Analysis Overview
SHA256
23e660244272a1428b7591bed1c32c7abc634b8bdb8257a0de60a9f9aa03f6d7
Threat Level: Known bad
The file 37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Adds autorun key to be loaded by Explorer.exe on startup
Gozi
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-19 00:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-19 00:40
Reported
2024-05-19 00:43
Platform
win7-20240221-en
Max time kernel
144s
Max time network
122s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gdamqndn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fpdhklkl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dnlidb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ejgcdb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Epieghdk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ennaieib.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fbgmbg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hcifgjgc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hicodd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ddcdkl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dnneja32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hlakpp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hodpgjha.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dhjgal32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Epfhbign.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fjgoce32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ghhofmql.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gmjaic32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hlfdkoin.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ihoafpmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Eeqdep32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Doobajme.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ebgacddo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fhffaj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ffkcbgek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ioijbj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dqelenlc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ecmkghcl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ejgcdb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Eeempocb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hobcak32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dchali32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fphafl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fdapak32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ecmkghcl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fmhheqje.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fphafl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fbgmbg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hpkjko32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hpkjko32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hpmgqnfl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dgaqgh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Egdilkbf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ebinic32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fehjeo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fpdhklkl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hkkalk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Emcbkn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fejgko32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fejgko32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gbkgnfbd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gmgdddmq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Iknnbklc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Egamfkdh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fmlapp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fnpnndgp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Geolea32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hpmgqnfl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hckcmjep.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hnagjbdf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Egdilkbf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Eeempocb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fjilieka.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ghhofmql.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Dchali32.exe | C:\Windows\SysWOW64\Dnlidb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Eeempocb.exe | C:\Windows\SysWOW64\Ebgacddo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fnpnndgp.exe | C:\Windows\SysWOW64\Fhffaj32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Iagfoe32.exe | C:\Windows\SysWOW64\Ioijbj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Epieghdk.exe | C:\Windows\SysWOW64\Egamfkdh.exe | N/A |
| File created | C:\Windows\SysWOW64\Gbkgnfbd.exe | C:\Windows\SysWOW64\Gegfdb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Chhpdp32.dll | C:\Windows\SysWOW64\Ghhofmql.exe | N/A |
| File created | C:\Windows\SysWOW64\Jpajnpao.dll | C:\Windows\SysWOW64\Ghoegl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Iknnbklc.exe | C:\Windows\SysWOW64\Ihoafpmp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Iknnbklc.exe | C:\Windows\SysWOW64\Ihoafpmp.exe | N/A |
| File created | C:\Windows\SysWOW64\Iagfoe32.exe | C:\Windows\SysWOW64\Ioijbj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ndkakief.dll | C:\Windows\SysWOW64\Ejgcdb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jbelkc32.dll | C:\Windows\SysWOW64\Ffpmnf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ipjchc32.dll | C:\Windows\SysWOW64\Fbgmbg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bhpdae32.dll | C:\Windows\SysWOW64\Hckcmjep.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ghkllmoi.exe | C:\Windows\SysWOW64\Gaqcoc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gmgdddmq.exe | C:\Windows\SysWOW64\Gkihhhnm.exe | N/A |
| File created | C:\Windows\SysWOW64\Gkkemh32.exe | C:\Windows\SysWOW64\Gdamqndn.exe | N/A |
| File created | C:\Windows\SysWOW64\Alogkm32.dll | C:\Windows\SysWOW64\Hodpgjha.exe | N/A |
| File created | C:\Windows\SysWOW64\Fglhobmg.dll | C:\Windows\SysWOW64\Dhjgal32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dgaqgh32.exe | C:\Windows\SysWOW64\Ddcdkl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bcqgok32.dll | C:\Windows\SysWOW64\Ffbicfoc.exe | N/A |
| File created | C:\Windows\SysWOW64\Ocjcidbb.dll | C:\Windows\SysWOW64\Gonnhhln.exe | N/A |
| File created | C:\Windows\SysWOW64\Hgpdcgoc.dll | C:\Windows\SysWOW64\Hlakpp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hhmepp32.exe | C:\Windows\SysWOW64\Hjjddchg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ioijbj32.exe | C:\Windows\SysWOW64\Iknnbklc.exe | N/A |
| File created | C:\Windows\SysWOW64\Dhmcfkme.exe | C:\Windows\SysWOW64\Dqelenlc.exe | N/A |
| File created | C:\Windows\SysWOW64\Gaqcoc32.exe | C:\Windows\SysWOW64\Gobgcg32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hlfdkoin.exe | C:\Windows\SysWOW64\Hjhhocjj.exe | N/A |
| File created | C:\Windows\SysWOW64\Hgmhlp32.dll | C:\Windows\SysWOW64\Ddcdkl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jfpjfeia.dll | C:\Windows\SysWOW64\Dnneja32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hckcmjep.exe | C:\Windows\SysWOW64\Hpmgqnfl.exe | N/A |
| File created | C:\Windows\SysWOW64\Eqpofkjo.dll | C:\Windows\SysWOW64\Ihoafpmp.exe | N/A |
| File created | C:\Windows\SysWOW64\Hfbenjka.dll | C:\Users\Admin\AppData\Local\Temp\37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exe | N/A |
| File created | C:\Windows\SysWOW64\Fenhecef.dll | C:\Windows\SysWOW64\Hgilchkf.exe | N/A |
| File created | C:\Windows\SysWOW64\Nfmjcmjd.dll | C:\Windows\SysWOW64\Iaeiieeb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Eeempocb.exe | C:\Windows\SysWOW64\Ebgacddo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Geolea32.exe | C:\Windows\SysWOW64\Gmgdddmq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hcifgjgc.exe | C:\Windows\SysWOW64\Hpkjko32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nokeef32.dll | C:\Windows\SysWOW64\Hnagjbdf.exe | N/A |
| File created | C:\Windows\SysWOW64\Fbgmbg32.exe | C:\Windows\SysWOW64\Fphafl32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gegfdb32.exe | C:\Windows\SysWOW64\Gonnhhln.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gkihhhnm.exe | C:\Windows\SysWOW64\Ghkllmoi.exe | N/A |
| File created | C:\Windows\SysWOW64\Jondlhmp.dll | C:\Windows\SysWOW64\Geolea32.exe | N/A |
| File created | C:\Windows\SysWOW64\Eeqdep32.exe | C:\Windows\SysWOW64\Ejgcdb32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Emhlfmgj.exe | C:\Windows\SysWOW64\Eeqdep32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Egdilkbf.exe | C:\Windows\SysWOW64\Eeempocb.exe | N/A |
| File created | C:\Windows\SysWOW64\Jmloladn.dll | C:\Windows\SysWOW64\Fhffaj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hicodd32.exe | C:\Windows\SysWOW64\Hcifgjgc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hhmepp32.exe | C:\Windows\SysWOW64\Hjjddchg.exe | N/A |
| File created | C:\Windows\SysWOW64\Hepmggig.dll | C:\Windows\SysWOW64\Hggomh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hkkalk32.exe | C:\Windows\SysWOW64\Hhmepp32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Doobajme.exe | C:\Windows\SysWOW64\Dqlafm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fjilieka.exe | C:\Windows\SysWOW64\Fpdhklkl.exe | N/A |
| File created | C:\Windows\SysWOW64\Fndldonj.dll | C:\Windows\SysWOW64\Gobgcg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gdamqndn.exe | C:\Windows\SysWOW64\Geolea32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kcaipkch.dll | C:\Windows\SysWOW64\Gdamqndn.exe | N/A |
| File created | C:\Windows\SysWOW64\Nobdlg32.dll | C:\Windows\SysWOW64\Dnlidb32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Epieghdk.exe | C:\Windows\SysWOW64\Egamfkdh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fphafl32.exe | C:\Windows\SysWOW64\Ffpmnf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ahpjhc32.dll | C:\Windows\SysWOW64\Gbkgnfbd.exe | N/A |
| File created | C:\Windows\SysWOW64\Anllbdkl.dll | C:\Windows\SysWOW64\Hicodd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Iaeiieeb.exe | C:\Windows\SysWOW64\Hkkalk32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ieqeidnl.exe | C:\Windows\SysWOW64\Iaeiieeb.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gbkgnfbd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpekfank.dll" | C:\Windows\SysWOW64\Gmjaic32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhaablp.dll" | C:\Windows\SysWOW64\Hjjddchg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clnlnhop.dll" | C:\Windows\SysWOW64\Epieghdk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njqaac32.dll" | C:\Windows\SysWOW64\Ecmkghcl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anllbdkl.dll" | C:\Windows\SysWOW64\Hicodd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hobcak32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dqelenlc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Epieghdk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Eeempocb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gmgdddmq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ejgcdb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fnpnndgp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fphafl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Fmlapp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fmlapp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hhmepp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ejgcdb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dgaqgh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ffbicfoc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hjhhocjj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dhmcfkme.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Fjgoce32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhpdae32.dll" | C:\Windows\SysWOW64\Hckcmjep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmibbifn.dll" | C:\Windows\SysWOW64\Hkkalk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dnlidb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dchali32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fejgko32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hlakpp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hgilchkf.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hhmepp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dgaqgh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fjgoce32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jondlhmp.dll" | C:\Windows\SysWOW64\Geolea32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fealjk32.dll" | C:\Windows\SysWOW64\Hpkjko32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alogkm32.dll" | C:\Windows\SysWOW64\Hodpgjha.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Egdilkbf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fndldonj.dll" | C:\Windows\SysWOW64\Gobgcg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ebinic32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hcnpbi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpdcgoc.dll" | C:\Windows\SysWOW64\Hlakpp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hckcmjep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hjhhocjj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ebgacddo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ennaieib.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pinfim32.dll" | C:\Windows\SysWOW64\Ennaieib.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ebinic32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Iaeiieeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ebgacddo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeccgbbh.dll" | C:\Windows\SysWOW64\Fjilieka.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cillgpen.dll" | C:\Windows\SysWOW64\Dqlafm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkkmeglp.dll" | C:\Windows\SysWOW64\Hcifgjgc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chhpdp32.dll" | C:\Windows\SysWOW64\Ghhofmql.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Emcbkn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aimkgn32.dll" | C:\Windows\SysWOW64\Gkkemh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dqelenlc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Iknnbklc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codpklfq.dll" | C:\Windows\SysWOW64\Hahjpbad.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lonkjenl.dll" | C:\Windows\SysWOW64\Ebgacddo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Fdapak32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ffbicfoc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocjcidbb.dll" | C:\Windows\SysWOW64\Gonnhhln.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ioijbj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hecjkifm.dll" | C:\Windows\SysWOW64\Dgaqgh32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exe"
C:\Windows\SysWOW64\Dhjgal32.exe
C:\Windows\system32\Dhjgal32.exe
C:\Windows\SysWOW64\Dqelenlc.exe
C:\Windows\system32\Dqelenlc.exe
C:\Windows\SysWOW64\Dhmcfkme.exe
C:\Windows\system32\Dhmcfkme.exe
C:\Windows\SysWOW64\Ddcdkl32.exe
C:\Windows\system32\Ddcdkl32.exe
C:\Windows\SysWOW64\Dgaqgh32.exe
C:\Windows\system32\Dgaqgh32.exe
C:\Windows\SysWOW64\Dnlidb32.exe
C:\Windows\system32\Dnlidb32.exe
C:\Windows\SysWOW64\Dchali32.exe
C:\Windows\system32\Dchali32.exe
C:\Windows\SysWOW64\Dnneja32.exe
C:\Windows\system32\Dnneja32.exe
C:\Windows\SysWOW64\Dqlafm32.exe
C:\Windows\system32\Dqlafm32.exe
C:\Windows\SysWOW64\Doobajme.exe
C:\Windows\system32\Doobajme.exe
C:\Windows\SysWOW64\Emcbkn32.exe
C:\Windows\system32\Emcbkn32.exe
C:\Windows\SysWOW64\Ecmkghcl.exe
C:\Windows\system32\Ecmkghcl.exe
C:\Windows\SysWOW64\Ejgcdb32.exe
C:\Windows\system32\Ejgcdb32.exe
C:\Windows\SysWOW64\Eeqdep32.exe
C:\Windows\system32\Eeqdep32.exe
C:\Windows\SysWOW64\Emhlfmgj.exe
C:\Windows\system32\Emhlfmgj.exe
C:\Windows\SysWOW64\Epfhbign.exe
C:\Windows\system32\Epfhbign.exe
C:\Windows\SysWOW64\Egamfkdh.exe
C:\Windows\system32\Egamfkdh.exe
C:\Windows\SysWOW64\Epieghdk.exe
C:\Windows\system32\Epieghdk.exe
C:\Windows\SysWOW64\Ebgacddo.exe
C:\Windows\system32\Ebgacddo.exe
C:\Windows\SysWOW64\Eeempocb.exe
C:\Windows\system32\Eeempocb.exe
C:\Windows\SysWOW64\Egdilkbf.exe
C:\Windows\system32\Egdilkbf.exe
C:\Windows\SysWOW64\Ennaieib.exe
C:\Windows\system32\Ennaieib.exe
C:\Windows\SysWOW64\Ebinic32.exe
C:\Windows\system32\Ebinic32.exe
C:\Windows\SysWOW64\Fehjeo32.exe
C:\Windows\system32\Fehjeo32.exe
C:\Windows\SysWOW64\Fhffaj32.exe
C:\Windows\system32\Fhffaj32.exe
C:\Windows\SysWOW64\Fnpnndgp.exe
C:\Windows\system32\Fnpnndgp.exe
C:\Windows\SysWOW64\Fejgko32.exe
C:\Windows\system32\Fejgko32.exe
C:\Windows\SysWOW64\Ffkcbgek.exe
C:\Windows\system32\Ffkcbgek.exe
C:\Windows\SysWOW64\Fjgoce32.exe
C:\Windows\system32\Fjgoce32.exe
C:\Windows\SysWOW64\Fpdhklkl.exe
C:\Windows\system32\Fpdhklkl.exe
C:\Windows\SysWOW64\Fjilieka.exe
C:\Windows\system32\Fjilieka.exe
C:\Windows\SysWOW64\Fmhheqje.exe
C:\Windows\system32\Fmhheqje.exe
C:\Windows\SysWOW64\Fdapak32.exe
C:\Windows\system32\Fdapak32.exe
C:\Windows\SysWOW64\Ffpmnf32.exe
C:\Windows\system32\Ffpmnf32.exe
C:\Windows\SysWOW64\Fphafl32.exe
C:\Windows\system32\Fphafl32.exe
C:\Windows\SysWOW64\Fbgmbg32.exe
C:\Windows\system32\Fbgmbg32.exe
C:\Windows\SysWOW64\Ffbicfoc.exe
C:\Windows\system32\Ffbicfoc.exe
C:\Windows\SysWOW64\Fmlapp32.exe
C:\Windows\system32\Fmlapp32.exe
C:\Windows\SysWOW64\Globlmmj.exe
C:\Windows\system32\Globlmmj.exe
C:\Windows\SysWOW64\Gonnhhln.exe
C:\Windows\system32\Gonnhhln.exe
C:\Windows\SysWOW64\Gegfdb32.exe
C:\Windows\system32\Gegfdb32.exe
C:\Windows\SysWOW64\Gbkgnfbd.exe
C:\Windows\system32\Gbkgnfbd.exe
C:\Windows\SysWOW64\Ghhofmql.exe
C:\Windows\system32\Ghhofmql.exe
C:\Windows\SysWOW64\Gobgcg32.exe
C:\Windows\system32\Gobgcg32.exe
C:\Windows\SysWOW64\Gaqcoc32.exe
C:\Windows\system32\Gaqcoc32.exe
C:\Windows\SysWOW64\Ghkllmoi.exe
C:\Windows\system32\Ghkllmoi.exe
C:\Windows\SysWOW64\Gkihhhnm.exe
C:\Windows\system32\Gkihhhnm.exe
C:\Windows\SysWOW64\Gmgdddmq.exe
C:\Windows\system32\Gmgdddmq.exe
C:\Windows\SysWOW64\Geolea32.exe
C:\Windows\system32\Geolea32.exe
C:\Windows\SysWOW64\Gdamqndn.exe
C:\Windows\system32\Gdamqndn.exe
C:\Windows\SysWOW64\Gkkemh32.exe
C:\Windows\system32\Gkkemh32.exe
C:\Windows\SysWOW64\Gmjaic32.exe
C:\Windows\system32\Gmjaic32.exe
C:\Windows\SysWOW64\Ghoegl32.exe
C:\Windows\system32\Ghoegl32.exe
C:\Windows\SysWOW64\Hknach32.exe
C:\Windows\system32\Hknach32.exe
C:\Windows\SysWOW64\Hiqbndpb.exe
C:\Windows\system32\Hiqbndpb.exe
C:\Windows\SysWOW64\Hahjpbad.exe
C:\Windows\system32\Hahjpbad.exe
C:\Windows\SysWOW64\Hpkjko32.exe
C:\Windows\system32\Hpkjko32.exe
C:\Windows\SysWOW64\Hcifgjgc.exe
C:\Windows\system32\Hcifgjgc.exe
C:\Windows\SysWOW64\Hicodd32.exe
C:\Windows\system32\Hicodd32.exe
C:\Windows\SysWOW64\Hlakpp32.exe
C:\Windows\system32\Hlakpp32.exe
C:\Windows\SysWOW64\Hpmgqnfl.exe
C:\Windows\system32\Hpmgqnfl.exe
C:\Windows\SysWOW64\Hckcmjep.exe
C:\Windows\system32\Hckcmjep.exe
C:\Windows\SysWOW64\Hggomh32.exe
C:\Windows\system32\Hggomh32.exe
C:\Windows\SysWOW64\Hejoiedd.exe
C:\Windows\system32\Hejoiedd.exe
C:\Windows\SysWOW64\Hnagjbdf.exe
C:\Windows\system32\Hnagjbdf.exe
C:\Windows\SysWOW64\Hobcak32.exe
C:\Windows\system32\Hobcak32.exe
C:\Windows\SysWOW64\Hcnpbi32.exe
C:\Windows\system32\Hcnpbi32.exe
C:\Windows\SysWOW64\Hgilchkf.exe
C:\Windows\system32\Hgilchkf.exe
C:\Windows\SysWOW64\Hjhhocjj.exe
C:\Windows\system32\Hjhhocjj.exe
C:\Windows\SysWOW64\Hlfdkoin.exe
C:\Windows\system32\Hlfdkoin.exe
C:\Windows\SysWOW64\Hodpgjha.exe
C:\Windows\system32\Hodpgjha.exe
C:\Windows\SysWOW64\Hacmcfge.exe
C:\Windows\system32\Hacmcfge.exe
C:\Windows\SysWOW64\Hjjddchg.exe
C:\Windows\system32\Hjjddchg.exe
C:\Windows\SysWOW64\Hhmepp32.exe
C:\Windows\system32\Hhmepp32.exe
C:\Windows\SysWOW64\Hkkalk32.exe
C:\Windows\system32\Hkkalk32.exe
C:\Windows\SysWOW64\Iaeiieeb.exe
C:\Windows\system32\Iaeiieeb.exe
C:\Windows\SysWOW64\Ieqeidnl.exe
C:\Windows\system32\Ieqeidnl.exe
C:\Windows\SysWOW64\Ihoafpmp.exe
C:\Windows\system32\Ihoafpmp.exe
C:\Windows\SysWOW64\Iknnbklc.exe
C:\Windows\system32\Iknnbklc.exe
C:\Windows\SysWOW64\Ioijbj32.exe
C:\Windows\system32\Ioijbj32.exe
C:\Windows\SysWOW64\Iagfoe32.exe
C:\Windows\system32\Iagfoe32.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 140
Network
Files
memory/2000-0-0x0000000000400000-0x0000000000453000-memory.dmp
\Windows\SysWOW64\Dhjgal32.exe
| MD5 | a800b09c1166121918b72f2ad2899025 |
| SHA1 | c8c30938678af6ff6bb3e2840e52826bc4684d8e |
| SHA256 | e1c1a567a8e81c6d2c312f6b037dd7266596fa86ee25b0a73883cd9ba1b66f5e |
| SHA512 | c31e76c4ea6f1ecceb6d43a96871dc0e4a73f84afe67a05743cc1dac313595afe4425cbd6769ca8f022a7213755a0a818a989f63165ad8b7609ec24c70e91d99 |
memory/2000-6-0x0000000000250000-0x00000000002A3000-memory.dmp
memory/2824-14-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2000-13-0x0000000000250000-0x00000000002A3000-memory.dmp
\Windows\SysWOW64\Dqelenlc.exe
| MD5 | 4d379fbab98d9725ea9a0e563fde4673 |
| SHA1 | 0d09042dcfdee1ab90dfb091f66b2b00743bf4cf |
| SHA256 | 84a8eeb871b4c2ddbe3bcfe410887a41d7546662b0babf30e50aa982626daf9b |
| SHA512 | a779af5c0df67823dcb22136cc47b12d8836443026010b1e12e3c72d44c880458670004a2a21e3ff6ad9a0554ebabe1816a866ce871615bac6627445955e19bf |
memory/2520-40-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Dhmcfkme.exe
| MD5 | c8d1a5ebc1a5abc4ac45e77dd113ac8b |
| SHA1 | a34cd4475dae0273d5b20c6f668f1b3dfe7e2390 |
| SHA256 | 9e50c08d1e79fff4295e8218aa0e06e16c348b31d7ab79bc68e9b96727f3394a |
| SHA512 | a86d9198cb1246d2b589735fc7d5200fe3c3783c7fc1ddbb75fd7b655fd193e2a1572d2ae0ae5a5e26b266174cc2af97a429257a5358b10252c7237a56da3354 |
memory/2512-34-0x0000000000400000-0x0000000000453000-memory.dmp
\Windows\SysWOW64\Ddcdkl32.exe
| MD5 | 0eb90bc9a2f8a6cc0df89b24a1777e9d |
| SHA1 | 5d8fc2297149e83e42bbd92f139c5ea126841d9b |
| SHA256 | 26fc6bc7c4098516ffe6a3bccbb42f32052da7fa29eabad265ced6f948140bd3 |
| SHA512 | de8123b7ba3678f692d0b83c217ce7dcb11ee4880663da92370cc308ffb4eab44699fa1df2ef8f7725751250ae46274c7fe2ddc623e63eb1624b668ed83a6928 |
memory/2484-53-0x0000000000400000-0x0000000000453000-memory.dmp
\Windows\SysWOW64\Dgaqgh32.exe
| MD5 | c19f2b835469fcb91e8a42814c24a0f5 |
| SHA1 | 45c827042508d2392dcc98d67a5244d94deeb477 |
| SHA256 | e1b0d28db9b18e644b360a7bccd6546cfb013ca9e69961a91b49fb9e55740c12 |
| SHA512 | c34ebfdbfff25c7ada825cfc36c61bcf7ea9e960ede85e4d848d15b8b055a4eb937c5f1ffe2a6b33cb44e088ebf9e4185767309402bb20b5929248871d643514 |
memory/2484-66-0x0000000000290000-0x00000000002E3000-memory.dmp
C:\Windows\SysWOW64\Dnlidb32.exe
| MD5 | 8e8c2e77de6afd719a04e5536adb886e |
| SHA1 | 859142a2d5f44e9416214ef511ff0e75df66920d |
| SHA256 | 17f55b54a5a99c6c8d9003933892e3441d2de4c8c0d2825d81322468842ba596 |
| SHA512 | 464457867fa99dc834c805af427e53a89613cb5539b619aa49700a8ddf8e97e38e333bbf02c07fb068e948df76e97768423e87c12bc3cfc9649031c4afd4f50f |
memory/2420-80-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Dchali32.exe
| MD5 | fb871f4e18e3213665a4c1783fdeb9b9 |
| SHA1 | f2bed9341c11ab2029e4f9c3d6801beeed67748c |
| SHA256 | 4127637fa1f6f52ecc3c346c136a3032284a920a8f28b289f41e149612c23c9c |
| SHA512 | d132a36b7e4f64f7e552d1aef0a5c651ac957865dd7b5d1d18af1ac27a06fdd5cfcace8ca1879928c9cd9d5695514259484943518373cbb2954b83bc3d46c474 |
C:\Windows\SysWOW64\Dnneja32.exe
| MD5 | 9718f184c41038243434ed038a9586cd |
| SHA1 | e19ca633f6a6d8cc999f79899cdda9d8841e674b |
| SHA256 | 97e1ca5d03495a1d492dd55d56e439046d7cde5c18c0ed98f8d8dd272bb4aded |
| SHA512 | 0cd7cb134af282762508e5da1f9fbc94a62fd371e838f5d408ee4adcfc14648984ef5b86b1b0624d4f3246e53ddcd5fcd976ca8b3de321e2796e3be487fad758 |
C:\Windows\SysWOW64\Dqlafm32.exe
| MD5 | 0e2538afdf2f0978142abc0c452dc7bf |
| SHA1 | 74d74a8b9ce2dbb53761b8ff3087c2760f2df8e7 |
| SHA256 | fc1ed04d3f69c200c051d682d8c3251ab949c12df25a96adae5c72d88b312768 |
| SHA512 | da74468d13615cc1c8a4741f7951fddb83ca2a874a92d9480e399561a2e6089298707fed85172f32d685d998291f9e9c67e812b0acea2d6bc12a491be1ca1c10 |
memory/2660-120-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Doobajme.exe
| MD5 | 51a6a7c921db766d5fb89ec02bac1ce4 |
| SHA1 | 1013a30b1c1f2eab4fd4f461730829f639b60553 |
| SHA256 | c3d64b200c51ddb3d564e42da3d50706da9c48e026f0b498fa228d40e1ab8737 |
| SHA512 | 8db6416b70a14e89b244bfc94d84865fbb4cf706b32da8cbfebb556b0c0d196d7dc28f2be2faa12c0c6a90f437464c59b902728a8d65109c8cc1db2cafd9e007 |
C:\Windows\SysWOW64\Emcbkn32.exe
| MD5 | edaecbcf0e64100cd8b4fc0b15e3267d |
| SHA1 | 254f0e9057f39c2a257f157262f3da14e4cd5f00 |
| SHA256 | e5cf1beb112e28806b3fe1821a0b128d4cda760b4d711fc7bdd60f3ad86bf471 |
| SHA512 | 195948b59fc41f5ff54332281759ed64c42042250eaf2d8dfcf5279f9194c1e0be0017470d36ca915dfbc3cf175c29fbee0401d3b0e5f7728f1b36499fec6710 |
memory/1228-146-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Ecmkghcl.exe
| MD5 | 56b1d96ce0e640dd2c83a619421e075c |
| SHA1 | f53da46f554e76806c266b77d9ee6422634bd85a |
| SHA256 | b9e16b83c0daf403525fa5117d507f7fe4115b6df1a71b8585d377be05619eec |
| SHA512 | 1c41ed46e57d42799e9717fdbe35ce68f5b7dd0242343604c5af874eb586a8c7b3b4fbc6a6fd9b49975fc4c223c9dfca3d9abf6f639a38f69bca600975c76982 |
C:\Windows\SysWOW64\Ejgcdb32.exe
| MD5 | 985c6e76118bc4075fcaba0013cdfbca |
| SHA1 | 77c092dedec5db75eab715eeee8d30c92126d230 |
| SHA256 | d379a303262c175ac77613cb2e0fddea2e7391a49e4723adc8746f6fc4228350 |
| SHA512 | bfab6f84f3638344de09b3ad67acbafa01b74ee9c20aafee5062ebf3139cdba1bb679c96116cd1fbef0a6f05b39dbe395eb64eef5d84ee761bfe9d496ba3a622 |
memory/296-172-0x0000000000400000-0x0000000000453000-memory.dmp
memory/296-184-0x0000000000460000-0x00000000004B3000-memory.dmp
C:\Windows\SysWOW64\Emhlfmgj.exe
| MD5 | 348016c6776fbf0b5fea3fe96fa05969 |
| SHA1 | fc7a70b8b95c21bfeb80683e40f60d4c1a616acf |
| SHA256 | 240ac451d2d70b0e60af60a406258c12ff9ddf48d416b70a7ba043be739fec23 |
| SHA512 | c10601a28fecf260a0c678dd8dea450bfcba690969b845ecc09d747769f3314c07cdbb21b46cd3b9e839b6b864c03fe855095ced73cdadbfe8c89e300edb1dcf |
memory/3020-205-0x0000000000400000-0x0000000000453000-memory.dmp
\Windows\SysWOW64\Epfhbign.exe
| MD5 | 98356c0b2f8c5cdbbb04fff892e7f2b7 |
| SHA1 | 43e01ddb6e3dd239a2d527a55e3b982159e9a0df |
| SHA256 | ee80ed53550caadd71aa93b8db349aed77bdb51de594c508d47d17565e1b9187 |
| SHA512 | a2a5f7eb17e9b11eca0c3636744502adf861d52a40b35019e346dc6f38e8eaa154b2e4a7c99266b8bf82f219fa7cfc908dfee6cc4071246bb87b79a6f80ffaeb |
memory/1084-215-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1440-238-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1440-252-0x0000000000250000-0x00000000002A3000-memory.dmp
C:\Windows\SysWOW64\Ennaieib.exe
| MD5 | b936ec7d4fa113a57216280047d06390 |
| SHA1 | ce557af740f632144dc986894828aa7902190aab |
| SHA256 | 5bcfbb9e6b15335d29b15e55d8e6aa9991668fd5a0a2f7e0d0f3958474bf352c |
| SHA512 | c2b2fc571b6962d36f854e9b2dd26cd1635dc297781d63d47cf76837190b6ca4b11ede79f5b8662e65c0683f29e00ab2c2dd9d09abdd876626e5fdb67b8e789f |
memory/1868-313-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Fejgko32.exe
| MD5 | a63fa5a1162c758ec6a5546e8a7e7680 |
| SHA1 | 183989017ec5f8615664b5cc60bcd27f9fc40be7 |
| SHA256 | f51512f01d948ad03374cd44f8cd9a9af8fdbe2be28b47192cf459a480127daa |
| SHA512 | d1bf9ff27b89d4489380c7d35f5da181aca56b860b2cb112fd4d68b0b1f2875e4752c3dd2edc583a0b67b131c64be5c7082830d5ab81e1e53694470383d5dcef |
C:\Windows\SysWOW64\Ffkcbgek.exe
| MD5 | 6eaa87b85fca9a1e000c026494dbe0e0 |
| SHA1 | d8d53458118f951759e41e566f9a8ae914d276db |
| SHA256 | 78e950e99f5d69cdb8e25d89bac83429205e0d8223e69b90521ce11c41b2c5c1 |
| SHA512 | 49ede01ee6b18b76897b66086805216fa25b0a95c8ca676da45f9c34de9d5824a9b2feff8151062be2e8129c5a2ad0dc9d6ca17bc047f4fe77f9e58110d5c3d8 |
memory/2636-355-0x0000000000250000-0x00000000002A3000-memory.dmp
memory/2720-367-0x00000000002D0000-0x0000000000323000-memory.dmp
memory/2492-381-0x0000000000250000-0x00000000002A3000-memory.dmp
memory/1852-389-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1852-403-0x0000000000300000-0x0000000000353000-memory.dmp
C:\Windows\SysWOW64\Ffpmnf32.exe
| MD5 | 2043469f1862bea080b07ea4f4af212c |
| SHA1 | 9f22d735d68fb07292f594be186974fa3600edaa |
| SHA256 | cbea449fdaaf12282db8e85a6fc83d016ed7e7ab80b6d301f795d3db19c64cd5 |
| SHA512 | 3c9854d923beec24135a5e94c02d389c564d7f5dec7c9539e6f106727608b153146cea4d210f84729b479fefb4628daa97e7dd93d144a76d7b238401d22364da |
memory/2600-408-0x0000000000250000-0x00000000002A3000-memory.dmp
C:\Windows\SysWOW64\Ffbicfoc.exe
| MD5 | 5886de4300738f5f592528f0d6229613 |
| SHA1 | 9920657f488d1363a736de9dc5b0b9e5562594eb |
| SHA256 | ce321f26baacdcd81cfa557b73b3182cfff68e760d3a942d137a66bdeb029bce |
| SHA512 | e41280c5d4ca064c4c89bb11fe51b0d3ed104988629127716036ae38622f2e584c46c5640cd0e37c4389e4e178a94406e54ba39ffc6d3a5d992015d24fedac7d |
memory/480-440-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1588-467-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Gegfdb32.exe
| MD5 | d3700287fa3ead27bf223345bf085d9c |
| SHA1 | 7cfe0a40e798139fd843dbd5135b2dc2279be720 |
| SHA256 | 629f72576bd0f60648d05a340614c7cb1a406f50c21fe7d49654177e2e202a99 |
| SHA512 | cbed78b6bfb63651bdbabb403a43702c3b4ff50eb8ae871a7e5da33a41dfa353d0131fa2506616f12c20863d7e2c29d0b8cf520ac36462f3a750c98a5d8e6a78 |
memory/1408-487-0x0000000000250000-0x00000000002A3000-memory.dmp
C:\Windows\SysWOW64\Gbkgnfbd.exe
| MD5 | 734c9a27708e18c719205767b7c1b3e0 |
| SHA1 | ee01593a8be0b7a8a223e85c7677391b67a87a37 |
| SHA256 | 49f64da556fffc64241fd43000fc6211a517dd57db460271426c5a2983ae024d |
| SHA512 | e81376a794c312f4b098619b239d10a00ebc704e972f8984f1c8d0866c627010f7160fb8fb5fba2938bef542c3c6e5d6da5e44c661dc84738dca327573f8cc39 |
memory/2316-503-0x0000000000300000-0x0000000000353000-memory.dmp
C:\Windows\SysWOW64\Gobgcg32.exe
| MD5 | 504d51f721b212a4715baae90a7b685d |
| SHA1 | b9536b54d6ad77c87eca728a7b17474163691da2 |
| SHA256 | 9859c075314bc56ccb8c4f5bd6d0e9d291e3c94f7f113d175325d8afa0ed6d9c |
| SHA512 | 2ca99e5eba694521e4c1841049f45fb8ba4ec23071c17a59259447e58e7cc8edeca30aee88e5e22c1f0e5d2d9c7e6010b5d7fbb2150e98e0a83fa99eb930151f |
C:\Windows\SysWOW64\Gaqcoc32.exe
| MD5 | db99b39d91b4c010a392bda996763edb |
| SHA1 | b5195440ed6b13f45c8245c481b99d34903848f6 |
| SHA256 | 4a1bfefa1b630eb1b41494b572210309fbd1ef285879ee06997eebd47cd2dc75 |
| SHA512 | 727ad03210f021d808c974e9ed4d1105b979c9d5a61b086aaba8a579b77da1f438617f74c6a1317ffd7c2a8a730b783d6f04e63ac828023d99757aaa516ab372 |
C:\Windows\SysWOW64\Gkihhhnm.exe
| MD5 | b98a75debeb07d9a8c16140a7f6f04ff |
| SHA1 | 0c905d673d1cc7c1a256e0c3caf6880fdb693505 |
| SHA256 | 12fdf314c0465e8b870a0e7820a3f6f0129246a0bbdd6cd38150d3851c55506b |
| SHA512 | d8d87a4942cc1c1c787f3f9dad30b0d520e23d07a23457c7d2387d7ec0feda27b1418205e9b3e095efb72825ced6525815ee4039ef6f8ca130530d198afa3e3b |
C:\Windows\SysWOW64\Gdamqndn.exe
| MD5 | 45b78a8b9b24b038aeb9e92e4f8ff347 |
| SHA1 | ad8e0399ca7cd0864d34856ca42bee509e3164ae |
| SHA256 | a69b8c63826b89f1d1dc206e1e91bf5e5de4452d0fe12d596d035726b7fb9040 |
| SHA512 | d08a79c400a3cbba92cb367425f96dda17023a4be748ad1f589181dd77c6f832a7d22a724292b8af4de650cecc17f69d2b39d65e81b747d8c878af5a4bd0a842 |
C:\Windows\SysWOW64\Gkkemh32.exe
| MD5 | 7d50dac7cf1d3be84994a547ddeef940 |
| SHA1 | 70934a798c50cd77a77f14068cb79986e66f0c3d |
| SHA256 | 391ca995d3f7120fa39217eb211aea9f1daff6d035f31b9bda701e3d9756ce2d |
| SHA512 | 5bbc8f2aece3bac06b86074202f44c92f1441f7dafb162d384cc91c9ce4b7b4d28cdd9a7190456e754e67892cdc1d8803615a8e91d0f8737cc7fc666f647115a |
C:\Windows\SysWOW64\Gmjaic32.exe
| MD5 | 72b7cd70674e4370ec49f743ac6e340d |
| SHA1 | 959eaa2b2f83dc6dddc3dfb14cdcbc82838e3bfa |
| SHA256 | fb15b554f2fa354f1e4f87565630bd666ce3740dd285987dad63f14cadb55b23 |
| SHA512 | c05b17ada987bff9b6c8f5213da96acbee0fb90b95239c9be22f894c5ddeffa1e1770fb5271f929f1587a3bbf6c8f73274ce27b46861724961da201d6c938b8a |
C:\Windows\SysWOW64\Ghoegl32.exe
| MD5 | 8c401b1d6123dc4c8f08ea05929317df |
| SHA1 | cdff14c76611ef71528861fa3b037aa84db8ee2a |
| SHA256 | 269c3803f65bd4a9d8b17f60edd9c2f7d9501632db62ffeb9ceea890c85dbea0 |
| SHA512 | 29b3892d3a48249c87d2256f804602ef467793ef3d4eac25ab7d86a67652e4314e2fbd295100cf6eef26d95962ad87c480070947f0e9b652905ebb34732a6fe5 |
C:\Windows\SysWOW64\Hiqbndpb.exe
| MD5 | 3a4adc8a3acd640446419c5d4d1166a0 |
| SHA1 | 55f3d2949d4e6f8add7b8ca2a3665ca0228fb3f5 |
| SHA256 | f966e5d1e2c805ca35778dbc7f48ecb1c3411ff462d9d5aa8f513728b337f33e |
| SHA512 | 23e2b12c3396c224854d24c472cee85697c30dce042f88c2e310db4d409daca6f803b77a294e1eff848b3a63c2597498ea6611b8d030ed8cd0a43e670dea0888 |
C:\Windows\SysWOW64\Hpkjko32.exe
| MD5 | 70e61310efe82ffdf5d9202b835d7d45 |
| SHA1 | 51db77a8515eb5246d5ad76870f31e50609bf8f2 |
| SHA256 | 4ec7c93db13b07dd7e1f005c34641a725bec53dd2143026faf00a7ab5968eda1 |
| SHA512 | 3136a96dc2363498d254177ceac8fd8a71d857abedf7314ffc823d4babde43c823e41731eb944a57a134d54f94143cb962395b618b05b6293f54e6631b7c9562 |
C:\Windows\SysWOW64\Hcifgjgc.exe
| MD5 | 7860ea1dd959165a5231c6060d076482 |
| SHA1 | d08c79f1abe97631631c628567e8b3657ef8f052 |
| SHA256 | 2d08b4f3a422d5a33fd4b3da5f3b835e0e50e0b5f505f12e01130b53a65853f8 |
| SHA512 | 12dd01db5766502a5221c0ecc194c65affccfa2df9965eb0117d192608f4eae0ee390874884e78c7c83f66af7b721c4c45adba558450e815dda1a82bb83d3918 |
C:\Windows\SysWOW64\Hlakpp32.exe
| MD5 | acfdcc5e2e0a8ec5b2bffcd1c8f8eba6 |
| SHA1 | 3cd3cd52b89480fa1b9874f2b6fad02cf2ea2487 |
| SHA256 | ae75f1b0b284db36b12fc8e63da145bd73bbab4ce489b233d52356b80330e26d |
| SHA512 | 0a0a2a9aad09ccd645c42d3e138c19052a644962ffab5007a3115ce6ba949defeec6ba08dd521e2485cd317de30ca6028f0cde072dc067953dd9ace7cb04c58e |
C:\Windows\SysWOW64\Hckcmjep.exe
| MD5 | 0fb948b2f63a469ae4b688c1f4b0699d |
| SHA1 | 2cede1332f923809c52016322c274ae1d68f3467 |
| SHA256 | 7d4e457f34e5b717601da1db3ceda71c19af537393fdd4e4c6dc9d79f6432d0d |
| SHA512 | 3b5a80fed6b4101ea5c2f5db6115888ac16588dcea271cce3920903c6bf5845b1d5107d7b7dfd8de166dd163ba8d28b80cca81b28703efe43d68ee35864934bf |
C:\Windows\SysWOW64\Hejoiedd.exe
| MD5 | 8474107795db2411a3bd306d5dd73fb0 |
| SHA1 | 8053df277e7aedd873f2253ae0367b99fe0e0aca |
| SHA256 | 4bb91eaecec30d674a6c2903e667a1362d907f3444ab22349daf172de590d389 |
| SHA512 | 9ef0becd8b22fc37b089b77ce71179f1dccbf6721fa7e3b56bf6ff24b749dfcd074fd5d7870919dc56eba89e633b8a73c72d8b38d31fb2247b25fbad74738042 |
C:\Windows\SysWOW64\Hnagjbdf.exe
| MD5 | ee4976def93eb7f9ae0a6a65dee9b9ec |
| SHA1 | 174076c2bd2a23a9911cceb1fc36ab6e4f127841 |
| SHA256 | bc95b7cc283c39b7ce22e4ba565ec4235c7e8303264dcbc7c93d31c08b769252 |
| SHA512 | 7a5d627a8749cbdf61a1f52bad198e00caf82322d6775f84c874ec1920ee86fae66a7f6c58e00c77c1e6ac9942ce38efb69080c34c6492a70adef26d39c9796b |
C:\Windows\SysWOW64\Hcnpbi32.exe
| MD5 | 6ee85e6679cb1779b3be309f5b1d6170 |
| SHA1 | 07c4e0679eaff18f32bc47bcba5ce9b27b7c5aeb |
| SHA256 | d79481391fc38a65daa512e80c493de27ab9721b6bc52c82a8c8a76f8e491ac1 |
| SHA512 | ee5ef453e5cb50efa4edc9ba7a094135bbe40326fe6726411d404e2accfc3f8b1a088ea83a628f8b67e9cb0f3a69bbd678b610cead4d434237486f4b93364717 |
C:\Windows\SysWOW64\Hjhhocjj.exe
| MD5 | 467b6e12f63988e5f23d53ae6b0be596 |
| SHA1 | bb917aaa0e638a3895f98bd6460b15d7180c9dca |
| SHA256 | faba16dae73998d37a46e9aa075e3813273786216f384c9f3a43546786393444 |
| SHA512 | 79545b7872616027156ac5d71e34000b15b33589f76b35e100a3238587d2dc3c221415188b7c62ccd8f1eac3aa49ed91447bb712b9cfd2fca48b028ec4b639e4 |
C:\Windows\SysWOW64\Hodpgjha.exe
| MD5 | 3a4233f90d0a9e3dafaa7e768ddfdfd1 |
| SHA1 | ad19494527e1e9d1d06c84d510b4caa5e3201df7 |
| SHA256 | 9d9a49f0661d029a125fcba410a97f11b8115e86442f5d650a6c0e02ed346da6 |
| SHA512 | 34fa9c4af362656ab993a2ac2ff72927cc55eeb2ef06c2c7bdd8c1272c2a3706d97c60ca71ac15bd6f5165825a112b12fac539bec0828528523ae389a029d8b3 |
C:\Windows\SysWOW64\Hlfdkoin.exe
| MD5 | fc5b05b49a8a300820b1ee8ae4cee6bc |
| SHA1 | 1b930598ff70466127648c1b932b91fc7e7459e0 |
| SHA256 | 9d0d9b1ccdb446f283a717b9779a19362466e38a532730a3a97cd558af39f7da |
| SHA512 | d1bc06e330c21e9d91660e21db09ca7ee8be5c00028cd20bfa429f24f9b9990da534886fc07150269c6f8f210114a76454487cefdb338740408bdb3a5a21e47c |
C:\Windows\SysWOW64\Hjjddchg.exe
| MD5 | 4f335a42a44e09e8ab8dada3bb6b7481 |
| SHA1 | 4da349389653b07265f3def19e60673f8a7f31a9 |
| SHA256 | de363bb3fbe3fd3d70e570aac3d358d84a4010bf1b50da35090d9d8655c8d00d |
| SHA512 | f746eddae5f7d624b8a940c6051f0b44baf6fe7d1a9399516f380c182021f7bbb216b006467be95c4a20058fa7a818c635ae3301bc0ee270f5ec9840340b2f68 |
C:\Windows\SysWOW64\Hhmepp32.exe
| MD5 | 9e15adc31c609c139382798cce97595f |
| SHA1 | 91ef4d0c1107a5f4fd8a92278e4ddc9a5ee8307e |
| SHA256 | a119beb93eb05abe557108f0b96492e70060b565e23606334c930c1e1724df4a |
| SHA512 | 6ae846d7964004493cfbc1235eda72ef45e41e66700359a9c137eb49b09ddb02b267060f9e3bdf525ea1cf18a9d134976deca928566d0fef76841ee404e43a2f |
C:\Windows\SysWOW64\Iaeiieeb.exe
| MD5 | 1eb893d7cfccb3dedaf0d00d092f918f |
| SHA1 | 8b47279a77773e0c80afb32ee1ec723524f8cf61 |
| SHA256 | 9247a732adda3db8957eaf62672f57e8eff205311cf5485d94028c3031d5c761 |
| SHA512 | 8ddecdba211a9e6f926c4500790e1e37f48f12cdfda739172ae24c53ed00c66c6663156f5abc7edcbfcd4e61ad4b18e602f016ca8eab738ca8ada39d1291089b |
C:\Windows\SysWOW64\Ihoafpmp.exe
| MD5 | 731387c0575000c6a56ee5dfd7107bb7 |
| SHA1 | 9e119adc6d06a520906b52a7221b48ff05f90ae8 |
| SHA256 | 72841673c601cb0683ad1e5ea8356cba9e77c6ae51b07ab8689ac558b42dc9d8 |
| SHA512 | 1d221ee36af5f3d9abfd45b4dabdf64bd7fa998b382bd7e2c0e734a2fdb6b643d9a9c6b71a893cf28e606b512763b342c12986e6349aa15b85a706a3e9590537 |
C:\Windows\SysWOW64\Ioijbj32.exe
| MD5 | d828d47ccfe8e4a6a812e0eef23a6f7e |
| SHA1 | 1752f458c91ec95eb151885c447f4f600b8ffd94 |
| SHA256 | b37087b22d5b2716db6733c043fd7c23eee2c45627371ed99edcd29ce1475bf2 |
| SHA512 | e6a9746eb74b6f6dce9f0434b304cf55031a75c11b97b0add60568c8d7c776a2f82b11a2c3d3b3664eb67f0ee6ca96cfa339cf6fa18fe9852b35bb96d730a572 |
C:\Windows\SysWOW64\Iagfoe32.exe
| MD5 | 4041af86d070611037e417d8bac8b281 |
| SHA1 | ca2ac429235cac98112d80afb343331e295cb7e2 |
| SHA256 | 76c3e69e43f6cb20ca2161f12d60c8a3ee05f6e73a5976243a4d93513f562b11 |
| SHA512 | 213235c1da96473c84e858b368aaeb293a1d20d6bf0f24bcd3a663bf5afd468b5eac12f5d502a494ddb5251e5aa2354bc94240851f0769282d14a19cffd34481 |
C:\Windows\SysWOW64\Iknnbklc.exe
| MD5 | 616b55a7e57544566b84e9a67bfe597f |
| SHA1 | 622a549c8bc136ac5fa22cfe8e38aef20ce68caf |
| SHA256 | 83df9ff1dca3134260c1afc3b97edc13bd6980d0b8c11afa11c6c5f574ca2f2f |
| SHA512 | fb7fb4a78bda8863d6367ba41fd4585e5e46779fb430d969c7a03d3240a8cd744275158588cafa91e4e8b1c53a4c871ef3b715a00eab188320cb0ea24835ecee |
C:\Windows\SysWOW64\Ieqeidnl.exe
| MD5 | d0495e2e3e1cb7271bc155ffdc088b01 |
| SHA1 | a426e2b85422205a3236168bd6f35e37ca4033f5 |
| SHA256 | 9c8139498c135fb64c246a8344c730b7317db9a87a1fc21129da3d102b9c9edc |
| SHA512 | 2356ece5679739fc1346a6b536f1dcdfa25d6b3569e6bb79d34a2961d554e1d1ac32c32ec64631d356140540465876030822e33b056604040fd7e51aec4b7b4c |
C:\Windows\SysWOW64\Hkkalk32.exe
| MD5 | f3e54124154bbd88ff5457e540f22548 |
| SHA1 | 988f7b9b84425e31b7de5ff7a3184155d63eb930 |
| SHA256 | d35e16395db166feb4b713f61ae58e3750c3e96c420b9f5b5a61c7e95c55764c |
| SHA512 | 0a3a4eccf8f05460f9a39c51dd74312107f696f690ce7c649c53661787b128c9b1f0a863819f0e5990a001ddbfa6a4cb2bae1a03a593fbfbb71f3661c04dc443 |
C:\Windows\SysWOW64\Hacmcfge.exe
| MD5 | 18b76470a206b9208c407db18334e71f |
| SHA1 | 811ce59841782edf49261d1f7a98d83e01c51faf |
| SHA256 | 51feb15c43cfdf5d6bf5d6c39fa80387e4d8476178261a538faf0d161009f1ec |
| SHA512 | d7481e2688411400c456adf37875ae1c14d374075520af32ed418867fd3234f8a7b908100d58cc6fd7ab9635328530759327125f1ee1ba6b52ced22cca4bc003 |
C:\Windows\SysWOW64\Hgilchkf.exe
| MD5 | eaae1db21b043820ad19304dda87234e |
| SHA1 | 3454b2caa579fa53c57784bd535d98cef92d4a98 |
| SHA256 | 9724a45d286a5ec3bb27c14f2f536eb11a62af7e13a6c926e71cfcb4b6122c89 |
| SHA512 | cb00138c66f9a15aa56e8fbe4cf018e97be69490a493d71f039f079bc6f283cf2abde7d490d2c5a1e25b6df7af93d9e5abfbfdc8bf5af3c6ec26568fc1155b37 |
C:\Windows\SysWOW64\Hobcak32.exe
| MD5 | 6ea04d14215e88e29e072c3b030a9bb8 |
| SHA1 | 83c94fded0f557d44a70c96be6f26ee3333ee02d |
| SHA256 | 82e6324013b0290bee1575878d4d5d9961df11cbdc69b2dcabc27d95a6e25411 |
| SHA512 | fe936ef3aae8c89ab2851037a66746993aa0bf60d447ca127a05ee031da21a03f544bee2975b57cd9ff572b953e59253853fe9b9d74fd91c4885c381b0f74d23 |
C:\Windows\SysWOW64\Hggomh32.exe
| MD5 | 11f32107381417d1ebdd77c45ceb880e |
| SHA1 | 7c25f6830185473d5882c1945aea05d44cff0789 |
| SHA256 | ce564fed22f530d5c129e7e722eaa3a9ddcdc1447297daa3106ba3ae80b2a613 |
| SHA512 | 7b8e3898f7cdb6a84da7dec756ab7f43b02defd94f5149b25ecb6a06a5005a379a598ce8b00b021fd0f92c6d04de9b81a17713e861e0d09c90889096d313a3ca |
C:\Windows\SysWOW64\Hpmgqnfl.exe
| MD5 | ebe9d98ef7c9a966e34348e86e891700 |
| SHA1 | 39df54b9c5acfdbc6b778836a9524488d8371644 |
| SHA256 | 4425847757abc13653c6a34a943b2aec24957469428c905fe4dd349859de18aa |
| SHA512 | 112ea2988dc7668f3f3e18455ac2dcaa11627294f53d2015257cee3e647def1fb13362b63dc113cbfe50b1b2cc6660d30c46dc46585e0a6714d14178a9363c24 |
C:\Windows\SysWOW64\Hicodd32.exe
| MD5 | 8d0ad3c78cec27140ede8f814380d347 |
| SHA1 | 3f84f06b29ca0d5b5cfa372d3fd195def88963db |
| SHA256 | 75d9340280aefc202395b82bcf39a906ddbd4bde93da9347a74c50c75412fb2c |
| SHA512 | e6aad617ffdb8c586dbdef5a2c5d8cd4569f15411baf0ed9a64b435cce94cfa7c57122aacb4589204f352f780cd2c019e797c4237763da7866946f4ed07198a6 |
C:\Windows\SysWOW64\Hahjpbad.exe
| MD5 | 4fe39a2ce044c6b9498f408d7c43aab3 |
| SHA1 | 9330c3b10838b0ed0fcaa8efd6ea20a8b19666d0 |
| SHA256 | 2692c82321528b92952d24b4dcefa0a8b7ac456b2d1f337a2e42b226ac19ee7c |
| SHA512 | 0fdfeee3ea165abea214992e9bac1e2bd6edf71df6b8531a4948dc52981f72189a21cbe5839b0371de6ce9ed8f8e66f0afe4de843e454326c4bdec5284a18a36 |
C:\Windows\SysWOW64\Hknach32.exe
| MD5 | f2f35dfc8f38e2cb30fe68a6ef2c316d |
| SHA1 | 836ea9b70398444fca4bb29760a2de09afce94b9 |
| SHA256 | 1129680583d3d8e933ad2902bb338b0f47888844c0cbc97ca246804675d8cfca |
| SHA512 | 2948181d6130141c150a0d3f65a71542293ba7713852efb99593ff039a0d02ab59b789af0497de508d99cab49c85580dc6dc32855f7469149a90cc9dcbe721dd |
C:\Windows\SysWOW64\Geolea32.exe
| MD5 | f456ccd07303a4dbcd774aab30d248aa |
| SHA1 | dffd692f91115af3fbbe90fc854a930e65ec441e |
| SHA256 | 728f3ff958c10ec930be3564f8ba1487ae79836a149843ec6beb2612f6dbea01 |
| SHA512 | 82432a49d64abbe6d4cd71fba31ac14c092f9c67704f09db2278ef8a08627a86aa4a52ccadc26ce0b89732d230ada103dcd7cca1c73e41557f536431b82bbadb |
C:\Windows\SysWOW64\Gmgdddmq.exe
| MD5 | 4bda2e46b036300733732fcf387c8b3e |
| SHA1 | 38ca22115a1e95b753bd127c93ec8e95e7c17e41 |
| SHA256 | d5cae2362a2bbec71a7d8563e4ea0741dfd2ff704eec860e5ba96593dae883e9 |
| SHA512 | 8f9d303ce37ba5c441665013b0ef71ae1da0507d59984e44f7df3b831ee9f58bd6b1ad784016c904cbaccf0a9b31adeb91a299c451202354122e0603a8851aaa |
C:\Windows\SysWOW64\Ghkllmoi.exe
| MD5 | 72ae4302362191a01041f1d17d482fa3 |
| SHA1 | 2a3258da2e15946012f18deeaffb3cb7207bda9d |
| SHA256 | 66fafe5f39c33fdfe4ad0627a368dd2442346a50f39fda7939688d18d90d66b5 |
| SHA512 | 749c082d3ba28731f9765ff221fef5af581ecc2202530efd83805885232671487a54db72455449fc277858b9133250c9f3164d6f83a43e514e324d25fcd942e1 |
C:\Windows\SysWOW64\Ghhofmql.exe
| MD5 | c4eb003074de2c5b9b94fc3c941dce52 |
| SHA1 | 4f7adcc4127996818d9cebf2762518eef2cc2293 |
| SHA256 | a502b3996d50d5c63e69afdc8894d1995b12a836ebc9881f4f1df97024714900 |
| SHA512 | dc5bd8036ff4b837be2a5e54968629cf7bd97d1c991a8793c85e5cc4518f99a996bb0f0186bfc92e2720e90df5beb4249f5675ae8b61d01c137534a5da8fd8c4 |
memory/2316-498-0x0000000000300000-0x0000000000353000-memory.dmp
memory/2316-484-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1408-483-0x0000000000250000-0x00000000002A3000-memory.dmp
memory/1408-482-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1588-481-0x0000000000260000-0x00000000002B3000-memory.dmp
memory/1588-476-0x0000000000260000-0x00000000002B3000-memory.dmp
C:\Windows\SysWOW64\Gonnhhln.exe
| MD5 | 13419e25763fb6db54ccb2d5e1e1c14a |
| SHA1 | ba523e6812d3a9563418eb490615bb5b946f7285 |
| SHA256 | 3ab78a8dbc4d7ce5b56663f95fd637122abc94defc933dd4b2af6476a6443471 |
| SHA512 | 69a0dd20295186da2f05bf461d26ce991111658d838014bf3809807b2482bf442ad2b9a88d9ea6800a1034318880c35176b1197aea10f6576fa14f1002d11c07 |
memory/1612-466-0x0000000000250000-0x00000000002A3000-memory.dmp
memory/1612-461-0x0000000000250000-0x00000000002A3000-memory.dmp
memory/1612-460-0x0000000000400000-0x0000000000453000-memory.dmp
memory/480-459-0x0000000000290000-0x00000000002E3000-memory.dmp
memory/480-458-0x0000000000290000-0x00000000002E3000-memory.dmp
C:\Windows\SysWOW64\Globlmmj.exe
| MD5 | cdf148b9a1de14a86b3ce7b1bccd4550 |
| SHA1 | 3990a23b8a7287deaadbc8805a90c3b583229e5e |
| SHA256 | 01bc9e0f93986f7644cbab992b338dba68958085d062e3b46fa71f6fe1ab4783 |
| SHA512 | 3754f23f3949979ca80219f54d14f602293cbd63a25c3754f4e015b91ee14749cd89c95682bd195d1caec2a642c68f3f3ecdadd195342070077cc8d2fc13afb1 |
C:\Windows\SysWOW64\Fmlapp32.exe
| MD5 | 0e5b88c55efedbcab97a6514e1a0bb49 |
| SHA1 | bfa62e6df4aaedefe5864f80232a3d9dafc5e92b |
| SHA256 | 49b707f43b159e524df142599dd8e71f6b3178dbb993ecf50da278cbd4d79d70 |
| SHA512 | f1df89fa6eff070114fd4e5729ad6a67be457a141ef974c779649513720304c1f89ee6882185427320ba815cae790b649c99eae56e1dec7d3e5f540f2423b0b6 |
memory/1556-445-0x0000000000250000-0x00000000002A3000-memory.dmp
memory/1556-439-0x0000000000250000-0x00000000002A3000-memory.dmp
memory/1556-435-0x0000000000400000-0x0000000000453000-memory.dmp
memory/764-434-0x0000000001F70000-0x0000000001FC3000-memory.dmp
C:\Windows\SysWOW64\Fbgmbg32.exe
| MD5 | 91fcf85b8e39ee004c6ca2cb3282bf10 |
| SHA1 | 0bae70ce9306b4e5e82e5c62db20b9800036e4fa |
| SHA256 | a6d7cdf95f4d696e9c8ebe240f8536a9c3811a7a5f88ef6dbcca871dd255b429 |
| SHA512 | 16d7ce32d002a04a245ad69d4287530537820be43d8f912919987eaacd0f0417a977ab4ce6d59d7ebda5922f0bfae84edbcc751917a32035176304f408c2ecc6 |
memory/764-425-0x0000000001F70000-0x0000000001FC3000-memory.dmp
memory/1692-423-0x00000000002D0000-0x0000000000323000-memory.dmp
C:\Windows\SysWOW64\Fphafl32.exe
| MD5 | 8c3d973b9d4325f2d2c6a17c76912b42 |
| SHA1 | d5f8353a9841faf8ce6090b5d998618ca61bf437 |
| SHA256 | 9d5aad8fcaf7d7d35e7a94bcdb72dab5bde769abc0911255cdb342ebf21ecc3f |
| SHA512 | d31cd965224bf55905735486054579c52322ec7503ac067ec5570cc8283af9edd075fc34c162638b5eabc2abd61f1b50014d89974494c02a4762176d96d17fe9 |
memory/1692-413-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2600-409-0x0000000000250000-0x00000000002A3000-memory.dmp
memory/1852-399-0x0000000000300000-0x0000000000353000-memory.dmp
C:\Windows\SysWOW64\Fdapak32.exe
| MD5 | f7f4409d7f2f5cf552c6e9076835d2c4 |
| SHA1 | 3605eca0d184b9590a382774301f2532229202a4 |
| SHA256 | 558dbcbbe5b955374e6563a339447c974300b5598363cd7f5461df2ae01ae638 |
| SHA512 | dedfb9a360260fbbf755477d991019d46cb9785bf9da98067a915ae3ec46734b3e7bfc8c6b6380999cdef71f3f3729130ee13c4f6d5ffb71d5232015251ae5ab |
memory/2808-388-0x00000000002E0000-0x0000000000333000-memory.dmp
memory/2808-387-0x00000000002E0000-0x0000000000333000-memory.dmp
C:\Windows\SysWOW64\Fmhheqje.exe
| MD5 | 8b841797e383812cf36cba1090293a8e |
| SHA1 | 13303fcb66c3bfe043a3d998193e948793e3775b |
| SHA256 | 347586ab936e8918e02519d9486bca4d09caccd221c1621190466034e5ad1914 |
| SHA512 | b193b72c6e44d55764727d99bd79f2e80cca20699dfbaf3ace9d9ebca2089a8f901ebd8cbea2eeea73938b419b1d47a1507717ec5447699242f50a8f60568acd |
memory/2808-382-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Fjilieka.exe
| MD5 | a1e0f019dc2d76e32e7bf94c2ed3f654 |
| SHA1 | f50f2c1f0d22d07e3c89cc3cd101ee07c5d87367 |
| SHA256 | e5ea8cab0c39fd69300f485947593be7ed132bb4e211d5a225b23a4e2f77e12b |
| SHA512 | 4e53e2386cb8a1b9cc2ccd7b8179bbb2b81ea1eb007ef80d3c5a1750bd79da426b8c848e8fa44aa247a9afdaeef1098cd0e37f16192a1fb8d854195145b0ad92 |
memory/2492-368-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2720-366-0x00000000002D0000-0x0000000000323000-memory.dmp
C:\Windows\SysWOW64\Fpdhklkl.exe
| MD5 | 78ec63dc1e3f840ac423a12b2adcfbbf |
| SHA1 | c4a4a119054cdb3e2dfae5e5630dbbdedd181e01 |
| SHA256 | 7420e57385f5249b8dfa3403b7b9f60d701ac5be5a562b1f9cc960d9af58525b |
| SHA512 | 21f61efb8d0dbb2d9563f7a417cce5ec9a621a1762c2e8afc41025632578da674fc2b901627ef2dc8a859c15041d9349d9de5eb738bd7dddc4c9b99998cc3df5 |
memory/2720-362-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2636-356-0x0000000000250000-0x00000000002A3000-memory.dmp
C:\Windows\SysWOW64\Fjgoce32.exe
| MD5 | 0af30cf35973adfd53bfc93fbe6374ee |
| SHA1 | 7a981146b967c583e7db78218477fc7e464d556c |
| SHA256 | edb89b231e2453a002fcf4d16819b6949524444fd5f7d636e62a87fdc4f3c6af |
| SHA512 | ec5e30ca3fb6ed454bea88584da80921526136ad7b6debc0e78c27e15b987ea273d58a2336d3eb06cad6797c84469a036cb6e9e45a731f8542eb1016b81b1c52 |
memory/2636-350-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2888-349-0x0000000000460000-0x00000000004B3000-memory.dmp
memory/2888-348-0x0000000000460000-0x00000000004B3000-memory.dmp
memory/2888-335-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1508-334-0x0000000000250000-0x00000000002A3000-memory.dmp
memory/1508-333-0x0000000000250000-0x00000000002A3000-memory.dmp
memory/1508-329-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1868-327-0x0000000000250000-0x00000000002A3000-memory.dmp
memory/1868-322-0x0000000000250000-0x00000000002A3000-memory.dmp
C:\Windows\SysWOW64\Fnpnndgp.exe
| MD5 | 367fde71f70a0d16a6977a0e742a4b6f |
| SHA1 | 054eb7a4b4e67ba5e6755d99f85f0a49fc372c69 |
| SHA256 | d98be7bc10c81dab23b086cd018a06cee9c1d65cf9feb40ffc1940b0f7deea08 |
| SHA512 | ea3777984b82979d4c38cf970d6c656ee109c5aa4c6a188202fc8546c7090db1d89b9da0afae534b3bbc0233cbce8700c1760eeec72a545cbbd81ee3d271c6ee |
memory/2768-312-0x0000000000260000-0x00000000002B3000-memory.dmp
memory/2768-311-0x0000000000260000-0x00000000002B3000-memory.dmp
C:\Windows\SysWOW64\Fhffaj32.exe
| MD5 | 8aaacf14aa786ae152e6241d43be1d56 |
| SHA1 | 3070efebd2e50dbee48b85ffc076ac068991d8bd |
| SHA256 | 4ba186e0e7e4a83ffcdf80d4346b6071cc19d234b365917ea683431711cb5e8e |
| SHA512 | 125ef185a7abded4983ea4b98ffc8dec50f7f4917304fd55e481dc72fdf8ffb7b92138dbcbdf020d44402d1f6c328a34047439a1f2a6af442ae006a418e2bd34 |
memory/2768-307-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1996-301-0x0000000000250000-0x00000000002A3000-memory.dmp
memory/1996-300-0x0000000000250000-0x00000000002A3000-memory.dmp
C:\Windows\SysWOW64\Fehjeo32.exe
| MD5 | 105fa135a2589da9eb6ec6b23e334838 |
| SHA1 | fedb29f37b6056fe8bfddaab8d50ba3cac9627f7 |
| SHA256 | 3af26040add7d52480c2955226390091ab6a157a2c76a6d801c7d4e8490237c6 |
| SHA512 | c43bccddcbc90e8c2913d75794126ff0d64c8d862d64299fea7962442942f8734301ccdd382eb779ef68f400a6fe37b0faa0c705b7c6db6b5b435fce11d2572b |
memory/1996-291-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2928-290-0x00000000002D0000-0x0000000000323000-memory.dmp
memory/2928-289-0x00000000002D0000-0x0000000000323000-memory.dmp
C:\Windows\SysWOW64\Ebinic32.exe
| MD5 | 5b3334638b21848f7cbc6bc4e3685ff1 |
| SHA1 | 351d20f108f662a011ba897779341ffcf901b156 |
| SHA256 | 00767bfa5c5feff546da449ec17bbeb107ba4db5ac73fe6a88f26f17e7a8091e |
| SHA512 | 191b08c09b1af6df87b539b7590c5602c0734b42a1c7fe2d512e296afe95e96cbb049a15fa57af5db24858c593ad0bdc73f186e97c6c0110359c29cc0e16c8bd |
memory/960-284-0x00000000004D0000-0x0000000000523000-memory.dmp
memory/960-283-0x00000000004D0000-0x0000000000523000-memory.dmp
memory/960-274-0x0000000000400000-0x0000000000453000-memory.dmp
memory/768-269-0x0000000000260000-0x00000000002B3000-memory.dmp
memory/768-268-0x0000000000260000-0x00000000002B3000-memory.dmp
C:\Windows\SysWOW64\Egdilkbf.exe
| MD5 | 2ed634df44703c21b0042719daac2e0a |
| SHA1 | fe85bf38dbd44712e2acb6749689063d67ed8232 |
| SHA256 | 41932d625b42db89aa61d16c621f390e840dbdf1c535de438ec2a0f2190663c4 |
| SHA512 | a592db19c90fa6c8a0ed4ed24c2f5a2c3c938d9e232c8824333364eb23090f505c71f00a5426bae0d1f7fcbaff0f5628ea991bb4c488cd352c1989bf01d7cee9 |
memory/768-259-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1888-258-0x0000000000460000-0x00000000004B3000-memory.dmp
memory/1888-257-0x0000000000460000-0x00000000004B3000-memory.dmp
C:\Windows\SysWOW64\Eeempocb.exe
| MD5 | bfb4b57b275e2dea0e1753614f18ea8c |
| SHA1 | 06fd316dfd008c3fb9efdf91c0327bb263b8fbc0 |
| SHA256 | f19d70aa4cfa1221fa399b1783adcc77a5d35832a7759671ca92c30fe9583a19 |
| SHA512 | 0d4f716317a822e24328f27bafa430442ddca88e22b54936ab15bd092324e1883c4fb44c0d5a4fd4798656187c7b3b44feb5e74ea787926a6e99193937a4fa40 |
memory/1440-250-0x0000000000250000-0x00000000002A3000-memory.dmp
C:\Windows\SysWOW64\Ebgacddo.exe
| MD5 | 76cd2050e0c5ee690d3f836fdbdfe9a4 |
| SHA1 | 93a0d54c1c4d28d2140bf013608856afe1e0e7d4 |
| SHA256 | 9c241af15f9e89ddf4ffdd683014cc0e0e518fdcc95dfb12758a1b05d3673d65 |
| SHA512 | 1378176b7826b87f63688018b9ed3919dd7e3e509adf315f56b2d165a3b6ee267ed40a0d71476b94503e4ea2d4f5e1ea82a8ec9e3eefa3b802e06794053971f7 |
memory/452-236-0x0000000000250000-0x00000000002A3000-memory.dmp
memory/452-237-0x0000000000250000-0x00000000002A3000-memory.dmp
C:\Windows\SysWOW64\Epieghdk.exe
| MD5 | 48c3155c4ad974ba80c0a6cf7ff15186 |
| SHA1 | 3674a39f39e6a9db99bb7b163a48046bbd256b9b |
| SHA256 | 53b06383abeb73f0eb8456092f99a240b2a0fd75f9259990772844b09a943419 |
| SHA512 | 4c8f8fcb0072b8bdbcb9950723a935add25c003c07910595386bfa7748e464b8826ba0d66ab1ce41663bb2dc6400652f854697c15589a026b21516ce8848ab76 |
memory/452-231-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1084-230-0x00000000002A0000-0x00000000002F3000-memory.dmp
C:\Windows\SysWOW64\Egamfkdh.exe
| MD5 | d3e2ac2da112bd1d27adfa2ffc6919ac |
| SHA1 | 1088f5d3ab6acc2e71d434040a2c89348b3c663d |
| SHA256 | cf2c41102bbfd07f08080ac98b2321702e1c3bf849463f735877dfe83bd855c2 |
| SHA512 | 303e185ec1dad791c454aa84ea12aa5dabff62f8b654bdcf18e9adc3e7f9dc8028ff67caf05bf477e836dbc65148911f1a3e6cc21f1da88227056272789dd6d6 |
memory/1084-222-0x00000000002A0000-0x00000000002F3000-memory.dmp
memory/3020-214-0x0000000000310000-0x0000000000363000-memory.dmp
memory/2016-199-0x00000000002A0000-0x00000000002F3000-memory.dmp
memory/2016-194-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Eeqdep32.exe
| MD5 | 6ce7febc6077faa4bbca3b4e66cfffdc |
| SHA1 | 64ac7e79701e404a3d44c2d3b35a6cfcb7f7c6b9 |
| SHA256 | 40c60eb4ad00eb29084a49016a8c77402041e69e68a73bbe129000866e67ba38 |
| SHA512 | 1442e5ca925970aaa34b521875d7ce923238ae3ffea714e180d196ab132f58688f4ab6200f8324143b142aeb4b3a01f4e8b57800b7e4632fd928e850c2136a5d |
memory/296-185-0x0000000000460000-0x00000000004B3000-memory.dmp
memory/2128-160-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1516-138-0x0000000000400000-0x0000000000453000-memory.dmp
memory/864-118-0x0000000000250000-0x00000000002A3000-memory.dmp
memory/864-106-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1688-93-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2532-78-0x0000000000310000-0x0000000000363000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-19 00:40
Reported
2024-05-19 00:43
Platform
win10v2004-20240226-en
Max time kernel
142s
Max time network
156s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ncnofeof.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kofkbk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mfnoqc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aagkhd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ncnofeof.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ngndaccj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ngndaccj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ojfcdnjc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qpeahb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Users\Admin\AppData\Local\Temp\37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kegpifod.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Llodgnja.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Apmhiq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bdmmeo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jniood32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Llodgnja.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Phfcipoo.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bhkfkmmg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ojomcopk.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Phcgcqab.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Phfcipoo.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Adcjop32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Apmhiq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bhkfkmmg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kjgeedch.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lfbped32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dhphmj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bphgeo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cgifbhid.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dhphmj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lggejg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mqkiok32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lfbped32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qfkqjmdg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qpeahb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bdmmeo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cgifbhid.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kjgeedch.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kofkbk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Oabhfg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Agimkk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Users\Admin\AppData\Local\Temp\37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kegpifod.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cpmapodj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Caageq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lggejg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mqkiok32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ppjbmc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Adcjop32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Aagkhd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cpmapodj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mfnoqc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ojomcopk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ppjbmc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qfkqjmdg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Caageq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mgphpe32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ojfcdnjc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Oabhfg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Phcgcqab.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mgphpe32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ompfej32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Agimkk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bphgeo32.exe | N/A |
Gozi
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Ngndaccj.exe | C:\Windows\SysWOW64\Ncnofeof.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bphgeo32.exe | C:\Windows\SysWOW64\Bhkfkmmg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Caageq32.exe | C:\Windows\SysWOW64\Cgifbhid.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dkqaoe32.exe | C:\Windows\SysWOW64\Dhphmj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fmggcl32.dll | C:\Windows\SysWOW64\Jniood32.exe | N/A |
| File created | C:\Windows\SysWOW64\Aablof32.dll | C:\Windows\SysWOW64\Kegpifod.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bdmmeo32.exe | C:\Windows\SysWOW64\Agimkk32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lggejg32.exe | C:\Windows\SysWOW64\Llodgnja.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Apmhiq32.exe | C:\Windows\SysWOW64\Aagkhd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ipgijcij.dll | C:\Windows\SysWOW64\Kofkbk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kofkbk32.exe | C:\Windows\SysWOW64\Kjgeedch.exe | N/A |
| File created | C:\Windows\SysWOW64\Mfnoqc32.exe | C:\Windows\SysWOW64\Lggejg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ncnofeof.exe | C:\Windows\SysWOW64\Mqkiok32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lfbped32.exe | C:\Windows\SysWOW64\Kofkbk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ebcmfjll.dll | C:\Windows\SysWOW64\Lggejg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Eehnaq32.dll | C:\Windows\SysWOW64\Bphgeo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hhblffgn.dll | C:\Windows\SysWOW64\Phfcipoo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Aagkhd32.exe | C:\Windows\SysWOW64\Adcjop32.exe | N/A |
| File created | C:\Windows\SysWOW64\Llodgnja.exe | C:\Windows\SysWOW64\Lfbped32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lggejg32.exe | C:\Windows\SysWOW64\Llodgnja.exe | N/A |
| File created | C:\Windows\SysWOW64\Difebl32.dll | C:\Windows\SysWOW64\Mfnoqc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jniood32.exe | C:\Users\Admin\AppData\Local\Temp\37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cgifbhid.exe | C:\Windows\SysWOW64\Cpmapodj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ompfej32.exe | C:\Windows\SysWOW64\Ojomcopk.exe | N/A |
| File created | C:\Windows\SysWOW64\Apmhiq32.exe | C:\Windows\SysWOW64\Aagkhd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jponoqjl.dll | C:\Windows\SysWOW64\Oabhfg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Agimkk32.exe | C:\Windows\SysWOW64\Apmhiq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Oabhfg32.exe | C:\Windows\SysWOW64\Ojfcdnjc.exe | N/A |
| File created | C:\Windows\SysWOW64\Phfcipoo.exe | C:\Windows\SysWOW64\Phcgcqab.exe | N/A |
| File created | C:\Windows\SysWOW64\Bphgeo32.exe | C:\Windows\SysWOW64\Bhkfkmmg.exe | N/A |
| File created | C:\Windows\SysWOW64\Liabph32.dll | C:\Windows\SysWOW64\Lfbped32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ppjbmc32.exe | C:\Windows\SysWOW64\Oabhfg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qpeahb32.exe | C:\Windows\SysWOW64\Qfkqjmdg.exe | N/A |
| File created | C:\Windows\SysWOW64\Mgphpe32.exe | C:\Windows\SysWOW64\Mfnoqc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dhphmj32.exe | C:\Windows\SysWOW64\Caageq32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mfnoqc32.exe | C:\Windows\SysWOW64\Lggejg32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Oabhfg32.exe | C:\Windows\SysWOW64\Ojfcdnjc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qfkqjmdg.exe | C:\Windows\SysWOW64\Phfcipoo.exe | N/A |
| File created | C:\Windows\SysWOW64\Hehhjm32.dll | C:\Windows\SysWOW64\Phcgcqab.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Adcjop32.exe | C:\Windows\SysWOW64\Qpeahb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kegpifod.exe | C:\Windows\SysWOW64\Jniood32.exe | N/A |
| File created | C:\Windows\SysWOW64\Adfnba32.dll | C:\Windows\SysWOW64\Ncnofeof.exe | N/A |
| File created | C:\Windows\SysWOW64\Cnffoibg.dll | C:\Windows\SysWOW64\Ojfcdnjc.exe | N/A |
| File created | C:\Windows\SysWOW64\Bdmmeo32.exe | C:\Windows\SysWOW64\Agimkk32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bhkfkmmg.exe | C:\Windows\SysWOW64\Bdmmeo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Okhbek32.dll | C:\Windows\SysWOW64\Cpmapodj.exe | N/A |
| File created | C:\Windows\SysWOW64\Ekppjn32.dll | C:\Windows\SysWOW64\Caageq32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Phfcipoo.exe | C:\Windows\SysWOW64\Phcgcqab.exe | N/A |
| File created | C:\Windows\SysWOW64\Mfgomdnj.dll | C:\Windows\SysWOW64\Qpeahb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gjecbd32.dll | C:\Windows\SysWOW64\Bhkfkmmg.exe | N/A |
| File created | C:\Windows\SysWOW64\Kbmimp32.dll | C:\Windows\SysWOW64\Llodgnja.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Phcgcqab.exe | C:\Windows\SysWOW64\Ppjbmc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pmpockdl.dll | C:\Windows\SysWOW64\Adcjop32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cgifbhid.exe | C:\Windows\SysWOW64\Cpmapodj.exe | N/A |
| File created | C:\Windows\SysWOW64\Lbpflbpa.dll | C:\Windows\SysWOW64\Ojomcopk.exe | N/A |
| File created | C:\Windows\SysWOW64\Nphihiif.dll | C:\Windows\SysWOW64\Ompfej32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qfkqjmdg.exe | C:\Windows\SysWOW64\Phfcipoo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dhphmj32.exe | C:\Windows\SysWOW64\Caageq32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kofkbk32.exe | C:\Windows\SysWOW64\Kjgeedch.exe | N/A |
| File created | C:\Windows\SysWOW64\Cfiedd32.dll | C:\Windows\SysWOW64\Kjgeedch.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Agimkk32.exe | C:\Windows\SysWOW64\Apmhiq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mqkiok32.exe | C:\Windows\SysWOW64\Mgphpe32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ojomcopk.exe | C:\Windows\SysWOW64\Ngndaccj.exe | N/A |
| File created | C:\Windows\SysWOW64\Ompfej32.exe | C:\Windows\SysWOW64\Ojomcopk.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Dkqaoe32.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Qpeahb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfgomdnj.dll" | C:\Windows\SysWOW64\Qpeahb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Qpeahb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mgphpe32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cpmapodj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mgphpe32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifaohg32.dll" | C:\Windows\SysWOW64\Agimkk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bphgeo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Phcgcqab.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Phfcipoo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgeaknci.dll" | C:\Windows\SysWOW64\Aagkhd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Apmhiq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bphgeo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cgifbhid.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kofkbk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mfnoqc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eemnff32.dll" | C:\Users\Admin\AppData\Local\Temp\37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Oabhfg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dhphmj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipgijcij.dll" | C:\Windows\SysWOW64\Kofkbk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Qfkqjmdg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jniood32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adfnba32.dll" | C:\Windows\SysWOW64\Ncnofeof.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmephjke.dll" | C:\Windows\SysWOW64\Ppjbmc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcdibc32.dll" | C:\Windows\SysWOW64\Cgifbhid.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Llodgnja.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnffoibg.dll" | C:\Windows\SysWOW64\Ojfcdnjc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ppjbmc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ojomcopk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okhbek32.dll" | C:\Windows\SysWOW64\Cpmapodj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cgifbhid.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dhphmj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aablof32.dll" | C:\Windows\SysWOW64\Kegpifod.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfiedd32.dll" | C:\Windows\SysWOW64\Kjgeedch.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lfbped32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | C:\Users\Admin\AppData\Local\Temp\37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aepjgm32.dll" | C:\Windows\SysWOW64\Ngndaccj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ppjbmc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kegpifod.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kegpifod.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lggejg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ojfcdnjc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jponoqjl.dll" | C:\Windows\SysWOW64\Oabhfg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kjgeedch.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlcdqdie.dll" | C:\Windows\SysWOW64\Qfkqjmdg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Caageq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ncnofeof.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphihiif.dll" | C:\Windows\SysWOW64\Ompfej32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehhjm32.dll" | C:\Windows\SysWOW64\Phcgcqab.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Llodgnja.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Phcgcqab.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iocbnhog.dll" | C:\Windows\SysWOW64\Mgphpe32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mqkiok32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bdmmeo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mfnoqc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aagkhd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bdmmeo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekppjn32.dll" | C:\Windows\SysWOW64\Caageq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjecbd32.dll" | C:\Windows\SysWOW64\Bhkfkmmg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Agimkk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eehnaq32.dll" | C:\Windows\SysWOW64\Bphgeo32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exe"
C:\Windows\SysWOW64\Jniood32.exe
C:\Windows\system32\Jniood32.exe
C:\Windows\SysWOW64\Kegpifod.exe
C:\Windows\system32\Kegpifod.exe
C:\Windows\SysWOW64\Kjgeedch.exe
C:\Windows\system32\Kjgeedch.exe
C:\Windows\SysWOW64\Kofkbk32.exe
C:\Windows\system32\Kofkbk32.exe
C:\Windows\SysWOW64\Lfbped32.exe
C:\Windows\system32\Lfbped32.exe
C:\Windows\SysWOW64\Llodgnja.exe
C:\Windows\system32\Llodgnja.exe
C:\Windows\SysWOW64\Lggejg32.exe
C:\Windows\system32\Lggejg32.exe
C:\Windows\SysWOW64\Mfnoqc32.exe
C:\Windows\system32\Mfnoqc32.exe
C:\Windows\SysWOW64\Mgphpe32.exe
C:\Windows\system32\Mgphpe32.exe
C:\Windows\SysWOW64\Mqkiok32.exe
C:\Windows\system32\Mqkiok32.exe
C:\Windows\SysWOW64\Ncnofeof.exe
C:\Windows\system32\Ncnofeof.exe
C:\Windows\SysWOW64\Ngndaccj.exe
C:\Windows\system32\Ngndaccj.exe
C:\Windows\SysWOW64\Ojomcopk.exe
C:\Windows\system32\Ojomcopk.exe
C:\Windows\SysWOW64\Ompfej32.exe
C:\Windows\system32\Ompfej32.exe
C:\Windows\SysWOW64\Ojfcdnjc.exe
C:\Windows\system32\Ojfcdnjc.exe
C:\Windows\SysWOW64\Oabhfg32.exe
C:\Windows\system32\Oabhfg32.exe
C:\Windows\SysWOW64\Ppjbmc32.exe
C:\Windows\system32\Ppjbmc32.exe
C:\Windows\SysWOW64\Phcgcqab.exe
C:\Windows\system32\Phcgcqab.exe
C:\Windows\SysWOW64\Phfcipoo.exe
C:\Windows\system32\Phfcipoo.exe
C:\Windows\SysWOW64\Qfkqjmdg.exe
C:\Windows\system32\Qfkqjmdg.exe
C:\Windows\SysWOW64\Qpeahb32.exe
C:\Windows\system32\Qpeahb32.exe
C:\Windows\SysWOW64\Adcjop32.exe
C:\Windows\system32\Adcjop32.exe
C:\Windows\SysWOW64\Aagkhd32.exe
C:\Windows\system32\Aagkhd32.exe
C:\Windows\SysWOW64\Apmhiq32.exe
C:\Windows\system32\Apmhiq32.exe
C:\Windows\SysWOW64\Agimkk32.exe
C:\Windows\system32\Agimkk32.exe
C:\Windows\SysWOW64\Bdmmeo32.exe
C:\Windows\system32\Bdmmeo32.exe
C:\Windows\SysWOW64\Bhkfkmmg.exe
C:\Windows\system32\Bhkfkmmg.exe
C:\Windows\SysWOW64\Bphgeo32.exe
C:\Windows\system32\Bphgeo32.exe
C:\Windows\SysWOW64\Cpmapodj.exe
C:\Windows\system32\Cpmapodj.exe
C:\Windows\SysWOW64\Cgifbhid.exe
C:\Windows\system32\Cgifbhid.exe
C:\Windows\SysWOW64\Caageq32.exe
C:\Windows\system32\Caageq32.exe
C:\Windows\SysWOW64\Dhphmj32.exe
C:\Windows\system32\Dhphmj32.exe
C:\Windows\SysWOW64\Dkqaoe32.exe
C:\Windows\system32\Dkqaoe32.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 124 -p 2168 -ip 2168
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 400
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3744 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.234.34.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 13.107.253.64:443 | tcp | |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.173.189.20.in-addr.arpa | udp |
Files
memory/3176-0-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3176-1-0x0000000000432000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Jniood32.exe
| MD5 | 2e0efb17ea84d274acc5581b5568aa7a |
| SHA1 | 459388c0c51ce5ab39e7dc2a72dab8f157780608 |
| SHA256 | 6b89682610d8e6bb0b3714f7fd9db7828c2d05e1ab595193f9a0b54c5fa56332 |
| SHA512 | a21e28a6bb1b38f578c38c336c6190cdc3e8a46741bc3fc584bc8df4303fa7004074a7e7ecc5086c2015ad73fb0e96ae49da03879cf35cf0037fc8731c86b1d7 |
memory/4944-8-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Kegpifod.exe
| MD5 | c9b64111593ff5eaf059e7358bb0ccbb |
| SHA1 | b830c309f4a09dc6066bed18334690d780b5c0db |
| SHA256 | 18bb5d0d97ccf08d6b341bb0449015bf3eec37a0074dc5085c1f237ad8d2ac06 |
| SHA512 | 2b3c475a2e45a5a93cbf8dc5ec258f383ffab5af246232d5273614e4add5a0238efe6c9e3cf5cc2291fbc65926222bbd50bc189cc53a96758d001c6858a35ae8 |
memory/4016-16-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Kjgeedch.exe
| MD5 | d9ac596b3634aa8b16ad2824bcb270fc |
| SHA1 | a19005579a62826815d1d1ed4d1bc7f9c8c10c7e |
| SHA256 | e43a7c5c2092bc0d6521f82084c8433cf7b8fea964b785e1015e6de53b3805a3 |
| SHA512 | 81558907da848174f5ab03976321baeb97dd917c02b4165723bcb435d2518d75c915fd0215ee70863a010068595241be77215d42309647f5aec06fc6dfbd6af7 |
C:\Windows\SysWOW64\Kjgeedch.exe
| MD5 | 572757ec7576a9e112a5c3ffb0fde2ef |
| SHA1 | 7691e309771995319421808c0884195c95ead2f7 |
| SHA256 | 9db554b48d881943cda1dc97ab5ba8096240168a7d6bfc933059271967003076 |
| SHA512 | 0416c08b5df1e2c61ae9a86ae539f6fd9d68c2b034512a211fc7fc5f9ab8762968b5b75abc05eecb569d6d015eba4062c2b1222ae4bd3e34506b265800675b81 |
memory/404-24-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Kofkbk32.exe
| MD5 | 31c77b84682d651ac9c9ab964e65602b |
| SHA1 | ce9409b2b65789f06d39d93a7235f6204eb060e7 |
| SHA256 | 7b817982dc2b36919937cd60f1e8b407b3d983a152a376cc8d80a4d27fd7f07a |
| SHA512 | f8e2c3459633f600679e41e6d2f3ff48c37b3afd2fb097c8ba9d7185da0efe7369cde759e677762dbd0fac24630bc43d3243ec8212ef5146ff35995442995f71 |
memory/2724-32-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Lfbped32.exe
| MD5 | e3f1502ef372bc42ca7b7709d6d05e51 |
| SHA1 | ae370b859637a84eb1fd003f69f75a5997092b09 |
| SHA256 | e0cb2da5b924e99fafc309622c72f6f46867108ca59663b8758900f106e32acf |
| SHA512 | b7001d3d58edabe95d361c1315706e826d057038d06a56f7535ddb75640ba67e9686af1d66d6c1a409b58a2ce7db80741333fca0ae3a42fece6339dca30e96b8 |
memory/32-40-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Llodgnja.exe
| MD5 | 7bcb9c8b99ffad4d2632f0307b5934be |
| SHA1 | 4c2276913bc1ff9a4ebb657d4e2fa16b3f7dee64 |
| SHA256 | 41f40a10b329a606082ab50b1d7bddbb0a0270d81c60d346c9d06830245bbfe8 |
| SHA512 | 11b6cf2b38f3e30404d51b03d353bea34642817b22e76b561c4198e71130cea65fa261e0a8dcbc63b75466c584882320f08bf14dc759793fd5ba54920686b65c |
memory/880-48-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Lggejg32.exe
| MD5 | 98e8faab66b03f64d2fe3c759a285a5c |
| SHA1 | 6c0ce8258d0303bf8ab82257e135752efefdacc8 |
| SHA256 | b3ac1ca54c0dc636024cec4dc7f32b7a341d741b7a7adf4cb662d2463beb6a28 |
| SHA512 | 1aea47e6684367b24d1ed145c1f73bdedb095927435ac0c123ed2a9854d39422cf67bcd1b5c4bfaf34f27d0b873ea3579690208abb7e3b8c699e84956f3a1822 |
memory/2904-57-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Mfnoqc32.exe
| MD5 | fafa988d54b9d9e6d7da644a1b25a824 |
| SHA1 | 4ec326546a78352a2e765f4917ffbede881335ad |
| SHA256 | 099a9f76a6d539fd0335ac5dba460d217ad68d584a8eb624dfef17de3cbb0d28 |
| SHA512 | d0ec17daa238db01415838b4bcf77b3ab777364b3256f128153e1a3f46d8ef9b5ec0fc5b6839392f5f8f7fb1efa5c6f54e7bfcc79e9825e72f5fb13c95d3d603 |
memory/1016-64-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Mgphpe32.exe
| MD5 | b555a6a1846b8801f18ba15501454deb |
| SHA1 | 0a6669111421b8d171920ff9848300a91c8fab13 |
| SHA256 | 9a3c8f49a17dbeee503f7fdcc8696d8ff8217b070610e1bce523e046e959f361 |
| SHA512 | 6844aa4e1b1d58cac60a96f791edd45e228fc7ae067a4e3f591a649921e359a8320d91137dd902d34c023be3608a7e9d2df898c8f4f779f2b0af30c5acc7f2c6 |
memory/1432-73-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Mqkiok32.exe
| MD5 | 6e07ba17d90198364606162a36f068d4 |
| SHA1 | 42d2ea10b2dab5e26556a9bbf46eca4eeffafb5e |
| SHA256 | 1e80ec8dc6b530fb6235ce33715c52c3fb0fe5aaea306bb744d721ea8d76375f |
| SHA512 | 24605aa22f0d4c663ec846d63b515cd951d0d2b28a7972dfa5fe2d5f3d601d1124fde738230651e8babd1d53b42a7ad59d16843cc7f8d86ce266e6857847dec7 |
memory/2884-80-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Ncnofeof.exe
| MD5 | 2cd3325b1c9ac4cb7549035b63786166 |
| SHA1 | 503f50f8d7603beb6aede37b0a5f147a9ca99bec |
| SHA256 | 512f8778765844975c134702ad93671265d6c014d446da848d0a854a181304d5 |
| SHA512 | d54a0c529ef6b006bd0542c53471d11f1780cc802e97712e7ee9f6876aef2021a536b65239b1c9d907be473e55feafc574924ca848f10f4438b3736a050c1af6 |
memory/3088-89-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Ngndaccj.exe
| MD5 | 31992000aac1dbd6c44bc7bc5289ac56 |
| SHA1 | a039f53c55624d48ff420ad339d02885cab373e6 |
| SHA256 | f2c8b6ac8f3ef34bb6a80cb863ae1b4aa472b7f000c88de3a5f19941e52d76e5 |
| SHA512 | b57fcf297c2a62f360208668f8a18a65f857400c1fb8a495613631264aab16a7cfb4fb2bacd51949be0a71870640e15b6f67859c6107805359b6f0d812aac3b1 |
memory/4304-97-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Ojomcopk.exe
| MD5 | 41d3542b18d662841bd083af7cbf056f |
| SHA1 | 7989b7ceb9bf9281069585c978d3528249758cc6 |
| SHA256 | 4a1c2cf4434625570b84c7194e27e4daf72320a9b76f655bd15137220a8d69bd |
| SHA512 | b174f82702ce4a78a7b2bcae4c37af9fdb2f50c91152771a0c2fa153005dc683e4aa59e5a566acd22b5c5cd7bd73a52457d7c47c5c8865bcc61157d74faa9030 |
memory/1708-104-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Ompfej32.exe
| MD5 | 3d1ee23f412c47fea2e7563355110f54 |
| SHA1 | fbae44c9c0489e6a657773856be6f8a93177b4a1 |
| SHA256 | 421f0262cdaf60af62d5d657730846f7fd9c6191cdc6403506f85ea890e347ba |
| SHA512 | 573a562eadbada5c106731877dfe3bc7ec0fee767c39f3e92975fba15d69affbca14160896238ce6a116a965f00262be0842ab7adf57b0d064689693a817accd |
memory/2124-113-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Ojfcdnjc.exe
| MD5 | b2fc5f1c46f2d5dd903f21ff83ebb7a0 |
| SHA1 | 352893cb7167f8e6b6daa43d3fe46d115b619dc1 |
| SHA256 | 6b04ee75421e734189dc43efcbbf1e721c9a710aefc4f46b89bd570d3f2932f2 |
| SHA512 | 85f3f45b336d09b4de175207371c12a00a997acb5ceb1f2daa80f274f7643071f9ffcb60940abec85d1eb25a50cd77e80566fa4e3a15b61009193ae6040aec74 |
memory/5100-121-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Oabhfg32.exe
| MD5 | 79c093c46c2388278d5fd75db87b3de6 |
| SHA1 | e1320b025d2aaed0fc0fd182c951b25f55ed29e3 |
| SHA256 | 9f1b9a72b90a9433f5d605eedafe48cd958a2fc37c2f8ad0c73ff6ccd9e7a2c3 |
| SHA512 | f3e16d936e989e8c8c8e6f11941d924fc24ce10ebae2a597ed5cd73008817ea212007e9d6f314040c7881352d3cab0db03b3b3f7b0658d29c37f8439cf5d5936 |
memory/2356-128-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Ppjbmc32.exe
| MD5 | a2a0ee18f2475e1adea5e39a3c73459e |
| SHA1 | 71244d2b07d5edb8df4eae7557f69908947efbb2 |
| SHA256 | 8fb6529b17561d172dbcdff04c93dd3e3137b6078ca5d7477d1172a77a346b2a |
| SHA512 | 73ed26499101e83f1a30a672c90dd29ca2ea8424dccb1fa044ede2f54f782f7a5e34ae414735514692c86c373900b28800e2a686f00b651bca9bf1b2f2d5d5d5 |
memory/2728-137-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Phcgcqab.exe
| MD5 | 6923dfd67434ccb4d6c70f9f80089a59 |
| SHA1 | 217a77eb6f5402ab1d1f298fef4ad0e839755217 |
| SHA256 | e486d3a3a2e62d82032f374fe808832d0b9d6bfb9e04d0f20659e78fd62908b1 |
| SHA512 | 4cece493317fcfc8b9f0ad14135907ea1019e5ec413448598852551729435fc4fd1bad4429bcec5cc28fffe439a3078c0363ed1ee139694a9fc310790fed6839 |
memory/4604-145-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Phfcipoo.exe
| MD5 | 29defcba2de0e37d95b7690acca91081 |
| SHA1 | 91bbb78619e3183f41c194aa18542fd958092746 |
| SHA256 | be20ed4569b424c48f5b5deffefe7a142003dea419f8a8265af8466c3f21024e |
| SHA512 | ed18a646952964226d4a89d6048145f850b100c1181a8a189c896dae11214f2c0540c1d551a23293f0c86f019ea5e61375e701d0444c740905d42712607d9c18 |
memory/2348-153-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Qfkqjmdg.exe
| MD5 | 1bfa5fc85f2632ddf8ee69b8170a0a9e |
| SHA1 | 4160d536c45e43928ead6b3e22945734ef43cf7c |
| SHA256 | 1fefbefa2930ebd96f76818fc42f98f59e0ebd81a5f42748879b6a234de12966 |
| SHA512 | 3a8b869a9f604cf53dc34d4948958e3c7e91eedc442af7d9ef642b2db07ad9906699d16a036417549a64824763ff042429d0d259691c3c4334939805cc2f09d6 |
memory/4040-160-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Qpeahb32.exe
| MD5 | 46e1119548f8dc0301107970bde1a7a5 |
| SHA1 | 3613aac161256064dbe145b99dbcfac12747534f |
| SHA256 | 6b7b2506c50580c403a6a0e64b6a05b404c4944268150e071f768ee6f4ab6722 |
| SHA512 | 77df3687ec2ca9aff15bf6825f5375bffb9a28517650249fae1c78ec77f3e42980b73b591074241b377169447f19ed1a4b9d1cf987ddaa5ac581398d2e0ed142 |
memory/4496-168-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Aagkhd32.exe
| MD5 | 1e9ce22b33473cc4b8856889f3354dc8 |
| SHA1 | 8e0269e4be719a08847add5504d6fb978a85ca6b |
| SHA256 | 32c70271a8b5e7f604d31c29719010dc3fd4192824bacb7dfe269505a023ceac |
| SHA512 | c45f3b29a75281f05ff436740537d60570e524c46645962cf4883751b85cb79a18292aaced255f7c228e0ea23db336781d0cecb05edbdad40d6e65008e8f502e |
C:\Windows\SysWOW64\Adcjop32.exe
| MD5 | 29724dd2e1b03076aeffd95226dc1ead |
| SHA1 | 33477a9d60ba21622c33baab45d48af259d97bbd |
| SHA256 | 281795cdf7bec73056165a45d35a8d2ad1ce4e982e0857bc695ac60062f024df |
| SHA512 | 6bc9c37035c03858b6f6cac1a614524fe79fab2d353cece4740e19436da9ffc20c0a05f909bbe2283eebbacee373265d4f031f637e93c75b347c578e8baeaca4 |
memory/5056-177-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1784-185-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Apmhiq32.exe
| MD5 | aeb468513c31939f3e46b1f8cc77c404 |
| SHA1 | 5cb3370db66e7cc3d203c8781e41a0c83a0da829 |
| SHA256 | c4b58f1cf645a80a5ebfa6a4eee2a2351a58da111d074e9432941070e24e7a49 |
| SHA512 | 1c3f61b9280454500589c730db8d93d48414d7912572978538878af907e1a547098fc0b9bd3f83867c487e3a62b6832abd394fb2f450cfce280cad527fd19ddf |
memory/2916-192-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Agimkk32.exe
| MD5 | 0175fabddf42227b235129281360389f |
| SHA1 | 32a7a9719c43fd1669a689c41e8304933861141b |
| SHA256 | 8ead895f2f4f113ba4014108b434de7c96434c52c279bef0c631441d432c3868 |
| SHA512 | 510a60148e194ac3314dc346e6b4931fd82953f6835371aad0ccf76dcb009c48b9d645ecdb9b8a3459a13e093813f4bf20f5cea2e7d7d3be4019ae1d9cdd8757 |
memory/4348-201-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Bdmmeo32.exe
| MD5 | ce889e86769a824a05effc58dbe17123 |
| SHA1 | 8977bda2418d2aeb2cdda4826dfd8b687cf91fa0 |
| SHA256 | e25fa9cc23de5b83583997dd655cd96ef5378547b3b9f06e2a968c467fdc30a5 |
| SHA512 | 2abf358e23a1bf6858333b9dba3abe4e4e81daf31c2dbac969fbb5c32794030bb4e8ef60eb27ab88353c6b782cb98be3438f1c8cb4b1f4a04eaacfda14ce0bd2 |
memory/2400-208-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Bhkfkmmg.exe
| MD5 | 4e157e3bee84a3261e64db0c8d1dd2a7 |
| SHA1 | 04db357d99f987040c80a7c71fd49dfdfc3d935c |
| SHA256 | a46d6f6f4da648c31afb108ef48ecd577c32561811d6f83907b0ac80984b1033 |
| SHA512 | 484e4897a4833d98f95b6488135d107f69b46b1432c50981272bf04d961d9b6aa971839e9b5ff2b8f00f80bf4f40aeda147da65c122671b2276784dbcd1e2b22 |
memory/2416-216-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Bphgeo32.exe
| MD5 | 6bf452212e09d98ef0d8594976b6912c |
| SHA1 | eb94cf9d8b988e5710be2264f13e15036bbd4c1b |
| SHA256 | abe1b4e0212b1a37883408ebe574deb2bca055dc65709144a2f5e3665f16b952 |
| SHA512 | 45d4e5572a634e720baea477512ed72c641a73ae7a237653646c799fe87185c49126622d510cee9679e5e7b939d934806e15174ff1953e7892516379e8924faf |
memory/3220-224-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Cpmapodj.exe
| MD5 | 471e6f8614a4bc93611d9b0fab194660 |
| SHA1 | 3b0ec92d46945697993d96257aad9079a4bdb5ea |
| SHA256 | 7a47fffd0eb8dceb0077592c450434c698fcd7d3de88e81b440e68c988148e85 |
| SHA512 | 739f7ad2bb110f58421d96767175e8802ab5c377f1fbd69fb8adaeae16ef186c41313dc0d412f38246d5155e25a65f5c7c3889921772069f3123607137d63cd5 |
memory/2448-232-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Cgifbhid.exe
| MD5 | 6cccf81dd4eec17aefe79dc89831fce6 |
| SHA1 | d6c37c1f60b4e83cc456c79c00a4e588c6a232b2 |
| SHA256 | b54e5879b6c0d18fd4a3a79476c5ebbfb32f388d93bf52d73bb752750bdcc831 |
| SHA512 | 9a7c128d8d7a494e7caa0d8611ec5e8f421ff2eeab37338cc4c02498f09c790f7178eee9058c8a6fb71da0a3ac3b29dd54efb8d2700fbf6c2a5a1eb9bea758c6 |
memory/4020-240-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Caageq32.exe
| MD5 | 8ba2a4f7548554bc4b1a889a03c1f390 |
| SHA1 | 54671d58a567e247d43256bc657893f96d48209c |
| SHA256 | 88441ac4f92ebc761404eecb61591dcfb7904eb89976409c7befd7791308c8f9 |
| SHA512 | 8898be261f914f2d995cccd84afeeb9850d91e47602a7919b1217df462cd441542d342b016d54c940e70bbc9ead8b5e7a2a4f8cfea9748535c4752c75a80cad9 |
memory/2132-248-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Dhphmj32.exe
| MD5 | c2bf37555da2cccd78b9e8f970531ac4 |
| SHA1 | d8a7dfb0a846e6882158b59d752ebafcf4038cfc |
| SHA256 | 948a7dc386d4f267f616d22bc650b4eb37322c871a7e9074c9bfe74728d45025 |
| SHA512 | d7a0f139550864bc82bc1bbb00aaa597cf4fc01d640deba1d7b4382438cd1a9c1032951d3e1c3701f7f0d40e05ffc60c68a450872b61bb009b5fc448c1185309 |
memory/4640-256-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2168-263-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2168-271-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4640-273-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2132-275-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2416-283-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2916-289-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4604-301-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2356-305-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1708-311-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1432-319-0x0000000000400000-0x0000000000453000-memory.dmp
memory/880-325-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4016-333-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3176-337-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4944-335-0x0000000000400000-0x0000000000453000-memory.dmp
memory/404-331-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2724-329-0x0000000000400000-0x0000000000453000-memory.dmp
memory/32-327-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2904-323-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1016-321-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2884-317-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3088-315-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4304-313-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2124-309-0x0000000000400000-0x0000000000453000-memory.dmp
memory/5100-307-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2728-303-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2348-299-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4040-297-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4496-295-0x0000000000400000-0x0000000000453000-memory.dmp
memory/5056-293-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1784-291-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4348-288-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2400-286-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2448-282-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3220-280-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4020-277-0x0000000000400000-0x0000000000453000-memory.dmp