Malware Analysis Report

2024-10-16 04:29

Sample ID 240601-3a2nraba72
Target 09b410a6ed3f36af91142aae29719a60_NeikiAnalytics.exe
SHA256 01ee5dfc93b1ab96f600e79b6cecea4d7d89e1061f1fe91c5ef2c7b99f1d905a
Tags
backdoor trojan dropper berbew persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

01ee5dfc93b1ab96f600e79b6cecea4d7d89e1061f1fe91c5ef2c7b99f1d905a

Threat Level: Known bad

The file 09b410a6ed3f36af91142aae29719a60_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

backdoor trojan dropper berbew persistence

Berbew family

Malware Dropper & Backdoor - Berbew

Adds autorun key to be loaded by Explorer.exe on startup

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Program crash

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 23:19

Signatures

Berbew family

berbew

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 23:19

Reported

2024-06-01 23:22

Platform

win7-20240508-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\09b410a6ed3f36af91142aae29719a60_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fjdbnf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gacpdbej.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iaeiieeb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dgaqgh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Filldb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ghkllmoi.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hiqbndpb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hejoiedd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Fjdbnf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Epdkli32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fbdqmghm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hiqbndpb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hiekid32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Henidd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Epieghdk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Epieghdk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Fejgko32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Efncicpm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gkkemh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\09b410a6ed3f36af91142aae29719a60_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fejgko32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gkkemh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hgbebiao.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hpapln32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dgodbh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dgdmmgpj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dmafennb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Emcbkn32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Feeiob32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gieojq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gacpdbej.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Users\Admin\AppData\Local\Temp\09b410a6ed3f36af91142aae29719a60_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gpknlk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gieojq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hpapln32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Iaeiieeb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dmafennb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Efncicpm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hiekid32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hgilchkf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dgaqgh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Feeiob32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hgbebiao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Fbdqmghm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Emcbkn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Epdkli32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eiaiqn32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gobgcg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gobgcg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ghkllmoi.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hahjpbad.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dgdmmgpj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hgdbhi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hgdbhi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hckcmjep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Idceea32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gogangdc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Eiaiqn32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gpknlk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hckcmjep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hejoiedd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hgilchkf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dgodbh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gogangdc.exe N/A

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Dgodbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgaqgh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgdmmgpj.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmafennb.exe N/A
N/A N/A C:\Windows\SysWOW64\Emcbkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Epdkli32.exe N/A
N/A N/A C:\Windows\SysWOW64\Efncicpm.exe N/A
N/A N/A C:\Windows\SysWOW64\Epieghdk.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiaiqn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjdbnf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fejgko32.exe N/A
N/A N/A C:\Windows\SysWOW64\Filldb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbdqmghm.exe N/A
N/A N/A C:\Windows\SysWOW64\Feeiob32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gpknlk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gieojq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gobgcg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghkllmoi.exe N/A
N/A N/A C:\Windows\SysWOW64\Gacpdbej.exe N/A
N/A N/A C:\Windows\SysWOW64\Gkkemh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gogangdc.exe N/A
N/A N/A C:\Windows\SysWOW64\Hgbebiao.exe N/A
N/A N/A C:\Windows\SysWOW64\Hiqbndpb.exe N/A
N/A N/A C:\Windows\SysWOW64\Hahjpbad.exe N/A
N/A N/A C:\Windows\SysWOW64\Hgdbhi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hckcmjep.exe N/A
N/A N/A C:\Windows\SysWOW64\Hejoiedd.exe N/A
N/A N/A C:\Windows\SysWOW64\Hiekid32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hgilchkf.exe N/A
N/A N/A C:\Windows\SysWOW64\Hpapln32.exe N/A
N/A N/A C:\Windows\SysWOW64\Henidd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iaeiieeb.exe N/A
N/A N/A C:\Windows\SysWOW64\Idceea32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iagfoe32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\09b410a6ed3f36af91142aae29719a60_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\09b410a6ed3f36af91142aae29719a60_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgodbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgodbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgaqgh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgaqgh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgdmmgpj.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgdmmgpj.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmafennb.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmafennb.exe N/A
N/A N/A C:\Windows\SysWOW64\Emcbkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Emcbkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Epdkli32.exe N/A
N/A N/A C:\Windows\SysWOW64\Epdkli32.exe N/A
N/A N/A C:\Windows\SysWOW64\Efncicpm.exe N/A
N/A N/A C:\Windows\SysWOW64\Efncicpm.exe N/A
N/A N/A C:\Windows\SysWOW64\Epieghdk.exe N/A
N/A N/A C:\Windows\SysWOW64\Epieghdk.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiaiqn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiaiqn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjdbnf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjdbnf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fejgko32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fejgko32.exe N/A
N/A N/A C:\Windows\SysWOW64\Filldb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Filldb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbdqmghm.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbdqmghm.exe N/A
N/A N/A C:\Windows\SysWOW64\Feeiob32.exe N/A
N/A N/A C:\Windows\SysWOW64\Feeiob32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gpknlk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gpknlk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gieojq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gieojq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gobgcg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gobgcg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghkllmoi.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghkllmoi.exe N/A
N/A N/A C:\Windows\SysWOW64\Gacpdbej.exe N/A
N/A N/A C:\Windows\SysWOW64\Gacpdbej.exe N/A
N/A N/A C:\Windows\SysWOW64\Gkkemh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gkkemh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gogangdc.exe N/A
N/A N/A C:\Windows\SysWOW64\Gogangdc.exe N/A
N/A N/A C:\Windows\SysWOW64\Hgbebiao.exe N/A
N/A N/A C:\Windows\SysWOW64\Hgbebiao.exe N/A
N/A N/A C:\Windows\SysWOW64\Hiqbndpb.exe N/A
N/A N/A C:\Windows\SysWOW64\Hiqbndpb.exe N/A
N/A N/A C:\Windows\SysWOW64\Hahjpbad.exe N/A
N/A N/A C:\Windows\SysWOW64\Hahjpbad.exe N/A
N/A N/A C:\Windows\SysWOW64\Hgdbhi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hgdbhi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hckcmjep.exe N/A
N/A N/A C:\Windows\SysWOW64\Hckcmjep.exe N/A
N/A N/A C:\Windows\SysWOW64\Hejoiedd.exe N/A
N/A N/A C:\Windows\SysWOW64\Hejoiedd.exe N/A
N/A N/A C:\Windows\SysWOW64\Hiekid32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hiekid32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hgilchkf.exe N/A
N/A N/A C:\Windows\SysWOW64\Hgilchkf.exe N/A
N/A N/A C:\Windows\SysWOW64\Hpapln32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hpapln32.exe N/A
N/A N/A C:\Windows\SysWOW64\Henidd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Henidd32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Hahjpbad.exe C:\Windows\SysWOW64\Hiqbndpb.exe N/A
File opened for modification C:\Windows\SysWOW64\Hckcmjep.exe C:\Windows\SysWOW64\Hgdbhi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hiekid32.exe C:\Windows\SysWOW64\Hejoiedd.exe N/A
File opened for modification C:\Windows\SysWOW64\Fjdbnf32.exe C:\Windows\SysWOW64\Eiaiqn32.exe N/A
File created C:\Windows\SysWOW64\Lkoabpeg.dll C:\Windows\SysWOW64\Gpknlk32.exe N/A
File created C:\Windows\SysWOW64\Hepmggig.dll C:\Windows\SysWOW64\Hckcmjep.exe N/A
File created C:\Windows\SysWOW64\Epdkli32.exe C:\Windows\SysWOW64\Emcbkn32.exe N/A
File created C:\Windows\SysWOW64\Kifjcn32.dll C:\Windows\SysWOW64\Fbdqmghm.exe N/A
File created C:\Windows\SysWOW64\Hgbebiao.exe C:\Windows\SysWOW64\Gogangdc.exe N/A
File created C:\Windows\SysWOW64\Dmafennb.exe C:\Windows\SysWOW64\Dgdmmgpj.exe N/A
File opened for modification C:\Windows\SysWOW64\Dmafennb.exe C:\Windows\SysWOW64\Dgdmmgpj.exe N/A
File created C:\Windows\SysWOW64\Epieghdk.exe C:\Windows\SysWOW64\Efncicpm.exe N/A
File created C:\Windows\SysWOW64\Pqiqnfej.dll C:\Windows\SysWOW64\Iaeiieeb.exe N/A
File created C:\Windows\SysWOW64\Iagfoe32.exe C:\Windows\SysWOW64\Idceea32.exe N/A
File created C:\Windows\SysWOW64\Glqllcbf.dll C:\Windows\SysWOW64\Hgilchkf.exe N/A
File opened for modification C:\Windows\SysWOW64\Idceea32.exe C:\Windows\SysWOW64\Iaeiieeb.exe N/A
File opened for modification C:\Windows\SysWOW64\Epdkli32.exe C:\Windows\SysWOW64\Emcbkn32.exe N/A
File created C:\Windows\SysWOW64\Gacpdbej.exe C:\Windows\SysWOW64\Ghkllmoi.exe N/A
File opened for modification C:\Windows\SysWOW64\Gacpdbej.exe C:\Windows\SysWOW64\Ghkllmoi.exe N/A
File created C:\Windows\SysWOW64\Hgdbhi32.exe C:\Windows\SysWOW64\Hahjpbad.exe N/A
File opened for modification C:\Windows\SysWOW64\Fbdqmghm.exe C:\Windows\SysWOW64\Filldb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hgdbhi32.exe C:\Windows\SysWOW64\Hahjpbad.exe N/A
File opened for modification C:\Windows\SysWOW64\Epieghdk.exe C:\Windows\SysWOW64\Efncicpm.exe N/A
File created C:\Windows\SysWOW64\Jpbpbqda.dll C:\Windows\SysWOW64\Dgdmmgpj.exe N/A
File created C:\Windows\SysWOW64\Efncicpm.exe C:\Windows\SysWOW64\Epdkli32.exe N/A
File created C:\Windows\SysWOW64\Hgmhlp32.dll C:\Windows\SysWOW64\Dgodbh32.exe N/A
File created C:\Windows\SysWOW64\Gieojq32.exe C:\Windows\SysWOW64\Gpknlk32.exe N/A
File created C:\Windows\SysWOW64\Elpbcapg.dll C:\Windows\SysWOW64\Ghkllmoi.exe N/A
File created C:\Windows\SysWOW64\Henidd32.exe C:\Windows\SysWOW64\Hpapln32.exe N/A
File created C:\Windows\SysWOW64\Gjenmobn.dll C:\Windows\SysWOW64\Idceea32.exe N/A
File created C:\Windows\SysWOW64\Iebpge32.dll C:\Windows\SysWOW64\Gobgcg32.exe N/A
File created C:\Windows\SysWOW64\Hejoiedd.exe C:\Windows\SysWOW64\Hckcmjep.exe N/A
File created C:\Windows\SysWOW64\Idceea32.exe C:\Windows\SysWOW64\Iaeiieeb.exe N/A
File created C:\Windows\SysWOW64\Gmibbifn.dll C:\Windows\SysWOW64\Henidd32.exe N/A
File created C:\Windows\SysWOW64\Nbniiffi.dll C:\Windows\SysWOW64\Hiekid32.exe N/A
File opened for modification C:\Windows\SysWOW64\Iaeiieeb.exe C:\Windows\SysWOW64\Henidd32.exe N/A
File created C:\Windows\SysWOW64\Hckcmjep.exe C:\Windows\SysWOW64\Hgdbhi32.exe N/A
File created C:\Windows\SysWOW64\Dgodbh32.exe C:\Users\Admin\AppData\Local\Temp\09b410a6ed3f36af91142aae29719a60_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Dgdmmgpj.exe C:\Windows\SysWOW64\Dgaqgh32.exe N/A
File created C:\Windows\SysWOW64\Mmqgncdn.dll C:\Windows\SysWOW64\Dmafennb.exe N/A
File opened for modification C:\Windows\SysWOW64\Hiqbndpb.exe C:\Windows\SysWOW64\Hgbebiao.exe N/A
File created C:\Windows\SysWOW64\Omabcb32.dll C:\Windows\SysWOW64\Hgbebiao.exe N/A
File created C:\Windows\SysWOW64\Lpdhmlbj.dll C:\Windows\SysWOW64\Efncicpm.exe N/A
File opened for modification C:\Windows\SysWOW64\Eiaiqn32.exe C:\Windows\SysWOW64\Epieghdk.exe N/A
File opened for modification C:\Windows\SysWOW64\Fejgko32.exe C:\Windows\SysWOW64\Fjdbnf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hpapln32.exe C:\Windows\SysWOW64\Hgilchkf.exe N/A
File created C:\Windows\SysWOW64\Polebcgg.dll C:\Windows\SysWOW64\Hpapln32.exe N/A
File created C:\Windows\SysWOW64\Fejgko32.exe C:\Windows\SysWOW64\Fjdbnf32.exe N/A
File created C:\Windows\SysWOW64\Gpknlk32.exe C:\Windows\SysWOW64\Feeiob32.exe N/A
File created C:\Windows\SysWOW64\Qdcbfq32.dll C:\Windows\SysWOW64\Fjdbnf32.exe N/A
File created C:\Windows\SysWOW64\Fbdqmghm.exe C:\Windows\SysWOW64\Filldb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ghkllmoi.exe C:\Windows\SysWOW64\Gobgcg32.exe N/A
File created C:\Windows\SysWOW64\Njmekj32.dll C:\Windows\SysWOW64\Hiqbndpb.exe N/A
File opened for modification C:\Windows\SysWOW64\Henidd32.exe C:\Windows\SysWOW64\Hpapln32.exe N/A
File created C:\Windows\SysWOW64\Cnkajfop.dll C:\Windows\SysWOW64\Hahjpbad.exe N/A
File opened for modification C:\Windows\SysWOW64\Dgaqgh32.exe C:\Windows\SysWOW64\Dgodbh32.exe N/A
File created C:\Windows\SysWOW64\Hllopfgo.dll C:\Windows\SysWOW64\Gkkemh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Iagfoe32.exe C:\Windows\SysWOW64\Idceea32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gogangdc.exe C:\Windows\SysWOW64\Gkkemh32.exe N/A
File created C:\Windows\SysWOW64\Dhflmk32.dll C:\Windows\SysWOW64\Dgaqgh32.exe N/A
File created C:\Windows\SysWOW64\Eiaiqn32.exe C:\Windows\SysWOW64\Epieghdk.exe N/A
File created C:\Windows\SysWOW64\Dchfknpg.dll C:\Windows\SysWOW64\Eiaiqn32.exe N/A
File created C:\Windows\SysWOW64\Gfoihbdp.dll C:\Windows\SysWOW64\Feeiob32.exe N/A
File created C:\Windows\SysWOW64\Chhpdp32.dll C:\Windows\SysWOW64\Gieojq32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Iagfoe32.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Hgbebiao.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Emcbkn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kifjcn32.dll" C:\Windows\SysWOW64\Fbdqmghm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkoabpeg.dll" C:\Windows\SysWOW64\Gpknlk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gobgcg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Dgodbh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Hgdbhi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Filldb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cabknqko.dll" C:\Windows\SysWOW64\Hgdbhi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Hckcmjep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Emcbkn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Iaeiieeb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Eiaiqn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfknpg.dll" C:\Windows\SysWOW64\Eiaiqn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Gieojq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ghkllmoi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Fejgko32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Gpknlk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gkkemh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Hpapln32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glpjaf32.dll" C:\Windows\SysWOW64\Emcbkn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcaipkch.dll" C:\Windows\SysWOW64\Gacpdbej.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Gogangdc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gogangdc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hiqbndpb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Iaeiieeb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgmhlp32.dll" C:\Windows\SysWOW64\Dgodbh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkojpojq.dll" C:\Windows\SysWOW64\Epdkli32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hepmggig.dll" C:\Windows\SysWOW64\Hckcmjep.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Henidd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dgdmmgpj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gpknlk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpbpbqda.dll" C:\Windows\SysWOW64\Dgdmmgpj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Fjdbnf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gknfklng.dll" C:\Windows\SysWOW64\Hejoiedd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dgodbh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdcbfq32.dll" C:\Windows\SysWOW64\Fjdbnf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clphjpmh.dll" C:\Windows\SysWOW64\Filldb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Idceea32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Gobgcg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ghkllmoi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polebcgg.dll" C:\Windows\SysWOW64\Hpapln32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hpapln32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Filldb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\09b410a6ed3f36af91142aae29719a60_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Hahjpbad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hgilchkf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Epieghdk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Hiekid32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Henidd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqiqnfej.dll" C:\Windows\SysWOW64\Iaeiieeb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\09b410a6ed3f36af91142aae29719a60_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmqgncdn.dll" C:\Windows\SysWOW64\Dmafennb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gieojq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hgdbhi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnkajfop.dll" C:\Windows\SysWOW64\Hahjpbad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhggeddb.dll" C:\Windows\SysWOW64\Fejgko32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fbdqmghm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iebpge32.dll" C:\Windows\SysWOW64\Gobgcg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omabcb32.dll" C:\Windows\SysWOW64\Hgbebiao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Epdkli32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gacpdbej.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll" C:\Windows\SysWOW64\Idceea32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Feeiob32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2980 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\09b410a6ed3f36af91142aae29719a60_NeikiAnalytics.exe C:\Windows\SysWOW64\Dgodbh32.exe
PID 1228 wrote to memory of 2284 N/A C:\Windows\SysWOW64\Dgodbh32.exe C:\Windows\SysWOW64\Dgaqgh32.exe
PID 2284 wrote to memory of 2808 N/A C:\Windows\SysWOW64\Dgaqgh32.exe C:\Windows\SysWOW64\Dgdmmgpj.exe
PID 2808 wrote to memory of 2152 N/A C:\Windows\SysWOW64\Dgdmmgpj.exe C:\Windows\SysWOW64\Dmafennb.exe
PID 2152 wrote to memory of 2536 N/A C:\Windows\SysWOW64\Dmafennb.exe C:\Windows\SysWOW64\Emcbkn32.exe
PID 2536 wrote to memory of 2508 N/A C:\Windows\SysWOW64\Emcbkn32.exe C:\Windows\SysWOW64\Epdkli32.exe
PID 2508 wrote to memory of 2132 N/A C:\Windows\SysWOW64\Epdkli32.exe C:\Windows\SysWOW64\Efncicpm.exe
PID 2132 wrote to memory of 2884 N/A C:\Windows\SysWOW64\Efncicpm.exe C:\Windows\SysWOW64\Epieghdk.exe
PID 2884 wrote to memory of 3024 N/A C:\Windows\SysWOW64\Epieghdk.exe C:\Windows\SysWOW64\Eiaiqn32.exe
PID 3024 wrote to memory of 1316 N/A C:\Windows\SysWOW64\Eiaiqn32.exe C:\Windows\SysWOW64\Fjdbnf32.exe
PID 1316 wrote to memory of 1636 N/A C:\Windows\SysWOW64\Fjdbnf32.exe C:\Windows\SysWOW64\Fejgko32.exe
PID 1636 wrote to memory of 328 N/A C:\Windows\SysWOW64\Fejgko32.exe C:\Windows\SysWOW64\Filldb32.exe
PID 328 wrote to memory of 1592 N/A C:\Windows\SysWOW64\Filldb32.exe C:\Windows\SysWOW64\Fbdqmghm.exe
PID 1592 wrote to memory of 2084 N/A C:\Windows\SysWOW64\Fbdqmghm.exe C:\Windows\SysWOW64\Feeiob32.exe
PID 2084 wrote to memory of 2492 N/A C:\Windows\SysWOW64\Feeiob32.exe C:\Windows\SysWOW64\Gpknlk32.exe
PID 2492 wrote to memory of 1028 N/A C:\Windows\SysWOW64\Gpknlk32.exe C:\Windows\SysWOW64\Gieojq32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\09b410a6ed3f36af91142aae29719a60_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\09b410a6ed3f36af91142aae29719a60_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Dgodbh32.exe

C:\Windows\system32\Dgodbh32.exe

C:\Windows\SysWOW64\Dgaqgh32.exe

C:\Windows\system32\Dgaqgh32.exe

C:\Windows\SysWOW64\Dgdmmgpj.exe

C:\Windows\system32\Dgdmmgpj.exe

C:\Windows\SysWOW64\Dmafennb.exe

C:\Windows\system32\Dmafennb.exe

C:\Windows\SysWOW64\Emcbkn32.exe

C:\Windows\system32\Emcbkn32.exe

C:\Windows\SysWOW64\Epdkli32.exe

C:\Windows\system32\Epdkli32.exe

C:\Windows\SysWOW64\Efncicpm.exe

C:\Windows\system32\Efncicpm.exe

C:\Windows\SysWOW64\Epieghdk.exe

C:\Windows\system32\Epieghdk.exe

C:\Windows\SysWOW64\Eiaiqn32.exe

C:\Windows\system32\Eiaiqn32.exe

C:\Windows\SysWOW64\Fjdbnf32.exe

C:\Windows\system32\Fjdbnf32.exe

C:\Windows\SysWOW64\Fejgko32.exe

C:\Windows\system32\Fejgko32.exe

C:\Windows\SysWOW64\Filldb32.exe

C:\Windows\system32\Filldb32.exe

C:\Windows\SysWOW64\Fbdqmghm.exe

C:\Windows\system32\Fbdqmghm.exe

C:\Windows\SysWOW64\Feeiob32.exe

C:\Windows\system32\Feeiob32.exe

C:\Windows\SysWOW64\Gpknlk32.exe

C:\Windows\system32\Gpknlk32.exe

C:\Windows\SysWOW64\Gieojq32.exe

C:\Windows\system32\Gieojq32.exe

C:\Windows\SysWOW64\Gobgcg32.exe

C:\Windows\system32\Gobgcg32.exe

C:\Windows\SysWOW64\Ghkllmoi.exe

C:\Windows\system32\Ghkllmoi.exe

C:\Windows\SysWOW64\Gacpdbej.exe

C:\Windows\system32\Gacpdbej.exe

C:\Windows\SysWOW64\Gkkemh32.exe

C:\Windows\system32\Gkkemh32.exe

C:\Windows\SysWOW64\Gogangdc.exe

C:\Windows\system32\Gogangdc.exe

C:\Windows\SysWOW64\Hgbebiao.exe

C:\Windows\system32\Hgbebiao.exe

C:\Windows\SysWOW64\Hiqbndpb.exe

C:\Windows\system32\Hiqbndpb.exe

C:\Windows\SysWOW64\Hahjpbad.exe

C:\Windows\system32\Hahjpbad.exe

C:\Windows\SysWOW64\Hgdbhi32.exe

C:\Windows\system32\Hgdbhi32.exe

C:\Windows\SysWOW64\Hckcmjep.exe

C:\Windows\system32\Hckcmjep.exe

C:\Windows\SysWOW64\Hejoiedd.exe

C:\Windows\system32\Hejoiedd.exe

C:\Windows\SysWOW64\Hiekid32.exe

C:\Windows\system32\Hiekid32.exe

C:\Windows\SysWOW64\Hgilchkf.exe

C:\Windows\system32\Hgilchkf.exe

C:\Windows\SysWOW64\Hpapln32.exe

C:\Windows\system32\Hpapln32.exe

C:\Windows\SysWOW64\Henidd32.exe

C:\Windows\system32\Henidd32.exe

C:\Windows\SysWOW64\Iaeiieeb.exe

C:\Windows\system32\Iaeiieeb.exe

C:\Windows\SysWOW64\Idceea32.exe

C:\Windows\system32\Idceea32.exe

C:\Windows\SysWOW64\Iagfoe32.exe

C:\Windows\system32\Iagfoe32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 140

Network

N/A

Files

\Windows\SysWOW64\Dgodbh32.exe

\Windows\SysWOW64\Dgaqgh32.exe

\Windows\SysWOW64\Dgdmmgpj.exe

C:\Windows\SysWOW64\Dmafennb.exe

C:\Windows\SysWOW64\Mmqgncdn.dll

\Windows\SysWOW64\Emcbkn32.exe

\Windows\SysWOW64\Epdkli32.exe

C:\Windows\SysWOW64\Efncicpm.exe

\Windows\SysWOW64\Epieghdk.exe

\Windows\SysWOW64\Eiaiqn32.exe

\Windows\SysWOW64\Fjdbnf32.exe

\Windows\SysWOW64\Fejgko32.exe

\Windows\SysWOW64\Filldb32.exe

C:\Windows\SysWOW64\Fbdqmghm.exe

\Windows\SysWOW64\Feeiob32.exe

\Windows\SysWOW64\Gpknlk32.exe

\Windows\SysWOW64\Gieojq32.exe

C:\Windows\SysWOW64\Gobgcg32.exe

C:\Windows\SysWOW64\Ghkllmoi.exe

C:\Windows\SysWOW64\Gacpdbej.exe

C:\Windows\SysWOW64\Gkkemh32.exe

C:\Windows\SysWOW64\Gogangdc.exe

C:\Windows\SysWOW64\Hgbebiao.exe

C:\Windows\SysWOW64\Hiqbndpb.exe

C:\Windows\SysWOW64\Hahjpbad.exe

C:\Windows\SysWOW64\Hgdbhi32.exe

C:\Windows\SysWOW64\Hckcmjep.exe

C:\Windows\SysWOW64\Hejoiedd.exe

C:\Windows\SysWOW64\Hiekid32.exe

C:\Windows\SysWOW64\Hgilchkf.exe

C:\Windows\SysWOW64\Hpapln32.exe

C:\Windows\SysWOW64\Henidd32.exe

C:\Windows\SysWOW64\Iaeiieeb.exe

C:\Windows\SysWOW64\Idceea32.exe

C:\Windows\SysWOW64\Iagfoe32.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 23:19

Reported

2024-06-01 23:22

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\09b410a6ed3f36af91142aae29719a60_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cdiooblp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Icifbang.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ibnccmbo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bnhjohkb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cliaoq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Mmpijp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ndokbi32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Abkjdnoa.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dhkapp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ipdqba32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Nljofl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bnhjohkb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bgehcmmm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ednaqo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fhcpgmjf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ocnjidkf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dfknkg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dbllbibl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gdcdbl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hfcicmqp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Icgjmapi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oqhacgdh.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Chpada32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dhidjpqc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hmhhehlb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ndaggimg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nnlhfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ceckcp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bkidenlg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cbcilkjg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gfembo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cjinkg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dhkjej32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Chbnia32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dekhneap.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dadeieea.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dafbne32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jpnchp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lpqiemge.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mlampmdo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ncfdie32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bjokdipf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bhaebcen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Daolnf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Fckajehi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ildkgc32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ipbdmaah.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ojaelm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pdfjifjo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Pdfjifjo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dhkjej32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dlgmpogj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ojllan32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hbgmcnhf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ngbpidjh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bobcpmfc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cojjqlpk.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cdkldb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dkgqfl32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Echknh32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iiaephpc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bagflcje.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Iemppiab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ibqpimpl.exe N/A

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Qecppkdm.exe N/A
N/A N/A C:\Windows\SysWOW64\Qkmhlekj.exe N/A
N/A N/A C:\Windows\SysWOW64\Qchmagie.exe N/A
N/A N/A C:\Windows\SysWOW64\Agffge32.exe N/A
N/A N/A C:\Windows\SysWOW64\Abkjdnoa.exe N/A
N/A N/A C:\Windows\SysWOW64\Acocaf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Andgoobc.exe N/A
N/A N/A C:\Windows\SysWOW64\Aeopki32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aaepqjpd.exe N/A
N/A N/A C:\Windows\SysWOW64\Abemjmgg.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhaebcen.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjpaooda.exe N/A
N/A N/A C:\Windows\SysWOW64\Bbgipldd.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdhfhe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnnjen32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdkcmdhp.exe N/A
N/A N/A C:\Windows\SysWOW64\Blbknaib.exe N/A
N/A N/A C:\Windows\SysWOW64\Bblckl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdmpcdfm.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhikcb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bobcpmfc.exe N/A
N/A N/A C:\Windows\SysWOW64\Bbnpqk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bemlmgnp.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdolhc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Blfdia32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkidenlg.exe N/A
N/A N/A C:\Windows\SysWOW64\Cbqlfkmi.exe N/A
N/A N/A C:\Windows\SysWOW64\Ceoibflm.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdainc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cliaoq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cklaknjd.exe N/A
N/A N/A C:\Windows\SysWOW64\Cbcilkjg.exe N/A
N/A N/A C:\Windows\SysWOW64\Cddecc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Chpada32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cknnpm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cojjqlpk.exe N/A
N/A N/A C:\Windows\SysWOW64\Cahfmgoo.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdfbibnb.exe N/A
N/A N/A C:\Windows\SysWOW64\Chbnia32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckpjfm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cefoce32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdiooblp.exe N/A
N/A N/A C:\Windows\SysWOW64\Clpgpp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Conclk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cbjoljdo.exe N/A
N/A N/A C:\Windows\SysWOW64\Cehkhecb.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdkldb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Chghdqbf.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckedalaj.exe N/A
N/A N/A C:\Windows\SysWOW64\Doqpak32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dbllbibl.exe N/A
N/A N/A C:\Windows\SysWOW64\Daolnf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dekhneap.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhidjpqc.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkgqfl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Docmgjhp.exe N/A
N/A N/A C:\Windows\SysWOW64\Dboigi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Daaicfgd.exe N/A
N/A N/A C:\Windows\SysWOW64\Demecd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhkapp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dlgmpogj.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkjmlk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Doeiljfn.exe N/A
N/A N/A C:\Windows\SysWOW64\Dadeieea.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Lfkaag32.exe C:\Windows\SysWOW64\Lpqiemge.exe N/A
File created C:\Windows\SysWOW64\Ndaggimg.exe C:\Windows\SysWOW64\Nljofl32.exe N/A
File created C:\Windows\SysWOW64\Bobiobnp.dll C:\Windows\SysWOW64\Dhmgki32.exe N/A
File created C:\Windows\SysWOW64\Mlampmdo.exe C:\Windows\SysWOW64\Mibpda32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ndfqbhia.exe C:\Windows\SysWOW64\Nnlhfn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cklaknjd.exe C:\Windows\SysWOW64\Cliaoq32.exe N/A
File created C:\Windows\SysWOW64\Gokdeeec.exe C:\Windows\SysWOW64\Ghaliknf.exe N/A
File created C:\Windows\SysWOW64\Mibpda32.exe C:\Windows\SysWOW64\Mgddhf32.exe N/A
File created C:\Windows\SysWOW64\Dohfbj32.exe C:\Windows\SysWOW64\Dlijfneg.exe N/A
File created C:\Windows\SysWOW64\Bkblkg32.dll C:\Windows\SysWOW64\Ibqpimpl.exe N/A
File opened for modification C:\Windows\SysWOW64\Cbjoljdo.exe C:\Windows\SysWOW64\Conclk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ehnglm32.exe C:\Windows\SysWOW64\Edbklofb.exe N/A
File opened for modification C:\Windows\SysWOW64\Aminee32.exe C:\Windows\SysWOW64\Afoeiklb.exe N/A
File created C:\Windows\SysWOW64\Nniadn32.dll C:\Windows\SysWOW64\Mdckfk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nnlhfn32.exe C:\Windows\SysWOW64\Ngbpidjh.exe N/A
File opened for modification C:\Windows\SysWOW64\Cdiooblp.exe C:\Windows\SysWOW64\Cefoce32.exe N/A
File created C:\Windows\SysWOW64\Fojlngce.exe C:\Windows\SysWOW64\Fllpbldb.exe N/A
File created C:\Windows\SysWOW64\Hmhhehlb.exe C:\Windows\SysWOW64\Heapdjlp.exe N/A
File opened for modification C:\Windows\SysWOW64\Fkalchij.exe C:\Windows\SysWOW64\Fhcpgmjf.exe N/A
File created C:\Windows\SysWOW64\Cleqadmh.dll C:\Windows\SysWOW64\Andgoobc.exe N/A
File created C:\Windows\SysWOW64\Bnnjen32.exe C:\Windows\SysWOW64\Bdhfhe32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fojlngce.exe C:\Windows\SysWOW64\Fllpbldb.exe N/A
File created C:\Windows\SysWOW64\Fllifblf.dll C:\Windows\SysWOW64\Jbeidl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jianff32.exe C:\Windows\SysWOW64\Jfcbjk32.exe N/A
File created C:\Windows\SysWOW64\Acbmpm32.dll C:\Windows\SysWOW64\Ednaqo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ffimfqgm.exe C:\Windows\SysWOW64\Fckajehi.exe N/A
File created C:\Windows\SysWOW64\Pacghh32.dll C:\Windows\SysWOW64\Imdgqfbd.exe N/A
File opened for modification C:\Windows\SysWOW64\Pfolbmje.exe C:\Windows\SysWOW64\Pqbdjfln.exe N/A
File created C:\Windows\SysWOW64\Keoakjca.dll C:\Windows\SysWOW64\Chpada32.exe N/A
File created C:\Windows\SysWOW64\Eemnjbaj.exe C:\Windows\SysWOW64\Ecoangbg.exe N/A
File opened for modification C:\Windows\SysWOW64\Lllcen32.exe C:\Windows\SysWOW64\Lingibiq.exe N/A
File created C:\Windows\SysWOW64\Lpqiemge.exe C:\Windows\SysWOW64\Lmbmibhb.exe N/A
File created C:\Windows\SysWOW64\Ldanqkki.exe C:\Windows\SysWOW64\Lmgfda32.exe N/A
File created C:\Windows\SysWOW64\Bdkfmkdc.dll C:\Windows\SysWOW64\Kdgljmcd.exe N/A
File created C:\Windows\SysWOW64\Kqoieqhe.dll C:\Windows\SysWOW64\Elbmlmml.exe N/A
File created C:\Windows\SysWOW64\Mjddiqoc.dll C:\Windows\SysWOW64\Jfcbjk32.exe N/A
File created C:\Windows\SysWOW64\Gnbinq32.dll C:\Windows\SysWOW64\Kbhoqj32.exe N/A
File created C:\Windows\SysWOW64\Kdihjfbe.dll C:\Windows\SysWOW64\Fcckif32.exe N/A
File created C:\Windows\SysWOW64\Fdnjgmle.exe C:\Windows\SysWOW64\Fbpnkama.exe N/A
File created C:\Windows\SysWOW64\Clncadfb.dll C:\Windows\SysWOW64\Ogpmjb32.exe N/A
File created C:\Windows\SysWOW64\Lommhphi.dll C:\Windows\SysWOW64\Bfabnjjp.exe N/A
File opened for modification C:\Windows\SysWOW64\Bjfaeh32.exe C:\Windows\SysWOW64\Bhhdil32.exe N/A
File opened for modification C:\Windows\SysWOW64\Abemjmgg.exe C:\Windows\SysWOW64\Aaepqjpd.exe N/A
File opened for modification C:\Windows\SysWOW64\Dccbbhld.exe C:\Windows\SysWOW64\Dohfbj32.exe N/A
File created C:\Windows\SysWOW64\Eaklidoi.exe C:\Windows\SysWOW64\Echknh32.exe N/A
File created C:\Windows\SysWOW64\Amhpcomb.dll C:\Windows\SysWOW64\Liimncmf.exe N/A
File created C:\Windows\SysWOW64\Bdhfhe32.exe C:\Windows\SysWOW64\Bbgipldd.exe N/A
File created C:\Windows\SysWOW64\Conclk32.exe C:\Windows\SysWOW64\Clpgpp32.exe N/A
File created C:\Windows\SysWOW64\Ljodkeij.dll C:\Windows\SysWOW64\Lpqiemge.exe N/A
File created C:\Windows\SysWOW64\Bfabnjjp.exe C:\Windows\SysWOW64\Aadifclh.exe N/A
File created C:\Windows\SysWOW64\Ijhkffjm.dll C:\Windows\SysWOW64\Conclk32.exe N/A
File created C:\Windows\SysWOW64\Ojaelm32.exe C:\Windows\SysWOW64\Ogbipa32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pgnilpah.exe C:\Windows\SysWOW64\Pfolbmje.exe N/A
File opened for modification C:\Windows\SysWOW64\Abkjdnoa.exe C:\Windows\SysWOW64\Agffge32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fhemmlhc.exe C:\Windows\SysWOW64\Fkalchij.exe N/A
File created C:\Windows\SysWOW64\Mgkjhe32.exe C:\Windows\SysWOW64\Mdmnlj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nfjjppmm.exe C:\Windows\SysWOW64\Nckndeni.exe N/A
File opened for modification C:\Windows\SysWOW64\Chbnia32.exe C:\Windows\SysWOW64\Cdfbibnb.exe N/A
File opened for modification C:\Windows\SysWOW64\Fhqcam32.exe C:\Windows\SysWOW64\Febgea32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lfhdlh32.exe C:\Windows\SysWOW64\Lmppcbjd.exe N/A
File opened for modification C:\Windows\SysWOW64\Mgkjhe32.exe C:\Windows\SysWOW64\Mdmnlj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Olfobjbg.exe C:\Windows\SysWOW64\Ocnjidkf.exe N/A
File opened for modification C:\Windows\SysWOW64\Aclpap32.exe C:\Windows\SysWOW64\Afhohlbj.exe N/A
File created C:\Windows\SysWOW64\Hfcicmqp.exe C:\Windows\SysWOW64\Hbgmcnhf.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dmllipeg.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Cklaknjd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Dkoggkjo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ibnccmbo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Daaicfgd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ehimanbq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jfhlejnh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Bdolhc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Imfdff32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gebgohck.dll" C:\Windows\SysWOW64\Lbjlfi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlgnafam.dll" C:\Windows\SysWOW64\Dhidjpqc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ildkgc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Kepelfam.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Mpoefk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Oneklm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Conclk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Cdkldb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Dboigi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bhhdil32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Bhhdil32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jinpgcmg.dll" C:\Windows\SysWOW64\Daolnf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Kefkme32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Mmbfpp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Miifeq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igjnojdk.dll" C:\Windows\SysWOW64\Pgefeajb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbnapki.dll" C:\Windows\SysWOW64\Pfhfan32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Cknnpm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjehk32.dll" C:\Windows\SysWOW64\Edpnfo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Cmiflbel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmfmfg32.dll" C:\Windows\SysWOW64\Eemnjbaj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ikbnacmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neimdg32.dll" C:\Windows\SysWOW64\Mgddhf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll" C:\Windows\SysWOW64\Acqimo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bcoenmao.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Cbjoljdo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Melnob32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Deanodkh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll" C:\Windows\SysWOW64\Bjokdipf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjdlbifk.dll" C:\Windows\SysWOW64\Jcgbco32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mdhdajea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgmkm32.dll" C:\Windows\SysWOW64\Nfjjppmm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cklaknjd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Dlgmpogj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgfkkboc.dll" C:\Windows\SysWOW64\Edbklofb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ocnjidkf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Febgea32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nghjpm32.dll" C:\Windows\SysWOW64\Gcojed32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kbaipkbi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Bnhjohkb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll" C:\Windows\SysWOW64\Bhhdil32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfcibe32.dll" C:\Windows\SysWOW64\Blfdia32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Cehkhecb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ecoangbg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghkebndc.dll" C:\Windows\SysWOW64\Gicinj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ibqpimpl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Iemppiab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjddiqoc.dll" C:\Windows\SysWOW64\Jfcbjk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najmlf32.dll" C:\Windows\SysWOW64\Odkjng32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\09b410a6ed3f36af91142aae29719a60_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Abemjmgg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Jcgbco32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpcoaap.dll" C:\Windows\SysWOW64\Ojoign32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll" C:\Windows\SysWOW64\Dfknkg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bhaebcen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkomqm32.dll" C:\Windows\SysWOW64\Gohhpe32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 552 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\09b410a6ed3f36af91142aae29719a60_NeikiAnalytics.exe C:\Windows\SysWOW64\Qecppkdm.exe
PID 552 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\09b410a6ed3f36af91142aae29719a60_NeikiAnalytics.exe C:\Windows\SysWOW64\Qecppkdm.exe
PID 552 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\09b410a6ed3f36af91142aae29719a60_NeikiAnalytics.exe C:\Windows\SysWOW64\Qecppkdm.exe
PID 4668 wrote to memory of 1136 N/A C:\Windows\SysWOW64\Qecppkdm.exe C:\Windows\SysWOW64\Qkmhlekj.exe
PID 4668 wrote to memory of 1136 N/A C:\Windows\SysWOW64\Qecppkdm.exe C:\Windows\SysWOW64\Qkmhlekj.exe
PID 4668 wrote to memory of 1136 N/A C:\Windows\SysWOW64\Qecppkdm.exe C:\Windows\SysWOW64\Qkmhlekj.exe
PID 1136 wrote to memory of 3188 N/A C:\Windows\SysWOW64\Qkmhlekj.exe C:\Windows\SysWOW64\Qchmagie.exe
PID 1136 wrote to memory of 3188 N/A C:\Windows\SysWOW64\Qkmhlekj.exe C:\Windows\SysWOW64\Qchmagie.exe
PID 1136 wrote to memory of 3188 N/A C:\Windows\SysWOW64\Qkmhlekj.exe C:\Windows\SysWOW64\Qchmagie.exe
PID 3188 wrote to memory of 456 N/A C:\Windows\SysWOW64\Qchmagie.exe C:\Windows\SysWOW64\Agffge32.exe
PID 3188 wrote to memory of 456 N/A C:\Windows\SysWOW64\Qchmagie.exe C:\Windows\SysWOW64\Agffge32.exe
PID 3188 wrote to memory of 456 N/A C:\Windows\SysWOW64\Qchmagie.exe C:\Windows\SysWOW64\Agffge32.exe
PID 456 wrote to memory of 2920 N/A C:\Windows\SysWOW64\Agffge32.exe C:\Windows\SysWOW64\Abkjdnoa.exe
PID 456 wrote to memory of 2920 N/A C:\Windows\SysWOW64\Agffge32.exe C:\Windows\SysWOW64\Abkjdnoa.exe
PID 456 wrote to memory of 2920 N/A C:\Windows\SysWOW64\Agffge32.exe C:\Windows\SysWOW64\Abkjdnoa.exe
PID 2920 wrote to memory of 3172 N/A C:\Windows\SysWOW64\Abkjdnoa.exe C:\Windows\SysWOW64\Acocaf32.exe
PID 2920 wrote to memory of 3172 N/A C:\Windows\SysWOW64\Abkjdnoa.exe C:\Windows\SysWOW64\Acocaf32.exe
PID 2920 wrote to memory of 3172 N/A C:\Windows\SysWOW64\Abkjdnoa.exe C:\Windows\SysWOW64\Acocaf32.exe
PID 3172 wrote to memory of 4840 N/A C:\Windows\SysWOW64\Acocaf32.exe C:\Windows\SysWOW64\Andgoobc.exe
PID 3172 wrote to memory of 4840 N/A C:\Windows\SysWOW64\Acocaf32.exe C:\Windows\SysWOW64\Andgoobc.exe
PID 3172 wrote to memory of 4840 N/A C:\Windows\SysWOW64\Acocaf32.exe C:\Windows\SysWOW64\Andgoobc.exe
PID 4840 wrote to memory of 4844 N/A C:\Windows\SysWOW64\Andgoobc.exe C:\Windows\SysWOW64\Aeopki32.exe
PID 4840 wrote to memory of 4844 N/A C:\Windows\SysWOW64\Andgoobc.exe C:\Windows\SysWOW64\Aeopki32.exe
PID 4840 wrote to memory of 4844 N/A C:\Windows\SysWOW64\Andgoobc.exe C:\Windows\SysWOW64\Aeopki32.exe
PID 4844 wrote to memory of 4108 N/A C:\Windows\SysWOW64\Aeopki32.exe C:\Windows\SysWOW64\Aaepqjpd.exe
PID 4844 wrote to memory of 4108 N/A C:\Windows\SysWOW64\Aeopki32.exe C:\Windows\SysWOW64\Aaepqjpd.exe
PID 4844 wrote to memory of 4108 N/A C:\Windows\SysWOW64\Aeopki32.exe C:\Windows\SysWOW64\Aaepqjpd.exe
PID 4108 wrote to memory of 1840 N/A C:\Windows\SysWOW64\Aaepqjpd.exe C:\Windows\SysWOW64\Abemjmgg.exe
PID 4108 wrote to memory of 1840 N/A C:\Windows\SysWOW64\Aaepqjpd.exe C:\Windows\SysWOW64\Abemjmgg.exe
PID 4108 wrote to memory of 1840 N/A C:\Windows\SysWOW64\Aaepqjpd.exe C:\Windows\SysWOW64\Abemjmgg.exe
PID 1840 wrote to memory of 4416 N/A C:\Windows\SysWOW64\Abemjmgg.exe C:\Windows\SysWOW64\Bhaebcen.exe
PID 1840 wrote to memory of 4416 N/A C:\Windows\SysWOW64\Abemjmgg.exe C:\Windows\SysWOW64\Bhaebcen.exe
PID 1840 wrote to memory of 4416 N/A C:\Windows\SysWOW64\Abemjmgg.exe C:\Windows\SysWOW64\Bhaebcen.exe
PID 4416 wrote to memory of 2964 N/A C:\Windows\SysWOW64\Bhaebcen.exe C:\Windows\SysWOW64\Bjpaooda.exe
PID 4416 wrote to memory of 2964 N/A C:\Windows\SysWOW64\Bhaebcen.exe C:\Windows\SysWOW64\Bjpaooda.exe
PID 4416 wrote to memory of 2964 N/A C:\Windows\SysWOW64\Bhaebcen.exe C:\Windows\SysWOW64\Bjpaooda.exe
PID 2964 wrote to memory of 2360 N/A C:\Windows\SysWOW64\Bjpaooda.exe C:\Windows\SysWOW64\Bbgipldd.exe
PID 2964 wrote to memory of 2360 N/A C:\Windows\SysWOW64\Bjpaooda.exe C:\Windows\SysWOW64\Bbgipldd.exe
PID 2964 wrote to memory of 2360 N/A C:\Windows\SysWOW64\Bjpaooda.exe C:\Windows\SysWOW64\Bbgipldd.exe
PID 2360 wrote to memory of 3204 N/A C:\Windows\SysWOW64\Bbgipldd.exe C:\Windows\SysWOW64\Bdhfhe32.exe
PID 2360 wrote to memory of 3204 N/A C:\Windows\SysWOW64\Bbgipldd.exe C:\Windows\SysWOW64\Bdhfhe32.exe
PID 2360 wrote to memory of 3204 N/A C:\Windows\SysWOW64\Bbgipldd.exe C:\Windows\SysWOW64\Bdhfhe32.exe
PID 3204 wrote to memory of 3468 N/A C:\Windows\SysWOW64\Bdhfhe32.exe C:\Windows\SysWOW64\Bnnjen32.exe
PID 3204 wrote to memory of 3468 N/A C:\Windows\SysWOW64\Bdhfhe32.exe C:\Windows\SysWOW64\Bnnjen32.exe
PID 3204 wrote to memory of 3468 N/A C:\Windows\SysWOW64\Bdhfhe32.exe C:\Windows\SysWOW64\Bnnjen32.exe
PID 3468 wrote to memory of 3532 N/A C:\Windows\SysWOW64\Bnnjen32.exe C:\Windows\SysWOW64\Bdkcmdhp.exe
PID 3468 wrote to memory of 3532 N/A C:\Windows\SysWOW64\Bnnjen32.exe C:\Windows\SysWOW64\Bdkcmdhp.exe
PID 3468 wrote to memory of 3532 N/A C:\Windows\SysWOW64\Bnnjen32.exe C:\Windows\SysWOW64\Bdkcmdhp.exe
PID 3532 wrote to memory of 788 N/A C:\Windows\SysWOW64\Bdkcmdhp.exe C:\Windows\SysWOW64\Blbknaib.exe
PID 3532 wrote to memory of 788 N/A C:\Windows\SysWOW64\Bdkcmdhp.exe C:\Windows\SysWOW64\Blbknaib.exe
PID 3532 wrote to memory of 788 N/A C:\Windows\SysWOW64\Bdkcmdhp.exe C:\Windows\SysWOW64\Blbknaib.exe
PID 788 wrote to memory of 4040 N/A C:\Windows\SysWOW64\Blbknaib.exe C:\Windows\SysWOW64\Bblckl32.exe
PID 788 wrote to memory of 4040 N/A C:\Windows\SysWOW64\Blbknaib.exe C:\Windows\SysWOW64\Bblckl32.exe
PID 788 wrote to memory of 4040 N/A C:\Windows\SysWOW64\Blbknaib.exe C:\Windows\SysWOW64\Bblckl32.exe
PID 4040 wrote to memory of 4032 N/A C:\Windows\SysWOW64\Bblckl32.exe C:\Windows\SysWOW64\Bdmpcdfm.exe
PID 4040 wrote to memory of 4032 N/A C:\Windows\SysWOW64\Bblckl32.exe C:\Windows\SysWOW64\Bdmpcdfm.exe
PID 4040 wrote to memory of 4032 N/A C:\Windows\SysWOW64\Bblckl32.exe C:\Windows\SysWOW64\Bdmpcdfm.exe
PID 4032 wrote to memory of 1744 N/A C:\Windows\SysWOW64\Bdmpcdfm.exe C:\Windows\SysWOW64\Bhikcb32.exe
PID 4032 wrote to memory of 1744 N/A C:\Windows\SysWOW64\Bdmpcdfm.exe C:\Windows\SysWOW64\Bhikcb32.exe
PID 4032 wrote to memory of 1744 N/A C:\Windows\SysWOW64\Bdmpcdfm.exe C:\Windows\SysWOW64\Bhikcb32.exe
PID 1744 wrote to memory of 1988 N/A C:\Windows\SysWOW64\Bhikcb32.exe C:\Windows\SysWOW64\Bobcpmfc.exe
PID 1744 wrote to memory of 1988 N/A C:\Windows\SysWOW64\Bhikcb32.exe C:\Windows\SysWOW64\Bobcpmfc.exe
PID 1744 wrote to memory of 1988 N/A C:\Windows\SysWOW64\Bhikcb32.exe C:\Windows\SysWOW64\Bobcpmfc.exe
PID 1988 wrote to memory of 4248 N/A C:\Windows\SysWOW64\Bobcpmfc.exe C:\Windows\SysWOW64\Bbnpqk32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\09b410a6ed3f36af91142aae29719a60_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\09b410a6ed3f36af91142aae29719a60_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Qecppkdm.exe

C:\Windows\system32\Qecppkdm.exe

C:\Windows\SysWOW64\Qkmhlekj.exe

C:\Windows\system32\Qkmhlekj.exe

C:\Windows\SysWOW64\Qchmagie.exe

C:\Windows\system32\Qchmagie.exe

C:\Windows\SysWOW64\Agffge32.exe

C:\Windows\system32\Agffge32.exe

C:\Windows\SysWOW64\Abkjdnoa.exe

C:\Windows\system32\Abkjdnoa.exe

C:\Windows\SysWOW64\Acocaf32.exe

C:\Windows\system32\Acocaf32.exe

C:\Windows\SysWOW64\Andgoobc.exe

C:\Windows\system32\Andgoobc.exe

C:\Windows\SysWOW64\Aeopki32.exe

C:\Windows\system32\Aeopki32.exe

C:\Windows\SysWOW64\Aaepqjpd.exe

C:\Windows\system32\Aaepqjpd.exe

C:\Windows\SysWOW64\Abemjmgg.exe

C:\Windows\system32\Abemjmgg.exe

C:\Windows\SysWOW64\Bhaebcen.exe

C:\Windows\system32\Bhaebcen.exe

C:\Windows\SysWOW64\Bjpaooda.exe

C:\Windows\system32\Bjpaooda.exe

C:\Windows\SysWOW64\Bbgipldd.exe

C:\Windows\system32\Bbgipldd.exe

C:\Windows\SysWOW64\Bdhfhe32.exe

C:\Windows\system32\Bdhfhe32.exe

C:\Windows\SysWOW64\Bnnjen32.exe

C:\Windows\system32\Bnnjen32.exe

C:\Windows\SysWOW64\Bdkcmdhp.exe

C:\Windows\system32\Bdkcmdhp.exe

C:\Windows\SysWOW64\Blbknaib.exe

C:\Windows\system32\Blbknaib.exe

C:\Windows\SysWOW64\Bblckl32.exe

C:\Windows\system32\Bblckl32.exe

C:\Windows\SysWOW64\Bdmpcdfm.exe

C:\Windows\system32\Bdmpcdfm.exe

C:\Windows\SysWOW64\Bhikcb32.exe

C:\Windows\system32\Bhikcb32.exe

C:\Windows\SysWOW64\Bobcpmfc.exe

C:\Windows\system32\Bobcpmfc.exe

C:\Windows\SysWOW64\Bbnpqk32.exe

C:\Windows\system32\Bbnpqk32.exe

C:\Windows\SysWOW64\Bemlmgnp.exe

C:\Windows\system32\Bemlmgnp.exe

C:\Windows\SysWOW64\Bdolhc32.exe

C:\Windows\system32\Bdolhc32.exe

C:\Windows\SysWOW64\Blfdia32.exe

C:\Windows\system32\Blfdia32.exe

C:\Windows\SysWOW64\Bkidenlg.exe

C:\Windows\system32\Bkidenlg.exe

C:\Windows\SysWOW64\Cbqlfkmi.exe

C:\Windows\system32\Cbqlfkmi.exe

C:\Windows\SysWOW64\Ceoibflm.exe

C:\Windows\system32\Ceoibflm.exe

C:\Windows\SysWOW64\Cdainc32.exe

C:\Windows\system32\Cdainc32.exe

C:\Windows\SysWOW64\Cliaoq32.exe

C:\Windows\system32\Cliaoq32.exe

C:\Windows\SysWOW64\Cklaknjd.exe

C:\Windows\system32\Cklaknjd.exe

C:\Windows\SysWOW64\Cbcilkjg.exe

C:\Windows\system32\Cbcilkjg.exe

C:\Windows\SysWOW64\Cddecc32.exe

C:\Windows\system32\Cddecc32.exe

C:\Windows\SysWOW64\Chpada32.exe

C:\Windows\system32\Chpada32.exe

C:\Windows\SysWOW64\Cknnpm32.exe

C:\Windows\system32\Cknnpm32.exe

C:\Windows\SysWOW64\Cojjqlpk.exe

C:\Windows\system32\Cojjqlpk.exe

C:\Windows\SysWOW64\Cahfmgoo.exe

C:\Windows\system32\Cahfmgoo.exe

C:\Windows\SysWOW64\Cdfbibnb.exe

C:\Windows\system32\Cdfbibnb.exe

C:\Windows\SysWOW64\Chbnia32.exe

C:\Windows\system32\Chbnia32.exe

C:\Windows\SysWOW64\Ckpjfm32.exe

C:\Windows\system32\Ckpjfm32.exe

C:\Windows\SysWOW64\Cefoce32.exe

C:\Windows\system32\Cefoce32.exe

C:\Windows\SysWOW64\Cdiooblp.exe

C:\Windows\system32\Cdiooblp.exe

C:\Windows\SysWOW64\Clpgpp32.exe

C:\Windows\system32\Clpgpp32.exe

C:\Windows\SysWOW64\Conclk32.exe

C:\Windows\system32\Conclk32.exe

C:\Windows\SysWOW64\Cbjoljdo.exe

C:\Windows\system32\Cbjoljdo.exe

C:\Windows\SysWOW64\Cehkhecb.exe

C:\Windows\system32\Cehkhecb.exe

C:\Windows\SysWOW64\Cdkldb32.exe

C:\Windows\system32\Cdkldb32.exe

C:\Windows\SysWOW64\Chghdqbf.exe

C:\Windows\system32\Chghdqbf.exe

C:\Windows\SysWOW64\Ckedalaj.exe

C:\Windows\system32\Ckedalaj.exe

C:\Windows\SysWOW64\Doqpak32.exe

C:\Windows\system32\Doqpak32.exe

C:\Windows\SysWOW64\Dbllbibl.exe

C:\Windows\system32\Dbllbibl.exe

C:\Windows\SysWOW64\Daolnf32.exe

C:\Windows\system32\Daolnf32.exe

C:\Windows\SysWOW64\Dekhneap.exe

C:\Windows\system32\Dekhneap.exe

C:\Windows\SysWOW64\Dhidjpqc.exe

C:\Windows\system32\Dhidjpqc.exe

C:\Windows\SysWOW64\Dkgqfl32.exe

C:\Windows\system32\Dkgqfl32.exe

C:\Windows\SysWOW64\Docmgjhp.exe

C:\Windows\system32\Docmgjhp.exe

C:\Windows\SysWOW64\Dboigi32.exe

C:\Windows\system32\Dboigi32.exe

C:\Windows\SysWOW64\Daaicfgd.exe

C:\Windows\system32\Daaicfgd.exe

C:\Windows\SysWOW64\Demecd32.exe

C:\Windows\system32\Demecd32.exe

C:\Windows\SysWOW64\Dhkapp32.exe

C:\Windows\system32\Dhkapp32.exe

C:\Windows\SysWOW64\Dlgmpogj.exe

C:\Windows\system32\Dlgmpogj.exe

C:\Windows\SysWOW64\Dkjmlk32.exe

C:\Windows\system32\Dkjmlk32.exe

C:\Windows\SysWOW64\Doeiljfn.exe

C:\Windows\system32\Doeiljfn.exe

C:\Windows\SysWOW64\Dadeieea.exe

C:\Windows\system32\Dadeieea.exe

C:\Windows\SysWOW64\Deoaid32.exe

C:\Windows\system32\Deoaid32.exe

C:\Windows\SysWOW64\Dhnnep32.exe

C:\Windows\system32\Dhnnep32.exe

C:\Windows\SysWOW64\Dlijfneg.exe

C:\Windows\system32\Dlijfneg.exe

C:\Windows\SysWOW64\Dohfbj32.exe

C:\Windows\system32\Dohfbj32.exe

C:\Windows\SysWOW64\Dccbbhld.exe

C:\Windows\system32\Dccbbhld.exe

C:\Windows\SysWOW64\Dafbne32.exe

C:\Windows\system32\Dafbne32.exe

C:\Windows\SysWOW64\Deanodkh.exe

C:\Windows\system32\Deanodkh.exe

C:\Windows\SysWOW64\Dhpjkojk.exe

C:\Windows\system32\Dhpjkojk.exe

C:\Windows\SysWOW64\Dkoggkjo.exe

C:\Windows\system32\Dkoggkjo.exe

C:\Windows\SysWOW64\Dedkdcie.exe

C:\Windows\system32\Dedkdcie.exe

C:\Windows\SysWOW64\Dlncan32.exe

C:\Windows\system32\Dlncan32.exe

C:\Windows\SysWOW64\Ekacmjgl.exe

C:\Windows\system32\Ekacmjgl.exe

C:\Windows\SysWOW64\Echknh32.exe

C:\Windows\system32\Echknh32.exe

C:\Windows\SysWOW64\Eaklidoi.exe

C:\Windows\system32\Eaklidoi.exe

C:\Windows\SysWOW64\Ehedfo32.exe

C:\Windows\system32\Ehedfo32.exe

C:\Windows\SysWOW64\Elppfmoo.exe

C:\Windows\system32\Elppfmoo.exe

C:\Windows\SysWOW64\Ecjhcg32.exe

C:\Windows\system32\Ecjhcg32.exe

C:\Windows\SysWOW64\Eeidoc32.exe

C:\Windows\system32\Eeidoc32.exe

C:\Windows\SysWOW64\Edkdkplj.exe

C:\Windows\system32\Edkdkplj.exe

C:\Windows\SysWOW64\Elbmlmml.exe

C:\Windows\system32\Elbmlmml.exe

C:\Windows\SysWOW64\Eoaihhlp.exe

C:\Windows\system32\Eoaihhlp.exe

C:\Windows\SysWOW64\Ecmeig32.exe

C:\Windows\system32\Ecmeig32.exe

C:\Windows\SysWOW64\Eapedd32.exe

C:\Windows\system32\Eapedd32.exe

C:\Windows\SysWOW64\Ednaqo32.exe

C:\Windows\system32\Ednaqo32.exe

C:\Windows\SysWOW64\Ehimanbq.exe

C:\Windows\system32\Ehimanbq.exe

C:\Windows\SysWOW64\Ekhjmiad.exe

C:\Windows\system32\Ekhjmiad.exe

C:\Windows\SysWOW64\Ecoangbg.exe

C:\Windows\system32\Ecoangbg.exe

C:\Windows\SysWOW64\Eemnjbaj.exe

C:\Windows\system32\Eemnjbaj.exe

C:\Windows\SysWOW64\Edpnfo32.exe

C:\Windows\system32\Edpnfo32.exe

C:\Windows\SysWOW64\Ehljfnpn.exe

C:\Windows\system32\Ehljfnpn.exe

C:\Windows\SysWOW64\Eofbch32.exe

C:\Windows\system32\Eofbch32.exe

C:\Windows\SysWOW64\Eadopc32.exe

C:\Windows\system32\Eadopc32.exe

C:\Windows\SysWOW64\Edbklofb.exe

C:\Windows\system32\Edbklofb.exe

C:\Windows\SysWOW64\Ehnglm32.exe

C:\Windows\system32\Ehnglm32.exe

C:\Windows\SysWOW64\Fkmchi32.exe

C:\Windows\system32\Fkmchi32.exe

C:\Windows\SysWOW64\Fcckif32.exe

C:\Windows\system32\Fcckif32.exe

C:\Windows\SysWOW64\Fafkecel.exe

C:\Windows\system32\Fafkecel.exe

C:\Windows\SysWOW64\Febgea32.exe

C:\Windows\system32\Febgea32.exe

C:\Windows\SysWOW64\Fhqcam32.exe

C:\Windows\system32\Fhqcam32.exe

C:\Windows\SysWOW64\Fllpbldb.exe

C:\Windows\system32\Fllpbldb.exe

C:\Windows\SysWOW64\Fojlngce.exe

C:\Windows\system32\Fojlngce.exe

C:\Windows\SysWOW64\Fdgdgnbm.exe

C:\Windows\system32\Fdgdgnbm.exe

C:\Windows\SysWOW64\Fhcpgmjf.exe

C:\Windows\system32\Fhcpgmjf.exe

C:\Windows\SysWOW64\Fkalchij.exe

C:\Windows\system32\Fkalchij.exe

C:\Windows\SysWOW64\Fhemmlhc.exe

C:\Windows\system32\Fhemmlhc.exe

C:\Windows\SysWOW64\Fckajehi.exe

C:\Windows\system32\Fckajehi.exe

C:\Windows\SysWOW64\Ffimfqgm.exe

C:\Windows\system32\Ffimfqgm.exe

C:\Windows\SysWOW64\Fhgjblfq.exe

C:\Windows\system32\Fhgjblfq.exe

C:\Windows\SysWOW64\Flceckoj.exe

C:\Windows\system32\Flceckoj.exe

C:\Windows\SysWOW64\Foabofnn.exe

C:\Windows\system32\Foabofnn.exe

C:\Windows\SysWOW64\Fbpnkama.exe

C:\Windows\system32\Fbpnkama.exe

C:\Windows\SysWOW64\Fdnjgmle.exe

C:\Windows\system32\Fdnjgmle.exe

C:\Windows\SysWOW64\Glebhjlg.exe

C:\Windows\system32\Glebhjlg.exe

C:\Windows\SysWOW64\Gkhbdg32.exe

C:\Windows\system32\Gkhbdg32.exe

C:\Windows\SysWOW64\Gcojed32.exe

C:\Windows\system32\Gcojed32.exe

C:\Windows\SysWOW64\Gbbkaako.exe

C:\Windows\system32\Gbbkaako.exe

C:\Windows\SysWOW64\Gdqgmmjb.exe

C:\Windows\system32\Gdqgmmjb.exe

C:\Windows\SysWOW64\Gkkojgao.exe

C:\Windows\system32\Gkkojgao.exe

C:\Windows\SysWOW64\Gbdgfa32.exe

C:\Windows\system32\Gbdgfa32.exe

C:\Windows\SysWOW64\Gdcdbl32.exe

C:\Windows\system32\Gdcdbl32.exe

C:\Windows\SysWOW64\Gmjlcj32.exe

C:\Windows\system32\Gmjlcj32.exe

C:\Windows\SysWOW64\Gohhpe32.exe

C:\Windows\system32\Gohhpe32.exe

C:\Windows\SysWOW64\Gfbploob.exe

C:\Windows\system32\Gfbploob.exe

C:\Windows\SysWOW64\Ghaliknf.exe

C:\Windows\system32\Ghaliknf.exe

C:\Windows\SysWOW64\Gokdeeec.exe

C:\Windows\system32\Gokdeeec.exe

C:\Windows\SysWOW64\Gfembo32.exe

C:\Windows\system32\Gfembo32.exe

C:\Windows\SysWOW64\Gicinj32.exe

C:\Windows\system32\Gicinj32.exe

C:\Windows\SysWOW64\Heapdjlp.exe

C:\Windows\system32\Heapdjlp.exe

C:\Windows\SysWOW64\Hmhhehlb.exe

C:\Windows\system32\Hmhhehlb.exe

C:\Windows\SysWOW64\Hcbpab32.exe

C:\Windows\system32\Hcbpab32.exe

C:\Windows\SysWOW64\Hfqlnm32.exe

C:\Windows\system32\Hfqlnm32.exe

C:\Windows\SysWOW64\Hmjdjgjo.exe

C:\Windows\system32\Hmjdjgjo.exe

C:\Windows\SysWOW64\Hoiafcic.exe

C:\Windows\system32\Hoiafcic.exe

C:\Windows\SysWOW64\Hbgmcnhf.exe

C:\Windows\system32\Hbgmcnhf.exe

C:\Windows\SysWOW64\Hfcicmqp.exe

C:\Windows\system32\Hfcicmqp.exe

C:\Windows\SysWOW64\Iiaephpc.exe

C:\Windows\system32\Iiaephpc.exe

C:\Windows\SysWOW64\Icgjmapi.exe

C:\Windows\system32\Icgjmapi.exe

C:\Windows\SysWOW64\Ibjjhn32.exe

C:\Windows\system32\Ibjjhn32.exe

C:\Windows\SysWOW64\Iicbehnq.exe

C:\Windows\system32\Iicbehnq.exe

C:\Windows\SysWOW64\Ikbnacmd.exe

C:\Windows\system32\Ikbnacmd.exe

C:\Windows\SysWOW64\Icifbang.exe

C:\Windows\system32\Icifbang.exe

C:\Windows\SysWOW64\Iejcji32.exe

C:\Windows\system32\Iejcji32.exe

C:\Windows\SysWOW64\Ildkgc32.exe

C:\Windows\system32\Ildkgc32.exe

C:\Windows\SysWOW64\Ickchq32.exe

C:\Windows\system32\Ickchq32.exe

C:\Windows\SysWOW64\Ibnccmbo.exe

C:\Windows\system32\Ibnccmbo.exe

C:\Windows\SysWOW64\Iemppiab.exe

C:\Windows\system32\Iemppiab.exe

C:\Windows\SysWOW64\Imdgqfbd.exe

C:\Windows\system32\Imdgqfbd.exe

C:\Windows\SysWOW64\Ipbdmaah.exe

C:\Windows\system32\Ipbdmaah.exe

C:\Windows\SysWOW64\Ibqpimpl.exe

C:\Windows\system32\Ibqpimpl.exe

C:\Windows\SysWOW64\Ieolehop.exe

C:\Windows\system32\Ieolehop.exe

C:\Windows\SysWOW64\Imfdff32.exe

C:\Windows\system32\Imfdff32.exe

C:\Windows\SysWOW64\Ipdqba32.exe

C:\Windows\system32\Ipdqba32.exe

C:\Windows\SysWOW64\Ibcmom32.exe

C:\Windows\system32\Ibcmom32.exe

C:\Windows\SysWOW64\Jfoiokfb.exe

C:\Windows\system32\Jfoiokfb.exe

C:\Windows\SysWOW64\Jmhale32.exe

C:\Windows\system32\Jmhale32.exe

C:\Windows\SysWOW64\Jpgmha32.exe

C:\Windows\system32\Jpgmha32.exe

C:\Windows\SysWOW64\Jbeidl32.exe

C:\Windows\system32\Jbeidl32.exe

C:\Windows\SysWOW64\Jioaqfcc.exe

C:\Windows\system32\Jioaqfcc.exe

C:\Windows\SysWOW64\Jlnnmb32.exe

C:\Windows\system32\Jlnnmb32.exe

C:\Windows\SysWOW64\Jcefno32.exe

C:\Windows\system32\Jcefno32.exe

C:\Windows\SysWOW64\Jfcbjk32.exe

C:\Windows\system32\Jfcbjk32.exe

C:\Windows\SysWOW64\Jianff32.exe

C:\Windows\system32\Jianff32.exe

C:\Windows\SysWOW64\Jlpkba32.exe

C:\Windows\system32\Jlpkba32.exe

C:\Windows\SysWOW64\Jcgbco32.exe

C:\Windows\system32\Jcgbco32.exe

C:\Windows\SysWOW64\Jfeopj32.exe

C:\Windows\system32\Jfeopj32.exe

C:\Windows\SysWOW64\Jidklf32.exe

C:\Windows\system32\Jidklf32.exe

C:\Windows\SysWOW64\Jpnchp32.exe

C:\Windows\system32\Jpnchp32.exe

C:\Windows\SysWOW64\Jcioiood.exe

C:\Windows\system32\Jcioiood.exe

C:\Windows\SysWOW64\Jfhlejnh.exe

C:\Windows\system32\Jfhlejnh.exe

C:\Windows\SysWOW64\Jifhaenk.exe

C:\Windows\system32\Jifhaenk.exe

C:\Windows\SysWOW64\Jlednamo.exe

C:\Windows\system32\Jlednamo.exe

C:\Windows\SysWOW64\Kboljk32.exe

C:\Windows\system32\Kboljk32.exe

C:\Windows\SysWOW64\Kiidgeki.exe

C:\Windows\system32\Kiidgeki.exe

C:\Windows\SysWOW64\Kpbmco32.exe

C:\Windows\system32\Kpbmco32.exe

C:\Windows\SysWOW64\Kbaipkbi.exe

C:\Windows\system32\Kbaipkbi.exe

C:\Windows\SysWOW64\Kepelfam.exe

C:\Windows\system32\Kepelfam.exe

C:\Windows\SysWOW64\Kdqejn32.exe

C:\Windows\system32\Kdqejn32.exe

C:\Windows\SysWOW64\Kbceejpf.exe

C:\Windows\system32\Kbceejpf.exe

C:\Windows\SysWOW64\Kpgfooop.exe

C:\Windows\system32\Kpgfooop.exe

C:\Windows\SysWOW64\Kipkhdeq.exe

C:\Windows\system32\Kipkhdeq.exe

C:\Windows\SysWOW64\Kpjcdn32.exe

C:\Windows\system32\Kpjcdn32.exe

C:\Windows\SysWOW64\Kbhoqj32.exe

C:\Windows\system32\Kbhoqj32.exe

C:\Windows\SysWOW64\Kefkme32.exe

C:\Windows\system32\Kefkme32.exe

C:\Windows\SysWOW64\Kibgmdcn.exe

C:\Windows\system32\Kibgmdcn.exe

C:\Windows\SysWOW64\Klqcioba.exe

C:\Windows\system32\Klqcioba.exe

C:\Windows\SysWOW64\Kdgljmcd.exe

C:\Windows\system32\Kdgljmcd.exe

C:\Windows\SysWOW64\Lbjlfi32.exe

C:\Windows\system32\Lbjlfi32.exe

C:\Windows\SysWOW64\Lmppcbjd.exe

C:\Windows\system32\Lmppcbjd.exe

C:\Windows\SysWOW64\Lfhdlh32.exe

C:\Windows\system32\Lfhdlh32.exe

C:\Windows\SysWOW64\Lekehdgp.exe

C:\Windows\system32\Lekehdgp.exe

C:\Windows\SysWOW64\Lmbmibhb.exe

C:\Windows\system32\Lmbmibhb.exe

C:\Windows\SysWOW64\Lpqiemge.exe

C:\Windows\system32\Lpqiemge.exe

C:\Windows\SysWOW64\Lfkaag32.exe

C:\Windows\system32\Lfkaag32.exe

C:\Windows\SysWOW64\Liimncmf.exe

C:\Windows\system32\Liimncmf.exe

C:\Windows\SysWOW64\Lpcfkm32.exe

C:\Windows\system32\Lpcfkm32.exe

C:\Windows\SysWOW64\Lgmngglp.exe

C:\Windows\system32\Lgmngglp.exe

C:\Windows\SysWOW64\Lmgfda32.exe

C:\Windows\system32\Lmgfda32.exe

C:\Windows\SysWOW64\Ldanqkki.exe

C:\Windows\system32\Ldanqkki.exe

C:\Windows\SysWOW64\Lgokmgjm.exe

C:\Windows\system32\Lgokmgjm.exe

C:\Windows\SysWOW64\Lingibiq.exe

C:\Windows\system32\Lingibiq.exe

C:\Windows\SysWOW64\Lllcen32.exe

C:\Windows\system32\Lllcen32.exe

C:\Windows\SysWOW64\Mdckfk32.exe

C:\Windows\system32\Mdckfk32.exe

C:\Windows\SysWOW64\Mgagbf32.exe

C:\Windows\system32\Mgagbf32.exe

C:\Windows\SysWOW64\Medgncoe.exe

C:\Windows\system32\Medgncoe.exe

C:\Windows\SysWOW64\Mdehlk32.exe

C:\Windows\system32\Mdehlk32.exe

C:\Windows\SysWOW64\Mgddhf32.exe

C:\Windows\system32\Mgddhf32.exe

C:\Windows\SysWOW64\Mibpda32.exe

C:\Windows\system32\Mibpda32.exe

C:\Windows\SysWOW64\Mlampmdo.exe

C:\Windows\system32\Mlampmdo.exe

C:\Windows\SysWOW64\Mdhdajea.exe

C:\Windows\system32\Mdhdajea.exe

C:\Windows\SysWOW64\Meiaib32.exe

C:\Windows\system32\Meiaib32.exe

C:\Windows\SysWOW64\Mmpijp32.exe

C:\Windows\system32\Mmpijp32.exe

C:\Windows\SysWOW64\Mpoefk32.exe

C:\Windows\system32\Mpoefk32.exe

C:\Windows\SysWOW64\Mcmabg32.exe

C:\Windows\system32\Mcmabg32.exe

C:\Windows\SysWOW64\Melnob32.exe

C:\Windows\system32\Melnob32.exe

C:\Windows\SysWOW64\Mmbfpp32.exe

C:\Windows\system32\Mmbfpp32.exe

C:\Windows\SysWOW64\Mlefklpj.exe

C:\Windows\system32\Mlefklpj.exe

C:\Windows\SysWOW64\Mdmnlj32.exe

C:\Windows\system32\Mdmnlj32.exe

C:\Windows\SysWOW64\Mgkjhe32.exe

C:\Windows\system32\Mgkjhe32.exe

C:\Windows\SysWOW64\Miifeq32.exe

C:\Windows\system32\Miifeq32.exe

C:\Windows\SysWOW64\Mlhbal32.exe

C:\Windows\system32\Mlhbal32.exe

C:\Windows\SysWOW64\Ndokbi32.exe

C:\Windows\system32\Ndokbi32.exe

C:\Windows\SysWOW64\Ncbknfed.exe

C:\Windows\system32\Ncbknfed.exe

C:\Windows\SysWOW64\Nilcjp32.exe

C:\Windows\system32\Nilcjp32.exe

C:\Windows\SysWOW64\Nljofl32.exe

C:\Windows\system32\Nljofl32.exe

C:\Windows\SysWOW64\Ndaggimg.exe

C:\Windows\system32\Ndaggimg.exe

C:\Windows\SysWOW64\Ngpccdlj.exe

C:\Windows\system32\Ngpccdlj.exe

C:\Windows\SysWOW64\Njnpppkn.exe

C:\Windows\system32\Njnpppkn.exe

C:\Windows\SysWOW64\Ncfdie32.exe

C:\Windows\system32\Ncfdie32.exe

C:\Windows\SysWOW64\Ngbpidjh.exe

C:\Windows\system32\Ngbpidjh.exe

C:\Windows\SysWOW64\Nnlhfn32.exe

C:\Windows\system32\Nnlhfn32.exe

C:\Windows\SysWOW64\Ndfqbhia.exe

C:\Windows\system32\Ndfqbhia.exe

C:\Windows\SysWOW64\Njciko32.exe

C:\Windows\system32\Njciko32.exe

C:\Windows\SysWOW64\Nlaegk32.exe

C:\Windows\system32\Nlaegk32.exe

C:\Windows\SysWOW64\Nckndeni.exe

C:\Windows\system32\Nckndeni.exe

C:\Windows\SysWOW64\Nfjjppmm.exe

C:\Windows\system32\Nfjjppmm.exe

C:\Windows\SysWOW64\Odkjng32.exe

C:\Windows\system32\Odkjng32.exe

C:\Windows\SysWOW64\Ocnjidkf.exe

C:\Windows\system32\Ocnjidkf.exe

C:\Windows\SysWOW64\Olfobjbg.exe

C:\Windows\system32\Olfobjbg.exe

C:\Windows\SysWOW64\Oneklm32.exe

C:\Windows\system32\Oneklm32.exe

C:\Windows\SysWOW64\Ojllan32.exe

C:\Windows\system32\Ojllan32.exe

C:\Windows\SysWOW64\Odapnf32.exe

C:\Windows\system32\Odapnf32.exe

C:\Windows\SysWOW64\Ogpmjb32.exe

C:\Windows\system32\Ogpmjb32.exe

C:\Windows\SysWOW64\Ojoign32.exe

C:\Windows\system32\Ojoign32.exe

C:\Windows\SysWOW64\Oqhacgdh.exe

C:\Windows\system32\Oqhacgdh.exe

C:\Windows\SysWOW64\Ogbipa32.exe

C:\Windows\system32\Ogbipa32.exe

C:\Windows\SysWOW64\Ojaelm32.exe

C:\Windows\system32\Ojaelm32.exe

C:\Windows\SysWOW64\Pdfjifjo.exe

C:\Windows\system32\Pdfjifjo.exe

C:\Windows\SysWOW64\Pgefeajb.exe

C:\Windows\system32\Pgefeajb.exe

C:\Windows\SysWOW64\Pfhfan32.exe

C:\Windows\system32\Pfhfan32.exe

C:\Windows\SysWOW64\Pnonbk32.exe

C:\Windows\system32\Pnonbk32.exe

C:\Windows\SysWOW64\Pfjcgn32.exe

C:\Windows\system32\Pfjcgn32.exe

C:\Windows\SysWOW64\Pqpgdfnp.exe

C:\Windows\system32\Pqpgdfnp.exe

C:\Windows\SysWOW64\Pmfhig32.exe

C:\Windows\system32\Pmfhig32.exe

C:\Windows\SysWOW64\Pqbdjfln.exe

C:\Windows\system32\Pqbdjfln.exe

C:\Windows\SysWOW64\Pfolbmje.exe

C:\Windows\system32\Pfolbmje.exe

C:\Windows\SysWOW64\Pgnilpah.exe

C:\Windows\system32\Pgnilpah.exe

C:\Windows\SysWOW64\Qmkadgpo.exe

C:\Windows\system32\Qmkadgpo.exe

C:\Windows\SysWOW64\Qjoankoi.exe

C:\Windows\system32\Qjoankoi.exe

C:\Windows\SysWOW64\Qcgffqei.exe

C:\Windows\system32\Qcgffqei.exe

C:\Windows\SysWOW64\Adgbpc32.exe

C:\Windows\system32\Adgbpc32.exe

C:\Windows\SysWOW64\Afhohlbj.exe

C:\Windows\system32\Afhohlbj.exe

C:\Windows\SysWOW64\Aclpap32.exe

C:\Windows\system32\Aclpap32.exe

C:\Windows\SysWOW64\Ajfhnjhq.exe

C:\Windows\system32\Ajfhnjhq.exe

C:\Windows\SysWOW64\Acnlgp32.exe

C:\Windows\system32\Acnlgp32.exe

C:\Windows\SysWOW64\Andqdh32.exe

C:\Windows\system32\Andqdh32.exe

C:\Windows\SysWOW64\Acqimo32.exe

C:\Windows\system32\Acqimo32.exe

C:\Windows\SysWOW64\Afoeiklb.exe

C:\Windows\system32\Afoeiklb.exe

C:\Windows\SysWOW64\Aminee32.exe

C:\Windows\system32\Aminee32.exe

C:\Windows\SysWOW64\Aadifclh.exe

C:\Windows\system32\Aadifclh.exe

C:\Windows\SysWOW64\Bfabnjjp.exe

C:\Windows\system32\Bfabnjjp.exe

C:\Windows\SysWOW64\Bnhjohkb.exe

C:\Windows\system32\Bnhjohkb.exe

C:\Windows\SysWOW64\Bagflcje.exe

C:\Windows\system32\Bagflcje.exe

C:\Windows\SysWOW64\Bganhm32.exe

C:\Windows\system32\Bganhm32.exe

C:\Windows\SysWOW64\Bjokdipf.exe

C:\Windows\system32\Bjokdipf.exe

C:\Windows\SysWOW64\Bgcknmop.exe

C:\Windows\system32\Bgcknmop.exe

C:\Windows\SysWOW64\Bjagjhnc.exe

C:\Windows\system32\Bjagjhnc.exe

C:\Windows\SysWOW64\Bmpcfdmg.exe

C:\Windows\system32\Bmpcfdmg.exe

C:\Windows\SysWOW64\Balpgb32.exe

C:\Windows\system32\Balpgb32.exe

C:\Windows\SysWOW64\Bgehcmmm.exe

C:\Windows\system32\Bgehcmmm.exe

C:\Windows\SysWOW64\Bnpppgdj.exe

C:\Windows\system32\Bnpppgdj.exe

C:\Windows\SysWOW64\Beihma32.exe

C:\Windows\system32\Beihma32.exe

C:\Windows\SysWOW64\Bhhdil32.exe

C:\Windows\system32\Bhhdil32.exe

C:\Windows\SysWOW64\Bjfaeh32.exe

C:\Windows\system32\Bjfaeh32.exe

C:\Windows\SysWOW64\Bapiabak.exe

C:\Windows\system32\Bapiabak.exe

C:\Windows\SysWOW64\Bcoenmao.exe

C:\Windows\system32\Bcoenmao.exe

C:\Windows\SysWOW64\Cjinkg32.exe

C:\Windows\system32\Cjinkg32.exe

C:\Windows\SysWOW64\Cfpnph32.exe

C:\Windows\system32\Cfpnph32.exe

C:\Windows\SysWOW64\Cmiflbel.exe

C:\Windows\system32\Cmiflbel.exe

C:\Windows\SysWOW64\Cdcoim32.exe

C:\Windows\system32\Cdcoim32.exe

C:\Windows\SysWOW64\Ceckcp32.exe

C:\Windows\system32\Ceckcp32.exe

C:\Windows\SysWOW64\Cdhhdlid.exe

C:\Windows\system32\Cdhhdlid.exe

C:\Windows\SysWOW64\Cjbpaf32.exe

C:\Windows\system32\Cjbpaf32.exe

C:\Windows\SysWOW64\Cmqmma32.exe

C:\Windows\system32\Cmqmma32.exe

C:\Windows\SysWOW64\Dfknkg32.exe

C:\Windows\system32\Dfknkg32.exe

C:\Windows\SysWOW64\Dhkjej32.exe

C:\Windows\system32\Dhkjej32.exe

C:\Windows\SysWOW64\Dhmgki32.exe

C:\Windows\system32\Dhmgki32.exe

C:\Windows\SysWOW64\Dmjocp32.exe

C:\Windows\system32\Dmjocp32.exe

C:\Windows\SysWOW64\Dknpmdfc.exe

C:\Windows\system32\Dknpmdfc.exe

C:\Windows\SysWOW64\Dmllipeg.exe

C:\Windows\system32\Dmllipeg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 8436 -ip 8436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 8436 -s 416

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 28.73.42.20.in-addr.arpa udp

Files

memory/552-0-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Qecppkdm.exe

memory/4668-8-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Qkmhlekj.exe

memory/1136-16-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Qchmagie.exe

memory/3188-24-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Agffge32.exe

C:\Windows\SysWOW64\Lcfcfldc.dll

memory/456-32-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Abkjdnoa.exe

memory/2920-40-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Acocaf32.exe

memory/3172-47-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Andgoobc.exe

memory/4840-60-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Aeopki32.exe

MD5 843be66e8901e62ba4a4bcbd54470774
SHA1 13f0b1b49fd35168d45bf27793b5b587f45bf5ef
SHA256 f89d10e22766729579068f4f23bae3bbd7cf5bfde3356205fc925e83e88b2569
SHA512 429e27ce399783b2c752f6735603bbd81ba396d1fccabe9c9ad7ca7e397044bf730941b72a613c8755153be3f330f726702b7891b69d3b5f24b211a7af9017c0

memory/4844-64-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Aaepqjpd.exe

MD5 b825c4865148643b04e60ad028a6ecfd
SHA1 1ff58f4a5b8ec5d11010108d3a523dd83db6852c
SHA256 d020c703d8fd5f22cbbab08c0a61a3e4747cd0ec913dc6752becb0a764ec0fca
SHA512 40522ab93d93b9abc947117bc5bf0ceb06b830af1c5f84057f7860779da1f8c0429c6a1bdabc49a0bb89e78618e3fe9baf8da7f20048b4de0653cf737ee7ac96

memory/4108-71-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Abemjmgg.exe

MD5 f217d4cd67e532ac49c2d3ffbdc34f14
SHA1 14a3b2d576b01d118c473220df8ffe076b9047e8
SHA256 82ace6c0fe46052861175c4b3aa45fb91718d243e71fdc163a8aa3d41ad4a692
SHA512 6f62ccd7cc7ea164ef6467fc652cc2157adc3ab23983251c57d53152fa0e188a8131e89818770f5edf10c5dd1dc401b7e56337c584969da375ac1d049182744c

memory/1840-80-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Bhaebcen.exe

MD5 6eb49c89a7079f67ea6154fce9731ef7
SHA1 164f48990441446194c5f54e0a99d34916b9e5d0
SHA256 535f9dba59b1545e026c0b79b10e62520fcd07f95e67e1a71abb9a1b8aae7806
SHA512 e9ee3c3a3c7bad8aaa654839c4ace09290c7e6a13a6def71417f700d6328b4d70b765ce347f2fdb864dd67c1b351f4dc10742ef7cc3a467af646acece3a14060

memory/4416-92-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Bjpaooda.exe

MD5 567105d323ddf99ad7fe82232a44346d
SHA1 53c48ad4180d38c54e1d0aca41df370e0da23f4d
SHA256 1f18062ce27a83909b1de4c4c70fd23aba0706f9302d506d3e70a826cdc98cb0
SHA512 b90c76ed58af1f6d8665c8bfac109db3791c668ab3a808ebc96ff2fdfd03b0f2928916ffb59c9628d46947c9955ecbdf9e7e6fcff16d93e311e70c8de28850c4

memory/2964-99-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Bbgipldd.exe

MD5 162cf0c918c352a4ec054e0d40c3d223
SHA1 084151b34bed30aca3029cca1d575f2874b06430
SHA256 b72fa705a03e53570c31b1258855084889695f9293b4c25a99ed2b6e63503deb
SHA512 35cfe3078f40c32f48f549e7f35e5d8b12c6a4b86765360596b61c7839ee597f736c59c9237d8f128119982b2448c738433ad21163f4d356bbe056e5818ec7ff

C:\Windows\SysWOW64\Bdhfhe32.exe

MD5 306f335872c642f30185ccaefd49254c
SHA1 c787f842b3ad5c326a3435810fae483fde01f230
SHA256 2bbda22ee0d5e3da3ec6af0145f6686c911e49488af28fc7b1fcc1e821b353bc
SHA512 b1e5facc485f3f4b96c66ac31f82ad794d702cac7c6a804fc57b04c23405c029bc71b041a79cd968eb96a96e57f9269d5452a49060c98c9a60cf735d4e349077

memory/3204-116-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Bnnjen32.exe

MD5 3906faca4a56a1e9ac47a2517ee8edb6
SHA1 19e797fc964e4fdc0f446ffd494f7b97762245ed
SHA256 e066495fdbf9a741dcedbabaf933f05862b97ad65f465e067b90a997376d90aa
SHA512 ecccafa4ee87aa043c13fcdf765fd7cc508a6d70ad18f03694db8cc4981f7d7e3952da363796a4e466a5ac6a9410504b9fc8794453052e95579edaaccf1e8c01

C:\Windows\SysWOW64\Bdkcmdhp.exe

MD5 971f6615743ab4c1ae96ad6fcd1e39c2
SHA1 5e2a8e5129ac148f58357e08b9cf717d3e5ced9b
SHA256 61c580a3e95bef8c76573bad002647785902666367d322adc24e92a564afff7e
SHA512 eed38833875336deae658ded81819b89f33ecfcae0abb8adc2c693f929c3a712edcda3670dcfac633f2bff003ee1fdeeaab8591a98630979369e2a009ccf0595

C:\Windows\SysWOW64\Bblckl32.exe

MD5 55f7acf0489953fdc35a33e9a4e1ad15
SHA1 e99816dd0f6980c40c6df9c8933fab215d584125
SHA256 be18c573bddc85e1f51df4c9a34e79875976e707075875f6d798bad3ffc68101
SHA512 d3a9d18bd9b2e7e16e289119fad3725cdbae1fae192f222d8027dbafa3a47c6033825002694cd7a497fc5d5195a550a7d08b6c7a8e5f0cd0c4479d3b31d0fa1a

C:\Windows\SysWOW64\Bhikcb32.exe

MD5 7187daaf89547feb0008ae80ef585345
SHA1 462046a1aecd966198a3cbf81fe4577f0caec1cd
SHA256 3bbe725e4b508932ce2fb29f338b2904ab3a83adaf281920db2052a0a189f711
SHA512 8c45b763ed626d1787e7a4444c9186b5bc3745d1656a0ecd06cc43d1b0ddb86a2f14de4970cf14cfee55b17c652bb1d8018ec323bd778dc9c8bf3e727c079a41

C:\Windows\SysWOW64\Bemlmgnp.exe

MD5 358f71f7f7a20f8bc2a826fff04aebb6
SHA1 cf4bb14b9a3e3fea6bbbeb1b92808f7749407a28
SHA256 53af0e028b472917a771f70536d9272db922329cfdb4c560df759d7f85dfdf40
SHA512 3bfd8a48de94a1312b6fb58fc21ad0f1c9ed83efc45a642f5b27765455194ae5109eada510dd8691de99973907f8cb1b1442036826ae8eb53476f363312e03e6

C:\Windows\SysWOW64\Blfdia32.exe

MD5 00f30061ea75a84fa025536fa39efa0e
SHA1 e8d227269d6410de1f395dc0e464db4410d79a0a
SHA256 3ca95fb5019049bef58b037d1f785309c36568999476bbe4d42a19f4acd3202e
SHA512 23222a3d4271efbb000054d86a330eb49f4936065e1f5f0f911f260e0945ba3db05f778367c5fb83c519da257f121df7f9a08009bd53f9b28387a3e8d81b395f

C:\Windows\SysWOW64\Cbqlfkmi.exe

MD5 4b7d7c2c0e879c6f958bc289cc0c8586
SHA1 1e95e20888c32b39a6040cfbe68ccd78decdc097
SHA256 ec3dae84ee4098c454fa2a54c7513d308f207cb61a119bf72c059ca7306b7ad9
SHA512 c144c893095253a874a204082dd096d6ebc88aeab2def09bebefc3afd40b96c4629d6dbde46ea811099867d9e12e719e53c541194c41976491d2770a082b7256

C:\Windows\SysWOW64\Cliaoq32.exe

MD5 6e7f5aadf2135e7b6c72490e60f8ec71
SHA1 02ac01c8a151136ffb72a1913d75bd7648dae43e
SHA256 2a0112aa338314ff9ee714909a0ed5ac0d7e8d39d2d9927c7c1592c5e264be5f
SHA512 60e4e726ffca550b0a2046638c4dd28e03c3f44ad0a98dedfdf8200337b998fd703b870c6c68f0f0ba96851acf610a4eb614cfc86717ee849c1967f6bb9e8aa2

C:\Windows\SysWOW64\Cbcilkjg.exe

MD5 6a92336c564de2dd06dbfa183ab88d65
SHA1 964759985dd8193ed6f5cdfb537a6a6a27dad8d3
SHA256 066f4f0b0756d55b04ec1050f89f95dbb4cdc55a37f1e0e5c321948c3dc9f9b7
SHA512 31996655afdb80e9d85ac1c37436db5fa614f3f0a111c6b5e23fcd99ddc13cf69c5066cbc319652745610303b856ebf0be75ee9b035c3c759404b25128f84e8f

memory/3532-435-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2480-458-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2308-462-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2472-495-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5180-689-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5540-699-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5508-698-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5464-697-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5432-696-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5392-695-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5360-694-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5324-693-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5284-692-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5252-691-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5216-690-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5140-688-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4608-687-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3440-686-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3504-685-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4952-684-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2100-683-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1760-682-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1884-681-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5072-680-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4768-679-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1984-678-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1348-507-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2664-506-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1320-505-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5096-504-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1016-503-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2356-502-0x0000000000400000-0x0000000000434000-memory.dmp

memory/532-501-0x0000000000400000-0x0000000000434000-memory.dmp

memory/220-494-0x0000000000400000-0x0000000000434000-memory.dmp

memory/744-493-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4984-492-0x0000000000400000-0x0000000000434000-memory.dmp

memory/784-491-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4904-490-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3084-489-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1440-488-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1688-487-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1676-486-0x0000000000400000-0x0000000000434000-memory.dmp

memory/772-485-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2160-484-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4736-483-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1756-482-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2732-481-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2604-480-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1964-479-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2620-478-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3452-477-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2112-476-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4344-474-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3252-473-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4760-472-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3944-471-0x0000000000400000-0x0000000000434000-memory.dmp

memory/628-470-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1980-469-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3972-468-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2408-463-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3052-461-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2152-460-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4604-457-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5024-456-0x0000000000400000-0x0000000000434000-memory.dmp

memory/452-455-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1096-459-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2164-454-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4480-451-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4012-450-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4320-449-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2056-448-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3320-447-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2384-444-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4248-441-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1988-440-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1744-439-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4032-438-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4040-437-0x0000000000400000-0x0000000000434000-memory.dmp

memory/788-436-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3468-434-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3520-452-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Cklaknjd.exe

MD5 b835b1495878889c112938f5c93ba0c0
SHA1 afc582184ecd925c80fa3d494a44604b962e99e7
SHA256 357f1f3d393884b7791925b4aedb97dd07a03d29398f871f498d4fc27d6d1c06
SHA512 6b78d9eeed9335f80f2f160a11df3f004677f303a75ccbd5f23f4a629da2c41853dccb6c60073acb3cd894b6c9e463d40f5c3c8d5bd9ff7c728a4ab3492cb3a5

C:\Windows\SysWOW64\Cdainc32.exe

MD5 6dfd5510a35418bd0f751f7938dce2ba
SHA1 59cbe94c84a6d6963b97c2856773b84e0aa81ff5
SHA256 2e8bec187c0f250d54476ef3eb25071b9d8966e0974388f379cf51a1e5fcb5fc
SHA512 cd0d5eda8a7c09565a04c9a561a6af9db261dc3e4dfe50ec151f7952cd7da17dc798c887370d342b5021420a3fd6ee0abd31c245aa89a1c8e2ab8fc6e79b34db

C:\Windows\SysWOW64\Ceoibflm.exe

MD5 a6f91b4b1de8faead0ca77dc513372ae
SHA1 bf2d23d2db313f9e49f8c43327abdc1d139622a0
SHA256 782c1ec27c30ca81c1fcf718e2a1910778d5d46f6500362b75c87e2dfb258e3c
SHA512 e4099f275a1ade68ed2109ea471005d0dadf782e686620db3b32814e05d1bb41f4711be275a60b2daa4a7650aea6c8fcbd0873869504a10c256f986b77056c43

C:\Windows\SysWOW64\Bkidenlg.exe

MD5 bc7c4c546d181cc2bafe149e214bfd3b
SHA1 844ca30a22051026d5a64fe9be9d6b608e469c3e
SHA256 dd18209ae739475cfabe011966e3ff6793a0078a5958764a15d6b44486808423
SHA512 450b1acfe35ce859cb786216c8a9ad57542d0521503c2a631af2a016b93ca908e8dc9ef28e05598870f2c2c0278d994114934c7c73c3b048e510f53d57313722

C:\Windows\SysWOW64\Bdolhc32.exe

MD5 94f1148df5bab6b789d6cd729e1291f5
SHA1 8491cb0afe8f9c65961b549980a2aa8448c7f7cf
SHA256 03f3add9b023c1e0145a83f0a574b258f1690f6a2ffcfee33cf7d5c0104be900
SHA512 179393bb69f7c3a2438f1919ecdbd1eb27948c026f2d34848f9389107ff949ddcb869639708b7397520af71ac3fdc3d55c92d145cecbbfc5fd3659de290922db

C:\Windows\SysWOW64\Bbnpqk32.exe

MD5 1d1d882adb400279b715ffc3925222cd
SHA1 368077bc9248bf825c3992d5792b74140902d811
SHA256 be0b604d0cf1554715cf689d363afe7c2a1bbfcad24a26571d1508547b21bf35
SHA512 33fd4e64c80c9fdb1039c5db83e232f63ec6eadbbe8ed5e1e7921650ac3749ef03ad28124b621e4e6721ca19e32a27bbf29a0510405f4db0065467163b5b1c9b

C:\Windows\SysWOW64\Bobcpmfc.exe

MD5 3318eb289d9edcbd3d3ebc8c4f73d15a
SHA1 e9275198fa8232ae4794d64995ff2cb78fec89c6
SHA256 3ddfa13386f5442e64a14f0669b3f51e01b27b2658eda34b3705445ef8e87f76
SHA512 e83843cdd70649792f16f61b7fa06bcad17eb77197cdb25681e9abbbf08819a21df4df3dee479b92d0de0a1d58b65b1aec413e1c97d6ab57f633003c5e21ba3f

C:\Windows\SysWOW64\Bdmpcdfm.exe

MD5 14b581c8419a8154ad20e5705d8afd82
SHA1 8e2883b6a805a5c13baa0492da7db5c02c2c959c
SHA256 8d88719964f1c43747e94c44c304b0968b1bf76f39e6cd412bf6cef80c55bcbd
SHA512 08a22d08cd813acddb80c22620c907c91164adfbcf7a99c82151663ff53ff92afef4bbfd8a2195297e049628f4934675bde784499cce408b0d4b708cc23e3938

C:\Windows\SysWOW64\Blbknaib.exe

MD5 baba530ba4de87cf5cd4c3355f780772
SHA1 251ef4e457f5027fd66a84ade7db98a4bb89a900
SHA256 eb1ab27e8e84eed318016c56576b0c1ad72c40d5789d60b4e6e2f721d5520339
SHA512 71fd496fb2511e33c189ea178fa5a31574cfb5f9f29faf53de5e81b0f00f359a5fcc8b4ba550c0c5985ecaada134d7a7120026c5d43850610cfabcfaf86fe3df

memory/2360-109-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Jbeidl32.exe

MD5 69ec60906a29265bd9c40fc1a35afe6c
SHA1 5807bedbce9a0c02f8209981642dcc4830fd380a
SHA256 12b928bad87db5562d2839b3e88d3184412d619bc9b9ca7b1e49c37867d5b558
SHA512 2561feff28a317a775be114e328a7ea8bdb412797f98ccea80ff6905c3c411f2c9b3ecbcb712f48ae9887dd957fe15fd29fd87525e9baa7545b508ed21994ca4

C:\Windows\SysWOW64\Kepelfam.exe

MD5 f8f9393e574fb3ace27f13c2cb96f89b
SHA1 cb350a3da85d849f4013bab935b1bf57455b2e24
SHA256 a2c0aae2d544278b010ea6d882fcd3a8d9c5b6b9ea57e1548ad46644151ed35c
SHA512 fa2a833fc17bd7429289a6cc11cbf296793e0241a8e116bba759315c6d44438f7cffb3dee7cc728afb495c91fd7b41a39a0891df3130b839aea00c1962c79f2f

C:\Windows\SysWOW64\Kbceejpf.exe

MD5 70bfc118a0d3ba7cfa195d60263a18bb
SHA1 a2d6160d512a7bf59d49c6bf4dab12c9aea815bb
SHA256 e28033ed795ea75ade57cf5a3b100b3556c723f41cf5785d6dd48c85b39193df
SHA512 8a03936edd92cfcbc97d06c9bd90aedfd19a7d2e9f79ca51eb50e60726872acd261b6d373b9ea13d27e5aaee1d1752410c1f8b24061f6fa80869545bca6ba3ad

C:\Windows\SysWOW64\Kpgfooop.exe

MD5 82eaaa3567564fc16295b083a0cc8d72
SHA1 586e091d06571effa2b5d70586cac6231e20313a
SHA256 2a1588e6127b37e1a6d5a24424525ad523cc010043d9fe96003024039f1028e5
SHA512 5245e3672e708daa0d421a5a29c9afe337a08ba1d712998eb6b247aff690d2d3408c45b65acc6675d1ab2c5c735b8b1bc1b188ea20713973119b3a85d53ca4c0

C:\Windows\SysWOW64\Lpcfkm32.exe

MD5 efc3bc983a2cba8bc482ddd2722c9e38
SHA1 0c723e672ef3774722848f92bc5889561d5ce918
SHA256 4eeaf7ef4102e60b3ef48058e887c0e97fe28f96947d491e76feefe484d2ef4d
SHA512 113f112eec77f6eb7463c151d15ebad5775b91c8e5f19bb67ad4a598fc094ded1eef0d0bf7a501c233631e674a6fae373985aa826bd94a624e08c2724da3dcf8

C:\Windows\SysWOW64\Lllcen32.exe

MD5 4a113ebe9b7e22c0fc9df5c54e28c34b
SHA1 db45b5613bd93d24b562a1042108fb76e287b4b5
SHA256 21442015243030c6f5517a887633ff7a01dc60d715f405f2af8180632604f2ca
SHA512 5726a856e9243556db932a3ba6621400df890e36f3ac128da72c0436b6d1e49358a1e6d7cd84c94d9439be73c42e96b3034a72bc3e03be186bc8874066d05902

C:\Windows\SysWOW64\Ndaggimg.exe

MD5 04891ebc22e82e0f7477029d7014a35e
SHA1 189ea474d27d57cc3b0687048430e27bad2f54ac
SHA256 898ffc77d3088c19b69bea782ea3a7077115a4244d537fbd9000c22d4033ada3
SHA512 2b7c2dbfa80d7b2e696d33542833f3f83c49e0fabb79ade9566d54f2ac0842e33b974ea377eddf1309672e3334b58c2a4a88e351524682ecd8af0a645c719610

C:\Windows\SysWOW64\Ndfqbhia.exe

MD5 d546bbbf6497c19d34abf844da837181
SHA1 eac7c74fab0c6cdcc18d9b9b818e8f171541604e
SHA256 0d25625f59f6c9cf6fd580536ae5933caa84bd934e0382270c5c6261ae4a4c0a
SHA512 1d826643754edfc646d4b055d5b287d4cfaab6960ef475bbc4a0faf40111935c2598fac6e8910f119553153b4c7314a1399649cb45da98006d620d9859adeefb

C:\Windows\SysWOW64\Njciko32.exe

MD5 51f7a4aa5ca1a85b5b5c85126f0e475e
SHA1 b6f1e263cfc7bc8cc13eae875142a0461e0b335d
SHA256 479283c6ef62672de247a02f5ecc21bdae66dd7cef5ed3e6fb5276c5d491aa75
SHA512 7fba6cf6df71b0f40aab64a66af991af44de8126615e56483123df18f6a7d7b393a34be7026b71116e689ea3b16ea0edf9aa5c63a135ca15f2f5d9312bd96a9a

C:\Windows\SysWOW64\Nfjjppmm.exe

MD5 562275d5c9c9b47a0100bac58fe5675f
SHA1 266b8e9c394cd25c31fc3428ba591f885794a109
SHA256 cf4509e3059ce12d4700688d67b26614b48236c4afc19be9fd3ae104958c76d3
SHA512 30707e8e25b1b0b11b26297314ce154031325707986948c5e3e88f0f315f47544cc2e60bfba59dd55fba25cdce61fee32c6ca00deff98fbf6fcfc3d99a07483e

C:\Windows\SysWOW64\Olfobjbg.exe

MD5 d8a653ec9b385aac35e6b38f04939a27
SHA1 2af35cfd7bf33730b04aa174d0676cb2a1ee2744
SHA256 63c7f1298f6eac3c3331181f2ee37a1ed5c32290d6f7a4ebbad624e96961bbb3
SHA512 51070d2de1ac547674012fbc873dc7628e2c6968277a1bd4cddbe222653aea8e425dfbb43e1de1a9ff7415eb91e8cce5c5fa382f28d9365c7d57f989ecd5e735

C:\Windows\SysWOW64\Ogbipa32.exe

MD5 8ab6b9e575384de6b344e154533dc401
SHA1 e81578ad01983bbb7eea1fb863e515ee716550f3
SHA256 278309bcc05422774a6aa73c07c6efa0c9a820cdc327487bf823b86c53511a5f
SHA512 73c170d688c3e4fa4468fd613ddcfb7b5e65d52f666dcb8c32a8cfdc09438f816c0c292609cfb1b0062956d4f6ee559758652862a0c0e0335a8bf2ce6a1e90c1

C:\Windows\SysWOW64\Ojaelm32.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\SysWOW64\Pfjcgn32.exe

MD5 dd45f0cdddbe8772da588e060bcd4f39
SHA1 2c02c182f4e31f0335616ee46e6d95475d8494bd
SHA256 f5b294d76c706c914fd4115c04d706dc6ec16b2bdcf1f44b9fa33770f37a4537
SHA512 c7b7cb6ba3c2d848267dcdb0153faf67158f3311bed0c9fdfffc57695beb503806daf626619c674882d1c307897350c50238116670fe3066e24c37afecc3088b

C:\Windows\SysWOW64\Pqpgdfnp.exe

MD5 5656892723764d8e68155ff89601abc5
SHA1 1092797bea48ff330ff3dfe714f25417c576fc90
SHA256 0cf50b7e8c111210a32e6d3738250f97a59c8598af3ce1863ad9f19b8b85e122
SHA512 d872034ef5b13a81961818c103c412406812221143d1f23e9f2532395846562a0268cf0256ecf5a25a65d750a4c1f67aa624fe5c7afad9c37c4d0ee9f2eea738

C:\Windows\SysWOW64\Qmkadgpo.exe

MD5 a0a743aa1e4d5c6f21762ca592429f5a
SHA1 8566273b5cd6c911b6b32ee4ee8a0f095b26c397
SHA256 c645ff370bdc8c833470af013cfe06896d643c2f7545f1999efa8718d72e70c3
SHA512 1b57114f8175e9936b1ca14ec2201a8f4e83af09d1a3d13eb872129e57a4073d898d33cdb6e3e8b3a782bc531749eb6c91de3658b16f1956592a0d4bad6603a7

C:\Windows\SysWOW64\Ajfhnjhq.exe

MD5 08bd650f8e612ec69292e157115f23c5
SHA1 e88abb524b723c96467901e035a22874f6ae88a0
SHA256 4a0af269bb984dba66455e5969cc835b5515713a0752ac2b8647dea9d1841f2a
SHA512 aa0384ae27117af8988e1a620975e4cd2813570daa791504f85f503f350634a80593663f92f2517a2eeb818cd166a9f275dfd3f6629929ae2e7abc1270cc9e84

C:\Windows\SysWOW64\Acqimo32.exe

MD5 ff7252318699626acf49f982b7fc87fc
SHA1 89f821997055f7fc94bde2693a2fdb8476160f87
SHA256 c45e30b4cecabe824ae838ce44ebd10f19c3f3e9df4774ea66f036f959bd7880
SHA512 aa888f1641bfdf33828caea2b8ed7c8568e1641838286861c6d1ef074f07f31f12560a86825a4abb8885abc83afd7fbbd5aa4da3cecdc25a3d5fa8c95415c190

C:\Windows\SysWOW64\Aadifclh.exe

MD5 6a93d71441bf33e51a7756e6576add15
SHA1 d57da49a39b3e08510c5337147951d7f65873d7e
SHA256 e40b644989d3165f6592c19583b9f57c2fb050348ac04f5deeb1930bd75fde3e
SHA512 3c4eb38a2e70c0d3dd5f92ff57523f68ae93ec52048f49580223f578ff6e82294d5462fb582b963bd2dc777d02067035f7629c95b124f15b8580d8cd08f934ac

C:\Windows\SysWOW64\Balpgb32.exe

MD5 edf242ecbb7ec687fe02fd04dcef5bb2
SHA1 8e0b705aadaff3014c87a5c13baf2495f2b4c44d
SHA256 cdce296cc91e13665858231ac2de6aa952742065e4a0abe1dde0d0ffd369c335
SHA512 da70f084014a35d4b615e4daad17d1fe7284ed52df96a3f65949bc3d1d861d65504b86b49a398e40de64afc0302434363ac48b2e212688471d697012cbebc3c7

C:\Windows\SysWOW64\Cjinkg32.exe

MD5 e4b9e68eb018a468558446fc638c3bef
SHA1 ddc7705ff0a92c763349bfa23b773cb124690b7a
SHA256 06b6ad34b2270a29151edd05c45abd225860417feb8ad9aad5251b814bc41e67
SHA512 583f375aef81b43aa9605ef71764ba26b82abb3b5c9c2566aed7b084574585da3d3c0fb16ca7d355ce99be695892163a69582c6d07fa8c4cc7ab755f2bee57ca

C:\Windows\SysWOW64\Cmqmma32.exe

MD5 b012b7fb2c7fb1e92a5d033389f1dbd2
SHA1 df92869feb7fb82d7af011a1125a2c5f94c50be6
SHA256 a86dec7a0ccc0743e84568bc43de86480f1091e98e5f646f94a8cc05c095168a
SHA512 e64f022983e85b350b3d1e686c66006c02b27035490f127e54887aff7a363e81141029bf11074511bec6c5b82d644c152ef9bf705f2e5f5afa68a80d293f112d

C:\Windows\SysWOW64\Dmjocp32.exe

MD5 02e4dff9f3b735bca43d0e568d9e6aa5
SHA1 db30f5aa18a924a93c251ed2ec704071cefb2100
SHA256 45c31d5b1551e9d34031ef3b17cb3acfcfaefef31375366ea0a1bb9a04ad2c20
SHA512 af0fd544fefccd00d9b22b731e76df1ac397238ae184575291819e313173504b62dc25baf25b1552bb983e895bbb312b51049daf0aa24f4584e98bd2ccd876e9