Malware Analysis Report

2025-08-11 01:59

Sample ID 240509-dysnbafh7w
Target de6691e2dda3e61636b7fca20acc9640_NEIKI
SHA256 43776b80c311fdcc1d0c7e330554de6a94b61f31fac184a8bada88cafb084a39
Tags
backdoor trojan dropper berbew persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

43776b80c311fdcc1d0c7e330554de6a94b61f31fac184a8bada88cafb084a39

Threat Level: Known bad

The file de6691e2dda3e61636b7fca20acc9640_NEIKI was found to be: Known bad.

Malicious Activity Summary

backdoor trojan dropper berbew persistence

Malware Dropper & Backdoor - Berbew

Adds autorun key to be loaded by Explorer.exe on startup

Berbew family

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Program crash

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 03:25

Signatures

Berbew family

berbew

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 03:25

Reported

2024-05-09 03:28

Platform

win7-20240221-en

Max time kernel

117s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\de6691e2dda3e61636b7fca20acc9640_NEIKI.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mgbaml32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gaojnq32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iebldo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lkgngb32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nibqqh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Neiaeiii.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kbpbmkan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jgdfdbhk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mihdgkpp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mdadjd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Acekjjmk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Djgkii32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kjhcag32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mdghaf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bjkhdacm.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hadcipbi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Acekjjmk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bdcifi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ilofhffj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mfgnnhkc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nqmnjd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ncnngfna.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pleofj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Imgnjb32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Olpbaa32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Giolnomh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gcgqgd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gkgoff32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Koflgf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nhgkil32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lkgngb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pbgjgomc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bjebdfnn.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lkjjma32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mbbfep32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qndkpmkm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Alihaioe.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oemegc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Oemegc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Offmipej.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ahpifj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Badnhbce.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jgdfdbhk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jbnjhh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mkipao32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Oaogognm.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Inmmbc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Badnhbce.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ifpcchai.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jmipdo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ijphofem.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hadcipbi.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pkaehb32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ajpepm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Giolnomh.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mmdjkhdh.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jibnop32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nedhjj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oaogognm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jpmmfp32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qiflohqk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Djgkii32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mimgeigj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nibqqh32.exe N/A

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Mpbdnk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhgkil32.exe N/A
N/A N/A C:\Windows\SysWOW64\Opifnm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oemegc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Acekjjmk.exe N/A
N/A N/A C:\Windows\SysWOW64\Badnhbce.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckahkk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gaqomeke.exe N/A
N/A N/A C:\Windows\SysWOW64\Ilofhffj.exe N/A
N/A N/A C:\Windows\SysWOW64\Jgdfdbhk.exe N/A
N/A N/A C:\Windows\SysWOW64\Jdhgnf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lhelbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mihdgkpp.exe N/A
N/A N/A C:\Windows\SysWOW64\Mbbfep32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bgblmk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjebdfnn.exe N/A
N/A N/A C:\Windows\SysWOW64\Cmmagpef.exe N/A
N/A N/A C:\Windows\SysWOW64\Cpmjhk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Djgkii32.exe N/A
N/A N/A C:\Windows\SysWOW64\Imahkg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jaoqqflp.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkjnnn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kgqocoin.exe N/A
N/A N/A C:\Windows\SysWOW64\Kjahej32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgehno32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lkgngb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lkjjma32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lddlkg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdghaf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mmdjkhdh.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjhjdm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mimgeigj.exe N/A
N/A N/A C:\Windows\SysWOW64\Nedhjj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nibqqh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Neiaeiii.exe N/A
N/A N/A C:\Windows\SysWOW64\Ncnngfna.exe N/A
N/A N/A C:\Windows\SysWOW64\Oaghki32.exe N/A
N/A N/A C:\Windows\SysWOW64\Offmipej.exe N/A
N/A N/A C:\Windows\SysWOW64\Opnbbe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Phqmgg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkaehb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pleofj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qndkpmkm.exe N/A
N/A N/A C:\Windows\SysWOW64\Alihaioe.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahpifj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajpepm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Agjobffl.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjkhdacm.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdcifi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bbmcibjp.exe N/A
N/A N/A C:\Windows\SysWOW64\Cenljmgq.exe N/A
N/A N/A C:\Windows\SysWOW64\Caifjn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Imgnjb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ifpcchai.exe N/A
N/A N/A C:\Windows\SysWOW64\Ijphofem.exe N/A
N/A N/A C:\Windows\SysWOW64\Jbnjhh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jlkglm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jpmmfp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdkelolf.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbpbmkan.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbbobkol.exe N/A
N/A N/A C:\Windows\SysWOW64\Kaglcgdc.exe N/A
N/A N/A C:\Windows\SysWOW64\Keeeje32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ldokfakl.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\de6691e2dda3e61636b7fca20acc9640_NEIKI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\de6691e2dda3e61636b7fca20acc9640_NEIKI.exe N/A
N/A N/A C:\Windows\SysWOW64\Mpbdnk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mpbdnk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhgkil32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhgkil32.exe N/A
N/A N/A C:\Windows\SysWOW64\Opifnm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Opifnm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oemegc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oemegc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Acekjjmk.exe N/A
N/A N/A C:\Windows\SysWOW64\Acekjjmk.exe N/A
N/A N/A C:\Windows\SysWOW64\Badnhbce.exe N/A
N/A N/A C:\Windows\SysWOW64\Badnhbce.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckahkk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckahkk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gaqomeke.exe N/A
N/A N/A C:\Windows\SysWOW64\Gaqomeke.exe N/A
N/A N/A C:\Windows\SysWOW64\Ilofhffj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ilofhffj.exe N/A
N/A N/A C:\Windows\SysWOW64\Jgdfdbhk.exe N/A
N/A N/A C:\Windows\SysWOW64\Jgdfdbhk.exe N/A
N/A N/A C:\Windows\SysWOW64\Jdhgnf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jdhgnf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lhelbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lhelbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mihdgkpp.exe N/A
N/A N/A C:\Windows\SysWOW64\Mihdgkpp.exe N/A
N/A N/A C:\Windows\SysWOW64\Mbbfep32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mbbfep32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bgblmk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bgblmk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjebdfnn.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjebdfnn.exe N/A
N/A N/A C:\Windows\SysWOW64\Cmmagpef.exe N/A
N/A N/A C:\Windows\SysWOW64\Cmmagpef.exe N/A
N/A N/A C:\Windows\SysWOW64\Cpmjhk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cpmjhk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Djgkii32.exe N/A
N/A N/A C:\Windows\SysWOW64\Djgkii32.exe N/A
N/A N/A C:\Windows\SysWOW64\Imahkg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Imahkg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jaoqqflp.exe N/A
N/A N/A C:\Windows\SysWOW64\Jaoqqflp.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkjnnn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkjnnn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kgqocoin.exe N/A
N/A N/A C:\Windows\SysWOW64\Kgqocoin.exe N/A
N/A N/A C:\Windows\SysWOW64\Kjahej32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kjahej32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgehno32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgehno32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lkgngb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lkgngb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lkjjma32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lkjjma32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lddlkg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lddlkg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdghaf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdghaf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mmdjkhdh.exe N/A
N/A N/A C:\Windows\SysWOW64\Mmdjkhdh.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjhjdm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjhjdm32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Cmpppdfa.dll C:\Windows\SysWOW64\Kaglcgdc.exe N/A
File created C:\Windows\SysWOW64\Jnpojnle.dll C:\Windows\SysWOW64\Pmehdh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lgehno32.exe C:\Windows\SysWOW64\Kjahej32.exe N/A
File opened for modification C:\Windows\SysWOW64\Keeeje32.exe C:\Windows\SysWOW64\Kaglcgdc.exe N/A
File created C:\Windows\SysWOW64\Gkgoff32.exe C:\Windows\SysWOW64\Gaojnq32.exe N/A
File created C:\Windows\SysWOW64\Jamkdghb.dll C:\Windows\SysWOW64\Jpmmfp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gcgqgd32.exe C:\Windows\SysWOW64\Giolnomh.exe N/A
File created C:\Windows\SysWOW64\Cenljmgq.exe C:\Windows\SysWOW64\Bbmcibjp.exe N/A
File created C:\Windows\SysWOW64\Imgnjb32.exe C:\Windows\SysWOW64\Caifjn32.exe N/A
File created C:\Windows\SysWOW64\Oaogognm.exe C:\Windows\SysWOW64\Olpbaa32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gkgoff32.exe C:\Windows\SysWOW64\Gaojnq32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kkjnnn32.exe C:\Windows\SysWOW64\Jaoqqflp.exe N/A
File opened for modification C:\Windows\SysWOW64\Mimgeigj.exe C:\Windows\SysWOW64\Mjhjdm32.exe N/A
File created C:\Windows\SysWOW64\Nedhjj32.exe C:\Windows\SysWOW64\Mimgeigj.exe N/A
File created C:\Windows\SysWOW64\Nmlfpfpl.dll C:\Windows\SysWOW64\Alihaioe.exe N/A
File created C:\Windows\SysWOW64\Klkpdn32.dll C:\Windows\SysWOW64\Mfgnnhkc.exe N/A
File created C:\Windows\SysWOW64\Onipnblf.dll C:\Windows\SysWOW64\Mkipao32.exe N/A
File created C:\Windows\SysWOW64\Hhkopj32.exe C:\Windows\SysWOW64\Gkgoff32.exe N/A
File created C:\Windows\SysWOW64\Hjaeba32.exe C:\Windows\SysWOW64\Hadcipbi.exe N/A
File created C:\Windows\SysWOW64\Mihdgkpp.exe C:\Windows\SysWOW64\Lhelbh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cmmagpef.exe C:\Windows\SysWOW64\Bjebdfnn.exe N/A
File opened for modification C:\Windows\SysWOW64\Jbnjhh32.exe C:\Windows\SysWOW64\Ijphofem.exe N/A
File opened for modification C:\Windows\SysWOW64\Mkipao32.exe C:\Windows\SysWOW64\Mobomnoq.exe N/A
File created C:\Windows\SysWOW64\Mkkiehdc.dll C:\Windows\SysWOW64\Phklaacg.exe N/A
File created C:\Windows\SysWOW64\Bgblmk32.exe C:\Windows\SysWOW64\Mbbfep32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ijphofem.exe C:\Windows\SysWOW64\Ifpcchai.exe N/A
File created C:\Windows\SysWOW64\Dafqii32.dll C:\Windows\SysWOW64\Offmipej.exe N/A
File created C:\Windows\SysWOW64\Pmehdh32.exe C:\Windows\SysWOW64\Oaogognm.exe N/A
File opened for modification C:\Windows\SysWOW64\Mjhjdm32.exe C:\Windows\SysWOW64\Mmdjkhdh.exe N/A
File created C:\Windows\SysWOW64\Mfakaoam.dll C:\Windows\SysWOW64\Bdcifi32.exe N/A
File created C:\Windows\SysWOW64\Aodcbn32.dll C:\Windows\SysWOW64\Mdadjd32.exe N/A
File created C:\Windows\SysWOW64\Ndfnecgp.exe C:\Windows\SysWOW64\Ngbmlo32.exe N/A
File created C:\Windows\SysWOW64\Ifkmqd32.dll C:\Windows\SysWOW64\Jmipdo32.exe N/A
File created C:\Windows\SysWOW64\Ckbjaopk.dll C:\Windows\SysWOW64\Bgblmk32.exe N/A
File created C:\Windows\SysWOW64\Amjllk32.dll C:\Windows\SysWOW64\Bjebdfnn.exe N/A
File created C:\Windows\SysWOW64\Ljqglfel.dll C:\Windows\SysWOW64\Mbbfep32.exe N/A
File created C:\Windows\SysWOW64\Mjhjdm32.exe C:\Windows\SysWOW64\Mmdjkhdh.exe N/A
File created C:\Windows\SysWOW64\Nhgofhlp.dll C:\Windows\SysWOW64\Caifjn32.exe N/A
File created C:\Windows\SysWOW64\Phklaacg.exe C:\Windows\SysWOW64\Pmehdh32.exe N/A
File created C:\Windows\SysWOW64\Gaqomeke.exe C:\Windows\SysWOW64\Ckahkk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ilofhffj.exe C:\Windows\SysWOW64\Gaqomeke.exe N/A
File created C:\Windows\SysWOW64\Hdaehcom.dll C:\Windows\SysWOW64\Ahpifj32.exe N/A
File created C:\Windows\SysWOW64\Biggnm32.dll C:\Windows\SysWOW64\Oemegc32.exe N/A
File created C:\Windows\SysWOW64\Ilofhffj.exe C:\Windows\SysWOW64\Gaqomeke.exe N/A
File created C:\Windows\SysWOW64\Fdapnj32.dll C:\Windows\SysWOW64\Ndfnecgp.exe N/A
File created C:\Windows\SysWOW64\Iikkon32.exe C:\Windows\SysWOW64\Hjcaha32.exe N/A
File created C:\Windows\SysWOW64\Jbbobb32.dll C:\Windows\SysWOW64\Mimgeigj.exe N/A
File created C:\Windows\SysWOW64\Hjbklf32.dll C:\Windows\SysWOW64\Nedhjj32.exe N/A
File created C:\Windows\SysWOW64\Eamjfeja.dll C:\Windows\SysWOW64\Neiaeiii.exe N/A
File created C:\Windows\SysWOW64\Kbbobkol.exe C:\Windows\SysWOW64\Kbpbmkan.exe N/A
File created C:\Windows\SysWOW64\Bokblhqh.dll C:\Windows\SysWOW64\Kbpbmkan.exe N/A
File created C:\Windows\SysWOW64\Cmapaflf.dll C:\Windows\SysWOW64\Kbbobkol.exe N/A
File created C:\Windows\SysWOW64\Mbbfep32.exe C:\Windows\SysWOW64\Mihdgkpp.exe N/A
File created C:\Windows\SysWOW64\Klcdfdcb.dll C:\Windows\SysWOW64\Mdghaf32.exe N/A
File created C:\Windows\SysWOW64\Ecfgpaco.dll C:\Windows\SysWOW64\Hjcaha32.exe N/A
File created C:\Windows\SysWOW64\Qiflohqk.exe C:\Windows\SysWOW64\Pbgjgomc.exe N/A
File created C:\Windows\SysWOW64\Eioigi32.dll C:\Windows\SysWOW64\Gkgoff32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kbbobkol.exe C:\Windows\SysWOW64\Kbpbmkan.exe N/A
File created C:\Windows\SysWOW64\Henmilod.dll C:\Windows\SysWOW64\Oaogognm.exe N/A
File created C:\Windows\SysWOW64\Jibnop32.exe C:\Windows\SysWOW64\Jmipdo32.exe N/A
File created C:\Windows\SysWOW64\Badnhbce.exe C:\Windows\SysWOW64\Acekjjmk.exe N/A
File created C:\Windows\SysWOW64\Oaoplfhc.dll C:\Windows\SysWOW64\Bjkhdacm.exe N/A
File opened for modification C:\Windows\SysWOW64\Alihaioe.exe C:\Windows\SysWOW64\Qndkpmkm.exe N/A
File opened for modification C:\Windows\SysWOW64\Hjcaha32.exe C:\Windows\SysWOW64\Hjaeba32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdjjgb32.dll" C:\Windows\SysWOW64\Mobomnoq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcomknkd.dll" C:\Windows\SysWOW64\Acekjjmk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkcfcend.dll" C:\Windows\SysWOW64\Ckahkk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lhelbh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckbjaopk.dll" C:\Windows\SysWOW64\Bgblmk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaoplfhc.dll" C:\Windows\SysWOW64\Bjkhdacm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Oaghki32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jbnjhh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jlkglm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hadcipbi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\de6691e2dda3e61636b7fca20acc9640_NEIKI.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ckahkk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lhelbh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bbmcibjp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lljpjchg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Badnhbce.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Imahkg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bjkhdacm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Inojhc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhnmcb32.dll" C:\Windows\SysWOW64\Imahkg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jaoqqflp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qiflohqk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gkgoff32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mfgnnhkc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnpojnle.dll" C:\Windows\SysWOW64\Pmehdh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbfchlee.dll" C:\Windows\SysWOW64\Iikkon32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Oemegc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biggnm32.dll" C:\Windows\SysWOW64\Oemegc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpdonf32.dll" C:\Windows\SysWOW64\Jaoqqflp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jbnjhh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bokblhqh.dll" C:\Windows\SysWOW64\Kbpbmkan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ilofhffj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qggfio32.dll" C:\Windows\SysWOW64\Mmdjkhdh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ncnngfna.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghanagbo.dll" C:\Windows\SysWOW64\Lljpjchg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Iebldo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cpmjhk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mjhjdm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbdhfp32.dll" C:\Windows\SysWOW64\Jgdfdbhk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mdghaf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdlca32.dll" C:\Windows\SysWOW64\Oaghki32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqefma32.dll" C:\Users\Admin\AppData\Local\Temp\de6691e2dda3e61636b7fca20acc9640_NEIKI.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cmmagpef.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ajpepm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jpmmfp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onipnblf.dll" C:\Windows\SysWOW64\Mkipao32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hjaeba32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Oemegc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mihdgkpp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mjhjdm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fobnlgbf.dll" C:\Windows\SysWOW64\Ncnngfna.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhkhip32.dll" C:\Windows\SysWOW64\Mgbaml32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Phklaacg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohpbbo32.dll" C:\Windows\SysWOW64\Ilofhffj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Djgkii32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngdjmc32.dll" C:\Windows\SysWOW64\Kkjnnn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kgqocoin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klkpdn32.dll" C:\Windows\SysWOW64\Mfgnnhkc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hhkopj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bjebdfnn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmlfpfpl.dll" C:\Windows\SysWOW64\Alihaioe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibeghl32.dll" C:\Windows\SysWOW64\Kdkelolf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmapaflf.dll" C:\Windows\SysWOW64\Kbbobkol.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ldokfakl.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2032 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\de6691e2dda3e61636b7fca20acc9640_NEIKI.exe C:\Windows\SysWOW64\Mpbdnk32.exe
PID 2032 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\de6691e2dda3e61636b7fca20acc9640_NEIKI.exe C:\Windows\SysWOW64\Mpbdnk32.exe
PID 2032 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\de6691e2dda3e61636b7fca20acc9640_NEIKI.exe C:\Windows\SysWOW64\Mpbdnk32.exe
PID 2032 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\de6691e2dda3e61636b7fca20acc9640_NEIKI.exe C:\Windows\SysWOW64\Mpbdnk32.exe
PID 1448 wrote to memory of 1068 N/A C:\Windows\SysWOW64\Mpbdnk32.exe C:\Windows\SysWOW64\Nhgkil32.exe
PID 1448 wrote to memory of 1068 N/A C:\Windows\SysWOW64\Mpbdnk32.exe C:\Windows\SysWOW64\Nhgkil32.exe
PID 1448 wrote to memory of 1068 N/A C:\Windows\SysWOW64\Mpbdnk32.exe C:\Windows\SysWOW64\Nhgkil32.exe
PID 1448 wrote to memory of 1068 N/A C:\Windows\SysWOW64\Mpbdnk32.exe C:\Windows\SysWOW64\Nhgkil32.exe
PID 1068 wrote to memory of 2524 N/A C:\Windows\SysWOW64\Nhgkil32.exe C:\Windows\SysWOW64\Opifnm32.exe
PID 1068 wrote to memory of 2524 N/A C:\Windows\SysWOW64\Nhgkil32.exe C:\Windows\SysWOW64\Opifnm32.exe
PID 1068 wrote to memory of 2524 N/A C:\Windows\SysWOW64\Nhgkil32.exe C:\Windows\SysWOW64\Opifnm32.exe
PID 1068 wrote to memory of 2524 N/A C:\Windows\SysWOW64\Nhgkil32.exe C:\Windows\SysWOW64\Opifnm32.exe
PID 2524 wrote to memory of 2480 N/A C:\Windows\SysWOW64\Opifnm32.exe C:\Windows\SysWOW64\Oemegc32.exe
PID 2524 wrote to memory of 2480 N/A C:\Windows\SysWOW64\Opifnm32.exe C:\Windows\SysWOW64\Oemegc32.exe
PID 2524 wrote to memory of 2480 N/A C:\Windows\SysWOW64\Opifnm32.exe C:\Windows\SysWOW64\Oemegc32.exe
PID 2524 wrote to memory of 2480 N/A C:\Windows\SysWOW64\Opifnm32.exe C:\Windows\SysWOW64\Oemegc32.exe
PID 2480 wrote to memory of 2556 N/A C:\Windows\SysWOW64\Oemegc32.exe C:\Windows\SysWOW64\Acekjjmk.exe
PID 2480 wrote to memory of 2556 N/A C:\Windows\SysWOW64\Oemegc32.exe C:\Windows\SysWOW64\Acekjjmk.exe
PID 2480 wrote to memory of 2556 N/A C:\Windows\SysWOW64\Oemegc32.exe C:\Windows\SysWOW64\Acekjjmk.exe
PID 2480 wrote to memory of 2556 N/A C:\Windows\SysWOW64\Oemegc32.exe C:\Windows\SysWOW64\Acekjjmk.exe
PID 2556 wrote to memory of 2424 N/A C:\Windows\SysWOW64\Acekjjmk.exe C:\Windows\SysWOW64\Badnhbce.exe
PID 2556 wrote to memory of 2424 N/A C:\Windows\SysWOW64\Acekjjmk.exe C:\Windows\SysWOW64\Badnhbce.exe
PID 2556 wrote to memory of 2424 N/A C:\Windows\SysWOW64\Acekjjmk.exe C:\Windows\SysWOW64\Badnhbce.exe
PID 2556 wrote to memory of 2424 N/A C:\Windows\SysWOW64\Acekjjmk.exe C:\Windows\SysWOW64\Badnhbce.exe
PID 2424 wrote to memory of 2168 N/A C:\Windows\SysWOW64\Badnhbce.exe C:\Windows\SysWOW64\Ckahkk32.exe
PID 2424 wrote to memory of 2168 N/A C:\Windows\SysWOW64\Badnhbce.exe C:\Windows\SysWOW64\Ckahkk32.exe
PID 2424 wrote to memory of 2168 N/A C:\Windows\SysWOW64\Badnhbce.exe C:\Windows\SysWOW64\Ckahkk32.exe
PID 2424 wrote to memory of 2168 N/A C:\Windows\SysWOW64\Badnhbce.exe C:\Windows\SysWOW64\Ckahkk32.exe
PID 2168 wrote to memory of 2356 N/A C:\Windows\SysWOW64\Ckahkk32.exe C:\Windows\SysWOW64\Gaqomeke.exe
PID 2168 wrote to memory of 2356 N/A C:\Windows\SysWOW64\Ckahkk32.exe C:\Windows\SysWOW64\Gaqomeke.exe
PID 2168 wrote to memory of 2356 N/A C:\Windows\SysWOW64\Ckahkk32.exe C:\Windows\SysWOW64\Gaqomeke.exe
PID 2168 wrote to memory of 2356 N/A C:\Windows\SysWOW64\Ckahkk32.exe C:\Windows\SysWOW64\Gaqomeke.exe
PID 2356 wrote to memory of 572 N/A C:\Windows\SysWOW64\Gaqomeke.exe C:\Windows\SysWOW64\Ilofhffj.exe
PID 2356 wrote to memory of 572 N/A C:\Windows\SysWOW64\Gaqomeke.exe C:\Windows\SysWOW64\Ilofhffj.exe
PID 2356 wrote to memory of 572 N/A C:\Windows\SysWOW64\Gaqomeke.exe C:\Windows\SysWOW64\Ilofhffj.exe
PID 2356 wrote to memory of 572 N/A C:\Windows\SysWOW64\Gaqomeke.exe C:\Windows\SysWOW64\Ilofhffj.exe
PID 572 wrote to memory of 484 N/A C:\Windows\SysWOW64\Ilofhffj.exe C:\Windows\SysWOW64\Jgdfdbhk.exe
PID 572 wrote to memory of 484 N/A C:\Windows\SysWOW64\Ilofhffj.exe C:\Windows\SysWOW64\Jgdfdbhk.exe
PID 572 wrote to memory of 484 N/A C:\Windows\SysWOW64\Ilofhffj.exe C:\Windows\SysWOW64\Jgdfdbhk.exe
PID 572 wrote to memory of 484 N/A C:\Windows\SysWOW64\Ilofhffj.exe C:\Windows\SysWOW64\Jgdfdbhk.exe
PID 484 wrote to memory of 1924 N/A C:\Windows\SysWOW64\Jgdfdbhk.exe C:\Windows\SysWOW64\Jdhgnf32.exe
PID 484 wrote to memory of 1924 N/A C:\Windows\SysWOW64\Jgdfdbhk.exe C:\Windows\SysWOW64\Jdhgnf32.exe
PID 484 wrote to memory of 1924 N/A C:\Windows\SysWOW64\Jgdfdbhk.exe C:\Windows\SysWOW64\Jdhgnf32.exe
PID 484 wrote to memory of 1924 N/A C:\Windows\SysWOW64\Jgdfdbhk.exe C:\Windows\SysWOW64\Jdhgnf32.exe
PID 1924 wrote to memory of 2004 N/A C:\Windows\SysWOW64\Jdhgnf32.exe C:\Windows\SysWOW64\Lhelbh32.exe
PID 1924 wrote to memory of 2004 N/A C:\Windows\SysWOW64\Jdhgnf32.exe C:\Windows\SysWOW64\Lhelbh32.exe
PID 1924 wrote to memory of 2004 N/A C:\Windows\SysWOW64\Jdhgnf32.exe C:\Windows\SysWOW64\Lhelbh32.exe
PID 1924 wrote to memory of 2004 N/A C:\Windows\SysWOW64\Jdhgnf32.exe C:\Windows\SysWOW64\Lhelbh32.exe
PID 2004 wrote to memory of 2280 N/A C:\Windows\SysWOW64\Lhelbh32.exe C:\Windows\SysWOW64\Mihdgkpp.exe
PID 2004 wrote to memory of 2280 N/A C:\Windows\SysWOW64\Lhelbh32.exe C:\Windows\SysWOW64\Mihdgkpp.exe
PID 2004 wrote to memory of 2280 N/A C:\Windows\SysWOW64\Lhelbh32.exe C:\Windows\SysWOW64\Mihdgkpp.exe
PID 2004 wrote to memory of 2280 N/A C:\Windows\SysWOW64\Lhelbh32.exe C:\Windows\SysWOW64\Mihdgkpp.exe
PID 2280 wrote to memory of 1632 N/A C:\Windows\SysWOW64\Mihdgkpp.exe C:\Windows\SysWOW64\Mbbfep32.exe
PID 2280 wrote to memory of 1632 N/A C:\Windows\SysWOW64\Mihdgkpp.exe C:\Windows\SysWOW64\Mbbfep32.exe
PID 2280 wrote to memory of 1632 N/A C:\Windows\SysWOW64\Mihdgkpp.exe C:\Windows\SysWOW64\Mbbfep32.exe
PID 2280 wrote to memory of 1632 N/A C:\Windows\SysWOW64\Mihdgkpp.exe C:\Windows\SysWOW64\Mbbfep32.exe
PID 1632 wrote to memory of 2364 N/A C:\Windows\SysWOW64\Mbbfep32.exe C:\Windows\SysWOW64\Bgblmk32.exe
PID 1632 wrote to memory of 2364 N/A C:\Windows\SysWOW64\Mbbfep32.exe C:\Windows\SysWOW64\Bgblmk32.exe
PID 1632 wrote to memory of 2364 N/A C:\Windows\SysWOW64\Mbbfep32.exe C:\Windows\SysWOW64\Bgblmk32.exe
PID 1632 wrote to memory of 2364 N/A C:\Windows\SysWOW64\Mbbfep32.exe C:\Windows\SysWOW64\Bgblmk32.exe
PID 2364 wrote to memory of 2472 N/A C:\Windows\SysWOW64\Bgblmk32.exe C:\Windows\SysWOW64\Bjebdfnn.exe
PID 2364 wrote to memory of 2472 N/A C:\Windows\SysWOW64\Bgblmk32.exe C:\Windows\SysWOW64\Bjebdfnn.exe
PID 2364 wrote to memory of 2472 N/A C:\Windows\SysWOW64\Bgblmk32.exe C:\Windows\SysWOW64\Bjebdfnn.exe
PID 2364 wrote to memory of 2472 N/A C:\Windows\SysWOW64\Bgblmk32.exe C:\Windows\SysWOW64\Bjebdfnn.exe

Processes

C:\Users\Admin\AppData\Local\Temp\de6691e2dda3e61636b7fca20acc9640_NEIKI.exe

"C:\Users\Admin\AppData\Local\Temp\de6691e2dda3e61636b7fca20acc9640_NEIKI.exe"

C:\Windows\SysWOW64\Mpbdnk32.exe

C:\Windows\system32\Mpbdnk32.exe

C:\Windows\SysWOW64\Nhgkil32.exe

C:\Windows\system32\Nhgkil32.exe

C:\Windows\SysWOW64\Opifnm32.exe

C:\Windows\system32\Opifnm32.exe

C:\Windows\SysWOW64\Oemegc32.exe

C:\Windows\system32\Oemegc32.exe

C:\Windows\SysWOW64\Acekjjmk.exe

C:\Windows\system32\Acekjjmk.exe

C:\Windows\SysWOW64\Badnhbce.exe

C:\Windows\system32\Badnhbce.exe

C:\Windows\SysWOW64\Ckahkk32.exe

C:\Windows\system32\Ckahkk32.exe

C:\Windows\SysWOW64\Gaqomeke.exe

C:\Windows\system32\Gaqomeke.exe

C:\Windows\SysWOW64\Ilofhffj.exe

C:\Windows\system32\Ilofhffj.exe

C:\Windows\SysWOW64\Jgdfdbhk.exe

C:\Windows\system32\Jgdfdbhk.exe

C:\Windows\SysWOW64\Jdhgnf32.exe

C:\Windows\system32\Jdhgnf32.exe

C:\Windows\SysWOW64\Lhelbh32.exe

C:\Windows\system32\Lhelbh32.exe

C:\Windows\SysWOW64\Mihdgkpp.exe

C:\Windows\system32\Mihdgkpp.exe

C:\Windows\SysWOW64\Mbbfep32.exe

C:\Windows\system32\Mbbfep32.exe

C:\Windows\SysWOW64\Bgblmk32.exe

C:\Windows\system32\Bgblmk32.exe

C:\Windows\SysWOW64\Bjebdfnn.exe

C:\Windows\system32\Bjebdfnn.exe

C:\Windows\SysWOW64\Cmmagpef.exe

C:\Windows\system32\Cmmagpef.exe

C:\Windows\SysWOW64\Cpmjhk32.exe

C:\Windows\system32\Cpmjhk32.exe

C:\Windows\SysWOW64\Djgkii32.exe

C:\Windows\system32\Djgkii32.exe

C:\Windows\SysWOW64\Imahkg32.exe

C:\Windows\system32\Imahkg32.exe

C:\Windows\SysWOW64\Jaoqqflp.exe

C:\Windows\system32\Jaoqqflp.exe

C:\Windows\SysWOW64\Kkjnnn32.exe

C:\Windows\system32\Kkjnnn32.exe

C:\Windows\SysWOW64\Kgqocoin.exe

C:\Windows\system32\Kgqocoin.exe

C:\Windows\SysWOW64\Kjahej32.exe

C:\Windows\system32\Kjahej32.exe

C:\Windows\SysWOW64\Lgehno32.exe

C:\Windows\system32\Lgehno32.exe

C:\Windows\SysWOW64\Lkgngb32.exe

C:\Windows\system32\Lkgngb32.exe

C:\Windows\SysWOW64\Lkjjma32.exe

C:\Windows\system32\Lkjjma32.exe

C:\Windows\SysWOW64\Lddlkg32.exe

C:\Windows\system32\Lddlkg32.exe

C:\Windows\SysWOW64\Mdghaf32.exe

C:\Windows\system32\Mdghaf32.exe

C:\Windows\SysWOW64\Mmdjkhdh.exe

C:\Windows\system32\Mmdjkhdh.exe

C:\Windows\SysWOW64\Mjhjdm32.exe

C:\Windows\system32\Mjhjdm32.exe

C:\Windows\SysWOW64\Mimgeigj.exe

C:\Windows\system32\Mimgeigj.exe

C:\Windows\SysWOW64\Nedhjj32.exe

C:\Windows\system32\Nedhjj32.exe

C:\Windows\SysWOW64\Nibqqh32.exe

C:\Windows\system32\Nibqqh32.exe

C:\Windows\SysWOW64\Neiaeiii.exe

C:\Windows\system32\Neiaeiii.exe

C:\Windows\SysWOW64\Ncnngfna.exe

C:\Windows\system32\Ncnngfna.exe

C:\Windows\SysWOW64\Oaghki32.exe

C:\Windows\system32\Oaghki32.exe

C:\Windows\SysWOW64\Offmipej.exe

C:\Windows\system32\Offmipej.exe

C:\Windows\SysWOW64\Opnbbe32.exe

C:\Windows\system32\Opnbbe32.exe

C:\Windows\SysWOW64\Phqmgg32.exe

C:\Windows\system32\Phqmgg32.exe

C:\Windows\SysWOW64\Pkaehb32.exe

C:\Windows\system32\Pkaehb32.exe

C:\Windows\SysWOW64\Pleofj32.exe

C:\Windows\system32\Pleofj32.exe

C:\Windows\SysWOW64\Qndkpmkm.exe

C:\Windows\system32\Qndkpmkm.exe

C:\Windows\SysWOW64\Alihaioe.exe

C:\Windows\system32\Alihaioe.exe

C:\Windows\SysWOW64\Ahpifj32.exe

C:\Windows\system32\Ahpifj32.exe

C:\Windows\SysWOW64\Ajpepm32.exe

C:\Windows\system32\Ajpepm32.exe

C:\Windows\SysWOW64\Agjobffl.exe

C:\Windows\system32\Agjobffl.exe

C:\Windows\SysWOW64\Bjkhdacm.exe

C:\Windows\system32\Bjkhdacm.exe

C:\Windows\SysWOW64\Bdcifi32.exe

C:\Windows\system32\Bdcifi32.exe

C:\Windows\SysWOW64\Bbmcibjp.exe

C:\Windows\system32\Bbmcibjp.exe

C:\Windows\SysWOW64\Cenljmgq.exe

C:\Windows\system32\Cenljmgq.exe

C:\Windows\SysWOW64\Caifjn32.exe

C:\Windows\system32\Caifjn32.exe

C:\Windows\SysWOW64\Imgnjb32.exe

C:\Windows\system32\Imgnjb32.exe

C:\Windows\SysWOW64\Ifpcchai.exe

C:\Windows\system32\Ifpcchai.exe

C:\Windows\SysWOW64\Ijphofem.exe

C:\Windows\system32\Ijphofem.exe

C:\Windows\SysWOW64\Jbnjhh32.exe

C:\Windows\system32\Jbnjhh32.exe

C:\Windows\SysWOW64\Jlkglm32.exe

C:\Windows\system32\Jlkglm32.exe

C:\Windows\SysWOW64\Jpmmfp32.exe

C:\Windows\system32\Jpmmfp32.exe

C:\Windows\SysWOW64\Kdkelolf.exe

C:\Windows\system32\Kdkelolf.exe

C:\Windows\SysWOW64\Kbpbmkan.exe

C:\Windows\system32\Kbpbmkan.exe

C:\Windows\SysWOW64\Kbbobkol.exe

C:\Windows\system32\Kbbobkol.exe

C:\Windows\SysWOW64\Kaglcgdc.exe

C:\Windows\system32\Kaglcgdc.exe

C:\Windows\SysWOW64\Keeeje32.exe

C:\Windows\system32\Keeeje32.exe

C:\Windows\SysWOW64\Ldokfakl.exe

C:\Windows\system32\Ldokfakl.exe

C:\Windows\SysWOW64\Lljpjchg.exe

C:\Windows\system32\Lljpjchg.exe

C:\Windows\SysWOW64\Mgbaml32.exe

C:\Windows\system32\Mgbaml32.exe

C:\Windows\SysWOW64\Mfgnnhkc.exe

C:\Windows\system32\Mfgnnhkc.exe

C:\Windows\SysWOW64\Mobomnoq.exe

C:\Windows\system32\Mobomnoq.exe

C:\Windows\SysWOW64\Mkipao32.exe

C:\Windows\system32\Mkipao32.exe

C:\Windows\SysWOW64\Mdadjd32.exe

C:\Windows\system32\Mdadjd32.exe

C:\Windows\SysWOW64\Ngbmlo32.exe

C:\Windows\system32\Ngbmlo32.exe

C:\Windows\SysWOW64\Ndfnecgp.exe

C:\Windows\system32\Ndfnecgp.exe

C:\Windows\SysWOW64\Nqmnjd32.exe

C:\Windows\system32\Nqmnjd32.exe

C:\Windows\SysWOW64\Olpbaa32.exe

C:\Windows\system32\Olpbaa32.exe

C:\Windows\SysWOW64\Oaogognm.exe

C:\Windows\system32\Oaogognm.exe

C:\Windows\SysWOW64\Pmehdh32.exe

C:\Windows\system32\Pmehdh32.exe

C:\Windows\SysWOW64\Phklaacg.exe

C:\Windows\system32\Phklaacg.exe

C:\Windows\SysWOW64\Pfpibn32.exe

C:\Windows\system32\Pfpibn32.exe

C:\Windows\SysWOW64\Pbgjgomc.exe

C:\Windows\system32\Pbgjgomc.exe

C:\Windows\SysWOW64\Qiflohqk.exe

C:\Windows\system32\Qiflohqk.exe

C:\Windows\SysWOW64\Qaapcj32.exe

C:\Windows\system32\Qaapcj32.exe

C:\Windows\SysWOW64\Fimoiopk.exe

C:\Windows\system32\Fimoiopk.exe

C:\Windows\SysWOW64\Giolnomh.exe

C:\Windows\system32\Giolnomh.exe

C:\Windows\SysWOW64\Gcgqgd32.exe

C:\Windows\system32\Gcgqgd32.exe

C:\Windows\SysWOW64\Glpepj32.exe

C:\Windows\system32\Glpepj32.exe

C:\Windows\SysWOW64\Gaojnq32.exe

C:\Windows\system32\Gaojnq32.exe

C:\Windows\SysWOW64\Gkgoff32.exe

C:\Windows\system32\Gkgoff32.exe

C:\Windows\SysWOW64\Hhkopj32.exe

C:\Windows\system32\Hhkopj32.exe

C:\Windows\SysWOW64\Hadcipbi.exe

C:\Windows\system32\Hadcipbi.exe

C:\Windows\SysWOW64\Hjaeba32.exe

C:\Windows\system32\Hjaeba32.exe

C:\Windows\SysWOW64\Hjcaha32.exe

C:\Windows\system32\Hjcaha32.exe

C:\Windows\SysWOW64\Iikkon32.exe

C:\Windows\system32\Iikkon32.exe

C:\Windows\SysWOW64\Iebldo32.exe

C:\Windows\system32\Iebldo32.exe

C:\Windows\SysWOW64\Inmmbc32.exe

C:\Windows\system32\Inmmbc32.exe

C:\Windows\SysWOW64\Inojhc32.exe

C:\Windows\system32\Inojhc32.exe

C:\Windows\SysWOW64\Jmipdo32.exe

C:\Windows\system32\Jmipdo32.exe

C:\Windows\SysWOW64\Jibnop32.exe

C:\Windows\system32\Jibnop32.exe

C:\Windows\SysWOW64\Kjhcag32.exe

C:\Windows\system32\Kjhcag32.exe

C:\Windows\SysWOW64\Koflgf32.exe

C:\Windows\system32\Koflgf32.exe

C:\Windows\SysWOW64\Lbjofi32.exe

C:\Windows\system32\Lbjofi32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 140

Network

N/A

Files

memory/2032-0-0x0000000000400000-0x0000000000435000-memory.dmp

\Windows\SysWOW64\Mpbdnk32.exe

MD5 2fbe2c8072c0b98b092fc2a626188435
SHA1 26cd7987f5f39055da648a5d86a59d40aab9d5f1
SHA256 f1210ad40b9df0792910594ad97c0bf1727ac8003c7cecc10c97ff3f44fbe9b2
SHA512 6fcd2c176ee7f1717647205b41e035cdb3d69eeb43ae63b5baf2ccd0568862807f5133f8169da86de10d8427dd4202bbe39f2f212ca80b97c16e0448df15b280

memory/2032-6-0x0000000000220000-0x0000000000255000-memory.dmp

C:\Windows\SysWOW64\Nhgkil32.exe

MD5 eefa9c3845e184ab2918b07680351af2
SHA1 14c577879da3c7a69306e8467372821dc4b3ec96
SHA256 32a78fcd57745747aaa7511c09d733cd013142078c2b0aba52b32188beb90b1a
SHA512 3c6b57d86647071cc87592591e4a07e3106463b8550f2487a294b9814df53c9e52fd7e97fc6a5ce700ab17c504c468b684c7c960d6bc829b01a1cfcf20389d1d

memory/1448-25-0x0000000000220000-0x0000000000255000-memory.dmp

memory/1448-20-0x0000000000220000-0x0000000000255000-memory.dmp

\Windows\SysWOW64\Opifnm32.exe

MD5 14832641f6136c5e0a7d37dd0f38fb87
SHA1 ead9830183ca85309337899b0f98b4b3ffd03a2d
SHA256 f7129a7cc4bc0c802ff8d961aacff2b19817ed89e9ca6cba677acef4aff7e87a
SHA512 d420a5068ef95d5fb38c1c8f592681b11d93cc426790816453c50d30ef277f87218097e5680be9fddc07a61155ea61e995c0973fc931dd79918460f66bbef318

memory/2524-39-0x0000000000400000-0x0000000000435000-memory.dmp

\Windows\SysWOW64\Oemegc32.exe

MD5 b0cb24afd0b6fd15fd58e095093f87bc
SHA1 26d3bcd8627522e89e3ca464aba39ebd0cccb6c9
SHA256 e71e493572fbb3831931b1c05a49f6c8f40ce97002d2f37ce2d3a6f3e07185d8
SHA512 34de3bca52c859e21d1ddd8a6e8d03afa5796a10d4fcd1bceeff831718fad64d539747ede36ef591e6f076090c151eb223c83f3de8a17e486cce05e09b79f806

memory/2480-53-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2524-51-0x0000000000220000-0x0000000000255000-memory.dmp

\Windows\SysWOW64\Acekjjmk.exe

MD5 17066bfb51c41ed4edfcf2158a09b08b
SHA1 a0f4e111c2051d4f694ea35813ea8501cfe8ac03
SHA256 72b2ef5c9d2feabbf7dae1317d2318f268c0c2e4131903e6a3e558b5288a9e08
SHA512 5ebf60a2da22b37cd9705f7afd9ab90e9df025751566d021204e6281231ec93d3eb005461ebf118fba5078e41b5a7a4d9d869501c58476f9722a9d748b65e755

memory/2480-61-0x0000000000220000-0x0000000000255000-memory.dmp

memory/2556-71-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2556-79-0x00000000002C0000-0x00000000002F5000-memory.dmp

memory/2424-81-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Badnhbce.exe

MD5 01e46442ed7133757e346f0209b4d42e
SHA1 0f35a0834fc3149454928c96060496a09f2e174f
SHA256 d14c379832e5c50fce897dfaca19f7907452701b457f5dba6970081100142f57
SHA512 7ee3850143fb6b0b49b29c49c176d72c728c23312903110d98360f9e852ad42eee0282e100689460320e10a781a5a7163a4e02a821c973156e0ff2ad42be6ccc

\Windows\SysWOW64\Ckahkk32.exe

MD5 937d84d86af06c0b76851224875e5982
SHA1 eb2ce1716fd8a8c7e237316b760fd4329804380f
SHA256 71467861face27489e17c1cd64d621417873bc2e56850737ed9daeee43e76ffe
SHA512 78d04e645d341411156aa2c1aaa9920d787499d195ab14483a4c3517ccf16b0703f72b7b2b153647ebb5aaec15221c191a27c7314083ccb3e1aa2a2a26ecb780

memory/2424-89-0x0000000000220000-0x0000000000255000-memory.dmp

memory/2168-95-0x0000000000400000-0x0000000000435000-memory.dmp

\Windows\SysWOW64\Gaqomeke.exe

MD5 c6b072a669acc66785e2229c47aeb010
SHA1 9ba4bbf4e88fee023b3c6b00110e9ccb00162283
SHA256 df7c1bdb997b6a27be23c199cd921febc9bae60b9de3c33b35574c71856b67a1
SHA512 49e742af6785c95120fd2f3bc5656e485ae49eda313aa8c01f4be0a6fe3893bf8342af7df660f2777c8c9219c320e3d581c0d6924449be580c67d0dec38aebb0

memory/2356-108-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Gaqomeke.exe

MD5 34d3aaf5e95476c9c74e45eb82a57065
SHA1 e2ce80293544bf95ab9912f9dfe922934d12b0a5
SHA256 586429293df669645c679c28217b04b73869629aef85c8e59b1a5388d93197bb
SHA512 6375468e577f5f065c92251e970526a202cfc890cc5cc9ce354086545cadd87e15fa408eeb78b554ed4a2947b9b9a9cd3fb49c179d8a0a8dffd9f5e272bb9533

\Windows\SysWOW64\Ilofhffj.exe

MD5 e952b78eb0f18b4213f38e0dc0f42a9e
SHA1 6805cf72298539cdfd729b8218d25e021aaf1bbb
SHA256 ec973bf680082f1e394cc8e2be48410efea95d8310daed1a5f8d9f7132ce3737
SHA512 beea036ad21fc3f31acfdeed1bcf4cd4d41f456837da3c853593df81ce73feff6ce498714d815109ebfc99ed0e0c6d7e43b06d1425a91b42f0283b852bfaa5e4

\Windows\SysWOW64\Jgdfdbhk.exe

MD5 4afaf0932c629d91875e3fb5c39ccc24
SHA1 c884484c12efe812cd6ee30b71eed31c987a3293
SHA256 9a8b14c658b27ad7049296fe690c59a8418ade2d856a6e45215e8f4cc392ca91
SHA512 1c8491d9b39fa694838940c9028c059f854fb12fc03a5c24f2503c08b9ce7e735e30e0ff5a9bdd19dabe78078d5e98d6c05d49bbee11584566775ca6b23bec3c

memory/484-134-0x0000000000400000-0x0000000000435000-memory.dmp

memory/572-126-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Jdhgnf32.exe

MD5 2ec5b9ee1014d385f0f775dbcc0e5e62
SHA1 87e07fea1b7a91beaa6de0171bb133a19cec6f2d
SHA256 f2b3c49e7545422c810a6c7eacc8304d0faf7cb7414e2c0f064b224fb1424a5c
SHA512 e8ece36653b9232048fc0107a0f4cb3d3e7222a52d22b15162970f6beb6001a4033e264f69c254a12b1aafd72dc4057a58c840793bf9886f3f01b1c5cb350a00

memory/1924-147-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Jdhgnf32.exe

MD5 309ecbb40e1878c01515fdc921dac49d
SHA1 67129e2ef2387c9d8f1e533874f7ea0c8df2c708
SHA256 94fa7eb79d8ddf97996381dc6fad8a7a15578e490c04f5f6cfcf5fefb8e5dd85
SHA512 8d00fe0cb44d73c7890964d6e561f454607996c4d5a36f44f06f8d8c884aa9b5aa1000a4ad55119c0ae28a3b83a9e6920890f7080e0dcdc1bdd4100ac0a61c86

\Windows\SysWOW64\Lhelbh32.exe

MD5 b5da3e734c12c745187d023fa5519325
SHA1 2b9b916a19862e26ceda21009fd22507c872be85
SHA256 c8100db6f425c6efed14b4a725042abfe2f602b27755e826b7584d1c048a0cd2
SHA512 a391d2203dc2616a5b00d376e629409db6a77c9d9cde8918a77cbeb69ac2a7e0dc4458690ca7cc6d3cc90ee5f01c0cf7363929090aa84687e96b3e919b269869

memory/1924-159-0x0000000000220000-0x0000000000255000-memory.dmp

C:\Windows\SysWOW64\Jdhgnf32.exe

MD5 9592642c61bd2f596edd1f69bbb7086f
SHA1 cfd5bdfd94b2805f4f4219121e2fa94e4220cb33
SHA256 c8c58bdb5d5abfd1c2e586a8303e25653afb06e5dcd0515d0ab8fc973f761ecd
SHA512 f4c820e5b08c2cc730e0d2b8eae5b63ec44fd5a56a7e68eae23345c06e92d4534023c763d59ae639ab5b9466e4174fe99f83ef17486bafcb9174f111f5e1e002

\Windows\SysWOW64\Jdhgnf32.exe

MD5 6c569e9ee69390a6ed23de3bb2cc209b
SHA1 c8a5f08a2f441c4ecc7eaf84197123c306b1af0c
SHA256 b54b40458717e1fc2021266b0a70cd48e2743e67aeff1be634510293304fdb67
SHA512 a4938601c60e96d58157fb919df9008015fc1d89351063d8c66d28079e42ecd77210a4d1f980afaa853300f3865d4c3b3ed97352bb7c06b1b5f0b57223d8bb1b

\Windows\SysWOW64\Mihdgkpp.exe

MD5 967e4f4444c79d12150f9d5541af454f
SHA1 0f92655d9fd8472c3ebbf207f98cd8dbd1737f42
SHA256 902c56c307002ee6ebececc620c25436be5040a1b4f591be7c7dcf62b5209103
SHA512 e2fc54c393532e214eca5771f0fe9380ee50a1746ee69edf452d96c18a276ccf766c02312dbc1de8397547c2203ce718f2664c1800b3d0ee45376e3451426d2c

memory/2280-173-0x0000000000400000-0x0000000000435000-memory.dmp

\Windows\SysWOW64\Mbbfep32.exe

MD5 90a65f5f86ab4adb6d211eb7dff20180
SHA1 571cde9c52d3216a72ae03d7f50c72b90f75fc68
SHA256 5df7f8bbc9840230f0746f18cf78a976a7e10d4f486f7284fa2c12641b5a32c0
SHA512 9222d589eb5ebd784824fc81308302c8bd6d023aef5b7ef3a63dbc43c2f1ba83c82efde1e0f568955ad703f0ad44c72f89e6d075f43070ab96399d9564da0890

memory/1632-186-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Mbbfep32.exe

MD5 9fd4fe387f52c025dcd4036c6f6e5dcd
SHA1 dcdb8c829a7d3f8d72003f4fecdd56a0ca724fce
SHA256 e3f4e5282fbd493cf11330236808998b9390089b7f37137c71d5cd5d2c056775
SHA512 c45d097f76038173b712cc0c66f68ca1f1a732cc7e665cb7ac4524f333410bd0175436407502a765407da670f8c2f22d43d0be897fb6c44f54434a2bd959f0d3

C:\Windows\SysWOW64\Mbbfep32.exe

MD5 4de8e7839e1a58b49fb562228f61ae88
SHA1 f654fd0139a68a06b8309063922bfeb60e0e4cab
SHA256 57356ddacdf91701f895de1e970c4184aa5814d2990658de46440cf31e22ceea
SHA512 ca25b6aac87d262d0dc1e001eb3ac838daefe35f21ee52afe171f5f2d553c84d770f00374cedf68f8ccbb1a1a9c30c26a0fcca06495e10e68102f01ef3f506fe

C:\Windows\SysWOW64\Mihdgkpp.exe

MD5 530ed5e0964e01538510863899eaa9c1
SHA1 e3d3575c78d857f82d5ee3187d076191723461f4
SHA256 69430c8b339a57525006fac5667b8ea9aa92b5c831b1358a9b8bea7a25500800
SHA512 15c5f5e1e5381c366f484a3adb9d3d8bda4e9fd51cda19ac5cb29fc9e22cf73a1c4f41c941cca44f862a94b8ab1857423879c0f7357544d269e2cf428803201e

C:\Windows\SysWOW64\Mbbfep32.exe

MD5 09661223c92b2d5b7ce725be650602e2
SHA1 d023352fe6046e32e19643b1772ee9e2a28f4bfe
SHA256 ed3564788222ad603eca5babdb5d205a5683ec4ab3d7e4efcea6a9ce856911d7
SHA512 6e1c3e28521eac05302e4705ce7267917e6128d97984499f87dbb8440aed23f802f51b0bc61be6c8502a1431cd5daf93cb53f07980c1c81fdc79b4cf6276a5be

C:\Windows\SysWOW64\Bgblmk32.exe

MD5 29abdc7e9c3de2742feb5366595e11c0
SHA1 1ed46be6c0e7786224ed38136e5c8f694d9a00a6
SHA256 2e4755c3d593cdb24a958989961cb039d2efcfc0e6c8885a5494d4e676ebd4c8
SHA512 04ce8e4904ef1939d6eeefae93a9cdece48bebc083b2d42be0eff20fba2fdc4c8f398a43c0da420228568d082e880f5279abd1b92e78db33d9021b5e950f3dc4

memory/2472-212-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Bjebdfnn.exe

MD5 94b408ddd2813de6c0c0ac2f5f47adb3
SHA1 e1192c1729a56e9a4c2ee9b23f59ad98f35492c9
SHA256 fa1d5bf009a3a093bc97b6caaa0bf472a5f54f1011bdd6be529f628b99249769
SHA512 13121837aeddf336ae1f1c85cef6b4d2ba10d8bf41871eabfb9923297c596429e4b5962a9eb1c2030ec901880bb1029ac73c0237aa0a6f339496db37e5142c58

\Windows\SysWOW64\Bjebdfnn.exe

MD5 f8eb1f1561588cc228863d1a0f256972
SHA1 4b3c0b70be67ae76acf6a9c32e37087d39e931e4
SHA256 29ff78be0d9691d1808175b654a572c24ff5d5e9521d0751427e39a2dd945890
SHA512 3a304c222b79a70fd5343b1c5645dbfa6b0ddd4b84da2ab707741940824336ace1c67351ddb0a6f5d45617c9e6b6ffc87974255e6cbaebabe538083f313dc10d

\Windows\SysWOW64\Bjebdfnn.exe

MD5 d79293f04307d9ef0496205b21a7802f
SHA1 dafc0f6c21353808aace55507dd86ebfa9d1ac97
SHA256 ad2602801b971c76f892e3d85551a99bb55ad8f63052adf678747c845fc7ea04
SHA512 1191ee5a42c7881ca828ef593a694da8bf4d711ee9afb5257b4c766ca532f843ed71cccb625e2a031b449160d780f34c1d187ad1fb1fc80e9b8c168ec501f8a1

C:\Windows\SysWOW64\Bjebdfnn.exe

MD5 340d6d3d18de5abfdb1f73426f408d4e
SHA1 db9b96affcde51512f8d166ffd444b733134ceaf
SHA256 32e1a3bde05ca0b7b7b5384dc79477c828e3d193fab006fbc9df5ef0a0fc6cf8
SHA512 c172db2b2ab17a36ac8bf25cf01deeb7dd0d3cd657a5a28e80cfb078934bfc4046e9298fdb39b6f2ef66974a3e0db70c65ea1a764009ed1a5703f7c3af88500c

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 03:25

Reported

2024-05-09 03:28

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

101s

Command Line

"C:\Users\Admin\AppData\Local\Temp\de6691e2dda3e61636b7fca20acc9640_NEIKI.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ffbnph32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hjjbcbqj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Iidipnal.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kknafn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kknafn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dfdbojmq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ffbnph32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jbhmdbnp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Domfgpca.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jiphkm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nceonl32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kgfoan32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\de6691e2dda3e61636b7fca20acc9640_NEIKI.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fqaeco32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hjjbcbqj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dfdbojmq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kgfoan32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jiphkm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mjqjih32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mjqjih32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nceonl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Domfgpca.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fqaeco32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iidipnal.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jbhmdbnp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\de6691e2dda3e61636b7fca20acc9640_NEIKI.exe N/A

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A
(14 identical rows collapsed: the signature fired 14 times, but the report records no indicator, process or target for any of them)

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Oijnep32.dll C:\Windows\SysWOW64\Domfgpca.exe N/A
File created C:\Windows\SysWOW64\Hakfehok.dll C:\Windows\SysWOW64\Ffbnph32.exe N/A
File created C:\Windows\SysWOW64\Iidipnal.exe C:\Windows\SysWOW64\Hjjbcbqj.exe N/A
File opened for modification C:\Windows\SysWOW64\Nceonl32.exe C:\Windows\SysWOW64\Mjqjih32.exe N/A
File created C:\Windows\SysWOW64\Hnibdpde.dll C:\Windows\SysWOW64\Nceonl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dfdbojmq.exe C:\Users\Admin\AppData\Local\Temp\de6691e2dda3e61636b7fca20acc9640_NEIKI.exe N/A
File created C:\Windows\SysWOW64\Domfgpca.exe C:\Windows\SysWOW64\Dfdbojmq.exe N/A
File created C:\Windows\SysWOW64\Dfdbojmq.exe C:\Users\Admin\AppData\Local\Temp\de6691e2dda3e61636b7fca20acc9640_NEIKI.exe N/A
File created C:\Windows\SysWOW64\Kpmkpqcp.dll C:\Users\Admin\AppData\Local\Temp\de6691e2dda3e61636b7fca20acc9640_NEIKI.exe N/A
File opened for modification C:\Windows\SysWOW64\Domfgpca.exe C:\Windows\SysWOW64\Dfdbojmq.exe N/A
File created C:\Windows\SysWOW64\Jbhmdbnp.exe C:\Windows\SysWOW64\Jiphkm32.exe N/A
File created C:\Windows\SysWOW64\Ffbnph32.exe C:\Windows\SysWOW64\Domfgpca.exe N/A
File opened for modification C:\Windows\SysWOW64\Fqaeco32.exe C:\Windows\SysWOW64\Ffbnph32.exe N/A
File opened for modification C:\Windows\SysWOW64\Iidipnal.exe C:\Windows\SysWOW64\Hjjbcbqj.exe N/A
File opened for modification C:\Windows\SysWOW64\Jiphkm32.exe C:\Windows\SysWOW64\Iidipnal.exe N/A
File opened for modification C:\Windows\SysWOW64\Kgfoan32.exe C:\Windows\SysWOW64\Kknafn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mjqjih32.exe C:\Windows\SysWOW64\Kgfoan32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hjjbcbqj.exe C:\Windows\SysWOW64\Fqaeco32.exe N/A
File created C:\Windows\SysWOW64\Lppbjjia.dll C:\Windows\SysWOW64\Kgfoan32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nkcmohbg.exe C:\Windows\SysWOW64\Nceonl32.exe N/A
File created C:\Windows\SysWOW64\Kgfoan32.exe C:\Windows\SysWOW64\Kknafn32.exe N/A
File created C:\Windows\SysWOW64\Fqaeco32.exe C:\Windows\SysWOW64\Ffbnph32.exe N/A
File created C:\Windows\SysWOW64\Hjjbcbqj.exe C:\Windows\SysWOW64\Fqaeco32.exe N/A
File created C:\Windows\SysWOW64\Denfkg32.dll C:\Windows\SysWOW64\Fqaeco32.exe N/A
File created C:\Windows\SysWOW64\Jiphkm32.exe C:\Windows\SysWOW64\Iidipnal.exe N/A
File created C:\Windows\SysWOW64\Jdkind32.dll C:\Windows\SysWOW64\Iidipnal.exe N/A
File created C:\Windows\SysWOW64\Kknafn32.exe C:\Windows\SysWOW64\Jbhmdbnp.exe N/A
File opened for modification C:\Windows\SysWOW64\Kknafn32.exe C:\Windows\SysWOW64\Jbhmdbnp.exe N/A
File created C:\Windows\SysWOW64\Nceonl32.exe C:\Windows\SysWOW64\Mjqjih32.exe N/A
File created C:\Windows\SysWOW64\Fcdjjo32.dll C:\Windows\SysWOW64\Mjqjih32.exe N/A
File created C:\Windows\SysWOW64\Nkcmohbg.exe C:\Windows\SysWOW64\Nceonl32.exe N/A
File created C:\Windows\SysWOW64\Dbppbgjd.dll C:\Windows\SysWOW64\Dfdbojmq.exe N/A
File created C:\Windows\SysWOW64\Pipagf32.dll C:\Windows\SysWOW64\Kknafn32.exe N/A
File created C:\Windows\SysWOW64\Mjqjih32.exe C:\Windows\SysWOW64\Kgfoan32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ffbnph32.exe C:\Windows\SysWOW64\Domfgpca.exe N/A
File created C:\Windows\SysWOW64\Mgblmpji.dll C:\Windows\SysWOW64\Hjjbcbqj.exe N/A
File opened for modification C:\Windows\SysWOW64\Jbhmdbnp.exe C:\Windows\SysWOW64\Jiphkm32.exe N/A
File created C:\Windows\SysWOW64\Bgllgqcp.dll C:\Windows\SysWOW64\Jiphkm32.exe N/A
File created C:\Windows\SysWOW64\Ihaoimoh.dll C:\Windows\SysWOW64\Jbhmdbnp.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Nkcmohbg.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dfdbojmq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbppbgjd.dll" C:\Windows\SysWOW64\Dfdbojmq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dfdbojmq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fqaeco32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jbhmdbnp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll" C:\Windows\SysWOW64\Nceonl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ffbnph32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hjjbcbqj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kknafn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mjqjih32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nceonl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgllgqcp.dll" C:\Windows\SysWOW64\Jiphkm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kknafn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node C:\Users\Admin\AppData\Local\Temp\de6691e2dda3e61636b7fca20acc9640_NEIKI.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\de6691e2dda3e61636b7fca20acc9640_NEIKI.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ffbnph32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fqaeco32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hjjbcbqj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Iidipnal.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jiphkm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jiphkm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\de6691e2dda3e61636b7fca20acc9640_NEIKI.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} C:\Users\Admin\AppData\Local\Temp\de6691e2dda3e61636b7fca20acc9640_NEIKI.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpmkpqcp.dll" C:\Users\Admin\AppData\Local\Temp\de6691e2dda3e61636b7fca20acc9640_NEIKI.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Domfgpca.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdkind32.dll" C:\Windows\SysWOW64\Iidipnal.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll" C:\Windows\SysWOW64\Kgfoan32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Iidipnal.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll" C:\Windows\SysWOW64\Jbhmdbnp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kgfoan32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll" C:\Windows\SysWOW64\Mjqjih32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nceonl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\de6691e2dda3e61636b7fca20acc9640_NEIKI.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Domfgpca.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Denfkg32.dll" C:\Windows\SysWOW64\Fqaeco32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mjqjih32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oijnep32.dll" C:\Windows\SysWOW64\Domfgpca.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hakfehok.dll" C:\Windows\SysWOW64\Ffbnph32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgblmpji.dll" C:\Windows\SysWOW64\Hjjbcbqj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipagf32.dll" C:\Windows\SysWOW64\Kknafn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kgfoan32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jbhmdbnp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4312 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\de6691e2dda3e61636b7fca20acc9640_NEIKI.exe C:\Windows\SysWOW64\Dfdbojmq.exe
PID 4312 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\de6691e2dda3e61636b7fca20acc9640_NEIKI.exe C:\Windows\SysWOW64\Dfdbojmq.exe
PID 4312 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\de6691e2dda3e61636b7fca20acc9640_NEIKI.exe C:\Windows\SysWOW64\Dfdbojmq.exe
PID 2512 wrote to memory of 3560 N/A C:\Windows\SysWOW64\Dfdbojmq.exe C:\Windows\SysWOW64\Domfgpca.exe
PID 2512 wrote to memory of 3560 N/A C:\Windows\SysWOW64\Dfdbojmq.exe C:\Windows\SysWOW64\Domfgpca.exe
PID 2512 wrote to memory of 3560 N/A C:\Windows\SysWOW64\Dfdbojmq.exe C:\Windows\SysWOW64\Domfgpca.exe
PID 3560 wrote to memory of 1260 N/A C:\Windows\SysWOW64\Domfgpca.exe C:\Windows\SysWOW64\Ffbnph32.exe
PID 3560 wrote to memory of 1260 N/A C:\Windows\SysWOW64\Domfgpca.exe C:\Windows\SysWOW64\Ffbnph32.exe
PID 3560 wrote to memory of 1260 N/A C:\Windows\SysWOW64\Domfgpca.exe C:\Windows\SysWOW64\Ffbnph32.exe
PID 1260 wrote to memory of 2260 N/A C:\Windows\SysWOW64\Ffbnph32.exe C:\Windows\SysWOW64\Fqaeco32.exe
PID 1260 wrote to memory of 2260 N/A C:\Windows\SysWOW64\Ffbnph32.exe C:\Windows\SysWOW64\Fqaeco32.exe
PID 1260 wrote to memory of 2260 N/A C:\Windows\SysWOW64\Ffbnph32.exe C:\Windows\SysWOW64\Fqaeco32.exe
PID 2260 wrote to memory of 2912 N/A C:\Windows\SysWOW64\Fqaeco32.exe C:\Windows\SysWOW64\Hjjbcbqj.exe
PID 2260 wrote to memory of 2912 N/A C:\Windows\SysWOW64\Fqaeco32.exe C:\Windows\SysWOW64\Hjjbcbqj.exe
PID 2260 wrote to memory of 2912 N/A C:\Windows\SysWOW64\Fqaeco32.exe C:\Windows\SysWOW64\Hjjbcbqj.exe
PID 2912 wrote to memory of 2924 N/A C:\Windows\SysWOW64\Hjjbcbqj.exe C:\Windows\SysWOW64\Iidipnal.exe
PID 2912 wrote to memory of 2924 N/A C:\Windows\SysWOW64\Hjjbcbqj.exe C:\Windows\SysWOW64\Iidipnal.exe
PID 2912 wrote to memory of 2924 N/A C:\Windows\SysWOW64\Hjjbcbqj.exe C:\Windows\SysWOW64\Iidipnal.exe
PID 2924 wrote to memory of 5096 N/A C:\Windows\SysWOW64\Iidipnal.exe C:\Windows\SysWOW64\Jiphkm32.exe
PID 2924 wrote to memory of 5096 N/A C:\Windows\SysWOW64\Iidipnal.exe C:\Windows\SysWOW64\Jiphkm32.exe
PID 2924 wrote to memory of 5096 N/A C:\Windows\SysWOW64\Iidipnal.exe C:\Windows\SysWOW64\Jiphkm32.exe
PID 5096 wrote to memory of 2840 N/A C:\Windows\SysWOW64\Jiphkm32.exe C:\Windows\SysWOW64\Jbhmdbnp.exe
PID 5096 wrote to memory of 2840 N/A C:\Windows\SysWOW64\Jiphkm32.exe C:\Windows\SysWOW64\Jbhmdbnp.exe
PID 5096 wrote to memory of 2840 N/A C:\Windows\SysWOW64\Jiphkm32.exe C:\Windows\SysWOW64\Jbhmdbnp.exe
PID 2840 wrote to memory of 2612 N/A C:\Windows\SysWOW64\Jbhmdbnp.exe C:\Windows\SysWOW64\Kknafn32.exe
PID 2840 wrote to memory of 2612 N/A C:\Windows\SysWOW64\Jbhmdbnp.exe C:\Windows\SysWOW64\Kknafn32.exe
PID 2840 wrote to memory of 2612 N/A C:\Windows\SysWOW64\Jbhmdbnp.exe C:\Windows\SysWOW64\Kknafn32.exe
PID 2612 wrote to memory of 2496 N/A C:\Windows\SysWOW64\Kknafn32.exe C:\Windows\SysWOW64\Kgfoan32.exe
PID 2612 wrote to memory of 2496 N/A C:\Windows\SysWOW64\Kknafn32.exe C:\Windows\SysWOW64\Kgfoan32.exe
PID 2612 wrote to memory of 2496 N/A C:\Windows\SysWOW64\Kknafn32.exe C:\Windows\SysWOW64\Kgfoan32.exe
PID 2496 wrote to memory of 1868 N/A C:\Windows\SysWOW64\Kgfoan32.exe C:\Windows\SysWOW64\Mjqjih32.exe
PID 2496 wrote to memory of 1868 N/A C:\Windows\SysWOW64\Kgfoan32.exe C:\Windows\SysWOW64\Mjqjih32.exe
PID 2496 wrote to memory of 1868 N/A C:\Windows\SysWOW64\Kgfoan32.exe C:\Windows\SysWOW64\Mjqjih32.exe
PID 1868 wrote to memory of 4696 N/A C:\Windows\SysWOW64\Mjqjih32.exe C:\Windows\SysWOW64\Nceonl32.exe
PID 1868 wrote to memory of 4696 N/A C:\Windows\SysWOW64\Mjqjih32.exe C:\Windows\SysWOW64\Nceonl32.exe
PID 1868 wrote to memory of 4696 N/A C:\Windows\SysWOW64\Mjqjih32.exe C:\Windows\SysWOW64\Nceonl32.exe
PID 4696 wrote to memory of 3304 N/A C:\Windows\SysWOW64\Nceonl32.exe C:\Windows\SysWOW64\Nkcmohbg.exe
PID 4696 wrote to memory of 3304 N/A C:\Windows\SysWOW64\Nceonl32.exe C:\Windows\SysWOW64\Nkcmohbg.exe
PID 4696 wrote to memory of 3304 N/A C:\Windows\SysWOW64\Nceonl32.exe C:\Windows\SysWOW64\Nkcmohbg.exe
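
The three tables above describe one mechanism from three angles: each stage sets the SSODL value "Web Event Logger" to the same CLSID, re-points that CLSID's InProcServer32 default value at a DLL it has just dropped into SysWOW64, and spawns the next stage. The script below, added here as an example and not code from the sandbox or from the report, correlates those rows. SAMPLE_ROWS is a constructed subset copied from the behavioral2 tables (the first three hops, with the first hop's triplicated WriteProcessMemory rows kept on purpose); the parser assumes the report's flattened "Description Indicator Process Target" layout and a linear chain in which each process writes to exactly one child, which is what the table shows. Because the sample stops after the third hop, Ffbnph32.exe comes back with no DLL; run over the full tables, every member of the chain except the crashed Nkcmohbg.exe resolves to its own DLL.

```python
"""Correlate the registry and process rows of a Berbew sandbox report.

Added example, not code from the sandbox or the report. SAMPLE_ROWS is a
constructed subset of rows copied from the behavioral2 signature tables,
kept in the report's flattened "Description Indicator Process Target"
layout. Assumed: that layout, and a linear parent->child chain (each
process writes to exactly one child), which is what the table shows.
"""
import re

SAMPLE_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\de6691e2dda3e61636b7fca20acc9640_NEIKI.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpmkpqcp.dll" C:\Users\Admin\AppData\Local\Temp\de6691e2dda3e61636b7fca20acc9640_NEIKI.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dfdbojmq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbppbgjd.dll" C:\Windows\SysWOW64\Dfdbojmq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dfdbojmq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Domfgpca.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oijnep32.dll" C:\Windows\SysWOW64\Domfgpca.exe N/A
PID 4312 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\de6691e2dda3e61636b7fca20acc9640_NEIKI.exe C:\Windows\SysWOW64\Dfdbojmq.exe
PID 4312 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\de6691e2dda3e61636b7fca20acc9640_NEIKI.exe C:\Windows\SysWOW64\Dfdbojmq.exe
PID 4312 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\de6691e2dda3e61636b7fca20acc9640_NEIKI.exe C:\Windows\SysWOW64\Dfdbojmq.exe
PID 2512 wrote to memory of 3560 N/A C:\Windows\SysWOW64\Dfdbojmq.exe C:\Windows\SysWOW64\Domfgpca.exe
PID 3560 wrote to memory of 1260 N/A C:\Windows\SysWOW64\Domfgpca.exe C:\Windows\SysWOW64\Ffbnph32.exe
"""

# SSODL value written: "<name> = "{CLSID}"" followed by the writing process.
SSODL_RE = re.compile(
    r'ShellServiceObjectDelayLoad\\(?P<name>.+?) = "(?P<clsid>\{[0-9A-Fa-f-]+\})" (?P<proc>\S+) N/A$'
)
# InProcServer32 default value only; ThreadingModel and "Key created" rows do not match.
INPROC_RE = re.compile(
    r'CLSID\\(?P<clsid>\{[0-9A-Fa-f-]+\})\\InProcServer32\\ = "(?P<dll>[^"]+)" (?P<proc>\S+) N/A$'
)
WPM_RE = re.compile(
    r'^PID (?P<ppid>\d+) wrote to memory of (?P<cpid>\d+) N/A (?P<parent>\S+) (?P<child>\S+)$'
)


def _rows(text):
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def basename(path):
    """Last component of a Windows path (the Process column is a full path)."""
    return path.rsplit("\\", 1)[-1]


def ssodl_registrations(text):
    """Process name -> (SSODL value name, CLSID) for every SSODL 'Set value' row."""
    out = {}
    for ln in _rows(text):
        m = SSODL_RE.search(ln)
        if m:
            out[basename(m["proc"])] = (m["name"], m["clsid"].upper())
    return out


def inproc_servers(text):
    """Process name -> (CLSID, DLL path) for every InProcServer32 default-value row."""
    out = {}
    for ln in _rows(text):
        m = INPROC_RE.search(ln)
        if m:
            dll = m["dll"].replace("\\\\", "\\")  # the report doubles backslashes in REG_SZ data
            out[basename(m["proc"])] = (m["clsid"].upper(), dll)
    return out


def process_chain(text):
    """Parent->child chain from WriteProcessMemory rows as [(pid, name), ...],
    root first. The sandbox logs several writes per CreateProcess, so the
    repeated rows for one hop collapse to a single edge."""
    edges = {}
    for ln in _rows(text):
        m = WPM_RE.match(ln)
        if m:
            parent = (int(m["ppid"]), basename(m["parent"]))
            child = (int(m["cpid"]), basename(m["child"]))
            edges.setdefault(parent, child)
    children = set(edges.values())
    roots = [p for p in edges if p not in children]
    chain = []
    if roots:
        node = roots[0]
        chain.append(node)
        while node in edges:
            node = edges[node]
            chain.append(node)
    return chain


def persistence_handoff(text):
    """For each hop, the DLL the SSODL CLSID points at once that process has run,
    or None if the process never (re)registered the COM server in these rows.
    Every stage re-points the same CLSID at its own dropped DLL, so the last
    writer in the chain is the DLL Explorer will load at next logon."""
    ssodl, inproc = ssodl_registrations(text), inproc_servers(text)
    out = []
    for _pid, name in process_chain(text):
        dll = None
        if name in ssodl and name in inproc and ssodl[name][1] == inproc[name][0]:
            dll = inproc[name][1]
        out.append((name, dll))
    return out


if __name__ == "__main__":
    for name, dll in persistence_handoff(SAMPLE_ROWS):
        print(f"{name:45s} -> {dll}")
```

The same functions run unchanged over the complete tables pasted in place of SAMPLE_ROWS. On a live host the equivalent check is to read every value under HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (and the Wow6432Node mirror), resolve each CLSID's InProcServer32 default value, and treat any DLL that is unsigned or whose name matches nothing the OS ships as the artifact to pull; the dropped EXEs are only the delivery chain and each stage leaves a new DLL behind.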

Processes

C:\Users\Admin\AppData\Local\Temp\de6691e2dda3e61636b7fca20acc9640_NEIKI.exe

"C:\Users\Admin\AppData\Local\Temp\de6691e2dda3e61636b7fca20acc9640_NEIKI.exe"

C:\Windows\SysWOW64\Dfdbojmq.exe

C:\Windows\system32\Dfdbojmq.exe

C:\Windows\SysWOW64\Domfgpca.exe

C:\Windows\system32\Domfgpca.exe

C:\Windows\SysWOW64\Ffbnph32.exe

C:\Windows\system32\Ffbnph32.exe

C:\Windows\SysWOW64\Fqaeco32.exe

C:\Windows\system32\Fqaeco32.exe

C:\Windows\SysWOW64\Hjjbcbqj.exe

C:\Windows\system32\Hjjbcbqj.exe

C:\Windows\SysWOW64\Iidipnal.exe

C:\Windows\system32\Iidipnal.exe

C:\Windows\SysWOW64\Jiphkm32.exe

C:\Windows\system32\Jiphkm32.exe

C:\Windows\SysWOW64\Jbhmdbnp.exe

C:\Windows\system32\Jbhmdbnp.exe

C:\Windows\SysWOW64\Kknafn32.exe

C:\Windows\system32\Kknafn32.exe

C:\Windows\SysWOW64\Kgfoan32.exe

C:\Windows\system32\Kgfoan32.exe

C:\Windows\SysWOW64\Mjqjih32.exe

C:\Windows\system32\Mjqjih32.exe

C:\Windows\SysWOW64\Nceonl32.exe

C:\Windows\system32\Nceonl32.exe

C:\Windows\SysWOW64\Nkcmohbg.exe

C:\Windows\system32\Nkcmohbg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3304 -ip 3304

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 408

Network

Country Destination Domain Proto
US 52.111.229.43:443 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

memory/4312-0-0x0000000000400000-0x0000000000435000-memory.dmp

memory/4312-2-0x0000000000431000-0x0000000000432000-memory.dmp

C:\Windows\SysWOW64\Dfdbojmq.exe

MD5 312e264bd797fcde6e056b97f746f548
SHA1 e3ac2d19eec93fa6c926789e69030f23fcb6949f
SHA256 831abd7a11c93f7b9350ac8bb90f4f8f34278a0cb1ae84d5a6a81e7a16aa78f8
SHA512 a9ccda1a7e0a5515571d92def4010d24caceff9d36efcc97207b81ea971bb43163e7b89b6f82fd16af3deb5da6fc5fd5b749bfe24d1e95990ef8e69c7c6896ce

memory/2512-9-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Domfgpca.exe

MD5 d19ec5a2154f73ff6b2f8de7fac33e26
SHA1 7a1bb22e5b666baf6ebb952f108a2c131e0c6581
SHA256 1225a13785e7e5f685e76fd8e562d48b4bca7b81c477757b02c9ce397a65588b
SHA512 5b6129d0d70678c0d51a053f0f257737636a5df2f1e133305c3c3321ec9e226261ce5804462269a2176ea8782e3a868fb4e95ce6cdbd8ac7c3015d902bcacf81

memory/3560-18-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Ffbnph32.exe

MD5 13e1cf1d082a673492231967f93f1774
SHA1 e3c96e18133d656199d8d442bee9627bf08a0755
SHA256 c50519ce3440c4433836b53350b2bbd31e8125593fd8c553aff88a6cd6dc8cde
SHA512 7f18b9d8e64943ee620f3c0870014de78cc28559e452129bc8fa6caea8eac4d75bbbe263d14b4f062e195a76567d591caf929eb4e6c661cdcc2e78fb920a4a9a

memory/1260-25-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Fqaeco32.exe

MD5 de8ed894de2035cf30ab97f7ea3c518f
SHA1 16383d16e6ba946ca4370ae1276451d702ad9c6c
SHA256 8bb49005007664bdb6a5aef5c9ad1ee60de926f00e118a3d32445ba6be56180a
SHA512 b70631659e80ec970e4c9d92070273dcac85277aa525acc66903b69c32b7f3b825818a77a2bf0ddd10e08ab71b23716e497981d8757acdfb572e3b430dc0c3dd

memory/2260-33-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Hjjbcbqj.exe

MD5 fbfc2ff9ae4e574ec61c908edfb4309f
SHA1 ee50c59c7a119968caa8462434247936364fd89a
SHA256 d204627d89f219ca95868a415fa1004c682e80993e7a28d94654d558dd161397
SHA512 e8d3c3123b5748466000e59176fb723c5904c7314bd25747e0688d48c2560e5ba22f8dcde126a0be6397c8857bb5756ddf8041a99b3bc9d9ac3690b74bf21190

memory/2912-40-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Iidipnal.exe

MD5 cc22fe4421fef6afe172126a383e3f58
SHA1 8b73ac727d7bdf5dd78aaf9be3de17457c57e6d7
SHA256 f6e75c867f899908b8831c74a9cdd418d4266d1a729aab97ad2a4f7177ef7b32
SHA512 7d88649f2cc11b86da6bd0860f8c66a28d013f542d128dbb83277a9ed5b9a3667b9f4e9e7ba1b955ea03b2cf113b7857c3a2d1639b626736f11e2f7938a5ec44

C:\Windows\SysWOW64\Iidipnal.exe

MD5 30129775c5453ba28f01c89b88e83b44
SHA1 84ce13669f6693f1fa61fc34589c34ae46e3c470
SHA256 0344634fdc7823d57703ccccf4be7d2cb0e9f9e53a06874822dcff9cfdb99301
SHA512 98a35bd78c52ad67f8620901204466ec81573a6100ca5c91d0ff0ff514eb9f38d86c809da45d0a72b586ff95fb9f79d700d58fe537afee242283b238be8b171a

memory/2924-48-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Jiphkm32.exe

MD5 e2bf1d48679ccec3c2961e870fdffc47
SHA1 2a198d79341142a8e38e0cd8b29244c4f42b7bfe
SHA256 a3d2c4e006c565dd75bfbbcf93cef666e06fffa928069c1dfc6d4f324370b6e1
SHA512 7ff33c17c37297981c7d65835d8252916440621d7b0c1d54e8a5efe1207bb86ca76f6680090f82b36228298eb389bd28de24a56527c7556fd0960070ee1c3351

memory/5096-57-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Jbhmdbnp.exe

MD5 5f615b5f0ba62ce467b3f109a82589a6
SHA1 a81172b1996ee950f0d05773b2fa9270e51382eb
SHA256 baa84d3ec64b4ed636969d6ae791ef01c74ca38e4aac9e79044012ba6e5e30b2
SHA512 265595fd3bd289f6d189ff16af7b915cea037bf3e982ad4beed40b48ba0a29481ad8535b51269152aad819844c801258d3dc3a820efa2e97cb00e85eb1196b1f

memory/2840-64-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Kknafn32.exe

MD5 61318872037ce5a1bcdf5c49ea6b117a
SHA1 64a259b938ffe2ec96b440098e8c10e18fcccdee
SHA256 1c5ec6b0148e0232c2a64d40c1c8c354d0d2ef862504eefe772f30cc248d38cc
SHA512 d7340eb9b46ef041340cf0897cc40cfbde17cf82296cec14a743fe5bd9b6f0b99a3f69174b80fc0abc841daa2867f9f72b26d108f0406417e7d94c968a0ae1f8

memory/2612-72-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Kgfoan32.exe

MD5 e55a7be26a045c7a9f751e902612a411
SHA1 ee38e4117430cb84c327286d58555c01d0c839ec
SHA256 3882f32a320f31e88763fb842a45612b22f059745d6c733ecb699dc495ee2185
SHA512 8f6422f886fa82ef6c43124b0799b2f284ce53e5ae362c0559e00067911a8516a5763a7c810a42a9bd0322500269602880a0a6d426d7f399863a7984b004feb0

memory/2496-81-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Mjqjih32.exe

MD5 2ff11b805ba6f4ec909d05df75ccf3fa
SHA1 8869df6ecc3be4b7eeb037348c88b1bcdfe62890
SHA256 b9461ded335383190a198c882a705a59742cb93a3e8d6301ffed05639abde79c
SHA512 5217167737ba39a68983095b0484f6818b87fa3c93a29fdb9316488cc238f4f531ca75ab2f983962fce50bfdb3c73d8fc1ee2bc577dc8b8276379448a31f33b8

memory/1868-88-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Nceonl32.exe

MD5 47ad6de597502a8897b97d1ef47efc4b
SHA1 b49e4fa240e2ec7404708b856080de6347628204
SHA256 7baa107cb1c1ddcd62153f64205b666f462a929a67f9b661f35b2975a8f26b43
SHA512 0f88dc5be56e7079a0ea8cf573157eaf160485c21e97ee70489c2121e9627e1af5f4bdf07d167546ddfa63f3cac575c06bc9a41895930af4c2a3274451c288b6

memory/4696-96-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Nkcmohbg.exe

MD5 3ceac35377a0f07f98726139ce179059
SHA1 9a3c64acb1f5b7cec461880e7cc00f83ae40e8ce
SHA256 9aee34c274c1fe90c32a51da163e639962d32c303b6a1fa71b85e6fb0bedc382
SHA512 26a512047b9a7d20dc0cb58138d895a506b7f9eb7c36ea89e6a7343038e86d3635a63f4507b686370b3c7e580e7500422a3575027bec0734913f2d9600d79758

memory/3304-105-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3304-106-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2840-111-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2512-117-0x0000000000400000-0x0000000000435000-memory.dmp

memory/4312-118-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3560-116-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1260-115-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2912-114-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2924-113-0x0000000000400000-0x0000000000435000-memory.dmp

memory/5096-112-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2612-110-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2496-109-0x0000000000400000-0x0000000000435000-memory.dmp

memory/4696-107-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1868-108-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2260-119-0x0000000000400000-0x0000000000435000-memory.dmp