Malware Analysis Report

2024-10-16 02:32

Sample ID 240519-a1fjzshb92
Target 37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exe
SHA256 23e660244272a1428b7591bed1c32c7abc634b8bdb8257a0de60a9f9aa03f6d7
Tags
persistence gozi banker isfb trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

23e660244272a1428b7591bed1c32c7abc634b8bdb8257a0de60a9f9aa03f6d7

Threat Level: Known bad

The file 37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

persistence gozi banker isfb trojan

Adds autorun key to be loaded by Explorer.exe on startup

Gozi

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-19 00:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-19 00:40

Reported

2024-05-19 00:43

Platform

win7-20240221-en

Max time kernel

144s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gdamqndn.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fpdhklkl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dnlidb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ejgcdb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Epieghdk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ennaieib.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fbgmbg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hcifgjgc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hicodd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ddcdkl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dnneja32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hlakpp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hodpgjha.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dhjgal32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Epfhbign.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fjgoce32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ghhofmql.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gmjaic32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hlfdkoin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ihoafpmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eeqdep32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Doobajme.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ebgacddo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fhffaj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ffkcbgek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ioijbj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dqelenlc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ecmkghcl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ejgcdb32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eeempocb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hobcak32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dchali32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fphafl32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fdapak32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ecmkghcl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fmhheqje.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fphafl32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fbgmbg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hpkjko32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hpkjko32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hpmgqnfl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dgaqgh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Egdilkbf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ebinic32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fehjeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fpdhklkl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hkkalk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Emcbkn32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fejgko32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fejgko32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gbkgnfbd.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gmgdddmq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Iknnbklc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Egamfkdh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fmlapp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fnpnndgp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Geolea32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hpmgqnfl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hckcmjep.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hnagjbdf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Egdilkbf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eeempocb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fjilieka.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ghhofmql.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Dhjgal32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqelenlc.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhmcfkme.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddcdkl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgaqgh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnlidb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dchali32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnneja32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqlafm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Doobajme.exe N/A
N/A N/A C:\Windows\SysWOW64\Emcbkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecmkghcl.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejgcdb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eeqdep32.exe N/A
N/A N/A C:\Windows\SysWOW64\Emhlfmgj.exe N/A
N/A N/A C:\Windows\SysWOW64\Epfhbign.exe N/A
N/A N/A C:\Windows\SysWOW64\Egamfkdh.exe N/A
N/A N/A C:\Windows\SysWOW64\Epieghdk.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebgacddo.exe N/A
N/A N/A C:\Windows\SysWOW64\Eeempocb.exe N/A
N/A N/A C:\Windows\SysWOW64\Egdilkbf.exe N/A
N/A N/A C:\Windows\SysWOW64\Ennaieib.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebinic32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fehjeo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fhffaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fnpnndgp.exe N/A
N/A N/A C:\Windows\SysWOW64\Fejgko32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffkcbgek.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjgoce32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fpdhklkl.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjilieka.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmhheqje.exe N/A
N/A N/A C:\Windows\SysWOW64\Fdapak32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffpmnf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fphafl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbgmbg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffbicfoc.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmlapp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Globlmmj.exe N/A
N/A N/A C:\Windows\SysWOW64\Gonnhhln.exe N/A
N/A N/A C:\Windows\SysWOW64\Gegfdb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gbkgnfbd.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghhofmql.exe N/A
N/A N/A C:\Windows\SysWOW64\Gobgcg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gaqcoc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghkllmoi.exe N/A
N/A N/A C:\Windows\SysWOW64\Gkihhhnm.exe N/A
N/A N/A C:\Windows\SysWOW64\Gmgdddmq.exe N/A
N/A N/A C:\Windows\SysWOW64\Geolea32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gdamqndn.exe N/A
N/A N/A C:\Windows\SysWOW64\Gkkemh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gmjaic32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghoegl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hknach32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hiqbndpb.exe N/A
N/A N/A C:\Windows\SysWOW64\Hahjpbad.exe N/A
N/A N/A C:\Windows\SysWOW64\Hpkjko32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hcifgjgc.exe N/A
N/A N/A C:\Windows\SysWOW64\Hicodd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hlakpp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hpmgqnfl.exe N/A
N/A N/A C:\Windows\SysWOW64\Hckcmjep.exe N/A
N/A N/A C:\Windows\SysWOW64\Hggomh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hejoiedd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhjgal32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhjgal32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqelenlc.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqelenlc.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhmcfkme.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhmcfkme.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddcdkl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddcdkl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgaqgh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgaqgh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnlidb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnlidb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dchali32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dchali32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnneja32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnneja32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqlafm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqlafm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Doobajme.exe N/A
N/A N/A C:\Windows\SysWOW64\Doobajme.exe N/A
N/A N/A C:\Windows\SysWOW64\Emcbkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Emcbkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecmkghcl.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecmkghcl.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejgcdb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejgcdb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eeqdep32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eeqdep32.exe N/A
N/A N/A C:\Windows\SysWOW64\Emhlfmgj.exe N/A
N/A N/A C:\Windows\SysWOW64\Emhlfmgj.exe N/A
N/A N/A C:\Windows\SysWOW64\Epfhbign.exe N/A
N/A N/A C:\Windows\SysWOW64\Epfhbign.exe N/A
N/A N/A C:\Windows\SysWOW64\Egamfkdh.exe N/A
N/A N/A C:\Windows\SysWOW64\Egamfkdh.exe N/A
N/A N/A C:\Windows\SysWOW64\Epieghdk.exe N/A
N/A N/A C:\Windows\SysWOW64\Epieghdk.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebgacddo.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebgacddo.exe N/A
N/A N/A C:\Windows\SysWOW64\Eeempocb.exe N/A
N/A N/A C:\Windows\SysWOW64\Eeempocb.exe N/A
N/A N/A C:\Windows\SysWOW64\Egdilkbf.exe N/A
N/A N/A C:\Windows\SysWOW64\Egdilkbf.exe N/A
N/A N/A C:\Windows\SysWOW64\Ennaieib.exe N/A
N/A N/A C:\Windows\SysWOW64\Ennaieib.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebinic32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebinic32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fehjeo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fehjeo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fhffaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fhffaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fnpnndgp.exe N/A
N/A N/A C:\Windows\SysWOW64\Fnpnndgp.exe N/A
N/A N/A C:\Windows\SysWOW64\Fejgko32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fejgko32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffkcbgek.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffkcbgek.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjgoce32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjgoce32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fpdhklkl.exe N/A
N/A N/A C:\Windows\SysWOW64\Fpdhklkl.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjilieka.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjilieka.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Dchali32.exe C:\Windows\SysWOW64\Dnlidb32.exe N/A
File created C:\Windows\SysWOW64\Eeempocb.exe C:\Windows\SysWOW64\Ebgacddo.exe N/A
File opened for modification C:\Windows\SysWOW64\Fnpnndgp.exe C:\Windows\SysWOW64\Fhffaj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Iagfoe32.exe C:\Windows\SysWOW64\Ioijbj32.exe N/A
File created C:\Windows\SysWOW64\Epieghdk.exe C:\Windows\SysWOW64\Egamfkdh.exe N/A
File created C:\Windows\SysWOW64\Gbkgnfbd.exe C:\Windows\SysWOW64\Gegfdb32.exe N/A
File created C:\Windows\SysWOW64\Chhpdp32.dll C:\Windows\SysWOW64\Ghhofmql.exe N/A
File created C:\Windows\SysWOW64\Jpajnpao.dll C:\Windows\SysWOW64\Ghoegl32.exe N/A
File created C:\Windows\SysWOW64\Iknnbklc.exe C:\Windows\SysWOW64\Ihoafpmp.exe N/A
File opened for modification C:\Windows\SysWOW64\Iknnbklc.exe C:\Windows\SysWOW64\Ihoafpmp.exe N/A
File created C:\Windows\SysWOW64\Iagfoe32.exe C:\Windows\SysWOW64\Ioijbj32.exe N/A
File created C:\Windows\SysWOW64\Ndkakief.dll C:\Windows\SysWOW64\Ejgcdb32.exe N/A
File created C:\Windows\SysWOW64\Jbelkc32.dll C:\Windows\SysWOW64\Ffpmnf32.exe N/A
File created C:\Windows\SysWOW64\Ipjchc32.dll C:\Windows\SysWOW64\Fbgmbg32.exe N/A
File created C:\Windows\SysWOW64\Bhpdae32.dll C:\Windows\SysWOW64\Hckcmjep.exe N/A
File opened for modification C:\Windows\SysWOW64\Ghkllmoi.exe C:\Windows\SysWOW64\Gaqcoc32.exe N/A
File created C:\Windows\SysWOW64\Gmgdddmq.exe C:\Windows\SysWOW64\Gkihhhnm.exe N/A
File created C:\Windows\SysWOW64\Gkkemh32.exe C:\Windows\SysWOW64\Gdamqndn.exe N/A
File created C:\Windows\SysWOW64\Alogkm32.dll C:\Windows\SysWOW64\Hodpgjha.exe N/A
File created C:\Windows\SysWOW64\Fglhobmg.dll C:\Windows\SysWOW64\Dhjgal32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dgaqgh32.exe C:\Windows\SysWOW64\Ddcdkl32.exe N/A
File created C:\Windows\SysWOW64\Bcqgok32.dll C:\Windows\SysWOW64\Ffbicfoc.exe N/A
File created C:\Windows\SysWOW64\Ocjcidbb.dll C:\Windows\SysWOW64\Gonnhhln.exe N/A
File created C:\Windows\SysWOW64\Hgpdcgoc.dll C:\Windows\SysWOW64\Hlakpp32.exe N/A
File created C:\Windows\SysWOW64\Hhmepp32.exe C:\Windows\SysWOW64\Hjjddchg.exe N/A
File opened for modification C:\Windows\SysWOW64\Ioijbj32.exe C:\Windows\SysWOW64\Iknnbklc.exe N/A
File created C:\Windows\SysWOW64\Dhmcfkme.exe C:\Windows\SysWOW64\Dqelenlc.exe N/A
File created C:\Windows\SysWOW64\Gaqcoc32.exe C:\Windows\SysWOW64\Gobgcg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hlfdkoin.exe C:\Windows\SysWOW64\Hjhhocjj.exe N/A
File created C:\Windows\SysWOW64\Hgmhlp32.dll C:\Windows\SysWOW64\Ddcdkl32.exe N/A
File created C:\Windows\SysWOW64\Jfpjfeia.dll C:\Windows\SysWOW64\Dnneja32.exe N/A
File created C:\Windows\SysWOW64\Hckcmjep.exe C:\Windows\SysWOW64\Hpmgqnfl.exe N/A
File created C:\Windows\SysWOW64\Eqpofkjo.dll C:\Windows\SysWOW64\Ihoafpmp.exe N/A
File created C:\Windows\SysWOW64\Hfbenjka.dll C:\Users\Admin\AppData\Local\Temp\37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Fenhecef.dll C:\Windows\SysWOW64\Hgilchkf.exe N/A
File created C:\Windows\SysWOW64\Nfmjcmjd.dll C:\Windows\SysWOW64\Iaeiieeb.exe N/A
File opened for modification C:\Windows\SysWOW64\Eeempocb.exe C:\Windows\SysWOW64\Ebgacddo.exe N/A
File opened for modification C:\Windows\SysWOW64\Geolea32.exe C:\Windows\SysWOW64\Gmgdddmq.exe N/A
File opened for modification C:\Windows\SysWOW64\Hcifgjgc.exe C:\Windows\SysWOW64\Hpkjko32.exe N/A
File created C:\Windows\SysWOW64\Nokeef32.dll C:\Windows\SysWOW64\Hnagjbdf.exe N/A
File created C:\Windows\SysWOW64\Fbgmbg32.exe C:\Windows\SysWOW64\Fphafl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gegfdb32.exe C:\Windows\SysWOW64\Gonnhhln.exe N/A
File opened for modification C:\Windows\SysWOW64\Gkihhhnm.exe C:\Windows\SysWOW64\Ghkllmoi.exe N/A
File created C:\Windows\SysWOW64\Jondlhmp.dll C:\Windows\SysWOW64\Geolea32.exe N/A
File created C:\Windows\SysWOW64\Eeqdep32.exe C:\Windows\SysWOW64\Ejgcdb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Emhlfmgj.exe C:\Windows\SysWOW64\Eeqdep32.exe N/A
File opened for modification C:\Windows\SysWOW64\Egdilkbf.exe C:\Windows\SysWOW64\Eeempocb.exe N/A
File created C:\Windows\SysWOW64\Jmloladn.dll C:\Windows\SysWOW64\Fhffaj32.exe N/A
File created C:\Windows\SysWOW64\Hicodd32.exe C:\Windows\SysWOW64\Hcifgjgc.exe N/A
File opened for modification C:\Windows\SysWOW64\Hhmepp32.exe C:\Windows\SysWOW64\Hjjddchg.exe N/A
File created C:\Windows\SysWOW64\Hepmggig.dll C:\Windows\SysWOW64\Hggomh32.exe N/A
File created C:\Windows\SysWOW64\Hkkalk32.exe C:\Windows\SysWOW64\Hhmepp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Doobajme.exe C:\Windows\SysWOW64\Dqlafm32.exe N/A
File created C:\Windows\SysWOW64\Fjilieka.exe C:\Windows\SysWOW64\Fpdhklkl.exe N/A
File created C:\Windows\SysWOW64\Fndldonj.dll C:\Windows\SysWOW64\Gobgcg32.exe N/A
File created C:\Windows\SysWOW64\Gdamqndn.exe C:\Windows\SysWOW64\Geolea32.exe N/A
File created C:\Windows\SysWOW64\Kcaipkch.dll C:\Windows\SysWOW64\Gdamqndn.exe N/A
File created C:\Windows\SysWOW64\Nobdlg32.dll C:\Windows\SysWOW64\Dnlidb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Epieghdk.exe C:\Windows\SysWOW64\Egamfkdh.exe N/A
File opened for modification C:\Windows\SysWOW64\Fphafl32.exe C:\Windows\SysWOW64\Ffpmnf32.exe N/A
File created C:\Windows\SysWOW64\Ahpjhc32.dll C:\Windows\SysWOW64\Gbkgnfbd.exe N/A
File created C:\Windows\SysWOW64\Anllbdkl.dll C:\Windows\SysWOW64\Hicodd32.exe N/A
File created C:\Windows\SysWOW64\Iaeiieeb.exe C:\Windows\SysWOW64\Hkkalk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ieqeidnl.exe C:\Windows\SysWOW64\Iaeiieeb.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gbkgnfbd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpekfank.dll" C:\Windows\SysWOW64\Gmjaic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhaablp.dll" C:\Windows\SysWOW64\Hjjddchg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clnlnhop.dll" C:\Windows\SysWOW64\Epieghdk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njqaac32.dll" C:\Windows\SysWOW64\Ecmkghcl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anllbdkl.dll" C:\Windows\SysWOW64\Hicodd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hobcak32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dqelenlc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Epieghdk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Eeempocb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gmgdddmq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ejgcdb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fnpnndgp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fphafl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fmlapp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fmlapp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hhmepp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ejgcdb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dgaqgh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ffbicfoc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hjhhocjj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dhmcfkme.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fjgoce32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhpdae32.dll" C:\Windows\SysWOW64\Hckcmjep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmibbifn.dll" C:\Windows\SysWOW64\Hkkalk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dnlidb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dchali32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fejgko32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hlakpp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hgilchkf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hhmepp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dgaqgh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fjgoce32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jondlhmp.dll" C:\Windows\SysWOW64\Geolea32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fealjk32.dll" C:\Windows\SysWOW64\Hpkjko32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alogkm32.dll" C:\Windows\SysWOW64\Hodpgjha.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Egdilkbf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fndldonj.dll" C:\Windows\SysWOW64\Gobgcg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ebinic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hcnpbi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpdcgoc.dll" C:\Windows\SysWOW64\Hlakpp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hckcmjep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hjhhocjj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ebgacddo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ennaieib.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pinfim32.dll" C:\Windows\SysWOW64\Ennaieib.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ebinic32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Iaeiieeb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ebgacddo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeccgbbh.dll" C:\Windows\SysWOW64\Fjilieka.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cillgpen.dll" C:\Windows\SysWOW64\Dqlafm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkkmeglp.dll" C:\Windows\SysWOW64\Hcifgjgc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chhpdp32.dll" C:\Windows\SysWOW64\Ghhofmql.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Emcbkn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aimkgn32.dll" C:\Windows\SysWOW64\Gkkemh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dqelenlc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Iknnbklc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codpklfq.dll" C:\Windows\SysWOW64\Hahjpbad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lonkjenl.dll" C:\Windows\SysWOW64\Ebgacddo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fdapak32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ffbicfoc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocjcidbb.dll" C:\Windows\SysWOW64\Gonnhhln.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ioijbj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hecjkifm.dll" C:\Windows\SysWOW64\Dgaqgh32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2000 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exe C:\Windows\SysWOW64\Dhjgal32.exe
PID 2000 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exe C:\Windows\SysWOW64\Dhjgal32.exe
PID 2000 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exe C:\Windows\SysWOW64\Dhjgal32.exe
PID 2000 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exe C:\Windows\SysWOW64\Dhjgal32.exe
PID 2824 wrote to memory of 2512 N/A C:\Windows\SysWOW64\Dhjgal32.exe C:\Windows\SysWOW64\Dqelenlc.exe
PID 2824 wrote to memory of 2512 N/A C:\Windows\SysWOW64\Dhjgal32.exe C:\Windows\SysWOW64\Dqelenlc.exe
PID 2824 wrote to memory of 2512 N/A C:\Windows\SysWOW64\Dhjgal32.exe C:\Windows\SysWOW64\Dqelenlc.exe
PID 2824 wrote to memory of 2512 N/A C:\Windows\SysWOW64\Dhjgal32.exe C:\Windows\SysWOW64\Dqelenlc.exe
PID 2512 wrote to memory of 2520 N/A C:\Windows\SysWOW64\Dqelenlc.exe C:\Windows\SysWOW64\Dhmcfkme.exe
PID 2512 wrote to memory of 2520 N/A C:\Windows\SysWOW64\Dqelenlc.exe C:\Windows\SysWOW64\Dhmcfkme.exe
PID 2512 wrote to memory of 2520 N/A C:\Windows\SysWOW64\Dqelenlc.exe C:\Windows\SysWOW64\Dhmcfkme.exe
PID 2512 wrote to memory of 2520 N/A C:\Windows\SysWOW64\Dqelenlc.exe C:\Windows\SysWOW64\Dhmcfkme.exe
PID 2520 wrote to memory of 2484 N/A C:\Windows\SysWOW64\Dhmcfkme.exe C:\Windows\SysWOW64\Ddcdkl32.exe
PID 2520 wrote to memory of 2484 N/A C:\Windows\SysWOW64\Dhmcfkme.exe C:\Windows\SysWOW64\Ddcdkl32.exe
PID 2520 wrote to memory of 2484 N/A C:\Windows\SysWOW64\Dhmcfkme.exe C:\Windows\SysWOW64\Ddcdkl32.exe
PID 2520 wrote to memory of 2484 N/A C:\Windows\SysWOW64\Dhmcfkme.exe C:\Windows\SysWOW64\Ddcdkl32.exe
PID 2484 wrote to memory of 2532 N/A C:\Windows\SysWOW64\Ddcdkl32.exe C:\Windows\SysWOW64\Dgaqgh32.exe
PID 2484 wrote to memory of 2532 N/A C:\Windows\SysWOW64\Ddcdkl32.exe C:\Windows\SysWOW64\Dgaqgh32.exe
PID 2484 wrote to memory of 2532 N/A C:\Windows\SysWOW64\Ddcdkl32.exe C:\Windows\SysWOW64\Dgaqgh32.exe
PID 2484 wrote to memory of 2532 N/A C:\Windows\SysWOW64\Ddcdkl32.exe C:\Windows\SysWOW64\Dgaqgh32.exe
PID 2532 wrote to memory of 2420 N/A C:\Windows\SysWOW64\Dgaqgh32.exe C:\Windows\SysWOW64\Dnlidb32.exe
PID 2532 wrote to memory of 2420 N/A C:\Windows\SysWOW64\Dgaqgh32.exe C:\Windows\SysWOW64\Dnlidb32.exe
PID 2532 wrote to memory of 2420 N/A C:\Windows\SysWOW64\Dgaqgh32.exe C:\Windows\SysWOW64\Dnlidb32.exe
PID 2532 wrote to memory of 2420 N/A C:\Windows\SysWOW64\Dgaqgh32.exe C:\Windows\SysWOW64\Dnlidb32.exe
PID 2420 wrote to memory of 1688 N/A C:\Windows\SysWOW64\Dnlidb32.exe C:\Windows\SysWOW64\Dchali32.exe
PID 2420 wrote to memory of 1688 N/A C:\Windows\SysWOW64\Dnlidb32.exe C:\Windows\SysWOW64\Dchali32.exe
PID 2420 wrote to memory of 1688 N/A C:\Windows\SysWOW64\Dnlidb32.exe C:\Windows\SysWOW64\Dchali32.exe
PID 2420 wrote to memory of 1688 N/A C:\Windows\SysWOW64\Dnlidb32.exe C:\Windows\SysWOW64\Dchali32.exe
PID 1688 wrote to memory of 864 N/A C:\Windows\SysWOW64\Dchali32.exe C:\Windows\SysWOW64\Dnneja32.exe
PID 1688 wrote to memory of 864 N/A C:\Windows\SysWOW64\Dchali32.exe C:\Windows\SysWOW64\Dnneja32.exe
PID 1688 wrote to memory of 864 N/A C:\Windows\SysWOW64\Dchali32.exe C:\Windows\SysWOW64\Dnneja32.exe
PID 1688 wrote to memory of 864 N/A C:\Windows\SysWOW64\Dchali32.exe C:\Windows\SysWOW64\Dnneja32.exe
PID 864 wrote to memory of 2660 N/A C:\Windows\SysWOW64\Dnneja32.exe C:\Windows\SysWOW64\Dqlafm32.exe
PID 864 wrote to memory of 2660 N/A C:\Windows\SysWOW64\Dnneja32.exe C:\Windows\SysWOW64\Dqlafm32.exe
PID 864 wrote to memory of 2660 N/A C:\Windows\SysWOW64\Dnneja32.exe C:\Windows\SysWOW64\Dqlafm32.exe
PID 864 wrote to memory of 2660 N/A C:\Windows\SysWOW64\Dnneja32.exe C:\Windows\SysWOW64\Dqlafm32.exe
PID 2660 wrote to memory of 1516 N/A C:\Windows\SysWOW64\Dqlafm32.exe C:\Windows\SysWOW64\Doobajme.exe
PID 2660 wrote to memory of 1516 N/A C:\Windows\SysWOW64\Dqlafm32.exe C:\Windows\SysWOW64\Doobajme.exe
PID 2660 wrote to memory of 1516 N/A C:\Windows\SysWOW64\Dqlafm32.exe C:\Windows\SysWOW64\Doobajme.exe
PID 2660 wrote to memory of 1516 N/A C:\Windows\SysWOW64\Dqlafm32.exe C:\Windows\SysWOW64\Doobajme.exe
PID 1516 wrote to memory of 1228 N/A C:\Windows\SysWOW64\Doobajme.exe C:\Windows\SysWOW64\Emcbkn32.exe
PID 1516 wrote to memory of 1228 N/A C:\Windows\SysWOW64\Doobajme.exe C:\Windows\SysWOW64\Emcbkn32.exe
PID 1516 wrote to memory of 1228 N/A C:\Windows\SysWOW64\Doobajme.exe C:\Windows\SysWOW64\Emcbkn32.exe
PID 1516 wrote to memory of 1228 N/A C:\Windows\SysWOW64\Doobajme.exe C:\Windows\SysWOW64\Emcbkn32.exe
PID 1228 wrote to memory of 2128 N/A C:\Windows\SysWOW64\Emcbkn32.exe C:\Windows\SysWOW64\Ecmkghcl.exe
PID 1228 wrote to memory of 2128 N/A C:\Windows\SysWOW64\Emcbkn32.exe C:\Windows\SysWOW64\Ecmkghcl.exe
PID 1228 wrote to memory of 2128 N/A C:\Windows\SysWOW64\Emcbkn32.exe C:\Windows\SysWOW64\Ecmkghcl.exe
PID 1228 wrote to memory of 2128 N/A C:\Windows\SysWOW64\Emcbkn32.exe C:\Windows\SysWOW64\Ecmkghcl.exe
PID 2128 wrote to memory of 296 N/A C:\Windows\SysWOW64\Ecmkghcl.exe C:\Windows\SysWOW64\Ejgcdb32.exe
PID 2128 wrote to memory of 296 N/A C:\Windows\SysWOW64\Ecmkghcl.exe C:\Windows\SysWOW64\Ejgcdb32.exe
PID 2128 wrote to memory of 296 N/A C:\Windows\SysWOW64\Ecmkghcl.exe C:\Windows\SysWOW64\Ejgcdb32.exe
PID 2128 wrote to memory of 296 N/A C:\Windows\SysWOW64\Ecmkghcl.exe C:\Windows\SysWOW64\Ejgcdb32.exe
PID 296 wrote to memory of 2016 N/A C:\Windows\SysWOW64\Ejgcdb32.exe C:\Windows\SysWOW64\Eeqdep32.exe
PID 296 wrote to memory of 2016 N/A C:\Windows\SysWOW64\Ejgcdb32.exe C:\Windows\SysWOW64\Eeqdep32.exe
PID 296 wrote to memory of 2016 N/A C:\Windows\SysWOW64\Ejgcdb32.exe C:\Windows\SysWOW64\Eeqdep32.exe
PID 296 wrote to memory of 2016 N/A C:\Windows\SysWOW64\Ejgcdb32.exe C:\Windows\SysWOW64\Eeqdep32.exe
PID 2016 wrote to memory of 3020 N/A C:\Windows\SysWOW64\Eeqdep32.exe C:\Windows\SysWOW64\Emhlfmgj.exe
PID 2016 wrote to memory of 3020 N/A C:\Windows\SysWOW64\Eeqdep32.exe C:\Windows\SysWOW64\Emhlfmgj.exe
PID 2016 wrote to memory of 3020 N/A C:\Windows\SysWOW64\Eeqdep32.exe C:\Windows\SysWOW64\Emhlfmgj.exe
PID 2016 wrote to memory of 3020 N/A C:\Windows\SysWOW64\Eeqdep32.exe C:\Windows\SysWOW64\Emhlfmgj.exe
PID 3020 wrote to memory of 1084 N/A C:\Windows\SysWOW64\Emhlfmgj.exe C:\Windows\SysWOW64\Epfhbign.exe
PID 3020 wrote to memory of 1084 N/A C:\Windows\SysWOW64\Emhlfmgj.exe C:\Windows\SysWOW64\Epfhbign.exe
PID 3020 wrote to memory of 1084 N/A C:\Windows\SysWOW64\Emhlfmgj.exe C:\Windows\SysWOW64\Epfhbign.exe
PID 3020 wrote to memory of 1084 N/A C:\Windows\SysWOW64\Emhlfmgj.exe C:\Windows\SysWOW64\Epfhbign.exe

Processes

C:\Users\Admin\AppData\Local\Temp\37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Dhjgal32.exe

C:\Windows\system32\Dhjgal32.exe

C:\Windows\SysWOW64\Dqelenlc.exe

C:\Windows\system32\Dqelenlc.exe

C:\Windows\SysWOW64\Dhmcfkme.exe

C:\Windows\system32\Dhmcfkme.exe

C:\Windows\SysWOW64\Ddcdkl32.exe

C:\Windows\system32\Ddcdkl32.exe

C:\Windows\SysWOW64\Dgaqgh32.exe

C:\Windows\system32\Dgaqgh32.exe

C:\Windows\SysWOW64\Dnlidb32.exe

C:\Windows\system32\Dnlidb32.exe

C:\Windows\SysWOW64\Dchali32.exe

C:\Windows\system32\Dchali32.exe

C:\Windows\SysWOW64\Dnneja32.exe

C:\Windows\system32\Dnneja32.exe

C:\Windows\SysWOW64\Dqlafm32.exe

C:\Windows\system32\Dqlafm32.exe

C:\Windows\SysWOW64\Doobajme.exe

C:\Windows\system32\Doobajme.exe

C:\Windows\SysWOW64\Emcbkn32.exe

C:\Windows\system32\Emcbkn32.exe

C:\Windows\SysWOW64\Ecmkghcl.exe

C:\Windows\system32\Ecmkghcl.exe

C:\Windows\SysWOW64\Ejgcdb32.exe

C:\Windows\system32\Ejgcdb32.exe

C:\Windows\SysWOW64\Eeqdep32.exe

C:\Windows\system32\Eeqdep32.exe

C:\Windows\SysWOW64\Emhlfmgj.exe

C:\Windows\system32\Emhlfmgj.exe

C:\Windows\SysWOW64\Epfhbign.exe

C:\Windows\system32\Epfhbign.exe

C:\Windows\SysWOW64\Egamfkdh.exe

C:\Windows\system32\Egamfkdh.exe

C:\Windows\SysWOW64\Epieghdk.exe

C:\Windows\system32\Epieghdk.exe

C:\Windows\SysWOW64\Ebgacddo.exe

C:\Windows\system32\Ebgacddo.exe

C:\Windows\SysWOW64\Eeempocb.exe

C:\Windows\system32\Eeempocb.exe

C:\Windows\SysWOW64\Egdilkbf.exe

C:\Windows\system32\Egdilkbf.exe

C:\Windows\SysWOW64\Ennaieib.exe

C:\Windows\system32\Ennaieib.exe

C:\Windows\SysWOW64\Ebinic32.exe

C:\Windows\system32\Ebinic32.exe

C:\Windows\SysWOW64\Fehjeo32.exe

C:\Windows\system32\Fehjeo32.exe

C:\Windows\SysWOW64\Fhffaj32.exe

C:\Windows\system32\Fhffaj32.exe

C:\Windows\SysWOW64\Fnpnndgp.exe

C:\Windows\system32\Fnpnndgp.exe

C:\Windows\SysWOW64\Fejgko32.exe

C:\Windows\system32\Fejgko32.exe

C:\Windows\SysWOW64\Ffkcbgek.exe

C:\Windows\system32\Ffkcbgek.exe

C:\Windows\SysWOW64\Fjgoce32.exe

C:\Windows\system32\Fjgoce32.exe

C:\Windows\SysWOW64\Fpdhklkl.exe

C:\Windows\system32\Fpdhklkl.exe

C:\Windows\SysWOW64\Fjilieka.exe

C:\Windows\system32\Fjilieka.exe

C:\Windows\SysWOW64\Fmhheqje.exe

C:\Windows\system32\Fmhheqje.exe

C:\Windows\SysWOW64\Fdapak32.exe

C:\Windows\system32\Fdapak32.exe

C:\Windows\SysWOW64\Ffpmnf32.exe

C:\Windows\system32\Ffpmnf32.exe

C:\Windows\SysWOW64\Fphafl32.exe

C:\Windows\system32\Fphafl32.exe

C:\Windows\SysWOW64\Fbgmbg32.exe

C:\Windows\system32\Fbgmbg32.exe

C:\Windows\SysWOW64\Ffbicfoc.exe

C:\Windows\system32\Ffbicfoc.exe

C:\Windows\SysWOW64\Fmlapp32.exe

C:\Windows\system32\Fmlapp32.exe

C:\Windows\SysWOW64\Globlmmj.exe

C:\Windows\system32\Globlmmj.exe

C:\Windows\SysWOW64\Gonnhhln.exe

C:\Windows\system32\Gonnhhln.exe

C:\Windows\SysWOW64\Gegfdb32.exe

C:\Windows\system32\Gegfdb32.exe

C:\Windows\SysWOW64\Gbkgnfbd.exe

C:\Windows\system32\Gbkgnfbd.exe

C:\Windows\SysWOW64\Ghhofmql.exe

C:\Windows\system32\Ghhofmql.exe

C:\Windows\SysWOW64\Gobgcg32.exe

C:\Windows\system32\Gobgcg32.exe

C:\Windows\SysWOW64\Gaqcoc32.exe

C:\Windows\system32\Gaqcoc32.exe

C:\Windows\SysWOW64\Ghkllmoi.exe

C:\Windows\system32\Ghkllmoi.exe

C:\Windows\SysWOW64\Gkihhhnm.exe

C:\Windows\system32\Gkihhhnm.exe

C:\Windows\SysWOW64\Gmgdddmq.exe

C:\Windows\system32\Gmgdddmq.exe

C:\Windows\SysWOW64\Geolea32.exe

C:\Windows\system32\Geolea32.exe

C:\Windows\SysWOW64\Gdamqndn.exe

C:\Windows\system32\Gdamqndn.exe

C:\Windows\SysWOW64\Gkkemh32.exe

C:\Windows\system32\Gkkemh32.exe

C:\Windows\SysWOW64\Gmjaic32.exe

C:\Windows\system32\Gmjaic32.exe

C:\Windows\SysWOW64\Ghoegl32.exe

C:\Windows\system32\Ghoegl32.exe

C:\Windows\SysWOW64\Hknach32.exe

C:\Windows\system32\Hknach32.exe

C:\Windows\SysWOW64\Hiqbndpb.exe

C:\Windows\system32\Hiqbndpb.exe

C:\Windows\SysWOW64\Hahjpbad.exe

C:\Windows\system32\Hahjpbad.exe

C:\Windows\SysWOW64\Hpkjko32.exe

C:\Windows\system32\Hpkjko32.exe

C:\Windows\SysWOW64\Hcifgjgc.exe

C:\Windows\system32\Hcifgjgc.exe

C:\Windows\SysWOW64\Hicodd32.exe

C:\Windows\system32\Hicodd32.exe

C:\Windows\SysWOW64\Hlakpp32.exe

C:\Windows\system32\Hlakpp32.exe

C:\Windows\SysWOW64\Hpmgqnfl.exe

C:\Windows\system32\Hpmgqnfl.exe

C:\Windows\SysWOW64\Hckcmjep.exe

C:\Windows\system32\Hckcmjep.exe

C:\Windows\SysWOW64\Hggomh32.exe

C:\Windows\system32\Hggomh32.exe

C:\Windows\SysWOW64\Hejoiedd.exe

C:\Windows\system32\Hejoiedd.exe

C:\Windows\SysWOW64\Hnagjbdf.exe

C:\Windows\system32\Hnagjbdf.exe

C:\Windows\SysWOW64\Hobcak32.exe

C:\Windows\system32\Hobcak32.exe

C:\Windows\SysWOW64\Hcnpbi32.exe

C:\Windows\system32\Hcnpbi32.exe

C:\Windows\SysWOW64\Hgilchkf.exe

C:\Windows\system32\Hgilchkf.exe

C:\Windows\SysWOW64\Hjhhocjj.exe

C:\Windows\system32\Hjhhocjj.exe

C:\Windows\SysWOW64\Hlfdkoin.exe

C:\Windows\system32\Hlfdkoin.exe

C:\Windows\SysWOW64\Hodpgjha.exe

C:\Windows\system32\Hodpgjha.exe

C:\Windows\SysWOW64\Hacmcfge.exe

C:\Windows\system32\Hacmcfge.exe

C:\Windows\SysWOW64\Hjjddchg.exe

C:\Windows\system32\Hjjddchg.exe

C:\Windows\SysWOW64\Hhmepp32.exe

C:\Windows\system32\Hhmepp32.exe

C:\Windows\SysWOW64\Hkkalk32.exe

C:\Windows\system32\Hkkalk32.exe

C:\Windows\SysWOW64\Iaeiieeb.exe

C:\Windows\system32\Iaeiieeb.exe

C:\Windows\SysWOW64\Ieqeidnl.exe

C:\Windows\system32\Ieqeidnl.exe

C:\Windows\SysWOW64\Ihoafpmp.exe

C:\Windows\system32\Ihoafpmp.exe

C:\Windows\SysWOW64\Iknnbklc.exe

C:\Windows\system32\Iknnbklc.exe

C:\Windows\SysWOW64\Ioijbj32.exe

C:\Windows\system32\Ioijbj32.exe

C:\Windows\SysWOW64\Iagfoe32.exe

C:\Windows\system32\Iagfoe32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 140

Network

N/A

Files

memory/2000-0-0x0000000000400000-0x0000000000453000-memory.dmp

\Windows\SysWOW64\Dhjgal32.exe

MD5 a800b09c1166121918b72f2ad2899025
SHA1 c8c30938678af6ff6bb3e2840e52826bc4684d8e
SHA256 e1c1a567a8e81c6d2c312f6b037dd7266596fa86ee25b0a73883cd9ba1b66f5e
SHA512 c31e76c4ea6f1ecceb6d43a96871dc0e4a73f84afe67a05743cc1dac313595afe4425cbd6769ca8f022a7213755a0a818a989f63165ad8b7609ec24c70e91d99

memory/2000-6-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/2824-14-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2000-13-0x0000000000250000-0x00000000002A3000-memory.dmp

\Windows\SysWOW64\Dqelenlc.exe

MD5 4d379fbab98d9725ea9a0e563fde4673
SHA1 0d09042dcfdee1ab90dfb091f66b2b00743bf4cf
SHA256 84a8eeb871b4c2ddbe3bcfe410887a41d7546662b0babf30e50aa982626daf9b
SHA512 a779af5c0df67823dcb22136cc47b12d8836443026010b1e12e3c72d44c880458670004a2a21e3ff6ad9a0554ebabe1816a866ce871615bac6627445955e19bf

memory/2520-40-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Dhmcfkme.exe

MD5 c8d1a5ebc1a5abc4ac45e77dd113ac8b
SHA1 a34cd4475dae0273d5b20c6f668f1b3dfe7e2390
SHA256 9e50c08d1e79fff4295e8218aa0e06e16c348b31d7ab79bc68e9b96727f3394a
SHA512 a86d9198cb1246d2b589735fc7d5200fe3c3783c7fc1ddbb75fd7b655fd193e2a1572d2ae0ae5a5e26b266174cc2af97a429257a5358b10252c7237a56da3354

memory/2512-34-0x0000000000400000-0x0000000000453000-memory.dmp

\Windows\SysWOW64\Ddcdkl32.exe

MD5 0eb90bc9a2f8a6cc0df89b24a1777e9d
SHA1 5d8fc2297149e83e42bbd92f139c5ea126841d9b
SHA256 26fc6bc7c4098516ffe6a3bccbb42f32052da7fa29eabad265ced6f948140bd3
SHA512 de8123b7ba3678f692d0b83c217ce7dcb11ee4880663da92370cc308ffb4eab44699fa1df2ef8f7725751250ae46274c7fe2ddc623e63eb1624b668ed83a6928

memory/2484-53-0x0000000000400000-0x0000000000453000-memory.dmp

\Windows\SysWOW64\Dgaqgh32.exe

MD5 c19f2b835469fcb91e8a42814c24a0f5
SHA1 45c827042508d2392dcc98d67a5244d94deeb477
SHA256 e1b0d28db9b18e644b360a7bccd6546cfb013ca9e69961a91b49fb9e55740c12
SHA512 c34ebfdbfff25c7ada825cfc36c61bcf7ea9e960ede85e4d848d15b8b055a4eb937c5f1ffe2a6b33cb44e088ebf9e4185767309402bb20b5929248871d643514

memory/2484-66-0x0000000000290000-0x00000000002E3000-memory.dmp

C:\Windows\SysWOW64\Dnlidb32.exe

MD5 8e8c2e77de6afd719a04e5536adb886e
SHA1 859142a2d5f44e9416214ef511ff0e75df66920d
SHA256 17f55b54a5a99c6c8d9003933892e3441d2de4c8c0d2825d81322468842ba596
SHA512 464457867fa99dc834c805af427e53a89613cb5539b619aa49700a8ddf8e97e38e333bbf02c07fb068e948df76e97768423e87c12bc3cfc9649031c4afd4f50f

memory/2420-80-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Dchali32.exe

MD5 fb871f4e18e3213665a4c1783fdeb9b9
SHA1 f2bed9341c11ab2029e4f9c3d6801beeed67748c
SHA256 4127637fa1f6f52ecc3c346c136a3032284a920a8f28b289f41e149612c23c9c
SHA512 d132a36b7e4f64f7e552d1aef0a5c651ac957865dd7b5d1d18af1ac27a06fdd5cfcace8ca1879928c9cd9d5695514259484943518373cbb2954b83bc3d46c474

C:\Windows\SysWOW64\Dnneja32.exe

MD5 9718f184c41038243434ed038a9586cd
SHA1 e19ca633f6a6d8cc999f79899cdda9d8841e674b
SHA256 97e1ca5d03495a1d492dd55d56e439046d7cde5c18c0ed98f8d8dd272bb4aded
SHA512 0cd7cb134af282762508e5da1f9fbc94a62fd371e838f5d408ee4adcfc14648984ef5b86b1b0624d4f3246e53ddcd5fcd976ca8b3de321e2796e3be487fad758

C:\Windows\SysWOW64\Dqlafm32.exe

MD5 0e2538afdf2f0978142abc0c452dc7bf
SHA1 74d74a8b9ce2dbb53761b8ff3087c2760f2df8e7
SHA256 fc1ed04d3f69c200c051d682d8c3251ab949c12df25a96adae5c72d88b312768
SHA512 da74468d13615cc1c8a4741f7951fddb83ca2a874a92d9480e399561a2e6089298707fed85172f32d685d998291f9e9c67e812b0acea2d6bc12a491be1ca1c10

memory/2660-120-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Doobajme.exe

MD5 51a6a7c921db766d5fb89ec02bac1ce4
SHA1 1013a30b1c1f2eab4fd4f461730829f639b60553
SHA256 c3d64b200c51ddb3d564e42da3d50706da9c48e026f0b498fa228d40e1ab8737
SHA512 8db6416b70a14e89b244bfc94d84865fbb4cf706b32da8cbfebb556b0c0d196d7dc28f2be2faa12c0c6a90f437464c59b902728a8d65109c8cc1db2cafd9e007

C:\Windows\SysWOW64\Emcbkn32.exe

MD5 edaecbcf0e64100cd8b4fc0b15e3267d
SHA1 254f0e9057f39c2a257f157262f3da14e4cd5f00
SHA256 e5cf1beb112e28806b3fe1821a0b128d4cda760b4d711fc7bdd60f3ad86bf471
SHA512 195948b59fc41f5ff54332281759ed64c42042250eaf2d8dfcf5279f9194c1e0be0017470d36ca915dfbc3cf175c29fbee0401d3b0e5f7728f1b36499fec6710

memory/1228-146-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Ecmkghcl.exe

MD5 56b1d96ce0e640dd2c83a619421e075c
SHA1 f53da46f554e76806c266b77d9ee6422634bd85a
SHA256 b9e16b83c0daf403525fa5117d507f7fe4115b6df1a71b8585d377be05619eec
SHA512 1c41ed46e57d42799e9717fdbe35ce68f5b7dd0242343604c5af874eb586a8c7b3b4fbc6a6fd9b49975fc4c223c9dfca3d9abf6f639a38f69bca600975c76982

C:\Windows\SysWOW64\Ejgcdb32.exe

MD5 985c6e76118bc4075fcaba0013cdfbca
SHA1 77c092dedec5db75eab715eeee8d30c92126d230
SHA256 d379a303262c175ac77613cb2e0fddea2e7391a49e4723adc8746f6fc4228350
SHA512 bfab6f84f3638344de09b3ad67acbafa01b74ee9c20aafee5062ebf3139cdba1bb679c96116cd1fbef0a6f05b39dbe395eb64eef5d84ee761bfe9d496ba3a622

memory/296-172-0x0000000000400000-0x0000000000453000-memory.dmp

memory/296-184-0x0000000000460000-0x00000000004B3000-memory.dmp

C:\Windows\SysWOW64\Emhlfmgj.exe

MD5 348016c6776fbf0b5fea3fe96fa05969
SHA1 fc7a70b8b95c21bfeb80683e40f60d4c1a616acf
SHA256 240ac451d2d70b0e60af60a406258c12ff9ddf48d416b70a7ba043be739fec23
SHA512 c10601a28fecf260a0c678dd8dea450bfcba690969b845ecc09d747769f3314c07cdbb21b46cd3b9e839b6b864c03fe855095ced73cdadbfe8c89e300edb1dcf

memory/3020-205-0x0000000000400000-0x0000000000453000-memory.dmp

\Windows\SysWOW64\Epfhbign.exe

MD5 98356c0b2f8c5cdbbb04fff892e7f2b7
SHA1 43e01ddb6e3dd239a2d527a55e3b982159e9a0df
SHA256 ee80ed53550caadd71aa93b8db349aed77bdb51de594c508d47d17565e1b9187
SHA512 a2a5f7eb17e9b11eca0c3636744502adf861d52a40b35019e346dc6f38e8eaa154b2e4a7c99266b8bf82f219fa7cfc908dfee6cc4071246bb87b79a6f80ffaeb

memory/1084-215-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1440-238-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1440-252-0x0000000000250000-0x00000000002A3000-memory.dmp

C:\Windows\SysWOW64\Ennaieib.exe

MD5 b936ec7d4fa113a57216280047d06390
SHA1 ce557af740f632144dc986894828aa7902190aab
SHA256 5bcfbb9e6b15335d29b15e55d8e6aa9991668fd5a0a2f7e0d0f3958474bf352c
SHA512 c2b2fc571b6962d36f854e9b2dd26cd1635dc297781d63d47cf76837190b6ca4b11ede79f5b8662e65c0683f29e00ab2c2dd9d09abdd876626e5fdb67b8e789f

memory/1868-313-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Fejgko32.exe

MD5 a63fa5a1162c758ec6a5546e8a7e7680
SHA1 183989017ec5f8615664b5cc60bcd27f9fc40be7
SHA256 f51512f01d948ad03374cd44f8cd9a9af8fdbe2be28b47192cf459a480127daa
SHA512 d1bf9ff27b89d4489380c7d35f5da181aca56b860b2cb112fd4d68b0b1f2875e4752c3dd2edc583a0b67b131c64be5c7082830d5ab81e1e53694470383d5dcef

C:\Windows\SysWOW64\Ffkcbgek.exe

MD5 6eaa87b85fca9a1e000c026494dbe0e0
SHA1 d8d53458118f951759e41e566f9a8ae914d276db
SHA256 78e950e99f5d69cdb8e25d89bac83429205e0d8223e69b90521ce11c41b2c5c1
SHA512 49ede01ee6b18b76897b66086805216fa25b0a95c8ca676da45f9c34de9d5824a9b2feff8151062be2e8129c5a2ad0dc9d6ca17bc047f4fe77f9e58110d5c3d8

memory/2636-355-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/2720-367-0x00000000002D0000-0x0000000000323000-memory.dmp

memory/2492-381-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/1852-389-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1852-403-0x0000000000300000-0x0000000000353000-memory.dmp

C:\Windows\SysWOW64\Ffpmnf32.exe

MD5 2043469f1862bea080b07ea4f4af212c
SHA1 9f22d735d68fb07292f594be186974fa3600edaa
SHA256 cbea449fdaaf12282db8e85a6fc83d016ed7e7ab80b6d301f795d3db19c64cd5
SHA512 3c9854d923beec24135a5e94c02d389c564d7f5dec7c9539e6f106727608b153146cea4d210f84729b479fefb4628daa97e7dd93d144a76d7b238401d22364da

memory/2600-408-0x0000000000250000-0x00000000002A3000-memory.dmp

C:\Windows\SysWOW64\Ffbicfoc.exe

MD5 5886de4300738f5f592528f0d6229613
SHA1 9920657f488d1363a736de9dc5b0b9e5562594eb
SHA256 ce321f26baacdcd81cfa557b73b3182cfff68e760d3a942d137a66bdeb029bce
SHA512 e41280c5d4ca064c4c89bb11fe51b0d3ed104988629127716036ae38622f2e584c46c5640cd0e37c4389e4e178a94406e54ba39ffc6d3a5d992015d24fedac7d

memory/480-440-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1588-467-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Gegfdb32.exe

MD5 d3700287fa3ead27bf223345bf085d9c
SHA1 7cfe0a40e798139fd843dbd5135b2dc2279be720
SHA256 629f72576bd0f60648d05a340614c7cb1a406f50c21fe7d49654177e2e202a99
SHA512 cbed78b6bfb63651bdbabb403a43702c3b4ff50eb8ae871a7e5da33a41dfa353d0131fa2506616f12c20863d7e2c29d0b8cf520ac36462f3a750c98a5d8e6a78

memory/1408-487-0x0000000000250000-0x00000000002A3000-memory.dmp

C:\Windows\SysWOW64\Gbkgnfbd.exe

MD5 734c9a27708e18c719205767b7c1b3e0
SHA1 ee01593a8be0b7a8a223e85c7677391b67a87a37
SHA256 49f64da556fffc64241fd43000fc6211a517dd57db460271426c5a2983ae024d
SHA512 e81376a794c312f4b098619b239d10a00ebc704e972f8984f1c8d0866c627010f7160fb8fb5fba2938bef542c3c6e5d6da5e44c661dc84738dca327573f8cc39

memory/2316-503-0x0000000000300000-0x0000000000353000-memory.dmp

C:\Windows\SysWOW64\Gobgcg32.exe

MD5 504d51f721b212a4715baae90a7b685d
SHA1 b9536b54d6ad77c87eca728a7b17474163691da2
SHA256 9859c075314bc56ccb8c4f5bd6d0e9d291e3c94f7f113d175325d8afa0ed6d9c
SHA512 2ca99e5eba694521e4c1841049f45fb8ba4ec23071c17a59259447e58e7cc8edeca30aee88e5e22c1f0e5d2d9c7e6010b5d7fbb2150e98e0a83fa99eb930151f

C:\Windows\SysWOW64\Gaqcoc32.exe

MD5 db99b39d91b4c010a392bda996763edb
SHA1 b5195440ed6b13f45c8245c481b99d34903848f6
SHA256 4a1bfefa1b630eb1b41494b572210309fbd1ef285879ee06997eebd47cd2dc75
SHA512 727ad03210f021d808c974e9ed4d1105b979c9d5a61b086aaba8a579b77da1f438617f74c6a1317ffd7c2a8a730b783d6f04e63ac828023d99757aaa516ab372

C:\Windows\SysWOW64\Gkihhhnm.exe

MD5 b98a75debeb07d9a8c16140a7f6f04ff
SHA1 0c905d673d1cc7c1a256e0c3caf6880fdb693505
SHA256 12fdf314c0465e8b870a0e7820a3f6f0129246a0bbdd6cd38150d3851c55506b
SHA512 d8d87a4942cc1c1c787f3f9dad30b0d520e23d07a23457c7d2387d7ec0feda27b1418205e9b3e095efb72825ced6525815ee4039ef6f8ca130530d198afa3e3b

C:\Windows\SysWOW64\Gdamqndn.exe

MD5 45b78a8b9b24b038aeb9e92e4f8ff347
SHA1 ad8e0399ca7cd0864d34856ca42bee509e3164ae
SHA256 a69b8c63826b89f1d1dc206e1e91bf5e5de4452d0fe12d596d035726b7fb9040
SHA512 d08a79c400a3cbba92cb367425f96dda17023a4be748ad1f589181dd77c6f832a7d22a724292b8af4de650cecc17f69d2b39d65e81b747d8c878af5a4bd0a842

C:\Windows\SysWOW64\Gkkemh32.exe

MD5 7d50dac7cf1d3be84994a547ddeef940
SHA1 70934a798c50cd77a77f14068cb79986e66f0c3d
SHA256 391ca995d3f7120fa39217eb211aea9f1daff6d035f31b9bda701e3d9756ce2d
SHA512 5bbc8f2aece3bac06b86074202f44c92f1441f7dafb162d384cc91c9ce4b7b4d28cdd9a7190456e754e67892cdc1d8803615a8e91d0f8737cc7fc666f647115a

C:\Windows\SysWOW64\Gmjaic32.exe

MD5 72b7cd70674e4370ec49f743ac6e340d
SHA1 959eaa2b2f83dc6dddc3dfb14cdcbc82838e3bfa
SHA256 fb15b554f2fa354f1e4f87565630bd666ce3740dd285987dad63f14cadb55b23
SHA512 c05b17ada987bff9b6c8f5213da96acbee0fb90b95239c9be22f894c5ddeffa1e1770fb5271f929f1587a3bbf6c8f73274ce27b46861724961da201d6c938b8a

C:\Windows\SysWOW64\Ghoegl32.exe

MD5 8c401b1d6123dc4c8f08ea05929317df
SHA1 cdff14c76611ef71528861fa3b037aa84db8ee2a
SHA256 269c3803f65bd4a9d8b17f60edd9c2f7d9501632db62ffeb9ceea890c85dbea0
SHA512 29b3892d3a48249c87d2256f804602ef467793ef3d4eac25ab7d86a67652e4314e2fbd295100cf6eef26d95962ad87c480070947f0e9b652905ebb34732a6fe5

C:\Windows\SysWOW64\Hiqbndpb.exe

MD5 3a4adc8a3acd640446419c5d4d1166a0
SHA1 55f3d2949d4e6f8add7b8ca2a3665ca0228fb3f5
SHA256 f966e5d1e2c805ca35778dbc7f48ecb1c3411ff462d9d5aa8f513728b337f33e
SHA512 23e2b12c3396c224854d24c472cee85697c30dce042f88c2e310db4d409daca6f803b77a294e1eff848b3a63c2597498ea6611b8d030ed8cd0a43e670dea0888

C:\Windows\SysWOW64\Hpkjko32.exe

MD5 70e61310efe82ffdf5d9202b835d7d45
SHA1 51db77a8515eb5246d5ad76870f31e50609bf8f2
SHA256 4ec7c93db13b07dd7e1f005c34641a725bec53dd2143026faf00a7ab5968eda1
SHA512 3136a96dc2363498d254177ceac8fd8a71d857abedf7314ffc823d4babde43c823e41731eb944a57a134d54f94143cb962395b618b05b6293f54e6631b7c9562

C:\Windows\SysWOW64\Hcifgjgc.exe

MD5 7860ea1dd959165a5231c6060d076482
SHA1 d08c79f1abe97631631c628567e8b3657ef8f052
SHA256 2d08b4f3a422d5a33fd4b3da5f3b835e0e50e0b5f505f12e01130b53a65853f8
SHA512 12dd01db5766502a5221c0ecc194c65affccfa2df9965eb0117d192608f4eae0ee390874884e78c7c83f66af7b721c4c45adba558450e815dda1a82bb83d3918

C:\Windows\SysWOW64\Hlakpp32.exe

MD5 acfdcc5e2e0a8ec5b2bffcd1c8f8eba6
SHA1 3cd3cd52b89480fa1b9874f2b6fad02cf2ea2487
SHA256 ae75f1b0b284db36b12fc8e63da145bd73bbab4ce489b233d52356b80330e26d
SHA512 0a0a2a9aad09ccd645c42d3e138c19052a644962ffab5007a3115ce6ba949defeec6ba08dd521e2485cd317de30ca6028f0cde072dc067953dd9ace7cb04c58e

C:\Windows\SysWOW64\Hckcmjep.exe

MD5 0fb948b2f63a469ae4b688c1f4b0699d
SHA1 2cede1332f923809c52016322c274ae1d68f3467
SHA256 7d4e457f34e5b717601da1db3ceda71c19af537393fdd4e4c6dc9d79f6432d0d
SHA512 3b5a80fed6b4101ea5c2f5db6115888ac16588dcea271cce3920903c6bf5845b1d5107d7b7dfd8de166dd163ba8d28b80cca81b28703efe43d68ee35864934bf

C:\Windows\SysWOW64\Hejoiedd.exe

MD5 8474107795db2411a3bd306d5dd73fb0
SHA1 8053df277e7aedd873f2253ae0367b99fe0e0aca
SHA256 4bb91eaecec30d674a6c2903e667a1362d907f3444ab22349daf172de590d389
SHA512 9ef0becd8b22fc37b089b77ce71179f1dccbf6721fa7e3b56bf6ff24b749dfcd074fd5d7870919dc56eba89e633b8a73c72d8b38d31fb2247b25fbad74738042

C:\Windows\SysWOW64\Hnagjbdf.exe

MD5 ee4976def93eb7f9ae0a6a65dee9b9ec
SHA1 174076c2bd2a23a9911cceb1fc36ab6e4f127841
SHA256 bc95b7cc283c39b7ce22e4ba565ec4235c7e8303264dcbc7c93d31c08b769252
SHA512 7a5d627a8749cbdf61a1f52bad198e00caf82322d6775f84c874ec1920ee86fae66a7f6c58e00c77c1e6ac9942ce38efb69080c34c6492a70adef26d39c9796b

C:\Windows\SysWOW64\Hcnpbi32.exe

MD5 6ee85e6679cb1779b3be309f5b1d6170
SHA1 07c4e0679eaff18f32bc47bcba5ce9b27b7c5aeb
SHA256 d79481391fc38a65daa512e80c493de27ab9721b6bc52c82a8c8a76f8e491ac1
SHA512 ee5ef453e5cb50efa4edc9ba7a094135bbe40326fe6726411d404e2accfc3f8b1a088ea83a628f8b67e9cb0f3a69bbd678b610cead4d434237486f4b93364717

C:\Windows\SysWOW64\Hjhhocjj.exe

MD5 467b6e12f63988e5f23d53ae6b0be596
SHA1 bb917aaa0e638a3895f98bd6460b15d7180c9dca
SHA256 faba16dae73998d37a46e9aa075e3813273786216f384c9f3a43546786393444
SHA512 79545b7872616027156ac5d71e34000b15b33589f76b35e100a3238587d2dc3c221415188b7c62ccd8f1eac3aa49ed91447bb712b9cfd2fca48b028ec4b639e4

C:\Windows\SysWOW64\Hodpgjha.exe

MD5 3a4233f90d0a9e3dafaa7e768ddfdfd1
SHA1 ad19494527e1e9d1d06c84d510b4caa5e3201df7
SHA256 9d9a49f0661d029a125fcba410a97f11b8115e86442f5d650a6c0e02ed346da6
SHA512 34fa9c4af362656ab993a2ac2ff72927cc55eeb2ef06c2c7bdd8c1272c2a3706d97c60ca71ac15bd6f5165825a112b12fac539bec0828528523ae389a029d8b3

C:\Windows\SysWOW64\Hlfdkoin.exe

MD5 fc5b05b49a8a300820b1ee8ae4cee6bc
SHA1 1b930598ff70466127648c1b932b91fc7e7459e0
SHA256 9d0d9b1ccdb446f283a717b9779a19362466e38a532730a3a97cd558af39f7da
SHA512 d1bc06e330c21e9d91660e21db09ca7ee8be5c00028cd20bfa429f24f9b9990da534886fc07150269c6f8f210114a76454487cefdb338740408bdb3a5a21e47c

C:\Windows\SysWOW64\Hjjddchg.exe

MD5 4f335a42a44e09e8ab8dada3bb6b7481
SHA1 4da349389653b07265f3def19e60673f8a7f31a9
SHA256 de363bb3fbe3fd3d70e570aac3d358d84a4010bf1b50da35090d9d8655c8d00d
SHA512 f746eddae5f7d624b8a940c6051f0b44baf6fe7d1a9399516f380c182021f7bbb216b006467be95c4a20058fa7a818c635ae3301bc0ee270f5ec9840340b2f68

C:\Windows\SysWOW64\Hhmepp32.exe

MD5 9e15adc31c609c139382798cce97595f
SHA1 91ef4d0c1107a5f4fd8a92278e4ddc9a5ee8307e
SHA256 a119beb93eb05abe557108f0b96492e70060b565e23606334c930c1e1724df4a
SHA512 6ae846d7964004493cfbc1235eda72ef45e41e66700359a9c137eb49b09ddb02b267060f9e3bdf525ea1cf18a9d134976deca928566d0fef76841ee404e43a2f

C:\Windows\SysWOW64\Iaeiieeb.exe

MD5 1eb893d7cfccb3dedaf0d00d092f918f
SHA1 8b47279a77773e0c80afb32ee1ec723524f8cf61
SHA256 9247a732adda3db8957eaf62672f57e8eff205311cf5485d94028c3031d5c761
SHA512 8ddecdba211a9e6f926c4500790e1e37f48f12cdfda739172ae24c53ed00c66c6663156f5abc7edcbfcd4e61ad4b18e602f016ca8eab738ca8ada39d1291089b

C:\Windows\SysWOW64\Ihoafpmp.exe

MD5 731387c0575000c6a56ee5dfd7107bb7
SHA1 9e119adc6d06a520906b52a7221b48ff05f90ae8
SHA256 72841673c601cb0683ad1e5ea8356cba9e77c6ae51b07ab8689ac558b42dc9d8
SHA512 1d221ee36af5f3d9abfd45b4dabdf64bd7fa998b382bd7e2c0e734a2fdb6b643d9a9c6b71a893cf28e606b512763b342c12986e6349aa15b85a706a3e9590537

C:\Windows\SysWOW64\Ioijbj32.exe

MD5 d828d47ccfe8e4a6a812e0eef23a6f7e
SHA1 1752f458c91ec95eb151885c447f4f600b8ffd94
SHA256 b37087b22d5b2716db6733c043fd7c23eee2c45627371ed99edcd29ce1475bf2
SHA512 e6a9746eb74b6f6dce9f0434b304cf55031a75c11b97b0add60568c8d7c776a2f82b11a2c3d3b3664eb67f0ee6ca96cfa339cf6fa18fe9852b35bb96d730a572

C:\Windows\SysWOW64\Iagfoe32.exe

MD5 4041af86d070611037e417d8bac8b281
SHA1 ca2ac429235cac98112d80afb343331e295cb7e2
SHA256 76c3e69e43f6cb20ca2161f12d60c8a3ee05f6e73a5976243a4d93513f562b11
SHA512 213235c1da96473c84e858b368aaeb293a1d20d6bf0f24bcd3a663bf5afd468b5eac12f5d502a494ddb5251e5aa2354bc94240851f0769282d14a19cffd34481

C:\Windows\SysWOW64\Iknnbklc.exe

MD5 616b55a7e57544566b84e9a67bfe597f
SHA1 622a549c8bc136ac5fa22cfe8e38aef20ce68caf
SHA256 83df9ff1dca3134260c1afc3b97edc13bd6980d0b8c11afa11c6c5f574ca2f2f
SHA512 fb7fb4a78bda8863d6367ba41fd4585e5e46779fb430d969c7a03d3240a8cd744275158588cafa91e4e8b1c53a4c871ef3b715a00eab188320cb0ea24835ecee

C:\Windows\SysWOW64\Ieqeidnl.exe

MD5 d0495e2e3e1cb7271bc155ffdc088b01
SHA1 a426e2b85422205a3236168bd6f35e37ca4033f5
SHA256 9c8139498c135fb64c246a8344c730b7317db9a87a1fc21129da3d102b9c9edc
SHA512 2356ece5679739fc1346a6b536f1dcdfa25d6b3569e6bb79d34a2961d554e1d1ac32c32ec64631d356140540465876030822e33b056604040fd7e51aec4b7b4c

C:\Windows\SysWOW64\Hkkalk32.exe

MD5 f3e54124154bbd88ff5457e540f22548
SHA1 988f7b9b84425e31b7de5ff7a3184155d63eb930
SHA256 d35e16395db166feb4b713f61ae58e3750c3e96c420b9f5b5a61c7e95c55764c
SHA512 0a3a4eccf8f05460f9a39c51dd74312107f696f690ce7c649c53661787b128c9b1f0a863819f0e5990a001ddbfa6a4cb2bae1a03a593fbfbb71f3661c04dc443

C:\Windows\SysWOW64\Hacmcfge.exe

MD5 18b76470a206b9208c407db18334e71f
SHA1 811ce59841782edf49261d1f7a98d83e01c51faf
SHA256 51feb15c43cfdf5d6bf5d6c39fa80387e4d8476178261a538faf0d161009f1ec
SHA512 d7481e2688411400c456adf37875ae1c14d374075520af32ed418867fd3234f8a7b908100d58cc6fd7ab9635328530759327125f1ee1ba6b52ced22cca4bc003

C:\Windows\SysWOW64\Hgilchkf.exe

MD5 eaae1db21b043820ad19304dda87234e
SHA1 3454b2caa579fa53c57784bd535d98cef92d4a98
SHA256 9724a45d286a5ec3bb27c14f2f536eb11a62af7e13a6c926e71cfcb4b6122c89
SHA512 cb00138c66f9a15aa56e8fbe4cf018e97be69490a493d71f039f079bc6f283cf2abde7d490d2c5a1e25b6df7af93d9e5abfbfdc8bf5af3c6ec26568fc1155b37

C:\Windows\SysWOW64\Hobcak32.exe

MD5 6ea04d14215e88e29e072c3b030a9bb8
SHA1 83c94fded0f557d44a70c96be6f26ee3333ee02d
SHA256 82e6324013b0290bee1575878d4d5d9961df11cbdc69b2dcabc27d95a6e25411
SHA512 fe936ef3aae8c89ab2851037a66746993aa0bf60d447ca127a05ee031da21a03f544bee2975b57cd9ff572b953e59253853fe9b9d74fd91c4885c381b0f74d23

C:\Windows\SysWOW64\Hggomh32.exe

MD5 11f32107381417d1ebdd77c45ceb880e
SHA1 7c25f6830185473d5882c1945aea05d44cff0789
SHA256 ce564fed22f530d5c129e7e722eaa3a9ddcdc1447297daa3106ba3ae80b2a613
SHA512 7b8e3898f7cdb6a84da7dec756ab7f43b02defd94f5149b25ecb6a06a5005a379a598ce8b00b021fd0f92c6d04de9b81a17713e861e0d09c90889096d313a3ca

C:\Windows\SysWOW64\Hpmgqnfl.exe

MD5 ebe9d98ef7c9a966e34348e86e891700
SHA1 39df54b9c5acfdbc6b778836a9524488d8371644
SHA256 4425847757abc13653c6a34a943b2aec24957469428c905fe4dd349859de18aa
SHA512 112ea2988dc7668f3f3e18455ac2dcaa11627294f53d2015257cee3e647def1fb13362b63dc113cbfe50b1b2cc6660d30c46dc46585e0a6714d14178a9363c24

C:\Windows\SysWOW64\Hicodd32.exe

MD5 8d0ad3c78cec27140ede8f814380d347
SHA1 3f84f06b29ca0d5b5cfa372d3fd195def88963db
SHA256 75d9340280aefc202395b82bcf39a906ddbd4bde93da9347a74c50c75412fb2c
SHA512 e6aad617ffdb8c586dbdef5a2c5d8cd4569f15411baf0ed9a64b435cce94cfa7c57122aacb4589204f352f780cd2c019e797c4237763da7866946f4ed07198a6

C:\Windows\SysWOW64\Hahjpbad.exe

MD5 4fe39a2ce044c6b9498f408d7c43aab3
SHA1 9330c3b10838b0ed0fcaa8efd6ea20a8b19666d0
SHA256 2692c82321528b92952d24b4dcefa0a8b7ac456b2d1f337a2e42b226ac19ee7c
SHA512 0fdfeee3ea165abea214992e9bac1e2bd6edf71df6b8531a4948dc52981f72189a21cbe5839b0371de6ce9ed8f8e66f0afe4de843e454326c4bdec5284a18a36

C:\Windows\SysWOW64\Hknach32.exe

MD5 f2f35dfc8f38e2cb30fe68a6ef2c316d
SHA1 836ea9b70398444fca4bb29760a2de09afce94b9
SHA256 1129680583d3d8e933ad2902bb338b0f47888844c0cbc97ca246804675d8cfca
SHA512 2948181d6130141c150a0d3f65a71542293ba7713852efb99593ff039a0d02ab59b789af0497de508d99cab49c85580dc6dc32855f7469149a90cc9dcbe721dd

C:\Windows\SysWOW64\Geolea32.exe

MD5 f456ccd07303a4dbcd774aab30d248aa
SHA1 dffd692f91115af3fbbe90fc854a930e65ec441e
SHA256 728f3ff958c10ec930be3564f8ba1487ae79836a149843ec6beb2612f6dbea01
SHA512 82432a49d64abbe6d4cd71fba31ac14c092f9c67704f09db2278ef8a08627a86aa4a52ccadc26ce0b89732d230ada103dcd7cca1c73e41557f536431b82bbadb

C:\Windows\SysWOW64\Gmgdddmq.exe

MD5 4bda2e46b036300733732fcf387c8b3e
SHA1 38ca22115a1e95b753bd127c93ec8e95e7c17e41
SHA256 d5cae2362a2bbec71a7d8563e4ea0741dfd2ff704eec860e5ba96593dae883e9
SHA512 8f9d303ce37ba5c441665013b0ef71ae1da0507d59984e44f7df3b831ee9f58bd6b1ad784016c904cbaccf0a9b31adeb91a299c451202354122e0603a8851aaa

C:\Windows\SysWOW64\Ghkllmoi.exe

MD5 72ae4302362191a01041f1d17d482fa3
SHA1 2a3258da2e15946012f18deeaffb3cb7207bda9d
SHA256 66fafe5f39c33fdfe4ad0627a368dd2442346a50f39fda7939688d18d90d66b5
SHA512 749c082d3ba28731f9765ff221fef5af581ecc2202530efd83805885232671487a54db72455449fc277858b9133250c9f3164d6f83a43e514e324d25fcd942e1

C:\Windows\SysWOW64\Ghhofmql.exe

MD5 c4eb003074de2c5b9b94fc3c941dce52
SHA1 4f7adcc4127996818d9cebf2762518eef2cc2293
SHA256 a502b3996d50d5c63e69afdc8894d1995b12a836ebc9881f4f1df97024714900
SHA512 dc5bd8036ff4b837be2a5e54968629cf7bd97d1c991a8793c85e5cc4518f99a996bb0f0186bfc92e2720e90df5beb4249f5675ae8b61d01c137534a5da8fd8c4

memory/2316-498-0x0000000000300000-0x0000000000353000-memory.dmp

memory/2316-484-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1408-483-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/1408-482-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1588-481-0x0000000000260000-0x00000000002B3000-memory.dmp

memory/1588-476-0x0000000000260000-0x00000000002B3000-memory.dmp

C:\Windows\SysWOW64\Gonnhhln.exe

MD5 13419e25763fb6db54ccb2d5e1e1c14a
SHA1 ba523e6812d3a9563418eb490615bb5b946f7285
SHA256 3ab78a8dbc4d7ce5b56663f95fd637122abc94defc933dd4b2af6476a6443471
SHA512 69a0dd20295186da2f05bf461d26ce991111658d838014bf3809807b2482bf442ad2b9a88d9ea6800a1034318880c35176b1197aea10f6576fa14f1002d11c07

memory/1612-466-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/1612-461-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/1612-460-0x0000000000400000-0x0000000000453000-memory.dmp

memory/480-459-0x0000000000290000-0x00000000002E3000-memory.dmp

memory/480-458-0x0000000000290000-0x00000000002E3000-memory.dmp

C:\Windows\SysWOW64\Globlmmj.exe

MD5 cdf148b9a1de14a86b3ce7b1bccd4550
SHA1 3990a23b8a7287deaadbc8805a90c3b583229e5e
SHA256 01bc9e0f93986f7644cbab992b338dba68958085d062e3b46fa71f6fe1ab4783
SHA512 3754f23f3949979ca80219f54d14f602293cbd63a25c3754f4e015b91ee14749cd89c95682bd195d1caec2a642c68f3f3ecdadd195342070077cc8d2fc13afb1

C:\Windows\SysWOW64\Fmlapp32.exe

MD5 0e5b88c55efedbcab97a6514e1a0bb49
SHA1 bfa62e6df4aaedefe5864f80232a3d9dafc5e92b
SHA256 49b707f43b159e524df142599dd8e71f6b3178dbb993ecf50da278cbd4d79d70
SHA512 f1df89fa6eff070114fd4e5729ad6a67be457a141ef974c779649513720304c1f89ee6882185427320ba815cae790b649c99eae56e1dec7d3e5f540f2423b0b6

memory/1556-445-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/1556-439-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/1556-435-0x0000000000400000-0x0000000000453000-memory.dmp

memory/764-434-0x0000000001F70000-0x0000000001FC3000-memory.dmp

C:\Windows\SysWOW64\Fbgmbg32.exe

MD5 91fcf85b8e39ee004c6ca2cb3282bf10
SHA1 0bae70ce9306b4e5e82e5c62db20b9800036e4fa
SHA256 a6d7cdf95f4d696e9c8ebe240f8536a9c3811a7a5f88ef6dbcca871dd255b429
SHA512 16d7ce32d002a04a245ad69d4287530537820be43d8f912919987eaacd0f0417a977ab4ce6d59d7ebda5922f0bfae84edbcc751917a32035176304f408c2ecc6

memory/764-425-0x0000000001F70000-0x0000000001FC3000-memory.dmp

memory/1692-423-0x00000000002D0000-0x0000000000323000-memory.dmp

C:\Windows\SysWOW64\Fphafl32.exe

MD5 8c3d973b9d4325f2d2c6a17c76912b42
SHA1 d5f8353a9841faf8ce6090b5d998618ca61bf437
SHA256 9d5aad8fcaf7d7d35e7a94bcdb72dab5bde769abc0911255cdb342ebf21ecc3f
SHA512 d31cd965224bf55905735486054579c52322ec7503ac067ec5570cc8283af9edd075fc34c162638b5eabc2abd61f1b50014d89974494c02a4762176d96d17fe9

memory/1692-413-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2600-409-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/1852-399-0x0000000000300000-0x0000000000353000-memory.dmp

C:\Windows\SysWOW64\Fdapak32.exe

MD5 f7f4409d7f2f5cf552c6e9076835d2c4
SHA1 3605eca0d184b9590a382774301f2532229202a4
SHA256 558dbcbbe5b955374e6563a339447c974300b5598363cd7f5461df2ae01ae638
SHA512 dedfb9a360260fbbf755477d991019d46cb9785bf9da98067a915ae3ec46734b3e7bfc8c6b6380999cdef71f3f3729130ee13c4f6d5ffb71d5232015251ae5ab

memory/2808-388-0x00000000002E0000-0x0000000000333000-memory.dmp

memory/2808-387-0x00000000002E0000-0x0000000000333000-memory.dmp

C:\Windows\SysWOW64\Fmhheqje.exe

MD5 8b841797e383812cf36cba1090293a8e
SHA1 13303fcb66c3bfe043a3d998193e948793e3775b
SHA256 347586ab936e8918e02519d9486bca4d09caccd221c1621190466034e5ad1914
SHA512 b193b72c6e44d55764727d99bd79f2e80cca20699dfbaf3ace9d9ebca2089a8f901ebd8cbea2eeea73938b419b1d47a1507717ec5447699242f50a8f60568acd

memory/2808-382-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Fjilieka.exe

MD5 a1e0f019dc2d76e32e7bf94c2ed3f654
SHA1 f50f2c1f0d22d07e3c89cc3cd101ee07c5d87367
SHA256 e5ea8cab0c39fd69300f485947593be7ed132bb4e211d5a225b23a4e2f77e12b
SHA512 4e53e2386cb8a1b9cc2ccd7b8179bbb2b81ea1eb007ef80d3c5a1750bd79da426b8c848e8fa44aa247a9afdaeef1098cd0e37f16192a1fb8d854195145b0ad92

memory/2492-368-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2720-366-0x00000000002D0000-0x0000000000323000-memory.dmp

C:\Windows\SysWOW64\Fpdhklkl.exe

MD5 78ec63dc1e3f840ac423a12b2adcfbbf
SHA1 c4a4a119054cdb3e2dfae5e5630dbbdedd181e01
SHA256 7420e57385f5249b8dfa3403b7b9f60d701ac5be5a562b1f9cc960d9af58525b
SHA512 21f61efb8d0dbb2d9563f7a417cce5ec9a621a1762c2e8afc41025632578da674fc2b901627ef2dc8a859c15041d9349d9de5eb738bd7dddc4c9b99998cc3df5

memory/2720-362-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2636-356-0x0000000000250000-0x00000000002A3000-memory.dmp

C:\Windows\SysWOW64\Fjgoce32.exe

MD5 0af30cf35973adfd53bfc93fbe6374ee
SHA1 7a981146b967c583e7db78218477fc7e464d556c
SHA256 edb89b231e2453a002fcf4d16819b6949524444fd5f7d636e62a87fdc4f3c6af
SHA512 ec5e30ca3fb6ed454bea88584da80921526136ad7b6debc0e78c27e15b987ea273d58a2336d3eb06cad6797c84469a036cb6e9e45a731f8542eb1016b81b1c52

memory/2636-350-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2888-349-0x0000000000460000-0x00000000004B3000-memory.dmp

memory/2888-348-0x0000000000460000-0x00000000004B3000-memory.dmp

memory/2888-335-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1508-334-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/1508-333-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/1508-329-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1868-327-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/1868-322-0x0000000000250000-0x00000000002A3000-memory.dmp

C:\Windows\SysWOW64\Fnpnndgp.exe

MD5 367fde71f70a0d16a6977a0e742a4b6f
SHA1 054eb7a4b4e67ba5e6755d99f85f0a49fc372c69
SHA256 d98be7bc10c81dab23b086cd018a06cee9c1d65cf9feb40ffc1940b0f7deea08
SHA512 ea3777984b82979d4c38cf970d6c656ee109c5aa4c6a188202fc8546c7090db1d89b9da0afae534b3bbc0233cbce8700c1760eeec72a545cbbd81ee3d271c6ee

memory/2768-312-0x0000000000260000-0x00000000002B3000-memory.dmp

memory/2768-311-0x0000000000260000-0x00000000002B3000-memory.dmp

C:\Windows\SysWOW64\Fhffaj32.exe

MD5 8aaacf14aa786ae152e6241d43be1d56
SHA1 3070efebd2e50dbee48b85ffc076ac068991d8bd
SHA256 4ba186e0e7e4a83ffcdf80d4346b6071cc19d234b365917ea683431711cb5e8e
SHA512 125ef185a7abded4983ea4b98ffc8dec50f7f4917304fd55e481dc72fdf8ffb7b92138dbcbdf020d44402d1f6c328a34047439a1f2a6af442ae006a418e2bd34

memory/2768-307-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1996-301-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/1996-300-0x0000000000250000-0x00000000002A3000-memory.dmp

C:\Windows\SysWOW64\Fehjeo32.exe

MD5 105fa135a2589da9eb6ec6b23e334838
SHA1 fedb29f37b6056fe8bfddaab8d50ba3cac9627f7
SHA256 3af26040add7d52480c2955226390091ab6a157a2c76a6d801c7d4e8490237c6
SHA512 c43bccddcbc90e8c2913d75794126ff0d64c8d862d64299fea7962442942f8734301ccdd382eb779ef68f400a6fe37b0faa0c705b7c6db6b5b435fce11d2572b

memory/1996-291-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2928-290-0x00000000002D0000-0x0000000000323000-memory.dmp

memory/2928-289-0x00000000002D0000-0x0000000000323000-memory.dmp

C:\Windows\SysWOW64\Ebinic32.exe

MD5 5b3334638b21848f7cbc6bc4e3685ff1
SHA1 351d20f108f662a011ba897779341ffcf901b156
SHA256 00767bfa5c5feff546da449ec17bbeb107ba4db5ac73fe6a88f26f17e7a8091e
SHA512 191b08c09b1af6df87b539b7590c5602c0734b42a1c7fe2d512e296afe95e96cbb049a15fa57af5db24858c593ad0bdc73f186e97c6c0110359c29cc0e16c8bd

memory/960-284-0x00000000004D0000-0x0000000000523000-memory.dmp

memory/960-283-0x00000000004D0000-0x0000000000523000-memory.dmp

memory/960-274-0x0000000000400000-0x0000000000453000-memory.dmp

memory/768-269-0x0000000000260000-0x00000000002B3000-memory.dmp

memory/768-268-0x0000000000260000-0x00000000002B3000-memory.dmp

C:\Windows\SysWOW64\Egdilkbf.exe

MD5 2ed634df44703c21b0042719daac2e0a
SHA1 fe85bf38dbd44712e2acb6749689063d67ed8232
SHA256 41932d625b42db89aa61d16c621f390e840dbdf1c535de438ec2a0f2190663c4
SHA512 a592db19c90fa6c8a0ed4ed24c2f5a2c3c938d9e232c8824333364eb23090f505c71f00a5426bae0d1f7fcbaff0f5628ea991bb4c488cd352c1989bf01d7cee9

memory/768-259-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1888-258-0x0000000000460000-0x00000000004B3000-memory.dmp

memory/1888-257-0x0000000000460000-0x00000000004B3000-memory.dmp

C:\Windows\SysWOW64\Eeempocb.exe

MD5 bfb4b57b275e2dea0e1753614f18ea8c
SHA1 06fd316dfd008c3fb9efdf91c0327bb263b8fbc0
SHA256 f19d70aa4cfa1221fa399b1783adcc77a5d35832a7759671ca92c30fe9583a19
SHA512 0d4f716317a822e24328f27bafa430442ddca88e22b54936ab15bd092324e1883c4fb44c0d5a4fd4798656187c7b3b44feb5e74ea787926a6e99193937a4fa40

memory/1440-250-0x0000000000250000-0x00000000002A3000-memory.dmp

C:\Windows\SysWOW64\Ebgacddo.exe

MD5 76cd2050e0c5ee690d3f836fdbdfe9a4
SHA1 93a0d54c1c4d28d2140bf013608856afe1e0e7d4
SHA256 9c241af15f9e89ddf4ffdd683014cc0e0e518fdcc95dfb12758a1b05d3673d65
SHA512 1378176b7826b87f63688018b9ed3919dd7e3e509adf315f56b2d165a3b6ee267ed40a0d71476b94503e4ea2d4f5e1ea82a8ec9e3eefa3b802e06794053971f7

memory/452-236-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/452-237-0x0000000000250000-0x00000000002A3000-memory.dmp

C:\Windows\SysWOW64\Epieghdk.exe

MD5 48c3155c4ad974ba80c0a6cf7ff15186
SHA1 3674a39f39e6a9db99bb7b163a48046bbd256b9b
SHA256 53b06383abeb73f0eb8456092f99a240b2a0fd75f9259990772844b09a943419
SHA512 4c8f8fcb0072b8bdbcb9950723a935add25c003c07910595386bfa7748e464b8826ba0d66ab1ce41663bb2dc6400652f854697c15589a026b21516ce8848ab76

memory/452-231-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1084-230-0x00000000002A0000-0x00000000002F3000-memory.dmp

C:\Windows\SysWOW64\Egamfkdh.exe

MD5 d3e2ac2da112bd1d27adfa2ffc6919ac
SHA1 1088f5d3ab6acc2e71d434040a2c89348b3c663d
SHA256 cf2c41102bbfd07f08080ac98b2321702e1c3bf849463f735877dfe83bd855c2
SHA512 303e185ec1dad791c454aa84ea12aa5dabff62f8b654bdcf18e9adc3e7f9dc8028ff67caf05bf477e836dbc65148911f1a3e6cc21f1da88227056272789dd6d6

memory/1084-222-0x00000000002A0000-0x00000000002F3000-memory.dmp

memory/3020-214-0x0000000000310000-0x0000000000363000-memory.dmp

memory/2016-199-0x00000000002A0000-0x00000000002F3000-memory.dmp

memory/2016-194-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Eeqdep32.exe

MD5 6ce7febc6077faa4bbca3b4e66cfffdc
SHA1 64ac7e79701e404a3d44c2d3b35a6cfcb7f7c6b9
SHA256 40c60eb4ad00eb29084a49016a8c77402041e69e68a73bbe129000866e67ba38
SHA512 1442e5ca925970aaa34b521875d7ce923238ae3ffea714e180d196ab132f58688f4ab6200f8324143b142aeb4b3a01f4e8b57800b7e4632fd928e850c2136a5d

memory/296-185-0x0000000000460000-0x00000000004B3000-memory.dmp

memory/2128-160-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1516-138-0x0000000000400000-0x0000000000453000-memory.dmp

memory/864-118-0x0000000000250000-0x00000000002A3000-memory.dmp

memory/864-106-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1688-93-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2532-78-0x0000000000310000-0x0000000000363000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-19 00:40

Reported

2024-05-19 00:43

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ncnofeof.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kofkbk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mfnoqc32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aagkhd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ncnofeof.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ngndaccj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ngndaccj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ojfcdnjc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qpeahb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kegpifod.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Llodgnja.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Apmhiq32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bdmmeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jniood32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Llodgnja.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Phfcipoo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bhkfkmmg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ojomcopk.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Phcgcqab.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Phfcipoo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Adcjop32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Apmhiq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bhkfkmmg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kjgeedch.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lfbped32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dhphmj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bphgeo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cgifbhid.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dhphmj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lggejg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mqkiok32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lfbped32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qfkqjmdg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qpeahb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bdmmeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cgifbhid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kjgeedch.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kofkbk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Oabhfg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Agimkk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kegpifod.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cpmapodj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Caageq32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lggejg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mqkiok32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ppjbmc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Adcjop32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aagkhd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cpmapodj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mfnoqc32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ojomcopk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ppjbmc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qfkqjmdg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Caageq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mgphpe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ojfcdnjc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oabhfg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Phcgcqab.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mgphpe32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ompfej32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Agimkk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bphgeo32.exe N/A

Gozi

banker trojan gozi

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Jniood32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kegpifod.exe N/A
N/A N/A C:\Windows\SysWOW64\Kjgeedch.exe N/A
N/A N/A C:\Windows\SysWOW64\Kofkbk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lfbped32.exe N/A
N/A N/A C:\Windows\SysWOW64\Llodgnja.exe N/A
N/A N/A C:\Windows\SysWOW64\Lggejg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mfnoqc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgphpe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mqkiok32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ncnofeof.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngndaccj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojomcopk.exe N/A
N/A N/A C:\Windows\SysWOW64\Ompfej32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojfcdnjc.exe N/A
N/A N/A C:\Windows\SysWOW64\Oabhfg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ppjbmc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Phcgcqab.exe N/A
N/A N/A C:\Windows\SysWOW64\Phfcipoo.exe N/A
N/A N/A C:\Windows\SysWOW64\Qfkqjmdg.exe N/A
N/A N/A C:\Windows\SysWOW64\Qpeahb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Adcjop32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aagkhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Apmhiq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Agimkk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdmmeo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhkfkmmg.exe N/A
N/A N/A C:\Windows\SysWOW64\Bphgeo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cpmapodj.exe N/A
N/A N/A C:\Windows\SysWOW64\Cgifbhid.exe N/A
N/A N/A C:\Windows\SysWOW64\Caageq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhphmj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkqaoe32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Ngndaccj.exe C:\Windows\SysWOW64\Ncnofeof.exe N/A
File opened for modification C:\Windows\SysWOW64\Bphgeo32.exe C:\Windows\SysWOW64\Bhkfkmmg.exe N/A
File opened for modification C:\Windows\SysWOW64\Caageq32.exe C:\Windows\SysWOW64\Cgifbhid.exe N/A
File opened for modification C:\Windows\SysWOW64\Dkqaoe32.exe C:\Windows\SysWOW64\Dhphmj32.exe N/A
File created C:\Windows\SysWOW64\Fmggcl32.dll C:\Windows\SysWOW64\Jniood32.exe N/A
File created C:\Windows\SysWOW64\Aablof32.dll C:\Windows\SysWOW64\Kegpifod.exe N/A
File opened for modification C:\Windows\SysWOW64\Bdmmeo32.exe C:\Windows\SysWOW64\Agimkk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lggejg32.exe C:\Windows\SysWOW64\Llodgnja.exe N/A
File opened for modification C:\Windows\SysWOW64\Apmhiq32.exe C:\Windows\SysWOW64\Aagkhd32.exe N/A
File created C:\Windows\SysWOW64\Ipgijcij.dll C:\Windows\SysWOW64\Kofkbk32.exe N/A
File created C:\Windows\SysWOW64\Kofkbk32.exe C:\Windows\SysWOW64\Kjgeedch.exe N/A
File created C:\Windows\SysWOW64\Mfnoqc32.exe C:\Windows\SysWOW64\Lggejg32.exe N/A
File created C:\Windows\SysWOW64\Ncnofeof.exe C:\Windows\SysWOW64\Mqkiok32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lfbped32.exe C:\Windows\SysWOW64\Kofkbk32.exe N/A
File created C:\Windows\SysWOW64\Ebcmfjll.dll C:\Windows\SysWOW64\Lggejg32.exe N/A
File created C:\Windows\SysWOW64\Eehnaq32.dll C:\Windows\SysWOW64\Bphgeo32.exe N/A
File created C:\Windows\SysWOW64\Hhblffgn.dll C:\Windows\SysWOW64\Phfcipoo.exe N/A
File opened for modification C:\Windows\SysWOW64\Aagkhd32.exe C:\Windows\SysWOW64\Adcjop32.exe N/A
File created C:\Windows\SysWOW64\Llodgnja.exe C:\Windows\SysWOW64\Lfbped32.exe N/A
File created C:\Windows\SysWOW64\Lggejg32.exe C:\Windows\SysWOW64\Llodgnja.exe N/A
File created C:\Windows\SysWOW64\Difebl32.dll C:\Windows\SysWOW64\Mfnoqc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jniood32.exe C:\Users\Admin\AppData\Local\Temp\37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Cgifbhid.exe C:\Windows\SysWOW64\Cpmapodj.exe N/A
File opened for modification C:\Windows\SysWOW64\Ompfej32.exe C:\Windows\SysWOW64\Ojomcopk.exe N/A
File created C:\Windows\SysWOW64\Apmhiq32.exe C:\Windows\SysWOW64\Aagkhd32.exe N/A
File created C:\Windows\SysWOW64\Jponoqjl.dll C:\Windows\SysWOW64\Oabhfg32.exe N/A
File created C:\Windows\SysWOW64\Agimkk32.exe C:\Windows\SysWOW64\Apmhiq32.exe N/A
File created C:\Windows\SysWOW64\Oabhfg32.exe C:\Windows\SysWOW64\Ojfcdnjc.exe N/A
File created C:\Windows\SysWOW64\Phfcipoo.exe C:\Windows\SysWOW64\Phcgcqab.exe N/A
File created C:\Windows\SysWOW64\Bphgeo32.exe C:\Windows\SysWOW64\Bhkfkmmg.exe N/A
File created C:\Windows\SysWOW64\Liabph32.dll C:\Windows\SysWOW64\Lfbped32.exe N/A
File created C:\Windows\SysWOW64\Ppjbmc32.exe C:\Windows\SysWOW64\Oabhfg32.exe N/A
File created C:\Windows\SysWOW64\Qpeahb32.exe C:\Windows\SysWOW64\Qfkqjmdg.exe N/A
File created C:\Windows\SysWOW64\Mgphpe32.exe C:\Windows\SysWOW64\Mfnoqc32.exe N/A
File created C:\Windows\SysWOW64\Dhphmj32.exe C:\Windows\SysWOW64\Caageq32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mfnoqc32.exe C:\Windows\SysWOW64\Lggejg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Oabhfg32.exe C:\Windows\SysWOW64\Ojfcdnjc.exe N/A
File opened for modification C:\Windows\SysWOW64\Qfkqjmdg.exe C:\Windows\SysWOW64\Phfcipoo.exe N/A
File created C:\Windows\SysWOW64\Hehhjm32.dll C:\Windows\SysWOW64\Phcgcqab.exe N/A
File opened for modification C:\Windows\SysWOW64\Adcjop32.exe C:\Windows\SysWOW64\Qpeahb32.exe N/A
File created C:\Windows\SysWOW64\Kegpifod.exe C:\Windows\SysWOW64\Jniood32.exe N/A
File created C:\Windows\SysWOW64\Adfnba32.dll C:\Windows\SysWOW64\Ncnofeof.exe N/A
File created C:\Windows\SysWOW64\Cnffoibg.dll C:\Windows\SysWOW64\Ojfcdnjc.exe N/A
File created C:\Windows\SysWOW64\Bdmmeo32.exe C:\Windows\SysWOW64\Agimkk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bhkfkmmg.exe C:\Windows\SysWOW64\Bdmmeo32.exe N/A
File created C:\Windows\SysWOW64\Okhbek32.dll C:\Windows\SysWOW64\Cpmapodj.exe N/A
File created C:\Windows\SysWOW64\Ekppjn32.dll C:\Windows\SysWOW64\Caageq32.exe N/A
File opened for modification C:\Windows\SysWOW64\Phfcipoo.exe C:\Windows\SysWOW64\Phcgcqab.exe N/A
File created C:\Windows\SysWOW64\Mfgomdnj.dll C:\Windows\SysWOW64\Qpeahb32.exe N/A
File created C:\Windows\SysWOW64\Gjecbd32.dll C:\Windows\SysWOW64\Bhkfkmmg.exe N/A
File created C:\Windows\SysWOW64\Kbmimp32.dll C:\Windows\SysWOW64\Llodgnja.exe N/A
File opened for modification C:\Windows\SysWOW64\Phcgcqab.exe C:\Windows\SysWOW64\Ppjbmc32.exe N/A
File created C:\Windows\SysWOW64\Pmpockdl.dll C:\Windows\SysWOW64\Adcjop32.exe N/A
File created C:\Windows\SysWOW64\Cgifbhid.exe C:\Windows\SysWOW64\Cpmapodj.exe N/A
File created C:\Windows\SysWOW64\Lbpflbpa.dll C:\Windows\SysWOW64\Ojomcopk.exe N/A
File created C:\Windows\SysWOW64\Nphihiif.dll C:\Windows\SysWOW64\Ompfej32.exe N/A
File created C:\Windows\SysWOW64\Qfkqjmdg.exe C:\Windows\SysWOW64\Phfcipoo.exe N/A
File opened for modification C:\Windows\SysWOW64\Dhphmj32.exe C:\Windows\SysWOW64\Caageq32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kofkbk32.exe C:\Windows\SysWOW64\Kjgeedch.exe N/A
File created C:\Windows\SysWOW64\Cfiedd32.dll C:\Windows\SysWOW64\Kjgeedch.exe N/A
File opened for modification C:\Windows\SysWOW64\Agimkk32.exe C:\Windows\SysWOW64\Apmhiq32.exe N/A
File created C:\Windows\SysWOW64\Mqkiok32.exe C:\Windows\SysWOW64\Mgphpe32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ojomcopk.exe C:\Windows\SysWOW64\Ngndaccj.exe N/A
File created C:\Windows\SysWOW64\Ompfej32.exe C:\Windows\SysWOW64\Ojomcopk.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dkqaoe32.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qpeahb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfgomdnj.dll" C:\Windows\SysWOW64\Qpeahb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qpeahb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mgphpe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cpmapodj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mgphpe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifaohg32.dll" C:\Windows\SysWOW64\Agimkk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bphgeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Phcgcqab.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Phfcipoo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgeaknci.dll" C:\Windows\SysWOW64\Aagkhd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Apmhiq32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bphgeo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cgifbhid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kofkbk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mfnoqc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eemnff32.dll" C:\Users\Admin\AppData\Local\Temp\37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Oabhfg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dhphmj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipgijcij.dll" C:\Windows\SysWOW64\Kofkbk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qfkqjmdg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jniood32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adfnba32.dll" C:\Windows\SysWOW64\Ncnofeof.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmephjke.dll" C:\Windows\SysWOW64\Ppjbmc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcdibc32.dll" C:\Windows\SysWOW64\Cgifbhid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Llodgnja.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnffoibg.dll" C:\Windows\SysWOW64\Ojfcdnjc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ppjbmc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ojomcopk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okhbek32.dll" C:\Windows\SysWOW64\Cpmapodj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cgifbhid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dhphmj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aablof32.dll" C:\Windows\SysWOW64\Kegpifod.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfiedd32.dll" C:\Windows\SysWOW64\Kjgeedch.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lfbped32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node C:\Users\Admin\AppData\Local\Temp\37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aepjgm32.dll" C:\Windows\SysWOW64\Ngndaccj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ppjbmc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kegpifod.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kegpifod.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lggejg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ojfcdnjc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jponoqjl.dll" C:\Windows\SysWOW64\Oabhfg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kjgeedch.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlcdqdie.dll" C:\Windows\SysWOW64\Qfkqjmdg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Caageq32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ncnofeof.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphihiif.dll" C:\Windows\SysWOW64\Ompfej32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehhjm32.dll" C:\Windows\SysWOW64\Phcgcqab.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Llodgnja.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Phcgcqab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iocbnhog.dll" C:\Windows\SysWOW64\Mgphpe32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mqkiok32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bdmmeo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mfnoqc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aagkhd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bdmmeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekppjn32.dll" C:\Windows\SysWOW64\Caageq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjecbd32.dll" C:\Windows\SysWOW64\Bhkfkmmg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Agimkk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eehnaq32.dll" C:\Windows\SysWOW64\Bphgeo32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3176 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exe C:\Windows\SysWOW64\Jniood32.exe
PID 3176 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exe C:\Windows\SysWOW64\Jniood32.exe
PID 3176 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exe C:\Windows\SysWOW64\Jniood32.exe
PID 4944 wrote to memory of 4016 N/A C:\Windows\SysWOW64\Jniood32.exe C:\Windows\SysWOW64\Kegpifod.exe
PID 4944 wrote to memory of 4016 N/A C:\Windows\SysWOW64\Jniood32.exe C:\Windows\SysWOW64\Kegpifod.exe
PID 4944 wrote to memory of 4016 N/A C:\Windows\SysWOW64\Jniood32.exe C:\Windows\SysWOW64\Kegpifod.exe
PID 4016 wrote to memory of 404 N/A C:\Windows\SysWOW64\Kegpifod.exe C:\Windows\SysWOW64\Kjgeedch.exe
PID 4016 wrote to memory of 404 N/A C:\Windows\SysWOW64\Kegpifod.exe C:\Windows\SysWOW64\Kjgeedch.exe
PID 4016 wrote to memory of 404 N/A C:\Windows\SysWOW64\Kegpifod.exe C:\Windows\SysWOW64\Kjgeedch.exe
PID 404 wrote to memory of 2724 N/A C:\Windows\SysWOW64\Kjgeedch.exe C:\Windows\SysWOW64\Kofkbk32.exe
PID 404 wrote to memory of 2724 N/A C:\Windows\SysWOW64\Kjgeedch.exe C:\Windows\SysWOW64\Kofkbk32.exe
PID 404 wrote to memory of 2724 N/A C:\Windows\SysWOW64\Kjgeedch.exe C:\Windows\SysWOW64\Kofkbk32.exe
PID 2724 wrote to memory of 32 N/A C:\Windows\SysWOW64\Kofkbk32.exe C:\Windows\SysWOW64\Lfbped32.exe
PID 2724 wrote to memory of 32 N/A C:\Windows\SysWOW64\Kofkbk32.exe C:\Windows\SysWOW64\Lfbped32.exe
PID 2724 wrote to memory of 32 N/A C:\Windows\SysWOW64\Kofkbk32.exe C:\Windows\SysWOW64\Lfbped32.exe
PID 32 wrote to memory of 880 N/A C:\Windows\SysWOW64\Lfbped32.exe C:\Windows\SysWOW64\Llodgnja.exe
PID 32 wrote to memory of 880 N/A C:\Windows\SysWOW64\Lfbped32.exe C:\Windows\SysWOW64\Llodgnja.exe
PID 32 wrote to memory of 880 N/A C:\Windows\SysWOW64\Lfbped32.exe C:\Windows\SysWOW64\Llodgnja.exe
PID 880 wrote to memory of 2904 N/A C:\Windows\SysWOW64\Llodgnja.exe C:\Windows\SysWOW64\Lggejg32.exe
PID 880 wrote to memory of 2904 N/A C:\Windows\SysWOW64\Llodgnja.exe C:\Windows\SysWOW64\Lggejg32.exe
PID 880 wrote to memory of 2904 N/A C:\Windows\SysWOW64\Llodgnja.exe C:\Windows\SysWOW64\Lggejg32.exe
PID 2904 wrote to memory of 1016 N/A C:\Windows\SysWOW64\Lggejg32.exe C:\Windows\SysWOW64\Mfnoqc32.exe
PID 2904 wrote to memory of 1016 N/A C:\Windows\SysWOW64\Lggejg32.exe C:\Windows\SysWOW64\Mfnoqc32.exe
PID 2904 wrote to memory of 1016 N/A C:\Windows\SysWOW64\Lggejg32.exe C:\Windows\SysWOW64\Mfnoqc32.exe
PID 1016 wrote to memory of 1432 N/A C:\Windows\SysWOW64\Mfnoqc32.exe C:\Windows\SysWOW64\Mgphpe32.exe
PID 1016 wrote to memory of 1432 N/A C:\Windows\SysWOW64\Mfnoqc32.exe C:\Windows\SysWOW64\Mgphpe32.exe
PID 1016 wrote to memory of 1432 N/A C:\Windows\SysWOW64\Mfnoqc32.exe C:\Windows\SysWOW64\Mgphpe32.exe
PID 1432 wrote to memory of 2884 N/A C:\Windows\SysWOW64\Mgphpe32.exe C:\Windows\SysWOW64\Mqkiok32.exe
PID 1432 wrote to memory of 2884 N/A C:\Windows\SysWOW64\Mgphpe32.exe C:\Windows\SysWOW64\Mqkiok32.exe
PID 1432 wrote to memory of 2884 N/A C:\Windows\SysWOW64\Mgphpe32.exe C:\Windows\SysWOW64\Mqkiok32.exe
PID 2884 wrote to memory of 3088 N/A C:\Windows\SysWOW64\Mqkiok32.exe C:\Windows\SysWOW64\Ncnofeof.exe
PID 2884 wrote to memory of 3088 N/A C:\Windows\SysWOW64\Mqkiok32.exe C:\Windows\SysWOW64\Ncnofeof.exe
PID 2884 wrote to memory of 3088 N/A C:\Windows\SysWOW64\Mqkiok32.exe C:\Windows\SysWOW64\Ncnofeof.exe
PID 3088 wrote to memory of 4304 N/A C:\Windows\SysWOW64\Ncnofeof.exe C:\Windows\SysWOW64\Ngndaccj.exe
PID 3088 wrote to memory of 4304 N/A C:\Windows\SysWOW64\Ncnofeof.exe C:\Windows\SysWOW64\Ngndaccj.exe
PID 3088 wrote to memory of 4304 N/A C:\Windows\SysWOW64\Ncnofeof.exe C:\Windows\SysWOW64\Ngndaccj.exe
PID 4304 wrote to memory of 1708 N/A C:\Windows\SysWOW64\Ngndaccj.exe C:\Windows\SysWOW64\Ojomcopk.exe
PID 4304 wrote to memory of 1708 N/A C:\Windows\SysWOW64\Ngndaccj.exe C:\Windows\SysWOW64\Ojomcopk.exe
PID 4304 wrote to memory of 1708 N/A C:\Windows\SysWOW64\Ngndaccj.exe C:\Windows\SysWOW64\Ojomcopk.exe
PID 1708 wrote to memory of 2124 N/A C:\Windows\SysWOW64\Ojomcopk.exe C:\Windows\SysWOW64\Ompfej32.exe
PID 1708 wrote to memory of 2124 N/A C:\Windows\SysWOW64\Ojomcopk.exe C:\Windows\SysWOW64\Ompfej32.exe
PID 1708 wrote to memory of 2124 N/A C:\Windows\SysWOW64\Ojomcopk.exe C:\Windows\SysWOW64\Ompfej32.exe
PID 2124 wrote to memory of 5100 N/A C:\Windows\SysWOW64\Ompfej32.exe C:\Windows\SysWOW64\Ojfcdnjc.exe
PID 2124 wrote to memory of 5100 N/A C:\Windows\SysWOW64\Ompfej32.exe C:\Windows\SysWOW64\Ojfcdnjc.exe
PID 2124 wrote to memory of 5100 N/A C:\Windows\SysWOW64\Ompfej32.exe C:\Windows\SysWOW64\Ojfcdnjc.exe
PID 5100 wrote to memory of 2356 N/A C:\Windows\SysWOW64\Ojfcdnjc.exe C:\Windows\SysWOW64\Oabhfg32.exe
PID 5100 wrote to memory of 2356 N/A C:\Windows\SysWOW64\Ojfcdnjc.exe C:\Windows\SysWOW64\Oabhfg32.exe
PID 5100 wrote to memory of 2356 N/A C:\Windows\SysWOW64\Ojfcdnjc.exe C:\Windows\SysWOW64\Oabhfg32.exe
PID 2356 wrote to memory of 2728 N/A C:\Windows\SysWOW64\Oabhfg32.exe C:\Windows\SysWOW64\Ppjbmc32.exe
PID 2356 wrote to memory of 2728 N/A C:\Windows\SysWOW64\Oabhfg32.exe C:\Windows\SysWOW64\Ppjbmc32.exe
PID 2356 wrote to memory of 2728 N/A C:\Windows\SysWOW64\Oabhfg32.exe C:\Windows\SysWOW64\Ppjbmc32.exe
PID 2728 wrote to memory of 4604 N/A C:\Windows\SysWOW64\Ppjbmc32.exe C:\Windows\SysWOW64\Phcgcqab.exe
PID 2728 wrote to memory of 4604 N/A C:\Windows\SysWOW64\Ppjbmc32.exe C:\Windows\SysWOW64\Phcgcqab.exe
PID 2728 wrote to memory of 4604 N/A C:\Windows\SysWOW64\Ppjbmc32.exe C:\Windows\SysWOW64\Phcgcqab.exe
PID 4604 wrote to memory of 2348 N/A C:\Windows\SysWOW64\Phcgcqab.exe C:\Windows\SysWOW64\Phfcipoo.exe
PID 4604 wrote to memory of 2348 N/A C:\Windows\SysWOW64\Phcgcqab.exe C:\Windows\SysWOW64\Phfcipoo.exe
PID 4604 wrote to memory of 2348 N/A C:\Windows\SysWOW64\Phcgcqab.exe C:\Windows\SysWOW64\Phfcipoo.exe
PID 2348 wrote to memory of 4040 N/A C:\Windows\SysWOW64\Phfcipoo.exe C:\Windows\SysWOW64\Qfkqjmdg.exe
PID 2348 wrote to memory of 4040 N/A C:\Windows\SysWOW64\Phfcipoo.exe C:\Windows\SysWOW64\Qfkqjmdg.exe
PID 2348 wrote to memory of 4040 N/A C:\Windows\SysWOW64\Phfcipoo.exe C:\Windows\SysWOW64\Qfkqjmdg.exe
PID 4040 wrote to memory of 4496 N/A C:\Windows\SysWOW64\Qfkqjmdg.exe C:\Windows\SysWOW64\Qpeahb32.exe
PID 4040 wrote to memory of 4496 N/A C:\Windows\SysWOW64\Qfkqjmdg.exe C:\Windows\SysWOW64\Qpeahb32.exe
PID 4040 wrote to memory of 4496 N/A C:\Windows\SysWOW64\Qfkqjmdg.exe C:\Windows\SysWOW64\Qpeahb32.exe
PID 4496 wrote to memory of 5056 N/A C:\Windows\SysWOW64\Qpeahb32.exe C:\Windows\SysWOW64\Adcjop32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Jniood32.exe

C:\Windows\system32\Jniood32.exe

C:\Windows\SysWOW64\Kegpifod.exe

C:\Windows\system32\Kegpifod.exe

C:\Windows\SysWOW64\Kjgeedch.exe

C:\Windows\system32\Kjgeedch.exe

C:\Windows\SysWOW64\Kofkbk32.exe

C:\Windows\system32\Kofkbk32.exe

C:\Windows\SysWOW64\Lfbped32.exe

C:\Windows\system32\Lfbped32.exe

C:\Windows\SysWOW64\Llodgnja.exe

C:\Windows\system32\Llodgnja.exe

C:\Windows\SysWOW64\Lggejg32.exe

C:\Windows\system32\Lggejg32.exe

C:\Windows\SysWOW64\Mfnoqc32.exe

C:\Windows\system32\Mfnoqc32.exe

C:\Windows\SysWOW64\Mgphpe32.exe

C:\Windows\system32\Mgphpe32.exe

C:\Windows\SysWOW64\Mqkiok32.exe

C:\Windows\system32\Mqkiok32.exe

C:\Windows\SysWOW64\Ncnofeof.exe

C:\Windows\system32\Ncnofeof.exe

C:\Windows\SysWOW64\Ngndaccj.exe

C:\Windows\system32\Ngndaccj.exe

C:\Windows\SysWOW64\Ojomcopk.exe

C:\Windows\system32\Ojomcopk.exe

C:\Windows\SysWOW64\Ompfej32.exe

C:\Windows\system32\Ompfej32.exe

C:\Windows\SysWOW64\Ojfcdnjc.exe

C:\Windows\system32\Ojfcdnjc.exe

C:\Windows\SysWOW64\Oabhfg32.exe

C:\Windows\system32\Oabhfg32.exe

C:\Windows\SysWOW64\Ppjbmc32.exe

C:\Windows\system32\Ppjbmc32.exe

C:\Windows\SysWOW64\Phcgcqab.exe

C:\Windows\system32\Phcgcqab.exe

C:\Windows\SysWOW64\Phfcipoo.exe

C:\Windows\system32\Phfcipoo.exe

C:\Windows\SysWOW64\Qfkqjmdg.exe

C:\Windows\system32\Qfkqjmdg.exe

C:\Windows\SysWOW64\Qpeahb32.exe

C:\Windows\system32\Qpeahb32.exe

C:\Windows\SysWOW64\Adcjop32.exe

C:\Windows\system32\Adcjop32.exe

C:\Windows\SysWOW64\Aagkhd32.exe

C:\Windows\system32\Aagkhd32.exe

C:\Windows\SysWOW64\Apmhiq32.exe

C:\Windows\system32\Apmhiq32.exe

C:\Windows\SysWOW64\Agimkk32.exe

C:\Windows\system32\Agimkk32.exe

C:\Windows\SysWOW64\Bdmmeo32.exe

C:\Windows\system32\Bdmmeo32.exe

C:\Windows\SysWOW64\Bhkfkmmg.exe

C:\Windows\system32\Bhkfkmmg.exe

C:\Windows\SysWOW64\Bphgeo32.exe

C:\Windows\system32\Bphgeo32.exe

C:\Windows\SysWOW64\Cpmapodj.exe

C:\Windows\system32\Cpmapodj.exe

C:\Windows\SysWOW64\Cgifbhid.exe

C:\Windows\system32\Cgifbhid.exe

C:\Windows\SysWOW64\Caageq32.exe

C:\Windows\system32\Caageq32.exe

C:\Windows\SysWOW64\Dhphmj32.exe

C:\Windows\system32\Dhphmj32.exe

C:\Windows\SysWOW64\Dkqaoe32.exe

C:\Windows\system32\Dkqaoe32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 124 -p 2168 -ip 2168

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3744 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 76.234.34.23.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp

Files

memory/3176-0-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3176-1-0x0000000000432000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Jniood32.exe

MD5 2e0efb17ea84d274acc5581b5568aa7a
SHA1 459388c0c51ce5ab39e7dc2a72dab8f157780608
SHA256 6b89682610d8e6bb0b3714f7fd9db7828c2d05e1ab595193f9a0b54c5fa56332
SHA512 a21e28a6bb1b38f578c38c336c6190cdc3e8a46741bc3fc584bc8df4303fa7004074a7e7ecc5086c2015ad73fb0e96ae49da03879cf35cf0037fc8731c86b1d7

memory/4944-8-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Kegpifod.exe

MD5 c9b64111593ff5eaf059e7358bb0ccbb
SHA1 b830c309f4a09dc6066bed18334690d780b5c0db
SHA256 18bb5d0d97ccf08d6b341bb0449015bf3eec37a0074dc5085c1f237ad8d2ac06
SHA512 2b3c475a2e45a5a93cbf8dc5ec258f383ffab5af246232d5273614e4add5a0238efe6c9e3cf5cc2291fbc65926222bbd50bc189cc53a96758d001c6858a35ae8

memory/4016-16-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Kjgeedch.exe

MD5 d9ac596b3634aa8b16ad2824bcb270fc
SHA1 a19005579a62826815d1d1ed4d1bc7f9c8c10c7e
SHA256 e43a7c5c2092bc0d6521f82084c8433cf7b8fea964b785e1015e6de53b3805a3
SHA512 81558907da848174f5ab03976321baeb97dd917c02b4165723bcb435d2518d75c915fd0215ee70863a010068595241be77215d42309647f5aec06fc6dfbd6af7

C:\Windows\SysWOW64\Kjgeedch.exe

MD5 572757ec7576a9e112a5c3ffb0fde2ef
SHA1 7691e309771995319421808c0884195c95ead2f7
SHA256 9db554b48d881943cda1dc97ab5ba8096240168a7d6bfc933059271967003076
SHA512 0416c08b5df1e2c61ae9a86ae539f6fd9d68c2b034512a211fc7fc5f9ab8762968b5b75abc05eecb569d6d015eba4062c2b1222ae4bd3e34506b265800675b81

memory/404-24-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Kofkbk32.exe

MD5 31c77b84682d651ac9c9ab964e65602b
SHA1 ce9409b2b65789f06d39d93a7235f6204eb060e7
SHA256 7b817982dc2b36919937cd60f1e8b407b3d983a152a376cc8d80a4d27fd7f07a
SHA512 f8e2c3459633f600679e41e6d2f3ff48c37b3afd2fb097c8ba9d7185da0efe7369cde759e677762dbd0fac24630bc43d3243ec8212ef5146ff35995442995f71

memory/2724-32-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Lfbped32.exe

MD5 e3f1502ef372bc42ca7b7709d6d05e51
SHA1 ae370b859637a84eb1fd003f69f75a5997092b09
SHA256 e0cb2da5b924e99fafc309622c72f6f46867108ca59663b8758900f106e32acf
SHA512 b7001d3d58edabe95d361c1315706e826d057038d06a56f7535ddb75640ba67e9686af1d66d6c1a409b58a2ce7db80741333fca0ae3a42fece6339dca30e96b8

memory/32-40-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Llodgnja.exe

MD5 7bcb9c8b99ffad4d2632f0307b5934be
SHA1 4c2276913bc1ff9a4ebb657d4e2fa16b3f7dee64
SHA256 41f40a10b329a606082ab50b1d7bddbb0a0270d81c60d346c9d06830245bbfe8
SHA512 11b6cf2b38f3e30404d51b03d353bea34642817b22e76b561c4198e71130cea65fa261e0a8dcbc63b75466c584882320f08bf14dc759793fd5ba54920686b65c

memory/880-48-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Lggejg32.exe

MD5 98e8faab66b03f64d2fe3c759a285a5c
SHA1 6c0ce8258d0303bf8ab82257e135752efefdacc8
SHA256 b3ac1ca54c0dc636024cec4dc7f32b7a341d741b7a7adf4cb662d2463beb6a28
SHA512 1aea47e6684367b24d1ed145c1f73bdedb095927435ac0c123ed2a9854d39422cf67bcd1b5c4bfaf34f27d0b873ea3579690208abb7e3b8c699e84956f3a1822

memory/2904-57-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Mfnoqc32.exe

MD5 fafa988d54b9d9e6d7da644a1b25a824
SHA1 4ec326546a78352a2e765f4917ffbede881335ad
SHA256 099a9f76a6d539fd0335ac5dba460d217ad68d584a8eb624dfef17de3cbb0d28
SHA512 d0ec17daa238db01415838b4bcf77b3ab777364b3256f128153e1a3f46d8ef9b5ec0fc5b6839392f5f8f7fb1efa5c6f54e7bfcc79e9825e72f5fb13c95d3d603

memory/1016-64-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Mgphpe32.exe

MD5 b555a6a1846b8801f18ba15501454deb
SHA1 0a6669111421b8d171920ff9848300a91c8fab13
SHA256 9a3c8f49a17dbeee503f7fdcc8696d8ff8217b070610e1bce523e046e959f361
SHA512 6844aa4e1b1d58cac60a96f791edd45e228fc7ae067a4e3f591a649921e359a8320d91137dd902d34c023be3608a7e9d2df898c8f4f779f2b0af30c5acc7f2c6

memory/1432-73-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Mqkiok32.exe

MD5 6e07ba17d90198364606162a36f068d4
SHA1 42d2ea10b2dab5e26556a9bbf46eca4eeffafb5e
SHA256 1e80ec8dc6b530fb6235ce33715c52c3fb0fe5aaea306bb744d721ea8d76375f
SHA512 24605aa22f0d4c663ec846d63b515cd951d0d2b28a7972dfa5fe2d5f3d601d1124fde738230651e8babd1d53b42a7ad59d16843cc7f8d86ce266e6857847dec7

memory/2884-80-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Ncnofeof.exe

MD5 2cd3325b1c9ac4cb7549035b63786166
SHA1 503f50f8d7603beb6aede37b0a5f147a9ca99bec
SHA256 512f8778765844975c134702ad93671265d6c014d446da848d0a854a181304d5
SHA512 d54a0c529ef6b006bd0542c53471d11f1780cc802e97712e7ee9f6876aef2021a536b65239b1c9d907be473e55feafc574924ca848f10f4438b3736a050c1af6

memory/3088-89-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Ngndaccj.exe

MD5 31992000aac1dbd6c44bc7bc5289ac56
SHA1 a039f53c55624d48ff420ad339d02885cab373e6
SHA256 f2c8b6ac8f3ef34bb6a80cb863ae1b4aa472b7f000c88de3a5f19941e52d76e5
SHA512 b57fcf297c2a62f360208668f8a18a65f857400c1fb8a495613631264aab16a7cfb4fb2bacd51949be0a71870640e15b6f67859c6107805359b6f0d812aac3b1

memory/4304-97-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Ojomcopk.exe

MD5 41d3542b18d662841bd083af7cbf056f
SHA1 7989b7ceb9bf9281069585c978d3528249758cc6
SHA256 4a1c2cf4434625570b84c7194e27e4daf72320a9b76f655bd15137220a8d69bd
SHA512 b174f82702ce4a78a7b2bcae4c37af9fdb2f50c91152771a0c2fa153005dc683e4aa59e5a566acd22b5c5cd7bd73a52457d7c47c5c8865bcc61157d74faa9030

memory/1708-104-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Ompfej32.exe

MD5 3d1ee23f412c47fea2e7563355110f54
SHA1 fbae44c9c0489e6a657773856be6f8a93177b4a1
SHA256 421f0262cdaf60af62d5d657730846f7fd9c6191cdc6403506f85ea890e347ba
SHA512 573a562eadbada5c106731877dfe3bc7ec0fee767c39f3e92975fba15d69affbca14160896238ce6a116a965f00262be0842ab7adf57b0d064689693a817accd

memory/2124-113-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Ojfcdnjc.exe

MD5 b2fc5f1c46f2d5dd903f21ff83ebb7a0
SHA1 352893cb7167f8e6b6daa43d3fe46d115b619dc1
SHA256 6b04ee75421e734189dc43efcbbf1e721c9a710aefc4f46b89bd570d3f2932f2
SHA512 85f3f45b336d09b4de175207371c12a00a997acb5ceb1f2daa80f274f7643071f9ffcb60940abec85d1eb25a50cd77e80566fa4e3a15b61009193ae6040aec74

memory/5100-121-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Oabhfg32.exe

MD5 79c093c46c2388278d5fd75db87b3de6
SHA1 e1320b025d2aaed0fc0fd182c951b25f55ed29e3
SHA256 9f1b9a72b90a9433f5d605eedafe48cd958a2fc37c2f8ad0c73ff6ccd9e7a2c3
SHA512 f3e16d936e989e8c8c8e6f11941d924fc24ce10ebae2a597ed5cd73008817ea212007e9d6f314040c7881352d3cab0db03b3b3f7b0658d29c37f8439cf5d5936

memory/2356-128-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Ppjbmc32.exe

MD5 a2a0ee18f2475e1adea5e39a3c73459e
SHA1 71244d2b07d5edb8df4eae7557f69908947efbb2
SHA256 8fb6529b17561d172dbcdff04c93dd3e3137b6078ca5d7477d1172a77a346b2a
SHA512 73ed26499101e83f1a30a672c90dd29ca2ea8424dccb1fa044ede2f54f782f7a5e34ae414735514692c86c373900b28800e2a686f00b651bca9bf1b2f2d5d5d5

memory/2728-137-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Phcgcqab.exe

MD5 6923dfd67434ccb4d6c70f9f80089a59
SHA1 217a77eb6f5402ab1d1f298fef4ad0e839755217
SHA256 e486d3a3a2e62d82032f374fe808832d0b9d6bfb9e04d0f20659e78fd62908b1
SHA512 4cece493317fcfc8b9f0ad14135907ea1019e5ec413448598852551729435fc4fd1bad4429bcec5cc28fffe439a3078c0363ed1ee139694a9fc310790fed6839

memory/4604-145-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Phfcipoo.exe

MD5 29defcba2de0e37d95b7690acca91081
SHA1 91bbb78619e3183f41c194aa18542fd958092746
SHA256 be20ed4569b424c48f5b5deffefe7a142003dea419f8a8265af8466c3f21024e
SHA512 ed18a646952964226d4a89d6048145f850b100c1181a8a189c896dae11214f2c0540c1d551a23293f0c86f019ea5e61375e701d0444c740905d42712607d9c18

memory/2348-153-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Qfkqjmdg.exe

MD5 1bfa5fc85f2632ddf8ee69b8170a0a9e
SHA1 4160d536c45e43928ead6b3e22945734ef43cf7c
SHA256 1fefbefa2930ebd96f76818fc42f98f59e0ebd81a5f42748879b6a234de12966
SHA512 3a8b869a9f604cf53dc34d4948958e3c7e91eedc442af7d9ef642b2db07ad9906699d16a036417549a64824763ff042429d0d259691c3c4334939805cc2f09d6

memory/4040-160-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Qpeahb32.exe

MD5 46e1119548f8dc0301107970bde1a7a5
SHA1 3613aac161256064dbe145b99dbcfac12747534f
SHA256 6b7b2506c50580c403a6a0e64b6a05b404c4944268150e071f768ee6f4ab6722
SHA512 77df3687ec2ca9aff15bf6825f5375bffb9a28517650249fae1c78ec77f3e42980b73b591074241b377169447f19ed1a4b9d1cf987ddaa5ac581398d2e0ed142

memory/4496-168-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Aagkhd32.exe

MD5 1e9ce22b33473cc4b8856889f3354dc8
SHA1 8e0269e4be719a08847add5504d6fb978a85ca6b
SHA256 32c70271a8b5e7f604d31c29719010dc3fd4192824bacb7dfe269505a023ceac
SHA512 c45f3b29a75281f05ff436740537d60570e524c46645962cf4883751b85cb79a18292aaced255f7c228e0ea23db336781d0cecb05edbdad40d6e65008e8f502e

C:\Windows\SysWOW64\Adcjop32.exe

MD5 29724dd2e1b03076aeffd95226dc1ead
SHA1 33477a9d60ba21622c33baab45d48af259d97bbd
SHA256 281795cdf7bec73056165a45d35a8d2ad1ce4e982e0857bc695ac60062f024df
SHA512 6bc9c37035c03858b6f6cac1a614524fe79fab2d353cece4740e19436da9ffc20c0a05f909bbe2283eebbacee373265d4f031f637e93c75b347c578e8baeaca4

memory/5056-177-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1784-185-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Apmhiq32.exe

MD5 aeb468513c31939f3e46b1f8cc77c404
SHA1 5cb3370db66e7cc3d203c8781e41a0c83a0da829
SHA256 c4b58f1cf645a80a5ebfa6a4eee2a2351a58da111d074e9432941070e24e7a49
SHA512 1c3f61b9280454500589c730db8d93d48414d7912572978538878af907e1a547098fc0b9bd3f83867c487e3a62b6832abd394fb2f450cfce280cad527fd19ddf

memory/2916-192-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Agimkk32.exe

MD5 0175fabddf42227b235129281360389f
SHA1 32a7a9719c43fd1669a689c41e8304933861141b
SHA256 8ead895f2f4f113ba4014108b434de7c96434c52c279bef0c631441d432c3868
SHA512 510a60148e194ac3314dc346e6b4931fd82953f6835371aad0ccf76dcb009c48b9d645ecdb9b8a3459a13e093813f4bf20f5cea2e7d7d3be4019ae1d9cdd8757

memory/4348-201-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Bdmmeo32.exe

MD5 ce889e86769a824a05effc58dbe17123
SHA1 8977bda2418d2aeb2cdda4826dfd8b687cf91fa0
SHA256 e25fa9cc23de5b83583997dd655cd96ef5378547b3b9f06e2a968c467fdc30a5
SHA512 2abf358e23a1bf6858333b9dba3abe4e4e81daf31c2dbac969fbb5c32794030bb4e8ef60eb27ab88353c6b782cb98be3438f1c8cb4b1f4a04eaacfda14ce0bd2

memory/2400-208-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Bhkfkmmg.exe

MD5 4e157e3bee84a3261e64db0c8d1dd2a7
SHA1 04db357d99f987040c80a7c71fd49dfdfc3d935c
SHA256 a46d6f6f4da648c31afb108ef48ecd577c32561811d6f83907b0ac80984b1033
SHA512 484e4897a4833d98f95b6488135d107f69b46b1432c50981272bf04d961d9b6aa971839e9b5ff2b8f00f80bf4f40aeda147da65c122671b2276784dbcd1e2b22

memory/2416-216-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Bphgeo32.exe

MD5 6bf452212e09d98ef0d8594976b6912c
SHA1 eb94cf9d8b988e5710be2264f13e15036bbd4c1b
SHA256 abe1b4e0212b1a37883408ebe574deb2bca055dc65709144a2f5e3665f16b952
SHA512 45d4e5572a634e720baea477512ed72c641a73ae7a237653646c799fe87185c49126622d510cee9679e5e7b939d934806e15174ff1953e7892516379e8924faf

memory/3220-224-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Cpmapodj.exe

MD5 471e6f8614a4bc93611d9b0fab194660
SHA1 3b0ec92d46945697993d96257aad9079a4bdb5ea
SHA256 7a47fffd0eb8dceb0077592c450434c698fcd7d3de88e81b440e68c988148e85
SHA512 739f7ad2bb110f58421d96767175e8802ab5c377f1fbd69fb8adaeae16ef186c41313dc0d412f38246d5155e25a65f5c7c3889921772069f3123607137d63cd5

memory/2448-232-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Cgifbhid.exe

MD5 6cccf81dd4eec17aefe79dc89831fce6
SHA1 d6c37c1f60b4e83cc456c79c00a4e588c6a232b2
SHA256 b54e5879b6c0d18fd4a3a79476c5ebbfb32f388d93bf52d73bb752750bdcc831
SHA512 9a7c128d8d7a494e7caa0d8611ec5e8f421ff2eeab37338cc4c02498f09c790f7178eee9058c8a6fb71da0a3ac3b29dd54efb8d2700fbf6c2a5a1eb9bea758c6

memory/4020-240-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Caageq32.exe

MD5 8ba2a4f7548554bc4b1a889a03c1f390
SHA1 54671d58a567e247d43256bc657893f96d48209c
SHA256 88441ac4f92ebc761404eecb61591dcfb7904eb89976409c7befd7791308c8f9
SHA512 8898be261f914f2d995cccd84afeeb9850d91e47602a7919b1217df462cd441542d342b016d54c940e70bbc9ead8b5e7a2a4f8cfea9748535c4752c75a80cad9

memory/2132-248-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Dhphmj32.exe

MD5 c2bf37555da2cccd78b9e8f970531ac4
SHA1 d8a7dfb0a846e6882158b59d752ebafcf4038cfc
SHA256 948a7dc386d4f267f616d22bc650b4eb37322c871a7e9074c9bfe74728d45025
SHA512 d7a0f139550864bc82bc1bbb00aaa597cf4fc01d640deba1d7b4382438cd1a9c1032951d3e1c3701f7f0d40e05ffc60c68a450872b61bb009b5fc448c1185309

memory/4640-256-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2168-263-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2168-271-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4640-273-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2132-275-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2416-283-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2916-289-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4604-301-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2356-305-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1708-311-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1432-319-0x0000000000400000-0x0000000000453000-memory.dmp

memory/880-325-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4016-333-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3176-337-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4944-335-0x0000000000400000-0x0000000000453000-memory.dmp

memory/404-331-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2724-329-0x0000000000400000-0x0000000000453000-memory.dmp

memory/32-327-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2904-323-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1016-321-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2884-317-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3088-315-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4304-313-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2124-309-0x0000000000400000-0x0000000000453000-memory.dmp

memory/5100-307-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2728-303-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2348-299-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4040-297-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4496-295-0x0000000000400000-0x0000000000453000-memory.dmp

memory/5056-293-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1784-291-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4348-288-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2400-286-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2448-282-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3220-280-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4020-277-0x0000000000400000-0x0000000000453000-memory.dmp