc3412254c6674bbe8963bdd744e8

C:\Windows\SysWOW64\Gfembo32.exe

MD5 03acfc13d44e6968e59d3e6cf296d5e5
SHA1 1349da3d445f3a175d5db0256451270847a3bc73
SHA256 7cb6fe7c62eb165025ad434e46dae2519dca7fa89936194beb9549902f0f85d0
SHA512 b685962a09304e06f755c1960fed50b882ffc60112179cc78eb192aa288a8cd6f1c7cf6e6f5459ad0b5617bcad8a59bcf7a8c34d80c5e523b7e11d4f4d5ec214

C:\Windows\SysWOW64\Hkfoeega.exe

MD5 85826a4edf6b84bf85f8b484bfa7cc2d
SHA1 48f8f9876673c9cdba4cca991a196312fbdb6606
SHA256 3e21f0f39713b3a408418e9f1df4d9485e287d557c787cc11b1f1d44bc5ea32a
SHA512 0e047373bea9f6b884c53e9dbccb534ffb84da1b51b109bf6d09bbe323fa6e6823aa14a7d0c9f50d0b3968108db99219c5ff28218716ce340616309b86d82295

C:\Windows\SysWOW64\Hfqlnm32.exe

MD5 d0b7d526a98584fa3e0ec8802c2a63c2
SHA1 945997d57c201114720aeaacf007613b503688d3
SHA256 16e369025a88dfeb3661733ee98f83808f4fa74a88396b9ea177f12df0c4ac09
SHA512 2e4b8372663ba5ac5cabf470c466119d2f0e17e7a3dd13ffe2fc312703602c2cb41dce3f3c22776736657043fec53480d90af34e287e0421e2178419958b8921

C:\Windows\SysWOW64\Iifokh32.exe

MD5 212d87a39ad3b54cb3a455d830e58d82
SHA1 711170deceecfc01e5e236345df08dc8591525fb
SHA256 a0adde03b89f4d835622e72d500d14272dc868bb13c8729f305507ba0530610f
SHA512 ba24e299d8238589c7adaa5aa9aa34c40e88d32b8dd88c67c3cc9cd36672505b4503e4d4b253697c4295b344b7c7d85e57db507293b8653340955bf00672fc0c

C:\Windows\SysWOW64\Iemppiab.exe

MD5 9e77a17efc17f7222c0b787d14e54df8
SHA1 d13deceed41b9c377c4cc5aecfa2f1b54a70491f
SHA256 536e1f93b2b7077f425a3cbeeca46201ab3cc42255b939eafbc858bc4305dd4f
SHA512 8f9c99b5806a2999ff2011958bc9477d94f77ec1a8e6cc0946e267dedc6bfc6b78acc2bb1771db08b8fd9cd53c36de3820b1bbdafe0e97082ee4b5d4460301a0

C:\Windows\SysWOW64\Jimekgff.exe

MD5 dcd76f33f3bc18f5315d2a622b7bc6ed
SHA1 d2af303fd8a200e2c4aabec5059d20491ed4d107
SHA256 1bc5c4a532288dc136966f758b9e502688e6103a76ad926200ce318a9e4ce7fe
SHA512 6928b4b76eb2b49ae9cd0edfdc1fd0defb8fd1645e91ff9c3f359958add0fec9f83ea2fd41b5aa75a4d9b8d1f5332bfe2c52af84e347c65f4bf99df944825c81

C:\Windows\SysWOW64\Jedeph32.exe

MD5 277f5d6335df3067a370702bc8f9c541
SHA1 b50891794c717f339781603c1b3fe0f424462193
SHA256 38042bdb546f601ced6fcae0d437efe0469c2231155e76dd2644db8179231632
SHA512 0386d09c77b5e22002629ab81a12bfa4d4103202ffac7e5d7dbb1ade5f1cfeec1c008a0aad86df6dda36c3e3f978e0784fc46d0ffab5f2e411958b6814a27f0a

C:\Windows\SysWOW64\Jifhaenk.exe

MD5 360ac56bbe402b147612d210f4baf991
SHA1 591cebeea3153b43e56cda5a3ad89323eef8018e
SHA256 9b0ebfa2f5d2beba1cfd0dee94832becf6a319a8b7619158429899c055490ed0
SHA512 04b98eb2959a3bbc892f449aba14474e78dd56e8a0be02944942b02f1ba4c96980868a20705f687dfdef80c4ac5869a13ed16b933ddcf8bf192c64a306be0444

C:\Windows\SysWOW64\Kbaipkbi.exe

MD5 5a58ca5a1dc71f7ecf700a98fc6b8729
SHA1 803b1e4654afd22048b60ccc1db6f560844ba823
SHA256 b95f22b8bfe88dffabc69bc91653c320197471bde9ea7b1d96b7eaffd884f850
SHA512 8c59fed65c6d28baabed89cc2328b3cb61455e66c540e1fcf210db35ae74b700c77b2b4fe3ef1f329fc7a407bc8eee4ae07fea56f793fcf759b45b88c34deea3

C:\Windows\SysWOW64\Kpeiioac.exe

MD5 b01fecefc6f90cc241e08d7439879fb5
SHA1 6d264973284a81f8ce1f38f25beef8b966a43460
SHA256 01cc42f31261a3338cb1537347cce85865a82ff1ff0720e3a5ae579bded328cb
SHA512 491a8a986cbcf01b569d35165f739e2a831222f01d4df732d1207a792b12f731e4cde7f069e5b5f6c22d801bf78d5ab2dc446bb7a1e87c82338519ad23e8824f

C:\Windows\SysWOW64\Kdcbom32.exe

MD5 0207c887e3f044c2c5f4f6ad750573bb
SHA1 de7f4f4a23f29b6f743096c22dc932670fe87e7b
SHA256 f7c11defcaa2c6d4fb3e519efbea87d6f354d50bfbdd06dd50565c865166345d
SHA512 e69b9b09e5048aa123e319b7fee6e68a369792b5edb67b71c12634821cbe4ff869d45a21397792211cdfb2e2131a1a61316ebba4d2306c9faf37e9527090df24

C:\Windows\SysWOW64\Kipkhdeq.exe

MD5 2fc1dd62a50cf46b09c88919d1552ddd
SHA1 bc6f5350d97625cb6770dd1fcfcc7504a9842b85
SHA256 70c50f1de5e85baced26fc59fd879f76cde726d7b89a596f9d6b097a5d3c2f62
SHA512 15ae528d70b8b08e4b0c5e7de0f4fb6c9b2afbb6136a7c31152e40882cfa67c9acc3ef2885969cf00f5ac023114e3979bce845358908240a2c30fad639a87d95

C:\Windows\SysWOW64\Llcpoo32.exe

MD5 36dfc3252ac3b9b82083da5d6bff7fdb
SHA1 254842dd65b0a8bb7f8aabf48765c56b2c3173d8
SHA256 2994a9cc9d61ee92ac12b24140a626cf33b38af10c913e9c97bbf475bcdc5166
SHA512 272aec85323cfe8c5349280947cc902019a94c360e8ff138a560fb3ebcf478d6fb9feb6030c01050b1eeefe0df11ba60c58753a178cc7638decc4035f76ef081

C:\Windows\SysWOW64\Lekehdgp.exe

MD5 a20f29075eb44d4ae15a20877674c1b6
SHA1 34943e6094bee7bed8a6608a441791d6b46166a2
SHA256 92b220b92a69c949b5a19ec24f63d1ef54a1d6a246a69daade986fb05caf10fb
SHA512 ac326613ac9a6f010d094ee6b1abfec18bf27ffb4f6d19cae0938659c9147f0d68f08833a048d91fdda40c1e7a9e4d2deb9682cf5448f08435e0afef232cd355

C:\Windows\SysWOW64\Lmdina32.exe

MD5 d598bb0b3b417f1b35720e0529806b49
SHA1 860448e188f8a961f67cf7275dcd4f0f1390dd53
SHA256 3bca1fb3f63b7f57f3c6bdbb3edea319d9fb220d8b638848196a4859e44ec01e
SHA512 8f6b9a97146aa6ed19fefaac015f44c8a3f3ecd6776c54187e8f6698b7f5c7514cbacbe323e8df96ddaa6fe4b4b3910329bd2fd59e95be3ab1ff031193919283

C:\Windows\SysWOW64\Mipcob32.exe

MD5 f688e6fbb73c2c38119a4dcd17308a94
SHA1 001e4601d60b543986fd6638f1bb9eb885dc55cd
SHA256 f6211bdd45347db39a03fb7b63ec45feddb189841caff3481b275a6b35180327
SHA512 a815bbdaa08d02af07584a88771b76bda62fabbbec487557cda5751e76908329ef4047f95c16a1b477827504c4417c35fa6be161db7182b36529d52b53f44f76

C:\Windows\SysWOW64\Miemjaci.exe

MD5 bab0d1b07bcca513b671d8fc0cfdb617
SHA1 e01e140118ecb5910a183cf0987b8715e36a1422
SHA256 a36c7b964b6d8c8153e66caa9666715ac45438bdabe90bbdf780d53731d35b1d
SHA512 a6cd18d9f8b4c8c6ddd5f806260d3c30a02aa2b68b98ce59ca9310f7cca63d895f9840797148df8c114f4dfb38a7ac5242e5807268b9f1d5fa98b030d9cd3689

C:\Windows\SysWOW64\Mnebeogl.exe

MD5 7ddac9faed407aa75782fb08b7bf97d0
SHA1 80849fdbed7725d66c861f68ff3eb944cbe720f1
SHA256 2849104c1b4dca1e2e47befbb30d92cd4b5b44c347659e9095d240dfc9cdc34d
SHA512 c8828c4e4c2643eb39e8e6d0a98dcf6a58e6656bea01e3ba16bf2555c4636911ab318e4764bdbf51c1e0fd8aa15cf878c969f6a8e4a3e0d6a6ee52be8718c3ac

C:\Windows\SysWOW64\Nljofl32.exe

MD5 a704c6cf1e30c0f542e4e911948d74d2
SHA1 c9aab2aca005d3248e57b9cb073940bdcccbd5a0
SHA256 bcecc3a6c51de761bd178a6581c41608052aff4ed48b9e6f69c5c9ce3c307e0b
SHA512 5ccec5e8f42dae4e50e3a84be0bb1035b65741c812307a60caa0ea895bb3a4cbf225c1bb8ed2e0cc0a120c8942bccf30debdfaa004a0cdc0e6a66b424633ee3e

C:\Windows\SysWOW64\Nnjlpo32.exe

MD5 2d79e3753afe0bd2d8c1d1d874498b2b
SHA1 16fd188e5b6915b0edbd6f987544b752281d15ab
SHA256 c35f38b4d734052342e524bbf37affb8dc10cd8187c4157c1c103904eae88e01
SHA512 f7c8e46c974319ee6a8050fe4b1f911558f04d8dd678003ea0b54fdebbc7e5a347c68dc1356df7476f40108e9bc514aefe04d8f91e9c723054c695cea2d67e25

C:\Windows\SysWOW64\Nnneknob.exe

MD5 fccbef1949b5fc920168de0d57fcffe9
SHA1 172d16e5b62be5e56f541c763b785d473018ca73
SHA256 ece5fdfec98016b01cd8ec6b3e62921bb0b6ee10984e440cfd6513c9b59344e9
SHA512 85663ba5b3c25cd2f64cf577d74cd5ab5d423300e8c96cbfd7825c4b1ab1606b0f21080a7fc0d8eac8b262c151bb28d7f369021ff5f3eb98ee81bd9d24a58b76

C:\Windows\SysWOW64\Olcbmj32.exe

MD5 93a45900b2eddd7acd6dee9b2dd34bc0
SHA1 1c34ad615a5b156d2b82cebccc0adbeba6b64d4c
SHA256 99a9be741b079a36feca2938547239d5828288018ed4a02fdb33ef8b4ea6cf59
SHA512 c8fedb592e032940ba22ecb69cc7517ec36e7466e0a647a6ffc095dea3d812a6fa426018cb4d69c36403b46dfa509a7c18af0837c6455b20af5a0a9de29bf2b8

C:\Windows\SysWOW64\Oflgep32.exe

MD5 7a7e5c600516e820da3e07604bb345c2
SHA1 514055fc75407efa7f750f0bb515ddc89b6c5a5b
SHA256 0d793d32e01a40e1f2d41265780862d370e53c4c159c3d569fdcf0bddc68e12a
SHA512 cc2c4e044e5f3423f060ad0713005de4d82ccda7c00743b0cfaf000baec7d69a5bc55231d01d0427a113f2f501b3763015b39fab78dc6640bdc94e8b46912177

C:\Windows\SysWOW64\Odocigqg.exe

MD5 de22ac67fb178ef848d1cd41ca137683
SHA1 757136051314fb99f0417edf94759cd7defc0c86
SHA256 4bb7a4853903a6aedce62456efb7964b2ef93297c4ced4642e363a5445a6983a
SHA512 bbdbd406da598e97088ab56552cbbc46cb49a188fc1c2194807320384f0f72e3540c18d17e7758a11403f0c680e9fcae21965affe9cba308748671f012aea4b1

C:\Windows\SysWOW64\Olkhmi32.exe

MD5 30b1c7a14bb9b62cddf89feb9ca50547
SHA1 0734a9cfa1d38a14d867483cb924f5dd850047c2
SHA256 6112aa24fe8441ea02b8bbb6601153d3d6008a27244eb71eff7932844c0593a3
SHA512 0d920111bc3d2e341bb073bdcb3a40c831f74462c90e731f4d43f6c9e67c3591d40c6c6d7ad74c27b3a66336e5bf9b943aaf58af6e703b21a31748eb431184b7

C:\Windows\SysWOW64\Pmidog32.exe

MD5 9854653db03cfb29237e449736760497
SHA1 45cb46c194a55134be9e5829499850bf7da2860b
SHA256 23bdb89c8dc61c9cd76d6856ff53b319acf9a3b254c5b008e3b7d7f86c5c3bc8
SHA512 d33ea805b5a4584912456f22d151f92e6917bd3af2094e07e48402e7538ee3746b52389a240599ae3f851bbf13771ea2e8796f9740433407f3189a87f6ca2a36

C:\Windows\SysWOW64\Qceiaa32.exe

MD5 7f6452ac98d2cac18638c7054e68afaa
SHA1 134426daba45ae381c69b9a74e4dd032c28123c8
SHA256 9b69480c54472a092c2ad225fe561af976e4d8fa9fe2b6e3020d11f744bb137b
SHA512 0b7c92e6df51e03f72da4f2bc33a9608536c271ede635edeed30bf8a95f992c48a7df5b1fd44118d82a7586c48eeae52a8b12d99fa28d72c5f3aa7143506bbae

C:\Windows\SysWOW64\Acjclpcf.exe

MD5 1e8c1287724b8fbf15d734179832533a
SHA1 03f49d0187209277e3f2fc19959d89c5af7476df
SHA256 692713ed6dc49d72d4534fe5f3f9c41d4eb50d38a98dbe713343c8ea4477ef73
SHA512 e5ac93612c3fe3a919b99913858f199a3bf6f66196d6cfb461e077d72170cd1068891a350785684ce72153f35a7af09d7111bffa15e875f683e4ce1bac4fa40b

C:\Windows\SysWOW64\Ambgef32.exe

MD5 b4b38816e4a7a2aaa90d7821154fa715
SHA1 edf2c7e28ad381b45a16a7e6458527ba82c5f662
SHA256 f7f8848bd874ac0b545e36c67bc6c7b3a1d6e7f95eb4b3de7b2c2223516d5862
SHA512 31120ceba75a65332f0bac6b0d34e177453fe241cd26acda7e2c5173cb5b88332e9fb744c89b3468355c03ce27d4acb8ba3d58c7896a0264c05c715f48e483f5

C:\Windows\SysWOW64\Agjhgngj.exe

MD5 273b5309ebf5f4c2bd4223afc4bc41c0
SHA1 3fa6bfe9043aff0ea24960c9d5e45c647431fd89
SHA256 054de93257b53922c87ea6afcf3bcf3a669bebac5a8291d6822fec3521b39b62
SHA512 7495b64afcffbb82b610ce1d040de0ac4054798c1899535fd71c72ab88b772bdbd7ca1b4e7a92133509591f959793da4d590ad54563f655be0f0d9562b7b0bc8

C:\Windows\SysWOW64\Acqimo32.exe

MD5 81ff3710e5e1b81746a31cd5522ff109
SHA1 5e07b3358a4413934f8580d0505eef5b5dc3a05a
SHA256 1cd4ec3ed17c073df4b79616abe02a9d72f860a967d5aaef9f22c88b1494fa38
SHA512 32f65fe666e24885ffe08ffae80b5870d1063248065829f6885c1551f89bd35baf8535159e0c2537f214b1e216a72d1b03871327c68f986cd2e346bc68cea763

C:\Windows\SysWOW64\Agoabn32.exe

MD5 b1b4cc0bd4474a2cc7cc6db292fd7696
SHA1 fa7439250837ae274d5a9e1327f4b49a06b91ffb
SHA256 9f4942c78e5d185b38475d15e6676c2ef1d5922ea2cabf384b071b3811fab4a7
SHA512 18830cb844d86c39ca39b2b5046686dbbfc85d4b099d39fcf043575eb924a7d7e7a119aa2016934fc4d9dfc99b00b5e82c12f853c4d874930845850e1e7ed42c

C:\Windows\SysWOW64\Cjkjpgfi.exe

MD5 253d371f485ebd7700c37d5aa8091fe1
SHA1 321c86c1c160277c08b0584f207ffa2e52b420ab
SHA256 abd94942a96db14ed95f6f440f4127ebdf9a4349ba1a286aa3c9c4fac2054dde
SHA512 c06a62cd051c80c2c836d8df1c8285518f87a2f51cb306dedfd4aa35f14d4625b12afebba7b5de978e76b224bc538348c3cce78acbf171244e45983d3f52843f

C:\Windows\SysWOW64\Chokikeb.exe

MD5 a493d61cbc156ef6fae0194cb9bf1952
SHA1 9780421965abaa0207e8ee16dd1750cc72f92f7a
SHA256 669532b6b7f655358792181dfc0a505000f4380392eb933ff5450109c521038f
SHA512 fe820844d701d17d1356e0014a1c28e624fb1e30d0c0323bd26af9040dce3b95ef9a7733c5773450450b5663802f67dfa97a135f317d60dbacd018e6269eb37a

C:\Windows\SysWOW64\Cdhhdlid.exe

MD5 45fd45039d51961ab1a9c849a77126da
SHA1 c757d556df3fc01e694b263e254eacc2fab80b18
SHA256 92b12390bd70a9832422d81ef2e5410281f25663684dc8a61dd82b809094121c
SHA512 d8fbd83ce5616299759a8be4359f02ee3889edb77d8a351e92c64a25876f74d8bb517d9a17ca55b0f90b8401f544c92530b99f3d12a042af99a1e5ef781cc012

C:\Windows\SysWOW64\Ddjejl32.exe

MD5 760c2e840af77a0d214bc6d6fe5fc735
SHA1 cff779b974ed8f432e44d1333ed452021e7da925
SHA256 9cc03dda57cb3e125efab3ce1edeef7eabc9ede97379cab9ef8b12fd04672f8d
SHA512 1a236d4faa4337eff1c5fdd34db70d07bda4bce80d04a2231ef09489b7c0b6d83649af55fb61d5e61333de5219bd0e1e7943a4b60cbaba5c4d07a3048567cdf9

C:\Windows\SysWOW64\Dmcibama.exe

MD5 d03a33edaacc95c6997fa56a0d9a47d0
SHA1 044463d019fdef28b544bc4e8f071936ba61afee
SHA256 8ad76778c3dafb488e21cdc989635507981af709a0ee4402dddcec765d0cfb7a
SHA512 2278efdf69b68b32534bb2e73eaae397c978f1a1b40b0d3bd93cdc7d0fc9649139a3ab3c04386b4ef59e9b63e3a2fe5b1b44e399e7a651354062e9b48fa12bbb

C:\Windows\SysWOW64\Dfnjafap.exe

MD5 b46ed2dbb0fb012b78611961bbbb7558
SHA1 3674ff151de1f0d62fe676556f716da5ed50ef78
SHA256 414c2cc09d58ce5180528c027ea90a5b6cb1fba3186609e20a81d62c4c93c4a3
SHA512 9bc77a7173a2aa8afc9cd1f3c480f2b026a9bfaa57f47d3817c515bcba78927af05c0a466b63d5c6ead5633e7474dd96999827cbf6ec0bf990fe7ebbfa1f60e6

C:\Windows\SysWOW64\Deagdn32.exe

MD5 4f7dfa63c63bf8d106f11a57d945f867
SHA1 cc7e2fc63b8bb7ed990f685a4fad3219cd88e2ce
SHA256 ef80544ab52b4765f6affbeb4bc8a76f64ee9461e6cada17f9c639698c87522e
SHA512 28d56d4ac6430b2971f17f1988bfa93fffc0ae0d1c468c74c05d79beacfd8e4237e1039f059bb8831839d029cdbbcaf0167d90f0acc48282dddcb7a49ed23f10

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 12:45

Reported

2024-06-13 12:48

Platform

win7-20240611-en

Max time kernel

118s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7d4e811a1aea2dc42ab2a3882c013440_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Amelne32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Okoafmkm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Okoafmkm.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pnimnfpc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pnimnfpc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pqjfoa32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Poocpnbm.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Afgkfl32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cfnmfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Biojif32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bhfcpb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ohhkjp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pqjfoa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Poapfn32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aniimjbo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bmclhi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aeenochi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bjbcfn32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pkidlk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qeohnd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Afnagk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Odjbdb32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bkglameg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bkglameg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cfnmfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pkidlk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Apalea32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Afnagk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pgbafl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aeenochi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Afgkfl32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pgbafl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Poocpnbm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Amelne32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Baadng32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\7d4e811a1aea2dc42ab2a3882c013440_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qeaedd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aniimjbo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Apalea32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bnielm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qeaedd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Biojif32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bmclhi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Acpdko32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Acpdko32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Baadng32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\7d4e811a1aea2dc42ab2a3882c013440_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ohhkjp32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Poapfn32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Acfaeq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bhfcpb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Odjbdb32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qeohnd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Acfaeq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bnielm32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bjbcfn32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7d4e811a1aea2dc42ab2a3882c013440_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7d4e811a1aea2dc42ab2a3882c013440_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\SysWOW64\Okoafmkm.exe N/A
N/A N/A C:\Windows\SysWOW64\Okoafmkm.exe N/A
N/A N/A C:\Windows\SysWOW64\Odjbdb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Odjbdb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ohhkjp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ohhkjp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkidlk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkidlk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pnimnfpc.exe N/A
N/A N/A C:\Windows\SysWOW64\Pnimnfpc.exe N/A
N/A N/A C:\Windows\SysWOW64\Pgbafl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pgbafl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pqjfoa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pqjfoa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Poocpnbm.exe N/A
N/A N/A C:\Windows\SysWOW64\Poocpnbm.exe N/A
N/A N/A C:\Windows\SysWOW64\Poapfn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Poapfn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qeohnd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qeohnd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qeaedd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qeaedd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aniimjbo.exe N/A
N/A N/A C:\Windows\SysWOW64\Aniimjbo.exe N/A
N/A N/A C:\Windows\SysWOW64\Acfaeq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Acfaeq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aeenochi.exe N/A
N/A N/A C:\Windows\SysWOW64\Aeenochi.exe N/A
N/A N/A C:\Windows\SysWOW64\Afgkfl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Afgkfl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Apalea32.exe N/A
N/A N/A C:\Windows\SysWOW64\Apalea32.exe N/A
N/A N/A C:\Windows\SysWOW64\Amelne32.exe N/A
N/A N/A C:\Windows\SysWOW64\Amelne32.exe N/A
N/A N/A C:\Windows\SysWOW64\Acpdko32.exe N/A
N/A N/A C:\Windows\SysWOW64\Acpdko32.exe N/A
N/A N/A C:\Windows\SysWOW64\Afnagk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Afnagk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnielm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnielm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Biojif32.exe N/A
N/A N/A C:\Windows\SysWOW64\Biojif32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjbcfn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjbcfn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhfcpb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhfcpb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bmclhi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bmclhi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkglameg.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkglameg.exe N/A
N/A N/A C:\Windows\SysWOW64\Baadng32.exe N/A
N/A N/A C:\Windows\SysWOW64\Baadng32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfnmfn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfnmfn32.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Qeohnd32.exe C:\Windows\SysWOW64\Poapfn32.exe N/A
File created C:\Windows\SysWOW64\Ljhcccai.dll C:\Windows\SysWOW64\Aniimjbo.exe N/A
File created C:\Windows\SysWOW64\Aeenochi.exe C:\Windows\SysWOW64\Acfaeq32.exe N/A
File created C:\Windows\SysWOW64\Mgjcep32.dll C:\Windows\SysWOW64\Acpdko32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bkglameg.exe C:\Windows\SysWOW64\Bmclhi32.exe N/A
File created C:\Windows\SysWOW64\Fdlpjk32.dll C:\Windows\SysWOW64\Cfnmfn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pnimnfpc.exe C:\Windows\SysWOW64\Pkidlk32.exe N/A
File created C:\Windows\SysWOW64\Hqlhpf32.dll C:\Windows\SysWOW64\Biojif32.exe N/A
File created C:\Windows\SysWOW64\Mdqfkmom.dll C:\Windows\SysWOW64\Bmclhi32.exe N/A
File created C:\Windows\SysWOW64\Faflglmh.dll C:\Windows\SysWOW64\Ohhkjp32.exe N/A
File created C:\Windows\SysWOW64\Qeaedd32.exe C:\Windows\SysWOW64\Qeohnd32.exe N/A
File created C:\Windows\SysWOW64\Cophek32.dll C:\Windows\SysWOW64\Aeenochi.exe N/A
File created C:\Windows\SysWOW64\Amelne32.exe C:\Windows\SysWOW64\Apalea32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cfnmfn32.exe C:\Windows\SysWOW64\Baadng32.exe N/A
File created C:\Windows\SysWOW64\Mfbnoibb.dll C:\Users\Admin\AppData\Local\Temp\7d4e811a1aea2dc42ab2a3882c013440_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Nlpdbghp.dll C:\Windows\SysWOW64\Pnimnfpc.exe N/A
File opened for modification C:\Windows\SysWOW64\Aniimjbo.exe C:\Windows\SysWOW64\Qeaedd32.exe N/A
File created C:\Windows\SysWOW64\Jmogdj32.dll C:\Windows\SysWOW64\Qeaedd32.exe N/A
File created C:\Windows\SysWOW64\Hbappj32.dll C:\Windows\SysWOW64\Afgkfl32.exe N/A
File created C:\Windows\SysWOW64\Cacacg32.exe C:\Windows\SysWOW64\Cfnmfn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cacacg32.exe C:\Windows\SysWOW64\Cfnmfn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ohhkjp32.exe C:\Windows\SysWOW64\Odjbdb32.exe N/A
File created C:\Windows\SysWOW64\Ikhkppkn.dll C:\Windows\SysWOW64\Odjbdb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pkidlk32.exe C:\Windows\SysWOW64\Ohhkjp32.exe N/A
File created C:\Windows\SysWOW64\Pfnkga32.dll C:\Windows\SysWOW64\Qeohnd32.exe N/A
File created C:\Windows\SysWOW64\Mmdgdp32.dll C:\Windows\SysWOW64\Bnielm32.exe N/A
File created C:\Windows\SysWOW64\Imogmg32.dll C:\Windows\SysWOW64\Pqjfoa32.exe N/A
File created C:\Windows\SysWOW64\Eioojl32.dll C:\Windows\SysWOW64\Poapfn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Aeenochi.exe C:\Windows\SysWOW64\Acfaeq32.exe N/A
File created C:\Windows\SysWOW64\Apalea32.exe C:\Windows\SysWOW64\Afgkfl32.exe N/A
File created C:\Windows\SysWOW64\Ebjnie32.dll C:\Windows\SysWOW64\Apalea32.exe N/A
File created C:\Windows\SysWOW64\Mlcpdacl.dll C:\Windows\SysWOW64\Bjbcfn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bmclhi32.exe C:\Windows\SysWOW64\Bhfcpb32.exe N/A
File created C:\Windows\SysWOW64\Lbbjgn32.dll C:\Windows\SysWOW64\Poocpnbm.exe N/A
File created C:\Windows\SysWOW64\Aniimjbo.exe C:\Windows\SysWOW64\Qeaedd32.exe N/A
File created C:\Windows\SysWOW64\Afnagk32.exe C:\Windows\SysWOW64\Acpdko32.exe N/A
File created C:\Windows\SysWOW64\Opacnnhp.dll C:\Windows\SysWOW64\Bhfcpb32.exe N/A
File created C:\Windows\SysWOW64\Baadng32.exe C:\Windows\SysWOW64\Bkglameg.exe N/A
File created C:\Windows\SysWOW64\Mabanhgg.dll C:\Windows\SysWOW64\Baadng32.exe N/A
File created C:\Windows\SysWOW64\Pkidlk32.exe C:\Windows\SysWOW64\Ohhkjp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Afnagk32.exe C:\Windows\SysWOW64\Acpdko32.exe N/A
File created C:\Windows\SysWOW64\Bjbcfn32.exe C:\Windows\SysWOW64\Biojif32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bhfcpb32.exe C:\Windows\SysWOW64\Bjbcfn32.exe N/A
File created C:\Windows\SysWOW64\Poapfn32.exe C:\Windows\SysWOW64\Poocpnbm.exe N/A
File opened for modification C:\Windows\SysWOW64\Acfaeq32.exe C:\Windows\SysWOW64\Aniimjbo.exe N/A
File created C:\Windows\SysWOW64\Acpdko32.exe C:\Windows\SysWOW64\Amelne32.exe N/A
File opened for modification C:\Windows\SysWOW64\Acpdko32.exe C:\Windows\SysWOW64\Amelne32.exe N/A
File created C:\Windows\SysWOW64\Ecjdib32.dll C:\Windows\SysWOW64\Amelne32.exe N/A
File created C:\Windows\SysWOW64\Naaffn32.dll C:\Windows\SysWOW64\Acfaeq32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bnielm32.exe C:\Windows\SysWOW64\Afnagk32.exe N/A
File created C:\Windows\SysWOW64\Ajcfjgdj.dll C:\Windows\SysWOW64\Okoafmkm.exe N/A
File created C:\Windows\SysWOW64\Pnimnfpc.exe C:\Windows\SysWOW64\Pkidlk32.exe N/A
File created C:\Windows\SysWOW64\Pgbafl32.exe C:\Windows\SysWOW64\Pnimnfpc.exe N/A
File opened for modification C:\Windows\SysWOW64\Pqjfoa32.exe C:\Windows\SysWOW64\Pgbafl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Poocpnbm.exe C:\Windows\SysWOW64\Pqjfoa32.exe N/A
File opened for modification C:\Windows\SysWOW64\Amelne32.exe C:\Windows\SysWOW64\Apalea32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bjbcfn32.exe C:\Windows\SysWOW64\Biojif32.exe N/A
File created C:\Windows\SysWOW64\Bmclhi32.exe C:\Windows\SysWOW64\Bhfcpb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Okoafmkm.exe C:\Users\Admin\AppData\Local\Temp\7d4e811a1aea2dc42ab2a3882c013440_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Gneolbel.dll C:\Windows\SysWOW64\Pgbafl32.exe N/A
File created C:\Windows\SysWOW64\Acfaeq32.exe C:\Windows\SysWOW64\Aniimjbo.exe N/A
File opened for modification C:\Windows\SysWOW64\Apalea32.exe C:\Windows\SysWOW64\Afgkfl32.exe N/A
File created C:\Windows\SysWOW64\Ennlme32.dll C:\Windows\SysWOW64\Afnagk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Baadng32.exe C:\Windows\SysWOW64\Bkglameg.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bkglameg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Odjbdb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Amelne32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eioojl32.dll" C:\Windows\SysWOW64\Poapfn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Afgkfl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bmclhi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljacemio.dll" C:\Windows\SysWOW64\Bkglameg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cfnmfn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Okoafmkm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faflglmh.dll" C:\Windows\SysWOW64\Ohhkjp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bhfcpb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aeenochi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecjdib32.dll" C:\Windows\SysWOW64\Amelne32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qeaedd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmogdj32.dll" C:\Windows\SysWOW64\Qeaedd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aeenochi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Afgkfl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\7d4e811a1aea2dc42ab2a3882c013440_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pkidlk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pqjfoa32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bjbcfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opacnnhp.dll" C:\Windows\SysWOW64\Bhfcpb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bmclhi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Baadng32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pkidlk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pgbafl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Poocpnbm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naaffn32.dll" C:\Windows\SysWOW64\Acfaeq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebjnie32.dll" C:\Windows\SysWOW64\Apalea32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bnielm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqlhpf32.dll" C:\Windows\SysWOW64\Biojif32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} C:\Users\Admin\AppData\Local\Temp\7d4e811a1aea2dc42ab2a3882c013440_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajcfjgdj.dll" C:\Windows\SysWOW64\Okoafmkm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Acpdko32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfbnoibb.dll" C:\Users\Admin\AppData\Local\Temp\7d4e811a1aea2dc42ab2a3882c013440_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pnimnfpc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Apalea32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Afnagk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll" C:\Windows\SysWOW64\Cfnmfn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pnimnfpc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qeaedd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gneolbel.dll" C:\Windows\SysWOW64\Pgbafl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pqjfoa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbbjgn32.dll" C:\Windows\SysWOW64\Poocpnbm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Acpdko32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Afnagk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bkglameg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Odjbdb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmqalo32.dll" C:\Windows\SysWOW64\Pkidlk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdqfkmom.dll" C:\Windows\SysWOW64\Bmclhi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mabanhgg.dll" C:\Windows\SysWOW64\Baadng32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfnkga32.dll" C:\Windows\SysWOW64\Qeohnd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Amelne32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ennlme32.dll" C:\Windows\SysWOW64\Afnagk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bnielm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Biojif32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlcpdacl.dll" C:\Windows\SysWOW64\Bjbcfn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ohhkjp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Acfaeq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Poocpnbm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Poapfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljhcccai.dll" C:\Windows\SysWOW64\Aniimjbo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aniimjbo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bjbcfn32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2996 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\7d4e811a1aea2dc42ab2a3882c013440_NeikiAnalytics.exe C:\Windows\SysWOW64\Okoafmkm.exe
PID 2996 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\7d4e811a1aea2dc42ab2a3882c013440_NeikiAnalytics.exe C:\Windows\SysWOW64\Okoafmkm.exe
PID 2996 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\7d4e811a1aea2dc42ab2a3882c013440_NeikiAnalytics.exe C:\Windows\SysWOW64\Okoafmkm.exe
PID 2996 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\7d4e811a1aea2dc42ab2a3882c013440_NeikiAnalytics.exe C:\Windows\SysWOW64\Okoafmkm.exe
PID 2948 wrote to memory of 2624 N/A C:\Windows\SysWOW64\Okoafmkm.exe C:\Windows\SysWOW64\Odjbdb32.exe
PID 2948 wrote to memory of 2624 N/A C:\Windows\SysWOW64\Okoafmkm.exe C:\Windows\SysWOW64\Odjbdb32.exe
PID 2948 wrote to memory of 2624 N/A C:\Windows\SysWOW64\Okoafmkm.exe C:\Windows\SysWOW64\Odjbdb32.exe
PID 2948 wrote to memory of 2624 N/A C:\Windows\SysWOW64\Okoafmkm.exe C:\Windows\SysWOW64\Odjbdb32.exe
PID 2624 wrote to memory of 2604 N/A C:\Windows\SysWOW64\Odjbdb32.exe C:\Windows\SysWOW64\Ohhkjp32.exe
PID 2624 wrote to memory of 2604 N/A C:\Windows\SysWOW64\Odjbdb32.exe C:\Windows\SysWOW64\Ohhkjp32.exe
PID 2624 wrote to memory of 2604 N/A C:\Windows\SysWOW64\Odjbdb32.exe C:\Windows\SysWOW64\Ohhkjp32.exe
PID 2624 wrote to memory of 2604 N/A C:\Windows\SysWOW64\Odjbdb32.exe C:\Windows\SysWOW64\Ohhkjp32.exe
PID 2604 wrote to memory of 2612 N/A C:\Windows\SysWOW64\Ohhkjp32.exe C:\Windows\SysWOW64\Pkidlk32.exe
PID 2604 wrote to memory of 2612 N/A C:\Windows\SysWOW64\Ohhkjp32.exe C:\Windows\SysWOW64\Pkidlk32.exe
PID 2604 wrote to memory of 2612 N/A C:\Windows\SysWOW64\Ohhkjp32.exe C:\Windows\SysWOW64\Pkidlk32.exe
PID 2604 wrote to memory of 2612 N/A C:\Windows\SysWOW64\Ohhkjp32.exe C:\Windows\SysWOW64\Pkidlk32.exe
PID 2612 wrote to memory of 2224 N/A C:\Windows\SysWOW64\Pkidlk32.exe C:\Windows\SysWOW64\Pnimnfpc.exe
PID 2612 wrote to memory of 2224 N/A C:\Windows\SysWOW64\Pkidlk32.exe C:\Windows\SysWOW64\Pnimnfpc.exe
PID 2612 wrote to memory of 2224 N/A C:\Windows\SysWOW64\Pkidlk32.exe C:\Windows\SysWOW64\Pnimnfpc.exe
PID 2612 wrote to memory of 2224 N/A C:\Windows\SysWOW64\Pkidlk32.exe C:\Windows\SysWOW64\Pnimnfpc.exe
PID 2224 wrote to memory of 2572 N/A C:\Windows\SysWOW64\Pnimnfpc.exe C:\Windows\SysWOW64\Pgbafl32.exe
PID 2224 wrote to memory of 2572 N/A C:\Windows\SysWOW64\Pnimnfpc.exe C:\Windows\SysWOW64\Pgbafl32.exe
PID 2224 wrote to memory of 2572 N/A C:\Windows\SysWOW64\Pnimnfpc.exe C:\Windows\SysWOW64\Pgbafl32.exe
PID 2224 wrote to memory of 2572 N/A C:\Windows\SysWOW64\Pnimnfpc.exe C:\Windows\SysWOW64\Pgbafl32.exe
PID 2572 wrote to memory of 2472 N/A C:\Windows\SysWOW64\Pgbafl32.exe C:\Windows\SysWOW64\Pqjfoa32.exe
PID 2572 wrote to memory of 2472 N/A C:\Windows\SysWOW64\Pgbafl32.exe C:\Windows\SysWOW64\Pqjfoa32.exe
PID 2572 wrote to memory of 2472 N/A C:\Windows\SysWOW64\Pgbafl32.exe C:\Windows\SysWOW64\Pqjfoa32.exe
PID 2572 wrote to memory of 2472 N/A C:\Windows\SysWOW64\Pgbafl32.exe C:\Windows\SysWOW64\Pqjfoa32.exe
PID 2472 wrote to memory of 2184 N/A C:\Windows\SysWOW64\Pqjfoa32.exe C:\Windows\SysWOW64\Poocpnbm.exe
PID 2472 wrote to memory of 2184 N/A C:\Windows\SysWOW64\Pqjfoa32.exe C:\Windows\SysWOW64\Poocpnbm.exe
PID 2472 wrote to memory of 2184 N/A C:\Windows\SysWOW64\Pqjfoa32.exe C:\Windows\SysWOW64\Poocpnbm.exe
PID 2472 wrote to memory of 2184 N/A C:\Windows\SysWOW64\Pqjfoa32.exe C:\Windows\SysWOW64\Poocpnbm.exe
PID 2184 wrote to memory of 840 N/A C:\Windows\SysWOW64\Poocpnbm.exe C:\Windows\SysWOW64\Poapfn32.exe
PID 2184 wrote to memory of 840 N/A C:\Windows\SysWOW64\Poocpnbm.exe C:\Windows\SysWOW64\Poapfn32.exe
PID 2184 wrote to memory of 840 N/A C:\Windows\SysWOW64\Poocpnbm.exe C:\Windows\SysWOW64\Poapfn32.exe
PID 2184 wrote to memory of 840 N/A C:\Windows\SysWOW64\Poocpnbm.exe C:\Windows\SysWOW64\Poapfn32.exe
PID 840 wrote to memory of 1648 N/A C:\Windows\SysWOW64\Poapfn32.exe C:\Windows\SysWOW64\Qeohnd32.exe
PID 840 wrote to memory of 1648 N/A C:\Windows\SysWOW64\Poapfn32.exe C:\Windows\SysWOW64\Qeohnd32.exe
PID 840 wrote to memory of 1648 N/A C:\Windows\SysWOW64\Poapfn32.exe C:\Windows\SysWOW64\Qeohnd32.exe
PID 840 wrote to memory of 1648 N/A C:\Windows\SysWOW64\Poapfn32.exe C:\Windows\SysWOW64\Qeohnd32.exe
PID 1648 wrote to memory of 1188 N/A C:\Windows\SysWOW64\Qeohnd32.exe C:\Windows\SysWOW64\Qeaedd32.exe
PID 1648 wrote to memory of 1188 N/A C:\Windows\SysWOW64\Qeohnd32.exe C:\Windows\SysWOW64\Qeaedd32.exe
PID 1648 wrote to memory of 1188 N/A C:\Windows\SysWOW64\Qeohnd32.exe C:\Windows\SysWOW64\Qeaedd32.exe
PID 1648 wrote to memory of 1188 N/A C:\Windows\SysWOW64\Qeohnd32.exe C:\Windows\SysWOW64\Qeaedd32.exe
PID 1188 wrote to memory of 568 N/A C:\Windows\SysWOW64\Qeaedd32.exe C:\Windows\SysWOW64\Aniimjbo.exe
PID 1188 wrote to memory of 568 N/A C:\Windows\SysWOW64\Qeaedd32.exe C:\Windows\SysWOW64\Aniimjbo.exe
PID 1188 wrote to memory of 568 N/A C:\Windows\SysWOW64\Qeaedd32.exe C:\Windows\SysWOW64\Aniimjbo.exe
PID 1188 wrote to memory of 568 N/A C:\Windows\SysWOW64\Qeaedd32.exe C:\Windows\SysWOW64\Aniimjbo.exe
PID 568 wrote to memory of 1816 N/A C:\Windows\SysWOW64\Aniimjbo.exe C:\Windows\SysWOW64\Acfaeq32.exe
PID 568 wrote to memory of 1816 N/A C:\Windows\SysWOW64\Aniimjbo.exe C:\Windows\SysWOW64\Acfaeq32.exe
PID 568 wrote to memory of 1816 N/A C:\Windows\SysWOW64\Aniimjbo.exe C:\Windows\SysWOW64\Acfaeq32.exe
PID 568 wrote to memory of 1816 N/A C:\Windows\SysWOW64\Aniimjbo.exe C:\Windows\SysWOW64\Acfaeq32.exe
PID 1816 wrote to memory of 1732 N/A C:\Windows\SysWOW64\Acfaeq32.exe C:\Windows\SysWOW64\Aeenochi.exe
PID 1816 wrote to memory of 1732 N/A C:\Windows\SysWOW64\Acfaeq32.exe C:\Windows\SysWOW64\Aeenochi.exe
PID 1816 wrote to memory of 1732 N/A C:\Windows\SysWOW64\Acfaeq32.exe C:\Windows\SysWOW64\Aeenochi.exe
PID 1816 wrote to memory of 1732 N/A C:\Windows\SysWOW64\Acfaeq32.exe C:\Windows\SysWOW64\Aeenochi.exe
PID 1732 wrote to memory of 1988 N/A C:\Windows\SysWOW64\Aeenochi.exe C:\Windows\SysWOW64\Afgkfl32.exe
PID 1732 wrote to memory of 1988 N/A C:\Windows\SysWOW64\Aeenochi.exe C:\Windows\SysWOW64\Afgkfl32.exe
PID 1732 wrote to memory of 1988 N/A C:\Windows\SysWOW64\Aeenochi.exe C:\Windows\SysWOW64\Afgkfl32.exe
PID 1732 wrote to memory of 1988 N/A C:\Windows\SysWOW64\Aeenochi.exe C:\Windows\SysWOW64\Afgkfl32.exe
PID 1988 wrote to memory of 3016 N/A C:\Windows\SysWOW64\Afgkfl32.exe C:\Windows\SysWOW64\Apalea32.exe
PID 1988 wrote to memory of 3016 N/A C:\Windows\SysWOW64\Afgkfl32.exe C:\Windows\SysWOW64\Apalea32.exe
PID 1988 wrote to memory of 3016 N/A C:\Windows\SysWOW64\Afgkfl32.exe C:\Windows\SysWOW64\Apalea32.exe
PID 1988 wrote to memory of 3016 N/A C:\Windows\SysWOW64\Afgkfl32.exe C:\Windows\SysWOW64\Apalea32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7d4e811a1aea2dc42ab2a3882c013440_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\7d4e811a1aea2dc42ab2a3882c013440_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Okoafmkm.exe

C:\Windows\system32\Okoafmkm.exe

C:\Windows\SysWOW64\Odjbdb32.exe

C:\Windows\system32\Odjbdb32.exe

C:\Windows\SysWOW64\Ohhkjp32.exe

C:\Windows\system32\Ohhkjp32.exe

C:\Windows\SysWOW64\Pkidlk32.exe

C:\Windows\system32\Pkidlk32.exe

C:\Windows\SysWOW64\Pnimnfpc.exe

C:\Windows\system32\Pnimnfpc.exe

C:\Windows\SysWOW64\Pgbafl32.exe

C:\Windows\system32\Pgbafl32.exe

C:\Windows\SysWOW64\Pqjfoa32.exe

C:\Windows\system32\Pqjfoa32.exe

C:\Windows\SysWOW64\Poocpnbm.exe

C:\Windows\system32\Poocpnbm.exe

C:\Windows\SysWOW64\Poapfn32.exe

C:\Windows\system32\Poapfn32.exe

C:\Windows\SysWOW64\Qeohnd32.exe

C:\Windows\system32\Qeohnd32.exe

C:\Windows\SysWOW64\Qeaedd32.exe

C:\Windows\system32\Qeaedd32.exe

C:\Windows\SysWOW64\Aniimjbo.exe

C:\Windows\system32\Aniimjbo.exe

C:\Windows\SysWOW64\Acfaeq32.exe

C:\Windows\system32\Acfaeq32.exe

C:\Windows\SysWOW64\Aeenochi.exe

C:\Windows\system32\Aeenochi.exe

C:\Windows\SysWOW64\Afgkfl32.exe

C:\Windows\system32\Afgkfl32.exe

C:\Windows\SysWOW64\Apalea32.exe

C:\Windows\system32\Apalea32.exe

C:\Windows\SysWOW64\Amelne32.exe

C:\Windows\system32\Amelne32.exe

C:\Windows\SysWOW64\Acpdko32.exe

C:\Windows\system32\Acpdko32.exe

C:\Windows\SysWOW64\Afnagk32.exe

C:\Windows\system32\Afnagk32.exe

C:\Windows\SysWOW64\Bnielm32.exe

C:\Windows\system32\Bnielm32.exe

C:\Windows\SysWOW64\Biojif32.exe

C:\Windows\system32\Biojif32.exe

C:\Windows\SysWOW64\Bjbcfn32.exe

C:\Windows\system32\Bjbcfn32.exe

C:\Windows\SysWOW64\Bhfcpb32.exe

C:\Windows\system32\Bhfcpb32.exe

C:\Windows\SysWOW64\Bmclhi32.exe

C:\Windows\system32\Bmclhi32.exe

C:\Windows\SysWOW64\Bkglameg.exe

C:\Windows\system32\Bkglameg.exe

C:\Windows\SysWOW64\Baadng32.exe

C:\Windows\system32\Baadng32.exe

C:\Windows\SysWOW64\Cfnmfn32.exe

C:\Windows\system32\Cfnmfn32.exe

C:\Windows\SysWOW64\Cacacg32.exe

C:\Windows\system32\Cacacg32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 140

Network

N/A

Files

memory/2996-0-0x0000000000400000-0x0000000000443000-memory.dmp

\Windows\SysWOW64\Okoafmkm.exe

MD5 291e292617abad23289f77d5e422663b
SHA1 8199cf98c7f7b0308bdde5d63d34089d315f9153
SHA256 6725ea58f5f0cfcb4bf900094f861747099dd23a71877f61edd45a7441d0d7fe
SHA512 316d1f1a3843b8e8649bc06dc25362a781ee5f83be8ea822576f45c502ac67029d955e16bacc9c5b51b49c72e82d82ecfe07a0825fd821f29a3d3a1b107ba5bc

memory/2996-6-0x0000000000220000-0x0000000000263000-memory.dmp

\Windows\SysWOW64\Odjbdb32.exe

MD5 c6037ac00e47ab3203ead8999558de70
SHA1 94535021d5c6b32fe8b44412c9ed2aad6fd08763
SHA256 6e5d1dd9273ec1306a538d4471604e300b97e6bce07ad7991012f0e996b1a018
SHA512 504743309040ba55df47100ea54e8ba617f97b8d2c6cf84c9c0d7b33cfcb4745287128f9acee956931aa1d29da2d36bb461451a252c1b0e88f9ddf57c1e7d6bd

memory/2948-20-0x0000000000220000-0x0000000000263000-memory.dmp

\Windows\SysWOW64\Ohhkjp32.exe

MD5 447c3cf1679b888fc4d6313496477dfe
SHA1 230b704ead52b0220de14df77f477fec0abfe466
SHA256 99b5d356287e86caa28395138ed1acdfaebb8fc63360d5f3f53125f7f70a06ec
SHA512 71ca25e2fe059bc8d8df7bf72a5c3ffb2457a9d30c3e7c7f23ec87fb63729384cfbc7c97068e2aa4b5529fd6b897653da4f195f1b22afa9ef723b2711a298d90

memory/2624-33-0x0000000000220000-0x0000000000263000-memory.dmp

\Windows\SysWOW64\Pkidlk32.exe

MD5 495ba8dcf2cf3867418dbf04aa49e25c
SHA1 4b065d2dc21d09743e5348186c40bc4c3f7f058a
SHA256 73d833ab4835600fe705ff6c7d77e50b8d577722c7e92b634af7f004acbc0ae5
SHA512 f31bb1de6e2b92ba95edcba2da2b328838780ba33f06d89b22e2eaa136f5a90d0bf3f61e69291a7bc306d1837a615e5c5f346afb828575fba99a1ebfa594a86f

memory/2604-47-0x0000000000250000-0x0000000000293000-memory.dmp

memory/2604-45-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2604-52-0x0000000000250000-0x0000000000293000-memory.dmp

\Windows\SysWOW64\Pnimnfpc.exe

MD5 ad22b3a015b02b3a51a781c3b8aeaa11
SHA1 b27ec9199a253add8cff7b0c6b10bfe76b600171
SHA256 cc3356dbe417fd850bd6f81961c388099f572b7fb74f1d21bdd809fc5a47732a
SHA512 6b6d7991b33045969ccc09c07c3c5af1684dc030202a7900649bf3e076e4827e0a7569c183aa18db195f6347b2d695e890a1913d2495407db8093e478dcd8826

memory/2612-61-0x0000000000330000-0x0000000000373000-memory.dmp

memory/2224-67-0x0000000000400000-0x0000000000443000-memory.dmp

\Windows\SysWOW64\Pgbafl32.exe

MD5 8a282571db771e7cfae7c3105adefdcc
SHA1 8341347a0fa7fc1c1e1c97e3e2e5a02e95bffb10
SHA256 43f477357098d42fe89a1bc75ad4f03009dd46e956aaff8309b09898bac02bdd
SHA512 d74018d035cdec28e85ed295d18efe8da5bbe08c96cfc512b232d36321ce7827541b3230757fdfabd1ab40d36fac820aff888a8ccefef52ba7f01663f99e5726

memory/2572-80-0x0000000000400000-0x0000000000443000-memory.dmp

\Windows\SysWOW64\Pqjfoa32.exe

MD5 7fee9ca77877843399ae7af00459a6d2
SHA1 669af7fd07caa7bf2907c8d594e2ede3cac54b7b
SHA256 0cb60e121628cb45078ced3c8657f9ec1bd727470b10beb4a9c437989b9a0ee4
SHA512 58b6b5e6bfddb3ea11d07f746c8ce0a4083e22d04c4d4577d724ab2f305b7b77ef0f86ee3bf861fee3c841b68949296c55b60558dbe328f5cb7ddb47c4491873

memory/2572-88-0x0000000000220000-0x0000000000263000-memory.dmp

\Windows\SysWOW64\Poocpnbm.exe

MD5 49f1c833b1a46b30c7ec022f56e1e97f
SHA1 ad4f8b898d8939de46661e2d846cd70f2c550c2b
SHA256 5f3aa34f34a84e13a108e9a6a1e6dbc62ad46a7577f5d923b3b977814fcfcf5a
SHA512 9fe9c94d23ad38676ed19b33244ff55936f2b20ed6c747436b436a522d029227fa325f70ae03623b2aef190a207ebc8108027f29a52d0787e71d3cbe43b537ec

memory/2472-106-0x00000000003A0000-0x00000000003E3000-memory.dmp

\Windows\SysWOW64\Poapfn32.exe

MD5 2bd054af100e447a2a82844029e18b9b
SHA1 71290f715c2ecdb27a0b98437fc4cec8f6ef40fb
SHA256 4c67c74e1b07cd91b379e80ceecc9a7c841cb79c646869931cac280af8a209d3
SHA512 a181f097978f37c5b23d446b1eb07a4a0267c06b7bc923fd10f13c7155da734f6556853d810f4e8ac1753c58d64b68e4d3adef4ff716d9bab57d0f2b7b684e86

C:\Windows\SysWOW64\Qeohnd32.exe

MD5 cd95b3c04248328bfc1218bc27ebeb14
SHA1 358dfe1f71c0adb38b15685eb73108f8f049ff72
SHA256 209291b408262ecf556b7f36169d23bf91dd22a048abdf02e3709282a2c4d45c
SHA512 21c9aae386459e08e6113c5e8df71ec60430464c7a2b9267cb4f66eba02431ef914900146f55646e33323ab599e8fa94b51a6a1aaf0e7aabe25daa574f9e8872

memory/840-131-0x00000000002F0000-0x0000000000333000-memory.dmp

memory/840-125-0x0000000000400000-0x0000000000443000-memory.dmp

\Windows\SysWOW64\Qeaedd32.exe

MD5 2a14aa94c341e481288287a6c1ae7f4b
SHA1 52b5c19e153968ff01cdacea648c742c872c842d
SHA256 c9e743edd5aea21f3c67709dbf5b3407515eb7bb82443f49074e960707caaf58
SHA512 b06fdae67738a8e8ddbf89ae15dbaa7eb86fce39a370de168e1bfa92b22f65ff8579246d08e5d02d7763791fb982a19c40e7739058dd56a54a6b2f3e1fa691d2

\Windows\SysWOW64\Aniimjbo.exe

MD5 8ee74cd8fb22297ae06c4b5f95deaa74
SHA1 648b8529a83bdae401380e051cd56c5c8b1e85dc
SHA256 6db5ba59d88f094b1be6bca29d3a5bb14be83a075c786aadfdc32315ca8287f8
SHA512 f82b1b6157e4f35c967f278644460683d79721090f117dc7a75695724d7adbdac984fee3f0c2d1c817597fad0226858dc7cdcab70a635b84723c91037f737683

\Windows\SysWOW64\Acfaeq32.exe

MD5 4d69b6320f6c0f3047ba6e276dd1ccc1
SHA1 9f261acb8aebf4ce14b29a9b665cc3331a2c21cf
SHA256 4e5622664e4ba093e69ef049e9096dc86724ec18affb1f618f2dfab4d6dfa299
SHA512 c218a54c7cee17dc42bc93f8b75e534f7278737fa751967f88cca682d62fe5eedbd5e46109cbbf285c659d7ed103e196969b1695272aa50a82a5bf7584a4e930

\Windows\SysWOW64\Aeenochi.exe

MD5 e209e59f9dc475ebc5b998a302205ed1
SHA1 b4192f00203206dd590f113c65979dfbd544c02e
SHA256 a3d276a4a5f0c5cd10c4f96c5424dc474c0b0d1f1bb7dd249e101342212f2e59
SHA512 45485506f28b2d4a1e3d3a2a31e3d4b5d84bfa43f8f46591e65d3cdcce01a608dc4a34f0efd2467d87d05da3524f944cc83001cb90eb559ae480912a96185a6b

memory/1732-187-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1816-180-0x00000000002D0000-0x0000000000313000-memory.dmp

C:\Windows\SysWOW64\Afgkfl32.exe

MD5 7a29503d9679cff55f88109984a10dcc
SHA1 16949b98b64037c4c6806a45c1b3a40a4f4af106
SHA256 4859a18c2d1a1df22dbb3d396e571a9daae7a7ab3a1ce03fcf61d6e58120bcee
SHA512 90e0d6018ad1ff682f62ace5759634422fb1fdd004dec590b208b04c74f573d56e11d6fe619b1621d19832f87f42870c9a08ae5320694630aebb166bbc5a64e8

\Windows\SysWOW64\Apalea32.exe

MD5 3da4f9c6e352fd4a236ec35c6dceb2b0
SHA1 72ebff2466ac698eee83548c632493923e227b14
SHA256 3694aae1874343287142a9bb5b2deb86142638bc53de12a7069b029acd7165be
SHA512 d43247a509c099b7b381ed531341ea61befeeac872203fe5aad840606c7b830c3935e0b5a7662e45d0fe7b53917e3e4981e2b7e70ad49d050992065c7ec282d0

memory/1988-204-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1620-222-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Acpdko32.exe

MD5 40210b6cddb4597d6bbf5490992d26e9
SHA1 8e44d826afba7cf424d72f099d04658553cf988f
SHA256 247a354e1e30ed19ecb5a22c611b369c0654f53a558492d83ea2960fd534ece8
SHA512 dc8f3b3acad72f575f3f50366e69561afaba7f8d575b976f581ad33860a68b5f3d9b9fefa29a0877f86d5f74903c75f2d6ab16ca45cc7b7b24c4ddbf620450fb

memory/1620-232-0x00000000005E0000-0x0000000000623000-memory.dmp

C:\Windows\SysWOW64\Bnielm32.exe

MD5 e8e48236cde5f71b5862c9eca944d213
SHA1 694108b971d0c02ff7b61c724d6eea84c2b1261f
SHA256 7eac4f612670f9aa14e305a553e8db7655393114e03de2fcc4e92bb5d17b59d7
SHA512 a2d4de74ff8e43fa6e7813dd393a5498dcc5e30b88a585a6e6f9c838f5c724c53dcbf694c2337a43cbcf88b355c032cb71a9295829873235992daa79574cb4a0

memory/1664-255-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2120-254-0x0000000000220000-0x0000000000263000-memory.dmp

memory/2460-265-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2460-275-0x00000000002A0000-0x00000000002E3000-memory.dmp

memory/896-285-0x00000000002A0000-0x00000000002E3000-memory.dmp

C:\Windows\SysWOW64\Bhfcpb32.exe

MD5 aa5e2c015a312d17271cf8248a5eb8e5
SHA1 717fb04e18a9bbe9ead052e965a164d39b2aa42d
SHA256 ed22ede437dd87a7d45fd7a10dd31707fdc0da7c25c3cb881d39643e79a96fa2
SHA512 4c9587891eada59383ae2b6aff2310bfc1261541d97d86baff2424207f4d0f136f3dfaa01b27243522ca5e5e813e92cbd9aad4090e787a50128df00a3f352a2d

memory/896-286-0x00000000002A0000-0x00000000002E3000-memory.dmp

C:\Windows\SysWOW64\Bmclhi32.exe

MD5 ade7d5fea5d6aa425bdac3e547a08a9c
SHA1 a2e542cc105ee5306d7993e64309043c592d43a6
SHA256 0e1a5ba8a538be2ff38969522faa6703ff973df55da73ca9b372dfed42561fc0
SHA512 6dc843315e0fac3050298d5554b829909970841721182a6667e6163cc759b95b66f2b9162b22fad7e9a786569b8a3fccadbf1748e05274328947e505df261c0d

memory/1544-309-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2944-325-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2944-329-0x0000000000220000-0x0000000000263000-memory.dmp

memory/2052-335-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2052-337-0x0000000000220000-0x0000000000263000-memory.dmp

C:\Windows\SysWOW64\Cacacg32.exe

MD5 80f47e13b19b153456833d3322ea5f5c
SHA1 9b54ca85689ebd57dc8f8b179e085a696280347d
SHA256 e1d73d44e14e7206eccb62fe5ad3c84e01412e9b2d1833b7c857990012442af0
SHA512 34b2ba247dd299bedf02d999792204ff28ac292d8d253670f1130899c32bc27a532e0d07efba4111498928e13026cc91c7982e08b7b4e5a92f65c526294a2187

memory/2676-342-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2052-341-0x0000000000220000-0x0000000000263000-memory.dmp

memory/2944-330-0x0000000000220000-0x0000000000263000-memory.dmp

C:\Windows\SysWOW64\Cfnmfn32.exe

MD5 e94696ef63005004ae85338bf0906f99
SHA1 c23296f338ab5573f8ea8b3253f2c1bc3b37e297
SHA256 64ba51cadc9ab727bacdc8f5fe20ec9ff99a495b1cf5b0b316fd23161287b5c4
SHA512 52fe1111346dba9b2e926d0c04781864eaf2debb88baa257f3bef3f988ea5bac07ab221e6fb7ed689b6f07c6bc9a15c2d8426d1d20e9c02398368f42e80a667b

memory/1544-324-0x00000000003A0000-0x00000000003E3000-memory.dmp

memory/1544-322-0x00000000003A0000-0x00000000003E3000-memory.dmp

C:\Windows\SysWOW64\Baadng32.exe

MD5 19f8a785a492b05c91615ebce282a047
SHA1 e33caf9f169268968e227afc4140e76972ae6942
SHA256 d306fb49b45fcaa966bca3d3f4125e2ee517e846399c56290293bf412200ce83
SHA512 2cb38b04cd41c524b3e9bde5750e85cfeb38da3effd2f000a757906d52578197b392501157e5e041b3aa46072222b6c62567a6f369c4d6897a63768a2a0abee2

memory/2092-308-0x0000000000220000-0x0000000000263000-memory.dmp

memory/2092-307-0x0000000000220000-0x0000000000263000-memory.dmp

C:\Windows\SysWOW64\Bkglameg.exe

MD5 ad3fe4b398e9da9dcd76c37237bc05cf
SHA1 959594ec8aec26125213aa7f3fb42f49fef1f766
SHA256 efe2c32b0a6830307e7f8d7003a5813687a44d14cf6e33e67f53953c1f00bbfa
SHA512 24fc7577e579b773482a149f077387f174da6057a42a70199e5917683c9d5d3f760227d456bc65a89fb45c3e952b3c4c2263e4b06ae0e3c49e298e43bea77f66

memory/2092-298-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2032-297-0x0000000000220000-0x0000000000263000-memory.dmp

memory/2032-296-0x0000000000220000-0x0000000000263000-memory.dmp

memory/2032-291-0x0000000000400000-0x0000000000443000-memory.dmp

memory/896-276-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2460-274-0x00000000002A0000-0x00000000002E3000-memory.dmp

C:\Windows\SysWOW64\Bjbcfn32.exe

MD5 1365454a2c5178d916d962cde6c1d066
SHA1 ce7d84272e1022b997b69a23f2148bdc167e56de
SHA256 e2813a74879c74f7890438ce3befea9ba3b922f862f348b10fff43a5195fd517
SHA512 710d0fd8c255ca8a3d7b694b7b4791f701a209d128cfc32090773b251558665370cbc939fbfe2ce62a3cb833be67b5a2a8a08e70e61d3b9624e3f7020daae72c

memory/1664-264-0x0000000000220000-0x0000000000263000-memory.dmp

C:\Windows\SysWOW64\Biojif32.exe

MD5 c34ca6d132f408d92583d14072e8401c
SHA1 03ea3e97b3286c8514d61a8676b32265a8a407bf
SHA256 19740436444f779e3d01edfddb61241ff78686d0294c590d44f54d022ed03390
SHA512 3aa7664d8e1bb95c9fccaf250831e1ca780aeb836dfe934ac5fc448fa22becc025df58c3818b2a26ee05ed92b71257dd650b4c7702f1175adc4480ffbb88f3e4

memory/2120-253-0x0000000000220000-0x0000000000263000-memory.dmp

memory/2120-248-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2388-243-0x00000000002A0000-0x00000000002E3000-memory.dmp

memory/2388-240-0x00000000002A0000-0x00000000002E3000-memory.dmp

C:\Windows\SysWOW64\Afnagk32.exe

MD5 f83b255acfa6c91a1d85aab1a5260254
SHA1 5a377449e7251211bb50b99d336d3883cdeb9792
SHA256 ce2c7a59b899e7ff029a6fb5930bfbf58fd146d8efce00f4a96ba49fef496cd4
SHA512 e00dcf9f29b0f3290e2c1824b18b297c28a9a6c4d8447f18308a26e156467a2769d37212205ade69eef9a3e8923b9e306f0e57ec71e97a9642e89be033fadbf6

memory/2388-236-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1620-231-0x00000000005E0000-0x0000000000623000-memory.dmp

C:\Windows\SysWOW64\Amelne32.exe

MD5 611cbde340705f2689fa4bf269a04d92
SHA1 b58eeff7d13277ffba2e570471bb223ab1943f54
SHA256 554afda285f0eba354f5210d17389544196ef7f28bb1e216d5007dd466e2b443
SHA512 424ee99cdf0fb2be7878f90fde82b20c9287d6048b76134c8fc2a24776d903dd82d8447a761e0b15ca4eb244ec951b341f7c44becac5a25c0c84b283d6e647f1

memory/3016-212-0x0000000000400000-0x0000000000443000-memory.dmp

memory/568-171-0x0000000000220000-0x0000000000263000-memory.dmp

memory/568-159-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1188-151-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1648-140-0x0000000000220000-0x0000000000263000-memory.dmp

memory/2996-343-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2948-344-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2624-345-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2612-346-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2224-347-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2572-348-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2472-349-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2184-350-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1648-351-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1188-352-0x0000000000400000-0x0000000000443000-memory.dmp

memory/568-353-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1816-354-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1732-355-0x0000000000400000-0x0000000000443000-memory.dmp

memory/3016-356-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1620-357-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2388-358-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1664-359-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2460-360-0x0000000000400000-0x0000000000443000-memory.dmp

memory/896-361-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2032-362-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2092-363-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1544-364-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2052-365-0x0000000000400000-0x0000000000443000-memory.dmp