Malware Analysis Report

2025-08-05 22:11

Sample ID 240509-r1y5rseg9z
Target 61b9a24b39c7e4d90caab5eb6421a190_NeikiAnalytics
SHA256 ddc732c689da1b1dcb4cb1700fd87312f9cc2145ce60142d9e9bf2dcb0e42df9
Tags
backdoor dropper persistence trojan berbew
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ddc732c689da1b1dcb4cb1700fd87312f9cc2145ce60142d9e9bf2dcb0e42df9

Threat Level: Known bad

The file 61b9a24b39c7e4d90caab5eb6421a190_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

backdoor dropper persistence trojan berbew

Malware Dropper & Backdoor - Berbew

Berbew family

Adds autorun key to be loaded by Explorer.exe on startup

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Program crash

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 14:40

Signatures

Berbew family

berbew

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 14:40

Reported

2024-05-09 14:42

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\61b9a24b39c7e4d90caab5eb6421a190_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ngcgcjnc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mjcgohig.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nklfoi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nqfbaq32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nbkhfc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mcklgm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mcpebmkb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nbhkac32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mjqjih32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mpdelajl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mpolqa32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mjhqjg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mjhqjg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nddkgonp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Majopeii.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mdiklqhm.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mjeddggd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mkbchk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nnhfee32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nnhfee32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nddkgonp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ncihikcg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\61b9a24b39c7e4d90caab5eb6421a190_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mahbje32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mjeddggd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ndidbn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mjcgohig.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mdiklqhm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Majopeii.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mkbchk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mnapdf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nkjjij32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nqfbaq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nbkhfc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mjqjih32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mahbje32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nklfoi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mnapdf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mcpebmkb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mcklgm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nbhkac32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ngcgcjnc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Maohkd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mpdelajl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mpolqa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mjjmog32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nkqpjidj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mciobn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mjjmog32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nkjjij32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ncihikcg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nkqpjidj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\61b9a24b39c7e4d90caab5eb6421a190_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Maohkd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mciobn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ndidbn32.exe N/A

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Mdiklqhm.exe C:\Windows\SysWOW64\Majopeii.exe N/A
File created C:\Windows\SysWOW64\Odegmceb.dll C:\Windows\SysWOW64\Mnapdf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ncihikcg.exe C:\Windows\SysWOW64\Nbhkac32.exe N/A
File created C:\Windows\SysWOW64\Gqffnmfa.dll C:\Windows\SysWOW64\Mcklgm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nqfbaq32.exe C:\Windows\SysWOW64\Nnhfee32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nddkgonp.exe C:\Windows\SysWOW64\Nklfoi32.exe N/A
File created C:\Windows\SysWOW64\Lnohlokp.dll C:\Windows\SysWOW64\Mjcgohig.exe N/A
File created C:\Windows\SysWOW64\Ngcgcjnc.exe C:\Windows\SysWOW64\Nddkgonp.exe N/A
File created C:\Windows\SysWOW64\Ndidbn32.exe C:\Windows\SysWOW64\Nbkhfc32.exe N/A
File created C:\Windows\SysWOW64\Mahbje32.exe C:\Windows\SysWOW64\Mjqjih32.exe N/A
File created C:\Windows\SysWOW64\Mjjmog32.exe C:\Windows\SysWOW64\Mcpebmkb.exe N/A
File created C:\Windows\SysWOW64\Jlnpomfk.dll C:\Windows\SysWOW64\Nklfoi32.exe N/A
File created C:\Windows\SysWOW64\Majknlkd.dll C:\Windows\SysWOW64\Nddkgonp.exe N/A
File opened for modification C:\Windows\SysWOW64\Majopeii.exe C:\Windows\SysWOW64\Mjcgohig.exe N/A
File opened for modification C:\Windows\SysWOW64\Nbhkac32.exe C:\Windows\SysWOW64\Ngcgcjnc.exe N/A
File created C:\Windows\SysWOW64\Ogpnaafp.dll C:\Windows\SysWOW64\Ncihikcg.exe N/A
File opened for modification C:\Windows\SysWOW64\Nkcmohbg.exe C:\Windows\SysWOW64\Ndidbn32.exe N/A
File created C:\Windows\SysWOW64\Npckna32.dll C:\Windows\SysWOW64\Nnhfee32.exe N/A
File created C:\Windows\SysWOW64\Fibjjh32.dll C:\Windows\SysWOW64\Nqfbaq32.exe N/A
File created C:\Windows\SysWOW64\Nbkhfc32.exe C:\Windows\SysWOW64\Nkqpjidj.exe N/A
File opened for modification C:\Windows\SysWOW64\Ndidbn32.exe C:\Windows\SysWOW64\Nbkhfc32.exe N/A
File created C:\Windows\SysWOW64\Hhapkbgi.dll C:\Windows\SysWOW64\Maohkd32.exe N/A
File created C:\Windows\SysWOW64\Nbhkac32.exe C:\Windows\SysWOW64\Ngcgcjnc.exe N/A
File created C:\Windows\SysWOW64\Ipkobd32.dll C:\Windows\SysWOW64\Ngcgcjnc.exe N/A
File opened for modification C:\Windows\SysWOW64\Mjqjih32.exe C:\Users\Admin\AppData\Local\Temp\61b9a24b39c7e4d90caab5eb6421a190_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Mjcgohig.exe C:\Windows\SysWOW64\Mciobn32.exe N/A
File created C:\Windows\SysWOW64\Mdiklqhm.exe C:\Windows\SysWOW64\Majopeii.exe N/A
File opened for modification C:\Windows\SysWOW64\Mcklgm32.exe C:\Windows\SysWOW64\Mdiklqhm.exe N/A
File created C:\Windows\SysWOW64\Gpnkgo32.dll C:\Windows\SysWOW64\Mpolqa32.exe N/A
File created C:\Windows\SysWOW64\Nkqpjidj.exe C:\Windows\SysWOW64\Ncihikcg.exe N/A
File created C:\Windows\SysWOW64\Nkcmohbg.exe C:\Windows\SysWOW64\Ndidbn32.exe N/A
File created C:\Windows\SysWOW64\Geegicjl.dll C:\Windows\SysWOW64\Mcpebmkb.exe N/A
File opened for modification C:\Windows\SysWOW64\Mpdelajl.exe C:\Windows\SysWOW64\Mjjmog32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nkjjij32.exe C:\Windows\SysWOW64\Mpdelajl.exe N/A
File created C:\Windows\SysWOW64\Lppbjjia.dll C:\Users\Admin\AppData\Local\Temp\61b9a24b39c7e4d90caab5eb6421a190_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Ocbakl32.dll C:\Windows\SysWOW64\Mciobn32.exe N/A
File created C:\Windows\SysWOW64\Majopeii.exe C:\Windows\SysWOW64\Mjcgohig.exe N/A
File created C:\Windows\SysWOW64\Jjblifaf.dll C:\Windows\SysWOW64\Mkbchk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mjjmog32.exe C:\Windows\SysWOW64\Mcpebmkb.exe N/A
File created C:\Windows\SysWOW64\Pkckjila.dll C:\Windows\SysWOW64\Nbhkac32.exe N/A
File created C:\Windows\SysWOW64\Opbnic32.dll C:\Windows\SysWOW64\Nbkhfc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mnapdf32.exe C:\Windows\SysWOW64\Mjeddggd.exe N/A
File created C:\Windows\SysWOW64\Gbbkdl32.dll C:\Windows\SysWOW64\Mjjmog32.exe N/A
File created C:\Windows\SysWOW64\Nnhfee32.exe C:\Windows\SysWOW64\Nkjjij32.exe N/A
File created C:\Windows\SysWOW64\Mciobn32.exe C:\Windows\SysWOW64\Mahbje32.exe N/A
File created C:\Windows\SysWOW64\Lifenaok.dll C:\Windows\SysWOW64\Mahbje32.exe N/A
File created C:\Windows\SysWOW64\Mkbchk32.exe C:\Windows\SysWOW64\Mcklgm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mjeddggd.exe C:\Windows\SysWOW64\Mkbchk32.exe N/A
File created C:\Windows\SysWOW64\Mnapdf32.exe C:\Windows\SysWOW64\Mjeddggd.exe N/A
File opened for modification C:\Windows\SysWOW64\Nbkhfc32.exe C:\Windows\SysWOW64\Nkqpjidj.exe N/A
File created C:\Windows\SysWOW64\Hnibdpde.dll C:\Windows\SysWOW64\Ndidbn32.exe N/A
File created C:\Windows\SysWOW64\Mjcgohig.exe C:\Windows\SysWOW64\Mciobn32.exe N/A
File created C:\Windows\SysWOW64\Nkjjij32.exe C:\Windows\SysWOW64\Mpdelajl.exe N/A
File created C:\Windows\SysWOW64\Egqcbapl.dll C:\Windows\SysWOW64\Mpdelajl.exe N/A
File opened for modification C:\Windows\SysWOW64\Mkbchk32.exe C:\Windows\SysWOW64\Mcklgm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mcpebmkb.exe C:\Windows\SysWOW64\Maohkd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nnhfee32.exe C:\Windows\SysWOW64\Nkjjij32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ngcgcjnc.exe C:\Windows\SysWOW64\Nddkgonp.exe N/A
File created C:\Windows\SysWOW64\Mjqjih32.exe C:\Users\Admin\AppData\Local\Temp\61b9a24b39c7e4d90caab5eb6421a190_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Mahbje32.exe C:\Windows\SysWOW64\Mjqjih32.exe N/A
File created C:\Windows\SysWOW64\Mjeddggd.exe C:\Windows\SysWOW64\Mkbchk32.exe N/A
File created C:\Windows\SysWOW64\Mjhqjg32.exe C:\Windows\SysWOW64\Mpolqa32.exe N/A
File opened for modification C:\Windows\SysWOW64\Maohkd32.exe C:\Windows\SysWOW64\Mjhqjg32.exe N/A
File created C:\Windows\SysWOW64\Epmjjbbj.dll C:\Windows\SysWOW64\Mdiklqhm.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Nkcmohbg.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mahbje32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mjcgohig.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nddkgonp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll" C:\Windows\SysWOW64\Mahbje32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mpolqa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll" C:\Windows\SysWOW64\Mpdelajl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nkjjij32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nkqpjidj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node C:\Users\Admin\AppData\Local\Temp\61b9a24b39c7e4d90caab5eb6421a190_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} C:\Users\Admin\AppData\Local\Temp\61b9a24b39c7e4d90caab5eb6421a190_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mahbje32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nbkhfc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ndidbn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll" C:\Windows\SysWOW64\Maohkd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll" C:\Windows\SysWOW64\Mcpebmkb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll" C:\Windows\SysWOW64\Mjjmog32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mdiklqhm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mpolqa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll" C:\Windows\SysWOW64\Mpolqa32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mjjmog32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nqfbaq32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mciobn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mdiklqhm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Maohkd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nbhkac32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll" C:\Windows\SysWOW64\Nbhkac32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nkqpjidj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mcklgm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nnhfee32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll" C:\Windows\SysWOW64\Ngcgcjnc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ndidbn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll" C:\Windows\SysWOW64\Mjqjih32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Majopeii.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll" C:\Windows\SysWOW64\Ncihikcg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll" C:\Windows\SysWOW64\Nkqpjidj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mjcgohig.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mcklgm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll" C:\Windows\SysWOW64\Mjhqjg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mnapdf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll" C:\Windows\SysWOW64\Nklfoi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mjqjih32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mjeddggd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll" C:\Windows\SysWOW64\Mjeddggd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nqfbaq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll" C:\Windows\SysWOW64\Mkbchk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Maohkd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nnhfee32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll" C:\Windows\SysWOW64\Mnapdf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mjhqjg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mpdelajl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ngcgcjnc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll" C:\Windows\SysWOW64\Nbkhfc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\61b9a24b39c7e4d90caab5eb6421a190_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mjqjih32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll" C:\Windows\SysWOW64\Mdiklqhm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll" C:\Windows\SysWOW64\Nddkgonp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nbkhfc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll" C:\Windows\SysWOW64\Mcklgm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mjeddggd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nklfoi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nbhkac32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll" C:\Windows\SysWOW64\Ndidbn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\61b9a24b39c7e4d90caab5eb6421a190_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\61b9a24b39c7e4d90caab5eb6421a190_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3380 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\61b9a24b39c7e4d90caab5eb6421a190_NeikiAnalytics.exe C:\Windows\SysWOW64\Mjqjih32.exe
PID 3380 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\61b9a24b39c7e4d90caab5eb6421a190_NeikiAnalytics.exe C:\Windows\SysWOW64\Mjqjih32.exe
PID 3380 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\61b9a24b39c7e4d90caab5eb6421a190_NeikiAnalytics.exe C:\Windows\SysWOW64\Mjqjih32.exe
PID 3068 wrote to memory of 5016 N/A C:\Windows\SysWOW64\Mjqjih32.exe C:\Windows\SysWOW64\Mahbje32.exe
PID 3068 wrote to memory of 5016 N/A C:\Windows\SysWOW64\Mjqjih32.exe C:\Windows\SysWOW64\Mahbje32.exe
PID 3068 wrote to memory of 5016 N/A C:\Windows\SysWOW64\Mjqjih32.exe C:\Windows\SysWOW64\Mahbje32.exe
PID 5016 wrote to memory of 3640 N/A C:\Windows\SysWOW64\Mahbje32.exe C:\Windows\SysWOW64\Mciobn32.exe
PID 5016 wrote to memory of 3640 N/A C:\Windows\SysWOW64\Mahbje32.exe C:\Windows\SysWOW64\Mciobn32.exe
PID 5016 wrote to memory of 3640 N/A C:\Windows\SysWOW64\Mahbje32.exe C:\Windows\SysWOW64\Mciobn32.exe
PID 3640 wrote to memory of 3396 N/A C:\Windows\SysWOW64\Mciobn32.exe C:\Windows\SysWOW64\Mjcgohig.exe
PID 3640 wrote to memory of 3396 N/A C:\Windows\SysWOW64\Mciobn32.exe C:\Windows\SysWOW64\Mjcgohig.exe
PID 3640 wrote to memory of 3396 N/A C:\Windows\SysWOW64\Mciobn32.exe C:\Windows\SysWOW64\Mjcgohig.exe
PID 3396 wrote to memory of 992 N/A C:\Windows\SysWOW64\Mjcgohig.exe C:\Windows\SysWOW64\Majopeii.exe
PID 3396 wrote to memory of 992 N/A C:\Windows\SysWOW64\Mjcgohig.exe C:\Windows\SysWOW64\Majopeii.exe
PID 3396 wrote to memory of 992 N/A C:\Windows\SysWOW64\Mjcgohig.exe C:\Windows\SysWOW64\Majopeii.exe
PID 992 wrote to memory of 4628 N/A C:\Windows\SysWOW64\Majopeii.exe C:\Windows\SysWOW64\Mdiklqhm.exe
PID 992 wrote to memory of 4628 N/A C:\Windows\SysWOW64\Majopeii.exe C:\Windows\SysWOW64\Mdiklqhm.exe
PID 992 wrote to memory of 4628 N/A C:\Windows\SysWOW64\Majopeii.exe C:\Windows\SysWOW64\Mdiklqhm.exe
PID 4628 wrote to memory of 3652 N/A C:\Windows\SysWOW64\Mdiklqhm.exe C:\Windows\SysWOW64\Mcklgm32.exe
PID 4628 wrote to memory of 3652 N/A C:\Windows\SysWOW64\Mdiklqhm.exe C:\Windows\SysWOW64\Mcklgm32.exe
PID 4628 wrote to memory of 3652 N/A C:\Windows\SysWOW64\Mdiklqhm.exe C:\Windows\SysWOW64\Mcklgm32.exe
PID 3652 wrote to memory of 3428 N/A C:\Windows\SysWOW64\Mcklgm32.exe C:\Windows\SysWOW64\Mkbchk32.exe
PID 3652 wrote to memory of 3428 N/A C:\Windows\SysWOW64\Mcklgm32.exe C:\Windows\SysWOW64\Mkbchk32.exe
PID 3652 wrote to memory of 3428 N/A C:\Windows\SysWOW64\Mcklgm32.exe C:\Windows\SysWOW64\Mkbchk32.exe
PID 3428 wrote to memory of 3136 N/A C:\Windows\SysWOW64\Mkbchk32.exe C:\Windows\SysWOW64\Mjeddggd.exe
PID 3428 wrote to memory of 3136 N/A C:\Windows\SysWOW64\Mkbchk32.exe C:\Windows\SysWOW64\Mjeddggd.exe
PID 3428 wrote to memory of 3136 N/A C:\Windows\SysWOW64\Mkbchk32.exe C:\Windows\SysWOW64\Mjeddggd.exe
PID 3136 wrote to memory of 5080 N/A C:\Windows\SysWOW64\Mjeddggd.exe C:\Windows\SysWOW64\Mnapdf32.exe
PID 3136 wrote to memory of 5080 N/A C:\Windows\SysWOW64\Mjeddggd.exe C:\Windows\SysWOW64\Mnapdf32.exe
PID 3136 wrote to memory of 5080 N/A C:\Windows\SysWOW64\Mjeddggd.exe C:\Windows\SysWOW64\Mnapdf32.exe
PID 5080 wrote to memory of 1232 N/A C:\Windows\SysWOW64\Mnapdf32.exe C:\Windows\SysWOW64\Mpolqa32.exe
PID 5080 wrote to memory of 1232 N/A C:\Windows\SysWOW64\Mnapdf32.exe C:\Windows\SysWOW64\Mpolqa32.exe
PID 5080 wrote to memory of 1232 N/A C:\Windows\SysWOW64\Mnapdf32.exe C:\Windows\SysWOW64\Mpolqa32.exe
PID 1232 wrote to memory of 4792 N/A C:\Windows\SysWOW64\Mpolqa32.exe C:\Windows\SysWOW64\Mjhqjg32.exe
PID 1232 wrote to memory of 4792 N/A C:\Windows\SysWOW64\Mpolqa32.exe C:\Windows\SysWOW64\Mjhqjg32.exe
PID 1232 wrote to memory of 4792 N/A C:\Windows\SysWOW64\Mpolqa32.exe C:\Windows\SysWOW64\Mjhqjg32.exe
PID 4792 wrote to memory of 4912 N/A C:\Windows\SysWOW64\Mjhqjg32.exe C:\Windows\SysWOW64\Maohkd32.exe
PID 4792 wrote to memory of 4912 N/A C:\Windows\SysWOW64\Mjhqjg32.exe C:\Windows\SysWOW64\Maohkd32.exe
PID 4792 wrote to memory of 4912 N/A C:\Windows\SysWOW64\Mjhqjg32.exe C:\Windows\SysWOW64\Maohkd32.exe
PID 4912 wrote to memory of 5044 N/A C:\Windows\SysWOW64\Maohkd32.exe C:\Windows\SysWOW64\Mcpebmkb.exe
PID 4912 wrote to memory of 5044 N/A C:\Windows\SysWOW64\Maohkd32.exe C:\Windows\SysWOW64\Mcpebmkb.exe
PID 4912 wrote to memory of 5044 N/A C:\Windows\SysWOW64\Maohkd32.exe C:\Windows\SysWOW64\Mcpebmkb.exe
PID 5044 wrote to memory of 3972 N/A C:\Windows\SysWOW64\Mcpebmkb.exe C:\Windows\SysWOW64\Mjjmog32.exe
PID 5044 wrote to memory of 3972 N/A C:\Windows\SysWOW64\Mcpebmkb.exe C:\Windows\SysWOW64\Mjjmog32.exe
PID 5044 wrote to memory of 3972 N/A C:\Windows\SysWOW64\Mcpebmkb.exe C:\Windows\SysWOW64\Mjjmog32.exe
PID 3972 wrote to memory of 5108 N/A C:\Windows\SysWOW64\Mjjmog32.exe C:\Windows\SysWOW64\Mpdelajl.exe
PID 3972 wrote to memory of 5108 N/A C:\Windows\SysWOW64\Mjjmog32.exe C:\Windows\SysWOW64\Mpdelajl.exe
PID 3972 wrote to memory of 5108 N/A C:\Windows\SysWOW64\Mjjmog32.exe C:\Windows\SysWOW64\Mpdelajl.exe
PID 5108 wrote to memory of 4660 N/A C:\Windows\SysWOW64\Mpdelajl.exe C:\Windows\SysWOW64\Nkjjij32.exe
PID 5108 wrote to memory of 4660 N/A C:\Windows\SysWOW64\Mpdelajl.exe C:\Windows\SysWOW64\Nkjjij32.exe
PID 5108 wrote to memory of 4660 N/A C:\Windows\SysWOW64\Mpdelajl.exe C:\Windows\SysWOW64\Nkjjij32.exe
PID 4660 wrote to memory of 4692 N/A C:\Windows\SysWOW64\Nkjjij32.exe C:\Windows\SysWOW64\Nnhfee32.exe
PID 4660 wrote to memory of 4692 N/A C:\Windows\SysWOW64\Nkjjij32.exe C:\Windows\SysWOW64\Nnhfee32.exe
PID 4660 wrote to memory of 4692 N/A C:\Windows\SysWOW64\Nkjjij32.exe C:\Windows\SysWOW64\Nnhfee32.exe
PID 4692 wrote to memory of 1560 N/A C:\Windows\SysWOW64\Nnhfee32.exe C:\Windows\SysWOW64\Nqfbaq32.exe
PID 4692 wrote to memory of 1560 N/A C:\Windows\SysWOW64\Nnhfee32.exe C:\Windows\SysWOW64\Nqfbaq32.exe
PID 4692 wrote to memory of 1560 N/A C:\Windows\SysWOW64\Nnhfee32.exe C:\Windows\SysWOW64\Nqfbaq32.exe
PID 1560 wrote to memory of 1436 N/A C:\Windows\SysWOW64\Nqfbaq32.exe C:\Windows\SysWOW64\Nklfoi32.exe
PID 1560 wrote to memory of 1436 N/A C:\Windows\SysWOW64\Nqfbaq32.exe C:\Windows\SysWOW64\Nklfoi32.exe
PID 1560 wrote to memory of 1436 N/A C:\Windows\SysWOW64\Nqfbaq32.exe C:\Windows\SysWOW64\Nklfoi32.exe
PID 1436 wrote to memory of 1072 N/A C:\Windows\SysWOW64\Nklfoi32.exe C:\Windows\SysWOW64\Nddkgonp.exe
PID 1436 wrote to memory of 1072 N/A C:\Windows\SysWOW64\Nklfoi32.exe C:\Windows\SysWOW64\Nddkgonp.exe
PID 1436 wrote to memory of 1072 N/A C:\Windows\SysWOW64\Nklfoi32.exe C:\Windows\SysWOW64\Nddkgonp.exe
PID 1072 wrote to memory of 2468 N/A C:\Windows\SysWOW64\Nddkgonp.exe C:\Windows\SysWOW64\Ngcgcjnc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\61b9a24b39c7e4d90caab5eb6421a190_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\61b9a24b39c7e4d90caab5eb6421a190_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Mjqjih32.exe

C:\Windows\system32\Mjqjih32.exe

C:\Windows\SysWOW64\Mahbje32.exe

C:\Windows\system32\Mahbje32.exe

C:\Windows\SysWOW64\Mciobn32.exe

C:\Windows\system32\Mciobn32.exe

C:\Windows\SysWOW64\Mjcgohig.exe

C:\Windows\system32\Mjcgohig.exe

C:\Windows\SysWOW64\Majopeii.exe

C:\Windows\system32\Majopeii.exe

C:\Windows\SysWOW64\Mdiklqhm.exe

C:\Windows\system32\Mdiklqhm.exe

C:\Windows\SysWOW64\Mcklgm32.exe

C:\Windows\system32\Mcklgm32.exe

C:\Windows\SysWOW64\Mkbchk32.exe

C:\Windows\system32\Mkbchk32.exe

C:\Windows\SysWOW64\Mjeddggd.exe

C:\Windows\system32\Mjeddggd.exe

C:\Windows\SysWOW64\Mnapdf32.exe

C:\Windows\system32\Mnapdf32.exe

C:\Windows\SysWOW64\Mpolqa32.exe

C:\Windows\system32\Mpolqa32.exe

C:\Windows\SysWOW64\Mjhqjg32.exe

C:\Windows\system32\Mjhqjg32.exe

C:\Windows\SysWOW64\Maohkd32.exe

C:\Windows\system32\Maohkd32.exe

C:\Windows\SysWOW64\Mcpebmkb.exe

C:\Windows\system32\Mcpebmkb.exe

C:\Windows\SysWOW64\Mjjmog32.exe

C:\Windows\system32\Mjjmog32.exe

C:\Windows\SysWOW64\Mpdelajl.exe

C:\Windows\system32\Mpdelajl.exe

C:\Windows\SysWOW64\Nkjjij32.exe

C:\Windows\system32\Nkjjij32.exe

C:\Windows\SysWOW64\Nnhfee32.exe

C:\Windows\system32\Nnhfee32.exe

C:\Windows\SysWOW64\Nqfbaq32.exe

C:\Windows\system32\Nqfbaq32.exe

C:\Windows\SysWOW64\Nklfoi32.exe

C:\Windows\system32\Nklfoi32.exe

C:\Windows\SysWOW64\Nddkgonp.exe

C:\Windows\system32\Nddkgonp.exe

C:\Windows\SysWOW64\Ngcgcjnc.exe

C:\Windows\system32\Ngcgcjnc.exe

C:\Windows\SysWOW64\Nbhkac32.exe

C:\Windows\system32\Nbhkac32.exe

C:\Windows\SysWOW64\Ncihikcg.exe

C:\Windows\system32\Ncihikcg.exe

C:\Windows\SysWOW64\Nkqpjidj.exe

C:\Windows\system32\Nkqpjidj.exe

C:\Windows\SysWOW64\Nbkhfc32.exe

C:\Windows\system32\Nbkhfc32.exe

C:\Windows\SysWOW64\Ndidbn32.exe

C:\Windows\system32\Ndidbn32.exe

C:\Windows\SysWOW64\Nkcmohbg.exe

C:\Windows\system32\Nkcmohbg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 676 -ip 676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 676 -s 400

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.193:443 www.bing.com tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
BE 88.221.83.193:443 www.bing.com tcp
US 8.8.8.8:53 193.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 17.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 34.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

memory/3380-2-0x0000000000431000-0x0000000000432000-memory.dmp

memory/3380-0-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Mjqjih32.exe

MD5 2aede822052a6893e2aead38d220fdd5
SHA1 0a980fac68493588c78de98e010f3454bc49c53f
SHA256 54295920c04bb39bbad0f1c1621c8f377f11a72e02056130d544a01c876b07d0
SHA512 3d213cab541188104a2349039560273fdc2e04843cee1190fac4a32d03891e41f208f0ae90b8c72ec5baaeb2f17ba9beb5ac65c51e6bfef35df837e1989673d0

memory/3068-9-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Mahbje32.exe

MD5 1eab379a79081323bc426a21e9860be8
SHA1 dc16718c4c75f7650a4a99fb18bd279b4ecb2124
SHA256 52de7abbf9cc8c3e20fea4e157addc46e8fc00bd106a040a785ef608ca3625ae
SHA512 2fb46a7772852ae34bb56d8dad15ceaea3833aa34bdfced4637a8783bd069b4646ff8038aa2c91f7ec55daa78aed75960c9e6bf7ed0eefc5d6c2a0f405f1468a

memory/5016-17-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Mciobn32.exe

MD5 89eacd666a9b5b6372a4eb11adce7e1a
SHA1 85f23ee3f0913d069ef0f83e4e35edc123a71846
SHA256 03ae5bfefc71b11ca0092a2e00d57a7746152cf3f5374312beb1f1c394d35ce6
SHA512 733f63a8740d5b0f1fe3ce4c52ba7648ef89abd1ad8dffbce0509b3e11fe21a0812054af441919d912b66b692873e2b16d7f394e91f9cb7c4f4346a067ae2610

C:\Windows\SysWOW64\Mjcgohig.exe

MD5 c647f5c1e7c1e136b0c163065585fc0b
SHA1 9734dd5fd29a37847f5b8be3d31b5751e1ac36da
SHA256 d7bfcae37efbeb6f04297baa9aee98d44f710721736d4962f693e99e3cc71779
SHA512 b9befd603787aa46d43456dd280493b1dd1ed00c4f4b812f22dfe8459c4ee3336996490841a2e8f2c1f359b943a01661770850888a58b78b85d2d6276b0b2c0f

memory/3640-25-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3396-37-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Majopeii.exe

MD5 ec5340bbfaca115611f944bb4109807f
SHA1 714f2954fab5b0966b63c9c0c3d4ec51cf91a8f4
SHA256 aca21872dafa10ee6bc1c29aa0dfb582a6ff77f48dc2966ef0c76f1fdafb507c
SHA512 ea76c797e23a527965d4b29f06d76c270e627f221dfd0bfc756eced25b49b16d3c5e091aedb0247dc60509d0a99e48e143db9affc294f9db86f097ba203d89d8

C:\Windows\SysWOW64\Mdiklqhm.exe

MD5 42dd54dac1547795ed2b0a4d12e44576
SHA1 4e196d2d52fdf3e5299a33233b13a7e1b29a8923
SHA256 c11d8d82a7f79c2f665a26ed9b1ea4b089c9b1d4bfbb8b4afb73b3b3818fc851
SHA512 5d8080d9939743c8f4b509adb5c2511d9900af2c876ab03ca3d9497694c122a808581b7b9987911246db7f9fc7e481cc41d4fd68fc93e7748ff6e34b518a0305

memory/4628-53-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Mcklgm32.exe

MD5 4482ca09b1fa6c542c74ea28cd06073d
SHA1 c6771c3319c08400206e5ce8838df75aa90eac0f
SHA256 aeca7d9dde2f32708c0536a68af0ebcbf32ca12ef7155bee2c41ae49ef37f462
SHA512 a1fcb315919ebd3d2407bfc445c30d9e178d22b3b1d992ed370e873fabd0b6917a32d53f79ef4096c1112c0aaf0bdec73c53604a747ea5c100df581b775da03d

memory/992-45-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Mkbchk32.exe

MD5 f5d86d813651fb94551dc63288399d66
SHA1 0679bcc5719a0975d18c4935a782824e92b7f18f
SHA256 eab2d5ecdee60419d5ab438a168ce4f7ba497b1a7bf622871c85969a2aeba9b7
SHA512 502463a6c4cf55e816643e5419c639bce1a1c75165111ab072f573141dfe7034cec1e652b2fdbf58fa38dff80f8bd5cb4701cbc665fa91407361b00dbd389078

memory/3428-69-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Mjeddggd.exe

MD5 a948197bcef0128f5b0d8c63fe22dd7b
SHA1 07360c5cb1e9e801fe6e20a5c52f45120bb1c187
SHA256 375752dcf84bd1cb4a2f1f5a91181d438fb34a99631e61da332f2ffa0dc72e99
SHA512 9f8f5b78ae6cd22289d78c137f017ace785c5aa53e653c0cdc4797091e137355856329052065f57f301a9610b053375b941e23638ed048337e7646e79cf3cd40

memory/3652-68-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Mnapdf32.exe

MD5 11004dfcb790ded233a5567f8a4595cc
SHA1 afd7b27f8f70900c9a2999fc5c4f4d6699650e09
SHA256 ce334aa8e38d3d2683abb17b272f5c2950564ae7c6f2820254ee94e095db6d1f
SHA512 14c7408b61cdd021c892173b1cb02991fe10d976340ea44897e324e2f4d5db467bad9927a9e4808c83a8b4f185574540da28165562bc08734e2ed6a0adc81f43

memory/5080-85-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3136-84-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Mpolqa32.exe

MD5 e4434032eea8b0fd9c44d36c831c07b6
SHA1 dc4fc6dfbea43a30e5a9bce65e7fc63c7a2432e2
SHA256 8703f3e26232d61e286c40a172ef51d4efd3c4a19913f078a1c5ab2923fce2d2
SHA512 aaf91a379717d1826bba305e7813a4795cbdbfc10df849ff089fa29c67762efe68bb4e5f7c9eb8f6bf9090579a9c44c04e51064d9a53e303ab609d9e5528fce0

memory/1232-89-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Mjhqjg32.exe

MD5 dc0b11c1281232a8c9475d4e9fac8f97
SHA1 cb77bd2d9d64ce58e40f213bbd726db5208477aa
SHA256 d36dc626f1cbb41143fa233f655ac563e38aea430491d3750866cbb281d527d7
SHA512 46f2f305029b72f3a22f768a0900a8b515250e4d037d638e926b9aa7dbce35170aca5c447686c0d9b3fa274befda7802a34ca953480342dd1d4a60d1ed6efe5a

memory/4792-101-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Maohkd32.exe

MD5 1bbad646fb12d298168276b42235e3ee
SHA1 28c4879edbc8f76672104efc2d4c075abb556e50
SHA256 2cd815e4f213b829d744c983c9cd6d569f8d280b5aa470c3f0a1835f813b8e74
SHA512 15c620cd3133a3c61ef2d49878148dcb08892a2967a7f4566b9075c942cf2335bdd1c60bb120d12420dc052d31090e12604a502945d347bd3e68133e2f360b44

memory/4912-105-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Mcpebmkb.exe

MD5 fd0fcd0648f33a1b6339683ca724d398
SHA1 35dfec5609cc651aef936c63d193c1c1294323b3
SHA256 c1ce43c658fc33ed52b229f4ed4ae6fe22dc245933a6401be4a8d5fb13dc7f54
SHA512 c9c9a0e51baed47c0ab7ec9a6444522bb651fb4d73eee61a09b568853aefc2c4667a3771ae3f8efe118802683002143f55373c01e17661b09908fdafc6498177

memory/5044-113-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Mjjmog32.exe

MD5 001542a69507912c217084dbdcd5e826
SHA1 f977f6cb82091fdf591b82a9499dd67743276b9a
SHA256 13e060b2742f3556df7dd1a585ea23d42483d6a947c234df94ea1408007990f8
SHA512 fa4f589c8856c627382c69fe0014130729ffe03edb2a643c1ce5c301d56263f2899c9bc62e52e056da74358461162d9ff4cfed5bc90a860c922b7ebe08543d5d

memory/3972-121-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Mpdelajl.exe

MD5 aec099cd34280cb0ce475d839193ff74
SHA1 779a839c8f69fcda4bbf1bdb84d868c8b5a3bfc7
SHA256 abc0ce4cbb6082e558eeba5b6a33bb1ff91c59c771556f0caa16e735dae5ae9a
SHA512 06c0e0e8ad417a0b034331dbefb9f05476fa3547c0871a5ff23abb21d128cbf430d2848b640048a9486601877df01b0b1d10079d1fad0049bfa0f48c7d33ff40

memory/5108-129-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Nkjjij32.exe

MD5 45dc7e9a32c3845ba41f0b2cad53e2ab
SHA1 82bc3e1dc46d9db79af19a36a2db205402cac44d
SHA256 b2bd1dfb5dc51c45597238dd3718fec9e85a8a2b19f228262e25d512a5b08b9c
SHA512 0881938f0343d89a92702bec3278a7101cd95d53f3f763ea6fd29aa14fbe7aa959f0cb4d5cececc6db01847ae38a9d8484f72f621e0a5fb8e65ce706f7d534ed

memory/4660-141-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Nnhfee32.exe

MD5 f0108077712b1494417545d35bc05eb7
SHA1 116b2701feed1974800e904e73586962cb5ec576
SHA256 e2fbe995048ee02a4573d8374f74e3332920a3acf775793a7c4795af21b7f6a5
SHA512 3364c553354682edf3975c7e4058124c6bf03cf04aa1416f824dabe33a447bc5deb47ab349c57a3a77dfeeee4e8005629d8f14a52169cc75d07a8799070a00b2

memory/4692-149-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Nqfbaq32.exe

MD5 a9284e54e70080a50551cbf425bbe420
SHA1 2a06554f88d41f8dcb03f3c27e29b02613e601cc
SHA256 a9f96907fb99271cc85aa7f3efe737a2d0ef3d287a6e64ff79de75df567346b2
SHA512 1cf28a6c5d8cc1064a382f78f2fe996c09f19094ef790bf4a09fc4274548750f9d521acad35447fc2f27c01b99ee88351824c8e204f0077af8f88b231d7822ff

memory/1560-153-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Nklfoi32.exe

MD5 260a9a6ec3e6a9aff54c5dee748bacc1
SHA1 f2bf360b32c6419e9d6010b4fe66837467cd795a
SHA256 7e00193d1f53de0ed9c957d5ab0003f1fee7d1a4ced409ae368e30bace82c020
SHA512 578ce479bb730ce48f661dc812dbe75e1f67dd865405af6f060a92ced56d82fe7ea46f6fd5f8eced82045be71b615858decaa1b16dcf0006e0b54f561ababd86

memory/1436-161-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Nddkgonp.exe

MD5 539ccd065f99ef2352628097940f1911
SHA1 a71a4fc07bae84753b226b899f9b448df73adafc
SHA256 1f50b0adcc34c3dbb84160f3fc95f3c6dcf14d2de578b8b4a7f9dbc9a09f5ed4
SHA512 1cc34b257eb05a75b7afcb202e25323dad250f17aa11a6118b8054a6c42a061bbca6f0404a728b142237ecfb92ebd3e9ded28f43ae92e7bab37fd7aa513b35c8

memory/1072-169-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Ngcgcjnc.exe

MD5 3876f29ff0f024808f3e2782e9da6dec
SHA1 a351a54146f1e8324a203ea43097c4d385d2da1f
SHA256 79a6f2e716458c93929bd1c70de356b8428ca4f7f61740396a8639352ac1be9f
SHA512 8fa2841092941e1a443ff1f2836f1e4603d403ede01cfcdd6cd2ac7a03377bbe34d2e39b02123ef1cb90ede2f3ec38c19662ed5c68140a6ddbe3977d5717841a

memory/2468-176-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Nbhkac32.exe

MD5 eea86daf3ff73b2d820fd6867d87eaa1
SHA1 70764848cc175f034bd7064ac084dfa40994d51d
SHA256 5518e719ffd358d07ef7a51adf21e5bc2989edaab0b1fd9747be774dd1e61bea
SHA512 9d384bbcb96bbd23eb52f662dd9fda90ef8f792fcf9ee6264071616b10e8383428ddb660cdee356e69467e4b4bb22c5b2e10d35c54cbd77f17722fa5666f2241

memory/1196-185-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Ncihikcg.exe

MD5 5f830cf49d33ca28afacbf2682ddd530
SHA1 8ebda3a448930356908148c46552c25080d1c0d4
SHA256 0e87e900193edcdcc924b9a2306898d040f947a6b585b371de992e9d830498c0
SHA512 c82a4a5a12778d697c4a4481d8f7664510876f0b69fdd84887fcb10ea2a8526da234c57ebcdcfab7626076b061d522efa9b4cdcf32ce7feaeae97b0b981da5e4

memory/3712-193-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Nkqpjidj.exe

MD5 1ea5192707504d81ab2658a47c8ecca0
SHA1 9e92cb837263059710315e9e63b5f5411a864dfc
SHA256 c737e2826bb3fd3766921a8a1f525b0cbe976d56b75f9c0aa2f22fd8816c237b
SHA512 a9808c6989cd3bb406bc4ed038827f10f3313cab85ff540edf9cc7400bae8b210c93d6161add2cae694fd9b4f6939ff33e33200d30df32a23a6554166d4454d3

memory/1668-200-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Nbkhfc32.exe

MD5 60c9c6e8e9fee67d76ada412f30af4ab
SHA1 06d53275e3e5932789670aad8ef96ee889867815
SHA256 cee6a045cec835c2866341232f5e4107cc11418009989d71eea9bd21317df8a3
SHA512 463997be5b690da6dce60c7635c55a7a2f1e7d6235bc72b4ee2a643896b37bdb2e7cde85495b0469b945f4f342336b593841f92a0f2d60e766f679b925fd1bea

memory/64-209-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Ndidbn32.exe

MD5 cef556d52c781c44cc096d0ffb09b0dd
SHA1 1e856d33c83a3406060bd409bfb993a7314ec2d6
SHA256 948a0e5333996ecca6b387e3c63766728f25721c93a67c80b953c4ebdb4c35ec
SHA512 b543efcee029643227c8621ea9475c34a9701a1a652708c7fe91569571ded2e2555f44aa27db8da7afae52cbe0b132a5278b61f97670d1ad6f811c52c4f1c0ea

memory/4604-217-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Nkcmohbg.exe

MD5 48fab0ab836fd7ff25f897523ef0b1ac
SHA1 9df14edc3ba7cd31288201c558940d717231fc68
SHA256 6ebf0b1820255cfea496cad141648476a0b4e1a1a41955e4e3d56b20827309e6
SHA512 49ef56273a3f00c90cd81c90091f4e3f757a38a91bd51519e5c5444c731785490a6e9a7b7901362f76190168dba8c46e89c138a9738acd8ece388564f6e1624b

memory/676-225-0x0000000000400000-0x0000000000439000-memory.dmp

memory/64-228-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4604-227-0x0000000000400000-0x0000000000439000-memory.dmp

memory/676-226-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2468-232-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1560-235-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3380-244-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3068-243-0x0000000000400000-0x0000000000439000-memory.dmp

memory/5016-242-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3640-241-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1232-240-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4912-239-0x0000000000400000-0x0000000000439000-memory.dmp

memory/5044-238-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3972-237-0x0000000000400000-0x0000000000439000-memory.dmp

memory/5108-236-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1436-234-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1072-233-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1196-231-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3712-230-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1668-229-0x0000000000400000-0x0000000000439000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 14:40

Reported

2024-05-09 14:42

Platform

win7-20240419-en

Max time kernel

121s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\61b9a24b39c7e4d90caab5eb6421a190_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gkgkbipp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hckcmjep.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aalmklfi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cfbhnaho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Clomqk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dqlafm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Enihne32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aajpelhl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bnbjopoi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bnbjopoi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cfgaiaci.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gpmjak32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cfbhnaho.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dkkpbgli.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ejbfhfaj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ghhofmql.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gbnccfpb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Affhncfc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aalmklfi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aljgfioc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gelppaof.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gdopkn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Henidd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ahakmf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bhhnli32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bcaomf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ebedndfa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Flmefm32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bhahlj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dqlafm32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Flmefm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ghmiam32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gmjaic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bbflib32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bnefdp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bhahlj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eihfjo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Glaoalkh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Glfhll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hgilchkf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Afkbib32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Alhjai32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cpeofk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ddcdkl32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\61b9a24b39c7e4d90caab5eb6421a190_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dkmmhf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eeempocb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ahakmf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ekklaj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fjgoce32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eflgccbp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Icbimi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eajaoq32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hiqbndpb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Feeiob32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hpmgqnfl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hggomh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hobcak32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Henidd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bbdocc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bghabf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cljcelan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dkkpbgli.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gbkgnfbd.exe N/A

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Ahakmf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aajpelhl.exe N/A
N/A N/A C:\Windows\SysWOW64\Affhncfc.exe N/A
N/A N/A C:\Windows\SysWOW64\Aalmklfi.exe N/A
N/A N/A C:\Windows\SysWOW64\Afiecb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Alenki32.exe N/A
N/A N/A C:\Windows\SysWOW64\Afkbib32.exe N/A
N/A N/A C:\Windows\SysWOW64\Alhjai32.exe N/A
N/A N/A C:\Windows\SysWOW64\Abbbnchb.exe N/A
N/A N/A C:\Windows\SysWOW64\Aepojo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aljgfioc.exe N/A
N/A N/A C:\Windows\SysWOW64\Bbdocc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhahlj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bbflib32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhcdaibd.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkaqmeah.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdjefj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bghabf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnbjopoi.exe N/A
N/A N/A C:\Windows\SysWOW64\Bpafkknm.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhhnli32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkfjhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnefdp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bcaomf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cljcelan.exe N/A
N/A N/A C:\Windows\SysWOW64\Cpeofk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfbhnaho.exe N/A
N/A N/A C:\Windows\SysWOW64\Cnippoha.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjpqdp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Clomqk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfgaiaci.exe N/A
N/A N/A C:\Windows\SysWOW64\Chemfl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Copfbfjj.exe N/A
N/A N/A C:\Windows\SysWOW64\Cckace32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckffgg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cndbcc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhjgal32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkhcmgnl.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgodbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkkpbgli.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddcdkl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgaqgh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgaqgh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkmmhf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnneja32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqlafm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Doobajme.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcknbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfijnd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eihfjo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Epaogi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebpkce32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eflgccbp.exe N/A
N/A N/A C:\Windows\SysWOW64\Eijcpoac.exe N/A
N/A N/A C:\Windows\SysWOW64\Emeopn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Epdkli32.exe N/A
N/A N/A C:\Windows\SysWOW64\Efncicpm.exe N/A
N/A N/A C:\Windows\SysWOW64\Eilpeooq.exe N/A
N/A N/A C:\Windows\SysWOW64\Ekklaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Enihne32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebedndfa.exe N/A
N/A N/A C:\Windows\SysWOW64\Eecqjpee.exe N/A
N/A N/A C:\Windows\SysWOW64\Egamfkdh.exe N/A
N/A N/A C:\Windows\SysWOW64\Epieghdk.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\61b9a24b39c7e4d90caab5eb6421a190_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\61b9a24b39c7e4d90caab5eb6421a190_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahakmf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahakmf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aajpelhl.exe N/A
N/A N/A C:\Windows\SysWOW64\Aajpelhl.exe N/A
N/A N/A C:\Windows\SysWOW64\Affhncfc.exe N/A
N/A N/A C:\Windows\SysWOW64\Affhncfc.exe N/A
N/A N/A C:\Windows\SysWOW64\Aalmklfi.exe N/A
N/A N/A C:\Windows\SysWOW64\Aalmklfi.exe N/A
N/A N/A C:\Windows\SysWOW64\Afiecb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Afiecb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Alenki32.exe N/A
N/A N/A C:\Windows\SysWOW64\Alenki32.exe N/A
N/A N/A C:\Windows\SysWOW64\Afkbib32.exe N/A
N/A N/A C:\Windows\SysWOW64\Afkbib32.exe N/A
N/A N/A C:\Windows\SysWOW64\Alhjai32.exe N/A
N/A N/A C:\Windows\SysWOW64\Alhjai32.exe N/A
N/A N/A C:\Windows\SysWOW64\Abbbnchb.exe N/A
N/A N/A C:\Windows\SysWOW64\Abbbnchb.exe N/A
N/A N/A C:\Windows\SysWOW64\Aepojo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aepojo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aljgfioc.exe N/A
N/A N/A C:\Windows\SysWOW64\Aljgfioc.exe N/A
N/A N/A C:\Windows\SysWOW64\Bbdocc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bbdocc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhahlj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhahlj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bbflib32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bbflib32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhcdaibd.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhcdaibd.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkaqmeah.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkaqmeah.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdjefj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdjefj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bghabf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bghabf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnbjopoi.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnbjopoi.exe N/A
N/A N/A C:\Windows\SysWOW64\Bpafkknm.exe N/A
N/A N/A C:\Windows\SysWOW64\Bpafkknm.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhhnli32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhhnli32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkfjhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkfjhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnefdp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnefdp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bcaomf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bcaomf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cljcelan.exe N/A
N/A N/A C:\Windows\SysWOW64\Cljcelan.exe N/A
N/A N/A C:\Windows\SysWOW64\Cpeofk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cpeofk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfbhnaho.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfbhnaho.exe N/A
N/A N/A C:\Windows\SysWOW64\Cnippoha.exe N/A
N/A N/A C:\Windows\SysWOW64\Cnippoha.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjpqdp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjpqdp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Clomqk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Clomqk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfgaiaci.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfgaiaci.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Cndbcc32.exe C:\Windows\SysWOW64\Ckffgg32.exe N/A
File created C:\Windows\SysWOW64\Hiqbndpb.exe C:\Windows\SysWOW64\Ghoegl32.exe N/A
File created C:\Windows\SysWOW64\Hfmpcjge.dll C:\Windows\SysWOW64\Bkfjhd32.exe N/A
File created C:\Windows\SysWOW64\Dgaqgh32.exe C:\Windows\SysWOW64\Ddcdkl32.exe N/A
File created C:\Windows\SysWOW64\Lpdhmlbj.dll C:\Windows\SysWOW64\Egamfkdh.exe N/A
File created C:\Windows\SysWOW64\Ikkbnm32.dll C:\Windows\SysWOW64\Fmekoalh.exe N/A
File created C:\Windows\SysWOW64\Gangic32.exe C:\Windows\SysWOW64\Gbkgnfbd.exe N/A
File created C:\Windows\SysWOW64\Affhncfc.exe C:\Windows\SysWOW64\Aajpelhl.exe N/A
File created C:\Windows\SysWOW64\Aalmklfi.exe C:\Windows\SysWOW64\Affhncfc.exe N/A
File created C:\Windows\SysWOW64\Cfgaiaci.exe C:\Windows\SysWOW64\Clomqk32.exe N/A
File created C:\Windows\SysWOW64\Fdapak32.exe C:\Windows\SysWOW64\Fpfdalii.exe N/A
File opened for modification C:\Windows\SysWOW64\Copfbfjj.exe C:\Windows\SysWOW64\Chemfl32.exe N/A
File created C:\Windows\SysWOW64\Gpekfank.dll C:\Windows\SysWOW64\Gphmeo32.exe N/A
File created C:\Windows\SysWOW64\Gknfklng.dll C:\Windows\SysWOW64\Hggomh32.exe N/A
File created C:\Windows\SysWOW64\Ejdmpb32.dll C:\Windows\SysWOW64\Hhmepp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hobcak32.exe C:\Windows\SysWOW64\Hlcgeo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Epdkli32.exe C:\Windows\SysWOW64\Emeopn32.exe N/A
File created C:\Windows\SysWOW64\Ennaieib.exe C:\Windows\SysWOW64\Ejbfhfaj.exe N/A
File opened for modification C:\Windows\SysWOW64\Gdopkn32.exe C:\Windows\SysWOW64\Gelppaof.exe N/A
File created C:\Windows\SysWOW64\Ckblig32.dll C:\Windows\SysWOW64\Cjpqdp32.exe N/A
File created C:\Windows\SysWOW64\Hghmjpap.dll C:\Windows\SysWOW64\Gonnhhln.exe N/A
File created C:\Windows\SysWOW64\Gmgdddmq.exe C:\Windows\SysWOW64\Goddhg32.exe N/A
File created C:\Windows\SysWOW64\Cpeofk32.exe C:\Windows\SysWOW64\Cljcelan.exe N/A
File created C:\Windows\SysWOW64\Dgaqgh32.exe C:\Windows\SysWOW64\Dgaqgh32.exe N/A
File created C:\Windows\SysWOW64\Gjenmobn.dll C:\Windows\SysWOW64\Ihoafpmp.exe N/A
File created C:\Windows\SysWOW64\Lpicol32.dll C:\Windows\SysWOW64\Cljcelan.exe N/A
File created C:\Windows\SysWOW64\Eajaoq32.exe C:\Windows\SysWOW64\Enkece32.exe N/A
File created C:\Windows\SysWOW64\Alenki32.exe C:\Windows\SysWOW64\Afiecb32.exe N/A
File created C:\Windows\SysWOW64\Dgodbh32.exe C:\Windows\SysWOW64\Dkhcmgnl.exe N/A
File created C:\Windows\SysWOW64\Dnoillim.dll C:\Windows\SysWOW64\Efncicpm.exe N/A
File opened for modification C:\Windows\SysWOW64\Fmekoalh.exe C:\Windows\SysWOW64\Fjgoce32.exe N/A
File created C:\Windows\SysWOW64\Icbimi32.exe C:\Windows\SysWOW64\Hkkalk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bhcdaibd.exe C:\Windows\SysWOW64\Bbflib32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fhffaj32.exe C:\Windows\SysWOW64\Fckjalhj.exe N/A
File opened for modification C:\Windows\SysWOW64\Hiqbndpb.exe C:\Windows\SysWOW64\Ghoegl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hdfflm32.exe C:\Windows\SysWOW64\Hahjpbad.exe N/A
File created C:\Windows\SysWOW64\Aljgfioc.exe C:\Windows\SysWOW64\Aepojo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bpafkknm.exe C:\Windows\SysWOW64\Bnbjopoi.exe N/A
File created C:\Windows\SysWOW64\Hfbenjka.dll C:\Windows\SysWOW64\Cndbcc32.exe N/A
File created C:\Windows\SysWOW64\Feeiob32.exe C:\Windows\SysWOW64\Fbgmbg32.exe N/A
File created C:\Windows\SysWOW64\Gonnhhln.exe C:\Windows\SysWOW64\Gpknlk32.exe N/A
File created C:\Windows\SysWOW64\Nokeef32.dll C:\Windows\SysWOW64\Hlcgeo32.exe N/A
File created C:\Windows\SysWOW64\Aajpelhl.exe C:\Windows\SysWOW64\Ahakmf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Aajpelhl.exe C:\Windows\SysWOW64\Ahakmf32.exe N/A
File created C:\Windows\SysWOW64\Hqddgc32.dll C:\Windows\SysWOW64\Aajpelhl.exe N/A
File opened for modification C:\Windows\SysWOW64\Dfijnd32.exe C:\Windows\SysWOW64\Dcknbh32.exe N/A
File created C:\Windows\SysWOW64\Oecbjjic.dll C:\Windows\SysWOW64\Gpknlk32.exe N/A
File created C:\Windows\SysWOW64\Ghmiam32.exe C:\Windows\SysWOW64\Gmgdddmq.exe N/A
File created C:\Windows\SysWOW64\Iagfoe32.exe C:\Windows\SysWOW64\Ihoafpmp.exe N/A
File opened for modification C:\Windows\SysWOW64\Bnefdp32.exe C:\Windows\SysWOW64\Bkfjhd32.exe N/A
File created C:\Windows\SysWOW64\Gkgkbipp.exe C:\Windows\SysWOW64\Ghhofmql.exe N/A
File created C:\Windows\SysWOW64\Hnojdcfi.exe C:\Windows\SysWOW64\Hkpnhgge.exe N/A
File created C:\Windows\SysWOW64\Kjnifgah.dll C:\Windows\SysWOW64\Hiekid32.exe N/A
File created C:\Windows\SysWOW64\Clomqk32.exe C:\Windows\SysWOW64\Cjpqdp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fehjeo32.exe C:\Windows\SysWOW64\Ennaieib.exe N/A
File opened for modification C:\Windows\SysWOW64\Fmcoja32.exe C:\Windows\SysWOW64\Flabbihl.exe N/A
File created C:\Windows\SysWOW64\Ojdngl32.dll C:\Windows\SysWOW64\Bhahlj32.exe N/A
File created C:\Windows\SysWOW64\Fhkpmjln.exe C:\Windows\SysWOW64\Fmekoalh.exe N/A
File opened for modification C:\Windows\SysWOW64\Hpmgqnfl.exe C:\Windows\SysWOW64\Hnojdcfi.exe N/A
File created C:\Windows\SysWOW64\Bcaomf32.exe C:\Windows\SysWOW64\Bnefdp32.exe N/A
File created C:\Windows\SysWOW64\Hjhhocjj.exe C:\Windows\SysWOW64\Hgilchkf.exe N/A
File created C:\Windows\SysWOW64\Ajlppdeb.dll C:\Windows\SysWOW64\Fhffaj32.exe N/A
File created C:\Windows\SysWOW64\Kegiig32.dll C:\Windows\SysWOW64\Fhkpmjln.exe N/A
File created C:\Windows\SysWOW64\Fioija32.exe C:\Windows\SysWOW64\Ffpmnf32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Iagfoe32.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bhahlj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljpghahi.dll" C:\Windows\SysWOW64\Dhjgal32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ejbfhfaj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hahjpbad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqddgc32.dll" C:\Windows\SysWOW64\Aajpelhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfmpcjge.dll" C:\Windows\SysWOW64\Bkfjhd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkoginch.dll" C:\Windows\SysWOW64\Fhhcgj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hiqbndpb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bkaqmeah.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgpkceld.dll" C:\Windows\SysWOW64\Bbdocc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Filldb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gbkgnfbd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hhmepp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ahakmf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bdjefj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epafjqck.dll" C:\Windows\SysWOW64\Eihfjo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcdooi32.dll" C:\Windows\SysWOW64\Fdapak32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkebie32.dll" C:\Windows\SysWOW64\Bbflib32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cfbhnaho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ennaieib.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fdapak32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fiaeoang.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hiekid32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hkkalk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fclomp32.dll" C:\Windows\SysWOW64\Dfijnd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bbflib32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opanhd32.dll" C:\Windows\SysWOW64\Bhcdaibd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dkmmhf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fhffaj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabfdklg.dll" C:\Windows\SysWOW64\Gkgkbipp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lponfjoo.dll" C:\Windows\SysWOW64\Hodpgjha.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdhbbiki.dll" C:\Windows\SysWOW64\Alenki32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bhhnli32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpenlb32.dll" C:\Windows\SysWOW64\Ckffgg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmhfjo32.dll" C:\Windows\SysWOW64\Glaoalkh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omabcb32.dll" C:\Windows\SysWOW64\Ghoegl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpeliikc.dll" C:\Windows\SysWOW64\Abbbnchb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Emeopn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ckffgg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mocaac32.dll" C:\Windows\SysWOW64\Bghabf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll" C:\Windows\SysWOW64\Ihoafpmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Epdkli32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Eijcpoac.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnpmlfkm.dll" C:\Windows\SysWOW64\Eecqjpee.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gogangdc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gmjaic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoipdkgg.dll" C:\Windows\SysWOW64\Bpafkknm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlgohm32.dll" C:\Windows\SysWOW64\Ennaieib.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fhkpmjln.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfekgp32.dll" C:\Windows\SysWOW64\Flmefm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Copfbfjj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hcplhi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Eecqjpee.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Icbimi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bghabf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gadkgl32.dll" C:\Windows\SysWOW64\Fckjalhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cpeofk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fbgmbg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hdfflm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hgilchkf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bbdocc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odpegjpg.dll" C:\Windows\SysWOW64\Hkpnhgge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bioggp32.dll" C:\Windows\SysWOW64\Copfbfjj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bbflib32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2912 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\61b9a24b39c7e4d90caab5eb6421a190_NeikiAnalytics.exe C:\Windows\SysWOW64\Ahakmf32.exe
PID 2912 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\61b9a24b39c7e4d90caab5eb6421a190_NeikiAnalytics.exe C:\Windows\SysWOW64\Ahakmf32.exe
PID 2912 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\61b9a24b39c7e4d90caab5eb6421a190_NeikiAnalytics.exe C:\Windows\SysWOW64\Ahakmf32.exe
PID 2912 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\61b9a24b39c7e4d90caab5eb6421a190_NeikiAnalytics.exe C:\Windows\SysWOW64\Ahakmf32.exe
PID 1396 wrote to memory of 2584 N/A C:\Windows\SysWOW64\Ahakmf32.exe C:\Windows\SysWOW64\Aajpelhl.exe
PID 1396 wrote to memory of 2584 N/A C:\Windows\SysWOW64\Ahakmf32.exe C:\Windows\SysWOW64\Aajpelhl.exe
PID 1396 wrote to memory of 2584 N/A C:\Windows\SysWOW64\Ahakmf32.exe C:\Windows\SysWOW64\Aajpelhl.exe
PID 1396 wrote to memory of 2584 N/A C:\Windows\SysWOW64\Ahakmf32.exe C:\Windows\SysWOW64\Aajpelhl.exe
PID 2584 wrote to memory of 2720 N/A C:\Windows\SysWOW64\Aajpelhl.exe C:\Windows\SysWOW64\Affhncfc.exe
PID 2584 wrote to memory of 2720 N/A C:\Windows\SysWOW64\Aajpelhl.exe C:\Windows\SysWOW64\Affhncfc.exe
PID 2584 wrote to memory of 2720 N/A C:\Windows\SysWOW64\Aajpelhl.exe C:\Windows\SysWOW64\Affhncfc.exe
PID 2584 wrote to memory of 2720 N/A C:\Windows\SysWOW64\Aajpelhl.exe C:\Windows\SysWOW64\Affhncfc.exe
PID 2720 wrote to memory of 2800 N/A C:\Windows\SysWOW64\Affhncfc.exe C:\Windows\SysWOW64\Aalmklfi.exe
PID 2720 wrote to memory of 2800 N/A C:\Windows\SysWOW64\Affhncfc.exe C:\Windows\SysWOW64\Aalmklfi.exe
PID 2720 wrote to memory of 2800 N/A C:\Windows\SysWOW64\Affhncfc.exe C:\Windows\SysWOW64\Aalmklfi.exe
PID 2720 wrote to memory of 2800 N/A C:\Windows\SysWOW64\Affhncfc.exe C:\Windows\SysWOW64\Aalmklfi.exe
PID 2800 wrote to memory of 2516 N/A C:\Windows\SysWOW64\Aalmklfi.exe C:\Windows\SysWOW64\Afiecb32.exe
PID 2800 wrote to memory of 2516 N/A C:\Windows\SysWOW64\Aalmklfi.exe C:\Windows\SysWOW64\Afiecb32.exe
PID 2800 wrote to memory of 2516 N/A C:\Windows\SysWOW64\Aalmklfi.exe C:\Windows\SysWOW64\Afiecb32.exe
PID 2800 wrote to memory of 2516 N/A C:\Windows\SysWOW64\Aalmklfi.exe C:\Windows\SysWOW64\Afiecb32.exe
PID 2516 wrote to memory of 2496 N/A C:\Windows\SysWOW64\Afiecb32.exe C:\Windows\SysWOW64\Alenki32.exe
PID 2516 wrote to memory of 2496 N/A C:\Windows\SysWOW64\Afiecb32.exe C:\Windows\SysWOW64\Alenki32.exe
PID 2516 wrote to memory of 2496 N/A C:\Windows\SysWOW64\Afiecb32.exe C:\Windows\SysWOW64\Alenki32.exe
PID 2516 wrote to memory of 2496 N/A C:\Windows\SysWOW64\Afiecb32.exe C:\Windows\SysWOW64\Alenki32.exe
PID 2496 wrote to memory of 2944 N/A C:\Windows\SysWOW64\Alenki32.exe C:\Windows\SysWOW64\Afkbib32.exe
PID 2496 wrote to memory of 2944 N/A C:\Windows\SysWOW64\Alenki32.exe C:\Windows\SysWOW64\Afkbib32.exe
PID 2496 wrote to memory of 2944 N/A C:\Windows\SysWOW64\Alenki32.exe C:\Windows\SysWOW64\Afkbib32.exe
PID 2496 wrote to memory of 2944 N/A C:\Windows\SysWOW64\Alenki32.exe C:\Windows\SysWOW64\Afkbib32.exe
PID 2944 wrote to memory of 1028 N/A C:\Windows\SysWOW64\Afkbib32.exe C:\Windows\SysWOW64\Alhjai32.exe
PID 2944 wrote to memory of 1028 N/A C:\Windows\SysWOW64\Afkbib32.exe C:\Windows\SysWOW64\Alhjai32.exe
PID 2944 wrote to memory of 1028 N/A C:\Windows\SysWOW64\Afkbib32.exe C:\Windows\SysWOW64\Alhjai32.exe
PID 2944 wrote to memory of 1028 N/A C:\Windows\SysWOW64\Afkbib32.exe C:\Windows\SysWOW64\Alhjai32.exe
PID 1028 wrote to memory of 1444 N/A C:\Windows\SysWOW64\Alhjai32.exe C:\Windows\SysWOW64\Abbbnchb.exe
PID 1028 wrote to memory of 1444 N/A C:\Windows\SysWOW64\Alhjai32.exe C:\Windows\SysWOW64\Abbbnchb.exe
PID 1028 wrote to memory of 1444 N/A C:\Windows\SysWOW64\Alhjai32.exe C:\Windows\SysWOW64\Abbbnchb.exe
PID 1028 wrote to memory of 1444 N/A C:\Windows\SysWOW64\Alhjai32.exe C:\Windows\SysWOW64\Abbbnchb.exe
PID 1444 wrote to memory of 2580 N/A C:\Windows\SysWOW64\Abbbnchb.exe C:\Windows\SysWOW64\Aepojo32.exe
PID 1444 wrote to memory of 2580 N/A C:\Windows\SysWOW64\Abbbnchb.exe C:\Windows\SysWOW64\Aepojo32.exe
PID 1444 wrote to memory of 2580 N/A C:\Windows\SysWOW64\Abbbnchb.exe C:\Windows\SysWOW64\Aepojo32.exe
PID 1444 wrote to memory of 2580 N/A C:\Windows\SysWOW64\Abbbnchb.exe C:\Windows\SysWOW64\Aepojo32.exe
PID 2580 wrote to memory of 1972 N/A C:\Windows\SysWOW64\Aepojo32.exe C:\Windows\SysWOW64\Aljgfioc.exe
PID 2580 wrote to memory of 1972 N/A C:\Windows\SysWOW64\Aepojo32.exe C:\Windows\SysWOW64\Aljgfioc.exe
PID 2580 wrote to memory of 1972 N/A C:\Windows\SysWOW64\Aepojo32.exe C:\Windows\SysWOW64\Aljgfioc.exe
PID 2580 wrote to memory of 1972 N/A C:\Windows\SysWOW64\Aepojo32.exe C:\Windows\SysWOW64\Aljgfioc.exe
PID 1972 wrote to memory of 1220 N/A C:\Windows\SysWOW64\Aljgfioc.exe C:\Windows\SysWOW64\Bbdocc32.exe
PID 1972 wrote to memory of 1220 N/A C:\Windows\SysWOW64\Aljgfioc.exe C:\Windows\SysWOW64\Bbdocc32.exe
PID 1972 wrote to memory of 1220 N/A C:\Windows\SysWOW64\Aljgfioc.exe C:\Windows\SysWOW64\Bbdocc32.exe
PID 1972 wrote to memory of 1220 N/A C:\Windows\SysWOW64\Aljgfioc.exe C:\Windows\SysWOW64\Bbdocc32.exe
PID 1220 wrote to memory of 2420 N/A C:\Windows\SysWOW64\Bbdocc32.exe C:\Windows\SysWOW64\Bhahlj32.exe
PID 1220 wrote to memory of 2420 N/A C:\Windows\SysWOW64\Bbdocc32.exe C:\Windows\SysWOW64\Bhahlj32.exe
PID 1220 wrote to memory of 2420 N/A C:\Windows\SysWOW64\Bbdocc32.exe C:\Windows\SysWOW64\Bhahlj32.exe
PID 1220 wrote to memory of 2420 N/A C:\Windows\SysWOW64\Bbdocc32.exe C:\Windows\SysWOW64\Bhahlj32.exe
PID 2420 wrote to memory of 1296 N/A C:\Windows\SysWOW64\Bhahlj32.exe C:\Windows\SysWOW64\Bbflib32.exe
PID 2420 wrote to memory of 1296 N/A C:\Windows\SysWOW64\Bhahlj32.exe C:\Windows\SysWOW64\Bbflib32.exe
PID 2420 wrote to memory of 1296 N/A C:\Windows\SysWOW64\Bhahlj32.exe C:\Windows\SysWOW64\Bbflib32.exe
PID 2420 wrote to memory of 1296 N/A C:\Windows\SysWOW64\Bhahlj32.exe C:\Windows\SysWOW64\Bbflib32.exe
PID 1296 wrote to memory of 2236 N/A C:\Windows\SysWOW64\Bbflib32.exe C:\Windows\SysWOW64\Bhcdaibd.exe
PID 1296 wrote to memory of 2236 N/A C:\Windows\SysWOW64\Bbflib32.exe C:\Windows\SysWOW64\Bhcdaibd.exe
PID 1296 wrote to memory of 2236 N/A C:\Windows\SysWOW64\Bbflib32.exe C:\Windows\SysWOW64\Bhcdaibd.exe
PID 1296 wrote to memory of 2236 N/A C:\Windows\SysWOW64\Bbflib32.exe C:\Windows\SysWOW64\Bhcdaibd.exe
PID 2236 wrote to memory of 1812 N/A C:\Windows\SysWOW64\Bhcdaibd.exe C:\Windows\SysWOW64\Bkaqmeah.exe
PID 2236 wrote to memory of 1812 N/A C:\Windows\SysWOW64\Bhcdaibd.exe C:\Windows\SysWOW64\Bkaqmeah.exe
PID 2236 wrote to memory of 1812 N/A C:\Windows\SysWOW64\Bhcdaibd.exe C:\Windows\SysWOW64\Bkaqmeah.exe
PID 2236 wrote to memory of 1812 N/A C:\Windows\SysWOW64\Bhcdaibd.exe C:\Windows\SysWOW64\Bkaqmeah.exe

Processes

C:\Users\Admin\AppData\Local\Temp\61b9a24b39c7e4d90caab5eb6421a190_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\61b9a24b39c7e4d90caab5eb6421a190_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Ahakmf32.exe

C:\Windows\system32\Ahakmf32.exe

C:\Windows\SysWOW64\Aajpelhl.exe

C:\Windows\system32\Aajpelhl.exe

C:\Windows\SysWOW64\Affhncfc.exe

C:\Windows\system32\Affhncfc.exe

C:\Windows\SysWOW64\Aalmklfi.exe

C:\Windows\system32\Aalmklfi.exe

C:\Windows\SysWOW64\Afiecb32.exe

C:\Windows\system32\Afiecb32.exe

C:\Windows\SysWOW64\Alenki32.exe

C:\Windows\system32\Alenki32.exe

C:\Windows\SysWOW64\Afkbib32.exe

C:\Windows\system32\Afkbib32.exe

C:\Windows\SysWOW64\Alhjai32.exe

C:\Windows\system32\Alhjai32.exe

C:\Windows\SysWOW64\Abbbnchb.exe

C:\Windows\system32\Abbbnchb.exe

C:\Windows\SysWOW64\Aepojo32.exe

C:\Windows\system32\Aepojo32.exe

C:\Windows\SysWOW64\Aljgfioc.exe

C:\Windows\system32\Aljgfioc.exe

C:\Windows\SysWOW64\Bbdocc32.exe

C:\Windows\system32\Bbdocc32.exe

C:\Windows\SysWOW64\Bhahlj32.exe

C:\Windows\system32\Bhahlj32.exe

C:\Windows\SysWOW64\Bbflib32.exe

C:\Windows\system32\Bbflib32.exe

C:\Windows\SysWOW64\Bhcdaibd.exe

C:\Windows\system32\Bhcdaibd.exe

C:\Windows\SysWOW64\Bkaqmeah.exe

C:\Windows\system32\Bkaqmeah.exe

C:\Windows\SysWOW64\Bdjefj32.exe

C:\Windows\system32\Bdjefj32.exe

C:\Windows\SysWOW64\Bghabf32.exe

C:\Windows\system32\Bghabf32.exe

C:\Windows\SysWOW64\Bnbjopoi.exe

C:\Windows\system32\Bnbjopoi.exe

C:\Windows\SysWOW64\Bpafkknm.exe

C:\Windows\system32\Bpafkknm.exe

C:\Windows\SysWOW64\Bhhnli32.exe

C:\Windows\system32\Bhhnli32.exe

C:\Windows\SysWOW64\Bkfjhd32.exe

C:\Windows\system32\Bkfjhd32.exe

C:\Windows\SysWOW64\Bnefdp32.exe

C:\Windows\system32\Bnefdp32.exe

C:\Windows\SysWOW64\Bcaomf32.exe

C:\Windows\system32\Bcaomf32.exe

C:\Windows\SysWOW64\Cljcelan.exe

C:\Windows\system32\Cljcelan.exe

C:\Windows\SysWOW64\Cpeofk32.exe

C:\Windows\system32\Cpeofk32.exe

C:\Windows\SysWOW64\Cfbhnaho.exe

C:\Windows\system32\Cfbhnaho.exe

C:\Windows\SysWOW64\Cnippoha.exe

C:\Windows\system32\Cnippoha.exe

C:\Windows\SysWOW64\Cjpqdp32.exe

C:\Windows\system32\Cjpqdp32.exe

C:\Windows\SysWOW64\Clomqk32.exe

C:\Windows\system32\Clomqk32.exe

C:\Windows\SysWOW64\Cfgaiaci.exe

C:\Windows\system32\Cfgaiaci.exe

C:\Windows\SysWOW64\Chemfl32.exe

C:\Windows\system32\Chemfl32.exe

C:\Windows\SysWOW64\Copfbfjj.exe

C:\Windows\system32\Copfbfjj.exe

C:\Windows\SysWOW64\Cckace32.exe

C:\Windows\system32\Cckace32.exe

C:\Windows\SysWOW64\Ckffgg32.exe

C:\Windows\system32\Ckffgg32.exe

C:\Windows\SysWOW64\Cndbcc32.exe

C:\Windows\system32\Cndbcc32.exe

C:\Windows\SysWOW64\Dhjgal32.exe

C:\Windows\system32\Dhjgal32.exe

C:\Windows\SysWOW64\Dkhcmgnl.exe

C:\Windows\system32\Dkhcmgnl.exe

C:\Windows\SysWOW64\Dgodbh32.exe

C:\Windows\system32\Dgodbh32.exe

C:\Windows\SysWOW64\Dkkpbgli.exe

C:\Windows\system32\Dkkpbgli.exe

C:\Windows\SysWOW64\Ddcdkl32.exe

C:\Windows\system32\Ddcdkl32.exe

C:\Windows\SysWOW64\Dgaqgh32.exe

C:\Windows\system32\Dgaqgh32.exe

C:\Windows\SysWOW64\Dgaqgh32.exe

C:\Windows\system32\Dgaqgh32.exe

C:\Windows\SysWOW64\Dkmmhf32.exe

C:\Windows\system32\Dkmmhf32.exe

C:\Windows\SysWOW64\Dnneja32.exe

C:\Windows\system32\Dnneja32.exe

C:\Windows\SysWOW64\Dqlafm32.exe

C:\Windows\system32\Dqlafm32.exe

C:\Windows\SysWOW64\Doobajme.exe

C:\Windows\system32\Doobajme.exe

C:\Windows\SysWOW64\Dcknbh32.exe

C:\Windows\system32\Dcknbh32.exe

C:\Windows\SysWOW64\Dfijnd32.exe

C:\Windows\system32\Dfijnd32.exe

C:\Windows\SysWOW64\Eihfjo32.exe

C:\Windows\system32\Eihfjo32.exe

C:\Windows\SysWOW64\Epaogi32.exe

C:\Windows\system32\Epaogi32.exe

C:\Windows\SysWOW64\Ebpkce32.exe

C:\Windows\system32\Ebpkce32.exe

C:\Windows\SysWOW64\Eflgccbp.exe

C:\Windows\system32\Eflgccbp.exe

C:\Windows\SysWOW64\Eijcpoac.exe

C:\Windows\system32\Eijcpoac.exe

C:\Windows\SysWOW64\Emeopn32.exe

C:\Windows\system32\Emeopn32.exe

C:\Windows\SysWOW64\Epdkli32.exe

C:\Windows\system32\Epdkli32.exe

C:\Windows\SysWOW64\Efncicpm.exe

C:\Windows\system32\Efncicpm.exe

C:\Windows\SysWOW64\Eilpeooq.exe

C:\Windows\system32\Eilpeooq.exe

C:\Windows\SysWOW64\Ekklaj32.exe

C:\Windows\system32\Ekklaj32.exe

C:\Windows\SysWOW64\Enihne32.exe

C:\Windows\system32\Enihne32.exe

C:\Windows\SysWOW64\Ebedndfa.exe

C:\Windows\system32\Ebedndfa.exe

C:\Windows\SysWOW64\Eecqjpee.exe

C:\Windows\system32\Eecqjpee.exe

C:\Windows\SysWOW64\Egamfkdh.exe

C:\Windows\system32\Egamfkdh.exe

C:\Windows\SysWOW64\Epieghdk.exe

C:\Windows\system32\Epieghdk.exe

C:\Windows\SysWOW64\Enkece32.exe

C:\Windows\system32\Enkece32.exe

C:\Windows\SysWOW64\Eajaoq32.exe

C:\Windows\system32\Eajaoq32.exe

C:\Windows\SysWOW64\Eeempocb.exe

C:\Windows\system32\Eeempocb.exe

C:\Windows\SysWOW64\Ejbfhfaj.exe

C:\Windows\system32\Ejbfhfaj.exe

C:\Windows\SysWOW64\Ennaieib.exe

C:\Windows\system32\Ennaieib.exe

C:\Windows\SysWOW64\Fehjeo32.exe

C:\Windows\system32\Fehjeo32.exe

C:\Windows\SysWOW64\Fckjalhj.exe

C:\Windows\system32\Fckjalhj.exe

C:\Windows\SysWOW64\Fhffaj32.exe

C:\Windows\system32\Fhffaj32.exe

C:\Windows\SysWOW64\Flabbihl.exe

C:\Windows\system32\Flabbihl.exe

C:\Windows\SysWOW64\Fmcoja32.exe

C:\Windows\system32\Fmcoja32.exe

C:\Windows\SysWOW64\Fejgko32.exe

C:\Windows\system32\Fejgko32.exe

C:\Windows\SysWOW64\Fhhcgj32.exe

C:\Windows\system32\Fhhcgj32.exe

C:\Windows\SysWOW64\Fjgoce32.exe

C:\Windows\system32\Fjgoce32.exe

C:\Windows\SysWOW64\Fmekoalh.exe

C:\Windows\system32\Fmekoalh.exe

C:\Windows\SysWOW64\Fhkpmjln.exe

C:\Windows\system32\Fhkpmjln.exe

C:\Windows\SysWOW64\Ffnphf32.exe

C:\Windows\system32\Ffnphf32.exe

C:\Windows\SysWOW64\Filldb32.exe

C:\Windows\system32\Filldb32.exe

C:\Windows\SysWOW64\Fmhheqje.exe

C:\Windows\system32\Fmhheqje.exe

C:\Windows\SysWOW64\Fpfdalii.exe

C:\Windows\system32\Fpfdalii.exe

C:\Windows\SysWOW64\Fdapak32.exe

C:\Windows\system32\Fdapak32.exe

C:\Windows\SysWOW64\Ffpmnf32.exe

C:\Windows\system32\Ffpmnf32.exe

C:\Windows\SysWOW64\Fioija32.exe

C:\Windows\system32\Fioija32.exe

C:\Windows\SysWOW64\Flmefm32.exe

C:\Windows\system32\Flmefm32.exe

C:\Windows\SysWOW64\Fbgmbg32.exe

C:\Windows\system32\Fbgmbg32.exe

C:\Windows\SysWOW64\Feeiob32.exe

C:\Windows\system32\Feeiob32.exe

C:\Windows\SysWOW64\Fiaeoang.exe

C:\Windows\system32\Fiaeoang.exe

C:\Windows\SysWOW64\Gpknlk32.exe

C:\Windows\system32\Gpknlk32.exe

C:\Windows\SysWOW64\Gonnhhln.exe

C:\Windows\system32\Gonnhhln.exe

C:\Windows\SysWOW64\Gfefiemq.exe

C:\Windows\system32\Gfefiemq.exe

C:\Windows\SysWOW64\Gicbeald.exe

C:\Windows\system32\Gicbeald.exe

C:\Windows\SysWOW64\Glaoalkh.exe

C:\Windows\system32\Glaoalkh.exe

C:\Windows\SysWOW64\Gpmjak32.exe

C:\Windows\system32\Gpmjak32.exe

C:\Windows\SysWOW64\Gbkgnfbd.exe

C:\Windows\system32\Gbkgnfbd.exe

C:\Windows\SysWOW64\Gangic32.exe

C:\Windows\system32\Gangic32.exe

C:\Windows\SysWOW64\Gieojq32.exe

C:\Windows\system32\Gieojq32.exe

C:\Windows\SysWOW64\Ghhofmql.exe

C:\Windows\system32\Ghhofmql.exe

C:\Windows\SysWOW64\Gkgkbipp.exe

C:\Windows\system32\Gkgkbipp.exe

C:\Windows\SysWOW64\Gbnccfpb.exe

C:\Windows\system32\Gbnccfpb.exe

C:\Windows\SysWOW64\Gelppaof.exe

C:\Windows\system32\Gelppaof.exe

C:\Windows\SysWOW64\Gdopkn32.exe

C:\Windows\system32\Gdopkn32.exe

C:\Windows\SysWOW64\Glfhll32.exe

C:\Windows\system32\Glfhll32.exe

C:\Windows\SysWOW64\Goddhg32.exe

C:\Windows\system32\Goddhg32.exe

C:\Windows\SysWOW64\Gmgdddmq.exe

C:\Windows\system32\Gmgdddmq.exe

C:\Windows\SysWOW64\Ghmiam32.exe

C:\Windows\system32\Ghmiam32.exe

C:\Windows\SysWOW64\Gogangdc.exe

C:\Windows\system32\Gogangdc.exe

C:\Windows\SysWOW64\Gmjaic32.exe

C:\Windows\system32\Gmjaic32.exe

C:\Windows\SysWOW64\Gphmeo32.exe

C:\Windows\system32\Gphmeo32.exe

C:\Windows\SysWOW64\Ghoegl32.exe

C:\Windows\system32\Ghoegl32.exe

C:\Windows\SysWOW64\Hiqbndpb.exe

C:\Windows\system32\Hiqbndpb.exe

C:\Windows\SysWOW64\Hahjpbad.exe

C:\Windows\system32\Hahjpbad.exe

C:\Windows\SysWOW64\Hdfflm32.exe

C:\Windows\system32\Hdfflm32.exe

C:\Windows\SysWOW64\Hkpnhgge.exe

C:\Windows\system32\Hkpnhgge.exe

C:\Windows\SysWOW64\Hnojdcfi.exe

C:\Windows\system32\Hnojdcfi.exe

C:\Windows\SysWOW64\Hpmgqnfl.exe

C:\Windows\system32\Hpmgqnfl.exe

C:\Windows\SysWOW64\Hckcmjep.exe

C:\Windows\system32\Hckcmjep.exe

C:\Windows\SysWOW64\Hggomh32.exe

C:\Windows\system32\Hggomh32.exe

C:\Windows\SysWOW64\Hiekid32.exe

C:\Windows\system32\Hiekid32.exe

C:\Windows\SysWOW64\Hlcgeo32.exe

C:\Windows\system32\Hlcgeo32.exe

C:\Windows\SysWOW64\Hobcak32.exe

C:\Windows\system32\Hobcak32.exe

C:\Windows\SysWOW64\Hgilchkf.exe

C:\Windows\system32\Hgilchkf.exe

C:\Windows\SysWOW64\Hjhhocjj.exe

C:\Windows\system32\Hjhhocjj.exe

C:\Windows\SysWOW64\Hlfdkoin.exe

C:\Windows\system32\Hlfdkoin.exe

C:\Windows\SysWOW64\Hodpgjha.exe

C:\Windows\system32\Hodpgjha.exe

C:\Windows\SysWOW64\Hcplhi32.exe

C:\Windows\system32\Hcplhi32.exe

C:\Windows\SysWOW64\Henidd32.exe

C:\Windows\system32\Henidd32.exe

C:\Windows\SysWOW64\Hhmepp32.exe

C:\Windows\system32\Hhmepp32.exe

C:\Windows\SysWOW64\Hkkalk32.exe

C:\Windows\system32\Hkkalk32.exe

C:\Windows\SysWOW64\Icbimi32.exe

C:\Windows\system32\Icbimi32.exe

C:\Windows\SysWOW64\Ieqeidnl.exe

C:\Windows\system32\Ieqeidnl.exe

C:\Windows\SysWOW64\Ihoafpmp.exe

C:\Windows\system32\Ihoafpmp.exe

C:\Windows\SysWOW64\Iagfoe32.exe

C:\Windows\system32\Iagfoe32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 140

Network

N/A

Files

memory/2912-0-0x0000000000400000-0x0000000000439000-memory.dmp

\Windows\SysWOW64\Ahakmf32.exe

MD5 5cc680013ff9c34533da140fcfabc501
SHA1 7f214c27e6c2437202993b94ff54d479b5a4c5e3
SHA256 d9c0f2200deb9f1d66a2bf3d4cf06c3d5f8b33ef3a4a2f38d5edf8d26bf9be69
SHA512 cca1ca1ca4537debd4a917c286c72897f0c8d5f65239ed361a255b189597997d0f7497ce78e8cbe94401bdf98280759e2149b7725bfceb14f4f1a654c34b2fbc

memory/2912-7-0x0000000000250000-0x0000000000289000-memory.dmp

C:\Windows\SysWOW64\Aajpelhl.exe

MD5 75aedd00e2ba7ca432b5f7839273bd64
SHA1 b0c37c152244fb7f822f14bf8971c5f15e987869
SHA256 7d9538ecef18710f854de72d375454f8f413379b4e2e9e5cdae0e3f044739ecc
SHA512 af736b9b1b7c49b715eb51de9bb2e921db770deefe5101fa08fe98fe9917988f000cf75fc4696060d71979ae579bdfc9e54a9c8e93b8ce6e220625e560dc4aa2

memory/1396-25-0x0000000000250000-0x0000000000289000-memory.dmp

memory/1396-24-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2584-27-0x0000000000400000-0x0000000000439000-memory.dmp

\Windows\SysWOW64\Affhncfc.exe

MD5 263a840181e28cb53c78f29fbb8c95a3
SHA1 49bf55bf9d834b939014ffea7cf26a324e82aade
SHA256 98584d3c81977ebbc0a16afc5d131158f3f79382ed2da003a4f232cea2ee67fb
SHA512 e8da4fa2503d4c268660573351fea6afcbc9758e7d391df79486b7793cd314500b45cf8951a5e21be426cb32eef9327fd16ca54af020e9fb9145747af94e083a

memory/2720-40-0x0000000000400000-0x0000000000439000-memory.dmp

\Windows\SysWOW64\Aalmklfi.exe

MD5 a2bc5da7a45f4b0e1abcbd59d716ac44
SHA1 319a0d7f797f52302cf68511dc596bd6f36bc5c6
SHA256 5c73261ec39e96e90cf7d59e5a6fe750744c5a528ae3c99bc0a703089b3b08b4
SHA512 f2e1daf88e659aef26ae786d60427e7dbb71607519537980361c8603f43d18f352d4c99ac57d28a58de8ca833670297d6e9ae1a4e84acaac50c322a21ba5618a

memory/2800-53-0x0000000000400000-0x0000000000439000-memory.dmp

\Windows\SysWOW64\Afiecb32.exe

MD5 5856b8408b8319146b68da892f0af7de
SHA1 e2339a13740e0348754b0b7aeda8aa4c43a11200
SHA256 fc991efe03594de94449746c400d360dc52d40705b3f6fdbe8859670c746051e
SHA512 f2eddb76c34db9039eb83fb822611238cc8a8e9cbf90460265fc148279f862992b63f640095dbb6459e2b4a24b4a5cf32d39907ff5f0eface0ce22d0c7515121

memory/2800-61-0x0000000000290000-0x00000000002C9000-memory.dmp

memory/2516-72-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2516-75-0x0000000000250000-0x0000000000289000-memory.dmp

\Windows\SysWOW64\Alenki32.exe

MD5 76916ef6ad27239136863c41403d17c3
SHA1 4559342e7e119f1493b72dac59a1142143a38564
SHA256 06a191faa7555cbb2c74c187c9a55e2827209707599c2d70faf27917d9691358
SHA512 74ff862e40a07e8797e18c9629eefd0537990fc7567436729c77669bb75caf9af19a194f3c6f4dec59e3f06c5dbeb82aadc8de2116b78d9d2a3b50892d763298

\Windows\SysWOW64\Afkbib32.exe

MD5 66892a9f2991e89dd680392b6537408b
SHA1 8a2d1bdd41861eef80823a58cedda9f073f1bfa5
SHA256 4046d212c2117378b50d840f60a35d922ed676c77fbe40fcf7cd258c70ddb01d
SHA512 99af29a06f15e3c90af05051aa9e865f95f182200a8fc1736f076998439ed9adaf60c2087871e087616a7d0e3ea599265a5c6fe23b94719574486023ce5196ea

memory/2496-92-0x0000000000250000-0x0000000000289000-memory.dmp

\Windows\SysWOW64\Alhjai32.exe

MD5 7b939250adb6c5bb529bb8fc8bf7bd36
SHA1 9b490a24b7962658a4aae2e87d72e03e18d75f8d
SHA256 228119c3ed108f6b9e8861e42d3fb89b5f2e1d79fb3bc64f3a1e7df691edecb8
SHA512 b11062e528ca085fc56fffd21d3c862c5668320c3a0aa0595f5e0d9b51f2271acc17dceb0bbc3221cd47e2d7663a57e54d4b5f8bc44bad234465acc2b118d5b8

memory/1028-106-0x0000000000400000-0x0000000000439000-memory.dmp

\Windows\SysWOW64\Abbbnchb.exe

MD5 b55af7168ba6fda7c1f97bb98665d091
SHA1 8d4f978a118c5dee0dfea62dcdfa0a1ddb7e27ee
SHA256 9f4d731f413005871084093b8e1ea606338341f3e6cc3643ef7c15e0b83819e4
SHA512 f1200d0c009f32e5707978dbcc00ef34a4877c260db37de56087b3ab27f717b94a8ff79f1885dd90e6587484821b970b3e637d615bbf707bd9cadf37d167a724

memory/1444-124-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Aepojo32.exe

MD5 b04a538e5cfe51b3505be116609975dc
SHA1 daa659775c53018200ba8ed5ae72e3dd945da371
SHA256 8548542771ba79f3bc12215a545d98c03ae08ffd1cac26358dae8893966528c6
SHA512 33eafbf5845be69b5227da8857275ef3550beab138e7e7f160e8cb155ba5899df0f598b6145c5bb6ae9d4fb0bf6a51ebcfe08c1522310e802ad21a3746f6da76

memory/2580-132-0x0000000000400000-0x0000000000439000-memory.dmp

\Windows\SysWOW64\Aljgfioc.exe

MD5 bfe6369fa1e246197db74e531aade89f
SHA1 8b620ad9762f863d7362e1e668a77e0b48f56e77
SHA256 e6c4e48ddc5870bbb234832375c258feed55c866d0dd6d2733fcb9055e195036
SHA512 b9978ba26633034bdeeee8dc0e1772a062573cb36475d0b1b251d37352a40037a8226bbb7e4646ed5e4fba4fb10751ca93d44571deb86cbc4c72d1d772e6c980

memory/2580-140-0x0000000001F30000-0x0000000001F69000-memory.dmp

C:\Windows\SysWOW64\Bbdocc32.exe

MD5 d5f509eb1aab724fb8adc5af97a6e0ca
SHA1 8285d8e22e4a32d23ebe0b8a94c82714fada8d40
SHA256 c8bf30ff24f5754b637c48103528c711a54dbedbe35bb29e4306f185b79b48e0
SHA512 7a3b07b4ef93a5717f3edc4072ac1d658eb768cd37867811d0af4c21af6e8e2d4d8b131f269d9f11134f231d535a05520707bdb618f0561e8fb5f3fcfa56e2e7

memory/1972-157-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1220-159-0x0000000000400000-0x0000000000439000-memory.dmp

\Windows\SysWOW64\Bhahlj32.exe

MD5 f6a6a04df8b2d547e3a5cd219cdc7567
SHA1 02815f967948c55bed12b567213e7952ae82d70f
SHA256 f5079ba247fb277bbfd420df6b34e70007c569807492f77c083b5d60f9c204a5
SHA512 a50296e5f9d7c36eca894079b7e88784d95cdf1c2ba92be87b93843f73b5db0b14cf5d94d5825d21cf34d932ce134dd6e611f5f11436f19ac3373be2e527c050

memory/1220-167-0x00000000002D0000-0x0000000000309000-memory.dmp

\Windows\SysWOW64\Bbflib32.exe

MD5 aa44d7af48298d068be480f3e8669728
SHA1 ccdce30ac1ce701a502d4598e1b8326a828dfd68
SHA256 a7265ec757e04179c4411ab667e55299d1689af4891a5002e95fb405d712a7d7
SHA512 1b2bd6c68fd53ca4e56480c36e741f03490f5b80a239e47ef6f58aef05861a9f604a5353f0535da846c23e1691b318b0909f9e790415f85218eea2af187ffb3b

memory/2420-183-0x0000000000270000-0x00000000002A9000-memory.dmp

memory/2420-179-0x0000000000400000-0x0000000000439000-memory.dmp

\Windows\SysWOW64\Bhcdaibd.exe

MD5 77bb2f6b9dc22c48aedc17687d48ca75
SHA1 8914eb8a5cdd5bfb31818d969ced07a08df3f9ff
SHA256 e3f094d0982aaf4eae3782d0484c1cd61fd8470bd45c17339029e51733511c63
SHA512 5ba179e62b0eef75d49bc87ee640e0964a146b00e4c3a8e664cc7f7dbb1afca52bbd6c80cac76c43646a665fbbe34c038d2412d10e271682cd98d4505e7db73d

memory/2236-204-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Bkaqmeah.exe

MD5 8fc8565f950bce1fbca872f2f42442e3
SHA1 7aedea44c761f73ee4b2fbb41e88a5541a5d3867
SHA256 297077b1b0afa6c0ac7eae7d15cbf9a434b0092b3ca8be18f01c56d11b56d130
SHA512 1f20717b69f08758b104cf1154cad4638a125e5614492d286f78300effa0aaa711f69887ae400c2c83dc4aecfef52ab2e016565e463c672f6b7720d6a32283ae

memory/2236-207-0x0000000000250000-0x0000000000289000-memory.dmp

memory/1812-213-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Bdjefj32.exe

MD5 cbb762d38686bd2b6a3c2c743d3806ca
SHA1 e0d0045e32b4ea729e20fea39ee657347ac4327d
SHA256 e1bfd1df0f9e3e08acadbb4c39614f5702a3bb3466cf6e7145d36b09d05374ef
SHA512 3a44a90de7404b09b39fa492ab7b9d5be02112d1b3576434892fc114d7bc6deb75543dfc4bf1b162934c408cb4ff49207c8500d25d5c47d4e281858e70032213

memory/692-228-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Bghabf32.exe

MD5 32ff51ccbd2759d34b9c5992a4e7b34e
SHA1 9f661e4691a84143a5ae44fad272ffc29119f420
SHA256 6edcf77d0e6cf8ba89a57d1b5e6294c5fd4b98979cf5921a6fe388d752e46a12
SHA512 3bed381cc62d51ace1ce7f21c2ddd3a77a6dc2fa14b9e588a7623a5816e2456070f5da3298a876ee428ebaa2a850ed435affee40737252974dca9fe227e32ef1

memory/1484-232-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Bnbjopoi.exe

MD5 c08bec5adf5d74c7b41fb48a24980e28
SHA1 27894a3498f256c3c73aa6deb2d73600e905f788
SHA256 c977513cf053737a45f30a8021294a9a34aeb046f5363c12ea9d2197f1db05c2
SHA512 9b11d0e79717c00074f8815d7f90aff8f178a38f37d47ea1fe3f4434ef69bdb7acee50b17321024d40fbad02717803dba8d1717c7cbf6445738c526c256f1334

memory/2460-250-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Bpafkknm.exe

MD5 2e0862497a5b03c6227e9b859fa8820a
SHA1 b8dd1164bf1acd6675fd65f5cf696dc7d3bf1aae
SHA256 c409ddbf57e4ebc8a9a1742d06605d4ed79db843e4fcc4908f4a82c778e2746d
SHA512 5ee03f95c76c7d4c0de75af162716b841d50a22db1379668df275afd70c4cfc892aed56b29add17157a8aef3e448d875d85aa27df9ea38733b4ebe90ebe97fd6

memory/572-246-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Bhhnli32.exe

MD5 3f5afc17ab51c6115de1df3d2f7ef4a8
SHA1 7eb07f0bdc1eb8b5325645f8234bf4ff1b71455e
SHA256 dd1541c514bf129b208f61b5567f8dc4cbc4448b5138b7530939557b4d4c7974
SHA512 3e567f65e38ceeb856fb6540c2f5d5f812caadaafdc6eaaf67ca37018dbb1af350ba3c8886e96ecff4380cd9f140ac4c63bce391ba0613f0a0e1df6f39788db7

memory/2460-263-0x00000000005D0000-0x0000000000609000-memory.dmp

C:\Windows\SysWOW64\Bkfjhd32.exe

MD5 eeb8cfb16fdd17b265ccce3e10a8e519
SHA1 6503e1f8ebdb3b12f4d52cd228953193adbf8811
SHA256 81873c2ccee6196d8f7c787f9f4e474b5e68bf2261bf3007639bab352b6721db
SHA512 b1ef2bcd64bd1de59d289d55a3ec17c972884eb97686195a342fd8634da85f6de057760e90126db43c390f14d63b52a5cc8110dc54ea91e52d9344c5df3911a4

memory/2340-265-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2340-270-0x0000000000250000-0x0000000000289000-memory.dmp

memory/840-271-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2340-269-0x0000000000250000-0x0000000000289000-memory.dmp

C:\Windows\SysWOW64\Bnefdp32.exe

MD5 bb41b0f6fc9f9ea2c1fb27b5d17caf49
SHA1 92838c110648a9848c2fb0e5f71eea9cab6b50d6
SHA256 376f867e4f509f8f02f3eb3292c56f63020dea50928b703a8bd92d8690e1f156
SHA512 746996cc8f64c34ddc7c0d511881867199876befaa616f82b15299c1d7045d337692735ac431d2ca0b43ce0be5025d7755e90afcddfbdf75ef5a2ccb94b57f9d

memory/1044-282-0x0000000000400000-0x0000000000439000-memory.dmp

memory/840-281-0x0000000000250000-0x0000000000289000-memory.dmp

memory/840-280-0x0000000000250000-0x0000000000289000-memory.dmp

C:\Windows\SysWOW64\Bcaomf32.exe

MD5 3aab24ec0af413c65cdf80452c8df074
SHA1 fa38a82e9b12ae4ce268cc9bde1fd875e1e0d739
SHA256 5c6f19e3fdc8d6e0aba6f31b8fa990b6658675368935718e5089d2584aaca332
SHA512 d0052596c2cc30c8ddf96695d4b866f11e2d38d6575c2d1c28530c7ece8fea3836ba6df386c26dc79a454cda3dfe33a78418ec3d7fa7f3b1f1c6632fe2bafa80

memory/1044-292-0x0000000000250000-0x0000000000289000-memory.dmp

memory/1044-291-0x0000000000250000-0x0000000000289000-memory.dmp

memory/1184-293-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Cljcelan.exe

MD5 973157140ae9a10df64234016947e771
SHA1 aafd4a245366991417575f943c71870c5530a619
SHA256 6b26553ec83ecdfb9262b83dc42b6a9aa91b476154e2db6f2f35f2aabe594be1
SHA512 818e635fa2067527c655abc89e180494237b9726f517986b9be01d0a6f419aa428f4afca3369edb41a5969d443463c6f8ee034dbb97bb667cac3886d045592c6

memory/860-303-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1184-302-0x0000000000250000-0x0000000000289000-memory.dmp

memory/860-308-0x0000000000250000-0x0000000000289000-memory.dmp

C:\Windows\SysWOW64\Cpeofk32.exe

MD5 bc32563b42fbd978d232122e59f1f06a
SHA1 be312d5c8d1b0a434b5fc9ed857030b98ceba514
SHA256 4aaab524125778d2221fa6be36a9d1ceadbcc3f0a66391d1ece4de89c802968b
SHA512 fb736473b0908fa47cb3c3f70012b5780a523565f69ec5f8b17bae55d62acddb90f6ebd7fc0547c6371b99932a9731a273eca5858e6fa8ce4caa2b7b607284a8

memory/1644-324-0x0000000000260000-0x0000000000299000-memory.dmp

memory/2936-336-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2052-335-0x0000000000270000-0x00000000002A9000-memory.dmp

memory/2052-334-0x0000000000270000-0x00000000002A9000-memory.dmp

C:\Windows\SysWOW64\Cnippoha.exe

MD5 52fc45176e6f497e74944e2a0bd8faa3
SHA1 0df93fb3f69428d9cb5d672059039bc236d2ad2a
SHA256 05b5050e6fa9acac787b0fbea819726156414c448c20340aca3c5af0c94d18fe
SHA512 8e9d73a5b26b065947a009841fdbd355ac87b2339682d1a7b373602a273c4b5f261e14d036ec6663bb1a47fde8f4ebedcdec3a09146438c5e90974e6e750706f

C:\Windows\SysWOW64\Cfbhnaho.exe

MD5 fce11051773cff493b67da5336c2e2c4
SHA1 cd8484b787ec0637a8fc2555b42d5f9e57b2dd47
SHA256 97f0799e18174b01575aece8149a7b792e2c20e3cd95f0a300e934d9a7315c62
SHA512 286c0b0113c95805d460abcafd8e5cba9af249915360da7edd4cc0f5af18999da0f8071901d5ef52eb4a3ccd691fbb4983d546b5654b672da3a2ce6fa039cc40

memory/2052-329-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1644-323-0x0000000000260000-0x0000000000299000-memory.dmp

memory/1644-322-0x0000000000400000-0x0000000000439000-memory.dmp

memory/860-318-0x0000000000250000-0x0000000000289000-memory.dmp

C:\Windows\SysWOW64\Cjpqdp32.exe

MD5 278908aed153302b41bf9caffb0b20d9
SHA1 bdc5fd072e4f4e135f8f30efbbd1b2a76fcc7a96
SHA256 8458cef0a54c971e7cfe90b51f2c5391427dd0dcb8e3a8550c08e12d24c3ea63
SHA512 393af0c2a5adb72cd412555d308b6ab6328cc8a6fa08158b02007206115613496bfc0f470a34a05201ec9caaa79af03c74b766200990f08d54bc7424b5a79ceb

memory/2936-345-0x0000000000250000-0x0000000000289000-memory.dmp

memory/2936-351-0x0000000000250000-0x0000000000289000-memory.dmp

C:\Windows\SysWOW64\Clomqk32.exe

MD5 3c160d51c1b855d44ddd5f6d1346f77f
SHA1 59bda677746f478ff7f8434e849ecbdb8b07a99d
SHA256 95a47548a33c70f506a51102f5587b66dd80423f18664f1e67f32658d9356c93
SHA512 1a8654db7d25e6a063945f449ef3a6912c949de6b505f996d0036229e9f4f1de39fa74017ea9c842ac44051df07766c1a83e0ccd0f4d2bcbf6072b83dec4d52b

memory/3020-352-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3020-356-0x0000000001F70000-0x0000000001FA9000-memory.dmp

memory/3020-357-0x0000000001F70000-0x0000000001FA9000-memory.dmp

memory/2968-358-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Cfgaiaci.exe

MD5 5e4e23457d7e1dc5781053bfac50962b
SHA1 9644314d61c0a5290fc785ec66346a5c492fa53b
SHA256 db6f11b32431c43306094bceae600a256f2bab6aae018d94c91793288d6b4d31
SHA512 bab5959237ab590f0370147cca9e8b90fec2f8735185321ec4dcd1b9874bb0ca3d233ccc70a8dfe948a4aab1ba24a447be320eb8bf6006bd5761936b9236481f

memory/2968-371-0x00000000002D0000-0x0000000000309000-memory.dmp

memory/2744-374-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2968-373-0x00000000002D0000-0x0000000000309000-memory.dmp

C:\Windows\SysWOW64\Chemfl32.exe

MD5 6efa74aaf515c4f67d3f5b7948ac5f6a
SHA1 d35e0ade501ec606f8d8c94cb102d879a33ac6e6
SHA256 8bffed84aff1bf7435e206b3c233386ad54c6035254a6d41c259e56f67c4e457
SHA512 99749e920e3ce953420389e1b444f20c5bda73c3fa7fa0b549bbec276bf3f04f7bda508e8efabc23037f1d07f8ee7c1c7b00264af5963d3e60629e79792a5083

memory/2744-378-0x00000000002D0000-0x0000000000309000-memory.dmp

memory/2656-390-0x0000000000250000-0x0000000000289000-memory.dmp

C:\Windows\SysWOW64\Copfbfjj.exe

MD5 e60a7710c20458d85335f51322e62033
SHA1 715153b68f708cf72c3976b50fb600741d522661
SHA256 cfd2120aa0b09148b0ed6188f5964f3a5f356a14c17ac48887706188076202d7
SHA512 187e4e2150eeeab9b041f99f91094d9ad486729d1b7df3d4a05ebd69f733403a4bd6a9a3ff353dba844e5c33b487ae852cca552197b588a33742ca0462ced831

memory/2744-380-0x00000000002D0000-0x0000000000309000-memory.dmp

memory/2656-379-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2656-389-0x0000000000250000-0x0000000000289000-memory.dmp

memory/2424-394-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Cckace32.exe

MD5 05cf91009afacc9e872bff5630f2105a
SHA1 7eb609e92cea613e158dedb1bb49af91c093f65c
SHA256 837d7457f9f3bb3c4ba5268dd07b51bfd0736e8e611a497c8cec7d69bab22ffd
SHA512 2097651a5df2a2d2e4296a2ff5e01abd9f2726b5ba0af064fd47f10c813505d7f7b839fd3e72767cf35c6b6b5ef24b392f9cfe4dcaa66d6a7d3bb8ac3aa62022

memory/2216-402-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2424-401-0x0000000000440000-0x0000000000479000-memory.dmp

memory/2424-400-0x0000000000440000-0x0000000000479000-memory.dmp

memory/1668-417-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Cndbcc32.exe

MD5 c6bacfdd33a2a918211b6c2420c4881f
SHA1 2b6c933f8000e1d5bc9421bf85663b9b9e48322a
SHA256 4b6f3307fea39e8b3bb297fbde6256d430c049f02f793e035439e49e7f433a76
SHA512 34702ba3f179d40ce347467d39b1043e872bf00c5c608b9a72476611cd50f4eb82754a103e60618b1531ef088abfcab8fabe1f50a77c76553b522bad9bfebacc

memory/2216-412-0x0000000000250000-0x0000000000289000-memory.dmp

memory/1188-424-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1668-423-0x0000000000300000-0x0000000000339000-memory.dmp

memory/1668-422-0x0000000000300000-0x0000000000339000-memory.dmp

memory/2216-411-0x0000000000250000-0x0000000000289000-memory.dmp

C:\Windows\SysWOW64\Ckffgg32.exe

MD5 005d4453319e91e7445576c4d4915f9a
SHA1 48060c3b61af52274e871a5b63160d098eff165c
SHA256 c3150c60df8e8c12512ec726e136de9f055ce8756a58ae6a9a77eda0949e6be8
SHA512 52ff4aed0107cf80c47deeb3356615f0be8dc184a3220a4ec760336646fa2d7d0ccd68a069d847b505a07fe3db139f431c7b23abb61449af1afde7d882847e73

memory/1188-433-0x0000000000250000-0x0000000000289000-memory.dmp

memory/1188-434-0x0000000000250000-0x0000000000289000-memory.dmp

C:\Windows\SysWOW64\Dhjgal32.exe

MD5 487cbd879b1fabb698f5c6c507a3dec0
SHA1 cf780f3f6b1fff1c3bd8371439951e5a869cfc6f
SHA256 d9dfb3f08dd4acc6cad3ea5c4354f1a542fefbddc03039a903a33f791e24e87a
SHA512 51f55de2d8570308d6257801852cf1aacd5911ee3a03b7c3c71e608a44538df7310fb50dcd607d9a9223690c0eeb0c505459744c05d94f4d940aa8483b314a82

memory/1820-445-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2140-444-0x0000000000250000-0x0000000000289000-memory.dmp

C:\Windows\SysWOW64\Dkhcmgnl.exe

MD5 aebad012d727cbc4be6c422e51644f0b
SHA1 f300726300bf794a11436b32921fa816884ae440
SHA256 cfd926ae7d51e7942a963df9241fee087e7a454b4d90022b38900fbf8282fa16
SHA512 322c8fbb0414eeb3ce78fc3bdbb618170fb362c330cd02516881996339be8e983020dfaa4c8ca18e7055bfbec2b8c89cfa3e3aa761f09d4f8b7648209edaa08b

memory/2140-439-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Dgodbh32.exe

MD5 20975afca769b94b4dfdebe96f57510f
SHA1 23605affe3317b13904ebfd27b0a408ac52a340b
SHA256 12a5e10a5350799fea0b16507d12b1b90449036354732153da1656e9a1ef6ab0
SHA512 4f97f819bee00fd29bbc08df3443eceb013ae3972be48473045af2ba019376be85f40fcc693dc791afac81b1b467176450d708d93e38e4e50391d5397a32c093

C:\Windows\SysWOW64\Dkkpbgli.exe

MD5 e030918d458a90579b0f89913775c0ee
SHA1 31c2681a5ab6b74ae5ab31c8caaee9d588ce5c2f
SHA256 43414f46670b8fa058c5f4c669fb4967235ecbbcd368604a20bb5898681de3c5
SHA512 06a747c9b9c8964c2a1e32aee6fa373e93a269f5f10246df8df1218dc7bbabe43dd19bed288a5b2f089d1a89e53a8e7b88a7203c553bf9c10474d0fb2d05d14c

memory/1808-460-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1828-467-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1808-466-0x0000000000250000-0x0000000000289000-memory.dmp

memory/1808-465-0x0000000000250000-0x0000000000289000-memory.dmp

memory/1820-459-0x00000000002D0000-0x0000000000309000-memory.dmp

memory/1820-458-0x00000000002D0000-0x0000000000309000-memory.dmp

C:\Windows\SysWOW64\Ddcdkl32.exe

MD5 6f0d379f5e7c5ed2d89998854eed1d62
SHA1 02f64c25a83e11d6cf4263bd80cdf22e4d0ec4f5
SHA256 6584bd8cadc47ef2785f824718f429dc52b56be7e8ff3d19c8b338cc06a4e9f9
SHA512 6775a139f803ee41668bf1510fbfd5a31330e51474ebfdc389fb03dc100e2f42d532eafe48989880bb696636de66b5d2c00a7ae611af0f5243bf6eaffdc660fe

memory/1828-481-0x0000000000300000-0x0000000000339000-memory.dmp

memory/2784-492-0x0000000000250000-0x0000000000289000-memory.dmp

memory/2784-491-0x0000000000250000-0x0000000000289000-memory.dmp

memory/2260-488-0x0000000000250000-0x0000000000289000-memory.dmp

memory/2784-487-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2296-493-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2260-486-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2296-503-0x0000000000300000-0x0000000000339000-memory.dmp

memory/2912-504-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2296-502-0x0000000000300000-0x0000000000339000-memory.dmp

C:\Windows\SysWOW64\Dkmmhf32.exe

MD5 92abe85020276d28e9ecf1944665fc84
SHA1 ae34181550a374122418fa9f010093e9ff1dd283
SHA256 22831d7b3cdaba90d85cdb1273156e14ebc3f672832c7c5d46bf9a02b8f42a8c
SHA512 e068dbc012820d771fb00e29cfbef43ad324cdc8fdecd10e6024ff6ecdb01734cda27aa4fa5d19d5aeb50ed8f7e83ef5721b5c176db2f309362fd935d3098922

memory/1828-485-0x0000000000300000-0x0000000000339000-memory.dmp

memory/2260-490-0x0000000000250000-0x0000000000289000-memory.dmp

C:\Windows\SysWOW64\Dgaqgh32.exe

MD5 a51976db5eec6180c0b63e6b03fb4f05
SHA1 7f52e5d0c048f46f4ec7645afb211b1e4ea664f9
SHA256 2a18e8ab78d61de290aeefa71b1ae24a259ef1ddb67abaa84361d21be977a11b
SHA512 a161ecf64c358dc7a36bf2a2fdf820b5905400d14e7312fa42ac0d14d3c904afcc79f9b81c307b9b133d8e811571e6d039c3408f7fa3862fb563374f4b8be648

C:\Windows\SysWOW64\Dnneja32.exe

MD5 4d0b9881557fcd78723f907d010fde2b
SHA1 16f0493f783713545cce7a9bcf005ffe91bbe4c6
SHA256 3626e8adccdb2b8d8dfd5eb3afcca2951134eebc212e031b76769c3e2aeba767
SHA512 f6b3e14f1365a3d4b602d311685a7673a9e1b3754b3b1b077fd29b814f4ac341bb4ab49cd29550e1f0961d33e84896350fb56580369befe0dd97fcc9886b555f

C:\Windows\SysWOW64\Dqlafm32.exe

MD5 a293b99d3260fb170c9bd109d4d6de91
SHA1 13a8c8dcb4a45b7c0ac9ef61a7115790bdec1fe1
SHA256 521636a94a33f7e652b2b3382bd15f03b195992f0eb4f360ba5d4d1862211a86
SHA512 62cf350dc2824d4c00ab0da098219f34015981541df69402cfb537d36e66827855d61528b53336667a1f75e6cb27ae9b3eeb854125c599831d1a746872c22b2a

C:\Windows\SysWOW64\Doobajme.exe

MD5 e629de119331f6924b7e1f9d96e3a4c9
SHA1 c9c08705d8d74f255f21e44c7c8168527abf2f0c
SHA256 fbbbc57de07001dbf0fa8eb19efd1cd2918a3efbcff8e9e2927b9084e65464e6
SHA512 465d81eac73069360b5b84ad645910967a05f24c0490957d83ed7b41c18af4fc36841ccc9d04b3eb717cb0f26637366c416ff73508a4a11ddbf35f15dc5b8db0

C:\Windows\SysWOW64\Dcknbh32.exe

MD5 4e6210b1ea44d86d007438a47e90347f
SHA1 4d89d0799729518bccda1e3b7a67ac60691e2c50
SHA256 4beece1aad5526c0d588096884faf498aadcbfc0f2f0d40ab66a3e705738712f
SHA512 8f951ac05e77a55930d47cf5d0cc886f7193068113580f83197cef6adeaeadde2d688c720927b2c7e43d15303b4cc6cd967a836975d7823c2bdef7db04660277

C:\Windows\SysWOW64\Dfijnd32.exe

MD5 76aadbce373d4471553b26a0c1e545ab
SHA1 2e98a8cc74397dcac8267a6390847b617c5c5440
SHA256 f5dd1b1aa6846a0984f1cdd11af206c081918c0b4910bd290680f77f67bc0d4d
SHA512 80fa44a5c7064ca7657cd1b6a5de2868c80fd9a7ec5cdd5b734219628b15860fde586e1c3f49ccbc27690c42830770b02279557385c57e09c4def22caf3e9b62

C:\Windows\SysWOW64\Eihfjo32.exe

MD5 3f3291c94ffc1017616b2e2863c21442
SHA1 7cad33ea3c54a117e750eae944d214d84956f651
SHA256 7871e0a195a03b7a8a143484bb165a450ef0b84f25fff67965a450da06d8f894
SHA512 16c74c88051dfed4cd031e07798ae6a7b32390856d4cd8805b301e69c71dec8f67722eee9c35c51937888cb8950b720e81e38b07a8bca79b2177410a28e18a30

C:\Windows\SysWOW64\Epaogi32.exe

MD5 7d36c7aa7c38470aa7d047f37034e2c0
SHA1 e3b2472ad2a2c65a8eb3115780648473efc9b258
SHA256 9766799e072089e5856b9b6071163353a2f3dfd3582807c8bf5a9a4da486979e
SHA512 0f16e2dc3e0c328dfac38ff337695aafac1de45a8dd9b9cf46165d965617a724536a4cda5c4f9dde67f9b810468da65a798eab0437c569fd8676ae81e86ceb9a

C:\Windows\SysWOW64\Ebpkce32.exe

MD5 1f7911225236e2197efa12e70c7bdf5e
SHA1 f35691048397cc1c902d82527202d97c30f1e60a
SHA256 af65ee5091e9deb78f5b97ee40e09f02a5da206f3f693a572dc5ca2e4569fa51
SHA512 4e2bd78358525a631ac57a97066edb9da80ed0642f6e3a5f4354d9070330f9ff87a3680f36c2e613b19a5f9540019a9ddb1dedc2bc2e5443623b46463d75b541

C:\Windows\SysWOW64\Eflgccbp.exe

MD5 080e7e7a58eebf88ca7865334b1cc2b3
SHA1 a9c46dcc31bd11fcf4912b71fafc2ca058e774e9
SHA256 49b44331eb7eb1b9e62ba743d01cad686428095d8030ac0bf5c0e154af61fb62
SHA512 aa005fb680a8a4c3b30c73aff63134f7ca22f06a56d3c03847ca69460bdbc365cc6fbc288fb4f4d25b58f0aeafd023cf3177386877fd497df275c312043abd70

C:\Windows\SysWOW64\Eijcpoac.exe

MD5 b7390154a03ffe916aabb24cf07c089d
SHA1 47e6d47ca1b69db96edb68ead09e5dd77d655ecc
SHA256 96dbcfec943bc9a75b7ecd00b39a37d01fa93819d0fa3a88c36178a7c73b82ab
SHA512 c4e3aeeb90bb653e2b5e19a4aeb2f00609c5d7033ada3dc4c8fa2f9091091e84c4e83a361118b830fa578fbceeca6698f13359cc8ac97e6445ce246f8093e337

C:\Windows\SysWOW64\Emeopn32.exe

MD5 25ed8652704fb80f1144dc5aa1eb1b68
SHA1 d8b82db5fad99d84a381af55a0ba6ed4b898c3da
SHA256 163fbee1fb79b81cee5cce343f08d82d0c5db30315464f539940bdf4ccc06113
SHA512 f764e6779d4a9b1df3089a783d067aa60b29d4d7baa96c608f9925e72c1b5bf85b05c3a4edfae92f660af348c50f98e5e17c08bc57c634712cdd2624d392bea7

C:\Windows\SysWOW64\Epdkli32.exe

MD5 35a37850696af169d761658e3c8f9acc
SHA1 83ae4f90c982268bd3435d715e4cc1810249af77
SHA256 d6fe7d423d66a6a39efb753094937ea1123d1878e537d760768a0016678019df
SHA512 9efdaaf3a701dec8b25b3cbd1cb0f67029f8799c6bbf9861f0eb985c4381f0fb4fbab07a8d0d25200a51b808d659440f8edc16b87b80f1c455dc455df8386aa7

C:\Windows\SysWOW64\Efncicpm.exe

MD5 f89d58d2411274a37f8f858f7ff2ebf1
SHA1 b2286aa14b7b0de093d94369859bc74bd1788eaf
SHA256 b48cf3c34bc790607a01e551c59f38faf183f7d243287e0be17bb3057efc4a85
SHA512 773e4e8f7c2915da335d39288e01f8bdad53d9c04282e80dbcf26053d39ed3877118b73e97e1a888f0d85fb1c2ede7a2220063e7f7bd8a8e92083c47fb98668b

C:\Windows\SysWOW64\Eilpeooq.exe

MD5 b98223a224639964cc45b65ed221e51c
SHA1 7c42c962bfd4a162672a41f70fe89d78c16a2586
SHA256 b2280cc63831cfacb8f3c9caf1526ab1fa8a5de5beba8042c29768a69fa2947d
SHA512 43abb21c72b870be6b9dec5e964a6640dfcdcd24b07e0c941d68b7d408cacf9d611d6c1be22b6c444fc044aec20674b5779e20a870d0a39b677fe0385cbd41a0

C:\Windows\SysWOW64\Ekklaj32.exe

MD5 d5b8a675171928e5a6bd2c05164e14c1
SHA1 ff3cb7f9f22a320803d26c9f5922dcb79192a333
SHA256 3111931d8bcb8f14a6028512f3ddd155f7b55d95c7e14d430ec115aa16547be9
SHA512 60576046381fadeeac8f981581bc38a7652d70bd6622d7da977811fb1c7fc440e27a54f07b0e3398e11b0e004973af62275d1efced7e8e062ce8cb978d31f897

C:\Windows\SysWOW64\Enihne32.exe

MD5 664564e50ddf11227741a34e7d0e3ab0
SHA1 287e6963ead570f244c3afb2fb847c33116e8679
SHA256 6744e87adcf9cf2094553a5c49190b38578a3d6e27905d7bc73f1a183b4b66ab
SHA512 9041f13dbd4127805c709fbe74a7b96097717f3088fb2da4c6897baf577e739d1ae75c76bb17c20429287dc6ad23a3598b8bb3471b5451d4e4a4dc80e7f76a2d

C:\Windows\SysWOW64\Ebedndfa.exe

MD5 573d5ecf6446b3b999ead19c853f5bf4
SHA1 f2726b008b04ec01af3043e86feda2c57456417e
SHA256 6ba587f8c43ac9bd337d6b40c63f249a7a409f89718c98c7001d06d8467135f5
SHA512 1e4f5df3b22f17df15a878636507e70638d4d0bf9ffea99f39d952f7f7d48be4bdb94ce3119fa3f222c41e4a6e1a3f35140b03d03220b65ac3edb6b34f573af6

C:\Windows\SysWOW64\Eecqjpee.exe

MD5 6c7811ee5d6db9a1939fc2526985424e
SHA1 4abfb1cf1b838c7ebededfed155f61a9c2b57b6d
SHA256 eb395e54ef8764c76943aae4d88b483cbc02a9ecd0a21e8a41ed5a9881371a2e
SHA512 6d76139ac2a670aa917d0302679a38e284a8861653bfb891e515b4f43316567508f3b432dd35aefae0f42cf9fc36b035281770d4959d898cd6a33e48834191bf

C:\Windows\SysWOW64\Egamfkdh.exe

MD5 69d85202a41b5e41fc52d077c90de808
SHA1 639a1eddb83ab06340a8dc4c95aa08eaaeacbe00
SHA256 c6bc450326159f43283051d460688e968c91cdbca579a741032a4bc967723633
SHA512 41feb7fb1978477fbe3c5ef52dfab664964c4c77b428557e8fbd4f9fcaec1cfe3ad1bced2a3ec3d4426d772f5dc3c82fbf3a2556b315bf0326a851f26c33d492

C:\Windows\SysWOW64\Epieghdk.exe

MD5 94c15c2b5c4345c7b6901d60e36ad63d
SHA1 b9a23351d33d8bae493b3f49e3982f8b86308d62
SHA256 f1842d7e4762919a94f46fecac4c4fde4619bf9e48e550077a36e3f2acc3f480
SHA512 28b91f5c66156c2dcfd3df1edf8bc8e96dd7439698837cebb4ed36fbff9c807a1ba33ddf0e669cb166c5ad70c056ff1e21b380c17d371cd7e94014ac7133ce45

C:\Windows\SysWOW64\Enkece32.exe

MD5 838a3cf591e486011e3f5b4df41339db
SHA1 28dfacc130fb3cc802f4fd2fb276d235a55823ef
SHA256 167d06fa63ac2710b7dc02a30cd57e383b0d5017420be25f9a3be685f0a50ea6
SHA512 5e1396ded67bf4fd3485ec6e9eb5aafb2b738ad21aec4d374a1f8a36d2190da505816b6efaad2d25000af1129f483eb2a88c6dce303bdc01865115824a63968f

C:\Windows\SysWOW64\Eajaoq32.exe

MD5 ac589e788abc94a3b5721864b521b0a2
SHA1 dd9e059657f450fd90a7c3ac29135c325eef5b8a
SHA256 dee02b1ce2f7e5c20d903e594539cc63d846319b4ef80efc55693904329ea5f3
SHA512 5a72c1e5844af23b89e18206287cad8bb2a700f925a69f95f15b655025df636624c6ffec9bcf8b255f72de41e4b4a8f82f9dc2915d26fd57f3246d005b8b0245

C:\Windows\SysWOW64\Eeempocb.exe

MD5 38263da5a70adcbe644880f11715bd98
SHA1 a8c554aa12e730592725417cf63f7f0350d125c5
SHA256 3540b639076b64f5e512c7184274c156b143f724c377eb569fb302e767ebcd30
SHA512 0f141723527434bf6878e26f65d5f5bca268f2fb9dd8688db71c7c8c26137e326cdcc5be9ec4629cc4b1967e86463b4589d04eb5b5a005853e5a4642c4d97bd4

C:\Windows\SysWOW64\Ejbfhfaj.exe

MD5 7a8b39efa860966bc421fbcfa23131a3
SHA1 6530c17a92cd8e4b315fdc061c4f4fcdb3b5950e
SHA256 0539e16cafcaa0d6304958aa294ebdaf2d4505b3d79c5d470cb39a2b039a90d7
SHA512 5373d9908381359ca4f877608a65ceae0e6dadfaa13b18769f99da9da378acc3d5e715c2e358e96befe22584fcc549e124f136ade0a0ba05f45984d211eb1b1f

C:\Windows\SysWOW64\Ennaieib.exe

MD5 2f69bd2820c0b632f8be5b00ead6e783
SHA1 27377e39692c60c4717cad4319fd0b45fd071779
SHA256 b598ece9b503df0d12c0d324ff302ed46feaeb2c4084b905e04c7e9799b7673a
SHA512 b5648aaf55285f88a4b447469cca13ebc0cffc9fdf30863b4d8654f66d3e07b96d872e74e7262380e85aaf6180a7f1534a9bbf5306a2493ff22257ab4da33758

C:\Windows\SysWOW64\Fehjeo32.exe

MD5 f28cc48b741ccc804ca335ad6d398277
SHA1 f43e9f2e12e19d22d1313ba53d3a1eafe8ad2147
SHA256 403fc91f2c88b309b8b85d3c927ac8577480c7ff7a88e5afb82cc39244ae324a
SHA512 9e03990c3228fca4530462bb06e8286ca52e14664717ddc67cbb46760cdc066738776c54aed270c10bdea9a508b5c75b6da5a016a7a001c08749abf328027524

C:\Windows\SysWOW64\Fhffaj32.exe

MD5 9aaae57e5f29770bef5cbfa8a580ca89
SHA1 f81eac6a27c2d555bddc5fca6802ac6cecfbd425
SHA256 91eedb2029e73be069eb5079f38087eb82e002fb076b6f510abfda68cb777f14
SHA512 2d749bf10f53db974c673cbd30cefc050b58c6e95beb3df2ef2cd203c349e29d92de54b46caf5df168555dad9afc4fa89006de3c1d700424a30e6f60f79fb423

C:\Windows\SysWOW64\Fckjalhj.exe

MD5 e816b9e8f000c4e1594277132816063e
SHA1 61fb3341d816034f62d41555f31b690061e502cf
SHA256 0b59ed583cf7bd500fdd89bd398ddc15edbd36f70d78bcb3392628cb4ca9334c
SHA512 936522958e36e2f1bde345fb07f38c2999cea4d23acc00ef46c1622931fd8fc3294413c29fd5149f400818dc410b20d6ed91a7d8191e23f0171e11258f978186

C:\Windows\SysWOW64\Flabbihl.exe

MD5 0b3f83b3ac3fd1569f09044088e9325f
SHA1 919fca702f62aa987e907aebfa9049ae440aadf3
SHA256 884333cc38f5db47f7e0209a6ba906efb4cceb41d9a3faef46eac197d1f4d1b8
SHA512 0feee7f4b41aa06d01718c5a10f925ec43f12887f0e6b96e16ca9159d9c5ea979823a93ef4d843cb32818458a64f82f7567f5186f4492163dcf05a433da1f5fa

C:\Windows\SysWOW64\Fmcoja32.exe

MD5 b0a815e16bb4bd34b010bc58ca2570a9
SHA1 b02b906854aff45a91a2cff33f78861c2db323e8
SHA256 b0ca2e33c7ffc4a9050487d7a33b34eacfe8307025ee00eb9cfc8d2453d47227
SHA512 4bcd9eae29aa7dafd568909d9fd8f529e7394309741ea908409e2a6c7b547439af8ae521c696936aa42a4a888f13b664677f2a442affb73bc178daef00d795a9

C:\Windows\SysWOW64\Fejgko32.exe

MD5 70c094225bbf653dc0c8c821167b8d83
SHA1 51a8e1bf5f214268d22da2e45ff1a5a2b09dc028
SHA256 81256cffe3d4afc4829b7bb3be8498c231eb3ae7e9d6d3c08f3ff913e970f916
SHA512 9d1c13d507f312cdefdcce5b9ddb8ac2a393a637fa3e2c6f4d21953ad435ea7a2288b781b7c26a8060651d0c811edba5c68c93239f1139ea1a5e3eb2db319768

C:\Windows\SysWOW64\Fhhcgj32.exe

MD5 1a7acd238aaf283ed611ad643c9f88a7
SHA1 7805690aa2861964177b0f97971386f918b5bb6f
SHA256 45b791126a08ad4a875b518495300759476da4f47ef886f021d03b54eda5f1f8
SHA512 c02051f946adcb71af54754ab50afc8ab12a408845baa344dae28a4d315f096e6b46e5838a11b1c28169953f213f6fec03e5e737a7a738cb3c3318889dce0936

C:\Windows\SysWOW64\Fjgoce32.exe

MD5 ba94191a885971ec6d325c22ca1a75e1
SHA1 9db6135963cf81c9125bddba828253357e443310
SHA256 0b7ba5d37c4f302e94774c44ee7b6688e76a524d04cd70ce9353749a503fc301
SHA512 c3f7929b81bd439cf3357f4bda64c25f724795eed9e56129cd68c6073b6d8d104a74b8ce444dcf27a58bb0d96a45926b3aa64d7e72492aabb8561b022f2e9c8b

C:\Windows\SysWOW64\Fmekoalh.exe

MD5 49015447da6d55f5360e2a9b443c78cd
SHA1 3a5dcb821a0e477007c0d40c1ffd1e773f900c20
SHA256 897d663135e5803d73638f328338a6db677651505b41e7542aef9c8f8f780934
SHA512 33ab3b1f3078ba154ab05111b59a8e03998907aecea8b4cb9cc8f1268fb067dc29bceaf8150080b4e84a9664e50d069fcc25fbb01fe3a7b619af260bcf3b36a9

C:\Windows\SysWOW64\Fhkpmjln.exe

MD5 a6d924899069def41abacbb05b5e256a
SHA1 03543d6d1f96e400985908c00d77f4dbd1e398e6
SHA256 845d396f48548e797f1db1d67a7c3793aacb8e9eb67cb6b5c8d5edf898b2b196
SHA512 c34b302e1cfb6f73dc35621971628c07cb921f569469dfb725e28ffb12b11b5811670d70c352e8a3f315ff12789a57cadec8bafbd7f81f638f61d41dab1850dc

C:\Windows\SysWOW64\Ffnphf32.exe

MD5 3a1cafa4fe2fc2b239b53c76937ec9f2
SHA1 32f13ad4792ac74b320aba52aae194b8ab8ebd3c
SHA256 07c37164491e0ebf0b35b0e4304561776ac85dbca908ad3dcc6740b733b0f27d
SHA512 25654a7a399369da62a8d65aac41ed1f6ba797485f3214fa561697084083156af52068b3c56bce67463a4573f6204ce7f2db609f1b4e48bc2189c274c2417872

C:\Windows\SysWOW64\Filldb32.exe

MD5 a34c692cd32205b7aa0ef297db27191d
SHA1 3be1f2453058eb6c5e9b3e8275574a5a6378fc18
SHA256 71dddd89c2181277d2a4c2a163518b0b4a36bd1e1b49771f3e8972ad13bf2dc5
SHA512 badb69e69c5de643ded02abc33f56fe29150c120116aa559322e2c4b478a52fbcc75271991a11a7495a9799c4634ccc8c6098781c5b2aa72c650240c346de55a

C:\Windows\SysWOW64\Fmhheqje.exe

MD5 8f768eec8ba1bf7c3cb267cc0226ddb7
SHA1 36c4d32350717e7935a8add7033c0e600aa62237
SHA256 652d292b843dc34bc15187e498c8fe37d4cb6d728fa2b3bc66705243168bd160
SHA512 83a022e75f8b629b7095fbae98eaa980cd7f60bffb96aec88074b9c1e7695422e32d952027d2ff4e4be6ef581e231ce7a7038269e133fa997316c9af6f23bc4e

C:\Windows\SysWOW64\Fpfdalii.exe

MD5 a60de8ab89abbf50101c317ee1493aa1
SHA1 998a12039e6cca47c214085c1b9793bc26f5d492
SHA256 f4c33602d0403045c92f79b2f7575f46429bb310b49c6b103ad5feaa5eb22323
SHA512 3a8a42999ca34cdb10374bf29266b14703fafc904bc046be38a0dcd1dfad036b79701742aeebd608136d066ccd57f5526c2c8def65bfbb2a2a25b4eb1d0a22ac

C:\Windows\SysWOW64\Fdapak32.exe

MD5 8553c057a2311d70fc2cc82ceba99cf1
SHA1 9e505716c2925f38b4cef250b0bc4d9d1aa7b4ef
SHA256 9dbed30cb2f801c6ee02f28c3d031f079f27e042de36f6c24d474e69888fbad5
SHA512 93947dbd8d255874b81b69bc08a3c37469156b39a8d25b8230d48c0b0c5a29c76062a5949627fbddf542d745ee9c8a8cf20744e11d19ffab86336800807ae6ce

C:\Windows\SysWOW64\Ffpmnf32.exe

MD5 8c8eec2ce5d7ee8de701775539a63040
SHA1 61cfd0d2cdb0ee162f26d94830978b8974b0dbac
SHA256 efdd704e8ba2a068655cd15eacc660caac038ae085b5b497ccc3420a09e794ee
SHA512 36f74bcd5453b1460dcdacb13f44d870189db39554892c1d2f8386dbe4e32dc530bde60de12ec18daf085c045a08c38064e4a03b842b60678167fa83fee2b0cc

C:\Windows\SysWOW64\Fioija32.exe

MD5 cfb0b934e6750606b2121b60b2dccd34
SHA1 2584b19356323e8fa2ae4b541577a517c6f8886a
SHA256 d3d9fe5f26a5252ff87b6c7ab1ee5a223e94af58b52c3878d951835ab71ba5ab
SHA512 016682e45a5817a74e61fe28100a241689c05f8bb6c07d89f6cdaf524b42a508c938f2283dbaa897d1c7196344c19cad8a886078555ab57c03c0e15fe9ab9b82

C:\Windows\SysWOW64\Flmefm32.exe

MD5 eea663c691520ce4d2dd6dd16c1133a6
SHA1 8ed1638ed5f355c330e0759935d117d3a0d9de1d
SHA256 24bdbfaf96e2969c5617e2c5c0c6e6f0993d860a2fc89f422be236e4dd4c7201
SHA512 382e701d674569d57ce6b405e959798f9a3857b820d3273cfcec22d4d2b8aa166b9cc541806a4c4f0606ed5ef8acb54bb9c167ed60f370966ac6c59fad4e117e

C:\Windows\SysWOW64\Fbgmbg32.exe

MD5 0b61a8e1e7c95bc2c658281fe68157b6
SHA1 da4edc277fccb07d0b9ef5577214c54d8ad262c4
SHA256 fb51905e7d25ab7ae87e615c403aa2b50118502b9363f1ccd8ac97c7b1c7abfa
SHA512 e9aa7b54863157db2dca181b617417695f7478f8a836b635ce00aeaddef3594526c012029cae1c8474fa48129ab31c93bb8841bafc6dfed31100e911e2668029

C:\Windows\SysWOW64\Feeiob32.exe

MD5 fd7eb7df33ec2e688dde1c017fa12af8
SHA1 8925fc1ed1f8cd20c9e79506687e949813b3450c
SHA256 ce8c3c08073fa411db6c1b307880f06a13882b91d71eb12f1559db4333816f81
SHA512 cfd19d4987e0b498fa7ae423523d83cc857f847ab936a8582e4931a4cfb24dca515fa4bc995c56aa4e8e9e073b5c4a44ccbe1344d415a685553c0e13c7948c22

C:\Windows\SysWOW64\Fiaeoang.exe

MD5 bbabd44622d931930c6339ce5f2acbf6
SHA1 dc8f07e049e8f4e862f7cbf928d4401bcd27f349
SHA256 fa73589e0dfec60a5a6b60fed6816fab8f70e765a9bdebc46f1bfb4a2e72eb66
SHA512 257ce637b051bb128f0bdaba1d2c2bfd77cd1befeadf8a5a6c6a65e2ad072baf6042f85bf7a8f1c6e7cb6625c4bf2677f0495ec85298fe33f1f287224c1df83d

C:\Windows\SysWOW64\Gpknlk32.exe

MD5 d05e61594bd998d2ef58cbfab38b52d9
SHA1 b00acaf86e86ca49c87c6b0a81a0547f7c474688
SHA256 e3fb07d6e41916655817b65f2de00cf75fd0ca2b876997d053e5bd7c3741ab86
SHA512 23b682942987fd8bec16cc746007ff35d691a8bd8b3f228302a7e922b9db5f2af4f352dd7df5df0cd3a331bacd26a7178581e8c0b11be81eae086a5eed1b5c55

C:\Windows\SysWOW64\Gonnhhln.exe

MD5 188c551331ea4ae356230394c4f29a7a
SHA1 b994c4b8ac9581da9a516ff5da9b5b11a0d11356
SHA256 cfe20ef8435a0b25bbb9d725d5ad593d4b2c86826161e24b343ab916ff883d81
SHA512 f8391be10f17afcd83d4f5aa76c7d063b5818101e5b76be81ffd84528d93aafc717a4f5641cc8443b7dcef976aa1645d1b694971d3f93fe3f6c95e04bb83e706

C:\Windows\SysWOW64\Gfefiemq.exe

MD5 797220f4fd41d3c629884d8858321baf
SHA1 f5ddc0c21f7a3e37b5c592048e6568ed91e90073
SHA256 ae62dfe90e3bf541040624d708c893bd2fc28a4caae36eecc4deb660c6c2ea8d
SHA512 4349b44d42e5a88571fba9edcf88a0c4b9a3cba38bab447d15b17d7eb5488ca6c20d15803a1de997b67fae5b30cfe940b161d38722db92e94170be9aee82f76a

C:\Windows\SysWOW64\Gicbeald.exe

MD5 146de9deec6ede98725c51a673e50f5a
SHA1 b413c0b98751ef90fc05cbae274bee4cc0c8f55c
SHA256 852092e4abd1aa370b03a8e5e6d19cf82f0d816c72758ae5d374e3223c949022
SHA512 8454b41b11fc7ec89f5b0d2fc02138d502a681f39be77ed15bb9a288ae5c02ea6f7aea0f3fba7b3ff11f004bceef60c8510f6dca6fe273eb55c34b2377037668

C:\Windows\SysWOW64\Glaoalkh.exe

MD5 091f2b85a10e9a58daf1ba7031233ff8
SHA1 a4428abfdc54bfcc2c8bb1d66dd7e1f263af8687
SHA256 7eeaed93a8ba9953662a3417daad8a1661b32d1a9693ebf1d139ff002380394e
SHA512 3f9c0f9641c698639ca0e24dc04fddd6ded1bd7aa99415dc3418f4035a4855c7d6b2976fbf1c8e9fa48e15b7d7e9f8c2445ae45d82a8ce886a9e6996185a8b02

C:\Windows\SysWOW64\Gpmjak32.exe

MD5 aec731142827360085df8cd949475288
SHA1 c40ff42afe63921323641473dc7eab7978096eca
SHA256 78c8c83a46065562a2d595bea7e13dd5b64964ff40947d2056c2ac148ba29c5d
SHA512 655600ad0ae1bf3c8dacd2d1f8e1f180624483bcfab21ea9e8d737498cf16b425fece47cc90762dc0f74dff27412a8abb0f22c719ca42b3716142b277b6d06ca

C:\Windows\SysWOW64\Gbkgnfbd.exe

MD5 f3c610d7882083ceb8a09ad23897a636
SHA1 fdaac662ba0de0d676c210e3dec8d9950ce63d06
SHA256 b7c8312319e9210e4227d0be57dbde4c2d33e11a03e5d52c250451ff8c3dd076
SHA512 5e9bf9d46b0d11cf8a5cff812e575808a06bfec737bad1b5db699364403dd4a537f386bcf886d344c0eb2b3c45c41e70c1e31e71d9fc0e5694c598d65352093f

C:\Windows\SysWOW64\Gangic32.exe

MD5 e17588da634838520cb11c243576a3fd
SHA1 85293516076b456b4ec0289d58e5f42c882d64a1
SHA256 652d3fc661f16eda16bf2f54c55f78b86f5dc6dcde4ebe21670525e3985fe73d
SHA512 634cf7be116ec6cc59fe080bcc3ded36a6e9c373f1b7d56abbf361a17249055fb150e8986a4c0441104d6037cfe7a994d4f30144f52bf084aea5781d122109a6

C:\Windows\SysWOW64\Gieojq32.exe

MD5 3eaf70cc2df8975880c007a3dd09d61e
SHA1 6ce296b6bd683a032565b3b58582332d957adbf5
SHA256 bda224e982d699d36ce3a1a5b7cd3546d024d1c0b5e7076591e2f20c066a8dea
SHA512 5e1710136d8e5a4b0448c1b26138a3992987251b5e3b64df763d80193d16aa6f9c69841b1fb11942f4a46b10f0aa0b0a5c4ebc33e2a3b3c8582275e3186a095f

C:\Windows\SysWOW64\Ghhofmql.exe

MD5 226733d2d6b4ee7c7be9eb58796cbeab
SHA1 e1361b11a1ad9c58e7d383d952f26d4ebba41a38
SHA256 eb1b15b4b9c258d9df7dba2bfdbb8fefc57188bd40a75a566135f5478d166a97
SHA512 592deba6a3c518a9d68d10ad618f1479b64397005545113b6454c6dc99732ed6dcbfed935dada029787076b150f21ddfe03b87c514ab7afcf162ef9804f7639c

C:\Windows\SysWOW64\Gkgkbipp.exe

MD5 54b3627c21a7f58543c21bbeedadc841
SHA1 2be5db8317fdd63e552bbc74112023feb1a5338a
SHA256 cca0ec641520e651fae4df309942e3b4e34e59412bc0b879333fdabb88f0c9a4
SHA512 a59f4286c7fec8c17ae3b10b7fb3097d1fed7007ef9c4272a2b2abd1282baf696710cf64cf06a72131077377caae9cf0fbbdc67aa85229c89a058810f2c961b3

C:\Windows\SysWOW64\Gbnccfpb.exe

MD5 c12f4a7e071fc49c26e00bb5e9b630ce
SHA1 fa32867796c92d2c34318eaa2418ea265985559a
SHA256 272195dcd18380a28bad7b33215a26ac76bc7f0b3b2f32e55d7abd9e979d6c5d
SHA512 7a306ffb24899cdc2bb4c73e5a824972b02c2390e8168c46563bc08548f603f72cfa317f4a5a44f554901dbe5f0da120b797ad7d2fa676eb4ecd2bf638f99454

C:\Windows\SysWOW64\Gelppaof.exe

MD5 aaad2b142023dbf762882766a3aa0ca8
SHA1 9ed754664b3ae8abfec3f0f9a5990f3de6cc4389
SHA256 06cbdd1363f1b8bef774f47f9f04f449f6b1d7cc2ab4ef673854fddb6b9ef967
SHA512 b2693f21229591b8c270fa344f4047da1a5454a48935e61bef96203c3d659fa00994ddde273dd0bf193b5f89bb4ef4cc65f23e57ce3a046f7058643db7edfc1b

C:\Windows\SysWOW64\Gdopkn32.exe

MD5 ceed7015778dcc68ef714fbbaf1a60b2
SHA1 11ede52330a978ea2a56121325300402427cd1ea
SHA256 72b83e84ef6f44fdd6578a4f6ef7d6ac0f1b0ef0e70d2934bc1a6f00cdfa7da5
SHA512 e5aa55a55a210cab77d1664b213c79bb53ca4bf3a0a136039e0f25b9980810c4b77a23906ef338d126f33822a591e7376a0f5a983cced97a30ca602830a2d841

C:\Windows\SysWOW64\Glfhll32.exe

MD5 e24127370a11175133048f1dbc3b032c
SHA1 c28c3d51a4e64987f497b68d1d1db51e861f260b
SHA256 a38314d05abe9762c1c2b5bc087db975339dd7f72150c3e9a94d9e95e92f0e1b
SHA512 fdd7d661c3a0655cf1cef764dcf6970d52f6f0a399a38d83d35f6b6daee67d014b44a36923d26910a3b4e7cc320e104f5185b1c2f70ca3ed50e0bae5e31d7d3f

C:\Windows\SysWOW64\Goddhg32.exe

MD5 eefa78339cfdb6155708bd4be0ca1d91
SHA1 45a5767b965cd66071fc24a3d531da4a64c17b30
SHA256 75d35f50f5e06a2676360bcdf2e8c47514cf8a1e4525d1541338f34284e4f56c
SHA512 7bc4dc6a2625894b28488dfbf9602461c87238ff3a144fb8dbae99acadffeaddc549211be4c52a23f4b0bfcc6742f2f3c5c3c57620a8b09a55deaa76cf48120a

C:\Windows\SysWOW64\Gmgdddmq.exe

MD5 a1eaff0c5714d18fb7a8a62f0dd967d2
SHA1 093390c7002718841405bf1f7b142189e027a0bf
SHA256 4540f0c153df399ee243ebc502505a1755d99609c99509a89eb14ee0d20ea7c1
SHA512 898f5d94b90e698d5a5c9d7f26b2bc6493b75785797fa3745b5e7e2eadc1327eaceb8fe90ae8932232076955272fb7928e694d3b55f35f38c7f9320059167df5

C:\Windows\SysWOW64\Ghmiam32.exe

MD5 bcaae3c731f0524da283c2febed5d82d
SHA1 a81dd60af333c753fa18e1d615462d09d57964b2
SHA256 1e9b66c540962b98ca6a68a538bc50d24d66d8daf3970d82f1edddfdda6e05c8
SHA512 284393877f26a9a65d41336635dd9ce965b0d15a943df257dc7d3cd38f3ed0d3e05dc837fa3d8b2e4f3b32dd1771309a2b37e7b36ff1b3ae068807b94f02660c

C:\Windows\SysWOW64\Gogangdc.exe

MD5 c349dddfbcc7916b74e8a4e80e9c6e2b
SHA1 2f375282aa5f50ed2069e9d1357040493d072124
SHA256 471e5ca613ce9d271b3b2b581f24f109d941a69f793830a021f56323ff4632c4
SHA512 8bc280acc2c7158951b4d0d7ebd7bfc570243c67d6d838c101c0704459d0fa927c38e797c5b87cbb2ca2cf0ba315b32753fdd6310b1b9bd1df8ef25a4fb8c807

C:\Windows\SysWOW64\Gmjaic32.exe

MD5 f264aea3a1760163d1c705c1f3db7b3d
SHA1 7361dcf50ba734bf0acf1c3c6aa12124d51f5ca0
SHA256 2bbb0fe58283f8d0b70f2778ec6d4a7ead441bddc9f25f1da3f07f2fcb5213d3
SHA512 47172277906c702e04c74beb334832c890e566dbe9826dfbd7b1a4a226c6a16f0e43e2da962797466819671f6dd10bec5dc8d0078e347e757c9e467efdc64527

C:\Windows\SysWOW64\Gphmeo32.exe

MD5 67c3a095f9cb086d00a3b268e7572250
SHA1 a76604e9eb3041dff12bf90ceb2b92be6fce84d9
SHA256 3ceff0b589d21c7b9c6d0be975a8224d9b0ccb05399bc78d8bf9106b43f147e6
SHA512 d45b5345ee3f47b47675234c3f480f7a7d46f02380a2e127ba13f8294ec9077a51c2699dcedf19d266a618555381eb506352694389f4932d479e4feeca20ba00

C:\Windows\SysWOW64\Ghoegl32.exe

MD5 3738f137e1f678a3dc8065d629e2e212
SHA1 53e60d0bc87434e10215ced0f5408fc6666566f7
SHA256 45465e238647c98939585a0d110ca13058c5963dec44615b882df76e7de6afbc
SHA512 9912c9dad3598919c70c1d3a03393f4b299467d5899fa20174fcce00c52a2286cab16a291f14759be9010954cd90c449e989e02e39e969f06a2d303411df63bc

C:\Windows\SysWOW64\Hiqbndpb.exe

MD5 e02d40956caf9257a0445531dc564503
SHA1 7de593774af840b5952cf53c0ff6abcf86761c25
SHA256 cc550973c139e2ced85bbaeb54fac4b3cc10046dba62156e0f4d05d47b1346c5
SHA512 24808dd461088baa93e523c2e280f832ae980a63023b58bfc90cdb7e9d70f0a761c79b9fefd1930c0e5bc23dae8caa63262a0f144024f64f38a06b3eef0f4080

C:\Windows\SysWOW64\Hahjpbad.exe

MD5 bff7bf2aebc04be55f08858161645019
SHA1 af48257673fee6c3097e681326cb0a9791c605af
SHA256 f2afb4fc9bf8a9ecaaad8bc4b998f9890f1cddbf795c2f760c437d6d84a7b4b8
SHA512 d44676dcbcb182e6fa5f375cea7a54489d3028f83a4a3228b9d092449c8ec5384482904f9aa32a2751045e39c290af142cdd61db6e3a10f79a4619c8220b0ce5

C:\Windows\SysWOW64\Hdfflm32.exe

MD5 a653131906c32a70109472a545fe06b1
SHA1 288ff8ec7b55adad623727da44fae7f191ef2c06
SHA256 6933f4efb6006760f91ca751ce02eef6ed4b8eb5d86af83b87c1ee9fcd36d8e7
SHA512 e43dfe3d93712eb70be77315319ae246ebaff3e8dc0a53bf785874014e4d7f0b75bc9d7372207c50630407497dca78d5f509966dbeffee51b1e532ff74438a75

C:\Windows\SysWOW64\Hkpnhgge.exe

MD5 9409790437822fb4f47facd6b7c6c969
SHA1 50db4cec17094e2c07b7be0cf83ac74ecf834b29
SHA256 890ea14b352711a9b73bcae0e32bf4f6da6eb11a6be328f15c18346dfec6d3a7
SHA512 02040aea53f948a77d02c1fa812be89ba5e7dd80b374e526991bf84d32341b2d3e77956bdafdb288029c7994095d6039d64a0e2f70c6c068eacee1c12a5b9ffd

C:\Windows\SysWOW64\Hnojdcfi.exe

MD5 8cb7b42dd1f70479b4327982a70a57e9
SHA1 e61b1ff996713654d30cf9f40e39188397194cbf
SHA256 38d060d229674189a215fc33cbff8813374759bae093cc1070937028d13f6b38
SHA512 0909696a05844b13d0cd448a462387ea4c3beb4e150d05bcb4f6a1f0363d0a736bccd0f64cff69b91bd9548b1973c51d02a76b67f473292ed941c24bccfd6393

C:\Windows\SysWOW64\Hpmgqnfl.exe

MD5 529891c14f2aa4bf51285ebcf155df57
SHA1 b1599fb3001bfe9f5e7e1d824022a18fe9dfd0fd
SHA256 920567176b752bb2854cc12d849b38c206994e6c0fcca34601a5aaac89dfea70
SHA512 1b982eb143baedc15b8e80c4f7080d61f14c545b7f9083d6fa2eac7402b3a32f7e413c2553f3e2354ac16c7c0f6344ec82bb1ba142e56972774f71b1f6a5ad20

C:\Windows\SysWOW64\Hckcmjep.exe

MD5 9b9f65c6166193ad446185684c733fa5
SHA1 8124bf2b7c6ac54ebb0667c16ddd1d86e6f51a2b
SHA256 bdc8a2a039ce38048ea79c5b2986a53f8a36a72b461f48140acff684e47a760f
SHA512 854557bf598c863c999fa837f6b37ef6617bc2634417266c9306d0f843fd2e862d147d8b5c5ed3e291064a1d5327a0a2148f01ad31b14987a6cf0c878de1c393

C:\Windows\SysWOW64\Hggomh32.exe

MD5 4cf74f4cad740eb93e2c2d2244de4058
SHA1 49bda687d119c32f1787d05973235d61435ea37d
SHA256 256cae56cfb095e77191a95e911e197e3939576656c48c7686ad0360c849de7f
SHA512 e8a8baca74ec8bed0d940418ece4e1365e23413b719935e6d443087729d91b74e57c830d463dd8a9ce174cc7e73497f5f401a93c605fc07d63d2c46e6e8bc884

C:\Windows\SysWOW64\Hiekid32.exe

MD5 b9d1d2582163248de85b794ba1389bdf
SHA1 d82cd8c57ba116a8ec588d0ca1ddc879d9df2399
SHA256 1e04e9aae99497f50f5be135efc4d7b9e2c43f156e9235beee46a070d13c7406
SHA512 bf5898a6bca5a71ea2b2bee7098d4496ff4e30c160af0a6fcbf05a7eae25d9eb74655af6230b7cc5c540b2efb0c53cacb6f68e995f8a58b4f3ac41205c7eb967

C:\Windows\SysWOW64\Hlcgeo32.exe

MD5 7a31f2d5d613b5fa66b09f1eebaf7835
SHA1 1b7ea1461864733fb53fcde0c3e3e1296eedf707
SHA256 dc78bb3efc53b8b430161cfe5d99d332ac556d69849dfab4832890386232bff2
SHA512 912d06d801d27a19c993aa7e06be60d3e0274e40e7df5d5a29a785bb83305f38a0dd98ecc2da0a7660c0408631b87e62badb248ac5f9c588b16d453c69881902

C:\Windows\SysWOW64\Hobcak32.exe

MD5 9ed24f925cfaa0f235327430042fda9c
SHA1 c6aca012a42d29c90b0ef2e95bd25f451e2a6596
SHA256 023a1625b07ab75d88893866b1c5206b49ae6fe2b8e230ca8c81b6e420f22087
SHA512 3640d835330266174bfbcae4e192df132385af886ad54226ce94e2ac592c34f1cfcd202fa15b9f4d8913c4ffb5ff5dd72208edf80004d8e33de792537f68b932

C:\Windows\SysWOW64\Hgilchkf.exe

MD5 96e0f02f3bb337388f577532c556b9f3
SHA1 0f553855276a4308f0e84679dbf7b3e2a849e6eb
SHA256 c66dfb23392d97d9dfc09bed4f4ba7e070a4681133fa0af39a8210b431ba481b
SHA512 b7650c93bfef9a3a975d52d0449bce9dbe4d21f591748bfdc06f22a606c04a986f3c02e95fd420b10e2a5abce90cccaecea36429f83bcc2f471d423d1c7ab517

C:\Windows\SysWOW64\Hjhhocjj.exe

MD5 2023601aac865b3471b300fff5193b84
SHA1 c3959affadac36f72ce153a089ffe04994cfae62
SHA256 57549aaecd358816b1ff5a30a02baee10aa59be030c9fccc1e728b0953b397ce
SHA512 24c1f148f2410f19672db8a63ae5a570cf57cf00bb9d72da354411e1d97df036ac9578bf2bf18ff053bd5893de26899c749b36e451f85c88d34c538eecda244c

C:\Windows\SysWOW64\Hlfdkoin.exe

MD5 f375110c666b64fabd722626990fe9fa
SHA1 444d9037c2bf42f4ce98d822e811fd49655b950d
SHA256 711454f712acca6c2c4048f1f4ae206f6bb4ef142fa497540aa50959f94c7200
SHA512 096c7d85c3292e9a67f292a4037090757dd5e774b84948ee199dc868cf7405fe06b79ec5c12ca93e1386772e5dd08659867003d224d9c9ae3a50b3c8c2d715da

C:\Windows\SysWOW64\Hodpgjha.exe

MD5 35dee71f52e28be72065b26e58c1a553
SHA1 e5db8e5d848b17da98b2a64af9af8e932f325961
SHA256 64eae670ca7220da71b6e27612e3aefd3fd41ee2dbcaed2d38ff50726390a577
SHA512 9983a6469900560b0759e0728f33a8d12a9433edb2e9bb7e53d0877a0198d8bfc65c3493bc6417ab9270830bc8aa914a641b1fdb8af23c7279a6adfe11d7812c

C:\Windows\SysWOW64\Hcplhi32.exe

MD5 8e48a714cc253246907da6d6fc77bad6
SHA1 feb56d49c81ca91d81bb2dc02680c815d3a75dd0
SHA256 bf86b5ed100909cbcb6d0676474c9ad0a643373fc49d05463bc8769334ec96cc
SHA512 8d971b2d1ff57b2202c27be52ad853566bed0f68c86c3fca3991335bc65e123510cf07e03a4c6cd6503038f49a7e98c8e9a2f92da426a9fc6741db0cb8628c39

C:\Windows\SysWOW64\Henidd32.exe

MD5 ed1158fe822d17f8be361acd118c88c1
SHA1 51dfae02dac0735681a41469e180747ba0953cd8
SHA256 5f43a88f00e3038869ef555ed50783fd207d37b029f2ba3a3d728777b56f8681
SHA512 4774376fd5033ca5d0b584d72d35367fd90e9b216540eab928a8ca5368f68cd993e7ac626be7986275ffb0402e125260ddd4adababb365f8b0957eff2d8ff5bf

C:\Windows\SysWOW64\Hhmepp32.exe

MD5 3e10536766fe7bfe220c6ac27105bef3
SHA1 84f9a9ff4ca8a7afa34e61518bb4e17f9b620793
SHA256 54594a71ae469d253ea15eb411b3bd27c0ce8f93c610ebf92157ed23cbed393e
SHA512 ce4443f7f887ba138afd52db318b624b15923f5efa80dbd12fa5d21d0d4e8c20ecdbcbed32f0c908a6a831a387484fffd8a5d0661f63f19b375a54a6e4b54abc

C:\Windows\SysWOW64\Hkkalk32.exe

MD5 600e47e4f6f403aabb187995737f0fc0
SHA1 b8723271d5b7978383eb27a48d8fff9ffa852aa9
SHA256 445c84823e98842f3e52679d6983db08fd6efedd911a0b18a446a1c7e7cb3b1a
SHA512 f38e65fa895c2e68631809718fe8046803192e17c436ae7c54bd97f67c383fa16e01c65b498213f2063f648e0f56140e920e764390a03a552c60a5e999c2a532

C:\Windows\SysWOW64\Icbimi32.exe

MD5 24f275e38d76bf8097f1e871a80fbe69
SHA1 280381bb19d5b58536a022d0dc806f1e7bc70fd7
SHA256 9a0937a203e908b6fc42be2d544d85d8ac7ef5ccd727afb5c5af1ec65e3d15e4
SHA512 24de41326ce96c803510ca8406f4c8961ecdff96db4b26c5e238dd53ed06866be8b1b56685856cc9dd6b51d9c18273402821583d541c77e64cb378bfb29c2931

C:\Windows\SysWOW64\Ieqeidnl.exe

MD5 50c35ff6118f62f5c53e3229feaf3c50
SHA1 a47a087aa00fd21ee5d7aa2e01c0794434885e0b
SHA256 d4fc1125028e638224f783260a33ebe7aabf67ddba3e60c4b651b3901cfb0584
SHA512 55773551c5ad07c0bf88f120347cbc725cee2af61277c0066ab6c5fa7e05218afdec8c37a90719c6c09559a2a8f1bd7cb2a3ff86c86a2aef56341cd16414df0c

C:\Windows\SysWOW64\Ihoafpmp.exe

MD5 afd27e219b18c82a4af5d23930b26348
SHA1 66c57552893f09d4a8ebbe21aa26f143b9824a99
SHA256 815a626e1a49528dae63240b1ad6327ae3a4640beae614dede94c8364742c597
SHA512 d88a0ddb56b4b29c2a6827b22a61d9becede6f10508258c43c064f9061ba86bfe0d3b9b27364eaa3b17602d6292012250aec2cca3c5e36febf51be8e7ab8badc

C:\Windows\SysWOW64\Iagfoe32.exe

MD5 66409bd5cee9a9e1818cd8dca3de78c7
SHA1 8818a0f684b9d3e00220b7f7a4ee8c441d8586ab
SHA256 81353f385ac4f0bd8fb615db10a40755935e528cc4aa39b5ef6a33faf14ec334
SHA512 d0770d765feb396a9b67f488053bd8c5ccd2a3a7ba4461a4eec33d403b1f737cea551688b97ed127ed2c9a2f72c79418535e7325593afa7efaaec6b3865895a6