Malware Analysis Report

2025-01-23 04:39

Sample ID 240522-31exnsdh8t
Target 5d6e9ecebaa07acfd4221c417a3534c0_NeikiAnalytics.exe
SHA256 652245e435118aa1cf279ec10811a7d8de742ad17df62d116af11708569f2c15
Tags
backdoor trojan dropper berbew persistence
score
10/10

Analysis Overview

score
10/10

SHA256

652245e435118aa1cf279ec10811a7d8de742ad17df62d116af11708569f2c15

Threat Level: Known bad

The file 5d6e9ecebaa07acfd4221c417a3534c0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

backdoor trojan dropper berbew persistence

Berbew family

Malware Dropper & Backdoor - Berbew

Adds autorun key to be loaded by Explorer.exe on startup

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Program crash

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-22 23:58

Signatures

Berbew family

berbew

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 23:58

Reported

2024-05-23 00:01

Platform

win7-20240221-en

Max time kernel

122s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5d6e9ecebaa07acfd4221c417a3534c0_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gaemjbcg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hcifgjgc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hkpnhgge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hckcmjep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hpocfncj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hkkalk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ihoafpmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Iknnbklc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hgbebiao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hjhhocjj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gejcjbah.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gmjaic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hahjpbad.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hjhhocjj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hiekid32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hgilchkf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gaqcoc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Geolea32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hcplhi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hogmmjfo.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gkihhhnm.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hgbebiao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hpkjko32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hlakpp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hobcak32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hogmmjfo.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gicbeald.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gaemjbcg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hckcmjep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hgilchkf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\5d6e9ecebaa07acfd4221c417a3534c0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Geolea32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gmjaic32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hahjpbad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hcifgjgc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hlfdkoin.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hcplhi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gkgkbipp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hlakpp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hggomh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hlfdkoin.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hhmepp32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iknnbklc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\5d6e9ecebaa07acfd4221c417a3534c0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ghmiam32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iaeiieeb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gejcjbah.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gaqcoc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gkkemh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hpkjko32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hpocfncj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gkihhhnm.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hkpnhgge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hkkalk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gicbeald.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gkgkbipp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gmgdddmq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gmgdddmq.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ghmiam32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gkkemh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hggomh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hhmepp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Iaeiieeb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ihoafpmp.exe N/A

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Gicbeald.exe N/A
N/A N/A C:\Windows\SysWOW64\Gejcjbah.exe N/A
N/A N/A C:\Windows\SysWOW64\Gkgkbipp.exe N/A
N/A N/A C:\Windows\SysWOW64\Gaqcoc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gkihhhnm.exe N/A
N/A N/A C:\Windows\SysWOW64\Gmgdddmq.exe N/A
N/A N/A C:\Windows\SysWOW64\Geolea32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghmiam32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gkkemh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gmjaic32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gaemjbcg.exe N/A
N/A N/A C:\Windows\SysWOW64\Hgbebiao.exe N/A
N/A N/A C:\Windows\SysWOW64\Hahjpbad.exe N/A
N/A N/A C:\Windows\SysWOW64\Hpkjko32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hcifgjgc.exe N/A
N/A N/A C:\Windows\SysWOW64\Hkpnhgge.exe N/A
N/A N/A C:\Windows\SysWOW64\Hlakpp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hckcmjep.exe N/A
N/A N/A C:\Windows\SysWOW64\Hggomh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hiekid32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hpocfncj.exe N/A
N/A N/A C:\Windows\SysWOW64\Hobcak32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hgilchkf.exe N/A
N/A N/A C:\Windows\SysWOW64\Hjhhocjj.exe N/A
N/A N/A C:\Windows\SysWOW64\Hlfdkoin.exe N/A
N/A N/A C:\Windows\SysWOW64\Hcplhi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hhmepp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hkkalk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hogmmjfo.exe N/A
N/A N/A C:\Windows\SysWOW64\Iaeiieeb.exe N/A
N/A N/A C:\Windows\SysWOW64\Ihoafpmp.exe N/A
N/A N/A C:\Windows\SysWOW64\Iknnbklc.exe N/A
N/A N/A C:\Windows\SysWOW64\Iagfoe32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5d6e9ecebaa07acfd4221c417a3534c0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5d6e9ecebaa07acfd4221c417a3534c0_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\SysWOW64\Gicbeald.exe N/A
N/A N/A C:\Windows\SysWOW64\Gicbeald.exe N/A
N/A N/A C:\Windows\SysWOW64\Gejcjbah.exe N/A
N/A N/A C:\Windows\SysWOW64\Gejcjbah.exe N/A
N/A N/A C:\Windows\SysWOW64\Gkgkbipp.exe N/A
N/A N/A C:\Windows\SysWOW64\Gkgkbipp.exe N/A
N/A N/A C:\Windows\SysWOW64\Gaqcoc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gaqcoc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gkihhhnm.exe N/A
N/A N/A C:\Windows\SysWOW64\Gkihhhnm.exe N/A
N/A N/A C:\Windows\SysWOW64\Gmgdddmq.exe N/A
N/A N/A C:\Windows\SysWOW64\Gmgdddmq.exe N/A
N/A N/A C:\Windows\SysWOW64\Geolea32.exe N/A
N/A N/A C:\Windows\SysWOW64\Geolea32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghmiam32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghmiam32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gkkemh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gkkemh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gmjaic32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gmjaic32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gaemjbcg.exe N/A
N/A N/A C:\Windows\SysWOW64\Gaemjbcg.exe N/A
N/A N/A C:\Windows\SysWOW64\Hgbebiao.exe N/A
N/A N/A C:\Windows\SysWOW64\Hgbebiao.exe N/A
N/A N/A C:\Windows\SysWOW64\Hahjpbad.exe N/A
N/A N/A C:\Windows\SysWOW64\Hahjpbad.exe N/A
N/A N/A C:\Windows\SysWOW64\Hpkjko32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hpkjko32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hcifgjgc.exe N/A
N/A N/A C:\Windows\SysWOW64\Hcifgjgc.exe N/A
N/A N/A C:\Windows\SysWOW64\Hkpnhgge.exe N/A
N/A N/A C:\Windows\SysWOW64\Hkpnhgge.exe N/A
N/A N/A C:\Windows\SysWOW64\Hlakpp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hlakpp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hckcmjep.exe N/A
N/A N/A C:\Windows\SysWOW64\Hckcmjep.exe N/A
N/A N/A C:\Windows\SysWOW64\Hggomh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hggomh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hiekid32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hiekid32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hpocfncj.exe N/A
N/A N/A C:\Windows\SysWOW64\Hpocfncj.exe N/A
N/A N/A C:\Windows\SysWOW64\Hobcak32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hobcak32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hgilchkf.exe N/A
N/A N/A C:\Windows\SysWOW64\Hgilchkf.exe N/A
N/A N/A C:\Windows\SysWOW64\Hjhhocjj.exe N/A
N/A N/A C:\Windows\SysWOW64\Hjhhocjj.exe N/A
N/A N/A C:\Windows\SysWOW64\Hlfdkoin.exe N/A
N/A N/A C:\Windows\SysWOW64\Hlfdkoin.exe N/A
N/A N/A C:\Windows\SysWOW64\Hcplhi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hcplhi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hhmepp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hhmepp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hkkalk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hkkalk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hogmmjfo.exe N/A
N/A N/A C:\Windows\SysWOW64\Hogmmjfo.exe N/A
N/A N/A C:\Windows\SysWOW64\Iaeiieeb.exe N/A
N/A N/A C:\Windows\SysWOW64\Iaeiieeb.exe N/A
N/A N/A C:\Windows\SysWOW64\Ihoafpmp.exe N/A
N/A N/A C:\Windows\SysWOW64\Ihoafpmp.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Ldahol32.dll C:\Windows\SysWOW64\Gicbeald.exe N/A
File opened for modification C:\Windows\SysWOW64\Gaqcoc32.exe C:\Windows\SysWOW64\Gkgkbipp.exe N/A
File created C:\Windows\SysWOW64\Hggomh32.exe C:\Windows\SysWOW64\Hckcmjep.exe N/A
File created C:\Windows\SysWOW64\Amammd32.dll C:\Windows\SysWOW64\Iaeiieeb.exe N/A
File created C:\Windows\SysWOW64\Iagfoe32.exe C:\Windows\SysWOW64\Iknnbklc.exe N/A
File created C:\Windows\SysWOW64\Hnempl32.dll C:\Windows\SysWOW64\Geolea32.exe N/A
File created C:\Windows\SysWOW64\Hgbebiao.exe C:\Windows\SysWOW64\Gaemjbcg.exe N/A
File opened for modification C:\Windows\SysWOW64\Iknnbklc.exe C:\Windows\SysWOW64\Ihoafpmp.exe N/A
File opened for modification C:\Windows\SysWOW64\Hcifgjgc.exe C:\Windows\SysWOW64\Hpkjko32.exe N/A
File created C:\Windows\SysWOW64\Hiekid32.exe C:\Windows\SysWOW64\Hggomh32.exe N/A
File created C:\Windows\SysWOW64\Hcplhi32.exe C:\Windows\SysWOW64\Hlfdkoin.exe N/A
File created C:\Windows\SysWOW64\Hkpnhgge.exe C:\Windows\SysWOW64\Hcifgjgc.exe N/A
File created C:\Windows\SysWOW64\Hgilchkf.exe C:\Windows\SysWOW64\Hobcak32.exe N/A
File created C:\Windows\SysWOW64\Kcaipkch.dll C:\Windows\SysWOW64\Ghmiam32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hlakpp32.exe C:\Windows\SysWOW64\Hkpnhgge.exe N/A
File created C:\Windows\SysWOW64\Hciofb32.dll C:\Windows\SysWOW64\Hiekid32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ihoafpmp.exe C:\Windows\SysWOW64\Iaeiieeb.exe N/A
File opened for modification C:\Windows\SysWOW64\Geolea32.exe C:\Windows\SysWOW64\Gmgdddmq.exe N/A
File created C:\Windows\SysWOW64\Pffgja32.dll C:\Windows\SysWOW64\Hcifgjgc.exe N/A
File created C:\Windows\SysWOW64\Hjhhocjj.exe C:\Windows\SysWOW64\Hgilchkf.exe N/A
File created C:\Windows\SysWOW64\Kleiio32.dll C:\Users\Admin\AppData\Local\Temp\5d6e9ecebaa07acfd4221c417a3534c0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Gkkemh32.exe C:\Windows\SysWOW64\Ghmiam32.exe N/A
File created C:\Windows\SysWOW64\Ahcocb32.dll C:\Windows\SysWOW64\Gaqcoc32.exe N/A
File created C:\Windows\SysWOW64\Gknfklng.dll C:\Windows\SysWOW64\Hggomh32.exe N/A
File created C:\Windows\SysWOW64\Nokeef32.dll C:\Windows\SysWOW64\Hpocfncj.exe N/A
File created C:\Windows\SysWOW64\Hkkalk32.exe C:\Windows\SysWOW64\Hhmepp32.exe N/A
File created C:\Windows\SysWOW64\Hahjpbad.exe C:\Windows\SysWOW64\Hgbebiao.exe N/A
File created C:\Windows\SysWOW64\Cabknqko.dll C:\Windows\SysWOW64\Hlakpp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hlfdkoin.exe C:\Windows\SysWOW64\Hjhhocjj.exe N/A
File opened for modification C:\Windows\SysWOW64\Hiekid32.exe C:\Windows\SysWOW64\Hggomh32.exe N/A
File created C:\Windows\SysWOW64\Gaqcoc32.exe C:\Windows\SysWOW64\Gkgkbipp.exe N/A
File created C:\Windows\SysWOW64\Fndldonj.dll C:\Windows\SysWOW64\Gkgkbipp.exe N/A
File opened for modification C:\Windows\SysWOW64\Gmjaic32.exe C:\Windows\SysWOW64\Gkkemh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hcplhi32.exe C:\Windows\SysWOW64\Hlfdkoin.exe N/A
File created C:\Windows\SysWOW64\Ojhcelga.dll C:\Windows\SysWOW64\Hkkalk32.exe N/A
File created C:\Windows\SysWOW64\Iaeiieeb.exe C:\Windows\SysWOW64\Hogmmjfo.exe N/A
File created C:\Windows\SysWOW64\Bhpdae32.dll C:\Windows\SysWOW64\Hckcmjep.exe N/A
File opened for modification C:\Windows\SysWOW64\Hjhhocjj.exe C:\Windows\SysWOW64\Hgilchkf.exe N/A
File opened for modification C:\Windows\SysWOW64\Ghmiam32.exe C:\Windows\SysWOW64\Geolea32.exe N/A
File created C:\Windows\SysWOW64\Oiogaqdb.dll C:\Windows\SysWOW64\Hjhhocjj.exe N/A
File created C:\Windows\SysWOW64\Hpkjko32.exe C:\Windows\SysWOW64\Hahjpbad.exe N/A
File created C:\Windows\SysWOW64\Hcifgjgc.exe C:\Windows\SysWOW64\Hpkjko32.exe N/A
File created C:\Windows\SysWOW64\Gaemjbcg.exe C:\Windows\SysWOW64\Gmjaic32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hahjpbad.exe C:\Windows\SysWOW64\Hgbebiao.exe N/A
File opened for modification C:\Windows\SysWOW64\Hpkjko32.exe C:\Windows\SysWOW64\Hahjpbad.exe N/A
File opened for modification C:\Windows\SysWOW64\Hkpnhgge.exe C:\Windows\SysWOW64\Hcifgjgc.exe N/A
File created C:\Windows\SysWOW64\Hpocfncj.exe C:\Windows\SysWOW64\Hiekid32.exe N/A
File created C:\Windows\SysWOW64\Gjenmobn.dll C:\Windows\SysWOW64\Iknnbklc.exe N/A
File created C:\Windows\SysWOW64\Geolea32.exe C:\Windows\SysWOW64\Gmgdddmq.exe N/A
File created C:\Windows\SysWOW64\Ghmiam32.exe C:\Windows\SysWOW64\Geolea32.exe N/A
File created C:\Windows\SysWOW64\Gkkemh32.exe C:\Windows\SysWOW64\Ghmiam32.exe N/A
File created C:\Windows\SysWOW64\Fenhecef.dll C:\Windows\SysWOW64\Hgilchkf.exe N/A
File created C:\Windows\SysWOW64\Gejcjbah.exe C:\Windows\SysWOW64\Gicbeald.exe N/A
File opened for modification C:\Windows\SysWOW64\Gkihhhnm.exe C:\Windows\SysWOW64\Gaqcoc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hgbebiao.exe C:\Windows\SysWOW64\Gaemjbcg.exe N/A
File opened for modification C:\Windows\SysWOW64\Hckcmjep.exe C:\Windows\SysWOW64\Hlakpp32.exe N/A
File created C:\Windows\SysWOW64\Nbniiffi.dll C:\Windows\SysWOW64\Hobcak32.exe N/A
File opened for modification C:\Windows\SysWOW64\Iagfoe32.exe C:\Windows\SysWOW64\Iknnbklc.exe N/A
File created C:\Windows\SysWOW64\Njmekj32.dll C:\Windows\SysWOW64\Hgbebiao.exe N/A
File created C:\Windows\SysWOW64\Fealjk32.dll C:\Windows\SysWOW64\Hpkjko32.exe N/A
File created C:\Windows\SysWOW64\Hlfdkoin.exe C:\Windows\SysWOW64\Hjhhocjj.exe N/A
File created C:\Windows\SysWOW64\Fpmkde32.dll C:\Windows\SysWOW64\Gejcjbah.exe N/A
File created C:\Windows\SysWOW64\Hckcmjep.exe C:\Windows\SysWOW64\Hlakpp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hobcak32.exe C:\Windows\SysWOW64\Hpocfncj.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldahol32.dll" C:\Windows\SysWOW64\Gicbeald.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gkihhhnm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ghmiam32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Iaeiieeb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hiekid32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hcplhi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhaablp.dll" C:\Windows\SysWOW64\Hcplhi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ihoafpmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gmjaic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmibbifn.dll" C:\Windows\SysWOW64\Hogmmjfo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqpofkjo.dll" C:\Windows\SysWOW64\Ihoafpmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hgilchkf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcaciakh.dll" C:\Windows\SysWOW64\Gmjaic32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gaemjbcg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hckcmjep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojhcelga.dll" C:\Windows\SysWOW64\Hkkalk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahcocb32.dll" C:\Windows\SysWOW64\Gaqcoc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lponfjoo.dll" C:\Windows\SysWOW64\Hlfdkoin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gejcjbah.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hobcak32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll" C:\Windows\SysWOW64\Iknnbklc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hogmmjfo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gkihhhnm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hcifgjgc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cabknqko.dll" C:\Windows\SysWOW64\Hlakpp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gicbeald.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} C:\Users\Admin\AppData\Local\Temp\5d6e9ecebaa07acfd4221c417a3534c0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gkgkbipp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hgbebiao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hjhhocjj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fndldonj.dll" C:\Windows\SysWOW64\Gkgkbipp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gmgdddmq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Geolea32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aimkgn32.dll" C:\Windows\SysWOW64\Gkkemh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Iknnbklc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnkge32.dll" C:\Windows\SysWOW64\Gmgdddmq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fealjk32.dll" C:\Windows\SysWOW64\Hpkjko32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hggomh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenhecef.dll" C:\Windows\SysWOW64\Hgilchkf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gaqcoc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hlakpp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hgilchkf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hkkalk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Iaeiieeb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnempl32.dll" C:\Windows\SysWOW64\Geolea32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codpklfq.dll" C:\Windows\SysWOW64\Hahjpbad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gknfklng.dll" C:\Windows\SysWOW64\Hggomh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hciofb32.dll" C:\Windows\SysWOW64\Hiekid32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hlakpp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhpdae32.dll" C:\Windows\SysWOW64\Hckcmjep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hiekid32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Iknnbklc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\5d6e9ecebaa07acfd4221c417a3534c0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gmgdddmq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hcifgjgc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hckcmjep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hpocfncj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hcplhi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hhmepp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ghmiam32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hahjpbad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hggomh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kleiio32.dll" C:\Users\Admin\AppData\Local\Temp\5d6e9ecebaa07acfd4221c417a3534c0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpmkde32.dll" C:\Windows\SysWOW64\Gejcjbah.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1888 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\5d6e9ecebaa07acfd4221c417a3534c0_NeikiAnalytics.exe C:\Windows\SysWOW64\Gicbeald.exe
PID 1888 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\5d6e9ecebaa07acfd4221c417a3534c0_NeikiAnalytics.exe C:\Windows\SysWOW64\Gicbeald.exe
PID 1888 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\5d6e9ecebaa07acfd4221c417a3534c0_NeikiAnalytics.exe C:\Windows\SysWOW64\Gicbeald.exe
PID 1888 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\5d6e9ecebaa07acfd4221c417a3534c0_NeikiAnalytics.exe C:\Windows\SysWOW64\Gicbeald.exe
PID 1564 wrote to memory of 2684 N/A C:\Windows\SysWOW64\Gicbeald.exe C:\Windows\SysWOW64\Gejcjbah.exe
PID 1564 wrote to memory of 2684 N/A C:\Windows\SysWOW64\Gicbeald.exe C:\Windows\SysWOW64\Gejcjbah.exe
PID 1564 wrote to memory of 2684 N/A C:\Windows\SysWOW64\Gicbeald.exe C:\Windows\SysWOW64\Gejcjbah.exe
PID 1564 wrote to memory of 2684 N/A C:\Windows\SysWOW64\Gicbeald.exe C:\Windows\SysWOW64\Gejcjbah.exe
PID 2684 wrote to memory of 3068 N/A C:\Windows\SysWOW64\Gejcjbah.exe C:\Windows\SysWOW64\Gkgkbipp.exe
PID 2684 wrote to memory of 3068 N/A C:\Windows\SysWOW64\Gejcjbah.exe C:\Windows\SysWOW64\Gkgkbipp.exe
PID 2684 wrote to memory of 3068 N/A C:\Windows\SysWOW64\Gejcjbah.exe C:\Windows\SysWOW64\Gkgkbipp.exe
PID 2684 wrote to memory of 3068 N/A C:\Windows\SysWOW64\Gejcjbah.exe C:\Windows\SysWOW64\Gkgkbipp.exe
PID 3068 wrote to memory of 848 N/A C:\Windows\SysWOW64\Gkgkbipp.exe C:\Windows\SysWOW64\Gaqcoc32.exe
PID 3068 wrote to memory of 848 N/A C:\Windows\SysWOW64\Gkgkbipp.exe C:\Windows\SysWOW64\Gaqcoc32.exe
PID 3068 wrote to memory of 848 N/A C:\Windows\SysWOW64\Gkgkbipp.exe C:\Windows\SysWOW64\Gaqcoc32.exe
PID 3068 wrote to memory of 848 N/A C:\Windows\SysWOW64\Gkgkbipp.exe C:\Windows\SysWOW64\Gaqcoc32.exe
PID 848 wrote to memory of 2388 N/A C:\Windows\SysWOW64\Gaqcoc32.exe C:\Windows\SysWOW64\Gkihhhnm.exe
PID 848 wrote to memory of 2388 N/A C:\Windows\SysWOW64\Gaqcoc32.exe C:\Windows\SysWOW64\Gkihhhnm.exe
PID 848 wrote to memory of 2388 N/A C:\Windows\SysWOW64\Gaqcoc32.exe C:\Windows\SysWOW64\Gkihhhnm.exe
PID 848 wrote to memory of 2388 N/A C:\Windows\SysWOW64\Gaqcoc32.exe C:\Windows\SysWOW64\Gkihhhnm.exe
PID 2388 wrote to memory of 2436 N/A C:\Windows\SysWOW64\Gkihhhnm.exe C:\Windows\SysWOW64\Gmgdddmq.exe
PID 2388 wrote to memory of 2436 N/A C:\Windows\SysWOW64\Gkihhhnm.exe C:\Windows\SysWOW64\Gmgdddmq.exe
PID 2388 wrote to memory of 2436 N/A C:\Windows\SysWOW64\Gkihhhnm.exe C:\Windows\SysWOW64\Gmgdddmq.exe
PID 2388 wrote to memory of 2436 N/A C:\Windows\SysWOW64\Gkihhhnm.exe C:\Windows\SysWOW64\Gmgdddmq.exe
PID 2436 wrote to memory of 2788 N/A C:\Windows\SysWOW64\Gmgdddmq.exe C:\Windows\SysWOW64\Geolea32.exe
PID 2436 wrote to memory of 2788 N/A C:\Windows\SysWOW64\Gmgdddmq.exe C:\Windows\SysWOW64\Geolea32.exe
PID 2436 wrote to memory of 2788 N/A C:\Windows\SysWOW64\Gmgdddmq.exe C:\Windows\SysWOW64\Geolea32.exe
PID 2436 wrote to memory of 2788 N/A C:\Windows\SysWOW64\Gmgdddmq.exe C:\Windows\SysWOW64\Geolea32.exe
PID 2788 wrote to memory of 2820 N/A C:\Windows\SysWOW64\Geolea32.exe C:\Windows\SysWOW64\Ghmiam32.exe
PID 2788 wrote to memory of 2820 N/A C:\Windows\SysWOW64\Geolea32.exe C:\Windows\SysWOW64\Ghmiam32.exe
PID 2788 wrote to memory of 2820 N/A C:\Windows\SysWOW64\Geolea32.exe C:\Windows\SysWOW64\Ghmiam32.exe
PID 2788 wrote to memory of 2820 N/A C:\Windows\SysWOW64\Geolea32.exe C:\Windows\SysWOW64\Ghmiam32.exe
PID 2820 wrote to memory of 1476 N/A C:\Windows\SysWOW64\Ghmiam32.exe C:\Windows\SysWOW64\Gkkemh32.exe
PID 2820 wrote to memory of 1476 N/A C:\Windows\SysWOW64\Ghmiam32.exe C:\Windows\SysWOW64\Gkkemh32.exe
PID 2820 wrote to memory of 1476 N/A C:\Windows\SysWOW64\Ghmiam32.exe C:\Windows\SysWOW64\Gkkemh32.exe
PID 2820 wrote to memory of 1476 N/A C:\Windows\SysWOW64\Ghmiam32.exe C:\Windows\SysWOW64\Gkkemh32.exe
PID 1476 wrote to memory of 1488 N/A C:\Windows\SysWOW64\Gkkemh32.exe C:\Windows\SysWOW64\Gmjaic32.exe
PID 1476 wrote to memory of 1488 N/A C:\Windows\SysWOW64\Gkkemh32.exe C:\Windows\SysWOW64\Gmjaic32.exe
PID 1476 wrote to memory of 1488 N/A C:\Windows\SysWOW64\Gkkemh32.exe C:\Windows\SysWOW64\Gmjaic32.exe
PID 1476 wrote to memory of 1488 N/A C:\Windows\SysWOW64\Gkkemh32.exe C:\Windows\SysWOW64\Gmjaic32.exe
PID 1488 wrote to memory of 2460 N/A C:\Windows\SysWOW64\Gmjaic32.exe C:\Windows\SysWOW64\Gaemjbcg.exe
PID 1488 wrote to memory of 2460 N/A C:\Windows\SysWOW64\Gmjaic32.exe C:\Windows\SysWOW64\Gaemjbcg.exe
PID 1488 wrote to memory of 2460 N/A C:\Windows\SysWOW64\Gmjaic32.exe C:\Windows\SysWOW64\Gaemjbcg.exe
PID 1488 wrote to memory of 2460 N/A C:\Windows\SysWOW64\Gmjaic32.exe C:\Windows\SysWOW64\Gaemjbcg.exe
PID 2460 wrote to memory of 540 N/A C:\Windows\SysWOW64\Gaemjbcg.exe C:\Windows\SysWOW64\Hgbebiao.exe
PID 2460 wrote to memory of 540 N/A C:\Windows\SysWOW64\Gaemjbcg.exe C:\Windows\SysWOW64\Hgbebiao.exe
PID 2460 wrote to memory of 540 N/A C:\Windows\SysWOW64\Gaemjbcg.exe C:\Windows\SysWOW64\Hgbebiao.exe
PID 2460 wrote to memory of 540 N/A C:\Windows\SysWOW64\Gaemjbcg.exe C:\Windows\SysWOW64\Hgbebiao.exe
PID 540 wrote to memory of 984 N/A C:\Windows\SysWOW64\Hgbebiao.exe C:\Windows\SysWOW64\Hahjpbad.exe
PID 540 wrote to memory of 984 N/A C:\Windows\SysWOW64\Hgbebiao.exe C:\Windows\SysWOW64\Hahjpbad.exe
PID 540 wrote to memory of 984 N/A C:\Windows\SysWOW64\Hgbebiao.exe C:\Windows\SysWOW64\Hahjpbad.exe
PID 540 wrote to memory of 984 N/A C:\Windows\SysWOW64\Hgbebiao.exe C:\Windows\SysWOW64\Hahjpbad.exe
PID 984 wrote to memory of 864 N/A C:\Windows\SysWOW64\Hahjpbad.exe C:\Windows\SysWOW64\Hpkjko32.exe
PID 984 wrote to memory of 864 N/A C:\Windows\SysWOW64\Hahjpbad.exe C:\Windows\SysWOW64\Hpkjko32.exe
PID 984 wrote to memory of 864 N/A C:\Windows\SysWOW64\Hahjpbad.exe C:\Windows\SysWOW64\Hpkjko32.exe
PID 984 wrote to memory of 864 N/A C:\Windows\SysWOW64\Hahjpbad.exe C:\Windows\SysWOW64\Hpkjko32.exe
PID 864 wrote to memory of 1648 N/A C:\Windows\SysWOW64\Hpkjko32.exe C:\Windows\SysWOW64\Hcifgjgc.exe
PID 864 wrote to memory of 1648 N/A C:\Windows\SysWOW64\Hpkjko32.exe C:\Windows\SysWOW64\Hcifgjgc.exe
PID 864 wrote to memory of 1648 N/A C:\Windows\SysWOW64\Hpkjko32.exe C:\Windows\SysWOW64\Hcifgjgc.exe
PID 864 wrote to memory of 1648 N/A C:\Windows\SysWOW64\Hpkjko32.exe C:\Windows\SysWOW64\Hcifgjgc.exe
PID 1648 wrote to memory of 1976 N/A C:\Windows\SysWOW64\Hcifgjgc.exe C:\Windows\SysWOW64\Hkpnhgge.exe
PID 1648 wrote to memory of 1976 N/A C:\Windows\SysWOW64\Hcifgjgc.exe C:\Windows\SysWOW64\Hkpnhgge.exe
PID 1648 wrote to memory of 1976 N/A C:\Windows\SysWOW64\Hcifgjgc.exe C:\Windows\SysWOW64\Hkpnhgge.exe
PID 1648 wrote to memory of 1976 N/A C:\Windows\SysWOW64\Hcifgjgc.exe C:\Windows\SysWOW64\Hkpnhgge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5d6e9ecebaa07acfd4221c417a3534c0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\5d6e9ecebaa07acfd4221c417a3534c0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Gicbeald.exe

C:\Windows\system32\Gicbeald.exe

C:\Windows\SysWOW64\Gejcjbah.exe

C:\Windows\system32\Gejcjbah.exe

C:\Windows\SysWOW64\Gkgkbipp.exe

C:\Windows\system32\Gkgkbipp.exe

C:\Windows\SysWOW64\Gaqcoc32.exe

C:\Windows\system32\Gaqcoc32.exe

C:\Windows\SysWOW64\Gkihhhnm.exe

C:\Windows\system32\Gkihhhnm.exe

C:\Windows\SysWOW64\Gmgdddmq.exe

C:\Windows\system32\Gmgdddmq.exe

C:\Windows\SysWOW64\Geolea32.exe

C:\Windows\system32\Geolea32.exe

C:\Windows\SysWOW64\Ghmiam32.exe

C:\Windows\system32\Ghmiam32.exe

C:\Windows\SysWOW64\Gkkemh32.exe

C:\Windows\system32\Gkkemh32.exe

C:\Windows\SysWOW64\Gmjaic32.exe

C:\Windows\system32\Gmjaic32.exe

C:\Windows\SysWOW64\Gaemjbcg.exe

C:\Windows\system32\Gaemjbcg.exe

C:\Windows\SysWOW64\Hgbebiao.exe

C:\Windows\system32\Hgbebiao.exe

C:\Windows\SysWOW64\Hahjpbad.exe

C:\Windows\system32\Hahjpbad.exe

C:\Windows\SysWOW64\Hpkjko32.exe

C:\Windows\system32\Hpkjko32.exe

C:\Windows\SysWOW64\Hcifgjgc.exe

C:\Windows\system32\Hcifgjgc.exe

C:\Windows\SysWOW64\Hkpnhgge.exe

C:\Windows\system32\Hkpnhgge.exe

C:\Windows\SysWOW64\Hlakpp32.exe

C:\Windows\system32\Hlakpp32.exe

C:\Windows\SysWOW64\Hckcmjep.exe

C:\Windows\system32\Hckcmjep.exe

C:\Windows\SysWOW64\Hggomh32.exe

C:\Windows\system32\Hggomh32.exe

C:\Windows\SysWOW64\Hiekid32.exe

C:\Windows\system32\Hiekid32.exe

C:\Windows\SysWOW64\Hpocfncj.exe

C:\Windows\system32\Hpocfncj.exe

C:\Windows\SysWOW64\Hobcak32.exe

C:\Windows\system32\Hobcak32.exe

C:\Windows\SysWOW64\Hgilchkf.exe

C:\Windows\system32\Hgilchkf.exe

C:\Windows\SysWOW64\Hjhhocjj.exe

C:\Windows\system32\Hjhhocjj.exe

C:\Windows\SysWOW64\Hlfdkoin.exe

C:\Windows\system32\Hlfdkoin.exe

C:\Windows\SysWOW64\Hcplhi32.exe

C:\Windows\system32\Hcplhi32.exe

C:\Windows\SysWOW64\Hhmepp32.exe

C:\Windows\system32\Hhmepp32.exe

C:\Windows\SysWOW64\Hkkalk32.exe

C:\Windows\system32\Hkkalk32.exe

C:\Windows\SysWOW64\Hogmmjfo.exe

C:\Windows\system32\Hogmmjfo.exe

C:\Windows\SysWOW64\Iaeiieeb.exe

C:\Windows\system32\Iaeiieeb.exe

C:\Windows\SysWOW64\Ihoafpmp.exe

C:\Windows\system32\Ihoafpmp.exe

C:\Windows\SysWOW64\Iknnbklc.exe

C:\Windows\system32\Iknnbklc.exe

C:\Windows\SysWOW64\Iagfoe32.exe

C:\Windows\system32\Iagfoe32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 140

Network

N/A

Files

memory/1888-0-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1888-6-0x0000000000250000-0x0000000000290000-memory.dmp

\Windows\SysWOW64\Gicbeald.exe

MD5 af8db936a4b8852394e426b346bc6d80
SHA1 ab368917bca3e8cabce85d4b77ff40e103ddd4ae
SHA256 044577d15df0aa7468f7fdfeb30cc4d350e44b7a82fed866f6ce26b3fa882acf
SHA512 6f601624051353e7d9fd92880608f6fbafae5b649c3f459c40249849b3c7742b9b19f59ebcca06306c67c01548598dd964bf98c84373d1e23cca1c3548fb91d9

memory/1564-20-0x0000000000260000-0x00000000002A0000-memory.dmp

\Windows\SysWOW64\Gejcjbah.exe

MD5 3fb913b75693291e9055a59b006afab4
SHA1 ce86be1d64a5de558d037bb88950eb9cae4ffbc3
SHA256 ca29f306d697b614d2b45e6c7c38b6d9037454a28494cb610464c14fa18e18ac
SHA512 20c638d6c988abb8bf957a456359dc47b3a9c77895103cceff47d462b4a7ebeb740d43db85df5b8d0e850474dab10ef49f1b1a2f679ecb4991e266ddb296bfad

C:\Windows\SysWOW64\Gkgkbipp.exe

MD5 756c72d82083c905b164e264546e2936
SHA1 002a52306ebc8861fc7ab03a25104480f14d78ec
SHA256 6beeb4a0a821e3fc081b579bf11e46def814a346b903dd5b354d93e4f2b900ce
SHA512 04901925c2edd947822b9bf51b15362d407dbbd5070d7da29f159de85486ed5c3b7455029935d9c28123d74db2d412e800f2016efa7179c8abe7f323f331efeb

memory/2684-31-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3068-39-0x0000000000400000-0x0000000000440000-memory.dmp

\Windows\SysWOW64\Gaqcoc32.exe

MD5 2d97bc7d47daf5191820fe96940c5c40
SHA1 9ee6172f210e6784be1dd793d2570bd45557793c
SHA256 fc3cbef0cbcbb8f54c7546fffdb515bb4c085f9710243443abb551962e6eb8bf
SHA512 63d4de3940aed6e5e3f055ba48ea262b3cbf566844b1fb790f3f4a433184949273c50feb8f64ebc936db91389ec40bb6db6f1e78b965095044beb181836ad26d

memory/3068-47-0x00000000005D0000-0x0000000000610000-memory.dmp

\Windows\SysWOW64\Gkihhhnm.exe

MD5 4fdd64ffe99e62eefbc92542fd8c812b
SHA1 261f3f6b4a69bdfb4270606ab00f9e5fc5d71e72
SHA256 ea0aade98022b11e52ef4bfcca981a8c3b4ab6f992fd4f8b220d86d658ab8956
SHA512 c3710dbe8a38690de4417a53bae275086e036981620bc35012dac3c99d47693a9b32c562ecebcb92d262bcb2cb3496c3c7d01eae9be1ff05678228a631d2369e

memory/848-62-0x0000000000250000-0x0000000000290000-memory.dmp

memory/2436-78-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Gmgdddmq.exe

MD5 8321d624907e4163237d81792723eb4d
SHA1 06f2358c1ce16b235808851c825b88f36956e5fc
SHA256 fe10fc685cf236d10acdc1674b126242843f46968f264414fb9f791cbefa4609
SHA512 41fe325a15925b14d692971f0c2bb7fcbba8e9954e112cb60451e90aa1cbc9365434e7fad5a0cb73d1ea37a0ab7f05c598911791432a1ddadc2110fe183bf7fb

C:\Windows\SysWOW64\Geolea32.exe

MD5 81bdf265736f6a99585819018b05e086
SHA1 cddd1517172a26cc89939ce804cadcdb908502df
SHA256 32b0256966e27ccc0e33d106be75bfd4268aa78e29bcd2ffbd528d106b066744
SHA512 c8606fbedcde1f15c2c212445f3f9c13431b85201d7ebd02e0e91d016aee30ff3e08b6ff72d642d2dd5dc76cacc0c6ba6467dcb32ecc96d6637fcbaaaf534ceb

\Windows\SysWOW64\Ghmiam32.exe

MD5 480c3bd703fa125082e099933dd16782
SHA1 867fc9d12b17a78ca4a22c5f40375e1c220dca22
SHA256 a865a0ac6ee5a44b95e3f439819d61057d06541ece3a191c926b72bc972c45bc
SHA512 daff04a390206bcfd5462afaa927263b5de8268376804001d86eb367f3b9866d866921cb33d815f7cde51bb1cd02c8560786aafb1ae7cf31145f67656789e5a6

\Windows\SysWOW64\Gmjaic32.exe

MD5 53e2342fe6856000d58428ef8a68a920
SHA1 63836a3f7279df53cdb5131254b83eb6b033ab57
SHA256 4f5e38e4fe86bf0467469a59fa108ff7935a2f274f0a1a17fbe3c3fcf7cabb86
SHA512 50f4dc6c84114e416aca96d4b9d3e81987775cdf535ce461c660c0ee370faa62019f2bd9ef51e2b3cefb520efa42b438d7c3679e35a576390c94abf681de66b2

C:\Windows\SysWOW64\Gkkemh32.exe

MD5 e30ae316bed21ea7f084d269ed01bd06
SHA1 c415d3b57eec85076f7f8ab9ab72704501545bf2
SHA256 498b163d20fb8e759e92b9c7a6a173be6fb743043eca3f4b6b08f075bef77bb4
SHA512 2612550e0aaa1661dd63497356d902fa3a67b5e15c8b25ec4d39182ab16bca64682a322b832cfba3714e0e3f9529fc1e13e5a231cf614308382d3f3afdd626cd

memory/1476-117-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2460-144-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Gaemjbcg.exe

MD5 59c2863a71d82188b3bc5130b34a73a8
SHA1 527d379fd8bc5e58da9665890542055c0c62a109
SHA256 574748255cbdfb7545c3e5dc2756c8c953c1a9cce6e4c5178b24068f9db5fa29
SHA512 e2bda48683b38f23e3a089e04a17b06a65db5ea2048c907b7e41fd6406c5590d5a85151a440e62911afb63ef2054c51ac7e8be9c959c1ead8d10a43accb5c697

memory/1488-138-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Hgbebiao.exe

MD5 8d3e8ca61adf7eb78f197d28f4fe0f9e
SHA1 837c125735fac798fe20637da7a5067e5b66d314
SHA256 b8a291ed2aa914d80f981cecbd72342e49fee303dc8e87cfd4442062750363d9
SHA512 f9d7a314e12d04d74f13942efd0c21cc1eb33ec0eb878f90b2023685b47b46f71995addf6e4b6d6f0eb1696125c24728e5b23d6cc068587ff81b6772bf7bd47f

C:\Windows\SysWOW64\Hahjpbad.exe

MD5 033c009b022fea443e65182801c26cd0
SHA1 cda2d943f61cc83c2c6c8e8d8fae145a2c1f204d
SHA256 bc2adaff0b5eb1fe7527b461e1e4cb0fbb954044f62cea3e24aefbb409c9a63f
SHA512 a1dc0ae68b824897e66372539a95726532c03b3d4ba8198c4a16f1cb262ccb189c81d21ff078fd1c7a6c25de9ceca9bdb001e6b7e52990cb422c0fd963e48bbe

memory/864-189-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Hkpnhgge.exe

MD5 4221f11faa21678ed68a7a6b5a29b0fa
SHA1 24b76d8fb4a4b280e257a3e404fcad5f264cd418
SHA256 1835a9279be1ad24a1ca817cf182053f510b281a13631f2325ed2fc2a7e39bcd
SHA512 b3c9b04bb405c365ba7d430265baf53ae51b6f1382f122fda26ed3d1f5f15a44525fd4c1277a9ace80ba9675c684fad94ef4822429503b81749701cecbd2306f

memory/1976-217-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Hlakpp32.exe

MD5 5162d15e791e5f950eb1a313a284fc1e
SHA1 771523b6f75a99c965378770614b086530e1fc18
SHA256 6b5e2a844836777ae2e99ad5a0971851d09671f893d736ffa649b785ab5a8ad6
SHA512 f60b24156e9732f5167ef481c315336e2733dae943f495592c8625d3dce0529dcf9c880e7b495ba61130303356c55135b5e16e1b31e8a800ad41afd088741f7b

memory/1976-219-0x0000000001F30000-0x0000000001F70000-memory.dmp

memory/2916-235-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1960-266-0x0000000000290000-0x00000000002D0000-memory.dmp

memory/1916-287-0x0000000000400000-0x0000000000440000-memory.dmp

memory/392-286-0x0000000000250000-0x0000000000290000-memory.dmp

memory/1688-298-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1688-307-0x0000000000250000-0x0000000000290000-memory.dmp

memory/1688-308-0x0000000000250000-0x0000000000290000-memory.dmp

memory/2592-319-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Hogmmjfo.exe

MD5 2d6274062fef9e50b8c41aca051c56ae
SHA1 b6c6cd9180db59a3b4d5ad84fc5528d3743d9c78
SHA256 cb38a9647e7ff064f362e6eab03fe9c68ea1e7730ec80cec8d02bbc40099665c
SHA512 86ea5e364e0302a5945d33abdb6aa44a2923de47adebbc6ffc8799f53302f38fde2a5bababa3261b638cca57b6274ad266f5e400d32cea037e43b5584f31728e

C:\Windows\SysWOW64\Iaeiieeb.exe

MD5 cd37c554323359c93ec1b5c8a7b0b751
SHA1 e3c4b0b395061b881e59d80f69c87c16480c70bb
SHA256 8e3c8e73cd87722cbee105be11cb558a901a58a83f7735051cc1b1a3021cbbb7
SHA512 da172918289ccd9235d368a35821a9bdabe39fafd4d3c98dee0b9cfb2ae84663f9e5fe34e520438c1b61cb155862ccb5c02c52be4bc8c397f50ae098da1cad8e

C:\Windows\SysWOW64\Ihoafpmp.exe

MD5 a8b86dfbda13f6b07b8b8a0f06802472
SHA1 7f9c610e1bc00e4683b7a3e619ae025d95184c1b
SHA256 27e3cb8a5af057be9882516b380a6ac887c07055a1336ae086eebd4215e7954c
SHA512 4892a3fe9d8e8b779f9b10a730128a498bd83e904444105b276c11feae8ef964329f73f1a107fa1ff6eacb550597e348335bc77bf5f27fac08dd66ea4baeb71d

C:\Windows\SysWOW64\Iknnbklc.exe

MD5 682e641c30635b7bf56cdc79f578bf6e
SHA1 0e68b26b5a8aca84416be269760c1a4c57c21714
SHA256 8c8aa9a5709772c8888c35a8a57c072580f1ebab60446ebad8feeb8ecc71a811
SHA512 c89f3850a4b9e223e2870e6a76df9aeac4c546d916d2ce108e1ee5941162af3bf13292b01e4a350ead938e39fe0adf8b417b7914f6ae672c80d8063100623afe

memory/2960-394-0x0000000000250000-0x0000000000290000-memory.dmp

memory/2140-393-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2960-392-0x0000000000250000-0x0000000000290000-memory.dmp

memory/2960-391-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2756-390-0x00000000005D0000-0x0000000000610000-memory.dmp

memory/2756-389-0x00000000005D0000-0x0000000000610000-memory.dmp

C:\Windows\SysWOW64\Iagfoe32.exe

MD5 046b81af578bfc49feaa0b7d1b127988
SHA1 cfbf6feaefa62ebc8182aebce5ad7057ea626bcf
SHA256 3a009ee71b9158944c3f7ba2a0412665b05e61cb15f76cd414928f0ece7c1631
SHA512 9ae88746920637618664ce6926913b117d93f7960810b3a73fc676242bbd28710fa5a4fd2c06d28a012edd08602827269a52c940549c8f613ef8667c73b810f5

memory/2756-372-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2944-371-0x0000000000250000-0x0000000000290000-memory.dmp

memory/2944-362-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2552-361-0x0000000000250000-0x0000000000290000-memory.dmp

memory/2552-360-0x0000000000250000-0x0000000000290000-memory.dmp

memory/2552-351-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2536-350-0x0000000000310000-0x0000000000350000-memory.dmp

memory/2536-349-0x0000000000310000-0x0000000000350000-memory.dmp

memory/2536-345-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2516-339-0x0000000000250000-0x0000000000290000-memory.dmp

memory/2516-338-0x0000000000250000-0x0000000000290000-memory.dmp

C:\Windows\SysWOW64\Hkkalk32.exe

MD5 a3db81b1ea4f2935a322a7bade6a141c
SHA1 379808c1d7c85ef9e51d6a364801f49fe82af3c2
SHA256 088da39503a645b480a0e55765f07c2f676d2fd9df63edaed11732bb4eb6962b
SHA512 5d75a8eb2d7bb876e74ffdf6fc410d87634b34485afe0db9947af38bc48f8e2568d8871ac67854d2efdf4f6b02fc25ed64cea046757f9a67ae74808a9893d960

memory/2516-333-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2592-331-0x0000000001F60000-0x0000000001FA0000-memory.dmp

C:\Windows\SysWOW64\Hhmepp32.exe

MD5 1dc2005b73090e7ea90814dd43d22770
SHA1 9dec6a5a1dfdb82bbc5d7d9d04934983cdd47d72
SHA256 179c90465e7e6fc38eb34b7482388b634c5311fd432fb5a9a3c004fbdb7444be
SHA512 51824338e92f80ad95e49df1dcb304fd57825857da6831cd7748c1513fe53c06286255ab65800166e10170cffdea01ea29862b1f1241d0fa05805b985bd4c244

memory/1700-318-0x00000000002D0000-0x0000000000310000-memory.dmp

memory/1700-317-0x00000000002D0000-0x0000000000310000-memory.dmp

C:\Windows\SysWOW64\Hcplhi32.exe

MD5 4a21237ef81a1da5e3df391d376a961e
SHA1 fe161b7d96f3e7669fc5c7e01ceb86abc07de255
SHA256 8dc850ead68690cba054d6590953d384d61a6d0f0d4bb2e6373b08f7e20b856d
SHA512 fb4a02c3b884927369c3a79e501a660d67a34ef7d395e8b30b62fafea20c4525528b46061ebd0ad37949c4e0536e1cfc989f876593ef35203d257da20b2b5f65

C:\Windows\SysWOW64\Hlfdkoin.exe

MD5 218ae320f4bf5384122eb654cea68f71
SHA1 804187ebf4b14948a2d4eddec15002b863422154
SHA256 425e481e517568e9c3bb6f174f9b86e7a736479d3d13a08f481fdbb4992b38cc
SHA512 048cf2e0123f7a92d2def43c8957e12d32406894f7c09bd3dc7815419fcab61bbb09b57e34cff68ff37d55baf8dbc590132e665868a820bba6bd328432c18659

memory/1916-297-0x0000000000250000-0x0000000000290000-memory.dmp

memory/1916-296-0x0000000000250000-0x0000000000290000-memory.dmp

C:\Windows\SysWOW64\Hjhhocjj.exe

MD5 5d691da1b544c0184e2269ea1c77789a
SHA1 6e4e6718d76b49328fba2055fcce748f4bdd96d8
SHA256 00f7ed64012ecf0a1857960664fd90e57d36da05dafe2caca595d9b2612c4179
SHA512 29d46edd2671440cd2bd86d7f5d682bd67b9d649f4d9a32a20d4ef4f3e174f95a518ab0bcb2705487aa624befd55b93f68ed78496be4a38b861d7ec25316bc49

memory/392-285-0x0000000000250000-0x0000000000290000-memory.dmp

C:\Windows\SysWOW64\Hgilchkf.exe

MD5 a8ca437322be24b22bcdea890ba8a446
SHA1 297056335997c8b93cac5ab3b6a3ab94a014cc2c
SHA256 5f9228a5c89d94103d6cd9e2ba5c1bd715b55dc660e57b0ccdf4cbb561a1f75c
SHA512 61832a87dd0d2bc58ca90d86e0dbcc4200effd502200ffacc7308c7bcde8db61c509f642c8b3c8559db778d45efab394ec8c24b9bb9363f91254e6b97452b900

memory/392-279-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1148-275-0x00000000002D0000-0x0000000000310000-memory.dmp

C:\Windows\SysWOW64\Hobcak32.exe

MD5 6bdac8af771c30afde5dffa928087ef5
SHA1 19c28210024d1e12d1dc80c3bc1e755ec8141a48
SHA256 6dbdf8722d9d9fbbf2ee15d2f46beb425ad477d062b03df818d99a4dcfc7aba1
SHA512 cf425b6d0b5ce5c3614e1cdd46b2097a90f229bf0d7a12782d7a550048423a131546a01992842979f4b2469ca103dde390c6b306a3cb0c486e697eef2af74ef3

memory/1960-265-0x0000000000290000-0x00000000002D0000-memory.dmp

memory/1960-260-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Hpocfncj.exe

MD5 2c65475df31cb28f2fc491d3dcf024d0
SHA1 62a94d2b4fffb6497a24cc8a585d2bc3e0373064
SHA256 75fcd959607e1089c3f2a8de3ebac347bc4310dea4b89a5680a6c4cab4feb878
SHA512 69fabf922436e177a42825b36be56319fbe29cddb3bbce8fd8ce55ff572f91c4f5f79d9b6aa00f64029bcd70724c0c6be3422c6eec512c5cb3c57dd1077024bb

memory/2100-259-0x0000000000280000-0x00000000002C0000-memory.dmp

C:\Windows\SysWOW64\Hiekid32.exe

MD5 365beff0169af940214c5b9426d7af1f
SHA1 0a922c31f9e766ab7d7979dc8ab42fae3e4dd00c
SHA256 24ec13bf37e86227b0053222c394fac1f393442bf398ca78082367ddd04eef7f
SHA512 37f0e88f95cfc7447f6b77e21316079fcff772e0a0429de627c24617ff63a7015b51c19dc352de7b66f21a255d2db228edec622007850afedccba4a72972fbc1

memory/2100-246-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2916-245-0x0000000000250000-0x0000000000290000-memory.dmp

memory/2916-244-0x0000000000250000-0x0000000000290000-memory.dmp

C:\Windows\SysWOW64\Hggomh32.exe

MD5 cb6f869a84f0c3419b07af0345bd2d6d
SHA1 ceaef1b9913a409ae09786cf17ac8f9f04ef2beb
SHA256 9ce936f6b2056e74f4bc8289f660e29a269131b85c4d464798d153e7d034bf54
SHA512 d26f4f3f77b73890348563b9f077212bcd91bc48a474f5ee4bc78c306b6bf78a8df3dc7ee448af24c99c65ba785ad33c27a27ce50683aa6b452a7ef1defeb6af

memory/1972-234-0x0000000000250000-0x0000000000290000-memory.dmp

memory/1972-233-0x0000000000250000-0x0000000000290000-memory.dmp

C:\Windows\SysWOW64\Hckcmjep.exe

MD5 fe201ea0ac600eb02ab403dae385f151
SHA1 95011a3cda3297152b3cf5ffec4e7d404f8a915a
SHA256 1d3f492a561b6b868dc190493d57c6092bb483e56ace368f92a51e61ce25a862
SHA512 382c8a2f1f6c041ac36483f5d1cea4cfa755558d5bb0d40ec380623a913b0a8f775e0b0150322b483a4233bb6ec283a173df734301e0567090ce224dcdde683b

memory/1972-224-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1976-223-0x0000000001F30000-0x0000000001F70000-memory.dmp

memory/1648-211-0x0000000000250000-0x0000000000290000-memory.dmp

C:\Windows\SysWOW64\Hcifgjgc.exe

MD5 c316f27b806d48e56f1b3030ad3cf01a
SHA1 c36e2fe916dd0f4fc2b89a3919dc42b33072b69d
SHA256 f2aa17f3f17c5b280e473d27013e531dead4a0200113071b575a50e065db90fd
SHA512 8d5c8118d996244254cddbde10440339b7c47253a40a66f13ae343f57e9c42aa4affb7273ed28fc5762cc638f70352546c1e8516c1a8337aa377f6acb368b79a

memory/1648-198-0x0000000000400000-0x0000000000440000-memory.dmp

memory/864-192-0x0000000000250000-0x0000000000290000-memory.dmp

C:\Windows\SysWOW64\Hpkjko32.exe

MD5 7f3c5cb196828b34314b370ae58857ac
SHA1 95273962fcdfcef2679f3223bfb2282200195969
SHA256 5a7e7255e4727d9169062dedeb649d0738f247543dda5b374c8f95ca090efd6a
SHA512 886d473ee6c70937459e07000722b28dbeed6b57b7f7c90a5e80a2620d0f599a7d8cdfe83ad71ec74ea5d811ff4eeb95a811391f238495049cb37f4d01880f41

memory/984-183-0x0000000000250000-0x0000000000290000-memory.dmp

memory/984-170-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2460-151-0x0000000000290000-0x00000000002D0000-memory.dmp

memory/1476-129-0x0000000000250000-0x0000000000290000-memory.dmp

memory/2788-99-0x0000000000290000-0x00000000002D0000-memory.dmp

memory/2788-91-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1888-395-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1564-396-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3068-397-0x0000000000400000-0x0000000000440000-memory.dmp

memory/848-398-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2388-399-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2436-400-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2788-401-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2820-402-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1476-403-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2460-404-0x0000000000400000-0x0000000000440000-memory.dmp

memory/540-405-0x0000000000400000-0x0000000000440000-memory.dmp

memory/984-406-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1648-407-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1976-408-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1972-409-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2916-410-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2100-411-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1148-412-0x0000000000400000-0x0000000000440000-memory.dmp

memory/392-413-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1916-414-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1688-415-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1700-416-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2592-417-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2516-418-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2536-419-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2552-420-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2944-421-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2756-422-0x0000000000400000-0x0000000000440000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 23:58

Reported

2024-05-23 00:01

Platform

win10v2004-20240226-en

Max time kernel

141s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5d6e9ecebaa07acfd4221c417a3534c0_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Iogopi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nfgklkoc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nqoloc32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qbonoghb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cdjblf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jejbhk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gbbajjlp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gbbajjlp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lhgdmb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mhoahh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pfccogfc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cdaile32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lklnconj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mllccpfj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Blnjecfl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ipkdek32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jblmgf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gnohnffc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mkgmoncl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bnlhncgi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fecadghc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ecbeip32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kalcik32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Afeban32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cpqlfa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Amkhmoap.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bigbmpco.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qfjcep32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dedkogqm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dinael32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fqbeoc32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pcbdcf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pfccogfc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iccpniqp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Amnebo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dnljkk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eafbmgad.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ddcogo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jbojlfdp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ojemig32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gbiockdj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kheekkjl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nbbnbemf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qhhpop32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fecadghc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mdbnmbhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aflpkpjm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fbbicl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Abcgjg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nfgklkoc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pfhmjf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hccggl32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ijbbfc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bacjdbch.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hbldphde.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qjhbfd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Koljgppp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bfaigclq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Egpnooan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kdhbpf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hbldphde.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kcmfnd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fncibg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fglnkm32.exe N/A

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Pfandnla.exe N/A
N/A N/A C:\Windows\SysWOW64\Pplobcpp.exe N/A
N/A N/A C:\Windows\SysWOW64\Pdjgha32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qhhpop32.exe N/A
N/A N/A C:\Windows\SysWOW64\Akkffkhk.exe N/A
N/A N/A C:\Windows\SysWOW64\Aknbkjfh.exe N/A
N/A N/A C:\Windows\SysWOW64\Aajhndkb.exe N/A
N/A N/A C:\Windows\SysWOW64\Agimkk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bpdnjple.exe N/A
N/A N/A C:\Windows\SysWOW64\Bacjdbch.exe N/A
N/A N/A C:\Windows\SysWOW64\Baegibae.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnlhncgi.exe N/A
N/A N/A C:\Windows\SysWOW64\Cpmapodj.exe N/A
N/A N/A C:\Windows\SysWOW64\Cnaaib32.exe N/A
N/A N/A C:\Windows\SysWOW64\Enfckp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fqppci32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fdnhih32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbbicl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fgoakc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fecadghc.exe N/A
N/A N/A C:\Windows\SysWOW64\Fajbjh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gbiockdj.exe N/A
N/A N/A C:\Windows\SysWOW64\Gejhef32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gihpkd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gbbajjlp.exe N/A
N/A N/A C:\Windows\SysWOW64\Hahokfag.exe N/A
N/A N/A C:\Windows\SysWOW64\Hnlodjpa.exe N/A
N/A N/A C:\Windows\SysWOW64\Hnnljj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hbldphde.exe N/A
N/A N/A C:\Windows\SysWOW64\Hnbeeiji.exe N/A
N/A N/A C:\Windows\SysWOW64\Ilfennic.exe N/A
N/A N/A C:\Windows\SysWOW64\Iogopi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ilkoim32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ipihpkkd.exe N/A
N/A N/A C:\Windows\SysWOW64\Ipkdek32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jblmgf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jbojlfdp.exe N/A
N/A N/A C:\Windows\SysWOW64\Jlikkkhn.exe N/A
N/A N/A C:\Windows\SysWOW64\Kheekkjl.exe N/A
N/A N/A C:\Windows\SysWOW64\Kcmfnd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Khiofk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lakfeodm.exe N/A
N/A N/A C:\Windows\SysWOW64\Lfiokmkc.exe N/A
N/A N/A C:\Windows\SysWOW64\Mhoahh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mhanngbl.exe N/A
N/A N/A C:\Windows\SysWOW64\Mcfbkpab.exe N/A
N/A N/A C:\Windows\SysWOW64\Nfgklkoc.exe N/A
N/A N/A C:\Windows\SysWOW64\Nfihbk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nqoloc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ncpeaoih.exe N/A
N/A N/A C:\Windows\SysWOW64\Nmjfodne.exe N/A
N/A N/A C:\Windows\SysWOW64\Oqhoeb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oonlfo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojemig32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pcbkml32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pfccogfc.exe N/A
N/A N/A C:\Windows\SysWOW64\Pmmlla32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pmphaaln.exe N/A
N/A N/A C:\Windows\SysWOW64\Pfhmjf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qbonoghb.exe N/A
N/A N/A C:\Windows\SysWOW64\Qmdblp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qjhbfd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Abcgjg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Amikgpcc.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Bejceb32.dll C:\Windows\SysWOW64\Fglnkm32.exe N/A
File created C:\Windows\SysWOW64\Gnohnffc.exe C:\Windows\SysWOW64\Fdpnda32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jacpcl32.exe C:\Windows\SysWOW64\Jnbgaa32.exe N/A
File opened for modification C:\Windows\SysWOW64\Poidhg32.exe C:\Windows\SysWOW64\Piolkm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cgfbbb32.exe C:\Windows\SysWOW64\Bfaigclq.exe N/A
File created C:\Windows\SysWOW64\Dnljkk32.exe C:\Windows\SysWOW64\Dinael32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mcfbkpab.exe C:\Windows\SysWOW64\Mhanngbl.exe N/A
File created C:\Windows\SysWOW64\Lamlphoo.exe C:\Windows\SysWOW64\Llpchaqg.exe N/A
File created C:\Windows\SysWOW64\Bpgjpb32.exe C:\Windows\SysWOW64\Bikeni32.exe N/A
File created C:\Windows\SysWOW64\Nkeoha32.dll C:\Windows\SysWOW64\Bikeni32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cbmlmmjd.exe C:\Windows\SysWOW64\Cehlcikj.exe N/A
File created C:\Windows\SysWOW64\Lmnbjama.dll C:\Windows\SysWOW64\Pplobcpp.exe N/A
File opened for modification C:\Windows\SysWOW64\Cnaaib32.exe C:\Windows\SysWOW64\Cpmapodj.exe N/A
File opened for modification C:\Windows\SysWOW64\Egpnooan.exe C:\Windows\SysWOW64\Enhifi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jhoeef32.exe C:\Windows\SysWOW64\Jogqlpde.exe N/A
File created C:\Windows\SysWOW64\Mllccpfj.exe C:\Windows\SysWOW64\Mafofggd.exe N/A
File created C:\Windows\SysWOW64\Ccegac32.dll C:\Windows\SysWOW64\Gbbajjlp.exe N/A
File created C:\Windows\SysWOW64\Pfgbakef.dll C:\Windows\SysWOW64\Pfccogfc.exe N/A
File opened for modification C:\Windows\SysWOW64\Gqbneq32.exe C:\Windows\SysWOW64\Gkefmjcj.exe N/A
File created C:\Windows\SysWOW64\Koljgppp.exe C:\Windows\SysWOW64\Kahinkaf.exe N/A
File opened for modification C:\Windows\SysWOW64\Koljgppp.exe C:\Windows\SysWOW64\Kahinkaf.exe N/A
File created C:\Windows\SysWOW64\Lhgdmb32.exe C:\Windows\SysWOW64\Lamlphoo.exe N/A
File created C:\Windows\SysWOW64\Pfandnla.exe C:\Users\Admin\AppData\Local\Temp\5d6e9ecebaa07acfd4221c417a3534c0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Baegibae.exe C:\Windows\SysWOW64\Bacjdbch.exe N/A
File created C:\Windows\SysWOW64\Eoggpbpn.dll C:\Windows\SysWOW64\Mekdffee.exe N/A
File created C:\Windows\SysWOW64\Jfbnnelf.dll C:\Windows\SysWOW64\Nchhfild.exe N/A
File opened for modification C:\Windows\SysWOW64\Bpgjpb32.exe C:\Windows\SysWOW64\Bikeni32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hnbeeiji.exe C:\Windows\SysWOW64\Hbldphde.exe N/A
File created C:\Windows\SysWOW64\Ojemig32.exe C:\Windows\SysWOW64\Oonlfo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bbaclegm.exe C:\Windows\SysWOW64\Biiobo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Qhhpop32.exe C:\Windows\SysWOW64\Pdjgha32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ampaho32.exe C:\Windows\SysWOW64\Amnebo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dgihop32.exe C:\Windows\SysWOW64\Djegekil.exe N/A
File created C:\Windows\SysWOW64\Pcbdcf32.exe C:\Windows\SysWOW64\Pdqcenmg.exe N/A
File created C:\Windows\SysWOW64\Bemlhj32.exe C:\Windows\SysWOW64\Bldgoeog.exe N/A
File created C:\Windows\SysWOW64\Bbdcakkc.dll C:\Windows\SysWOW64\Fajbjh32.exe N/A
File created C:\Windows\SysWOW64\Dbkqqe32.dll C:\Windows\SysWOW64\Jblmgf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bpedeiff.exe C:\Windows\SysWOW64\Bbaclegm.exe N/A
File opened for modification C:\Windows\SysWOW64\Binhnomg.exe C:\Windows\SysWOW64\Bpedeiff.exe N/A
File created C:\Windows\SysWOW64\Nepmal32.dll C:\Windows\SysWOW64\Cdjblf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Djegekil.exe C:\Windows\SysWOW64\Dpmcmf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Enlcahgh.exe C:\Windows\SysWOW64\Eafbmgad.exe N/A
File opened for modification C:\Windows\SysWOW64\Kahinkaf.exe C:\Windows\SysWOW64\Jhoeef32.exe N/A
File created C:\Windows\SysWOW64\Qmdblp32.exe C:\Windows\SysWOW64\Qbonoghb.exe N/A
File created C:\Windows\SysWOW64\Eknphfld.dll C:\Windows\SysWOW64\Bboffejp.exe N/A
File created C:\Windows\SysWOW64\Ljnakk32.dll C:\Windows\SysWOW64\Jhoeef32.exe N/A
File created C:\Windows\SysWOW64\Hccggl32.exe C:\Windows\SysWOW64\Gbbkocid.exe N/A
File created C:\Windows\SysWOW64\Ffmnibme.dll C:\Windows\SysWOW64\Medglemj.exe N/A
File created C:\Windows\SysWOW64\Dqjhif32.dll C:\Windows\SysWOW64\Akihcfid.exe N/A
File created C:\Windows\SysWOW64\Mckmcadl.dll C:\Windows\SysWOW64\Nmjfodne.exe N/A
File created C:\Windows\SysWOW64\Egpnooan.exe C:\Windows\SysWOW64\Enhifi32.exe N/A
File created C:\Windows\SysWOW64\Kocphojh.exe C:\Windows\SysWOW64\Kopcbo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hbldphde.exe C:\Windows\SysWOW64\Hnnljj32.exe N/A
File created C:\Windows\SysWOW64\Defgao32.dll C:\Windows\SysWOW64\Abcgjg32.exe N/A
File created C:\Windows\SysWOW64\Cpmapodj.exe C:\Windows\SysWOW64\Bnlhncgi.exe N/A
File created C:\Windows\SysWOW64\Gkefmjcj.exe C:\Windows\SysWOW64\Gqpapacd.exe N/A
File created C:\Windows\SysWOW64\Bpcaaeme.dll C:\Windows\SysWOW64\Qhhpop32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lhgdmb32.exe C:\Windows\SysWOW64\Lamlphoo.exe N/A
File created C:\Windows\SysWOW64\Bbaclegm.exe C:\Windows\SysWOW64\Biiobo32.exe N/A
File created C:\Windows\SysWOW64\Kalcik32.exe C:\Windows\SysWOW64\Kdhbpf32.exe N/A
File created C:\Windows\SysWOW64\Ndfchkio.dll C:\Windows\SysWOW64\Cibkohef.exe N/A
File created C:\Windows\SysWOW64\Ddcogo32.exe C:\Windows\SysWOW64\Ddqbbo32.exe N/A
File created C:\Windows\SysWOW64\Ipihpkkd.exe C:\Windows\SysWOW64\Ilkoim32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jblmgf32.exe C:\Windows\SysWOW64\Ipkdek32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dbkhnk32.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jbojlfdp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ojemig32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipekmlhg.dll" C:\Windows\SysWOW64\Bfabmmhe.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hahokfag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Khkdad32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pddlig32.dll" C:\Windows\SysWOW64\Heepfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmnbjama.dll" C:\Windows\SysWOW64\Pplobcpp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Baegibae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gejhef32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mhanngbl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pfccogfc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bfaigclq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bejceb32.dll" C:\Windows\SysWOW64\Fglnkm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jhoeef32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Abcgjg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikpndppf.dll" C:\Windows\SysWOW64\Dpmcmf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eehnaq32.dll" C:\Windows\SysWOW64\Bnlhncgi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cdjblf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Koljgppp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bfhofnpp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qfgfpp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kcmfnd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chjjqebm.dll" C:\Windows\SysWOW64\Pcbkml32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nodeaima.dll" C:\Windows\SysWOW64\Binhnomg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokfdpdo.dll" C:\Windows\SysWOW64\Fqbeoc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jejbhk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elmoqj32.dll" C:\Windows\SysWOW64\Jnbgaa32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nhgmcp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Piolkm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlhbih32.dll" C:\Windows\SysWOW64\Fecadghc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Defgao32.dll" C:\Windows\SysWOW64\Abcgjg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcidlo32.dll" C:\Windows\SysWOW64\Bfaigclq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfbhcl32.dll" C:\Windows\SysWOW64\Dgihop32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ijbbfc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kahinkaf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjbah32.dll" C:\Windows\SysWOW64\Kopcbo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlmadjhb.dll" C:\Windows\SysWOW64\Pmmlla32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jogqlpde.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kopcbo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Akkffkhk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngckdnpn.dll" C:\Windows\SysWOW64\Gbiockdj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bailkjga.dll" C:\Windows\SysWOW64\Dnljkk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dccfme32.dll" C:\Windows\SysWOW64\Cdaile32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjijdf32.dll" C:\Windows\SysWOW64\Llpchaqg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lhgdmb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mkgmoncl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aimhmkgn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bfabmmhe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkamodje.dll" C:\Windows\SysWOW64\Bacjdbch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Koljgppp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iilpao32.dll" C:\Windows\SysWOW64\Qfjcep32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebldoh32.dll" C:\Windows\SysWOW64\Ddqbbo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cbmlmmjd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hnlodjpa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ampaho32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohgohiia.dll" C:\Windows\SysWOW64\Fdpnda32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Halaloif.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jnbgaa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmccbngq.dll" C:\Windows\SysWOW64\Aimhmkgn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bpbpecen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eccphn32.dll" C:\Windows\SysWOW64\Hahokfag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkhcdb32.dll" C:\Windows\SysWOW64\Hnlodjpa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jbojlfdp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnhekleo.dll" C:\Windows\SysWOW64\Adjjeieh.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1600 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\5d6e9ecebaa07acfd4221c417a3534c0_NeikiAnalytics.exe C:\Windows\SysWOW64\Pfandnla.exe
PID 1600 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\5d6e9ecebaa07acfd4221c417a3534c0_NeikiAnalytics.exe C:\Windows\SysWOW64\Pfandnla.exe
PID 1600 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\5d6e9ecebaa07acfd4221c417a3534c0_NeikiAnalytics.exe C:\Windows\SysWOW64\Pfandnla.exe
PID 4428 wrote to memory of 1488 N/A C:\Windows\SysWOW64\Pfandnla.exe C:\Windows\SysWOW64\Pplobcpp.exe
PID 4428 wrote to memory of 1488 N/A C:\Windows\SysWOW64\Pfandnla.exe C:\Windows\SysWOW64\Pplobcpp.exe
PID 4428 wrote to memory of 1488 N/A C:\Windows\SysWOW64\Pfandnla.exe C:\Windows\SysWOW64\Pplobcpp.exe
PID 1488 wrote to memory of 1288 N/A C:\Windows\SysWOW64\Pplobcpp.exe C:\Windows\SysWOW64\Pdjgha32.exe
PID 1488 wrote to memory of 1288 N/A C:\Windows\SysWOW64\Pplobcpp.exe C:\Windows\SysWOW64\Pdjgha32.exe
PID 1488 wrote to memory of 1288 N/A C:\Windows\SysWOW64\Pplobcpp.exe C:\Windows\SysWOW64\Pdjgha32.exe
PID 1288 wrote to memory of 1004 N/A C:\Windows\SysWOW64\Pdjgha32.exe C:\Windows\SysWOW64\Qhhpop32.exe
PID 1288 wrote to memory of 1004 N/A C:\Windows\SysWOW64\Pdjgha32.exe C:\Windows\SysWOW64\Qhhpop32.exe
PID 1288 wrote to memory of 1004 N/A C:\Windows\SysWOW64\Pdjgha32.exe C:\Windows\SysWOW64\Qhhpop32.exe
PID 1004 wrote to memory of 3060 N/A C:\Windows\SysWOW64\Qhhpop32.exe C:\Windows\SysWOW64\Akkffkhk.exe
PID 1004 wrote to memory of 3060 N/A C:\Windows\SysWOW64\Qhhpop32.exe C:\Windows\SysWOW64\Akkffkhk.exe
PID 1004 wrote to memory of 3060 N/A C:\Windows\SysWOW64\Qhhpop32.exe C:\Windows\SysWOW64\Akkffkhk.exe
PID 3060 wrote to memory of 1092 N/A C:\Windows\SysWOW64\Akkffkhk.exe C:\Windows\SysWOW64\Aknbkjfh.exe
PID 3060 wrote to memory of 1092 N/A C:\Windows\SysWOW64\Akkffkhk.exe C:\Windows\SysWOW64\Aknbkjfh.exe
PID 3060 wrote to memory of 1092 N/A C:\Windows\SysWOW64\Akkffkhk.exe C:\Windows\SysWOW64\Aknbkjfh.exe
PID 1092 wrote to memory of 2204 N/A C:\Windows\SysWOW64\Aknbkjfh.exe C:\Windows\SysWOW64\Aajhndkb.exe
PID 1092 wrote to memory of 2204 N/A C:\Windows\SysWOW64\Aknbkjfh.exe C:\Windows\SysWOW64\Aajhndkb.exe
PID 1092 wrote to memory of 2204 N/A C:\Windows\SysWOW64\Aknbkjfh.exe C:\Windows\SysWOW64\Aajhndkb.exe
PID 2204 wrote to memory of 936 N/A C:\Windows\SysWOW64\Aajhndkb.exe C:\Windows\SysWOW64\Agimkk32.exe
PID 2204 wrote to memory of 936 N/A C:\Windows\SysWOW64\Aajhndkb.exe C:\Windows\SysWOW64\Agimkk32.exe
PID 2204 wrote to memory of 936 N/A C:\Windows\SysWOW64\Aajhndkb.exe C:\Windows\SysWOW64\Agimkk32.exe
PID 936 wrote to memory of 4760 N/A C:\Windows\SysWOW64\Agimkk32.exe C:\Windows\SysWOW64\Bpdnjple.exe
PID 936 wrote to memory of 4760 N/A C:\Windows\SysWOW64\Agimkk32.exe C:\Windows\SysWOW64\Bpdnjple.exe
PID 936 wrote to memory of 4760 N/A C:\Windows\SysWOW64\Agimkk32.exe C:\Windows\SysWOW64\Bpdnjple.exe
PID 4760 wrote to memory of 4328 N/A C:\Windows\SysWOW64\Bpdnjple.exe C:\Windows\SysWOW64\Bacjdbch.exe
PID 4760 wrote to memory of 4328 N/A C:\Windows\SysWOW64\Bpdnjple.exe C:\Windows\SysWOW64\Bacjdbch.exe
PID 4760 wrote to memory of 4328 N/A C:\Windows\SysWOW64\Bpdnjple.exe C:\Windows\SysWOW64\Bacjdbch.exe
PID 4328 wrote to memory of 1596 N/A C:\Windows\SysWOW64\Bacjdbch.exe C:\Windows\SysWOW64\Baegibae.exe
PID 4328 wrote to memory of 1596 N/A C:\Windows\SysWOW64\Bacjdbch.exe C:\Windows\SysWOW64\Baegibae.exe
PID 4328 wrote to memory of 1596 N/A C:\Windows\SysWOW64\Bacjdbch.exe C:\Windows\SysWOW64\Baegibae.exe
PID 1596 wrote to memory of 4140 N/A C:\Windows\SysWOW64\Baegibae.exe C:\Windows\SysWOW64\Bnlhncgi.exe
PID 1596 wrote to memory of 4140 N/A C:\Windows\SysWOW64\Baegibae.exe C:\Windows\SysWOW64\Bnlhncgi.exe
PID 1596 wrote to memory of 4140 N/A C:\Windows\SysWOW64\Baegibae.exe C:\Windows\SysWOW64\Bnlhncgi.exe
PID 4140 wrote to memory of 2544 N/A C:\Windows\SysWOW64\Bnlhncgi.exe C:\Windows\SysWOW64\Cpmapodj.exe
PID 4140 wrote to memory of 2544 N/A C:\Windows\SysWOW64\Bnlhncgi.exe C:\Windows\SysWOW64\Cpmapodj.exe
PID 4140 wrote to memory of 2544 N/A C:\Windows\SysWOW64\Bnlhncgi.exe C:\Windows\SysWOW64\Cpmapodj.exe
PID 2544 wrote to memory of 4256 N/A C:\Windows\SysWOW64\Cpmapodj.exe C:\Windows\SysWOW64\Cnaaib32.exe
PID 2544 wrote to memory of 4256 N/A C:\Windows\SysWOW64\Cpmapodj.exe C:\Windows\SysWOW64\Cnaaib32.exe
PID 2544 wrote to memory of 4256 N/A C:\Windows\SysWOW64\Cpmapodj.exe C:\Windows\SysWOW64\Cnaaib32.exe
PID 4256 wrote to memory of 1436 N/A C:\Windows\SysWOW64\Cnaaib32.exe C:\Windows\SysWOW64\Enfckp32.exe
PID 4256 wrote to memory of 1436 N/A C:\Windows\SysWOW64\Cnaaib32.exe C:\Windows\SysWOW64\Enfckp32.exe
PID 4256 wrote to memory of 1436 N/A C:\Windows\SysWOW64\Cnaaib32.exe C:\Windows\SysWOW64\Enfckp32.exe
PID 1436 wrote to memory of 4960 N/A C:\Windows\SysWOW64\Enfckp32.exe C:\Windows\SysWOW64\Fqppci32.exe
PID 1436 wrote to memory of 4960 N/A C:\Windows\SysWOW64\Enfckp32.exe C:\Windows\SysWOW64\Fqppci32.exe
PID 1436 wrote to memory of 4960 N/A C:\Windows\SysWOW64\Enfckp32.exe C:\Windows\SysWOW64\Fqppci32.exe
PID 4960 wrote to memory of 4828 N/A C:\Windows\SysWOW64\Fqppci32.exe C:\Windows\SysWOW64\Fdnhih32.exe
PID 4960 wrote to memory of 4828 N/A C:\Windows\SysWOW64\Fqppci32.exe C:\Windows\SysWOW64\Fdnhih32.exe
PID 4960 wrote to memory of 4828 N/A C:\Windows\SysWOW64\Fqppci32.exe C:\Windows\SysWOW64\Fdnhih32.exe
PID 4828 wrote to memory of 2684 N/A C:\Windows\SysWOW64\Fdnhih32.exe C:\Windows\SysWOW64\Fbbicl32.exe
PID 4828 wrote to memory of 2684 N/A C:\Windows\SysWOW64\Fdnhih32.exe C:\Windows\SysWOW64\Fbbicl32.exe
PID 4828 wrote to memory of 2684 N/A C:\Windows\SysWOW64\Fdnhih32.exe C:\Windows\SysWOW64\Fbbicl32.exe
PID 2684 wrote to memory of 2236 N/A C:\Windows\SysWOW64\Fbbicl32.exe C:\Windows\SysWOW64\Fgoakc32.exe
PID 2684 wrote to memory of 2236 N/A C:\Windows\SysWOW64\Fbbicl32.exe C:\Windows\SysWOW64\Fgoakc32.exe
PID 2684 wrote to memory of 2236 N/A C:\Windows\SysWOW64\Fbbicl32.exe C:\Windows\SysWOW64\Fgoakc32.exe
PID 2236 wrote to memory of 3748 N/A C:\Windows\SysWOW64\Fgoakc32.exe C:\Windows\SysWOW64\Fecadghc.exe
PID 2236 wrote to memory of 3748 N/A C:\Windows\SysWOW64\Fgoakc32.exe C:\Windows\SysWOW64\Fecadghc.exe
PID 2236 wrote to memory of 3748 N/A C:\Windows\SysWOW64\Fgoakc32.exe C:\Windows\SysWOW64\Fecadghc.exe
PID 3748 wrote to memory of 4092 N/A C:\Windows\SysWOW64\Fecadghc.exe C:\Windows\SysWOW64\Fajbjh32.exe
PID 3748 wrote to memory of 4092 N/A C:\Windows\SysWOW64\Fecadghc.exe C:\Windows\SysWOW64\Fajbjh32.exe
PID 3748 wrote to memory of 4092 N/A C:\Windows\SysWOW64\Fecadghc.exe C:\Windows\SysWOW64\Fajbjh32.exe
PID 4092 wrote to memory of 636 N/A C:\Windows\SysWOW64\Fajbjh32.exe C:\Windows\SysWOW64\Gbiockdj.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5d6e9ecebaa07acfd4221c417a3534c0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\5d6e9ecebaa07acfd4221c417a3534c0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Pfandnla.exe

C:\Windows\system32\Pfandnla.exe

C:\Windows\SysWOW64\Pplobcpp.exe

C:\Windows\system32\Pplobcpp.exe

C:\Windows\SysWOW64\Pdjgha32.exe

C:\Windows\system32\Pdjgha32.exe

C:\Windows\SysWOW64\Qhhpop32.exe

C:\Windows\system32\Qhhpop32.exe

C:\Windows\SysWOW64\Akkffkhk.exe

C:\Windows\system32\Akkffkhk.exe

C:\Windows\SysWOW64\Aknbkjfh.exe

C:\Windows\system32\Aknbkjfh.exe

C:\Windows\SysWOW64\Aajhndkb.exe

C:\Windows\system32\Aajhndkb.exe

C:\Windows\SysWOW64\Agimkk32.exe

C:\Windows\system32\Agimkk32.exe

C:\Windows\SysWOW64\Bpdnjple.exe

C:\Windows\system32\Bpdnjple.exe

C:\Windows\SysWOW64\Bacjdbch.exe

C:\Windows\system32\Bacjdbch.exe

C:\Windows\SysWOW64\Baegibae.exe

C:\Windows\system32\Baegibae.exe

C:\Windows\SysWOW64\Bnlhncgi.exe

C:\Windows\system32\Bnlhncgi.exe

C:\Windows\SysWOW64\Cpmapodj.exe

C:\Windows\system32\Cpmapodj.exe

C:\Windows\SysWOW64\Cnaaib32.exe

C:\Windows\system32\Cnaaib32.exe

C:\Windows\SysWOW64\Enfckp32.exe

C:\Windows\system32\Enfckp32.exe

C:\Windows\SysWOW64\Fqppci32.exe

C:\Windows\system32\Fqppci32.exe

C:\Windows\SysWOW64\Fdnhih32.exe

C:\Windows\system32\Fdnhih32.exe

C:\Windows\SysWOW64\Fbbicl32.exe

C:\Windows\system32\Fbbicl32.exe

C:\Windows\SysWOW64\Fgoakc32.exe

C:\Windows\system32\Fgoakc32.exe

C:\Windows\SysWOW64\Fecadghc.exe

C:\Windows\system32\Fecadghc.exe

C:\Windows\SysWOW64\Fajbjh32.exe

C:\Windows\system32\Fajbjh32.exe

C:\Windows\SysWOW64\Gbiockdj.exe

C:\Windows\system32\Gbiockdj.exe

C:\Windows\SysWOW64\Gejhef32.exe

C:\Windows\system32\Gejhef32.exe

C:\Windows\SysWOW64\Gihpkd32.exe

C:\Windows\system32\Gihpkd32.exe

C:\Windows\SysWOW64\Gbbajjlp.exe

C:\Windows\system32\Gbbajjlp.exe

C:\Windows\SysWOW64\Hahokfag.exe

C:\Windows\system32\Hahokfag.exe

C:\Windows\SysWOW64\Hnlodjpa.exe

C:\Windows\system32\Hnlodjpa.exe

C:\Windows\SysWOW64\Hnnljj32.exe

C:\Windows\system32\Hnnljj32.exe

C:\Windows\SysWOW64\Hbldphde.exe

C:\Windows\system32\Hbldphde.exe

C:\Windows\SysWOW64\Hnbeeiji.exe

C:\Windows\system32\Hnbeeiji.exe

C:\Windows\SysWOW64\Ilfennic.exe

C:\Windows\system32\Ilfennic.exe

C:\Windows\SysWOW64\Iogopi32.exe

C:\Windows\system32\Iogopi32.exe

C:\Windows\SysWOW64\Ilkoim32.exe

C:\Windows\system32\Ilkoim32.exe

C:\Windows\SysWOW64\Ipihpkkd.exe

C:\Windows\system32\Ipihpkkd.exe

C:\Windows\SysWOW64\Ipkdek32.exe

C:\Windows\system32\Ipkdek32.exe

C:\Windows\SysWOW64\Jblmgf32.exe

C:\Windows\system32\Jblmgf32.exe

C:\Windows\SysWOW64\Jbojlfdp.exe

C:\Windows\system32\Jbojlfdp.exe

C:\Windows\SysWOW64\Jlikkkhn.exe

C:\Windows\system32\Jlikkkhn.exe

C:\Windows\SysWOW64\Kheekkjl.exe

C:\Windows\system32\Kheekkjl.exe

C:\Windows\SysWOW64\Kcmfnd32.exe

C:\Windows\system32\Kcmfnd32.exe

C:\Windows\SysWOW64\Khiofk32.exe

C:\Windows\system32\Khiofk32.exe

C:\Windows\SysWOW64\Lakfeodm.exe

C:\Windows\system32\Lakfeodm.exe

C:\Windows\SysWOW64\Lfiokmkc.exe

C:\Windows\system32\Lfiokmkc.exe

C:\Windows\SysWOW64\Mhoahh32.exe

C:\Windows\system32\Mhoahh32.exe

C:\Windows\SysWOW64\Mhanngbl.exe

C:\Windows\system32\Mhanngbl.exe

C:\Windows\SysWOW64\Mcfbkpab.exe

C:\Windows\system32\Mcfbkpab.exe

C:\Windows\SysWOW64\Nfgklkoc.exe

C:\Windows\system32\Nfgklkoc.exe

C:\Windows\SysWOW64\Nfihbk32.exe

C:\Windows\system32\Nfihbk32.exe

C:\Windows\SysWOW64\Nqoloc32.exe

C:\Windows\system32\Nqoloc32.exe

C:\Windows\SysWOW64\Ncpeaoih.exe

C:\Windows\system32\Ncpeaoih.exe

C:\Windows\SysWOW64\Nmjfodne.exe

C:\Windows\system32\Nmjfodne.exe

C:\Windows\SysWOW64\Oqhoeb32.exe

C:\Windows\system32\Oqhoeb32.exe

C:\Windows\SysWOW64\Oonlfo32.exe

C:\Windows\system32\Oonlfo32.exe

C:\Windows\SysWOW64\Ojemig32.exe

C:\Windows\system32\Ojemig32.exe

C:\Windows\SysWOW64\Pcbkml32.exe

C:\Windows\system32\Pcbkml32.exe

C:\Windows\SysWOW64\Pfccogfc.exe

C:\Windows\system32\Pfccogfc.exe

C:\Windows\SysWOW64\Pmmlla32.exe

C:\Windows\system32\Pmmlla32.exe

C:\Windows\SysWOW64\Pmphaaln.exe

C:\Windows\system32\Pmphaaln.exe

C:\Windows\SysWOW64\Pfhmjf32.exe

C:\Windows\system32\Pfhmjf32.exe

C:\Windows\SysWOW64\Qbonoghb.exe

C:\Windows\system32\Qbonoghb.exe

C:\Windows\SysWOW64\Qmdblp32.exe

C:\Windows\system32\Qmdblp32.exe

C:\Windows\SysWOW64\Qjhbfd32.exe

C:\Windows\system32\Qjhbfd32.exe

C:\Windows\SysWOW64\Abcgjg32.exe

C:\Windows\system32\Abcgjg32.exe

C:\Windows\SysWOW64\Amikgpcc.exe

C:\Windows\system32\Amikgpcc.exe

C:\Windows\SysWOW64\Amkhmoap.exe

C:\Windows\system32\Amkhmoap.exe

C:\Windows\SysWOW64\Abhqefpg.exe

C:\Windows\system32\Abhqefpg.exe

C:\Windows\SysWOW64\Amnebo32.exe

C:\Windows\system32\Amnebo32.exe

C:\Windows\SysWOW64\Ampaho32.exe

C:\Windows\system32\Ampaho32.exe

C:\Windows\SysWOW64\Adjjeieh.exe

C:\Windows\system32\Adjjeieh.exe

C:\Windows\SysWOW64\Bigbmpco.exe

C:\Windows\system32\Bigbmpco.exe

C:\Windows\SysWOW64\Bboffejp.exe

C:\Windows\system32\Bboffejp.exe

C:\Windows\SysWOW64\Biiobo32.exe

C:\Windows\system32\Biiobo32.exe

C:\Windows\SysWOW64\Bbaclegm.exe

C:\Windows\system32\Bbaclegm.exe

C:\Windows\SysWOW64\Bpedeiff.exe

C:\Windows\system32\Bpedeiff.exe

C:\Windows\SysWOW64\Binhnomg.exe

C:\Windows\system32\Binhnomg.exe

C:\Windows\SysWOW64\Bfaigclq.exe

C:\Windows\system32\Bfaigclq.exe

C:\Windows\SysWOW64\Cgfbbb32.exe

C:\Windows\system32\Cgfbbb32.exe

C:\Windows\SysWOW64\Cdjblf32.exe

C:\Windows\system32\Cdjblf32.exe

C:\Windows\SysWOW64\Cgklmacf.exe

C:\Windows\system32\Cgklmacf.exe

C:\Windows\SysWOW64\Ccblbb32.exe

C:\Windows\system32\Ccblbb32.exe

C:\Windows\SysWOW64\Cdaile32.exe

C:\Windows\system32\Cdaile32.exe

C:\Windows\SysWOW64\Dinael32.exe

C:\Windows\system32\Dinael32.exe

C:\Windows\SysWOW64\Dnljkk32.exe

C:\Windows\system32\Dnljkk32.exe

C:\Windows\SysWOW64\Dpmcmf32.exe

C:\Windows\system32\Dpmcmf32.exe

C:\Windows\SysWOW64\Djegekil.exe

C:\Windows\system32\Djegekil.exe

C:\Windows\SysWOW64\Dgihop32.exe

C:\Windows\system32\Dgihop32.exe

C:\Windows\SysWOW64\Ejjaqk32.exe

C:\Windows\system32\Ejjaqk32.exe

C:\Windows\SysWOW64\Ecbeip32.exe

C:\Windows\system32\Ecbeip32.exe

C:\Windows\SysWOW64\Enhifi32.exe

C:\Windows\system32\Enhifi32.exe

C:\Windows\SysWOW64\Egpnooan.exe

C:\Windows\system32\Egpnooan.exe

C:\Windows\SysWOW64\Eafbmgad.exe

C:\Windows\system32\Eafbmgad.exe

C:\Windows\SysWOW64\Enlcahgh.exe

C:\Windows\system32\Enlcahgh.exe

C:\Windows\SysWOW64\Fncibg32.exe

C:\Windows\system32\Fncibg32.exe

C:\Windows\SysWOW64\Fqbeoc32.exe

C:\Windows\system32\Fqbeoc32.exe

C:\Windows\SysWOW64\Fglnkm32.exe

C:\Windows\system32\Fglnkm32.exe

C:\Windows\SysWOW64\Fdpnda32.exe

C:\Windows\system32\Fdpnda32.exe

C:\Windows\SysWOW64\Gnohnffc.exe

C:\Windows\system32\Gnohnffc.exe

C:\Windows\SysWOW64\Gqpapacd.exe

C:\Windows\system32\Gqpapacd.exe

C:\Windows\SysWOW64\Gkefmjcj.exe

C:\Windows\system32\Gkefmjcj.exe

C:\Windows\SysWOW64\Gqbneq32.exe

C:\Windows\system32\Gqbneq32.exe

C:\Windows\SysWOW64\Gbbkocid.exe

C:\Windows\system32\Gbbkocid.exe

C:\Windows\SysWOW64\Hccggl32.exe

C:\Windows\system32\Hccggl32.exe

C:\Windows\SysWOW64\Hcedmkmp.exe

C:\Windows\system32\Hcedmkmp.exe

C:\Windows\SysWOW64\Hjolie32.exe

C:\Windows\system32\Hjolie32.exe

C:\Windows\SysWOW64\Heepfn32.exe

C:\Windows\system32\Heepfn32.exe

C:\Windows\SysWOW64\Halaloif.exe

C:\Windows\system32\Halaloif.exe

C:\Windows\SysWOW64\Hgeihiac.exe

C:\Windows\system32\Hgeihiac.exe

C:\Windows\SysWOW64\Hghfnioq.exe

C:\Windows\system32\Hghfnioq.exe

C:\Windows\SysWOW64\Icogcjde.exe

C:\Windows\system32\Icogcjde.exe

C:\Windows\SysWOW64\Ibpgqa32.exe

C:\Windows\system32\Ibpgqa32.exe

C:\Windows\SysWOW64\Ilhkigcd.exe

C:\Windows\system32\Ilhkigcd.exe

C:\Windows\SysWOW64\Iccpniqp.exe

C:\Windows\system32\Iccpniqp.exe

C:\Windows\SysWOW64\Inkaqb32.exe

C:\Windows\system32\Inkaqb32.exe

C:\Windows\SysWOW64\Ijbbfc32.exe

C:\Windows\system32\Ijbbfc32.exe

C:\Windows\SysWOW64\Jaljbmkd.exe

C:\Windows\system32\Jaljbmkd.exe

C:\Windows\SysWOW64\Jejbhk32.exe

C:\Windows\system32\Jejbhk32.exe

C:\Windows\SysWOW64\Jnbgaa32.exe

C:\Windows\system32\Jnbgaa32.exe

C:\Windows\SysWOW64\Jacpcl32.exe

C:\Windows\system32\Jacpcl32.exe

C:\Windows\SysWOW64\Jogqlpde.exe

C:\Windows\system32\Jogqlpde.exe

C:\Windows\SysWOW64\Jhoeef32.exe

C:\Windows\system32\Jhoeef32.exe

C:\Windows\SysWOW64\Kahinkaf.exe

C:\Windows\system32\Kahinkaf.exe

C:\Windows\SysWOW64\Koljgppp.exe

C:\Windows\system32\Koljgppp.exe

C:\Windows\SysWOW64\Kdhbpf32.exe

C:\Windows\system32\Kdhbpf32.exe

C:\Windows\SysWOW64\Kalcik32.exe

C:\Windows\system32\Kalcik32.exe

C:\Windows\SysWOW64\Kopcbo32.exe

C:\Windows\system32\Kopcbo32.exe

C:\Windows\SysWOW64\Kocphojh.exe

C:\Windows\system32\Kocphojh.exe

C:\Windows\SysWOW64\Khkdad32.exe

C:\Windows\system32\Khkdad32.exe

C:\Windows\SysWOW64\Lklnconj.exe

C:\Windows\system32\Lklnconj.exe

C:\Windows\SysWOW64\Lojfin32.exe

C:\Windows\system32\Lojfin32.exe

C:\Windows\SysWOW64\Llngbabj.exe

C:\Windows\system32\Llngbabj.exe

C:\Windows\SysWOW64\Llpchaqg.exe

C:\Windows\system32\Llpchaqg.exe

C:\Windows\SysWOW64\Lamlphoo.exe

C:\Windows\system32\Lamlphoo.exe

C:\Windows\SysWOW64\Lhgdmb32.exe

C:\Windows\system32\Lhgdmb32.exe

C:\Windows\SysWOW64\Mekdffee.exe

C:\Windows\system32\Mekdffee.exe

C:\Windows\SysWOW64\Mkgmoncl.exe

C:\Windows\system32\Mkgmoncl.exe

C:\Windows\SysWOW64\Mdbnmbhj.exe

C:\Windows\system32\Mdbnmbhj.exe

C:\Windows\SysWOW64\Mafofggd.exe

C:\Windows\system32\Mafofggd.exe

C:\Windows\SysWOW64\Mllccpfj.exe

C:\Windows\system32\Mllccpfj.exe

C:\Windows\SysWOW64\Medglemj.exe

C:\Windows\system32\Medglemj.exe

C:\Windows\SysWOW64\Nchhfild.exe

C:\Windows\system32\Nchhfild.exe

C:\Windows\SysWOW64\Nooikj32.exe

C:\Windows\system32\Nooikj32.exe

C:\Windows\SysWOW64\Nhgmcp32.exe

C:\Windows\system32\Nhgmcp32.exe

C:\Windows\SysWOW64\Nbbnbemf.exe

C:\Windows\system32\Nbbnbemf.exe

C:\Windows\SysWOW64\Ofijnbkb.exe

C:\Windows\system32\Ofijnbkb.exe

C:\Windows\SysWOW64\Pdqcenmg.exe

C:\Windows\system32\Pdqcenmg.exe

C:\Windows\SysWOW64\Pcbdcf32.exe

C:\Windows\system32\Pcbdcf32.exe

C:\Windows\SysWOW64\Piolkm32.exe

C:\Windows\system32\Piolkm32.exe

C:\Windows\SysWOW64\Poidhg32.exe

C:\Windows\system32\Poidhg32.exe

C:\Windows\SysWOW64\Pomncfge.exe

C:\Windows\system32\Pomncfge.exe

C:\Windows\SysWOW64\Qfgfpp32.exe

C:\Windows\system32\Qfgfpp32.exe

C:\Windows\SysWOW64\Qfjcep32.exe

C:\Windows\system32\Qfjcep32.exe

C:\Windows\SysWOW64\Qkfkng32.exe

C:\Windows\system32\Qkfkng32.exe

C:\Windows\SysWOW64\Aflpkpjm.exe

C:\Windows\system32\Aflpkpjm.exe

C:\Windows\SysWOW64\Akihcfid.exe

C:\Windows\system32\Akihcfid.exe

C:\Windows\SysWOW64\Aimhmkgn.exe

C:\Windows\system32\Aimhmkgn.exe

C:\Windows\SysWOW64\Apgqie32.exe

C:\Windows\system32\Apgqie32.exe

C:\Windows\SysWOW64\Aecialmb.exe

C:\Windows\system32\Aecialmb.exe

C:\Windows\SysWOW64\Aeffgkkp.exe

C:\Windows\system32\Aeffgkkp.exe

C:\Windows\SysWOW64\Afeban32.exe

C:\Windows\system32\Afeban32.exe

C:\Windows\SysWOW64\Bfhofnpp.exe

C:\Windows\system32\Bfhofnpp.exe

C:\Windows\SysWOW64\Bldgoeog.exe

C:\Windows\system32\Bldgoeog.exe

C:\Windows\SysWOW64\Bemlhj32.exe

C:\Windows\system32\Bemlhj32.exe

C:\Windows\SysWOW64\Bpbpecen.exe

C:\Windows\system32\Bpbpecen.exe

C:\Windows\SysWOW64\Bikeni32.exe

C:\Windows\system32\Bikeni32.exe

C:\Windows\SysWOW64\Bpgjpb32.exe

C:\Windows\system32\Bpgjpb32.exe

C:\Windows\SysWOW64\Bfabmmhe.exe

C:\Windows\system32\Bfabmmhe.exe

C:\Windows\SysWOW64\Blnjecfl.exe

C:\Windows\system32\Blnjecfl.exe

C:\Windows\SysWOW64\Cibkohef.exe

C:\Windows\system32\Cibkohef.exe

C:\Windows\SysWOW64\Cehlcikj.exe

C:\Windows\system32\Cehlcikj.exe

C:\Windows\SysWOW64\Cbmlmmjd.exe

C:\Windows\system32\Cbmlmmjd.exe

C:\Windows\SysWOW64\Cpqlfa32.exe

C:\Windows\system32\Cpqlfa32.exe

C:\Windows\SysWOW64\Cfjeckpj.exe

C:\Windows\system32\Cfjeckpj.exe

C:\Windows\SysWOW64\Cbaehl32.exe

C:\Windows\system32\Cbaehl32.exe

C:\Windows\SysWOW64\Ddqbbo32.exe

C:\Windows\system32\Ddqbbo32.exe

C:\Windows\SysWOW64\Ddcogo32.exe

C:\Windows\system32\Ddcogo32.exe

C:\Windows\SysWOW64\Dedkogqm.exe

C:\Windows\system32\Dedkogqm.exe

C:\Windows\SysWOW64\Ddekmo32.exe

C:\Windows\system32\Ddekmo32.exe

C:\Windows\SysWOW64\Dmnpfd32.exe

C:\Windows\system32\Dmnpfd32.exe

C:\Windows\SysWOW64\Dbkhnk32.exe

C:\Windows\system32\Dbkhnk32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 6916 -ip 6916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6916 -s 400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4112 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto

Files


memory/2244-261-0x0000000000400000-0x0000000000440000-memory.dmp

memory/448-263-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Ipihpkkd.exe

MD5 56b53f33d63e4501af6ab5268b2ce3e0
SHA1 6df4570372798f646bac9375e90c64dfd30b268f
SHA256 24807b435e819d1f5d689b494002953e578e18921cebd9e37b10aa9392290b45
SHA512 a349ae9a60ebf7937eaaec4edf7045c0c034c17112a2a367a115fb85278bbae94d8fca82c3a15b02b67d484063470648fd45333bf2d557095920f75bb2c70d5e

memory/384-269-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3336-275-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3520-281-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2884-287-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Jlikkkhn.exe

MD5 aea67cd9281adf06ef4e4a08aebddf55
SHA1 79282b3c88f6ef8236fd06fd06655ca59ffca62d
SHA256 9bc8f7fbc77c24b7e8c91405f25a7763b124d79c91314530dca9001c034dc402
SHA512 68e81b0a42aab6a4a71383660a5ba37bdd46178fb454e7d0d8a1f4e7664527ffc85d73e3ad9986fe80f9079c964e8cb873235f3fae4b49e4de84b19df946f2b7

memory/3752-293-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3320-299-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1384-305-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4184-311-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Lakfeodm.exe

MD5 f9f141ba6477a52aae3c2d72c20a5586
SHA1 1d5e16b79aa1f71bda232933377d7f24705b40cd
SHA256 21849678c107aab76a7d8d1a7dfc7921b45d05d155d85a18c98343146317f976
SHA512 5b036d94b08637feae7baf5b6517d87d6eec76277e09176ab2b34867e966114002c9e77251b6bcf134acb407ed16551405d41bfaa3dee0bfe15ea19b9778a901

memory/3912-317-0x0000000000400000-0x0000000000440000-memory.dmp

memory/904-323-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Mhoahh32.exe

MD5 4ecc7897ce20418327325114069da913
SHA1 9080885c3e0b0a2721d22e3c4cdeb3390df9002a
SHA256 d8389c5de7848dd7bc837a131abb7b7941fc8abf636666431a65af2e430afe8b
SHA512 5a470bbed1b13f5e5ab9a38b68f51a67ce1c364d17ffa3ac0b33c3e097859ae785e359667e9d7b31e76cf923900f2c751d1cf73f0c2b20669833ad439dfe66aa

memory/4640-329-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2140-335-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Mcfbkpab.exe

MD5 a16206993a6ff2b388f6c2f07eff3e9b
SHA1 9729ea2f086d6b9cb99c0746629f1a679ba826b1
SHA256 875f6a8ff5c785db1a506da49a12e93a58b347aa324d7447a1cdd5593a9b1b2f
SHA512 a5a32bf8afb8ea8f86ea3460f417e0225c8f9a01428edf77908b0df5f08399164271c157d1e7426999bb3d7bddb05774e6f198eb36626cca23ef77652da60095

memory/620-341-0x0000000000400000-0x0000000000440000-memory.dmp

memory/220-347-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3524-353-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4396-359-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3636-365-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4296-371-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4492-377-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4508-383-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2856-389-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1536-395-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Pfccogfc.exe

MD5 a01718b0834e16e92f90ea6d01900cbf
SHA1 2df78071a2b0048c84bd3dfaca1c43bb571a8e27
SHA256 a1b7ecab25a5c95f3e63aa91fb7fad70742f44c12e518ccbee433bfc1ae43734
SHA512 246fb4518843d0ec19905efed439603fcb92f3d86b2e9cb4c3e7ffacaaca8d1bf46ad429aa72c3f5a14c26d541eb40cb22af65e4df48270e40bdff0a11e7ab8a

memory/3600-401-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2876-407-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4260-413-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1188-419-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Qbonoghb.exe

MD5 a9cfc265c3bebf95ec1f811c738648b8
SHA1 8d66ef3cf8c645753a887d03c146b372d7100be0
SHA256 178d654237f93a66e335a28f784b226caf24a25a33f27fbd4574927d69a629b7
SHA512 f6022cfc75d36d3b8f29b089bfd498a5095abb74b77fd773cc79159e8246b9411a02ee3ad00f64fa4deb3c9050dd4b7c43d431f8c7d5f4ab38dc8c60d6a60c22

memory/3744-429-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4596-431-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4968-443-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2368-442-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3164-449-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Amkhmoap.exe

MD5 4d204e06e9ff2c1e468f6e645f7e3c86
SHA1 01d635c2a3da5fe90a7bc4f7abab9866bbb9e900
SHA256 b7c27d32a8dab001aef487899f676b9af61edc545a60cb641d25faf6f2912392
SHA512 25c8258503ff7d8e278aeb8440bed3650aef73dde166f06c7c9ca2fd97d5f6d34238260d11b1ddc8014867c3622d0502d423a2f22966d16da3d80f1d24d8eb9f

memory/2456-459-0x0000000000400000-0x0000000000440000-memory.dmp

memory/232-461-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4996-467-0x0000000000400000-0x0000000000440000-memory.dmp

memory/5196-473-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Adjjeieh.exe

MD5 22a5bbd567fadfd61c82ca7c0d0187a1
SHA1 0f5a58b9ebf20c47206f55fbfc7bbc2116631eeb
SHA256 03fd356e07d96cdc2dd2e5640d627af5b2c914894363b5c0b4f22dada646a7af
SHA512 f367aacb702574088c9025f0f85991b19f2de647fe7c35b1348d3c2824d9ef72e962e71a995fbbd8e0dc02e06c360f70d0d923a18769a7246d135fb7e570e08b

memory/5236-479-0x0000000000400000-0x0000000000440000-memory.dmp

memory/5288-490-0x0000000000400000-0x0000000000440000-memory.dmp

memory/5324-496-0x0000000000400000-0x0000000000440000-memory.dmp

memory/5364-497-0x0000000000400000-0x0000000000440000-memory.dmp

memory/5412-507-0x0000000000400000-0x0000000000440000-memory.dmp

memory/5456-509-0x0000000000400000-0x0000000000440000-memory.dmp

memory/5512-515-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Bfaigclq.exe

MD5 060a15d6ef3313b9e185a6b3ac31957a
SHA1 6ca638cc631434b336be6570f607551b1c873106
SHA256 440af50fd7e6fe83eada09fbd85d1ec6900aad6bd6b032e73545570520518f3c
SHA512 4fdfb73d4640e08a1c6a3207068ae2468889b30c773fa51f3e14f6e112bccbd94e279db41af023311c16c2cab524680491432519a25646340cd1ef9d9539ce49

memory/5552-525-0x0000000000400000-0x0000000000440000-memory.dmp

memory/5592-527-0x0000000000400000-0x0000000000440000-memory.dmp

memory/5632-533-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Cgklmacf.exe

MD5 21910181a0ef8559ae7784fdd3758270
SHA1 f0956d92d54ed07beffb298a86229ec2c8b04f86
SHA256 76da7ca52184f3b2dec8bd378e8ce08639220a61e7634aa0522e6df06bfa2332
SHA512 43c0bdb9e8cde2fc39d1d14bd1a8e909026d58ba769589679df4d06f41c5b83c742dca809f81b2fb6556c6ef09cd1f5d9e114564416d83bfa60a5476a729ea64

memory/1600-539-0x0000000000400000-0x0000000000440000-memory.dmp

memory/5676-540-0x0000000000400000-0x0000000000440000-memory.dmp

memory/5720-546-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4428-552-0x0000000000400000-0x0000000000440000-memory.dmp

memory/5760-553-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1488-559-0x0000000000400000-0x0000000000440000-memory.dmp

memory/5804-560-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1288-566-0x0000000000400000-0x0000000000440000-memory.dmp

memory/5848-567-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Dpmcmf32.exe

MD5 c4051a0ad5a4e5711e4770ae0fad621e
SHA1 7bc3eea5a54af92269544e168bea4725c7eb4ce5
SHA256 032b0791850ba6f92c04bd077a06cc61cec2f114b9f20344eb71ef2d3b0fd4dc
SHA512 ed6ea781b7d0508d6cd75e7022d9d5760f33195a680e5916bebc830fe388445c028f30f01899c197a2e59390556b5329fecfe83b7253f2ef70e0452ca7871bf5

memory/1004-573-0x0000000000400000-0x0000000000440000-memory.dmp

memory/5892-574-0x0000000000400000-0x0000000000440000-memory.dmp

memory/5936-581-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3060-580-0x0000000000400000-0x0000000000440000-memory.dmp

memory/5980-588-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1092-587-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Ejjaqk32.exe

MD5 8b2eee1a42d13ce35f123ada14da54d6
SHA1 5e95b4297c83d70b0423b8f3c7e5bc390660a355
SHA256 93f717592cf27eccfcadaa3bc059eabd7f766a77b2017088c4f1a0b1fb88744a
SHA512 044a37ae0e214d90feb7dc95d01bc54e8eb539b730ddbe5614e8d86dc2afca220c6276f2d1ccfa493743a63b48d85ef6b754e920f1b6b656575ef57be4c14f53

memory/2204-594-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Eafbmgad.exe

MD5 032b73416a57b1c1e6ecfecf20a8bc7a
SHA1 186a664b28729849f4ace0ca8c4b553ee3246b57
SHA256 24c9fe64582c37273cb5aec075b25feae1b6be6f241642bbbd188551789c4e16
SHA512 832683bca29dea3e6f4b98d8c8869d58bd29f17f9a512b50e42afae99c2da9debce80004cb4035001cec5bbceb60c25d6c7d4c631c30d0a0053458692aa1ccf0

C:\Windows\SysWOW64\Fdpnda32.exe

MD5 59c3cc968c56762d4a815cdbf88775ae
SHA1 bc04544a9c6daa3a8ec0d1f9560fda6867efb4a1
SHA256 d878fb5f9a7ae9b682a1751814dfa9aceb2219e38a7efd0402801200c102fbc1
SHA512 f4f9591c59570455d7be7bf3994e72bb9710c6aac6bf44428f392d9ef55a5f3035863ec815b3148c9ae6ac8988bcc92cc886bc59f45524ec5e60050e788fdceb

C:\Windows\SysWOW64\Gkefmjcj.exe

MD5 8250d43cb0533457be78d2eb66b52118
SHA1 f423333ee8522e0748279c255ea85aafc217041e
SHA256 dbdc6b298cb8323d16ad826b5444bb032c35bd4670d6bd6c3f6a8a1c134015ef
SHA512 a670680e5ee3f6689548bc0630444876d9449aff5c5fd60aaeb2d59e6efb2e7dab00dbc49c072c02a829640cfd44b08c393c66071f8bee1c9d24908ea3506b20

C:\Windows\SysWOW64\Gbbkocid.exe

MD5 604956fc31513cb7387a2aa7b71107d0
SHA1 8482daab6a9b7ccdb766c4de7f3f8f6eece63e6e
SHA256 a2ea17c2e6017462b87c9b63513579c540ae15b1578207ac057bd7cb755f7ed0
SHA512 d91e1a098e25449c530cf97c9deb557c73a9f7a92e742a7361b1323fafaf4abc4a106c417db1426f40099fa2b49a5ac117cbf0423402c867030f204afbd9ffc2

C:\Windows\SysWOW64\Hghfnioq.exe

MD5 83cdf98b665b0e3d06bd85b48a3ff120
SHA1 326d8fbd7d662e326621b813d2d892e632cc519f
SHA256 89a4b7f39d2ab624c2123ce1ca0ea8e51a4080eef558e80a585dc032459fd48d
SHA512 a3cee4fa13442152413ba9d442c253e0f015cae1e7e61abcd7fd8dc104e7fe91e235dbe7c464130d214da1d871782d4e5d1b898f5afaa9b91b36d20aadeacfde

C:\Windows\SysWOW64\Jaljbmkd.exe

MD5 b56f4bf312a3a022397267c38fcf1129
SHA1 5fd782acad9063c442ed29f551a6c8cde9e718f1
SHA256 be7194609affb9d8556462f1715ac73fe0c559747c7d1cc72789c2bbe9a4b377
SHA512 39ded62949f2f9f3a4f68f4cc341173ed94abef31c3dafeb7651c36f273990e1f4538b31023177fd82c11f4da1aa34513e593b5ab8dffdc3deb1c5401604ada2

C:\Windows\SysWOW64\Jnbgaa32.exe

MD5 af71ccd468462003eb49bded72317341
SHA1 7c330385cb2851ead96d2efb9605e7ae868222f5
SHA256 638c4d7239f9b7cd47f7bc3bcd5a4cb850d5342a8a37b1f2c0951e4d53829775
SHA512 877bc21b5509ed8282616fc2c6bcb12fef01d5e7dd890c3fbd662d006b451e2ae432bc608ea0128bbf766f4d1416f08978093917fd8a7a722419ba77436ab0ac

C:\Windows\SysWOW64\Kahinkaf.exe

MD5 7735fb7415a2b81aa1f07aa013d6e473
SHA1 a7da6666bf478cce44981cbaffda7505edd57bb2
SHA256 78f4d4bd8f09f470a45d1944ae4c68db2783bc8b3b5a2b18a02df4521b0eea84
SHA512 87a08f0a30ec7677607c4740f85dc806ef27f18ee3562569028c9fe1be824bbf7bfdc3f45ec467573ede024dbdd1a1a7a50c625506f087b3e33f1ecc655f6fb7

C:\Windows\SysWOW64\Kdhbpf32.exe

MD5 480850297d5c048fda2be18b50ef97ec
SHA1 1cb54a6deeb93fd602d90e5dd1892c2245950f5f
SHA256 bd99d27f69ddfbd508733aa20f413f89951467f6da94b93d5156d82625f7f039
SHA512 a5662f7c44f203a9b13c0be39e8abad227699703df16f38a414734db96c07c5bb6f8add4dbdaf8f19c225d71f72ad3ec6131654010d71674bad740a06292ff1e

C:\Windows\SysWOW64\Lklnconj.exe

MD5 1b0a84af28b680c023a60d0f4d626743
SHA1 785e976226e5667800504953059374de2d99e9c6
SHA256 a5b3773f35c980dfabd48cc2a3e6d072628d545c1d3603d4ec3c0428f5baa12f
SHA512 7a6f70cd314ba57efc80b959d424fc668b9484fdc1b2ac8622e1e9856e7b506ca831e7fed27c14cad52e51405b4ba852b73f3736967b8f36d813afc7a764b640

C:\Windows\SysWOW64\Llngbabj.exe

MD5 53668319cbac25f14f12d2711b4764ae
SHA1 c5e0551eb98120e57345df5c3654e3cf2547ce18
SHA256 03794e7fdac91c9ea8c12559f35dedc6d209f09c9a8e666c5bd9c3783f3c8728
SHA512 3c870afbb36beabe6d997ff80e8f46cc7b4bf17246f821920553326c16120181622538a9ca2ea172003a02c79a2946f4133c99a484fe9013c6fa7460810889e5

C:\Windows\SysWOW64\Mllccpfj.exe

MD5 9336a546bd234f25bdd4495b33a297b6
SHA1 b313fa44b87bef894a1e8f1ee9385d8f63270bb7
SHA256 0ff0ca1ce0a3e2cf3525239fba5c00713018741fc1be0a18ea40d5b2877dd8c6
SHA512 f19038ae8d7576da81caac91dcb165ff1923fa74870905640820aa8e9b2f04a244155f6237fa52acda330cd12bbc2a4ab3a10ae0b0d89135e9316fbc5701e017

C:\Windows\SysWOW64\Nchhfild.exe

MD5 459ddededdcf740884726fb8297a2e9a
SHA1 503a2a68382d95be8be205d698930edd8ac51a53
SHA256 f6fe0e77460c1edd295951d26e3c32c155f09ff159c44a90c1c23007f48d97c9
SHA512 7e4d95c99f6af3ef46a6dbbd8d4c01a2d71111394cc8882e473f03c4d4d1ed3df7f3fd4f9c44359972e926e534ebe5bc192f94d4d9d26eb12e51326dd4b1b3b1

C:\Windows\SysWOW64\Nhgmcp32.exe

MD5 f305a5dcbfaa0bef273a81cc808b24fd
SHA1 d4926ffbb8336080aa16dedaf35b884f1ef18684
SHA256 eec20ed7b33b9560e115d07ad2090811146346cc4e1194e29fadcbb844d463d1
SHA512 4fd1b356485afe1a6a243b7abf436997ec4a7fc7328e929fad24b68471ddca1056eea4708204193c19e0e728a5470c57f5d08cc0232f46bc3a588a924e8bffab

C:\Windows\SysWOW64\Poidhg32.exe

MD5 3b72ced0b63ac54f69e5404e70e3f18f
SHA1 48953dd97fe51e8e3127d33a061d16b3b9efe099
SHA256 82b72c08bae1f03ba316231af17ff1e0e5bd80a4c92c8362e59a967f3e08b781
SHA512 091c6a4e50bb798101367d1b93eebf261348442e8eb7661bc599c7da4f6a1b9c0b82b9bef306c7236fae9ed1c37d454c8f6765bc07b6baeeaf5481a4db1e47b6

C:\Windows\SysWOW64\Qfgfpp32.exe

MD5 65f2694590a05eb3c9e60c198c084b76
SHA1 a904d252019436dfae50bee7f9e90b8afc72173b
SHA256 8c80ab15a5934c2b5200eb244601a71fbc5ac87071ea03635a17eadf386aff68
SHA512 7c76ec03e8e3a2249f50ea4f8736732bb571bb40dec5aad39372c51b8d4308a5c9b9341111d3a15a8b4b66a7b3587ac9cdbfa4451280e0e1a4dd88b8a5e2b4b0

C:\Windows\SysWOW64\Bfhofnpp.exe

MD5 ee792de5ad4cba4e3bb486e3380a87ab
SHA1 92130e90a1e0320821f6a119652bfa338fc5faa3
SHA256 65644e3b38e56dc439050b0a0e5388d41c59ff3a8000f2e269facbe6771dc5c7
SHA512 d9244a9daa7a3c8105cf1e0a6d2bf4c74abec65cc26f3445c3bcb20568dcd56455806143d26b3e6365d01093955a85540f840fc05c35ee573cfb49766940cf9c

C:\Windows\SysWOW64\Cibkohef.exe

MD5 14e76e781e703d3a84fdeef8b5396b7d
SHA1 d6c81d70ce7f326e22c487b48c7fe2c7d5c96e30
SHA256 76311cc81a810a72b99aa5d254baed7c0f609731b9a0fec66066115cdf618d86
SHA512 dc8004c50160045bd4bf9a0ab65371c6ed5f1dec4517430be678b2df1279fa90df5cc1be292c7933e91f0352c91ce3ecdcbeccbb8b9ace1779fa7ce4ccf92b77

C:\Windows\SysWOW64\Cfjeckpj.exe

MD5 4ffc0286ca0c302c9cfe874efe9d9a35
SHA1 19f059f94f710caab9c424fc6981f2abf61869ed
SHA256 18cd7795342af7743abfb1c672aeceea304f617341046e4268ccfb0a491adb95
SHA512 ad0d9c9640dbbcca4c0a11ee42153d37d67ec144398e9758bb8622eeabf913fbcad44dc8ae0ead9fccca38eeaf5e9c94c641ab9c30c575c51c9909351791901b

C:\Windows\SysWOW64\Ddqbbo32.exe

MD5 b50acade379e9fe3ac4ab4a2537de67a
SHA1 3f921c059ce76ccfc87cb2b6af89e524b0329482
SHA256 df4a98ca78b0381cefe761817dab6f2c1e1d540d2cdc181eee2aaba7ed7f58e6
SHA512 d136470abc357cdeae1a418e6badab437f5bdfaa9201f503454962bb8c00474b7099fe0cc7345ca581a3998b27a20aac9e72b1db435d52fe1efcd4da114e1653

C:\Windows\SysWOW64\Ddekmo32.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e