Malware Analysis Report

2024-10-16 02:50

Sample ID 240515-vkjxpaba52
Target 06fcda0a0e923ec22a8cf0546795f620_NeikiAnalytics
SHA256 f297ac15619b88a1895cce2ff6b834dded0ab2085e2fe42adb02d1cb67c66dd4
Tags
persistence gozi banker isfb trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f297ac15619b88a1895cce2ff6b834dded0ab2085e2fe42adb02d1cb67c66dd4

Threat Level: Known bad

The file 06fcda0a0e923ec22a8cf0546795f620_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

persistence gozi banker isfb trojan

Gozi

Adds autorun key to be loaded by Explorer.exe on startup

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Program crash

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-15 17:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 17:02

Reported

2024-05-15 17:05

Platform

win7-20240419-en

Max time kernel

145s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06fcda0a0e923ec22a8cf0546795f620_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Baildokg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bnefdp32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cnippoha.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eloemi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hnojdcfi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hcplhi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gphmeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Boiccdnf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Claifkkf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cckace32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cndbcc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fhhcgj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gldkfl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gacpdbej.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ghoegl32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iaeiieeb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fbgmbg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gpmjak32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hiqbndpb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hlfdkoin.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ioijbj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ekklaj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eloemi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gpknlk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gelppaof.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gacpdbej.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gdamqndn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hejoiedd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dnneja32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Emeopn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Emhlfmgj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fbgmbg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Amejeljk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bghabf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Claifkkf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dgaqgh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dnneja32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Emcbkn32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fpdhklkl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gkihhhnm.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hpmgqnfl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hhmepp32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cbkeib32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cdlnkmha.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ihoafpmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Facdeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gpknlk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gangic32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gkihhhnm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hgdbhi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hejoiedd.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Blmdlhmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bnpmipql.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cgpgce32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cnippoha.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dgmglh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Flabbihl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fjilieka.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hkkalk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cgmkmecg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cgpgce32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dkhcmgnl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ejgcdb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fnpnndgp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Amejeljk.exe N/A
N/A N/A C:\Windows\SysWOW64\Aepojo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Boiccdnf.exe N/A
N/A N/A C:\Windows\SysWOW64\Bingpmnl.exe N/A
N/A N/A C:\Windows\SysWOW64\Blmdlhmp.exe N/A
N/A N/A C:\Windows\SysWOW64\Baildokg.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnpmipql.exe N/A
N/A N/A C:\Windows\SysWOW64\Bghabf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bpafkknm.exe N/A
N/A N/A C:\Windows\SysWOW64\Bgknheej.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnefdp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cgmkmecg.exe N/A
N/A N/A C:\Windows\SysWOW64\Cljcelan.exe N/A
N/A N/A C:\Windows\SysWOW64\Cgpgce32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cnippoha.exe N/A
N/A N/A C:\Windows\SysWOW64\Ccfhhffh.exe N/A
N/A N/A C:\Windows\SysWOW64\Comimg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cbkeib32.exe N/A
N/A N/A C:\Windows\SysWOW64\Claifkkf.exe N/A
N/A N/A C:\Windows\SysWOW64\Cckace32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdlnkmha.exe N/A
N/A N/A C:\Windows\SysWOW64\Cndbcc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgmglh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkhcmgnl.exe N/A
N/A N/A C:\Windows\SysWOW64\Dbbkja32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgodbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgaqgh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkmmhf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfgmhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnneja32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eihfjo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Emcbkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejgcdb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Emeopn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Emhlfmgj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ekklaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebedndfa.exe N/A
N/A N/A C:\Windows\SysWOW64\Elmigj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Epieghdk.exe N/A
N/A N/A C:\Windows\SysWOW64\Eloemi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebinic32.exe N/A
N/A N/A C:\Windows\SysWOW64\Flabbihl.exe N/A
N/A N/A C:\Windows\SysWOW64\Fnpnndgp.exe N/A
N/A N/A C:\Windows\SysWOW64\Fhhcgj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fpdhklkl.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjilieka.exe N/A
N/A N/A C:\Windows\SysWOW64\Facdeo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fdapak32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbdqmghm.exe N/A
N/A N/A C:\Windows\SysWOW64\Fioija32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmjejphb.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbgmbg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffbicfoc.exe N/A
N/A N/A C:\Windows\SysWOW64\Fiaeoang.exe N/A
N/A N/A C:\Windows\SysWOW64\Globlmmj.exe N/A
N/A N/A C:\Windows\SysWOW64\Gpknlk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gegfdb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gpmjak32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gopkmhjk.exe N/A
N/A N/A C:\Windows\SysWOW64\Gbkgnfbd.exe N/A
N/A N/A C:\Windows\SysWOW64\Gangic32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gldkfl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gobgcg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gelppaof.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\06fcda0a0e923ec22a8cf0546795f620_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06fcda0a0e923ec22a8cf0546795f620_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\SysWOW64\Amejeljk.exe N/A
N/A N/A C:\Windows\SysWOW64\Amejeljk.exe N/A
N/A N/A C:\Windows\SysWOW64\Aepojo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aepojo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Boiccdnf.exe N/A
N/A N/A C:\Windows\SysWOW64\Boiccdnf.exe N/A
N/A N/A C:\Windows\SysWOW64\Bingpmnl.exe N/A
N/A N/A C:\Windows\SysWOW64\Bingpmnl.exe N/A
N/A N/A C:\Windows\SysWOW64\Blmdlhmp.exe N/A
N/A N/A C:\Windows\SysWOW64\Blmdlhmp.exe N/A
N/A N/A C:\Windows\SysWOW64\Baildokg.exe N/A
N/A N/A C:\Windows\SysWOW64\Baildokg.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnpmipql.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnpmipql.exe N/A
N/A N/A C:\Windows\SysWOW64\Bghabf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bghabf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bpafkknm.exe N/A
N/A N/A C:\Windows\SysWOW64\Bpafkknm.exe N/A
N/A N/A C:\Windows\SysWOW64\Bgknheej.exe N/A
N/A N/A C:\Windows\SysWOW64\Bgknheej.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnefdp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnefdp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cgmkmecg.exe N/A
N/A N/A C:\Windows\SysWOW64\Cgmkmecg.exe N/A
N/A N/A C:\Windows\SysWOW64\Cljcelan.exe N/A
N/A N/A C:\Windows\SysWOW64\Cljcelan.exe N/A
N/A N/A C:\Windows\SysWOW64\Cgpgce32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cgpgce32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cnippoha.exe N/A
N/A N/A C:\Windows\SysWOW64\Cnippoha.exe N/A
N/A N/A C:\Windows\SysWOW64\Ccfhhffh.exe N/A
N/A N/A C:\Windows\SysWOW64\Ccfhhffh.exe N/A
N/A N/A C:\Windows\SysWOW64\Comimg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Comimg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cbkeib32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cbkeib32.exe N/A
N/A N/A C:\Windows\SysWOW64\Claifkkf.exe N/A
N/A N/A C:\Windows\SysWOW64\Claifkkf.exe N/A
N/A N/A C:\Windows\SysWOW64\Cckace32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cckace32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdlnkmha.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdlnkmha.exe N/A
N/A N/A C:\Windows\SysWOW64\Cndbcc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cndbcc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgmglh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgmglh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkhcmgnl.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkhcmgnl.exe N/A
N/A N/A C:\Windows\SysWOW64\Dbbkja32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dbbkja32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgodbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgodbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgaqgh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgaqgh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkmmhf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkmmhf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfgmhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfgmhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnneja32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnneja32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eihfjo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eihfjo32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Cnippoha.exe C:\Windows\SysWOW64\Cgpgce32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hkkalk32.exe C:\Windows\SysWOW64\Hhmepp32.exe N/A
File created C:\Windows\SysWOW64\Jkbcpgjj.dll C:\Windows\SysWOW64\Cnippoha.exe N/A
File opened for modification C:\Windows\SysWOW64\Hjjddchg.exe C:\Windows\SysWOW64\Hcplhi32.exe N/A
File created C:\Windows\SysWOW64\Fpdhklkl.exe C:\Windows\SysWOW64\Fhhcgj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fbdqmghm.exe C:\Windows\SysWOW64\Fdapak32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hpmgqnfl.exe C:\Windows\SysWOW64\Hnojdcfi.exe N/A
File created C:\Windows\SysWOW64\Gkkgcp32.dll C:\Windows\SysWOW64\Bpafkknm.exe N/A
File opened for modification C:\Windows\SysWOW64\Fhhcgj32.exe C:\Windows\SysWOW64\Fnpnndgp.exe N/A
File opened for modification C:\Windows\SysWOW64\Gkihhhnm.exe C:\Windows\SysWOW64\Glfhll32.exe N/A
File created C:\Windows\SysWOW64\Jondlhmp.dll C:\Windows\SysWOW64\Gacpdbej.exe N/A
File created C:\Windows\SysWOW64\Odpegjpg.dll C:\Windows\SysWOW64\Hgdbhi32.exe N/A
File created C:\Windows\SysWOW64\Hpocfncj.exe C:\Windows\SysWOW64\Hiekid32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fmjejphb.exe C:\Windows\SysWOW64\Fioija32.exe N/A
File created C:\Windows\SysWOW64\Gopkmhjk.exe C:\Windows\SysWOW64\Gpmjak32.exe N/A
File created C:\Windows\SysWOW64\Clphjpmh.dll C:\Windows\SysWOW64\Fdapak32.exe N/A
File created C:\Windows\SysWOW64\Glfhll32.exe C:\Windows\SysWOW64\Ghkllmoi.exe N/A
File created C:\Windows\SysWOW64\Ahcocb32.dll C:\Windows\SysWOW64\Glfhll32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hlfdkoin.exe C:\Windows\SysWOW64\Hellne32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bingpmnl.exe C:\Windows\SysWOW64\Boiccdnf.exe N/A
File created C:\Windows\SysWOW64\Dgmglh32.exe C:\Windows\SysWOW64\Cndbcc32.exe N/A
File created C:\Windows\SysWOW64\Hgpdcgoc.dll C:\Windows\SysWOW64\Hnojdcfi.exe N/A
File opened for modification C:\Windows\SysWOW64\Hiekid32.exe C:\Windows\SysWOW64\Hejoiedd.exe N/A
File opened for modification C:\Windows\SysWOW64\Globlmmj.exe C:\Windows\SysWOW64\Fiaeoang.exe N/A
File created C:\Windows\SysWOW64\Hpqpdnop.dll C:\Windows\SysWOW64\Fiaeoang.exe N/A
File created C:\Windows\SysWOW64\Hiekid32.exe C:\Windows\SysWOW64\Hejoiedd.exe N/A
File created C:\Windows\SysWOW64\Qoflni32.dll C:\Windows\SysWOW64\Comimg32.exe N/A
File created C:\Windows\SysWOW64\Gmjaic32.exe C:\Windows\SysWOW64\Gkkemh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Elmigj32.exe C:\Windows\SysWOW64\Ebedndfa.exe N/A
File created C:\Windows\SysWOW64\Epieghdk.exe C:\Windows\SysWOW64\Elmigj32.exe N/A
File created C:\Windows\SysWOW64\Jkamkfgh.dll C:\Windows\SysWOW64\Fjilieka.exe N/A
File created C:\Windows\SysWOW64\Ognnoaka.dll C:\Windows\SysWOW64\Cgmkmecg.exe N/A
File opened for modification C:\Windows\SysWOW64\Cgpgce32.exe C:\Windows\SysWOW64\Cljcelan.exe N/A
File created C:\Windows\SysWOW64\Hmlnoc32.exe C:\Windows\SysWOW64\Hiqbndpb.exe N/A
File created C:\Windows\SysWOW64\Bdhaablp.dll C:\Windows\SysWOW64\Hjjddchg.exe N/A
File created C:\Windows\SysWOW64\Ogjbla32.dll C:\Windows\SysWOW64\Ebedndfa.exe N/A
File opened for modification C:\Windows\SysWOW64\Ghkllmoi.exe C:\Windows\SysWOW64\Gelppaof.exe N/A
File created C:\Windows\SysWOW64\Fdapak32.exe C:\Windows\SysWOW64\Facdeo32.exe N/A
File created C:\Windows\SysWOW64\Jgdmei32.dll C:\Windows\SysWOW64\Gpmjak32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dkhcmgnl.exe C:\Windows\SysWOW64\Dgmglh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Eloemi32.exe C:\Windows\SysWOW64\Epieghdk.exe N/A
File opened for modification C:\Windows\SysWOW64\Gangic32.exe C:\Windows\SysWOW64\Gbkgnfbd.exe N/A
File created C:\Windows\SysWOW64\Kcaipkch.dll C:\Windows\SysWOW64\Gdamqndn.exe N/A
File created C:\Windows\SysWOW64\Hdfflm32.exe C:\Windows\SysWOW64\Hmlnoc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hellne32.exe C:\Windows\SysWOW64\Hgilchkf.exe N/A
File opened for modification C:\Windows\SysWOW64\Cbkeib32.exe C:\Windows\SysWOW64\Comimg32.exe N/A
File created C:\Windows\SysWOW64\Ljpghahi.dll C:\Windows\SysWOW64\Dgmglh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hcplhi32.exe C:\Windows\SysWOW64\Hlfdkoin.exe N/A
File created C:\Windows\SysWOW64\Iaeiieeb.exe C:\Windows\SysWOW64\Hkkalk32.exe N/A
File created C:\Windows\SysWOW64\Iagfoe32.exe C:\Windows\SysWOW64\Ioijbj32.exe N/A
File created C:\Windows\SysWOW64\Pmddhkao.dll C:\Windows\SysWOW64\Boiccdnf.exe N/A
File created C:\Windows\SysWOW64\Cdlnkmha.exe C:\Windows\SysWOW64\Cckace32.exe N/A
File created C:\Windows\SysWOW64\Accikb32.dll C:\Windows\SysWOW64\Bnefdp32.exe N/A
File created C:\Windows\SysWOW64\Dgnijonn.dll C:\Windows\SysWOW64\Ihoafpmp.exe N/A
File opened for modification C:\Windows\SysWOW64\Gegfdb32.exe C:\Windows\SysWOW64\Gpknlk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cgmkmecg.exe C:\Windows\SysWOW64\Bnefdp32.exe N/A
File created C:\Windows\SysWOW64\Ffbicfoc.exe C:\Windows\SysWOW64\Fbgmbg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ffbicfoc.exe C:\Windows\SysWOW64\Fbgmbg32.exe N/A
File created C:\Windows\SysWOW64\Hpdcdhpk.dll C:\Windows\SysWOW64\Bingpmnl.exe N/A
File created C:\Windows\SysWOW64\Egadpgfp.dll C:\Windows\SysWOW64\Fnpnndgp.exe N/A
File opened for modification C:\Windows\SysWOW64\Fjilieka.exe C:\Windows\SysWOW64\Fpdhklkl.exe N/A
File created C:\Windows\SysWOW64\Phofkg32.dll C:\Windows\SysWOW64\Hmlnoc32.exe N/A
File created C:\Windows\SysWOW64\Bghabf32.exe C:\Windows\SysWOW64\Bnpmipql.exe N/A
File created C:\Windows\SysWOW64\Bnefdp32.exe C:\Windows\SysWOW64\Bgknheej.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Iagfoe32.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} C:\Users\Admin\AppData\Local\Temp\06fcda0a0e923ec22a8cf0546795f620_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bingpmnl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nopodm32.dll" C:\Windows\SysWOW64\Facdeo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fbgmbg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chhpdp32.dll" C:\Windows\SysWOW64\Gldkfl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbniiffi.dll" C:\Windows\SysWOW64\Hpocfncj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Idceea32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\06fcda0a0e923ec22a8cf0546795f620_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gclcefmh.dll" C:\Windows\SysWOW64\Cljcelan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Comimg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dnneja32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Eihfjo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fmjejphb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ioijbj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooghhh32.dll" C:\Windows\SysWOW64\Ghkllmoi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Boiccdnf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpenlb32.dll" C:\Windows\SysWOW64\Cdlnkmha.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cndbcc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Emhlfmgj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Eloemi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hleajblp.dll" C:\Users\Admin\AppData\Local\Temp\06fcda0a0e923ec22a8cf0546795f620_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\06fcda0a0e923ec22a8cf0546795f620_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bingpmnl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpdhmlbj.dll" C:\Windows\SysWOW64\Elmigj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bioggp32.dll" C:\Windows\SysWOW64\Claifkkf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajlppdeb.dll" C:\Windows\SysWOW64\Ebinic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hciofb32.dll" C:\Windows\SysWOW64\Hiekid32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hjjddchg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Blmdlhmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bpafkknm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ognnoaka.dll" C:\Windows\SysWOW64\Cgmkmecg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gobgcg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hdhbam32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dbbkja32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ioijbj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dkmmhf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qahefm32.dll" C:\Windows\SysWOW64\Gopkmhjk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hejoiedd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hcplhi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhaablp.dll" C:\Windows\SysWOW64\Hjjddchg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljpghahi.dll" C:\Windows\SysWOW64\Dgmglh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fhhcgj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Facdeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gelppaof.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gphmeo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hgdbhi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Boiccdnf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bpafkknm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dkhcmgnl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fnpnndgp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Facdeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Globlmmj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkabadei.dll" C:\Windows\SysWOW64\Ekklaj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hejoiedd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bgknheej.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oockje32.dll" C:\Windows\SysWOW64\Cbkeib32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dbbkja32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Emhlfmgj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjchc32.dll" C:\Windows\SysWOW64\Fbgmbg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfmpcjge.dll" C:\Windows\SysWOW64\Bgknheej.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cljcelan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cgpgce32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hiqbndpb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cljcelan.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2944 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\06fcda0a0e923ec22a8cf0546795f620_NeikiAnalytics.exe C:\Windows\SysWOW64\Amejeljk.exe
PID 2944 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\06fcda0a0e923ec22a8cf0546795f620_NeikiAnalytics.exe C:\Windows\SysWOW64\Amejeljk.exe
PID 2944 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\06fcda0a0e923ec22a8cf0546795f620_NeikiAnalytics.exe C:\Windows\SysWOW64\Amejeljk.exe
PID 2944 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\06fcda0a0e923ec22a8cf0546795f620_NeikiAnalytics.exe C:\Windows\SysWOW64\Amejeljk.exe
PID 3032 wrote to memory of 2284 N/A C:\Windows\SysWOW64\Amejeljk.exe C:\Windows\SysWOW64\Aepojo32.exe
PID 3032 wrote to memory of 2284 N/A C:\Windows\SysWOW64\Amejeljk.exe C:\Windows\SysWOW64\Aepojo32.exe
PID 3032 wrote to memory of 2284 N/A C:\Windows\SysWOW64\Amejeljk.exe C:\Windows\SysWOW64\Aepojo32.exe
PID 3032 wrote to memory of 2284 N/A C:\Windows\SysWOW64\Amejeljk.exe C:\Windows\SysWOW64\Aepojo32.exe
PID 2284 wrote to memory of 2784 N/A C:\Windows\SysWOW64\Aepojo32.exe C:\Windows\SysWOW64\Boiccdnf.exe
PID 2284 wrote to memory of 2784 N/A C:\Windows\SysWOW64\Aepojo32.exe C:\Windows\SysWOW64\Boiccdnf.exe
PID 2284 wrote to memory of 2784 N/A C:\Windows\SysWOW64\Aepojo32.exe C:\Windows\SysWOW64\Boiccdnf.exe
PID 2284 wrote to memory of 2784 N/A C:\Windows\SysWOW64\Aepojo32.exe C:\Windows\SysWOW64\Boiccdnf.exe
PID 2784 wrote to memory of 2900 N/A C:\Windows\SysWOW64\Boiccdnf.exe C:\Windows\SysWOW64\Bingpmnl.exe
PID 2784 wrote to memory of 2900 N/A C:\Windows\SysWOW64\Boiccdnf.exe C:\Windows\SysWOW64\Bingpmnl.exe
PID 2784 wrote to memory of 2900 N/A C:\Windows\SysWOW64\Boiccdnf.exe C:\Windows\SysWOW64\Bingpmnl.exe
PID 2784 wrote to memory of 2900 N/A C:\Windows\SysWOW64\Boiccdnf.exe C:\Windows\SysWOW64\Bingpmnl.exe
PID 2900 wrote to memory of 2716 N/A C:\Windows\SysWOW64\Bingpmnl.exe C:\Windows\SysWOW64\Blmdlhmp.exe
PID 2900 wrote to memory of 2716 N/A C:\Windows\SysWOW64\Bingpmnl.exe C:\Windows\SysWOW64\Blmdlhmp.exe
PID 2900 wrote to memory of 2716 N/A C:\Windows\SysWOW64\Bingpmnl.exe C:\Windows\SysWOW64\Blmdlhmp.exe
PID 2900 wrote to memory of 2716 N/A C:\Windows\SysWOW64\Bingpmnl.exe C:\Windows\SysWOW64\Blmdlhmp.exe
PID 2716 wrote to memory of 2500 N/A C:\Windows\SysWOW64\Blmdlhmp.exe C:\Windows\SysWOW64\Baildokg.exe
PID 2716 wrote to memory of 2500 N/A C:\Windows\SysWOW64\Blmdlhmp.exe C:\Windows\SysWOW64\Baildokg.exe
PID 2716 wrote to memory of 2500 N/A C:\Windows\SysWOW64\Blmdlhmp.exe C:\Windows\SysWOW64\Baildokg.exe
PID 2716 wrote to memory of 2500 N/A C:\Windows\SysWOW64\Blmdlhmp.exe C:\Windows\SysWOW64\Baildokg.exe
PID 2500 wrote to memory of 2984 N/A C:\Windows\SysWOW64\Baildokg.exe C:\Windows\SysWOW64\Bnpmipql.exe
PID 2500 wrote to memory of 2984 N/A C:\Windows\SysWOW64\Baildokg.exe C:\Windows\SysWOW64\Bnpmipql.exe
PID 2500 wrote to memory of 2984 N/A C:\Windows\SysWOW64\Baildokg.exe C:\Windows\SysWOW64\Bnpmipql.exe
PID 2500 wrote to memory of 2984 N/A C:\Windows\SysWOW64\Baildokg.exe C:\Windows\SysWOW64\Bnpmipql.exe
PID 2984 wrote to memory of 2764 N/A C:\Windows\SysWOW64\Bnpmipql.exe C:\Windows\SysWOW64\Bghabf32.exe
PID 2984 wrote to memory of 2764 N/A C:\Windows\SysWOW64\Bnpmipql.exe C:\Windows\SysWOW64\Bghabf32.exe
PID 2984 wrote to memory of 2764 N/A C:\Windows\SysWOW64\Bnpmipql.exe C:\Windows\SysWOW64\Bghabf32.exe
PID 2984 wrote to memory of 2764 N/A C:\Windows\SysWOW64\Bnpmipql.exe C:\Windows\SysWOW64\Bghabf32.exe
PID 2764 wrote to memory of 2860 N/A C:\Windows\SysWOW64\Bghabf32.exe C:\Windows\SysWOW64\Bpafkknm.exe
PID 2764 wrote to memory of 2860 N/A C:\Windows\SysWOW64\Bghabf32.exe C:\Windows\SysWOW64\Bpafkknm.exe
PID 2764 wrote to memory of 2860 N/A C:\Windows\SysWOW64\Bghabf32.exe C:\Windows\SysWOW64\Bpafkknm.exe
PID 2764 wrote to memory of 2860 N/A C:\Windows\SysWOW64\Bghabf32.exe C:\Windows\SysWOW64\Bpafkknm.exe
PID 2860 wrote to memory of 1628 N/A C:\Windows\SysWOW64\Bpafkknm.exe C:\Windows\SysWOW64\Bgknheej.exe
PID 2860 wrote to memory of 1628 N/A C:\Windows\SysWOW64\Bpafkknm.exe C:\Windows\SysWOW64\Bgknheej.exe
PID 2860 wrote to memory of 1628 N/A C:\Windows\SysWOW64\Bpafkknm.exe C:\Windows\SysWOW64\Bgknheej.exe
PID 2860 wrote to memory of 1628 N/A C:\Windows\SysWOW64\Bpafkknm.exe C:\Windows\SysWOW64\Bgknheej.exe
PID 1628 wrote to memory of 1968 N/A C:\Windows\SysWOW64\Bgknheej.exe C:\Windows\SysWOW64\Bnefdp32.exe
PID 1628 wrote to memory of 1968 N/A C:\Windows\SysWOW64\Bgknheej.exe C:\Windows\SysWOW64\Bnefdp32.exe
PID 1628 wrote to memory of 1968 N/A C:\Windows\SysWOW64\Bgknheej.exe C:\Windows\SysWOW64\Bnefdp32.exe
PID 1628 wrote to memory of 1968 N/A C:\Windows\SysWOW64\Bgknheej.exe C:\Windows\SysWOW64\Bnefdp32.exe
PID 1968 wrote to memory of 2180 N/A C:\Windows\SysWOW64\Bnefdp32.exe C:\Windows\SysWOW64\Cgmkmecg.exe
PID 1968 wrote to memory of 2180 N/A C:\Windows\SysWOW64\Bnefdp32.exe C:\Windows\SysWOW64\Cgmkmecg.exe
PID 1968 wrote to memory of 2180 N/A C:\Windows\SysWOW64\Bnefdp32.exe C:\Windows\SysWOW64\Cgmkmecg.exe
PID 1968 wrote to memory of 2180 N/A C:\Windows\SysWOW64\Bnefdp32.exe C:\Windows\SysWOW64\Cgmkmecg.exe
PID 2180 wrote to memory of 2740 N/A C:\Windows\SysWOW64\Cgmkmecg.exe C:\Windows\SysWOW64\Cljcelan.exe
PID 2180 wrote to memory of 2740 N/A C:\Windows\SysWOW64\Cgmkmecg.exe C:\Windows\SysWOW64\Cljcelan.exe
PID 2180 wrote to memory of 2740 N/A C:\Windows\SysWOW64\Cgmkmecg.exe C:\Windows\SysWOW64\Cljcelan.exe
PID 2180 wrote to memory of 2740 N/A C:\Windows\SysWOW64\Cgmkmecg.exe C:\Windows\SysWOW64\Cljcelan.exe
PID 2740 wrote to memory of 1524 N/A C:\Windows\SysWOW64\Cljcelan.exe C:\Windows\SysWOW64\Cgpgce32.exe
PID 2740 wrote to memory of 1524 N/A C:\Windows\SysWOW64\Cljcelan.exe C:\Windows\SysWOW64\Cgpgce32.exe
PID 2740 wrote to memory of 1524 N/A C:\Windows\SysWOW64\Cljcelan.exe C:\Windows\SysWOW64\Cgpgce32.exe
PID 2740 wrote to memory of 1524 N/A C:\Windows\SysWOW64\Cljcelan.exe C:\Windows\SysWOW64\Cgpgce32.exe
PID 1524 wrote to memory of 1924 N/A C:\Windows\SysWOW64\Cgpgce32.exe C:\Windows\SysWOW64\Cnippoha.exe
PID 1524 wrote to memory of 1924 N/A C:\Windows\SysWOW64\Cgpgce32.exe C:\Windows\SysWOW64\Cnippoha.exe
PID 1524 wrote to memory of 1924 N/A C:\Windows\SysWOW64\Cgpgce32.exe C:\Windows\SysWOW64\Cnippoha.exe
PID 1524 wrote to memory of 1924 N/A C:\Windows\SysWOW64\Cgpgce32.exe C:\Windows\SysWOW64\Cnippoha.exe
PID 1924 wrote to memory of 2712 N/A C:\Windows\SysWOW64\Cnippoha.exe C:\Windows\SysWOW64\Ccfhhffh.exe
PID 1924 wrote to memory of 2712 N/A C:\Windows\SysWOW64\Cnippoha.exe C:\Windows\SysWOW64\Ccfhhffh.exe
PID 1924 wrote to memory of 2712 N/A C:\Windows\SysWOW64\Cnippoha.exe C:\Windows\SysWOW64\Ccfhhffh.exe
PID 1924 wrote to memory of 2712 N/A C:\Windows\SysWOW64\Cnippoha.exe C:\Windows\SysWOW64\Ccfhhffh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\06fcda0a0e923ec22a8cf0546795f620_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\06fcda0a0e923ec22a8cf0546795f620_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Amejeljk.exe

C:\Windows\system32\Amejeljk.exe

C:\Windows\SysWOW64\Aepojo32.exe

C:\Windows\system32\Aepojo32.exe

C:\Windows\SysWOW64\Boiccdnf.exe

C:\Windows\system32\Boiccdnf.exe

C:\Windows\SysWOW64\Bingpmnl.exe

C:\Windows\system32\Bingpmnl.exe

C:\Windows\SysWOW64\Blmdlhmp.exe

C:\Windows\system32\Blmdlhmp.exe

C:\Windows\SysWOW64\Baildokg.exe

C:\Windows\system32\Baildokg.exe

C:\Windows\SysWOW64\Bnpmipql.exe

C:\Windows\system32\Bnpmipql.exe

C:\Windows\SysWOW64\Bghabf32.exe

C:\Windows\system32\Bghabf32.exe

C:\Windows\SysWOW64\Bpafkknm.exe

C:\Windows\system32\Bpafkknm.exe

C:\Windows\SysWOW64\Bgknheej.exe

C:\Windows\system32\Bgknheej.exe

C:\Windows\SysWOW64\Bnefdp32.exe

C:\Windows\system32\Bnefdp32.exe

C:\Windows\SysWOW64\Cgmkmecg.exe

C:\Windows\system32\Cgmkmecg.exe

C:\Windows\SysWOW64\Cljcelan.exe

C:\Windows\system32\Cljcelan.exe

C:\Windows\SysWOW64\Cgpgce32.exe

C:\Windows\system32\Cgpgce32.exe

C:\Windows\SysWOW64\Cnippoha.exe

C:\Windows\system32\Cnippoha.exe

C:\Windows\SysWOW64\Ccfhhffh.exe

C:\Windows\system32\Ccfhhffh.exe

C:\Windows\SysWOW64\Comimg32.exe

C:\Windows\system32\Comimg32.exe

C:\Windows\SysWOW64\Cbkeib32.exe

C:\Windows\system32\Cbkeib32.exe

C:\Windows\SysWOW64\Claifkkf.exe

C:\Windows\system32\Claifkkf.exe

C:\Windows\SysWOW64\Cckace32.exe

C:\Windows\system32\Cckace32.exe

C:\Windows\SysWOW64\Cdlnkmha.exe

C:\Windows\system32\Cdlnkmha.exe

C:\Windows\SysWOW64\Cndbcc32.exe

C:\Windows\system32\Cndbcc32.exe

C:\Windows\SysWOW64\Dgmglh32.exe

C:\Windows\system32\Dgmglh32.exe

C:\Windows\SysWOW64\Dkhcmgnl.exe

C:\Windows\system32\Dkhcmgnl.exe

C:\Windows\SysWOW64\Dbbkja32.exe

C:\Windows\system32\Dbbkja32.exe

C:\Windows\SysWOW64\Dgodbh32.exe

C:\Windows\system32\Dgodbh32.exe

C:\Windows\SysWOW64\Dgaqgh32.exe

C:\Windows\system32\Dgaqgh32.exe

C:\Windows\SysWOW64\Dkmmhf32.exe

C:\Windows\system32\Dkmmhf32.exe

C:\Windows\SysWOW64\Dfgmhd32.exe

C:\Windows\system32\Dfgmhd32.exe

C:\Windows\SysWOW64\Dnneja32.exe

C:\Windows\system32\Dnneja32.exe

C:\Windows\SysWOW64\Eihfjo32.exe

C:\Windows\system32\Eihfjo32.exe

C:\Windows\SysWOW64\Emcbkn32.exe

C:\Windows\system32\Emcbkn32.exe

C:\Windows\SysWOW64\Ejgcdb32.exe

C:\Windows\system32\Ejgcdb32.exe

C:\Windows\SysWOW64\Emeopn32.exe

C:\Windows\system32\Emeopn32.exe

C:\Windows\SysWOW64\Emhlfmgj.exe

C:\Windows\system32\Emhlfmgj.exe

C:\Windows\SysWOW64\Ekklaj32.exe

C:\Windows\system32\Ekklaj32.exe

C:\Windows\SysWOW64\Ebedndfa.exe

C:\Windows\system32\Ebedndfa.exe

C:\Windows\SysWOW64\Elmigj32.exe

C:\Windows\system32\Elmigj32.exe

C:\Windows\SysWOW64\Epieghdk.exe

C:\Windows\system32\Epieghdk.exe

C:\Windows\SysWOW64\Eloemi32.exe

C:\Windows\system32\Eloemi32.exe

C:\Windows\SysWOW64\Ebinic32.exe

C:\Windows\system32\Ebinic32.exe

C:\Windows\SysWOW64\Flabbihl.exe

C:\Windows\system32\Flabbihl.exe

C:\Windows\SysWOW64\Fnpnndgp.exe

C:\Windows\system32\Fnpnndgp.exe

C:\Windows\SysWOW64\Fhhcgj32.exe

C:\Windows\system32\Fhhcgj32.exe

C:\Windows\SysWOW64\Fpdhklkl.exe

C:\Windows\system32\Fpdhklkl.exe

C:\Windows\SysWOW64\Fjilieka.exe

C:\Windows\system32\Fjilieka.exe

C:\Windows\SysWOW64\Facdeo32.exe

C:\Windows\system32\Facdeo32.exe

C:\Windows\SysWOW64\Fdapak32.exe

C:\Windows\system32\Fdapak32.exe

C:\Windows\SysWOW64\Fbdqmghm.exe

C:\Windows\system32\Fbdqmghm.exe

C:\Windows\SysWOW64\Fioija32.exe

C:\Windows\system32\Fioija32.exe

C:\Windows\SysWOW64\Fmjejphb.exe

C:\Windows\system32\Fmjejphb.exe

C:\Windows\SysWOW64\Fbgmbg32.exe

C:\Windows\system32\Fbgmbg32.exe

C:\Windows\SysWOW64\Ffbicfoc.exe

C:\Windows\system32\Ffbicfoc.exe

C:\Windows\SysWOW64\Fiaeoang.exe

C:\Windows\system32\Fiaeoang.exe

C:\Windows\SysWOW64\Globlmmj.exe

C:\Windows\system32\Globlmmj.exe

C:\Windows\SysWOW64\Gpknlk32.exe

C:\Windows\system32\Gpknlk32.exe

C:\Windows\SysWOW64\Gegfdb32.exe

C:\Windows\system32\Gegfdb32.exe

C:\Windows\SysWOW64\Gpmjak32.exe

C:\Windows\system32\Gpmjak32.exe

C:\Windows\SysWOW64\Gopkmhjk.exe

C:\Windows\system32\Gopkmhjk.exe

C:\Windows\SysWOW64\Gbkgnfbd.exe

C:\Windows\system32\Gbkgnfbd.exe

C:\Windows\SysWOW64\Gangic32.exe

C:\Windows\system32\Gangic32.exe

C:\Windows\SysWOW64\Gldkfl32.exe

C:\Windows\system32\Gldkfl32.exe

C:\Windows\SysWOW64\Gobgcg32.exe

C:\Windows\system32\Gobgcg32.exe

C:\Windows\SysWOW64\Gelppaof.exe

C:\Windows\system32\Gelppaof.exe

C:\Windows\SysWOW64\Ghkllmoi.exe

C:\Windows\system32\Ghkllmoi.exe

C:\Windows\SysWOW64\Glfhll32.exe

C:\Windows\system32\Glfhll32.exe

C:\Windows\SysWOW64\Gkihhhnm.exe

C:\Windows\system32\Gkihhhnm.exe

C:\Windows\SysWOW64\Gacpdbej.exe

C:\Windows\system32\Gacpdbej.exe

C:\Windows\SysWOW64\Gdamqndn.exe

C:\Windows\system32\Gdamqndn.exe

C:\Windows\SysWOW64\Gkkemh32.exe

C:\Windows\system32\Gkkemh32.exe

C:\Windows\SysWOW64\Gmjaic32.exe

C:\Windows\system32\Gmjaic32.exe

C:\Windows\SysWOW64\Gphmeo32.exe

C:\Windows\system32\Gphmeo32.exe

C:\Windows\SysWOW64\Ghoegl32.exe

C:\Windows\system32\Ghoegl32.exe

C:\Windows\SysWOW64\Hiqbndpb.exe

C:\Windows\system32\Hiqbndpb.exe

C:\Windows\SysWOW64\Hmlnoc32.exe

C:\Windows\system32\Hmlnoc32.exe

C:\Windows\SysWOW64\Hdfflm32.exe

C:\Windows\system32\Hdfflm32.exe

C:\Windows\SysWOW64\Hgdbhi32.exe

C:\Windows\system32\Hgdbhi32.exe

C:\Windows\SysWOW64\Hnojdcfi.exe

C:\Windows\system32\Hnojdcfi.exe

C:\Windows\SysWOW64\Hpmgqnfl.exe

C:\Windows\system32\Hpmgqnfl.exe

C:\Windows\SysWOW64\Hdhbam32.exe

C:\Windows\system32\Hdhbam32.exe

C:\Windows\SysWOW64\Hejoiedd.exe

C:\Windows\system32\Hejoiedd.exe

C:\Windows\SysWOW64\Hiekid32.exe

C:\Windows\system32\Hiekid32.exe

C:\Windows\SysWOW64\Hpocfncj.exe

C:\Windows\system32\Hpocfncj.exe

C:\Windows\SysWOW64\Hgilchkf.exe

C:\Windows\system32\Hgilchkf.exe

C:\Windows\SysWOW64\Hellne32.exe

C:\Windows\system32\Hellne32.exe

C:\Windows\SysWOW64\Hlfdkoin.exe

C:\Windows\system32\Hlfdkoin.exe

C:\Windows\SysWOW64\Hcplhi32.exe

C:\Windows\system32\Hcplhi32.exe

C:\Windows\SysWOW64\Hjjddchg.exe

C:\Windows\system32\Hjjddchg.exe

C:\Windows\SysWOW64\Hhmepp32.exe

C:\Windows\system32\Hhmepp32.exe

C:\Windows\SysWOW64\Hkkalk32.exe

C:\Windows\system32\Hkkalk32.exe

C:\Windows\SysWOW64\Iaeiieeb.exe

C:\Windows\system32\Iaeiieeb.exe

C:\Windows\SysWOW64\Idceea32.exe

C:\Windows\system32\Idceea32.exe

C:\Windows\SysWOW64\Ihoafpmp.exe

C:\Windows\system32\Ihoafpmp.exe

C:\Windows\SysWOW64\Ioijbj32.exe

C:\Windows\system32\Ioijbj32.exe

C:\Windows\SysWOW64\Iagfoe32.exe

C:\Windows\system32\Iagfoe32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 140

Network

N/A

Files

memory/2944-0-0x0000000000400000-0x0000000000453000-memory.dmp

\Windows\SysWOW64\Amejeljk.exe

MD5 7cd245eacfdca38be92e58cc822ec7b8
SHA1 cf664f2859017ce368e010d8cf7f14ff1c558bad
SHA256 b667672a909b9d77fde52e28e59b465e8f77cd4a63a311c7aed4c090fc58e9af
SHA512 e0794b24b90528fc2c79dfa6070b617f4231de02ef2e2afddc015577d61ff24062d8670f226f66d229226f27388316cc0c0aa9f1c181f97be84a051dd737e162

memory/2944-6-0x0000000000290000-0x00000000002E3000-memory.dmp

memory/3032-13-0x0000000000400000-0x0000000000453000-memory.dmp

\Windows\SysWOW64\Aepojo32.exe

MD5 f578171109499a34d9541fa03ca345aa
SHA1 a79c559bfd5e50ef610dbde2ec7d3f83889f3277
SHA256 b497ae962c71e6e91efe3624658f4fac4656c46cc721c93808d6731dd5f102a1
SHA512 71670b36ff45e833597ea2cdd2e5aa8ea158106e8acf876ae49b74d2cb6d0430566f9f7553517b50f38414d38681b98895cd417b4ac0b32fd1a1ad83578be680

memory/2284-27-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3032-26-0x0000000000250000-0x00000000002A3000-memory.dmp

\Windows\SysWOW64\Boiccdnf.exe

MD5 d503d0704b4d898c6e0e98777c405967
SHA1 6c34e3d968d113c10b47820fc15148dc2f2b6353
SHA256 de64e91f86d4d80ea8791bf3b7cf5a429b2ad3879707e75c4cd06b6a97e269d7
SHA512 cf6f8d0bcacb12b92b9cbb0496b28751b0046067d2379ad933306c9c63922836164ae8c2d6adcd2c48fb0ef7e64d02e4d47b2a7a0da110e308bc54a602f8d352

memory/2284-34-0x0000000000250000-0x00000000002A3000-memory.dmp

C:\Windows\SysWOW64\Bingpmnl.exe

MD5 ae37272e6eaeb9504cb8a4062d2656ba
SHA1 d297d21f34dec3dcd47a334b72ec5be64a0482ab
SHA256 68468adf850fa7262d82e459f2b0389f4fff165508a32ae7caa5a8f55a180200
SHA512 6f3412c4b19a5c0c5dfbcd5ce64b5c6b1270985f338decadf2d839638f746f31d17670fef601f334456831e98719476a9c33d2722b7722c74f84674a8b3f00b5

memory/2900-53-0x0000000000400000-0x0000000000453000-memory.dmp

\Windows\SysWOW64\Blmdlhmp.exe

MD5 697478cb72c1ea81563f0f0b7eaa245f
SHA1 48769be42a9d53020f4979c2b3c209e8e7bdef0d
SHA256 2897da5e3f942af5bd774baa6373c31f69d956af930375ba69b35cf7e5f283a7
SHA512 6f9d16392aa36519390085ce6754b02b5dfc5532209ff7dae0350fce91652ce5df20503d4a57c899351c28e89ca1f0cd96d6535d2ca59e07deb0eacddd17ced9

memory/2900-65-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/2716-71-0x0000000000400000-0x0000000000453000-memory.dmp

\Windows\SysWOW64\Baildokg.exe

MD5 4519a4d221b2e11374df464b0878d1e5
SHA1 232834bbe4925b254333bba759ba6b673a777e8a
SHA256 81af946164cfa05933efefb7d15aefc2058c3e6fb30603da6a0f26f9ccf46b2f
SHA512 28aac221275e8bc21a11c6bbd8542bed19409697048fa56ecd7f0888885b417f868ab021345055fbf7f527d6b0b5ff02f94111f7bae1a38531bb6362d7c6c7c2

memory/2500-81-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2716-75-0x00000000002E0000-0x0000000000333000-memory.dmp

\Windows\SysWOW64\Bnpmipql.exe

MD5 5a5c15c6c5e3a817d3d5568c4065d9dc
SHA1 5fbb5a7188dbb35955dcc4781092378097f4b672
SHA256 3dad5600e9f86a555e574c7d7bf6464afcd4bd1347d321db2805a2ca182a8474
SHA512 b74a7927706dc50ed9571a5e6430677bd34ea1f9fa66428cb4c8aecbae9dc6c8b29a8b7bd5e31ffcbfb2d3e5e92a3b7b819dd5729705378301d90687dab9e6f6

memory/2500-91-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/2764-107-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Bghabf32.exe

MD5 c1c518fb77a1f7788c3e262820a462e7
SHA1 b867fd47d76c97f0e650141a454acfb18ad51070
SHA256 c1cb4fa46fc0b558984211323a58717c29102f0ccd1ba55461f215e2e81a48d7
SHA512 449d6a8374683a4b7b5955f69bf4d6ee09f02493c126009830394ee773f366fbe58898b162fd7e8bd7166db427cd7055a1809fddbbfd3fd45614e2b4cff79489

\Windows\SysWOW64\Bpafkknm.exe

MD5 0e06ace187760861335deb5106c8559b
SHA1 9935b60760245af70122ad12bc7cdc6c6d266c43
SHA256 ffaac6f3d10bc22f351e582c6779732b9f5be7ba5527b7a80be79ef778ebf226
SHA512 6cfb69c3719876966da6e6b0201e16aebe3922567ff47e37ebd6d32dab48273dde20aad382a8902bcc3a83e493f1839e44685b7de591e75d4605679da7560674

\Windows\SysWOW64\Bgknheej.exe

MD5 e0b15d46e0eb989169564db6de9332aa
SHA1 e21c79ff5c76ab04ae563e1b9c7bc940e8bf3909
SHA256 136b17790ae600cb1b46d996f071fd3b5129e47292628b3918f188efc3563a2b
SHA512 4ed499cabcbd24f6b56a59867fc66932c71c3eff093677ea3a5850a3b83fec87bceaea8fcbdc6c07e05146182db17110bd6a7d2ac01acdcdce17f671f9039019

memory/1628-132-0x0000000000400000-0x0000000000453000-memory.dmp

\Windows\SysWOW64\Bnefdp32.exe

MD5 c45c2cae8ee4385cd83cfaca0ca87134
SHA1 fc7bebda2146578af0c19fb88b7c36f8f92081fd
SHA256 f52395cd99c1b3addeca3b4613220cd6e0650fe1245021cf6a8f13af8f091754
SHA512 b00742e32557ed2ddd0894ab8f781ae0aee40131074bb1096848f506d3082753f4e133e735630a9a9e5ddf1a1b34d6399334b3c4c5350564908d193c91ea210e

memory/1628-144-0x00000000002F0000-0x0000000000343000-memory.dmp

\Windows\SysWOW64\Cgmkmecg.exe

MD5 b6db019ada29ff981c74d8c279e951e2
SHA1 02e7d497ed6402fd24e5a82b9a113038ed53c647
SHA256 6779f240e214d5168cee3a26f95d8027b2b2eeb18708daa94c48ea6b7b3f0174
SHA512 2a3ec3784cd4a035474d7aa1272d0c9241e0c12b4f2179b779459cf428ad6f7871b81731b4270c4843d6749864cee3035424100631060293eddac537ea550965

memory/2180-158-0x0000000000400000-0x0000000000453000-memory.dmp

\Windows\SysWOW64\Cljcelan.exe

MD5 82bc4c91ba1a734d413e67965291cb29
SHA1 0f8201b8e34f3d5d7b12ca81199bc13f4855c172
SHA256 bffeb51707486a932ad2ff26b9c8823a383da3d28e0da421a446a0a3f3f59a35
SHA512 ab5e97fc44536fa827da2ce133e9488f25fc118d308a1865a3b25be93d96b91f43fca45ddd9ea563efdc5290d31b27a13afe96ae01a827e103a61cbd52d7699a

memory/2180-165-0x0000000000460000-0x00000000004B3000-memory.dmp

\Windows\SysWOW64\Cgpgce32.exe

MD5 d0a47a234347ed5ee6bf42a63b688b7f
SHA1 6f90770b9814c8f4864670eb6dba7dd6b01bac7d
SHA256 68c37c1b3547a731604060ca15ec63ae9c72a37c8f977e6d9e3cf908d5aff97d
SHA512 1d3f8207956d7d26bc7427374e1d01f086625caa57be3011d7d4e16a13cd41aa1d06e377a598d4f2bcfe87e453aedcdb5ec351b1f1fdf405d66544a1bd79436f

memory/1524-185-0x0000000000400000-0x0000000000453000-memory.dmp

\Windows\SysWOW64\Cnippoha.exe

MD5 17fffcb33a43f62557555d9561f0c2a6
SHA1 018f6b121db22c7d839646859edab3ec1ceca144
SHA256 5a8812ea161e5202bfe91991fc21ee40a1bb6ab5eaf7ed461f55b6cc4c34db8f
SHA512 dc8bd6b26d8f7a84de7618a3177c2042e9c82a4bd98a33ee1af28e9a83621e39019945731d37c92454b8837eca8da1a9b238498fbe981d546962661e493f8035

memory/1524-192-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/1924-204-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1524-202-0x0000000000250000-0x00000000002A3000-memory.dmp

C:\Windows\SysWOW64\Ccfhhffh.exe

MD5 738d46575ccca719eb0aaa261646231c
SHA1 beb9d9fc36fa74ba3bf26fd133ed731a8995310d
SHA256 4ce67347040838816869c574bb35b11d7a09a5d80960e974bc5d93daf5137cc3
SHA512 ae379fcc6673dcbd78c22142290fcb717cfcb1596381e14222f50e8fee952e355635d05a2c5df361248c131fb40ad6e012efd7fe72dbb48e13ff780663e0f143

memory/1924-212-0x00000000002D0000-0x0000000000323000-memory.dmp

memory/2712-214-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1924-213-0x00000000002D0000-0x0000000000323000-memory.dmp

C:\Windows\SysWOW64\Comimg32.exe

MD5 a41b148db6a1f3aba85c800981a5fb48
SHA1 a279bbbcd9ab6db1b941801013172093376e14be
SHA256 47a09352bcf71bfc973f1f526e40fc409e4502e3f6c697dfd8f2c59a7f069fbe
SHA512 44b791e333b504045210248595a2f36cbbb6606a7579ab31822287a020e6bf0d5a7baefafe8fd9c4a2e2acfd20c4dd8b40e733880394ec9349d90c076d15c116

memory/2712-225-0x0000000001FC0000-0x0000000002013000-memory.dmp

memory/2712-224-0x0000000001FC0000-0x0000000002013000-memory.dmp

C:\Windows\SysWOW64\Cbkeib32.exe

MD5 c6044b554cb0ab51759325c670b33c41
SHA1 52855379853af116cfd821051c7109c6eb9a6875
SHA256 bb23a938d5ece4aba1eaa578f49d18046ec25285a6d813a1fabfc26fabb39cd2
SHA512 8e3d0eadfac06a9387595f90667cb259bcf064af4560ab6a6b9c3deda70a2f5d055b6aaa919427e51a7378f537fd02992ee29ff77721cc8219474049796d8f73

memory/484-234-0x0000000002000000-0x0000000002053000-memory.dmp

memory/1476-236-0x0000000000400000-0x0000000000453000-memory.dmp

memory/484-235-0x0000000002000000-0x0000000002053000-memory.dmp

memory/1476-242-0x0000000000250000-0x00000000002A3000-memory.dmp

C:\Windows\SysWOW64\Claifkkf.exe

MD5 be833a578526a40e5ae02aa1d041acc9
SHA1 55c862ad04c38f7642a049021dbacbdfb6c680fc
SHA256 295a083d07a598107365f554778fac73cfa3109aee5016a8c811810f2e3d7476
SHA512 f560cee0fa2e03a35896c7863185abc63a9cdbdb01a4a9ecac5a08d9b566c4ccd030c9f0e049a92425c5badc361d487b96e19e891f069cb57cbc047605af6cf3

memory/1816-251-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1476-250-0x0000000000250000-0x00000000002A3000-memory.dmp

C:\Windows\SysWOW64\Cckace32.exe

MD5 70953f360aa0d87e21b97b5bc88331b7
SHA1 7fe3a1910953c540e48c15cf053b1fc380906e32
SHA256 afdf82a8babb24260664f4bb09c39eca4a61e64e6206932d6805bca8917506bf
SHA512 afb949e64f1a30079a371b79f176b18b4557a47622e5a8452111d43842ff82523d9accada9313a6407ad702e1c263e0f810fcef886e40a1316ed6e001766beee

memory/448-258-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1816-257-0x00000000002D0000-0x0000000000323000-memory.dmp

memory/1816-256-0x00000000002D0000-0x0000000000323000-memory.dmp

C:\Windows\SysWOW64\Cdlnkmha.exe

MD5 2eb8a35e30901cd7ea92201f5014b6ca
SHA1 0662b01715a2e980f1aff6f999362a3dc36faa8f
SHA256 8e665708f6209da0f97608704452038e72c6c721d15b6002902e372d477907b5
SHA512 3f2bce9a1e1bb00eb2951dc863ea95aa892382ac45336c306906dbab2dd91af1e8fce5a1959e364d1ce658795ee59795463a13524e7af2b684a350b80e8bc2c5

C:\Windows\SysWOW64\Cndbcc32.exe

MD5 448cca6cac9e478afafe4120fc124b63
SHA1 ef5ebcbdf30a903cfc63731e2ce6be0bf3a9e742
SHA256 bc2287e027637b3e0fe3cbf549d20f7025393014c3a477f036f51b563c3c0409
SHA512 88b57712559f8c52fcfc26f93605177e79edc394e1a5e0d994caffeec83850b07eb0a5b53488fb20aa925649eafece3d3f07a6ac5963c54449a3d8aaffb52621

memory/2052-278-0x0000000000400000-0x0000000000453000-memory.dmp

memory/884-277-0x0000000000290000-0x00000000002E3000-memory.dmp

memory/448-272-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/448-271-0x0000000000250000-0x00000000002A3000-memory.dmp

C:\Windows\SysWOW64\Dgmglh32.exe

MD5 c5cb8f2cc4fba084047463ce74948c63
SHA1 a4dc0aba2ce73931ce8f3fbd40b84b0835cdafe4
SHA256 797b91684e231752030f32449fb58de708d014d6e4a4262cdd2327c72e98edd4
SHA512 558780648eb3e3fea8d032f916647b25bcd88089eb8afa8d7fb05a45a42dfaf954fda0bdacc3a419d74b15b951fa237ccafc82c18e41282c49ddd11870fd6278

memory/352-289-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2052-288-0x00000000002D0000-0x0000000000323000-memory.dmp

memory/2052-287-0x00000000002D0000-0x0000000000323000-memory.dmp

C:\Windows\SysWOW64\Dkhcmgnl.exe

MD5 0be94bc5c8dc3cf71b69f03cbbb4f352
SHA1 b5068f552552b87c0b988fe62a5e53608ca084da
SHA256 9d6759dd677dce7913a673b7eb179459d317eb056de91fd889d2836ab625fc3e
SHA512 4429c26b283ae77c5ad5147161e09f38631fa1b87d5f87c0be7c63586892b7f434ebb48d7ddd744488e292f861b6f6a4cac32a70ba7839ff4ca5e5bf9d51d1cd

memory/352-299-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/1496-300-0x0000000000400000-0x0000000000453000-memory.dmp

memory/352-298-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/1496-310-0x0000000000320000-0x0000000000373000-memory.dmp

memory/1496-309-0x0000000000320000-0x0000000000373000-memory.dmp

C:\Windows\SysWOW64\Dbbkja32.exe

MD5 47ec42299dbb15593afa70b82d109879
SHA1 7ab15175a137fe52a66337041264cf606b16eee7
SHA256 3e7a0af1f266fba09623f060a292d4d0aff6f8972903526c56e50b65c4d82dfc
SHA512 8d2a618950fffa00d4c3388ce6aadfae6e8b26bdd49fa0b2e8a9b7088b7164def7315ef28288328cbd5814099708ebfe0e30821193caca591c8fefccce78c38b

memory/2456-315-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2892-321-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2456-320-0x0000000000660000-0x00000000006B3000-memory.dmp

C:\Windows\SysWOW64\Dgodbh32.exe

MD5 9f07a0c5b20465ea845fceea8e340692
SHA1 7888d3623a5532d878e65bead973cd29eb8f0696
SHA256 7d952631e46d3e25502f086565e720c66c876fbd39ba3da62e5bdb3c9a92a47f
SHA512 1d78ceeaa39a9b821501a970a59dea59ffccd1e27c9dba36576b73c5d96608cdfd21094b2468c16591ba199dc07bf594df65be600187d7fe34db0775591287e7

C:\Windows\SysWOW64\Dgaqgh32.exe

MD5 eb7f7d90d09877a045395fc089073245
SHA1 d39e74aec3187adffba7f1119aeb4eab8ea22018
SHA256 2867c123769e7675abaa482b5fc36e2fd72b8598c6113eb5a794ca66db0dcb40
SHA512 6303d6ea8d17926f296609008d71e7669b88ff90cac2012ca206873c9f5f57783299f950d09d49f0df15847e6f0efdab6ecb5286a63c668c2aa7d3c10186027b

memory/2700-342-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2684-341-0x0000000000250000-0x00000000002A3000-memory.dmp

C:\Windows\SysWOW64\Dkmmhf32.exe

MD5 98d2bd2d9f6bec9c7dd62cd37e581c93
SHA1 034fbc9f6a4ce8f4cf63177fb971d588b022a21c
SHA256 2a19ec06e5c57a4e4e403b443fe429fbcd2d30bccb3feaf019ddbf886c897517
SHA512 938919d6422cc3a5d86bda5e6966d200fa4aceb227d2c7394ad709973614ed09250085ca6da8c4864b712b974ca1900707e614af336fc61fbf65bd48b07033b6

memory/2684-336-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2892-335-0x00000000002D0000-0x0000000000323000-memory.dmp

memory/2892-334-0x00000000002D0000-0x0000000000323000-memory.dmp

C:\Windows\SysWOW64\Dfgmhd32.exe

MD5 a5fa97f1a89c1584e07330475223cca6
SHA1 577d32f0a1aa01272fbce7807cae8c023736c283
SHA256 df9c2739423d4f88b352bccfc04027ad907980efb98481efb976c3cb8a66268c
SHA512 10176655c9a57cc56ef057244c5ffd5cc886344f05336d7c2c37be1b0e25c23030a07765c247d2887365770e7b96527e289f9909252cb8a8a1ef667fd868d84c

memory/2700-351-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/1160-359-0x0000000000320000-0x0000000000373000-memory.dmp

memory/1160-357-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2700-352-0x0000000000250000-0x00000000002A3000-memory.dmp

C:\Windows\SysWOW64\Dnneja32.exe

MD5 3f2922d37e8afa6506c1873075e4178d
SHA1 aa8b2cdbd39600733bf131be1e946a8da41cb137
SHA256 6369835cdac2b19a050d28bdb02f32aef554ad31ef20d13a0daabd048f50ec81
SHA512 792396b5dc05576f3cf34bea64977b1b2374c1bf226a0e4d576169275cedf563fb5ada1075818af1e836b23760767f6adc25e8889333309e6485f08fc08b7ef6

memory/2308-364-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1160-363-0x0000000000320000-0x0000000000373000-memory.dmp

memory/2308-370-0x00000000002D0000-0x0000000000323000-memory.dmp

C:\Windows\SysWOW64\Eihfjo32.exe

MD5 0807719f1a6afd59f77023dd662b2d50
SHA1 9c1c201b9cf25a0e7adc211a99f0bc119325b5fb
SHA256 47548180c7bbb775cfe325d11a7686cd5811cd499985bf031767e75b0b4bd3a7
SHA512 b2f2e0c0053c41cca60ed030c81f23c1c0954066414327bde9153b58a5a5ca21258686ba1a45a79f0e3aa4a9626d7e715a103da2833566218b4879d41dbe3f05

memory/2308-374-0x00000000002D0000-0x0000000000323000-memory.dmp

C:\Windows\SysWOW64\Emcbkn32.exe

MD5 c30753762138295fa872f26caf3adaa6
SHA1 86839362ddc96590a12719036ac172baecb2ae11
SHA256 7a1211344ed876674137870df2fe059466a37807b80aaae2c1c356233910427b
SHA512 fdfa73873c1f5535da905e6c73916701bf7575c616f43c0c1c17d9c19f8256b22560668448dcabccb88f14405ce541b5da1589267c9f2f20a0fd9de3ada3be2b

memory/2672-385-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2560-384-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/2560-383-0x0000000000250000-0x00000000002A3000-memory.dmp

C:\Windows\SysWOW64\Ejgcdb32.exe

MD5 de7f719d4e42e9b114b255f306ddce41
SHA1 32591981080108fc3da2712f73ad6c161acee3b8
SHA256 9bc294ac071a423bce6a124acf97a2be4210567928ba8cf434df80d27833298f
SHA512 0bf2eccbfe2f9fc2e5c5adf688b065edfe0303d5f19f0dbe8356395ba5a3ce88754f993b3068d084ae521bddf1541e75fcb832343fcd075dd5bb3b19c5a484c8

memory/2996-400-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2672-395-0x0000000000460000-0x00000000004B3000-memory.dmp

memory/2672-394-0x0000000000460000-0x00000000004B3000-memory.dmp

C:\Windows\SysWOW64\Emeopn32.exe

MD5 00208a7036d35a92a6ebeb5d48fb74cf
SHA1 acc726f30f6c58ddb7d11f68106fd8d9d66575f6
SHA256 a0e4f4063e339e375a728c46451ea6c1bc206a532df57caf0a31a1c7560c327a
SHA512 4293307dd3732bcee8dbb70bf7be8b27c18ab3bebb36cce2fbf4dfbe49d407f466d4fee0c2304982ab9a246309535e5cd5b8fc88f9c96fd7ec86d90786cb57ac

memory/2844-407-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2996-406-0x0000000000260000-0x00000000002B3000-memory.dmp

memory/2996-402-0x0000000000260000-0x00000000002B3000-memory.dmp

C:\Windows\SysWOW64\Emhlfmgj.exe

MD5 54b04e98916d12f1538f498a93c502a6
SHA1 644aef1890f9c72c9aa1287b10085bf3c0471728
SHA256 8a9a26a1eac64fcc8a9984101fe8056f81b73d8241569cf44966bb1ed341af24
SHA512 bd9f81f8f1e529bb6264ac6c8d9771c83b4b4b8f1a57ea9cf6ffd5fc0b6237f7b62440d0815d97602ee00a0890df806b8c4e7f4bc8073945d9103415b6ca4ef7

memory/2844-421-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/2844-420-0x0000000000250000-0x00000000002A3000-memory.dmp

C:\Windows\SysWOW64\Ekklaj32.exe

MD5 18d901a496424fc5212f7d4db51e2b78
SHA1 d2ff01b854e86e3d40f0113abf82e45e0288d5be
SHA256 d68a93d9b161fc278857f4634c2928c1805fff55ec28417126bdfc1d46d43b86
SHA512 e07cde7ca6c78c1b8e165fe4105e04eb40c082a8201185680fbb40abab57d4057db3c702f1ffa810b642982d2ba44499ecdc4ae5b83a1db85b76ef935c2fbc02

memory/2972-427-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/1980-432-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2972-426-0x0000000000250000-0x00000000002A3000-memory.dmp

C:\Windows\SysWOW64\Ebedndfa.exe

MD5 61f8d2a9b181fa39390555f4fad9b4f1
SHA1 13a32fba5042c22ee92fb98fec5b58ebb19c8b5c
SHA256 c5dc221afd217ada4611f1f5238b5fe84bac13fc769a9d1bf464add179c567b0
SHA512 ea6c8217ad08ff7b1259a98c5decc75b3b946e599cf31804ec39adcd79c28d9ab56c4802ff30ccc6482fb78fa7d71d56b5c8b1169d3e1dd7cb31dc52936e57df

memory/1980-441-0x0000000000320000-0x0000000000373000-memory.dmp

memory/1680-448-0x0000000000360000-0x00000000003B3000-memory.dmp

memory/1680-452-0x0000000000360000-0x00000000003B3000-memory.dmp

memory/1272-447-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Elmigj32.exe

MD5 590585e69961d6c207e45cb99e80b3a8
SHA1 ee4720247e62efce6a227fad27ab3446247410e8
SHA256 89983e6ab296a7674c058b15f2944519c08bbf10b330249f3744f083ed1ccc01
SHA512 6eca726316839bce84bd16efa957e3789c78ee6c5c04b05ee3a967cc920139696dfed4055e6e32c1d9ce387898cc4c350dcfcac26567c4c33dcb0c0f76fe6be8

memory/1980-443-0x0000000000320000-0x0000000000373000-memory.dmp

memory/1272-458-0x0000000000290000-0x00000000002E3000-memory.dmp

memory/1620-460-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1272-459-0x0000000000290000-0x00000000002E3000-memory.dmp

C:\Windows\SysWOW64\Epieghdk.exe

MD5 1dc88c1510b71fc407e008defcc52b83
SHA1 26c7496980c7c2ad186845f40b89a758a3726848
SHA256 23e2c7818b0d144283ed6584f3415b1996674c50312c55217cf78edcdabf5ca6
SHA512 773e4f67ca461308d0e06aee920f6853a7e2838d763f2b47eec0677a61c45cb89d6aa250a1e39442e8a07ac6150c42854af9ab9f0831fcf266e26e759cfad4c4

C:\Windows\SysWOW64\Eloemi32.exe

MD5 4b56d721471817d624da91a46f7456f3
SHA1 f48d69f6a03a08f9b5ac1e0056c321cd83284da8
SHA256 6ad590fd6e792b3eee8ba0ccfc2331b4b7e7f34c6db7d9e8ad06452b2e82db55
SHA512 ce9c6e7dccc56ced83bb6e9c680f4190f13d90233d697704766056a41cbbf83f627f62c273715ed9ef1eab5510a40ad7acfd98a37bd0642873f88b70a2bdd70f

memory/1620-469-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/1620-473-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/1092-470-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1092-481-0x0000000000460000-0x00000000004B3000-memory.dmp

memory/1092-480-0x0000000000460000-0x00000000004B3000-memory.dmp

C:\Windows\SysWOW64\Flabbihl.exe

MD5 f28b80ba389a071e440162a0f43b51d5
SHA1 5e7f6df5631c559855553abb8e0680cf5c6f9867
SHA256 94a9a4d6935d90353e75bcee441d22978c2806f5310aeab57eca9584a88d3c07
SHA512 88faee45a20b205cb7fb40d7afb9f86e69e9d2336e9ff470571eb099694ca2666e7b1c7c9deca413204603e61706470257391f0a9309ee9e0198400f00f41e52

memory/1300-492-0x0000000000260000-0x00000000002B3000-memory.dmp

memory/1300-488-0x0000000000260000-0x00000000002B3000-memory.dmp

memory/1300-486-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Ebinic32.exe

MD5 fddbd2466be8993485f233366f138ed8
SHA1 0267e093e5b2bcf81f4a9447394119cb3ff4319f
SHA256 af1b0656fb5f89934ca6e99c1493e716da41ded3a4f1894b680b2f9e581062b0
SHA512 ae65e2b71a4f4552abf7e55c67438a175eadadb7ca83c929415feefb3c6a57a7d57bc8ec866c533c783f8e5d25f3b53c2f0521124854792fa42c48c2acce1c34

C:\Windows\SysWOW64\Fnpnndgp.exe

MD5 cf87ff163d39600f6a2b3c7459bba4c4
SHA1 7df075306826e22f659ebeb49973b1c780b829aa
SHA256 b20b5f9cd3d1f3f67eecfc73930451a6d7a6f29f64a49b7477528db03436490c
SHA512 0211517d5250dbff04e18c264177c171bb34880ffaf865dd48dc4d57f218d7f3ea5bb9c656a159c353e6082d8e9c476c9334ee293b1dfbd08cb9b5d05691bc98

memory/2912-506-0x00000000002A0000-0x00000000002F3000-memory.dmp

memory/2944-505-0x0000000000400000-0x0000000000453000-memory.dmp

memory/264-511-0x00000000002F0000-0x0000000000343000-memory.dmp

C:\Windows\SysWOW64\Fhhcgj32.exe

MD5 a60304c69435828b12f218f84333795d
SHA1 efde633d1ffd8463186acff357dad68d68fb3fe4
SHA256 7c7a83f7ace1ff1ca6f4e7317e556dcb6308bf4df1341cb88c4dcdbfb8851512
SHA512 c4250fc04b2ce8ed82cf384441f8e0f9b94239d55c84fcbc3bdd0baff1758387d794c270944e2808576bb2d63d4cfc15d4a8d76756f3d93c200a13f4f5de1f5d

C:\Windows\SysWOW64\Fpdhklkl.exe

MD5 085fc92ea64b3109b85463fbfc72163f
SHA1 cd770b9b6b98ed24ab2e94a5032f0fa00d39f488
SHA256 1f827fa9682fb9f8c7741fe927545bab6c483cb8c33d10968a5715e428db1fe4
SHA512 098aaf3430ea4e3d4f03555ac1de15a4ec232b73d4d2ad2d14dff3c0d123d4d054ed3fc669fd9350dbd7737252df3b1a19d294a6303ce1570501836075f32645

C:\Windows\SysWOW64\Fjilieka.exe

MD5 18b66d03879161d8b5e3be1c3de560a1
SHA1 4480a41b5083261d1ff4c9a31e285c995508f96c
SHA256 d4734178140ab48d3669120c8ae4162e99342dee78dbd7f3fc32f7a9017886ca
SHA512 e5ee0753ba4b3e26a12620a0126e5bf7e8d3d2932f38b38f83e342337dcf121bd377c03a3656be615c126bf8aa29d7159b3a2b39bcf9fbcd175b604915a975bf

C:\Windows\SysWOW64\Facdeo32.exe

MD5 f5ecb065eacf2416e4b1389fa4126e2e
SHA1 fbbe2cc7e75e7c4cf93f6ba5328d1d4e9167f950
SHA256 cdd1ed5090087ba6db2985d9aab83ca1986000902fdbf8dbbaa2837cd0e9907b
SHA512 69b0637e616a842e8bc5e5cdd977f9fcea96ba34d0d04478c53086292f573c8710245103a7dcd4aa20b8461ed1499451813fcbeb528cf734906662015a2be601

C:\Windows\SysWOW64\Fdapak32.exe

MD5 ebf8c777b2c763d927684c496c02b6c5
SHA1 785c36623abd5395edd71c7b2aba2bc0c949a560
SHA256 1ddf6349b0c9f590ac819cc3b7d3a0dcaa432d58f4de1e49cb6c72bd51617e50
SHA512 8ce954d8effa9ad6dcae18793f292db5b4c6b194aaa0aab4fb4f1ffdff2842e221b84a6860895b3ab761e49cf5e28876639f828ffeaf1a910ff5ccc614ee9e5c

C:\Windows\SysWOW64\Fbdqmghm.exe

MD5 9579c1f20bd243a157d9bdedc85e9761
SHA1 0fef431072a69d6d2f6e0fc8b0a70dbfff4c546c
SHA256 d35a95fc40eff5fd717fecbde0ae77b2e7597948c0f04856821454bc4b6cc362
SHA512 f4e19284918acf861426b288e62018452c1f3c7ff5f9f0b80c7eacbcbcae5b866d8598d4b254c545e95362fee4f1f0b4c32093082578ad41bc1050ccda687cb3

C:\Windows\SysWOW64\Fioija32.exe

MD5 b6c16289643d7b1027fa6bd9029510d8
SHA1 ff9cf6bdd19c5373d2e0ddd1f4f84d2771a021e0
SHA256 7935c33c83ad1de970c9adf1d3ac3d88bf159b8b9d918067250391e0678459b8
SHA512 c074c5172708253bc589749b11782a043fb45b9ecba3b09b440599ec67e3e19a0bff4fbc56014d7896392e4fd6b02920e7f5d4b78a702dd1a3c0dff3d63fc0e0

C:\Windows\SysWOW64\Fmjejphb.exe

MD5 1b87623e44a2dbade523070a3e0ee368
SHA1 57886827550c8d3542cb0d2e8ba64dbb54dacf45
SHA256 851a90ae3960c739a55da5919aee081055c4a4ed913aa93ef6fb8b9eb7006456
SHA512 1cabf939193dc1bc5d782cd6d7b59c0f4683b60cb9668b9852945da9c003bbd8b66e1a544322028dddaeb2f28fb6c288aac47a5a7627d8be4a6e3164fa122487

C:\Windows\SysWOW64\Fbgmbg32.exe

MD5 f28e96b36eb6898bb43416efee4eef68
SHA1 f070191d7e5534dc97f02d9c74f76739f34557b6
SHA256 8390b34443ff40a9978192772a8738f9b5851c678fdeeceb3ce4d857bc42fd2d
SHA512 92a763b4eb9ab5f289e5ba4c82cec2f4425cdc09df71cb3fdde1ea3ae4e8b036dc8aeff913b7b9bda21c4dc9f1b5e3ab22ef846478edeab9cb119779df1636c5

C:\Windows\SysWOW64\Ffbicfoc.exe

MD5 7b506c3252536da28ff3e97453f48db7
SHA1 ffda7a34c3a0f04e1376e3abfafef6cd1d6d32a3
SHA256 588fcde651051f646bbe3107b1f9430379033d8a62ad893a6a5b111aba2cf5cc
SHA512 56c24b7a68dc85636f64619a1c945d02ab43e9900b44c50f4100ecbcab368efde0afdb1aefd35f6d6a1748f94eb6204696ea32e2aa012704499b64d82bef3bc8

C:\Windows\SysWOW64\Fiaeoang.exe

MD5 550f58c1cf3c565af19f9d7506ed3f5a
SHA1 f5eb4effbb3d4e44a2c4210e339b3720af6fec73
SHA256 b4c9c68fcd41c030f57eecaa67d34a50f308e63e9b8a14c570afd44a493a7c74
SHA512 b6b6af9bc4c07db958821027e641c64aa4f84fdbbefc3ed3808331cb5d2fdfddc2787a3a23e9004f81065c48b145f2f1eda4dced2a091b680fdb27f84291a6d3

C:\Windows\SysWOW64\Globlmmj.exe

MD5 284468aa6c95fc7023ae35ac50cc35f6
SHA1 37739f2b1d09ef152eafff4fc8c67f79c17e37f2
SHA256 17b12f9b72c51ce66083f094ec54683582a1fda9d2c0f5447179572728ad0e6f
SHA512 00ccc307ae232d3bace6dd04d9ec1d6a73d0152a0f0515570edf2f44f543e84ba0eea6fef78935ddf64860cad236189cbdda2651263fe7a72cd879f47bc45ddb

C:\Windows\SysWOW64\Gpknlk32.exe

MD5 3aedf8787a29c45098e66761b94c491c
SHA1 f441649f0ae5181f771882dd5ffd24a68f82d4fa
SHA256 d16bd8108f5b9d0bc5556e0e8a94b27c98f4b457f151014e01c0c90f59f3fbc3
SHA512 81d90562f89b30b62628f4ed279efa04767515267d06a97e3c099e099596806f811dc3f6c47e61148230f68ec0727effb2c9b0813de580829468f60b9cc9f2da

C:\Windows\SysWOW64\Gegfdb32.exe

MD5 03a153686e9bc7b87a0f158e6e99b931
SHA1 7f563bb133a6d3debb6b41b82d2f6a34556998ff
SHA256 bb9201f0ac14d7fb4cf1d060496d7a61fb15fade503766f4c2869abe9c62d1fc
SHA512 35ce201040a6f6b3cb53cd1675341a157e886c77e7a4c3b591e9ae96fa8d6645246f4b08d6eb4e824df88278fea0f957a0b6494fde7dd7233777d9a57d86a4c1

C:\Windows\SysWOW64\Gpmjak32.exe

MD5 9086acd3a799c736cc95257f50266ebb
SHA1 b44fceba0d246c0f997e84fad53606baddaca4a2
SHA256 22e28b8c86b2fc520edd7082f13ec891b377930a7885c6a4f4c0b4a1a356f92e
SHA512 e5b5e86d345a67666400b5bcc60b9c146da51849497bd9e0101888f305987c6c1f8cd67fefb131e47c61a3e42c8195356893539648b6e00fd7b8357116b55065

C:\Windows\SysWOW64\Gopkmhjk.exe

MD5 4d4a52570ba584e63fc2df7f75ac5e5d
SHA1 30c035e5a7274ed2b5dce131ba84628a222d9cd4
SHA256 3902b2d884acc0032201fcc48aaa1e606bae2af0ed1518418865d197550cded6
SHA512 d6b4507ed0acd96f71691df23b39ac135bd2f23da9a4eb296ae7d0990f2222d566694ca32a4d43d161a56d4a50b73603d7a4194a3dc7d532b73b57fd39b1bab6

C:\Windows\SysWOW64\Gbkgnfbd.exe

MD5 7cf46207fa25a2071229fe82d0ec1de3
SHA1 f97db9a2a5919b75b516cddab80c688e61dfc8f0
SHA256 e52e2df3f9a921d5e6a23ebc6ff37b8f0f4ef68f011adde0a7ce025b70b0728a
SHA512 210933331ccb226b3e585981bc1cd76724d4f1e6d1a074df11728951f5d58ade709ebf9d672930206d80411ba118f7d8967ac2f30c16185cd74991441534367b

C:\Windows\SysWOW64\Gangic32.exe

MD5 ef8e8d7466871381b6a3091009a8031d
SHA1 c5479b6b1599fb74d0d64f231c3c332f4844a4ce
SHA256 712ab646c4392a542fae9ffc183c6779e9adbca55b5b555032dbc860d9d89f4c
SHA512 bee745027398d520fdf429c66786826f6acb96e058236c0a20f98a0a7aebdf7aad111a321c0cac29ea6eeb1b4cf8b3630672bd3c5ff3481007b84befbda35080

C:\Windows\SysWOW64\Gldkfl32.exe

MD5 649ac45e854491836b127dcb9c5dbf40
SHA1 ecd5c24defd23bc60af5d89cfa4caab8ae1728fb
SHA256 748b58e252934c5d0eace2e62ca59a9df78cf6df84f6919b7e9f66eeb58d5658
SHA512 00c98753f3bd0b492e0b89b9608ebd10f86fa79440c31c4f2e2be8733c91931c33b06af02da3ab98f4396d3326bef72a5ed0a32ae2ec1e15996e780276da2cf9

C:\Windows\SysWOW64\Gobgcg32.exe

MD5 e43a26fc4fb3a01cfd1b826841882bee
SHA1 7266f7ed185e90004dd2e0c06431a0cdcd9b7bfe
SHA256 7f43255168e20c7bee88b4ea1e3dd6f0aea426581f113a96c6104398fab2f762
SHA512 89b5036040b8ece19be606e2b1bba7a41a7b86d7a1645f68495279d6fb473937853186a72d039a339f37bc0244cfce8b5b193bc30a18b4665efa6b8e0a53f648

C:\Windows\SysWOW64\Gelppaof.exe

MD5 83c81544053e738fe94a7d7b29c30803
SHA1 a20f1b08808536814ce99e5856158d29c814dfc8
SHA256 b727c68c5023ceb65fbb5cf5eda5ffc952a1811fd5ede8d2f8c2a156c9baafec
SHA512 5185e50ce5e2d946f84268579caae0be7e07f69eda2af5e471197938ffeeca0ca51df4dbffb0f5375e22708175c61773d776758b7bfd68d8f874a20b9f8c80ef

C:\Windows\SysWOW64\Ghkllmoi.exe

MD5 60155088d17272df0f1ab6e3f43bf3b6
SHA1 33f98e370aaa36f0a774872b0bf27519c9924f89
SHA256 4b4179dbf88232276571054d997010fdaf74813a0284c0c40253eebd90dd7450
SHA512 0d0cfbe47d779158648c98e224c507eb3737231f565e6a8baa85b8e2f4fb5ee6012d90bdd764bf41f82d2a924a7b59b412a4ba27b9a34a36a7aa9a40f564208b

C:\Windows\SysWOW64\Glfhll32.exe

MD5 c90ceb4563772a6c8ebfc898fbadc3e5
SHA1 b6eef129f58d29e8c7862405d4063d9599b7ac3e
SHA256 2f49f3020fcf1f3185c3a29e99496318bc879b3f94494f7484b9efebe8e33a67
SHA512 b5e93206f5fe00cc8de4b86ed5bfd624ec2c3d0bcf41ceb76982f9f4072406d9707628f62309a919cc0f422b9981dcfcac0b79c2f34ef77a61443231b96584fa

C:\Windows\SysWOW64\Gkihhhnm.exe

MD5 d16df3878876a0ed2cdcd7f605758b01
SHA1 fe067719e48035890e4b09bf4d07d46ab0aa1d04
SHA256 3ad8dbe272cd5630a578c428e4deaf21fe4962294b42402f993070e0206a5e11
SHA512 04dd2d03ce8629cc0fe7ddb24d84ca1bd13ebcc65bf26f2397288f95c6b8087b108ef562908d9a1ff8953a93748402faab70aedef52a2cf4b486e0514bab80a8

C:\Windows\SysWOW64\Gacpdbej.exe

MD5 b3c1caaa412447089d9c9a4115b0bedb
SHA1 1373df0e8d971a09290ee8db81cd54f3257482e1
SHA256 469307f02c05f344b435fe085dde227f1c5882464685a56b4dc13697eec5ddc4
SHA512 1c9f06bc5539e0f8f3e9a76039546a3b2b5ac5139bd4ab36ea81c2172fba9605a90da042b11eee0c673a9c972390a0006d0c3bbc1deaf7133bc36cc45555a560

C:\Windows\SysWOW64\Gdamqndn.exe

MD5 6af2c1abbbc01ad06a0cdbc62d8a0bf6
SHA1 64229ad3da9783e14e5a4376283fe8d2339de26f
SHA256 b0cd1e64dff2b5982e7ccc6d38d2e92d7cf33f28c9cfd122c460fedc87f274c2
SHA512 bb4b36eeb5ece607d5b39f8bf4b1f8507ef94a1a98d9ba5deead0a22c0f2be328047aa0618b7ede6ae51612ced851b8996bb9343cadf46a0e0e3256d6aa99cd3

C:\Windows\SysWOW64\Gkkemh32.exe

MD5 dfde972e39eda44dab8f1f8569885822
SHA1 a383a15807fa80d36a351c7b39fb4e565bc8fa3c
SHA256 c452ad6df53da7c2c925f5055056ed3b5e7370beb163e681a364aa9a5ff6af8b
SHA512 1f18c73ff5f6c26884cfd745b3ca9e3d66b3cae79bc570d68a7b9e867d89b881af10598784c028f03b7678ba83f9d513b7a2f51aeaf1b9952a109e08afe699ca

C:\Windows\SysWOW64\Gmjaic32.exe

MD5 0a4c2be796d3004729e8606e222d2c39
SHA1 e2dd25bdf1716af7dd9136e4f2e98404471f96c4
SHA256 0d87c580ddaa3ff9d6116c1b5d64ef96a1e928c9f92fe32154333ddafabc2b62
SHA512 5f7fb1da82e201a99bf58f6162eb51a9224ff3c2d713349ce386018417616686f2eb036514c4bd2a5be395075e1c547ec080b8fd4d40df799c4817730f461551

C:\Windows\SysWOW64\Gphmeo32.exe

MD5 a779f6c32a261aa2ea1f4ad7aff3687b
SHA1 5863fe479c275d94e0e072a2b240b3049a64e7dc
SHA256 5bb19bc21ba0be8ca8e6be8ed2e1ea90b601cd045447be10e1ed2ddf604096f9
SHA512 e087e708087394506c1bbe72e88fe17dc00a96ef743493efe32d8a08e16f6b341752e21c86b5900180c3bf15c14b3c9125c5848a3b33d2515f666c3ef1354e1f

C:\Windows\SysWOW64\Hiqbndpb.exe

MD5 04c1a2c12586c5ac7b187e01f4b49119
SHA1 47a25cb2a32af14c86a35db93c29c64a88aa8ed2
SHA256 313f6b7c35b2eb829abbe2ce2e0cc910dc1acec747cdb6ccbb8b890281592e80
SHA512 95a8c3164d24dbab7f0f55e95c58c29b5a4bc131710d13177b6a45e2ad65a0a74e3076e440991df638381d5353e01fb509c5310440addea3003e90f403526abd

C:\Windows\SysWOW64\Hmlnoc32.exe

MD5 5e962488881710450de5c9bae059f962
SHA1 c46542ff8c14a1b39767eecbf9905c3fee19bb6f
SHA256 570cdad4fd1560874e6bfffc0b7face1190c93847341dd77cce96c9d43bdd64d
SHA512 8b776848b7d7205d212ea9cde395636a004bc06ee2992aa8e10d1c57d39626da053f85da7e29cd7d073a466d2148b2688bbf48524e7ff797cda1343cc51d1f1d

C:\Windows\SysWOW64\Hdfflm32.exe

MD5 a604c45620ed9c87fcc690957cbd4efa
SHA1 fb880d39a685d400b24411efecfc69969efdcc4d
SHA256 cdb5a4aa6f222ca7f11681c33278f3d63be4e7aaa3f57a46298cd6f024772a99
SHA512 68f44cf056252b3d387d29b17e0688b918a66d06d5e77a9647a28e7bfe5ea14cf96e344cedc7c14dbec462b4844430fc50ac2445594d29a8b805eb0cc8ff2cb4

C:\Windows\SysWOW64\Hgdbhi32.exe

MD5 ae7d2dcc8f43631e7c56e45c4eaaae54
SHA1 e269b77403ca4e4c2ea2f9f12929568a47c01434
SHA256 45181825ce9c9dfdd66a9a9f99af72b85ab6279f1aa9a34ac8d272c56c289d2d
SHA512 b016ac853233b5b9b4de621dcc983f37fba6e78ddacfce337fe9f6534588c61ebd3a540b3e9c5e3784e40d7c7bf8d9bec9301b272d359751294bc8d1eb3a50df

C:\Windows\SysWOW64\Hnojdcfi.exe

MD5 8ecf2fe4a2bd44ddb6fa685d3e2c8463
SHA1 660e18a15dd5deec87e0ca6869a74bfbb44f7525
SHA256 57437d3da94300d6ba373555fcbc453ece820407d3c7763c5e6d865fdde1ab34
SHA512 1358cae650b4aaa6ff194a7c704046985cc91d86ff461800977661f977b8dab5abf589d4ac0bd655851db1431c89251fc155a77872a32fdb80e2e3177e1c0b38

C:\Windows\SysWOW64\Hpmgqnfl.exe

MD5 f1727322838f6b9b993a8918c4a4265a
SHA1 2103d71fe815f0d77ab499f1df23ab8f6d2691a0
SHA256 096f3f0943618da2ba5b6407dc1923f54c73f7b59b31e771e59efb5ab05b4774
SHA512 8d6a1cde762a5b22ad54e93ce0b6aa9b62d8f928f60d38ce792dcab734485339e42b99544de119312333832693731a2f855657ea776906f5c557fd9579684816

C:\Windows\SysWOW64\Hdhbam32.exe

MD5 7d9fb2aa95739d7676bdc270a70d1bf5
SHA1 0bb061b3305cf13c75dd0e57e188b228509430de
SHA256 7c8681fbb28807729a5a47f2e4a7b8d6a7ba91547cbc0bc2b4513b223688e5c8
SHA512 7b75073bd925be781674b2a5b5d9602ecc2c71bb1688fef934a188d0d0ce95fbe89405976f0ea05709ce83adeae8dfaaedaa67e604978250d27625a8a8a84824

C:\Windows\SysWOW64\Hejoiedd.exe

MD5 010818adc9b964ab4a122de8c110da6c
SHA1 a6b07aed4d559e021a671adddba3b2b55c8b059f
SHA256 425f901c6c5b76766ae75077bccb69ac3eb0313b021933208ed4584ed1b235f8
SHA512 2ab2a2a493d77e1b0a4bed50783c73f56f643648829342336fe5047cb398d92eec4b71e751fd6ca71e31e4a6ed29720b2667ec8b18546439866373957d294dc6

C:\Windows\SysWOW64\Hiekid32.exe

MD5 56b3a40135ae1bdcb0303fad156c0e42
SHA1 fe628cfd50140c3cf3b6c25d8f115e9a14d559c0
SHA256 95a03c23a03d0c3a3aad46bbe31c444131a1d310496eb08287ad72d866bd6a97
SHA512 19705df94172bf9b77c7bf9266ed9c4d1cd0b458c828765e425332233d8bfb0493e54a527604033b40c324c24434fc927661c247dcd5d4d19a847a9e75398dad

C:\Windows\SysWOW64\Hpocfncj.exe

MD5 4717e26cbfeb99da94b05e592a216597
SHA1 a815b9057a3f28c20adda7f1dadaedfa5e363061
SHA256 a1a22cbfc30a8eadddbe0a4e97998336264548926b77b365a5d3c70ac6dd5d75
SHA512 d193e08c810f92f2536fdaf03ef34826eb1c41d4c2febb8752ffa05530c2ef2f4d5d1c4ff081bceb4f47a2359598ae1b8373bb1534109a7608ece9ab8ed329fc

C:\Windows\SysWOW64\Hgilchkf.exe

MD5 8568327dadeb1f25cd52f99ebdea3968
SHA1 83b1259c6ea5df4738a38e3e6267f920a9c70e27
SHA256 a85d398108e0587760dab9a3c441a166f02f934e89d74a3f0570845c4517cb96
SHA512 570430b8f1abdd868fd7a70ab3df37e412cb56fbe7db1ad89d936c4b6a811dea5ca348eb9bac36739f17d8d26db239af9a1d4aeea964d661e76db81bb7667971

C:\Windows\SysWOW64\Hellne32.exe

MD5 9641a1a9c23d07e048a4257403a209f2
SHA1 121aeec302dc96825dc233ef6d0e5be17a13d411
SHA256 6d99bea06d4a3f7e5b90f2ea034fba2d3737058b4b681767119333903871a261
SHA512 dbe6859df433426bc87cb59886afaa759ad0eb74613816ace19a47e92fbe4898b91f862c9ca4628b430389533c399bc7b9ae77058acc78ccddaa8628618eef87

C:\Windows\SysWOW64\Hlfdkoin.exe

MD5 7767a21df98969edb5cab54d1b26ff61
SHA1 9ccc4bde4c0268632bc81d7259a9bdca3d8f365e
SHA256 9fada4f6122d7cb167aa73e2a46d83746393951899bfba75a76d79e725937b31
SHA512 d3049dffa4e621a3f38611a412aba0d9830b456d3b39bf0a2ca773ba543d17f61e29a0cfe782fadfe4e9710cb27c4a7c9c047a096c368f895404595fdcb2eb1a

C:\Windows\SysWOW64\Hcplhi32.exe

MD5 f17bfdab1a01c61359d659ea5baebc6c
SHA1 037a53308f3fd7768e59757e6bf151b127bfd82c
SHA256 3dfffbfe1c82c2272a339ed2563e914e40dd1236370bd1d4133dab92df9bf00e
SHA512 2322c123880ece91e4bba75980536f36cc0fe376e770525c97f4344d5e3b85c9c4d430a4e5d24e29224ae20bc52c212565b2cb3fd1e2c87c521b19873a7897f0

C:\Windows\SysWOW64\Hjjddchg.exe

MD5 77e50d6acbba6664a7f174c0e0df7005
SHA1 c2f7821c4988be91f341f88c9020598df30b48bb
SHA256 17abcaa5b439950414e902db96676890c5bbc975d9190a080854ec3b499dfda6
SHA512 be5e52e74463c89a0888671a01cacec17d83c956fa683214d8db41860dd325cfed38afae11d2a3a1209fd8c97f9dcdecd1ce3eb1e8646b2868522e3283c6d7cd

C:\Windows\SysWOW64\Hhmepp32.exe

MD5 32b8001b799ba0af297ea02ea448bc81
SHA1 2a5351ea54d78d7850d0b35417688f610152a212
SHA256 125e5e740b6e01b3bfe8881a85cbe0e493e4d7687a8cc6ef9449bfbc984ba832
SHA512 172543c987303187c86f86ce5ae1dbc5eb9a43293fec374ede422e5c04ae24c109e784bbdcd6d39267172d9088ae5484402c0f3c1ca38af7a2619de564247c48

C:\Windows\SysWOW64\Hkkalk32.exe

MD5 8576a24a4211a12c70daa305de5b31bb
SHA1 2af36aecd651cc72ec071f50e636b18190ccf989
SHA256 155f5ad24265d483a03220b634f9730d1e8b34d161da1a5acd18233969eadd52
SHA512 42237feb3b80b84c17832bd19036f43d92ebfd235337cc5571f6d22b99273a76e7a882a48ec635f4bf43e32f1aa12010daa7fe4daa953ae23afab76e16dab107

C:\Windows\SysWOW64\Iaeiieeb.exe

MD5 5396ecb1bd7b4efdad3635e39a29a9f0
SHA1 92c1d11da5aa4c9f8f896322567359f5c243bd53
SHA256 096562a0e8ac132cb6ae09b39ec78c4fa56540353bad5f476c97bd8894b7f62c
SHA512 1051a66df5b18f93f4ca7234eaf04f8c1df80101ae6230abeddb79214b47eb7598cf7189fa93d1480d6ee15be08509be4bd4c24da054a27a3f0d74499fb9bdb0

C:\Windows\SysWOW64\Idceea32.exe

MD5 a46a090c28770dcc515cbd36c40e1c8f
SHA1 25f8d27bd51adf425a2d66f2b1997a54500e9cd7
SHA256 11ffb21f0472a638de3d4e11e858447da69c60fbac5a5367bb5273920a2cc328
SHA512 0da5d0b3a8d965708ce3dbaa4a44cf1fb138ce8330034d174931e1bec9303c7fb2d020fa5221f8112125138a9d312d61b2d7f0e21e2f1d3ea64ff9304a9c2a93

C:\Windows\SysWOW64\Ihoafpmp.exe

MD5 f4937f43ec86b11d2df53cb04b9620df
SHA1 53d72be0b7a74b65f44650dbef68e9eaa0eed784
SHA256 e3aaa6fb6f580ba8dd316665712a1c98d23c1ccaebe686fe4b5aaa63cd602857
SHA512 45f48a778aa39d90c460f2e8eb5d5cefa448eed42b7c9e58891635a8f2d2e6e8bcdd1cadd0d0d318fe9a94232c669b50def31b3947fcf04ccaf003890c325bae

C:\Windows\SysWOW64\Ioijbj32.exe

MD5 8c4e2fd3c2bfb40a90f973b4e8411fbb
SHA1 be7855fea9eb41c43e6749159310cc015b45d084
SHA256 eee04f8aa735e60f87dd22ca3c640ce3e408bf2fd9cb1a647db9277f5584aa28
SHA512 058c029802ad3cad8395529ba9c195fbc293634f8060db75904e6ee26b0e86c3ab3b20a1d05847f576d98f9ae75e33a3cb1c343a79ffd0185fffd7b16a636843

C:\Windows\SysWOW64\Iagfoe32.exe

MD5 0602fc19c581848c514f3a32ec92d8a8
SHA1 9c12fe0bfcf58756a0e665caeb8340a482a86708
SHA256 24f715b4fd262b1eb1ee8d375a1a5706a54628ff489d41af769e58ee7e3c6f4a
SHA512 6ce3fa3e393b192a45f1089454136de38be5926d0df7376a384cee934a26224a8d5bdcb05a62bced360c7d2e21faca0401b456f91d0c4f7346039fd995fc62f0

memory/1680-1298-0x0000000000400000-0x0000000000453000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 17:02

Reported

2024-05-15 17:05

Platform

win10v2004-20240426-en

Max time kernel

129s

Max time network

98s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06fcda0a0e923ec22a8cf0546795f620_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dcfebonm.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fflaff32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ifopiajn.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kpccnefa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Elccfc32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fopldmcl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jjpeepnb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kmegbjgn.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Laefdf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mjcgohig.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fcgoilpj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fqohnp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kdaldd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nkncdifl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dhcnke32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fbnhphbp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gbenqg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ifhiib32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kipabjil.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lpocjdld.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Efneehef.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eqciba32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mnocof32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ipqnahgf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nqiogp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dcdimopp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Domfgpca.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fjcclf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fmapha32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fopldmcl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lmqgnhmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nnhfee32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ebploj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hbeghene.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Idofhfmm.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iinlemia.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jagqlj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jjbako32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mdfofakp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mnocof32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mdiklqhm.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mkbchk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mnapdf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eoapbo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jfffjqdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jpojcf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kgphpo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ejgdpg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fjepaecb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jaedgjjd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lnhmng32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lgbnmm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mgghhlhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mdpalp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Himcoo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hmmhjm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kcifkp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mahbje32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nqmhbpba.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dllmfd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gcpapkgp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kagichjo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nkncdifl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kpepcedo.exe N/A

Gozi

banker trojan gozi

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Dcalgo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhnepfpj.exe N/A
N/A N/A C:\Windows\SysWOW64\Dpemacql.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcdimopp.exe N/A
N/A N/A C:\Windows\SysWOW64\Djnaji32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dllmfd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dokjbp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcfebonm.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfdbojmq.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhcnke32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dlojkddn.exe N/A
N/A N/A C:\Windows\SysWOW64\Domfgpca.exe N/A
N/A N/A C:\Windows\SysWOW64\Dakbckbe.exe N/A
N/A N/A C:\Windows\SysWOW64\Ehekqe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Epmcab32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eoocmoao.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebnoikqb.exe N/A
N/A N/A C:\Windows\SysWOW64\Elccfc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eoapbo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebploj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejgdpg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eleplc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecphimfb.exe N/A
N/A N/A C:\Windows\SysWOW64\Efneehef.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejjqeg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ehlaaddj.exe N/A
N/A N/A C:\Windows\SysWOW64\Eqciba32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecbenm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Efpajh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Emjjgbjp.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecdbdl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffbnph32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjnjqfij.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmmfmbhn.exe N/A
N/A N/A C:\Windows\SysWOW64\Fcgoilpj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffekegon.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjqgff32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fqkocpod.exe N/A
N/A N/A C:\Windows\SysWOW64\Fcikolnh.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbllkh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjcclf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmapha32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fopldmcl.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbnhphbp.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjepaecb.exe N/A
N/A N/A C:\Windows\SysWOW64\Fqohnp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fobiilai.exe N/A
N/A N/A C:\Windows\SysWOW64\Fcnejk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fflaff32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fijmbb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fqaeco32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gcpapkgp.exe N/A
N/A N/A C:\Windows\SysWOW64\Gjjjle32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gmhfhp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gogbdl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gbenqg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gjlfbd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gmkbnp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Goiojk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gjocgdkg.exe N/A
N/A N/A C:\Windows\SysWOW64\Hihicplj.exe N/A
N/A N/A C:\Windows\SysWOW64\Hcnnaikp.exe N/A
N/A N/A C:\Windows\SysWOW64\Hfljmdjc.exe N/A
N/A N/A C:\Windows\SysWOW64\Hikfip32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Ncldnkae.exe C:\Windows\SysWOW64\Nqmhbpba.exe N/A
File created C:\Windows\SysWOW64\Hikfip32.exe C:\Windows\SysWOW64\Hfljmdjc.exe N/A
File opened for modification C:\Windows\SysWOW64\Hmmhjm32.exe C:\Windows\SysWOW64\Hfcpncdk.exe N/A
File created C:\Windows\SysWOW64\Lpfihl32.dll C:\Windows\SysWOW64\Idofhfmm.exe N/A
File created C:\Windows\SysWOW64\Maaepd32.exe C:\Windows\SysWOW64\Mjjmog32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mcpebmkb.exe C:\Windows\SysWOW64\Mdmegp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nqiogp32.exe C:\Windows\SysWOW64\Nklfoi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fqaeco32.exe C:\Windows\SysWOW64\Fijmbb32.exe N/A
File created C:\Windows\SysWOW64\Ifhiib32.exe C:\Windows\SysWOW64\Iakaql32.exe N/A
File created C:\Windows\SysWOW64\Gkillp32.dll C:\Windows\SysWOW64\Ifhiib32.exe N/A
File created C:\Windows\SysWOW64\Ifjfnb32.exe C:\Windows\SysWOW64\Ipqnahgf.exe N/A
File created C:\Windows\SysWOW64\Ckegia32.dll C:\Windows\SysWOW64\Lpfijcfl.exe N/A
File opened for modification C:\Windows\SysWOW64\Mkbchk32.exe C:\Windows\SysWOW64\Mgghhlhq.exe N/A
File opened for modification C:\Windows\SysWOW64\Idofhfmm.exe C:\Windows\SysWOW64\Iiibkn32.exe N/A
File created C:\Windows\SysWOW64\Jjmhppqd.exe C:\Windows\SysWOW64\Jaedgjjd.exe N/A
File created C:\Windows\SysWOW64\Ihaoimoh.dll C:\Windows\SysWOW64\Kbfiep32.exe N/A
File created C:\Windows\SysWOW64\Lpcmec32.exe C:\Windows\SysWOW64\Lijdhiaa.exe N/A
File created C:\Windows\SysWOW64\Ibagcc32.exe C:\Windows\SysWOW64\Idofhfmm.exe N/A
File created C:\Windows\SysWOW64\Npckna32.dll C:\Windows\SysWOW64\Nnhfee32.exe N/A
File created C:\Windows\SysWOW64\Mmpfpdoi.dll C:\Windows\SysWOW64\Ijaida32.exe N/A
File created C:\Windows\SysWOW64\Jjbako32.exe C:\Windows\SysWOW64\Jfffjqdf.exe N/A
File opened for modification C:\Windows\SysWOW64\Nqfbaq32.exe C:\Windows\SysWOW64\Nnhfee32.exe N/A
File created C:\Windows\SysWOW64\Mgnnhk32.exe C:\Windows\SysWOW64\Mdpalp32.exe N/A
File created C:\Windows\SysWOW64\Hihicplj.exe C:\Windows\SysWOW64\Gjocgdkg.exe N/A
File created C:\Windows\SysWOW64\Hfljmdjc.exe C:\Windows\SysWOW64\Hcnnaikp.exe N/A
File created C:\Windows\SysWOW64\Hbeghene.exe C:\Windows\SysWOW64\Hadkpm32.exe N/A
File created C:\Windows\SysWOW64\Lmqgnhmp.exe C:\Windows\SysWOW64\Kgfoan32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kknafn32.exe C:\Windows\SysWOW64\Kbfiep32.exe N/A
File created C:\Windows\SysWOW64\Fcgoilpj.exe C:\Windows\SysWOW64\Fmmfmbhn.exe N/A
File opened for modification C:\Windows\SysWOW64\Fqkocpod.exe C:\Windows\SysWOW64\Fjqgff32.exe N/A
File opened for modification C:\Windows\SysWOW64\Himcoo32.exe C:\Windows\SysWOW64\Hfofbd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jmbklj32.exe C:\Windows\SysWOW64\Jigollag.exe N/A
File created C:\Windows\SysWOW64\Kcbibebo.dll C:\Windows\SysWOW64\Mgnnhk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ndbnboqb.exe C:\Windows\SysWOW64\Nqfbaq32.exe N/A
File created C:\Windows\SysWOW64\Ejgdpg32.exe C:\Windows\SysWOW64\Ebploj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Goiojk32.exe C:\Windows\SysWOW64\Gmkbnp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kpepcedo.exe C:\Windows\SysWOW64\Kmgdgjek.exe N/A
File created C:\Windows\SysWOW64\Lpocjdld.exe C:\Windows\SysWOW64\Lmqgnhmp.exe N/A
File created C:\Windows\SysWOW64\Ggcjqj32.dll C:\Windows\SysWOW64\Jmkdlkph.exe N/A
File created C:\Windows\SysWOW64\Ggmlbfpm.dll C:\Windows\SysWOW64\Domfgpca.exe N/A
File created C:\Windows\SysWOW64\Fjepaecb.exe C:\Windows\SysWOW64\Fbnhphbp.exe N/A
File created C:\Windows\SysWOW64\Impepm32.exe C:\Windows\SysWOW64\Ijaida32.exe N/A
File opened for modification C:\Windows\SysWOW64\Elccfc32.exe C:\Windows\SysWOW64\Ebnoikqb.exe N/A
File opened for modification C:\Windows\SysWOW64\Ifopiajn.exe C:\Windows\SysWOW64\Idacmfkj.exe N/A
File created C:\Windows\SysWOW64\Bghhihab.dll C:\Windows\SysWOW64\Njcpee32.exe N/A
File created C:\Windows\SysWOW64\Dokjbp32.exe C:\Windows\SysWOW64\Dllmfd32.exe N/A
File created C:\Windows\SysWOW64\Mgekbljc.exe C:\Windows\SysWOW64\Mdfofakp.exe N/A
File created C:\Windows\SysWOW64\Mamleegg.exe C:\Windows\SysWOW64\Mnapdf32.exe N/A
File created C:\Windows\SysWOW64\Fgpjnm32.dll C:\Users\Admin\AppData\Local\Temp\06fcda0a0e923ec22a8cf0546795f620_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Dadofijl.dll C:\Windows\SysWOW64\Gmkbnp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mnocof32.exe C:\Windows\SysWOW64\Mjcgohig.exe N/A
File opened for modification C:\Windows\SysWOW64\Njljefql.exe C:\Windows\SysWOW64\Mgnnhk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fqohnp32.exe C:\Windows\SysWOW64\Fjepaecb.exe N/A
File created C:\Windows\SysWOW64\Jpojcf32.exe C:\Windows\SysWOW64\Jjbako32.exe N/A
File created C:\Windows\SysWOW64\Fbkmec32.dll C:\Windows\SysWOW64\Jjbako32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mamleegg.exe C:\Windows\SysWOW64\Mnapdf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gjjjle32.exe C:\Windows\SysWOW64\Gcpapkgp.exe N/A
File opened for modification C:\Windows\SysWOW64\Gjlfbd32.exe C:\Windows\SysWOW64\Gbenqg32.exe N/A
File created C:\Windows\SysWOW64\Hionfema.dll C:\Windows\SysWOW64\Haggelfd.exe N/A
File created C:\Windows\SysWOW64\Baefid32.dll C:\Windows\SysWOW64\Lijdhiaa.exe N/A
File created C:\Windows\SysWOW64\Mkgmcjld.exe C:\Windows\SysWOW64\Mcpebmkb.exe N/A
File created C:\Windows\SysWOW64\Jehocmdp.dll C:\Windows\SysWOW64\Dpemacql.exe N/A
File created C:\Windows\SysWOW64\Gddfpk32.dll C:\Windows\SysWOW64\Fcikolnh.exe N/A
File created C:\Windows\SysWOW64\Kpmfddnf.exe C:\Windows\SysWOW64\Kkpnlm32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Nkcmohbg.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fobiilai.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kmegbjgn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kpccnefa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll" C:\Windows\SysWOW64\Mdpalp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nnhfee32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nnhfee32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecppdbpl.dll" C:\Windows\SysWOW64\Jmbklj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ldaeka32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll" C:\Windows\SysWOW64\Lddbqa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll" C:\Windows\SysWOW64\Maaepd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mpdelajl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mnapdf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll" C:\Windows\SysWOW64\Ngpjnkpf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll" C:\Windows\SysWOW64\Ncldnkae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohcepmcb.dll" C:\Windows\SysWOW64\Ecbenm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ffekegon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjcfkp32.dll" C:\Windows\SysWOW64\Hadkpm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceaklo32.dll" C:\Windows\SysWOW64\Hippdo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll" C:\Windows\SysWOW64\Kbfiep32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dempmq32.dll" C:\Windows\SysWOW64\Iakaql32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kagichjo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll" C:\Windows\SysWOW64\Kcifkp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mncmjfmk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ejgdpg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fopldmcl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kmgdgjek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll" C:\Windows\SysWOW64\Mamleegg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ehekqe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oggipmfe.dll" C:\Windows\SysWOW64\Ffekegon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nqiogp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjebnamp.dll" C:\Windows\SysWOW64\Ejgdpg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Eleplc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ejjqeg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fcikolnh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcpkbc32.dll" C:\Windows\SysWOW64\Kmjqmi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mcpebmkb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll" C:\Windows\SysWOW64\Njcpee32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dhcnke32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbbfkb32.dll" C:\Windows\SysWOW64\Epmcab32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkakml32.dll" C:\Windows\SysWOW64\Eoapbo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnoaog32.dll" C:\Windows\SysWOW64\Jjmhppqd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olmeac32.dll" C:\Windows\SysWOW64\Jdhine32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ncldnkae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kdcijcke.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Laopdgcg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ffekegon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbpag32.dll" C:\Windows\SysWOW64\Fqkocpod.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gmhfhp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hfofbd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ifhiib32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbdcekmm.dll" C:\Windows\SysWOW64\Ffbnph32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbfppi32.dll" C:\Windows\SysWOW64\Fcgoilpj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mgghhlhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fqkocpod.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kmegbjgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kbapjafe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldobbkdk.dll" C:\Windows\SysWOW64\Kmgdgjek.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kdaldd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnckcnhb.dll" C:\Windows\SysWOW64\Kpepcedo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfdcbdnc.dll" C:\Windows\SysWOW64\Ebploj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ecphimfb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hmmhjm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jmkdlkph.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jdmcidam.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1172 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\06fcda0a0e923ec22a8cf0546795f620_NeikiAnalytics.exe C:\Windows\SysWOW64\Dcalgo32.exe
PID 1172 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\06fcda0a0e923ec22a8cf0546795f620_NeikiAnalytics.exe C:\Windows\SysWOW64\Dcalgo32.exe
PID 1172 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\06fcda0a0e923ec22a8cf0546795f620_NeikiAnalytics.exe C:\Windows\SysWOW64\Dcalgo32.exe
PID 3208 wrote to memory of 3268 N/A C:\Windows\SysWOW64\Dcalgo32.exe C:\Windows\SysWOW64\Dhnepfpj.exe
PID 3208 wrote to memory of 3268 N/A C:\Windows\SysWOW64\Dcalgo32.exe C:\Windows\SysWOW64\Dhnepfpj.exe
PID 3208 wrote to memory of 3268 N/A C:\Windows\SysWOW64\Dcalgo32.exe C:\Windows\SysWOW64\Dhnepfpj.exe
PID 3268 wrote to memory of 3468 N/A C:\Windows\SysWOW64\Dhnepfpj.exe C:\Windows\SysWOW64\Dpemacql.exe
PID 3268 wrote to memory of 3468 N/A C:\Windows\SysWOW64\Dhnepfpj.exe C:\Windows\SysWOW64\Dpemacql.exe
PID 3268 wrote to memory of 3468 N/A C:\Windows\SysWOW64\Dhnepfpj.exe C:\Windows\SysWOW64\Dpemacql.exe
PID 3468 wrote to memory of 1724 N/A C:\Windows\SysWOW64\Dpemacql.exe C:\Windows\SysWOW64\Dcdimopp.exe
PID 3468 wrote to memory of 1724 N/A C:\Windows\SysWOW64\Dpemacql.exe C:\Windows\SysWOW64\Dcdimopp.exe
PID 3468 wrote to memory of 1724 N/A C:\Windows\SysWOW64\Dpemacql.exe C:\Windows\SysWOW64\Dcdimopp.exe
PID 1724 wrote to memory of 4416 N/A C:\Windows\SysWOW64\Dcdimopp.exe C:\Windows\SysWOW64\Djnaji32.exe
PID 1724 wrote to memory of 4416 N/A C:\Windows\SysWOW64\Dcdimopp.exe C:\Windows\SysWOW64\Djnaji32.exe
PID 1724 wrote to memory of 4416 N/A C:\Windows\SysWOW64\Dcdimopp.exe C:\Windows\SysWOW64\Djnaji32.exe
PID 4416 wrote to memory of 3388 N/A C:\Windows\SysWOW64\Djnaji32.exe C:\Windows\SysWOW64\Dllmfd32.exe
PID 4416 wrote to memory of 3388 N/A C:\Windows\SysWOW64\Djnaji32.exe C:\Windows\SysWOW64\Dllmfd32.exe
PID 4416 wrote to memory of 3388 N/A C:\Windows\SysWOW64\Djnaji32.exe C:\Windows\SysWOW64\Dllmfd32.exe
PID 3388 wrote to memory of 2096 N/A C:\Windows\SysWOW64\Dllmfd32.exe C:\Windows\SysWOW64\Dokjbp32.exe
PID 3388 wrote to memory of 2096 N/A C:\Windows\SysWOW64\Dllmfd32.exe C:\Windows\SysWOW64\Dokjbp32.exe
PID 3388 wrote to memory of 2096 N/A C:\Windows\SysWOW64\Dllmfd32.exe C:\Windows\SysWOW64\Dokjbp32.exe
PID 2096 wrote to memory of 944 N/A C:\Windows\SysWOW64\Dokjbp32.exe C:\Windows\SysWOW64\Dcfebonm.exe
PID 2096 wrote to memory of 944 N/A C:\Windows\SysWOW64\Dokjbp32.exe C:\Windows\SysWOW64\Dcfebonm.exe
PID 2096 wrote to memory of 944 N/A C:\Windows\SysWOW64\Dokjbp32.exe C:\Windows\SysWOW64\Dcfebonm.exe
PID 944 wrote to memory of 4988 N/A C:\Windows\SysWOW64\Dcfebonm.exe C:\Windows\SysWOW64\Dfdbojmq.exe
PID 944 wrote to memory of 4988 N/A C:\Windows\SysWOW64\Dcfebonm.exe C:\Windows\SysWOW64\Dfdbojmq.exe
PID 944 wrote to memory of 4988 N/A C:\Windows\SysWOW64\Dcfebonm.exe C:\Windows\SysWOW64\Dfdbojmq.exe
PID 4988 wrote to memory of 1828 N/A C:\Windows\SysWOW64\Dfdbojmq.exe C:\Windows\SysWOW64\Dhcnke32.exe
PID 4988 wrote to memory of 1828 N/A C:\Windows\SysWOW64\Dfdbojmq.exe C:\Windows\SysWOW64\Dhcnke32.exe
PID 4988 wrote to memory of 1828 N/A C:\Windows\SysWOW64\Dfdbojmq.exe C:\Windows\SysWOW64\Dhcnke32.exe
PID 1828 wrote to memory of 2008 N/A C:\Windows\SysWOW64\Dhcnke32.exe C:\Windows\SysWOW64\Dlojkddn.exe
PID 1828 wrote to memory of 2008 N/A C:\Windows\SysWOW64\Dhcnke32.exe C:\Windows\SysWOW64\Dlojkddn.exe
PID 1828 wrote to memory of 2008 N/A C:\Windows\SysWOW64\Dhcnke32.exe C:\Windows\SysWOW64\Dlojkddn.exe
PID 2008 wrote to memory of 2468 N/A C:\Windows\SysWOW64\Dlojkddn.exe C:\Windows\SysWOW64\Domfgpca.exe
PID 2008 wrote to memory of 2468 N/A C:\Windows\SysWOW64\Dlojkddn.exe C:\Windows\SysWOW64\Domfgpca.exe
PID 2008 wrote to memory of 2468 N/A C:\Windows\SysWOW64\Dlojkddn.exe C:\Windows\SysWOW64\Domfgpca.exe
PID 2468 wrote to memory of 2124 N/A C:\Windows\SysWOW64\Domfgpca.exe C:\Windows\SysWOW64\Dakbckbe.exe
PID 2468 wrote to memory of 2124 N/A C:\Windows\SysWOW64\Domfgpca.exe C:\Windows\SysWOW64\Dakbckbe.exe
PID 2468 wrote to memory of 2124 N/A C:\Windows\SysWOW64\Domfgpca.exe C:\Windows\SysWOW64\Dakbckbe.exe
PID 2124 wrote to memory of 4712 N/A C:\Windows\SysWOW64\Dakbckbe.exe C:\Windows\SysWOW64\Ehekqe32.exe
PID 2124 wrote to memory of 4712 N/A C:\Windows\SysWOW64\Dakbckbe.exe C:\Windows\SysWOW64\Ehekqe32.exe
PID 2124 wrote to memory of 4712 N/A C:\Windows\SysWOW64\Dakbckbe.exe C:\Windows\SysWOW64\Ehekqe32.exe
PID 4712 wrote to memory of 2460 N/A C:\Windows\SysWOW64\Ehekqe32.exe C:\Windows\SysWOW64\Epmcab32.exe
PID 4712 wrote to memory of 2460 N/A C:\Windows\SysWOW64\Ehekqe32.exe C:\Windows\SysWOW64\Epmcab32.exe
PID 4712 wrote to memory of 2460 N/A C:\Windows\SysWOW64\Ehekqe32.exe C:\Windows\SysWOW64\Epmcab32.exe
PID 2460 wrote to memory of 1104 N/A C:\Windows\SysWOW64\Epmcab32.exe C:\Windows\SysWOW64\Eoocmoao.exe
PID 2460 wrote to memory of 1104 N/A C:\Windows\SysWOW64\Epmcab32.exe C:\Windows\SysWOW64\Eoocmoao.exe
PID 2460 wrote to memory of 1104 N/A C:\Windows\SysWOW64\Epmcab32.exe C:\Windows\SysWOW64\Eoocmoao.exe
PID 1104 wrote to memory of 4280 N/A C:\Windows\SysWOW64\Eoocmoao.exe C:\Windows\SysWOW64\Ebnoikqb.exe
PID 1104 wrote to memory of 4280 N/A C:\Windows\SysWOW64\Eoocmoao.exe C:\Windows\SysWOW64\Ebnoikqb.exe
PID 1104 wrote to memory of 4280 N/A C:\Windows\SysWOW64\Eoocmoao.exe C:\Windows\SysWOW64\Ebnoikqb.exe
PID 4280 wrote to memory of 3056 N/A C:\Windows\SysWOW64\Ebnoikqb.exe C:\Windows\SysWOW64\Elccfc32.exe
PID 4280 wrote to memory of 3056 N/A C:\Windows\SysWOW64\Ebnoikqb.exe C:\Windows\SysWOW64\Elccfc32.exe
PID 4280 wrote to memory of 3056 N/A C:\Windows\SysWOW64\Ebnoikqb.exe C:\Windows\SysWOW64\Elccfc32.exe
PID 3056 wrote to memory of 4616 N/A C:\Windows\SysWOW64\Elccfc32.exe C:\Windows\SysWOW64\Eoapbo32.exe
PID 3056 wrote to memory of 4616 N/A C:\Windows\SysWOW64\Elccfc32.exe C:\Windows\SysWOW64\Eoapbo32.exe
PID 3056 wrote to memory of 4616 N/A C:\Windows\SysWOW64\Elccfc32.exe C:\Windows\SysWOW64\Eoapbo32.exe
PID 4616 wrote to memory of 1080 N/A C:\Windows\SysWOW64\Eoapbo32.exe C:\Windows\SysWOW64\Ebploj32.exe
PID 4616 wrote to memory of 1080 N/A C:\Windows\SysWOW64\Eoapbo32.exe C:\Windows\SysWOW64\Ebploj32.exe
PID 4616 wrote to memory of 1080 N/A C:\Windows\SysWOW64\Eoapbo32.exe C:\Windows\SysWOW64\Ebploj32.exe
PID 1080 wrote to memory of 1468 N/A C:\Windows\SysWOW64\Ebploj32.exe C:\Windows\SysWOW64\Ejgdpg32.exe
PID 1080 wrote to memory of 1468 N/A C:\Windows\SysWOW64\Ebploj32.exe C:\Windows\SysWOW64\Ejgdpg32.exe
PID 1080 wrote to memory of 1468 N/A C:\Windows\SysWOW64\Ebploj32.exe C:\Windows\SysWOW64\Ejgdpg32.exe
PID 1468 wrote to memory of 3152 N/A C:\Windows\SysWOW64\Ejgdpg32.exe C:\Windows\SysWOW64\Eleplc32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\06fcda0a0e923ec22a8cf0546795f620_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\06fcda0a0e923ec22a8cf0546795f620_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Dcalgo32.exe

C:\Windows\system32\Dcalgo32.exe

C:\Windows\SysWOW64\Dhnepfpj.exe

C:\Windows\system32\Dhnepfpj.exe

C:\Windows\SysWOW64\Dpemacql.exe

C:\Windows\system32\Dpemacql.exe

C:\Windows\SysWOW64\Dcdimopp.exe

C:\Windows\system32\Dcdimopp.exe

C:\Windows\SysWOW64\Djnaji32.exe

C:\Windows\system32\Djnaji32.exe

C:\Windows\SysWOW64\Dllmfd32.exe

C:\Windows\system32\Dllmfd32.exe

C:\Windows\SysWOW64\Dokjbp32.exe

C:\Windows\system32\Dokjbp32.exe

C:\Windows\SysWOW64\Dcfebonm.exe

C:\Windows\system32\Dcfebonm.exe

C:\Windows\SysWOW64\Dfdbojmq.exe

C:\Windows\system32\Dfdbojmq.exe

C:\Windows\SysWOW64\Dhcnke32.exe

C:\Windows\system32\Dhcnke32.exe

C:\Windows\SysWOW64\Dlojkddn.exe

C:\Windows\system32\Dlojkddn.exe

C:\Windows\SysWOW64\Domfgpca.exe

C:\Windows\system32\Domfgpca.exe

C:\Windows\SysWOW64\Dakbckbe.exe

C:\Windows\system32\Dakbckbe.exe

C:\Windows\SysWOW64\Ehekqe32.exe

C:\Windows\system32\Ehekqe32.exe

C:\Windows\SysWOW64\Epmcab32.exe

C:\Windows\system32\Epmcab32.exe

C:\Windows\SysWOW64\Eoocmoao.exe

C:\Windows\system32\Eoocmoao.exe

C:\Windows\SysWOW64\Ebnoikqb.exe

C:\Windows\system32\Ebnoikqb.exe

C:\Windows\SysWOW64\Elccfc32.exe

C:\Windows\system32\Elccfc32.exe

C:\Windows\SysWOW64\Eoapbo32.exe

C:\Windows\system32\Eoapbo32.exe

C:\Windows\SysWOW64\Ebploj32.exe

C:\Windows\system32\Ebploj32.exe

C:\Windows\SysWOW64\Ejgdpg32.exe

C:\Windows\system32\Ejgdpg32.exe

C:\Windows\SysWOW64\Eleplc32.exe

C:\Windows\system32\Eleplc32.exe

C:\Windows\SysWOW64\Ecphimfb.exe

C:\Windows\system32\Ecphimfb.exe

C:\Windows\SysWOW64\Efneehef.exe

C:\Windows\system32\Efneehef.exe

C:\Windows\SysWOW64\Ejjqeg32.exe

C:\Windows\system32\Ejjqeg32.exe

C:\Windows\SysWOW64\Ehlaaddj.exe

C:\Windows\system32\Ehlaaddj.exe

C:\Windows\SysWOW64\Eqciba32.exe

C:\Windows\system32\Eqciba32.exe

C:\Windows\SysWOW64\Ecbenm32.exe

C:\Windows\system32\Ecbenm32.exe

C:\Windows\SysWOW64\Efpajh32.exe

C:\Windows\system32\Efpajh32.exe

C:\Windows\SysWOW64\Emjjgbjp.exe

C:\Windows\system32\Emjjgbjp.exe

C:\Windows\SysWOW64\Ecdbdl32.exe

C:\Windows\system32\Ecdbdl32.exe

C:\Windows\SysWOW64\Ffbnph32.exe

C:\Windows\system32\Ffbnph32.exe

C:\Windows\SysWOW64\Fjnjqfij.exe

C:\Windows\system32\Fjnjqfij.exe

C:\Windows\SysWOW64\Fmmfmbhn.exe

C:\Windows\system32\Fmmfmbhn.exe

C:\Windows\SysWOW64\Fcgoilpj.exe

C:\Windows\system32\Fcgoilpj.exe

C:\Windows\SysWOW64\Ffekegon.exe

C:\Windows\system32\Ffekegon.exe

C:\Windows\SysWOW64\Fjqgff32.exe

C:\Windows\system32\Fjqgff32.exe

C:\Windows\SysWOW64\Fqkocpod.exe

C:\Windows\system32\Fqkocpod.exe

C:\Windows\SysWOW64\Fcikolnh.exe

C:\Windows\system32\Fcikolnh.exe

C:\Windows\SysWOW64\Fbllkh32.exe

C:\Windows\system32\Fbllkh32.exe

C:\Windows\SysWOW64\Fjcclf32.exe

C:\Windows\system32\Fjcclf32.exe

C:\Windows\SysWOW64\Fmapha32.exe

C:\Windows\system32\Fmapha32.exe

C:\Windows\SysWOW64\Fopldmcl.exe

C:\Windows\system32\Fopldmcl.exe

C:\Windows\SysWOW64\Fbnhphbp.exe

C:\Windows\system32\Fbnhphbp.exe

C:\Windows\SysWOW64\Fjepaecb.exe

C:\Windows\system32\Fjepaecb.exe

C:\Windows\SysWOW64\Fqohnp32.exe

C:\Windows\system32\Fqohnp32.exe

C:\Windows\SysWOW64\Fobiilai.exe

C:\Windows\system32\Fobiilai.exe

C:\Windows\SysWOW64\Fcnejk32.exe

C:\Windows\system32\Fcnejk32.exe

C:\Windows\SysWOW64\Fflaff32.exe

C:\Windows\system32\Fflaff32.exe

C:\Windows\SysWOW64\Fijmbb32.exe

C:\Windows\system32\Fijmbb32.exe

C:\Windows\SysWOW64\Fqaeco32.exe

C:\Windows\system32\Fqaeco32.exe

C:\Windows\SysWOW64\Gcpapkgp.exe

C:\Windows\system32\Gcpapkgp.exe

C:\Windows\SysWOW64\Gjjjle32.exe

C:\Windows\system32\Gjjjle32.exe

C:\Windows\SysWOW64\Gmhfhp32.exe

C:\Windows\system32\Gmhfhp32.exe

C:\Windows\SysWOW64\Gogbdl32.exe

C:\Windows\system32\Gogbdl32.exe

C:\Windows\SysWOW64\Gbenqg32.exe

C:\Windows\system32\Gbenqg32.exe

C:\Windows\SysWOW64\Gjlfbd32.exe

C:\Windows\system32\Gjlfbd32.exe

C:\Windows\SysWOW64\Gmkbnp32.exe

C:\Windows\system32\Gmkbnp32.exe

C:\Windows\SysWOW64\Goiojk32.exe

C:\Windows\system32\Goiojk32.exe

C:\Windows\SysWOW64\Gjocgdkg.exe

C:\Windows\system32\Gjocgdkg.exe

C:\Windows\SysWOW64\Hihicplj.exe

C:\Windows\system32\Hihicplj.exe

C:\Windows\SysWOW64\Hcnnaikp.exe

C:\Windows\system32\Hcnnaikp.exe

C:\Windows\SysWOW64\Hfljmdjc.exe

C:\Windows\system32\Hfljmdjc.exe

C:\Windows\SysWOW64\Hikfip32.exe

C:\Windows\system32\Hikfip32.exe

C:\Windows\SysWOW64\Hmfbjnbp.exe

C:\Windows\system32\Hmfbjnbp.exe

C:\Windows\SysWOW64\Hpenfjad.exe

C:\Windows\system32\Hpenfjad.exe

C:\Windows\SysWOW64\Hfofbd32.exe

C:\Windows\system32\Hfofbd32.exe

C:\Windows\SysWOW64\Himcoo32.exe

C:\Windows\system32\Himcoo32.exe

C:\Windows\SysWOW64\Hadkpm32.exe

C:\Windows\system32\Hadkpm32.exe

C:\Windows\SysWOW64\Hbeghene.exe

C:\Windows\system32\Hbeghene.exe

C:\Windows\SysWOW64\Hippdo32.exe

C:\Windows\system32\Hippdo32.exe

C:\Windows\SysWOW64\Haggelfd.exe

C:\Windows\system32\Haggelfd.exe

C:\Windows\SysWOW64\Hcedaheh.exe

C:\Windows\system32\Hcedaheh.exe

C:\Windows\SysWOW64\Hfcpncdk.exe

C:\Windows\system32\Hfcpncdk.exe

C:\Windows\SysWOW64\Hmmhjm32.exe

C:\Windows\system32\Hmmhjm32.exe

C:\Windows\SysWOW64\Ipldfi32.exe

C:\Windows\system32\Ipldfi32.exe

C:\Windows\SysWOW64\Ijaida32.exe

C:\Windows\system32\Ijaida32.exe

C:\Windows\SysWOW64\Impepm32.exe

C:\Windows\system32\Impepm32.exe

C:\Windows\SysWOW64\Iakaql32.exe

C:\Windows\system32\Iakaql32.exe

C:\Windows\SysWOW64\Ifhiib32.exe

C:\Windows\system32\Ifhiib32.exe

C:\Windows\SysWOW64\Iiffen32.exe

C:\Windows\system32\Iiffen32.exe

C:\Windows\SysWOW64\Ipqnahgf.exe

C:\Windows\system32\Ipqnahgf.exe

C:\Windows\SysWOW64\Ifjfnb32.exe

C:\Windows\system32\Ifjfnb32.exe

C:\Windows\SysWOW64\Iiibkn32.exe

C:\Windows\system32\Iiibkn32.exe

C:\Windows\SysWOW64\Idofhfmm.exe

C:\Windows\system32\Idofhfmm.exe

C:\Windows\SysWOW64\Ibagcc32.exe

C:\Windows\system32\Ibagcc32.exe

C:\Windows\SysWOW64\Iikopmkd.exe

C:\Windows\system32\Iikopmkd.exe

C:\Windows\SysWOW64\Idacmfkj.exe

C:\Windows\system32\Idacmfkj.exe

C:\Windows\SysWOW64\Ifopiajn.exe

C:\Windows\system32\Ifopiajn.exe

C:\Windows\SysWOW64\Iinlemia.exe

C:\Windows\system32\Iinlemia.exe

C:\Windows\SysWOW64\Jaedgjjd.exe

C:\Windows\system32\Jaedgjjd.exe

C:\Windows\SysWOW64\Jjmhppqd.exe

C:\Windows\system32\Jjmhppqd.exe

C:\Windows\SysWOW64\Jmkdlkph.exe

C:\Windows\system32\Jmkdlkph.exe

C:\Windows\SysWOW64\Jagqlj32.exe

C:\Windows\system32\Jagqlj32.exe

C:\Windows\SysWOW64\Jjpeepnb.exe

C:\Windows\system32\Jjpeepnb.exe

C:\Windows\SysWOW64\Jaimbj32.exe

C:\Windows\system32\Jaimbj32.exe

C:\Windows\SysWOW64\Jdhine32.exe

C:\Windows\system32\Jdhine32.exe

C:\Windows\SysWOW64\Jfffjqdf.exe

C:\Windows\system32\Jfffjqdf.exe

C:\Windows\SysWOW64\Jjbako32.exe

C:\Windows\system32\Jjbako32.exe

C:\Windows\SysWOW64\Jpojcf32.exe

C:\Windows\system32\Jpojcf32.exe

C:\Windows\SysWOW64\Jigollag.exe

C:\Windows\system32\Jigollag.exe

C:\Windows\SysWOW64\Jmbklj32.exe

C:\Windows\system32\Jmbklj32.exe

C:\Windows\SysWOW64\Jdmcidam.exe

C:\Windows\system32\Jdmcidam.exe

C:\Windows\SysWOW64\Jbocea32.exe

C:\Windows\system32\Jbocea32.exe

C:\Windows\SysWOW64\Jkfkfohj.exe

C:\Windows\system32\Jkfkfohj.exe

C:\Windows\SysWOW64\Kmegbjgn.exe

C:\Windows\system32\Kmegbjgn.exe

C:\Windows\SysWOW64\Kpccnefa.exe

C:\Windows\system32\Kpccnefa.exe

C:\Windows\SysWOW64\Kbapjafe.exe

C:\Windows\system32\Kbapjafe.exe

C:\Windows\SysWOW64\Kkihknfg.exe

C:\Windows\system32\Kkihknfg.exe

C:\Windows\SysWOW64\Kmgdgjek.exe

C:\Windows\system32\Kmgdgjek.exe

C:\Windows\SysWOW64\Kpepcedo.exe

C:\Windows\system32\Kpepcedo.exe

C:\Windows\SysWOW64\Kdaldd32.exe

C:\Windows\system32\Kdaldd32.exe

C:\Windows\SysWOW64\Kgphpo32.exe

C:\Windows\system32\Kgphpo32.exe

C:\Windows\SysWOW64\Kmjqmi32.exe

C:\Windows\system32\Kmjqmi32.exe

C:\Windows\SysWOW64\Kdcijcke.exe

C:\Windows\system32\Kdcijcke.exe

C:\Windows\SysWOW64\Kbfiep32.exe

C:\Windows\system32\Kbfiep32.exe

C:\Windows\SysWOW64\Kknafn32.exe

C:\Windows\system32\Kknafn32.exe

C:\Windows\SysWOW64\Kipabjil.exe

C:\Windows\system32\Kipabjil.exe

C:\Windows\SysWOW64\Kagichjo.exe

C:\Windows\system32\Kagichjo.exe

C:\Windows\SysWOW64\Kpjjod32.exe

C:\Windows\system32\Kpjjod32.exe

C:\Windows\SysWOW64\Kcifkp32.exe

C:\Windows\system32\Kcifkp32.exe

C:\Windows\SysWOW64\Kkpnlm32.exe

C:\Windows\system32\Kkpnlm32.exe

C:\Windows\SysWOW64\Kpmfddnf.exe

C:\Windows\system32\Kpmfddnf.exe

C:\Windows\SysWOW64\Kgfoan32.exe

C:\Windows\system32\Kgfoan32.exe

C:\Windows\SysWOW64\Lmqgnhmp.exe

C:\Windows\system32\Lmqgnhmp.exe

C:\Windows\SysWOW64\Lpocjdld.exe

C:\Windows\system32\Lpocjdld.exe

C:\Windows\SysWOW64\Lcmofolg.exe

C:\Windows\system32\Lcmofolg.exe

C:\Windows\SysWOW64\Laopdgcg.exe

C:\Windows\system32\Laopdgcg.exe

C:\Windows\SysWOW64\Ldmlpbbj.exe

C:\Windows\system32\Ldmlpbbj.exe

C:\Windows\SysWOW64\Lgkhlnbn.exe

C:\Windows\system32\Lgkhlnbn.exe

C:\Windows\SysWOW64\Lijdhiaa.exe

C:\Windows\system32\Lijdhiaa.exe

C:\Windows\SysWOW64\Lpcmec32.exe

C:\Windows\system32\Lpcmec32.exe

C:\Windows\SysWOW64\Lcbiao32.exe

C:\Windows\system32\Lcbiao32.exe

C:\Windows\SysWOW64\Lilanioo.exe

C:\Windows\system32\Lilanioo.exe

C:\Windows\SysWOW64\Lnhmng32.exe

C:\Windows\system32\Lnhmng32.exe

C:\Windows\SysWOW64\Lpfijcfl.exe

C:\Windows\system32\Lpfijcfl.exe

C:\Windows\SysWOW64\Ldaeka32.exe

C:\Windows\system32\Ldaeka32.exe

C:\Windows\SysWOW64\Lgpagm32.exe

C:\Windows\system32\Lgpagm32.exe

C:\Windows\SysWOW64\Ljnnch32.exe

C:\Windows\system32\Ljnnch32.exe

C:\Windows\SysWOW64\Laefdf32.exe

C:\Windows\system32\Laefdf32.exe

C:\Windows\SysWOW64\Lddbqa32.exe

C:\Windows\system32\Lddbqa32.exe

C:\Windows\SysWOW64\Lgbnmm32.exe

C:\Windows\system32\Lgbnmm32.exe

C:\Windows\SysWOW64\Mjqjih32.exe

C:\Windows\system32\Mjqjih32.exe

C:\Windows\SysWOW64\Mahbje32.exe

C:\Windows\system32\Mahbje32.exe

C:\Windows\SysWOW64\Mdfofakp.exe

C:\Windows\system32\Mdfofakp.exe

C:\Windows\SysWOW64\Mgekbljc.exe

C:\Windows\system32\Mgekbljc.exe

C:\Windows\SysWOW64\Mjcgohig.exe

C:\Windows\system32\Mjcgohig.exe

C:\Windows\SysWOW64\Mnocof32.exe

C:\Windows\system32\Mnocof32.exe

C:\Windows\SysWOW64\Mpmokb32.exe

C:\Windows\system32\Mpmokb32.exe

C:\Windows\SysWOW64\Mdiklqhm.exe

C:\Windows\system32\Mdiklqhm.exe

C:\Windows\SysWOW64\Mgghhlhq.exe

C:\Windows\system32\Mgghhlhq.exe

C:\Windows\SysWOW64\Mkbchk32.exe

C:\Windows\system32\Mkbchk32.exe

C:\Windows\SysWOW64\Mnapdf32.exe

C:\Windows\system32\Mnapdf32.exe

C:\Windows\SysWOW64\Mamleegg.exe

C:\Windows\system32\Mamleegg.exe

C:\Windows\SysWOW64\Mdkhapfj.exe

C:\Windows\system32\Mdkhapfj.exe

C:\Windows\SysWOW64\Mgidml32.exe

C:\Windows\system32\Mgidml32.exe

C:\Windows\SysWOW64\Mkepnjng.exe

C:\Windows\system32\Mkepnjng.exe

C:\Windows\SysWOW64\Mncmjfmk.exe

C:\Windows\system32\Mncmjfmk.exe

C:\Windows\SysWOW64\Mdmegp32.exe

C:\Windows\system32\Mdmegp32.exe

C:\Windows\SysWOW64\Mcpebmkb.exe

C:\Windows\system32\Mcpebmkb.exe

C:\Windows\SysWOW64\Mkgmcjld.exe

C:\Windows\system32\Mkgmcjld.exe

C:\Windows\SysWOW64\Mjjmog32.exe

C:\Windows\system32\Mjjmog32.exe

C:\Windows\SysWOW64\Maaepd32.exe

C:\Windows\system32\Maaepd32.exe

C:\Windows\SysWOW64\Mpdelajl.exe

C:\Windows\system32\Mpdelajl.exe

C:\Windows\SysWOW64\Mdpalp32.exe

C:\Windows\system32\Mdpalp32.exe

C:\Windows\SysWOW64\Mgnnhk32.exe

C:\Windows\system32\Mgnnhk32.exe

C:\Windows\SysWOW64\Njljefql.exe

C:\Windows\system32\Njljefql.exe

C:\Windows\SysWOW64\Nnhfee32.exe

C:\Windows\system32\Nnhfee32.exe

C:\Windows\SysWOW64\Nqfbaq32.exe

C:\Windows\system32\Nqfbaq32.exe

C:\Windows\SysWOW64\Ndbnboqb.exe

C:\Windows\system32\Ndbnboqb.exe

C:\Windows\SysWOW64\Ngpjnkpf.exe

C:\Windows\system32\Ngpjnkpf.exe

C:\Windows\SysWOW64\Nklfoi32.exe

C:\Windows\system32\Nklfoi32.exe

C:\Windows\SysWOW64\Nqiogp32.exe

C:\Windows\system32\Nqiogp32.exe

C:\Windows\SysWOW64\Nkncdifl.exe

C:\Windows\system32\Nkncdifl.exe

C:\Windows\SysWOW64\Nbhkac32.exe

C:\Windows\system32\Nbhkac32.exe

C:\Windows\SysWOW64\Nqklmpdd.exe

C:\Windows\system32\Nqklmpdd.exe

C:\Windows\SysWOW64\Ncihikcg.exe

C:\Windows\system32\Ncihikcg.exe

C:\Windows\SysWOW64\Njcpee32.exe

C:\Windows\system32\Njcpee32.exe

C:\Windows\SysWOW64\Nqmhbpba.exe

C:\Windows\system32\Nqmhbpba.exe

C:\Windows\SysWOW64\Ncldnkae.exe

C:\Windows\system32\Ncldnkae.exe

C:\Windows\SysWOW64\Nkcmohbg.exe

C:\Windows\system32\Nkcmohbg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6536 -ip 6536

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6536 -s 400

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
BE 88.221.83.192:443 www.bing.com tcp
US 8.8.8.8:53 192.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

memory/1172-0-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3208-8-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Dcalgo32.exe

MD5 9eb58d1744fedc487b08df783459f3a4
SHA1 5a9eda1f229306207cb0251e78dc02bf42922f43
SHA256 2adc8a091f174dbceea14f7844056283183f399d8bdee34b0861fba29a0f686a
SHA512 e069e93f9dccf353dd3d6955fab3ba2fb78e83cb3385f6f94ad9cf1b2447d6708fb0fa9d5b6a6fbfe5a201dfb7c64d123262dd3b70b123e273bdd210dc4834ca

memory/1172-1-0x0000000000432000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Dhnepfpj.exe

MD5 8796079a441c7c6d72dbbb3fc8e280d2
SHA1 895e277a24c475138172f8cb2cfac77fae201703
SHA256 afa34701d54616ae04b24ff98313aefd046f42c81c580cf833df90972c57590c
SHA512 38a834350be22335deaba9d28497d026bfb2d98086ca2d41a918442ee97bfb1a024078e70b52a01c393671cd205d492e73eedb68981fa75ab837378ded45eb22

memory/3268-22-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Dpemacql.exe

MD5 560e01d0fc7d7c55580a3f2738319230
SHA1 692fc4933ecda844a162d94684e14c6dae5453eb
SHA256 c03287c8083927d31dc6faff6631a692e3131470195caa9f0689978cc2967564
SHA512 a37c9bd6bb3be6f6049773c40be8391d5f4b375bf0cbc2509eac4e393038b318e8ba11cbc5cee566829fbc973c44f9ac2c25926b7d8aaf6055ba57bdb6c4b99e

memory/3468-25-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1724-32-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Dcdimopp.exe

MD5 bad6d54a9b568b251515547fe6261644
SHA1 be8a9b64b4425b2400e13adda61aaebf565cefc1
SHA256 c162f58039497812a9578a3d35fd398d9382cff4514ea1e1209de390d438c8ea
SHA512 31003cf08da8a134c6b06e3680dbc052b640e280b03fdc0a339eb451c88f5f7e6f5afc27da045c2b1ee8c93f76ef808c8ee5ef8984f407919e3ff6310202b625

C:\Windows\SysWOW64\Djnaji32.exe

MD5 02d77b0fd99b7de7f782cf8dd80fc66a
SHA1 6f17070748d106e6748b8b1dd3d7d851b2a688fa
SHA256 d66a697ed4c368f810a186070c16ad2660d128889c7e3bbdb107037f57d1bfb5
SHA512 973718e57d88b2d635498c8ae8c92e2cc9fffec84d7bb08b1eaa5ba00f4930fe723cc438134e6d644592e3f835e1882051ba593fb273a3076059e6a6ed4a3dba

C:\Windows\SysWOW64\Dllmfd32.exe

MD5 efe118b0724096f12ccb5ea6d1a9bee8
SHA1 59c6abe0aaba7a62321da30af74985866e269f88
SHA256 bc4f7ace704e57a26d051b4faee776080c2b47fbbbf6f13cd43a4b8fc36bfb06
SHA512 feebcdcda1c3eba16401721ed15572e32a0a390b62ab6136162bd88174416a5945d3e5b711ab79417c5c6e7a0f1fbba5aa0e685c01720232854a4218d13fdce1

memory/4416-45-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3388-49-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Dokjbp32.exe

MD5 85195376558862a8024943d98fe1b8b5
SHA1 2c111beb77718ff68e3fe5baf8e6ffbb1323b049
SHA256 1a7feb687537c4bd2fb82c132285f52bb4005bb6818426f53389e88f9a916dca
SHA512 3c1704ce9431a30553d75695a12100ed96dc577cad2805d1b115d523efa1ea1e98ccbccd57c10d1132792717ec7838b51adf822387b57497b080a703279d6e48

C:\Windows\SysWOW64\Dcfebonm.exe

MD5 461e6a1cdb20a8c043df0ed4bbca4c3f
SHA1 c6b04a869f4f8b452f1b7433ffe013bdfc38278c
SHA256 20f361462199c24a2e38d53a5e274152168f8eef102bd86cb16214b6814c341a
SHA512 bed6c60c719a5ded1bc2369428983f03e9dba2cb40503071523f905a2828bdbefcfba1ceeea6f7a6a40277adc51b306d3af8d7b888ecb96a8f97a3ae33e11c54

C:\Windows\SysWOW64\Dfdbojmq.exe

MD5 5985b7099fda7a6448541821e31faef7
SHA1 a99536d9ed32d3af7172f64a044dd9dc93cd1f05
SHA256 b900b3037abeee01254b32599d69497132840258863838723045a03f2ae23bf5
SHA512 e82f6e30588c37421c5ca7334274e8101e5140174267672e2830368b7cdf5f30117bb7de59a1c444dadc6fdf25cf5376ad176a4e6c586261b13732467953dc3d

memory/944-71-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4988-72-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Dhcnke32.exe

MD5 6b2addacab7344d2eb0d85a5e2e57687
SHA1 a223d2751535617569ca95e63429c04348311125
SHA256 98d5ee2912db266b745494d07b9f607f9d1d43f0279e255312c4b60ee1f1b767
SHA512 e6ca9565c1801fada25a96e341511b21245320f072bf54288fb053f3c24922626448ba7d1f07e6465c80285c567c77a12a710470d95d98163681399aeb9b0fb4

memory/1828-80-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Dlojkddn.exe

MD5 4f6d931ac6a0fe83f405bdfcbfa44427
SHA1 80e533f97d6bb4f2dc3e42413131ca22f9339e96
SHA256 c2bd1ae48e72364c4a322c37ce39c92472e917985deefd405b2f450a0f7131d0
SHA512 bd2d93d0287b23a61557a212eaa5ca8147d0eb60870a51b90776e27bdd872ae15ceca788b5d41b33fba8551f852a16e346be0d0038b5583694ac81741810b2bf

memory/2008-88-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Domfgpca.exe

MD5 c6bea517c5ff836bd8245d6cc9aa8693
SHA1 4c3a9e20ba25d1d034115f51d601eafd03e4402e
SHA256 a21f54aa1f11b5e6bb3f3f3b2fbbe05523760bea728340e8a22c1d4c3098b3da
SHA512 cf25652fec1240530daf0f5cf1574e427be6ba382baf0ddae3169a74542222d4a71f220684956ea69b14d54c7cb20911f624d2bfa2332c512f370a2360aee4c8

memory/2468-96-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Dakbckbe.exe

MD5 b3360d90422e0262d4967f05c9d751ad
SHA1 7230ea947a37d838bc194303999fbed7269e5b70
SHA256 7aabbbe12fb07d248478d2b90f6ced19c58e3d57648b74b2736f169cdb92f890
SHA512 2426efe1cf9de77eaff465cc37e1093a5a5d0d4b6faa1ad59d57cd73f3c863dfcb1138a18fd0f70a0b78da3e96d078c282f1bef510cb01e9e15109c0a31cbea1

C:\Windows\SysWOW64\Ehekqe32.exe

MD5 1a5f8c2344a16bcb75f009da186c51e7
SHA1 b42bd331af1eb762313687ff09741ded15949e1d
SHA256 09344762385bf3369fd76b37da6910cfe9d4c34b11a56f25c68a1483cf613859
SHA512 d6f8a3a3fb45363334428e872b082d926bfe165f87328a90f71f781b5a72262bcd305a70aaa278e11133edd0ebf43f6610af4ee828aa91f1b3b3b4c13ea5730a

memory/2124-104-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4712-116-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1104-128-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Eoocmoao.exe

MD5 d551cb364fb096ddae576238e7e7b821
SHA1 5b1f645bca1710860b082333436fc0a0f12c1295
SHA256 da77e7811d3e0a7e948b10ac7eda5478fad24f78a6448a65520242b00ac3b752
SHA512 a1d92e730b832c150a431e6e59c28714ab105b64c4d3cf18e8945f4413cdc4cecf55d62780a6a4a935f32dad61b7448a37459eb3ddd846d9d9a5e1be9df6ebd2

memory/2460-124-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Ebnoikqb.exe

MD5 156ced0520f0050171bf3d0cf694b167
SHA1 1550dd5f6c2206f193c115d00bb05491035c08d3
SHA256 96742b3ecc628bf1e3f2a059868c3e6e11cb7bb79f6e6c9a654f75484f2ef9c5
SHA512 2676436746dd5727559f758e23a6d5fd8790cee28fe6a03a6c4091b129b99c0d79f7287d8b4c04e0507441a38d89459e0672e1cbea1f189ab8bc1bb51cece401

memory/4280-136-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Epmcab32.exe

MD5 d4f3711ea935b2c1d7fbb303cb5b9597
SHA1 f801d6299f909a88fcbaf6ab3422f8a4e3d1ec13
SHA256 d5cb2ecd474c4f768515e9e73843f07ba9a08befaff09cf4971cb79ad0a19e93
SHA512 473aa91385dfbed36f1e2950b2d887007bd4fa389805f93a974644ea32d6497a712e2a3e575a9e55dec254acd981451fe25a71c28f938f53f59e7820ed812478

C:\Windows\SysWOW64\Elccfc32.exe

MD5 1df18f095ba0443707cf2841b62aa3cf
SHA1 c25b32cc9f0378c306bda9f2932ad7d12315d38f
SHA256 2bdac3bea4225ad3dcb1892618a745a12883449d133d6d77d562d074b6dac494
SHA512 2b32b03ccbd1dc962ac48c15ca8e2284a2ff53135f3b527b96712bff2d9f12884f7aac2ee3099003a2735a311bf24fdd94e7062c769159be0d1f7cc1b2dbdc99

memory/3056-144-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Eoapbo32.exe

MD5 44cc38deddc7ae9325d5ed7bbb5f5c18
SHA1 02a7db6852ecb49cf0a33326d350861b61896f9f
SHA256 1d895a2a409a574d4bd6e124177ff4a217c669526d32d4ce851b4bd4016fd3fc
SHA512 c177b32ecdad038e4dc4f4fed69c734cc4cda9e315bc7986e99647925ef32a7a6be97e6d04e87e5b44f853c041efa4b9a2709e4c30e750dc9956d9ea7bcebe20

memory/4616-152-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Ebploj32.exe

MD5 576dfe3a787f568ec218fb6e4ac6b2de
SHA1 e455d6b59d090be03e9b085d39fbe936fed6cc68
SHA256 1316a9a6c1fc243388d4daffca5e92d7886a0b2631bb53421b60eb6b9f85d719
SHA512 bb911909e24e469a5881bba199a97e7da47400951e7e532f3527aa5f68e459e7ba9708287471221a0204fc7288f3dd2ff0c77b5609dbe39348bbfc2bb3923846

C:\Windows\SysWOW64\Ejgdpg32.exe

MD5 69d1e732e53ce26c4ab3055f319e64ae
SHA1 0fca6f3d479b245aa0064bd1005f446d371db1f1
SHA256 cbba0d7e1a769ae2d446e987ad7632bd8e56273d0e43a66e0c58f4df6a3d310b
SHA512 18f05dee3f0fc9352e8cea9051171ac718a4983d22384807dea84e8ca62ba3b663e587c6b488f3fcb1dae8df0d7507a01c85e7f2cbfb6d4ad977d81898ecc78b

memory/1468-168-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Eleplc32.exe

MD5 30f63e61381d8de2bbc9f5bd72cf1227
SHA1 d44983e0ceb4332905f8be45e797e4f1ae2dc91f
SHA256 a64bad08fc6a7688fb507fbad68257ea56045237b0548a9879b5897615631b23
SHA512 564a718d29e01185d27174524e760e9f29ddad43e9d82bb09f3661d49eb690b46d5bac5bda6eb58e9f3250ba742a6bc96e6a1eb9ed5c57bbf87c3292b9e1ec07

memory/3152-176-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Ecphimfb.exe

MD5 1a83c39a0f35bfc875e312856338b879
SHA1 9a90bc417ff03ec27a2efec0ff46e133ed4f9226
SHA256 0372347324c548fc479951fd545ff89d031ec52df4d850a568b2ee654095d059
SHA512 942e57725735e9a8bc6435a9bf2064a254e74a67c6a76bf63caab34642c7795eb587ffd119e1aa985eddbdad4cbb6c324621fdd5926e808f2a029d8407865bb1

C:\Windows\SysWOW64\Efneehef.exe

MD5 ae05d32f9a0663334ab815ff2f065f17
SHA1 e73f45aac435b5a5ece2b45ce06425f4bd990656
SHA256 532b1f4a7e0137dea54c25fc32ac9d98efb05cfe284aedf20e4194877a5e0537
SHA512 13e369ca7b11c2d0e71e042bff96259c55df0d05215f23bfa3c555083943b09cf446a9b10bee4d55d70c3b53b9cc2386e3983225af9ab526682cf17ce8608702

C:\Windows\SysWOW64\Ejjqeg32.exe

MD5 aa2fb84e7980c7cfab15fa7fbe0e82fd
SHA1 0bd9617560e43877d77ffb688119cfccffc9a3ad
SHA256 8b7e0ccc7fe90ded0a59c13dd26c7f3e22835233a70ab86f0e87f584b04344e8
SHA512 31c3fc364179e1db6fa24aa81567f8b366c3468799a7756c3f1100e589452449e1d5981e066cff212ece904cafdfda68d1e818dc45c67d5298da1dd8940f0795

C:\Windows\SysWOW64\Ehlaaddj.exe

MD5 527493022680492a806fee69dea278e6
SHA1 87bced2401ca1848e7b36b31fcd416df3418710b
SHA256 fe430e2a3300a36ad615c67024fb370747176d2beca3d324413165ef802a5d47
SHA512 975594d03660bd98b96654f366d16442b23be382d62db3ac7988e09e80783e30eb58bf30459ec0f481df1282d01954b6d3f3381ad69baf9cafb6a9e6192abc47

memory/4268-200-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2060-192-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Eqciba32.exe

MD5 d03ebfc841c792f03cea9daa9c7c0ac0
SHA1 408280fd5cbb08ecb45965627a93ce410f3203be
SHA256 436c747f7d9825a62306fc8d24e61e5eece91104f9355f374923a2bd8e032279
SHA512 907801120fa546af3fce24d6ae82ec820952d2a993ce71ce6a20d38e4fcb646d3f9b9f948ebfa6d80446046b6d6decd161ef3cda121a500ac3f2892f3fec74a7

C:\Windows\SysWOW64\Ecbenm32.exe

MD5 8cfe4e54f5c2523b09d216bc14d9997f
SHA1 3b672f6190c359ea54a8b0d4dcf9be6f4d0934fd
SHA256 1f92a97ae6314e21fe6b6f18cba62a602f4c921cdb2ad7a4d76db5fa3d28e970
SHA512 41c2b8c4ea87707ea3aad13085e952bea8e2f9f6d232e3240bf83f0e34a9708d2e1186e6d8393d73742cb7afb7a93e6cc44e6b079c6f3ba79ff8d056c791b1ca

memory/5072-216-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Efpajh32.exe

MD5 044fe22cbdbae6834ecab5e7e65d54dd
SHA1 a6173920a58c4807b956034bc40eebe91c8a36cf
SHA256 15d40ad754d6b5db66e12b3775644c6fd75b95bf6dab7cbde7cee5ba077e0237
SHA512 7d9dc50971cdc88986e0921991d5a133a5e4efe56b440a3d28034d9ed26c247d3d8285db062e450e1aea3ddd365907dcc766860e216b1e99867ed3ddafdf4639

memory/3920-232-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2880-224-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Emjjgbjp.exe

MD5 13f5c0e3c298484c14c02c10f2127159
SHA1 b6dcc3ada8218d350ccd777d4114d94085f974d6
SHA256 2560be26adb89244a69e6585c9600908c16e540ff9fc988df9b6308bfabf04d1
SHA512 89cd20cad9b1a19acc19cdacdf9fe8ca7ceb040249f237891d087bc080ce0e541664eef721e840fbb8976e3f362b29ded2f5b21c31527975aa4414d9a14d9202

memory/2972-211-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2712-188-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Ffbnph32.exe

MD5 cf3a94e696767deba894565a5449d89b
SHA1 f81be50415b24b86766d73733225c9e281f1a488
SHA256 e2a30dab9859cbc34ff1e1861140bad00b59234ea7f0eab6bb080603ccdf8217
SHA512 d3c68ec14666af6baf947f2e8d5875ae29e538398c953d1928f1773cebc0de744f86e0642c84a3c6ffb9642352bda5c86a31c72a97ccf2a0a69482c83d2a5fcb

C:\Windows\SysWOW64\Fjnjqfij.exe

MD5 37026e54d63d3b82307e351a88a26303
SHA1 18e13c48eff724dfb216aa4d8d2b8d7ac2ccf0fb
SHA256 59667574ac063c30d17a86bc48e029a08df2c25c7f771e817e4cafd929bbbe96
SHA512 d107c3ad30a4f17247208ec7878f154d0fce6c75a96fb5d164008d969bcfab2cce7dabd3096328c4eeada74358d7c42d495e126476573a2aad7b5c184b27a9c3

memory/1552-256-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3740-262-0x0000000000400000-0x0000000000453000-memory.dmp

memory/632-252-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Ecdbdl32.exe

MD5 335f53bd0677b7a674bdfb0904cd6f54
SHA1 e271cdf2ef8d9a9955c08456356768581cb5b5fc
SHA256 d2fd7d9ae39503e7fe263cb269057f77e8c5b0ea78a42a95c06dff201aeeff2d
SHA512 62c6157ff4e1df93d02ece2f4428123cf005b5dc3a5a1e4e9e1095810516cb54c0069672cde8069551f9df310dff2f0d1582f835605c3061789322372a9a43fa

memory/3528-268-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4784-244-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1080-160-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1160-274-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2076-285-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4060-300-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4108-302-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1812-308-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1864-314-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3956-320-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4948-326-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2820-340-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4996-349-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2348-348-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2780-360-0x0000000000400000-0x0000000000453000-memory.dmp

memory/664-366-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3320-371-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4400-383-0x0000000000400000-0x0000000000453000-memory.dmp

memory/540-389-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3168-400-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4376-404-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1808-411-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3732-413-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4528-419-0x0000000000400000-0x0000000000453000-memory.dmp

memory/452-429-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4432-431-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4680-437-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3860-443-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3228-449-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3536-455-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2496-461-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3508-472-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2540-478-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4232-488-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2308-495-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Hfcpncdk.exe

MD5 60014c0d93cdeb3035fe1a3bb837d494
SHA1 12f94fad7420eac32d189bd354dfd4cd45f414c2
SHA256 1c7890be197776f7885b79a003f7202c7e5b6919d485dff7b00fdee64c086811
SHA512 51f5f970ecd1c925454e22b146b4e7cd80d1fd1a8df146466e22c9d94f312e4a3757b0a3a008a1fdbb2873a88709859f1d6a83e3ea36d20816ee15edf6323ee1

memory/2512-501-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3972-511-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4608-513-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1076-529-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1172-530-0x0000000000400000-0x0000000000453000-memory.dmp

memory/216-531-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3120-537-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4292-549-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3208-548-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Ifjfnb32.exe

MD5 73d12b0f170a2cdfe1ef0829f8a3fc4a
SHA1 da4f0eb26820676cf2aa56cbdabbfd40f4da3fa9
SHA256 08ba654f19cab20356f79b5f91d0db31c7a4a452ce422875f56b789eacc35b8c
SHA512 e2efbfdba7db5f3eb30009968dcb15a6108a816ebc898b6d2a1953d0e046a426a97e6bff24ceb92445dc33b58604765643cc881515116ed2405b80c79ba57881

memory/3268-555-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3728-562-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3468-561-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1724-572-0x0000000000400000-0x0000000000453000-memory.dmp

memory/5016-575-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4416-574-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3388-581-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4628-582-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2096-592-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4988-595-0x0000000000400000-0x0000000000453000-memory.dmp

memory/944-594-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1828-601-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2948-602-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2008-608-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3480-609-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2468-617-0x0000000000400000-0x0000000000453000-memory.dmp

memory/5172-622-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2124-621-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4712-632-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2460-634-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Jaimbj32.exe

MD5 44008ab0e6a67c75399ba09987e24b45
SHA1 79c8825fa6775a5e07018cbaafe4004124b571d3
SHA256 dc41881702270acd0bdb0c86694fc15b3acaa8e5f9a2afc6e439bf2890d25f7b
SHA512 aa07d6d817dde45694d509b5a2979a95670fab146b1be34658eb4eb25ca2330d811c790ab4028c9ca90d1a80c6d75a8dc3b14e2d086a7181691724ca8894ea06

C:\Windows\SysWOW64\Jjbako32.exe

MD5 111801429e4083f7eb9a03278ebd9d17
SHA1 01119b1484ee52bdda5e425bfb8869d485f0f29b
SHA256 95391061247559574ef17d87a0732f277572d307b3a513b87beede67da6f7e29
SHA512 2aa59baab918c8b56570e027f5ce8f1bc6d6182cf09858195da238c42b1cafec785e13421372fd5cd4468e85a8ad6ff96e26bbd07a4a85c38007ec0995eb7308

C:\Windows\SysWOW64\Kkihknfg.exe

MD5 17beb33a76b7d2517ec2677971c3972d
SHA1 fcc11a538bad66dedcfff41c95df61308e2b12fa
SHA256 8b40fa0418390b2d60a9f8ed59f971747387de4cf7989dd5d39c5559b029a8d9
SHA512 283afd694b926da437b3fd1799eb6ace3458fcf1269d5c0e2d5ea3ae3b651ed3cc1397e21e8cd9a80476912c5245c0cb7f608475ba35bdc03e3ecccf3f0d11a0

C:\Windows\SysWOW64\Kcifkp32.exe

MD5 e9d6e9e42093e79ddb4311b08b303cb5
SHA1 97cea7a03fda533cc70bd7610c6a1f5fe5c62e56
SHA256 52839c8b21f0809db4e01eeced4540c0cc2f3bbc5423c29d6e8b474d52a6a312
SHA512 737052dc3bddd16bfb3f00211f3862d47712edbf1cfb047e577f524817eb0e2757ef86b5939837156a8a933c66cc4cf2e80e4681183c74184874378600a832f4

C:\Windows\SysWOW64\Kpmfddnf.exe

MD5 ab924f00831e57dcb9b5218f4f04669c
SHA1 cbf08c74a8f32e08cfc2887e7f27991f655ab54e
SHA256 ff0088993280c857e01fcab87c44c84126ef1b649ee4e0cb62258a22b6c541c2
SHA512 f6d86b1b1d29e3af2f11e8306aeddade1f36274f5cfce22157aecf474ee7a6ac952811460a537daa45702ddd4cead64994a2f22176ae052dd1aa1444399d530b

C:\Windows\SysWOW64\Lcmofolg.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\SysWOW64\Ldmlpbbj.exe

MD5 deac51cd76f6d09533e2606f76b3f368
SHA1 e9fbb6f949a9cb895b721fd33a20381ff884a774
SHA256 6d14436a94c18c21fd2b6c0cb8fc2dad0c12b17b6de17950e5d72ec88d7b722e
SHA512 aac25e04742ffdcb050a8c68001825fda4122751a3dc6f0d69b889eab12ed7708c215eb2acd8d3439660bfa497daee13ce5aca13e85c71b9971c455f6e370f0c

C:\Windows\SysWOW64\Lcbiao32.exe

MD5 26a611de47eebaddc892ec95d2b87194
SHA1 2b05b57d34c0e7389b270659f19280adda37e32d
SHA256 5bed1ab64d7e364fe2786199157d96f9f63f5b412ed096fed73e464502bf0d01
SHA512 56f274e3b0b7d06684da0760fa4e0e59b05b7f520129246745bfdd45cbfabbe66449b8e5b91677c829de760b627f5777d4edab20481b76bf7d8f2b4a1ad6e2ea

C:\Windows\SysWOW64\Ljnnch32.exe

MD5 40c946b3e88363c3f565b569f8ef9bb0
SHA1 221afd00de96e6e3b3f060120cd93caf46aed557
SHA256 940d4a30a6b58b54a22a44e8e264e1cb13d4dd7e2c13589eba539a4f2b165972
SHA512 058c2ef8d56d84ea32ade8b15657d716c378c49302d6605cddef690ffbfb871958d60bcf11a2b97db66ba3f3f65693feff121a84679c25abd14517d299555c8d

C:\Windows\SysWOW64\Mcpebmkb.exe

MD5 7c60c15d957c121958453d85f89abaeb
SHA1 d4a0f040a2e7cfc06c3c322973fea7a97e511e0b
SHA256 114b90aa02c54ca9c5043367538ee1029616b16a82adc3149c0ea8fd98f99d5a
SHA512 a212fae594127d2a02ed9d20c40a7e1d09cd9f8b8a8fc33263b1730ffd2f18b652b9262daa5e631a627d448422bdb1a0b87870410d45f6f27a632291a6d416ce

C:\Windows\SysWOW64\Nklfoi32.exe

MD5 d8daba75deaf20311cc792336a148e45
SHA1 81e6649ff71be92bf13849110bd82fa6658d71af
SHA256 8e402c51b8cb6f5ed5082fc45e5da18087dd8e14c2d49f2dc9389ccb5aa87879
SHA512 baea3ca24a6b058c87ac90d416d5b78c43dbbf7a9f83effaba7acb64e6c15ea10bdfda8a111d479b3b6c6e2b3e73a9daa7bc81c89637adbd4041cb47ee6f61cc

C:\Windows\SysWOW64\Nkncdifl.exe

MD5 9c3b22a84ba684cb8f6cdfb193da0f3d
SHA1 be8ad3d7ccdfc2659a84bd4468b32394a7d4c630
SHA256 4e8173619cab022f808874880a2b741348699eb3a06b4d7a437b642001acdbd5
SHA512 a142c764203c51203a1196be43c56c7bff80c652363fb9438edecac192759aef7b6f9f449dabd039fd2accd35facc94acf5c1cb5bebb811c6b5aef6b2b990d7d

C:\Windows\SysWOW64\Ncihikcg.exe

MD5 36b4dac4bf7531b4e36c21169957b0b8
SHA1 0517418b64e1d5defd03a8d67daa1d6a4005f18c
SHA256 b8a64dc55c676e92b82d452e7c28f8ae0e12f5c25b95f0ed4f806778c5c5337f
SHA512 085ccc086f8749384dbfd9f872df894184f1b93ab3674d829a81852477b41d1a32cec838ccad88dfb564d735be4952c0bcf5fb1156e83c4102fe00c35ef31338

memory/6944-1202-0x0000000000400000-0x0000000000453000-memory.dmp

memory/6752-1215-0x0000000000400000-0x0000000000453000-memory.dmp

memory/6616-1220-0x0000000000400000-0x0000000000453000-memory.dmp

memory/6712-1216-0x0000000000400000-0x0000000000453000-memory.dmp

memory/6396-1212-0x0000000000400000-0x0000000000453000-memory.dmp

memory/5168-1260-0x0000000000400000-0x0000000000453000-memory.dmp

memory/5192-1276-0x0000000000400000-0x0000000000453000-memory.dmp

memory/5980-1314-0x0000000000400000-0x0000000000453000-memory.dmp

memory/5940-1315-0x0000000000400000-0x0000000000453000-memory.dmp

memory/5720-1326-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3888-1368-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2832-1376-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4608-1386-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2820-1445-0x0000000000400000-0x0000000000453000-memory.dmp