Malware Analysis Report

2024-10-16 04:32

Sample ID 240601-3acpmaac7z
Target 0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe
SHA256 fd845b7fe9aa1c8d6e2c3f3d315a88aff5ba878847d4d749ad8b6fd1873b2457
Tags backdoor trojan dropper berbew persistence
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

fd845b7fe9aa1c8d6e2c3f3d315a88aff5ba878847d4d749ad8b6fd1873b2457

Threat Level: Known bad

The file 0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

backdoor trojan dropper berbew persistence

Berbew family

Malware Dropper & Backdoor - Berbew

Adds autorun key to be loaded by Explorer.exe on startup

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Program crash

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 23:18

Signatures

Berbew family

berbew

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 23:18

Reported

2024-06-01 23:20

Platform

win7-20240215-en

Max time kernel

146s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dfgmhd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hggomh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Apajlhka.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Afkbib32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ckdjbh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gpmjak32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gelppaof.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Idceea32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dgdmmgpj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ecmkghcl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gobgcg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bkodhe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Chemfl32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hjhhocjj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cngcjo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cdlnkmha.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cljcelan.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dqelenlc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gbijhg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ddeaalpg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dgdmmgpj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eqonkmdh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fjgoce32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Idceea32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eajaoq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Afkbib32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Djnpnc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eajaoq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fioija32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hcplhi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Amndem32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Apcfahio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bdjefj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gbijhg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gddifnbk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hjjddchg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cdlnkmha.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eloemi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fmekoalh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gdamqndn.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hgilchkf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bnpmipql.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bdooajdc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Emeopn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ejbfhfaj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fckjalhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Facdeo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ghfbqn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aalmklfi.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eijcpoac.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fcmgfkeg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hnagjbdf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Amndem32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cgbdhd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eqonkmdh.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eeempocb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ghfbqn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cngcjo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hobcak32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dnlidb32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Egamfkdh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fbgmbg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dflkdp32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hdfflm32.exe N/A

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Qbbfopeg.exe N/A
N/A N/A C:\Windows\SysWOW64\Qmlgonbe.exe N/A
N/A N/A C:\Windows\SysWOW64\Afdlhchf.exe N/A
N/A N/A C:\Windows\SysWOW64\Amndem32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aplpai32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahchbf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aalmklfi.exe N/A
N/A N/A C:\Windows\SysWOW64\Apajlhka.exe N/A
N/A N/A C:\Windows\SysWOW64\Afkbib32.exe N/A
N/A N/A C:\Windows\SysWOW64\Apcfahio.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkodhe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhcdaibd.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnpmipql.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdjefj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bopicc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdooajdc.exe N/A
N/A N/A C:\Windows\SysWOW64\Cngcjo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cljcelan.exe N/A
N/A N/A C:\Windows\SysWOW64\Coklgg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cgbdhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cbkeib32.exe N/A
N/A N/A C:\Windows\SysWOW64\Chemfl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckdjbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdlnkmha.exe N/A
N/A N/A C:\Windows\SysWOW64\Clcflkic.exe N/A
N/A N/A C:\Windows\SysWOW64\Dflkdp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgmglh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqelenlc.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhmcfkme.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgodbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Djnpnc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dbehoa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddcdkl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnlidb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddeaalpg.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgdmmgpj.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfgmhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Doobajme.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgfjbgmh.exe N/A
N/A N/A C:\Windows\SysWOW64\Eqonkmdh.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecmkghcl.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebpkce32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eijcpoac.exe N/A
N/A N/A C:\Windows\SysWOW64\Emeopn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Epdkli32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebbgid32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eeqdep32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ekklaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebedndfa.exe N/A
N/A N/A C:\Windows\SysWOW64\Efppoc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiomkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Egamfkdh.exe N/A
N/A N/A C:\Windows\SysWOW64\Elmigj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Epieghdk.exe N/A
N/A N/A C:\Windows\SysWOW64\Enkece32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eajaoq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eeempocb.exe N/A
N/A N/A C:\Windows\SysWOW64\Eloemi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejbfhfaj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebinic32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fckjalhj.exe N/A
N/A N/A C:\Windows\SysWOW64\Flabbihl.exe N/A
N/A N/A C:\Windows\SysWOW64\Fnpnndgp.exe N/A
N/A N/A C:\Windows\SysWOW64\Fcmgfkeg.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\SysWOW64\Qbbfopeg.exe N/A
N/A N/A C:\Windows\SysWOW64\Qbbfopeg.exe N/A
N/A N/A C:\Windows\SysWOW64\Qmlgonbe.exe N/A
N/A N/A C:\Windows\SysWOW64\Qmlgonbe.exe N/A
N/A N/A C:\Windows\SysWOW64\Afdlhchf.exe N/A
N/A N/A C:\Windows\SysWOW64\Afdlhchf.exe N/A
N/A N/A C:\Windows\SysWOW64\Amndem32.exe N/A
N/A N/A C:\Windows\SysWOW64\Amndem32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aplpai32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aplpai32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahchbf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahchbf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aalmklfi.exe N/A
N/A N/A C:\Windows\SysWOW64\Aalmklfi.exe N/A
N/A N/A C:\Windows\SysWOW64\Apajlhka.exe N/A
N/A N/A C:\Windows\SysWOW64\Apajlhka.exe N/A
N/A N/A C:\Windows\SysWOW64\Afkbib32.exe N/A
N/A N/A C:\Windows\SysWOW64\Afkbib32.exe N/A
N/A N/A C:\Windows\SysWOW64\Apcfahio.exe N/A
N/A N/A C:\Windows\SysWOW64\Apcfahio.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkodhe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkodhe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhcdaibd.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhcdaibd.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnpmipql.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnpmipql.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdjefj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdjefj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bopicc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bopicc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdooajdc.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdooajdc.exe N/A
N/A N/A C:\Windows\SysWOW64\Cngcjo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cngcjo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cljcelan.exe N/A
N/A N/A C:\Windows\SysWOW64\Cljcelan.exe N/A
N/A N/A C:\Windows\SysWOW64\Coklgg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Coklgg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cgbdhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cgbdhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cbkeib32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cbkeib32.exe N/A
N/A N/A C:\Windows\SysWOW64\Chemfl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Chemfl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckdjbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckdjbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdlnkmha.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdlnkmha.exe N/A
N/A N/A C:\Windows\SysWOW64\Clcflkic.exe N/A
N/A N/A C:\Windows\SysWOW64\Clcflkic.exe N/A
N/A N/A C:\Windows\SysWOW64\Dflkdp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dflkdp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgmglh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgmglh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqelenlc.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqelenlc.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhmcfkme.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhmcfkme.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgodbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgodbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Djnpnc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Djnpnc32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Dgfjbgmh.exe C:\Windows\SysWOW64\Doobajme.exe N/A
File opened for modification C:\Windows\SysWOW64\Ebinic32.exe C:\Windows\SysWOW64\Ejbfhfaj.exe N/A
File created C:\Windows\SysWOW64\Gaemjbcg.exe C:\Windows\SysWOW64\Gogangdc.exe N/A
File created C:\Windows\SysWOW64\Bhpdae32.dll C:\Windows\SysWOW64\Hdhbam32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hgilchkf.exe C:\Windows\SysWOW64\Hobcak32.exe N/A
File created C:\Windows\SysWOW64\Ndejjf32.dll C:\Windows\SysWOW64\Amndem32.exe N/A
File created C:\Windows\SysWOW64\Dlcdphdj.dll C:\Windows\SysWOW64\Chemfl32.exe N/A
File created C:\Windows\SysWOW64\Nlbodgap.dll C:\Windows\SysWOW64\Ckdjbh32.exe N/A
File created C:\Windows\SysWOW64\Mkaggelk.dll C:\Windows\SysWOW64\Doobajme.exe N/A
File created C:\Windows\SysWOW64\Eqonkmdh.exe C:\Windows\SysWOW64\Dgfjbgmh.exe N/A
File opened for modification C:\Windows\SysWOW64\Eajaoq32.exe C:\Windows\SysWOW64\Enkece32.exe N/A
File created C:\Windows\SysWOW64\Nokeef32.dll C:\Windows\SysWOW64\Hnagjbdf.exe N/A
File created C:\Windows\SysWOW64\Ahchbf32.exe C:\Windows\SysWOW64\Aplpai32.exe N/A
File opened for modification C:\Windows\SysWOW64\Afkbib32.exe C:\Windows\SysWOW64\Apajlhka.exe N/A
File opened for modification C:\Windows\SysWOW64\Dgdmmgpj.exe C:\Windows\SysWOW64\Ddeaalpg.exe N/A
File created C:\Windows\SysWOW64\Dfgmhd32.exe C:\Windows\SysWOW64\Dgdmmgpj.exe N/A
File created C:\Windows\SysWOW64\Fmekoalh.exe C:\Windows\SysWOW64\Fjgoce32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gobgcg32.exe C:\Windows\SysWOW64\Gbkgnfbd.exe N/A
File created C:\Windows\SysWOW64\Qoflni32.dll C:\Windows\SysWOW64\Cgbdhd32.exe N/A
File created C:\Windows\SysWOW64\Fglhobmg.dll C:\Windows\SysWOW64\Dgmglh32.exe N/A
File created C:\Windows\SysWOW64\Emeopn32.exe C:\Windows\SysWOW64\Eijcpoac.exe N/A
File created C:\Windows\SysWOW64\Eeqdep32.exe C:\Windows\SysWOW64\Ebbgid32.exe N/A
File created C:\Windows\SysWOW64\Eiomkn32.exe C:\Windows\SysWOW64\Efppoc32.exe N/A
File created C:\Windows\SysWOW64\Ejbfhfaj.exe C:\Windows\SysWOW64\Eloemi32.exe N/A
File created C:\Windows\SysWOW64\Lnnhje32.dll C:\Windows\SysWOW64\Globlmmj.exe N/A
File opened for modification C:\Windows\SysWOW64\Hjhhocjj.exe C:\Windows\SysWOW64\Hgilchkf.exe N/A
File opened for modification C:\Windows\SysWOW64\Dgmglh32.exe C:\Windows\SysWOW64\Dflkdp32.exe N/A
File created C:\Windows\SysWOW64\Dnlidb32.exe C:\Windows\SysWOW64\Ddcdkl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hhmepp32.exe C:\Windows\SysWOW64\Hjjddchg.exe N/A
File created C:\Windows\SysWOW64\Ojhcelga.dll C:\Windows\SysWOW64\Hhmepp32.exe N/A
File created C:\Windows\SysWOW64\Aalmklfi.exe C:\Windows\SysWOW64\Ahchbf32.exe N/A
File created C:\Windows\SysWOW64\Fcmgfkeg.exe C:\Windows\SysWOW64\Fnpnndgp.exe N/A
File created C:\Windows\SysWOW64\Ddgkcd32.dll C:\Windows\SysWOW64\Dqelenlc.exe N/A
File opened for modification C:\Windows\SysWOW64\Djnpnc32.exe C:\Windows\SysWOW64\Dgodbh32.exe N/A
File created C:\Windows\SysWOW64\Ecmkghcl.exe C:\Windows\SysWOW64\Eqonkmdh.exe N/A
File opened for modification C:\Windows\SysWOW64\Gpmjak32.exe C:\Windows\SysWOW64\Ghfbqn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bkodhe32.exe C:\Windows\SysWOW64\Apcfahio.exe N/A
File opened for modification C:\Windows\SysWOW64\Bdjefj32.exe C:\Windows\SysWOW64\Bnpmipql.exe N/A
File opened for modification C:\Windows\SysWOW64\Epieghdk.exe C:\Windows\SysWOW64\Elmigj32.exe N/A
File created C:\Windows\SysWOW64\Hpapln32.exe C:\Windows\SysWOW64\Hjhhocjj.exe N/A
File opened for modification C:\Windows\SysWOW64\Bopicc32.exe C:\Windows\SysWOW64\Bdjefj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Coklgg32.exe C:\Windows\SysWOW64\Cljcelan.exe N/A
File opened for modification C:\Windows\SysWOW64\Hjjddchg.exe C:\Windows\SysWOW64\Hcplhi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Eeqdep32.exe C:\Windows\SysWOW64\Ebbgid32.exe N/A
File created C:\Windows\SysWOW64\Ebedndfa.exe C:\Windows\SysWOW64\Ekklaj32.exe N/A
File created C:\Windows\SysWOW64\Pheafa32.dll C:\Windows\SysWOW64\Cbkeib32.exe N/A
File created C:\Windows\SysWOW64\Cdlnkmha.exe C:\Windows\SysWOW64\Ckdjbh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Apajlhka.exe C:\Windows\SysWOW64\Aalmklfi.exe N/A
File created C:\Windows\SysWOW64\Bkodhe32.exe C:\Windows\SysWOW64\Apcfahio.exe N/A
File created C:\Windows\SysWOW64\Iklgpmjo.dll C:\Windows\SysWOW64\Bdooajdc.exe N/A
File created C:\Windows\SysWOW64\Lpdhmlbj.dll C:\Windows\SysWOW64\Elmigj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fckjalhj.exe C:\Windows\SysWOW64\Ebinic32.exe N/A
File created C:\Windows\SysWOW64\Gbkgnfbd.exe C:\Windows\SysWOW64\Gpmjak32.exe N/A
File created C:\Windows\SysWOW64\Qbbfopeg.exe C:\Users\Admin\AppData\Local\Temp\0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Ipghqomc.dll C:\Windows\SysWOW64\Afdlhchf.exe N/A
File created C:\Windows\SysWOW64\Jondlhmp.dll C:\Windows\SysWOW64\Gelppaof.exe N/A
File created C:\Windows\SysWOW64\Hgilchkf.exe C:\Windows\SysWOW64\Hobcak32.exe N/A
File created C:\Windows\SysWOW64\Gbijhg32.exe C:\Windows\SysWOW64\Globlmmj.exe N/A
File opened for modification C:\Windows\SysWOW64\Chemfl32.exe C:\Windows\SysWOW64\Cbkeib32.exe N/A
File created C:\Windows\SysWOW64\Globlmmj.exe C:\Windows\SysWOW64\Fiaeoang.exe N/A
File opened for modification C:\Windows\SysWOW64\Dfgmhd32.exe C:\Windows\SysWOW64\Dgdmmgpj.exe N/A
File created C:\Windows\SysWOW64\Efppoc32.exe C:\Windows\SysWOW64\Ebedndfa.exe N/A
File opened for modification C:\Windows\SysWOW64\Elmigj32.exe C:\Windows\SysWOW64\Egamfkdh.exe N/A
File created C:\Windows\SysWOW64\Eajaoq32.exe C:\Windows\SysWOW64\Enkece32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Iagfoe32.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhekfh32.dll" C:\Windows\SysWOW64\Ahchbf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcbndm32.dll" C:\Windows\SysWOW64\Dflkdp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fglhobmg.dll" C:\Windows\SysWOW64\Dgmglh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Elmigj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Enkece32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Afkbib32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pheafa32.dll" C:\Windows\SysWOW64\Cbkeib32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdoik32.dll" C:\Windows\SysWOW64\Ecmkghcl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egdnbg32.dll" C:\Windows\SysWOW64\Eijcpoac.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Eiomkn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Eloemi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhaablp.dll" C:\Windows\SysWOW64\Hjjddchg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dqelenlc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Doobajme.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Emeopn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Eiomkn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lonkjenl.dll" C:\Windows\SysWOW64\Eajaoq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkamkfgh.dll" C:\Windows\SysWOW64\Fhkpmjln.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hdfflm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hdhbam32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkjecnop.dll" C:\Windows\SysWOW64\Bhcdaibd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ognnoaka.dll" C:\Windows\SysWOW64\Cngcjo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkaggelk.dll" C:\Windows\SysWOW64\Doobajme.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Elmigj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lponfjoo.dll" C:\Windows\SysWOW64\Hpapln32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Afkbib32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Egamfkdh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enlbgc32.dll" C:\Windows\SysWOW64\Hggomh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ghmiam32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfabenjd.dll" C:\Windows\SysWOW64\Gaemjbcg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gaemjbcg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hkpnhgge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qbbfopeg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hecjkifm.dll" C:\Windows\SysWOW64\Ddcdkl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikkbnm32.dll" C:\Windows\SysWOW64\Fpdhklkl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghqknigk.dll" C:\Windows\SysWOW64\Facdeo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} C:\Users\Admin\AppData\Local\Temp\0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aplpai32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fmekoalh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fioija32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maphhihi.dll" C:\Windows\SysWOW64\Eeqdep32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fpdhklkl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpfgi32.dll" C:\Windows\SysWOW64\Gbijhg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jondlhmp.dll" C:\Windows\SysWOW64\Gelppaof.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndejjf32.dll" C:\Windows\SysWOW64\Amndem32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Amndem32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bdooajdc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Clcflkic.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipghqomc.dll" C:\Windows\SysWOW64\Afdlhchf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Flabbihl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fpdhklkl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gogangdc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cngcjo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glpjaf32.dll" C:\Windows\SysWOW64\Emeopn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Epieghdk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bccnbmal.dll" C:\Windows\SysWOW64\Fmekoalh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgqjffca.dll" C:\Windows\SysWOW64\Ebpkce32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Eeqdep32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbolehjh.dll" C:\Windows\SysWOW64\Ebedndfa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hjhhocjj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cgbdhd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dhmcfkme.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ddeaalpg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dfgmhd32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2484 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe C:\Windows\SysWOW64\Qbbfopeg.exe
PID 2484 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe C:\Windows\SysWOW64\Qbbfopeg.exe
PID 2484 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe C:\Windows\SysWOW64\Qbbfopeg.exe
PID 2484 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe C:\Windows\SysWOW64\Qbbfopeg.exe
PID 2724 wrote to memory of 2612 N/A C:\Windows\SysWOW64\Qbbfopeg.exe C:\Windows\SysWOW64\Qmlgonbe.exe
PID 2724 wrote to memory of 2612 N/A C:\Windows\SysWOW64\Qbbfopeg.exe C:\Windows\SysWOW64\Qmlgonbe.exe
PID 2724 wrote to memory of 2612 N/A C:\Windows\SysWOW64\Qbbfopeg.exe C:\Windows\SysWOW64\Qmlgonbe.exe
PID 2724 wrote to memory of 2612 N/A C:\Windows\SysWOW64\Qbbfopeg.exe C:\Windows\SysWOW64\Qmlgonbe.exe
PID 2612 wrote to memory of 3032 N/A C:\Windows\SysWOW64\Qmlgonbe.exe C:\Windows\SysWOW64\Afdlhchf.exe
PID 2612 wrote to memory of 3032 N/A C:\Windows\SysWOW64\Qmlgonbe.exe C:\Windows\SysWOW64\Afdlhchf.exe
PID 2612 wrote to memory of 3032 N/A C:\Windows\SysWOW64\Qmlgonbe.exe C:\Windows\SysWOW64\Afdlhchf.exe
PID 2612 wrote to memory of 3032 N/A C:\Windows\SysWOW64\Qmlgonbe.exe C:\Windows\SysWOW64\Afdlhchf.exe
PID 3032 wrote to memory of 2792 N/A C:\Windows\SysWOW64\Afdlhchf.exe C:\Windows\SysWOW64\Amndem32.exe
PID 3032 wrote to memory of 2792 N/A C:\Windows\SysWOW64\Afdlhchf.exe C:\Windows\SysWOW64\Amndem32.exe
PID 3032 wrote to memory of 2792 N/A C:\Windows\SysWOW64\Afdlhchf.exe C:\Windows\SysWOW64\Amndem32.exe
PID 3032 wrote to memory of 2792 N/A C:\Windows\SysWOW64\Afdlhchf.exe C:\Windows\SysWOW64\Amndem32.exe
PID 2792 wrote to memory of 2396 N/A C:\Windows\SysWOW64\Amndem32.exe C:\Windows\SysWOW64\Aplpai32.exe
PID 2792 wrote to memory of 2396 N/A C:\Windows\SysWOW64\Amndem32.exe C:\Windows\SysWOW64\Aplpai32.exe
PID 2792 wrote to memory of 2396 N/A C:\Windows\SysWOW64\Amndem32.exe C:\Windows\SysWOW64\Aplpai32.exe
PID 2792 wrote to memory of 2396 N/A C:\Windows\SysWOW64\Amndem32.exe C:\Windows\SysWOW64\Aplpai32.exe
PID 2396 wrote to memory of 2460 N/A C:\Windows\SysWOW64\Aplpai32.exe C:\Windows\SysWOW64\Ahchbf32.exe
PID 2396 wrote to memory of 2460 N/A C:\Windows\SysWOW64\Aplpai32.exe C:\Windows\SysWOW64\Ahchbf32.exe
PID 2396 wrote to memory of 2460 N/A C:\Windows\SysWOW64\Aplpai32.exe C:\Windows\SysWOW64\Ahchbf32.exe
PID 2396 wrote to memory of 2460 N/A C:\Windows\SysWOW64\Aplpai32.exe C:\Windows\SysWOW64\Ahchbf32.exe
PID 2460 wrote to memory of 2640 N/A C:\Windows\SysWOW64\Ahchbf32.exe C:\Windows\SysWOW64\Aalmklfi.exe
PID 2460 wrote to memory of 2640 N/A C:\Windows\SysWOW64\Ahchbf32.exe C:\Windows\SysWOW64\Aalmklfi.exe
PID 2460 wrote to memory of 2640 N/A C:\Windows\SysWOW64\Ahchbf32.exe C:\Windows\SysWOW64\Aalmklfi.exe
PID 2460 wrote to memory of 2640 N/A C:\Windows\SysWOW64\Ahchbf32.exe C:\Windows\SysWOW64\Aalmklfi.exe
PID 2640 wrote to memory of 2772 N/A C:\Windows\SysWOW64\Aalmklfi.exe C:\Windows\SysWOW64\Apajlhka.exe
PID 2640 wrote to memory of 2772 N/A C:\Windows\SysWOW64\Aalmklfi.exe C:\Windows\SysWOW64\Apajlhka.exe
PID 2640 wrote to memory of 2772 N/A C:\Windows\SysWOW64\Aalmklfi.exe C:\Windows\SysWOW64\Apajlhka.exe
PID 2640 wrote to memory of 2772 N/A C:\Windows\SysWOW64\Aalmklfi.exe C:\Windows\SysWOW64\Apajlhka.exe
PID 2772 wrote to memory of 1876 N/A C:\Windows\SysWOW64\Apajlhka.exe C:\Windows\SysWOW64\Afkbib32.exe
PID 2772 wrote to memory of 1876 N/A C:\Windows\SysWOW64\Apajlhka.exe C:\Windows\SysWOW64\Afkbib32.exe
PID 2772 wrote to memory of 1876 N/A C:\Windows\SysWOW64\Apajlhka.exe C:\Windows\SysWOW64\Afkbib32.exe
PID 2772 wrote to memory of 1876 N/A C:\Windows\SysWOW64\Apajlhka.exe C:\Windows\SysWOW64\Afkbib32.exe
PID 1876 wrote to memory of 2372 N/A C:\Windows\SysWOW64\Afkbib32.exe C:\Windows\SysWOW64\Apcfahio.exe
PID 1876 wrote to memory of 2372 N/A C:\Windows\SysWOW64\Afkbib32.exe C:\Windows\SysWOW64\Apcfahio.exe
PID 1876 wrote to memory of 2372 N/A C:\Windows\SysWOW64\Afkbib32.exe C:\Windows\SysWOW64\Apcfahio.exe
PID 1876 wrote to memory of 2372 N/A C:\Windows\SysWOW64\Afkbib32.exe C:\Windows\SysWOW64\Apcfahio.exe
PID 2372 wrote to memory of 1284 N/A C:\Windows\SysWOW64\Apcfahio.exe C:\Windows\SysWOW64\Bkodhe32.exe
PID 2372 wrote to memory of 1284 N/A C:\Windows\SysWOW64\Apcfahio.exe C:\Windows\SysWOW64\Bkodhe32.exe
PID 2372 wrote to memory of 1284 N/A C:\Windows\SysWOW64\Apcfahio.exe C:\Windows\SysWOW64\Bkodhe32.exe
PID 2372 wrote to memory of 1284 N/A C:\Windows\SysWOW64\Apcfahio.exe C:\Windows\SysWOW64\Bkodhe32.exe
PID 1284 wrote to memory of 2888 N/A C:\Windows\SysWOW64\Bkodhe32.exe C:\Windows\SysWOW64\Bhcdaibd.exe
PID 1284 wrote to memory of 2888 N/A C:\Windows\SysWOW64\Bkodhe32.exe C:\Windows\SysWOW64\Bhcdaibd.exe
PID 1284 wrote to memory of 2888 N/A C:\Windows\SysWOW64\Bkodhe32.exe C:\Windows\SysWOW64\Bhcdaibd.exe
PID 1284 wrote to memory of 2888 N/A C:\Windows\SysWOW64\Bkodhe32.exe C:\Windows\SysWOW64\Bhcdaibd.exe
PID 2888 wrote to memory of 2288 N/A C:\Windows\SysWOW64\Bhcdaibd.exe C:\Windows\SysWOW64\Bnpmipql.exe
PID 2888 wrote to memory of 2288 N/A C:\Windows\SysWOW64\Bhcdaibd.exe C:\Windows\SysWOW64\Bnpmipql.exe
PID 2888 wrote to memory of 2288 N/A C:\Windows\SysWOW64\Bhcdaibd.exe C:\Windows\SysWOW64\Bnpmipql.exe
PID 2888 wrote to memory of 2288 N/A C:\Windows\SysWOW64\Bhcdaibd.exe C:\Windows\SysWOW64\Bnpmipql.exe
PID 2288 wrote to memory of 536 N/A C:\Windows\SysWOW64\Bnpmipql.exe C:\Windows\SysWOW64\Bdjefj32.exe
PID 2288 wrote to memory of 536 N/A C:\Windows\SysWOW64\Bnpmipql.exe C:\Windows\SysWOW64\Bdjefj32.exe
PID 2288 wrote to memory of 536 N/A C:\Windows\SysWOW64\Bnpmipql.exe C:\Windows\SysWOW64\Bdjefj32.exe
PID 2288 wrote to memory of 536 N/A C:\Windows\SysWOW64\Bnpmipql.exe C:\Windows\SysWOW64\Bdjefj32.exe
PID 536 wrote to memory of 600 N/A C:\Windows\SysWOW64\Bdjefj32.exe C:\Windows\SysWOW64\Bopicc32.exe
PID 536 wrote to memory of 600 N/A C:\Windows\SysWOW64\Bdjefj32.exe C:\Windows\SysWOW64\Bopicc32.exe
PID 536 wrote to memory of 600 N/A C:\Windows\SysWOW64\Bdjefj32.exe C:\Windows\SysWOW64\Bopicc32.exe
PID 536 wrote to memory of 600 N/A C:\Windows\SysWOW64\Bdjefj32.exe C:\Windows\SysWOW64\Bopicc32.exe
PID 600 wrote to memory of 2924 N/A C:\Windows\SysWOW64\Bopicc32.exe C:\Windows\SysWOW64\Bdooajdc.exe
PID 600 wrote to memory of 2924 N/A C:\Windows\SysWOW64\Bopicc32.exe C:\Windows\SysWOW64\Bdooajdc.exe
PID 600 wrote to memory of 2924 N/A C:\Windows\SysWOW64\Bopicc32.exe C:\Windows\SysWOW64\Bdooajdc.exe
PID 600 wrote to memory of 2924 N/A C:\Windows\SysWOW64\Bopicc32.exe C:\Windows\SysWOW64\Bdooajdc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Qbbfopeg.exe

C:\Windows\system32\Qbbfopeg.exe

C:\Windows\SysWOW64\Qmlgonbe.exe

C:\Windows\system32\Qmlgonbe.exe

C:\Windows\SysWOW64\Afdlhchf.exe

C:\Windows\system32\Afdlhchf.exe

C:\Windows\SysWOW64\Amndem32.exe

C:\Windows\system32\Amndem32.exe

C:\Windows\SysWOW64\Aplpai32.exe

C:\Windows\system32\Aplpai32.exe

C:\Windows\SysWOW64\Ahchbf32.exe

C:\Windows\system32\Ahchbf32.exe

C:\Windows\SysWOW64\Aalmklfi.exe

C:\Windows\system32\Aalmklfi.exe

C:\Windows\SysWOW64\Apajlhka.exe

C:\Windows\system32\Apajlhka.exe

C:\Windows\SysWOW64\Afkbib32.exe

C:\Windows\system32\Afkbib32.exe

C:\Windows\SysWOW64\Apcfahio.exe

C:\Windows\system32\Apcfahio.exe

C:\Windows\SysWOW64\Bkodhe32.exe

C:\Windows\system32\Bkodhe32.exe

C:\Windows\SysWOW64\Bhcdaibd.exe

C:\Windows\system32\Bhcdaibd.exe

C:\Windows\SysWOW64\Bnpmipql.exe

C:\Windows\system32\Bnpmipql.exe

C:\Windows\SysWOW64\Bdjefj32.exe

C:\Windows\system32\Bdjefj32.exe

C:\Windows\SysWOW64\Bopicc32.exe

C:\Windows\system32\Bopicc32.exe

C:\Windows\SysWOW64\Bdooajdc.exe

C:\Windows\system32\Bdooajdc.exe

C:\Windows\SysWOW64\Cngcjo32.exe

C:\Windows\system32\Cngcjo32.exe

C:\Windows\SysWOW64\Cljcelan.exe

C:\Windows\system32\Cljcelan.exe

C:\Windows\SysWOW64\Coklgg32.exe

C:\Windows\system32\Coklgg32.exe

C:\Windows\SysWOW64\Cgbdhd32.exe

C:\Windows\system32\Cgbdhd32.exe

C:\Windows\SysWOW64\Cbkeib32.exe

C:\Windows\system32\Cbkeib32.exe

C:\Windows\SysWOW64\Chemfl32.exe

C:\Windows\system32\Chemfl32.exe

C:\Windows\SysWOW64\Ckdjbh32.exe

C:\Windows\system32\Ckdjbh32.exe

C:\Windows\SysWOW64\Cdlnkmha.exe

C:\Windows\system32\Cdlnkmha.exe

C:\Windows\SysWOW64\Clcflkic.exe

C:\Windows\system32\Clcflkic.exe

C:\Windows\SysWOW64\Dflkdp32.exe

C:\Windows\system32\Dflkdp32.exe

C:\Windows\SysWOW64\Dgmglh32.exe

C:\Windows\system32\Dgmglh32.exe

C:\Windows\SysWOW64\Dqelenlc.exe

C:\Windows\system32\Dqelenlc.exe

C:\Windows\SysWOW64\Dhmcfkme.exe

C:\Windows\system32\Dhmcfkme.exe

C:\Windows\SysWOW64\Dgodbh32.exe

C:\Windows\system32\Dgodbh32.exe

C:\Windows\SysWOW64\Djnpnc32.exe

C:\Windows\system32\Djnpnc32.exe

C:\Windows\SysWOW64\Dbehoa32.exe

C:\Windows\system32\Dbehoa32.exe

C:\Windows\SysWOW64\Ddcdkl32.exe

C:\Windows\system32\Ddcdkl32.exe

C:\Windows\SysWOW64\Dnlidb32.exe

C:\Windows\system32\Dnlidb32.exe

C:\Windows\SysWOW64\Ddeaalpg.exe

C:\Windows\system32\Ddeaalpg.exe

C:\Windows\SysWOW64\Dgdmmgpj.exe

C:\Windows\system32\Dgdmmgpj.exe

C:\Windows\SysWOW64\Dfgmhd32.exe

C:\Windows\system32\Dfgmhd32.exe

C:\Windows\SysWOW64\Doobajme.exe

C:\Windows\system32\Doobajme.exe

C:\Windows\SysWOW64\Dgfjbgmh.exe

C:\Windows\system32\Dgfjbgmh.exe

C:\Windows\SysWOW64\Eqonkmdh.exe

C:\Windows\system32\Eqonkmdh.exe

C:\Windows\SysWOW64\Ecmkghcl.exe

C:\Windows\system32\Ecmkghcl.exe

C:\Windows\SysWOW64\Ebpkce32.exe

C:\Windows\system32\Ebpkce32.exe

C:\Windows\SysWOW64\Eijcpoac.exe

C:\Windows\system32\Eijcpoac.exe

C:\Windows\SysWOW64\Emeopn32.exe

C:\Windows\system32\Emeopn32.exe

C:\Windows\SysWOW64\Epdkli32.exe

C:\Windows\system32\Epdkli32.exe

C:\Windows\SysWOW64\Ebbgid32.exe

C:\Windows\system32\Ebbgid32.exe

C:\Windows\SysWOW64\Eeqdep32.exe

C:\Windows\system32\Eeqdep32.exe

C:\Windows\SysWOW64\Ekklaj32.exe

C:\Windows\system32\Ekklaj32.exe

C:\Windows\SysWOW64\Ebedndfa.exe

C:\Windows\system32\Ebedndfa.exe

C:\Windows\SysWOW64\Efppoc32.exe

C:\Windows\system32\Efppoc32.exe

C:\Windows\SysWOW64\Eiomkn32.exe

C:\Windows\system32\Eiomkn32.exe

C:\Windows\SysWOW64\Egamfkdh.exe

C:\Windows\system32\Egamfkdh.exe

C:\Windows\SysWOW64\Elmigj32.exe

C:\Windows\system32\Elmigj32.exe

C:\Windows\SysWOW64\Epieghdk.exe

C:\Windows\system32\Epieghdk.exe

C:\Windows\SysWOW64\Enkece32.exe

C:\Windows\system32\Enkece32.exe

C:\Windows\SysWOW64\Eajaoq32.exe

C:\Windows\system32\Eajaoq32.exe

C:\Windows\SysWOW64\Eeempocb.exe

C:\Windows\system32\Eeempocb.exe

C:\Windows\SysWOW64\Eloemi32.exe

C:\Windows\system32\Eloemi32.exe

C:\Windows\SysWOW64\Ejbfhfaj.exe

C:\Windows\system32\Ejbfhfaj.exe

C:\Windows\SysWOW64\Ebinic32.exe

C:\Windows\system32\Ebinic32.exe

C:\Windows\SysWOW64\Fckjalhj.exe

C:\Windows\system32\Fckjalhj.exe

C:\Windows\SysWOW64\Flabbihl.exe

C:\Windows\system32\Flabbihl.exe

C:\Windows\SysWOW64\Fnpnndgp.exe

C:\Windows\system32\Fnpnndgp.exe

C:\Windows\SysWOW64\Fcmgfkeg.exe

C:\Windows\system32\Fcmgfkeg.exe

C:\Windows\SysWOW64\Fjgoce32.exe

C:\Windows\system32\Fjgoce32.exe

C:\Windows\SysWOW64\Fmekoalh.exe

C:\Windows\system32\Fmekoalh.exe

C:\Windows\SysWOW64\Fpdhklkl.exe

C:\Windows\system32\Fpdhklkl.exe

C:\Windows\SysWOW64\Fhkpmjln.exe

C:\Windows\system32\Fhkpmjln.exe

C:\Windows\SysWOW64\Facdeo32.exe

C:\Windows\system32\Facdeo32.exe

C:\Windows\SysWOW64\Fioija32.exe

C:\Windows\system32\Fioija32.exe

C:\Windows\SysWOW64\Fphafl32.exe

C:\Windows\system32\Fphafl32.exe

C:\Windows\SysWOW64\Fbgmbg32.exe

C:\Windows\system32\Fbgmbg32.exe

C:\Windows\SysWOW64\Fiaeoang.exe

C:\Windows\system32\Fiaeoang.exe

C:\Windows\SysWOW64\Globlmmj.exe

C:\Windows\system32\Globlmmj.exe

C:\Windows\SysWOW64\Gbijhg32.exe

C:\Windows\system32\Gbijhg32.exe

C:\Windows\SysWOW64\Ghfbqn32.exe

C:\Windows\system32\Ghfbqn32.exe

C:\Windows\SysWOW64\Gpmjak32.exe

C:\Windows\system32\Gpmjak32.exe

C:\Windows\SysWOW64\Gbkgnfbd.exe

C:\Windows\system32\Gbkgnfbd.exe

C:\Windows\SysWOW64\Gobgcg32.exe

C:\Windows\system32\Gobgcg32.exe

C:\Windows\SysWOW64\Gelppaof.exe

C:\Windows\system32\Gelppaof.exe

C:\Windows\SysWOW64\Gdamqndn.exe

C:\Windows\system32\Gdamqndn.exe

C:\Windows\SysWOW64\Ghmiam32.exe

C:\Windows\system32\Ghmiam32.exe

C:\Windows\SysWOW64\Gogangdc.exe

C:\Windows\system32\Gogangdc.exe

C:\Windows\SysWOW64\Gaemjbcg.exe

C:\Windows\system32\Gaemjbcg.exe

C:\Windows\SysWOW64\Gddifnbk.exe

C:\Windows\system32\Gddifnbk.exe

C:\Windows\SysWOW64\Hgbebiao.exe

C:\Windows\system32\Hgbebiao.exe

C:\Windows\SysWOW64\Hdfflm32.exe

C:\Windows\system32\Hdfflm32.exe

C:\Windows\SysWOW64\Hkpnhgge.exe

C:\Windows\system32\Hkpnhgge.exe

C:\Windows\SysWOW64\Hnojdcfi.exe

C:\Windows\system32\Hnojdcfi.exe

C:\Windows\SysWOW64\Hdhbam32.exe

C:\Windows\system32\Hdhbam32.exe

C:\Windows\SysWOW64\Hggomh32.exe

C:\Windows\system32\Hggomh32.exe

C:\Windows\SysWOW64\Hnagjbdf.exe

C:\Windows\system32\Hnagjbdf.exe

C:\Windows\SysWOW64\Hobcak32.exe

C:\Windows\system32\Hobcak32.exe

C:\Windows\SysWOW64\Hgilchkf.exe

C:\Windows\system32\Hgilchkf.exe

C:\Windows\SysWOW64\Hjhhocjj.exe

C:\Windows\system32\Hjhhocjj.exe

C:\Windows\SysWOW64\Hpapln32.exe

C:\Windows\system32\Hpapln32.exe

C:\Windows\SysWOW64\Hcplhi32.exe

C:\Windows\system32\Hcplhi32.exe

C:\Windows\SysWOW64\Hjjddchg.exe

C:\Windows\system32\Hjjddchg.exe

C:\Windows\SysWOW64\Hhmepp32.exe

C:\Windows\system32\Hhmepp32.exe

C:\Windows\SysWOW64\Hogmmjfo.exe

C:\Windows\system32\Hogmmjfo.exe

C:\Windows\SysWOW64\Ieqeidnl.exe

C:\Windows\system32\Ieqeidnl.exe

C:\Windows\SysWOW64\Idceea32.exe

C:\Windows\system32\Idceea32.exe

C:\Windows\SysWOW64\Iagfoe32.exe

C:\Windows\system32\Iagfoe32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 140

Network

N/A

Files

memory/2484-0-0x0000000000400000-0x0000000000433000-memory.dmp

\Windows\SysWOW64\Qbbfopeg.exe

MD5 674fddc98e79f3891427fd78d608cad4
SHA1 b10ea40980c6f90ae08d32565993924a2c37a19c
SHA256 1879e4586a231f818477dd8ad6d7988e8e312ef49815043e3fa8d6bea986d0ac
SHA512 56402ba06e2efb04fe0f6ee647221348f393b51cbe605768069ab240231a30233f21ea8c89e15fc3d50a501224d5ea4ac7ce3bcee028d7bf84e607987233904f

memory/2484-6-0x0000000000440000-0x0000000000473000-memory.dmp

memory/2484-13-0x0000000000440000-0x0000000000473000-memory.dmp

\Windows\SysWOW64\Qmlgonbe.exe

MD5 49956f9593def930e2780f3ffa6730b7
SHA1 878819a3961af493f0e1d4080d8d007c6c42aaae
SHA256 93d7c6257009d525117a27f0bf7899a733c39bc53ae06f993db821eea5d8454e
SHA512 e1b5ba6092faf12657cd60d7c342e0b4702f2183af263c060cf8ed4035751e99fd6d84141552e6f4f7322e0ed670bade1f0b9c5f3e81965f8bd079e6b278d4b3

memory/2724-26-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2612-28-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2724-27-0x0000000000250000-0x0000000000283000-memory.dmp

\Windows\SysWOW64\Amndem32.exe

MD5 9329fcd4c04560d36770aa72db479d58
SHA1 f7cea5852ee8a373246698c801ecb4796248ccc4
SHA256 055a50e3f3a9ca1d3987e5276c48cd25b50ab6c94f983a5d62fcad6806a1b3a7
SHA512 d55d9b8b96926b24ee82968009d233107531145d555e0e457528862fed70213115e6cd90415aeac9eb3a7da4e73bc8176e9cb181f1150d6fc53fd54ba02f655c

C:\Windows\SysWOW64\Aplpai32.exe

MD5 2ecc0eb650ef9f64bd3dcd9fffb63df2
SHA1 643213f49d53c3e8bca582ecc2820fd2e6732834
SHA256 028b201f56f5e81612338936877846fb1963c997db49518042dce289a3998a52
SHA512 24438c9756f82a5a8fd0f60e4ca4360ef7f9cd99e53f3ec2196fb2c48f479a2ed4c0462b920c82ea92c82399ba80ce4b6c6261253206365cec1fd09422a5df4c

C:\Windows\SysWOW64\Ahchbf32.exe

MD5 a3eb50ee36547a03999c183573a8c792
SHA1 73ae18cdd6f9018a3b6694d0d0a40dc07feef34a
SHA256 008061c0c44d364545f3c135c48d94c9f9f0041429c9afba67460ada30d22938
SHA512 d7c9a3eeb6285fa1d72cb1319fb9a73c5ea20f040ecd657fefca56594433c74c6b78d1624a5d859c16078f18394ef67395b052c853f474a65aacf28653175b92

memory/2460-94-0x0000000000440000-0x0000000000473000-memory.dmp

memory/2640-100-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Aalmklfi.exe

MD5 f4c202df7b472fd81c5e8e15d51ecb00
SHA1 a7633e2282d471e99c88d900534aba31fd152ba1
SHA256 f2a51122f1908dd6aead8893a0c3085413c274b367c0ba68f1ae66c6d89f54ac
SHA512 4c845e6a471260fbadc723b7949638b978e06ee2441fd2a8962ed467395963c309f527e47dfa103c6ed227a8a9908ccdae0d083da4cfc1c255c22ab941039f53

memory/2772-114-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Apajlhka.exe

MD5 018e29d91013801bfce6ea58fc41250d
SHA1 8d1648145084337d9f558157ebf6e1f6f9f642d8
SHA256 d70c881c378300eb5951da764d3ff02d154b73518b6f8e762c660dfc8ec2528e
SHA512 1685b5abd2cbeed3c676d70c8c1170c0875b31c66de2247b647f15e91902d505185bc2718fd747568f8f09927204fc568ea11d30d03a29bd36520e39d964a8c5

\Windows\SysWOW64\Afkbib32.exe

MD5 0bcb5880250f19c01a6bc42aa0db38b1
SHA1 4f85684bb3b5f9346ef4391f2ddb36193107cad2
SHA256 c5e3d0cc5221853af2b84ae1a76209fa2f2c3ddf8997675f0a21bbaef52986ee
SHA512 ea5f803389bc453913ff9589db2996b7579027eac60cb28f8b50780d21380bf03919f156f1a3548d073b98006870ca2e4041dcc9d3f1466a8508e0f208470da4

\Windows\SysWOW64\Apcfahio.exe

MD5 b3c0f20d46247e11eb330b3d33fb55ee
SHA1 70adb78abc5655249898e7afb66272cdfcc966d9
SHA256 eb1e78f91eda5132fe13c84ff8519e2a383b9bbf1f658db2f4e3aafd20be1b1c
SHA512 d2ae407526314e0ac8a7f6028ba7947395196566275e026a0478f4aa62f7f489f57f4a9a154cdfd8f69a3f1de0c693c231209c872eb402f1167984989fa0e7ed

memory/2372-143-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1876-142-0x0000000000440000-0x0000000000473000-memory.dmp

memory/1876-141-0x0000000000440000-0x0000000000473000-memory.dmp

memory/1876-133-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2772-127-0x00000000002D0000-0x0000000000303000-memory.dmp

C:\Windows\SysWOW64\Bkodhe32.exe

MD5 c51a0f194d6e7b76c396b2d20f26c3d7
SHA1 9a90fb22e9eab02cf8f438f95bbf0d599c7fd9b3
SHA256 27a90db5bc1199ec2bdc2e2a9b097235e086718493aca8a39b352d6365595cb7
SHA512 6b709fce8071f43fb25db26635e6b6a3218862c5da0ab4087f2bc08390cb1ba9604bd5b94bc51680d41d8a27174a1d77efde00a5fe9b7706fdaa6a12eb2cf39c

C:\Windows\SysWOW64\Bhcdaibd.exe

MD5 261591f3dcd6b319385ba81130051526
SHA1 ce768a9b56fe6f88e57f17ac0a4ea6143a1552e1
SHA256 535ff05fbecf47cd717d084361840fb49a497f4bcc1dcaa5881c381d6193e086
SHA512 5fecaad1ecfe99cb7d9a4d074a5cb38d56723a0a6ca84f4d6ca96e98813d1adde17ba367c859450dee6d4fc889e51149fd7aa91582285dba6222bf63cd89c582

memory/2288-189-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Bdjefj32.exe

MD5 e64b6bf3ae7b8cc1cd3e98f711f3fafb
SHA1 7b00e6102e01a8f9dee230889679d2d221354061
SHA256 2998ac85bb73572d2297e73ab4b0c05d773c1b514f0fb48593916bd9e2bf2ed7
SHA512 8427c9638913cf7196dc13cbe372773bb6230ed9459ddf5dace1544ed34af4e72ad1985ea97e3cf618709efc957e036a86361ded74bdba465b55d3cf09a6722d

memory/536-200-0x0000000000400000-0x0000000000433000-memory.dmp

\Windows\SysWOW64\Bopicc32.exe

MD5 77a5782e3000d20256b91d82f9b37bfd
SHA1 184e594d4830582c1a798cb896f207532f75dc82
SHA256 ee7a19e0f64fb4362276aa88d2bd1542e0ad141444b7ad606bd7a3b7d409a17b
SHA512 4bff21797d12192d709803416027b44b5ba018b244421dfb2c7f63882e1fcf98c041c6fd5e0624fa3cefceb7dbc92c6924e0eff56881845047997db8d4927167

memory/2924-228-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Cngcjo32.exe

MD5 2fbe00201a55d39d14b58465a3c46508
SHA1 ce045aaf3e797cca5b37d192b87dcaa0451032bc
SHA256 ca44fc9a6187de3f2a21ef3bd87b4b4f5dac9c1e5fdbbbd132078fa357ae9a5a
SHA512 f887636431e40539c59f4cd7b1eac422eba25d88a4eb455219d4b028a62f79dff22ea2269e5c281a5fa357e0972a0b539f923d93de501f76009449049f4b1ee3

C:\Windows\SysWOW64\Cljcelan.exe

MD5 c93a28868c5a48573c04300c1dbc7780
SHA1 12deecd0521e34d490ce0f1cbb7886707b92424c
SHA256 72bd6bca46e4b53cd4be380c52199b09e8f6692c9d086a23516ba7573e14e036
SHA512 dc4b298f581a597d2c339c4e3a471dcb9ff740f401fbc4a6d61eaada2145e7da8d46ce30a99ea9b91e25ad25fa16711ddcf17b6235db1e51afb76ef06dfdac6e

memory/3028-249-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1228-248-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Coklgg32.exe

MD5 af4d0a0dcc6d5390ba7762a633cb2fd8
SHA1 9104481bf3e0ec736fd086ada61d0eaae1421d6d
SHA256 b0a8e66979f5865ecd83aad52d48b42ee084bc398c0dac8a43d72808713b50ff
SHA512 b642268dd38e94b699f511c2a13d77bf34e28d4873ca8ea6f74b9e18944897a9b6f487631e8a4c2d2c456bbdd73e0499febc80f2d3bf6ed4e9ab614ea68d31ae

memory/1816-269-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1716-268-0x00000000002E0000-0x0000000000313000-memory.dmp

C:\Windows\SysWOW64\Cgbdhd32.exe

MD5 1c6289ff0534af745ffb8c5da26d16ad
SHA1 380ead3f9eafb7646d0d0638db0c17c955047d6f
SHA256 1ff058e64a07af70779ddff0037b3cfc8039b3489533efe5a0e73c2ce18c436e
SHA512 89f43b7bc36d7cb2fd20bda115e869a1001a58e9af948e9617a3e5c5cc190a2c7e4da509886021215f5ba3703e8b17042e91e727b884a0856cb542f583876b2b

memory/712-289-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1900-300-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1900-314-0x00000000002E0000-0x0000000000313000-memory.dmp

memory/1744-315-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2212-343-0x00000000002E0000-0x0000000000313000-memory.dmp

C:\Windows\SysWOW64\Dgodbh32.exe

MD5 0d3116525f8f34b8a08149cb208e1dee
SHA1 50cdc20510764f8c355bd2ec655e50de5fa6826e
SHA256 6b3a1d971a16d5cfd8ab7adf1213b9921d7238b6dae0a3b72462672527b992bd
SHA512 486f9c5a310ffd71e7bbe958e2fc00b2b6d07c8c8124bf11f2684ba46f7489256b44ff7f187a4906e8fa70f3873292999ea5019ea7b3b5ec0644c3324213e99f

C:\Windows\SysWOW64\Dbehoa32.exe

MD5 a418504e7933d856f13ed902b260ce4d
SHA1 6197610c544facb98c4a52e2e293d49e567b4239
SHA256 03c536f2fd22a860dfb524afeab4aaac2cb24fa9ed912adc5deb916280f0a37c
SHA512 0a3ed5af3743cd3a51b3a6c033dd08616010041e3e57658cd112ea095defd858189158040aa3a39cc4dff9cc3b58f718ffa1f1a41fd8f548aa06ff5456a78938

C:\Windows\SysWOW64\Ddcdkl32.exe

MD5 44d0dc2e0c02aae5a2321df5ae02fe0d
SHA1 0b3e844ba15760769f6d990dd3497ae848ffda95
SHA256 57094dcbf39ea85fa78f96e66049c91520fc22bdbf5bf450a3269febc099e3d4
SHA512 a4933694c6ae2873839cc9c0f844a59b9f00778d1463a21ececbfc659e219967541c2d6e619b96059bf3da6751d57c42e32c4d598ceea5778c25059c5195e164

memory/1868-406-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1388-417-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2036-441-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2708-440-0x0000000000260000-0x0000000000293000-memory.dmp

memory/2708-439-0x0000000000260000-0x0000000000293000-memory.dmp

C:\Windows\SysWOW64\Dfgmhd32.exe

MD5 b2a9b47b11456d5168d64336bd5ad2f6
SHA1 3840a27c1f96d998c661393ddc5b41af2d7350d9
SHA256 d3cc7859e40433bb3dafd4a5f5eb0fda27aefc948fa55c23eeedadd2d333e577
SHA512 6c83569d44cdb3f93b5d6eadc777de7f206d61e9683ff9f9f0593789c07014e313cc8dbcec2d4197f94e051f91327cbdb08c0634ad99935ed9eeb56265b3f781

memory/2500-459-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2500-468-0x0000000000300000-0x0000000000333000-memory.dmp

memory/1740-479-0x0000000000280000-0x00000000002B3000-memory.dmp

C:\Windows\SysWOW64\Ebpkce32.exe

MD5 b4a022b665d699826943f7333d2fc79e
SHA1 698e8c020868ef9c39aa75ceb8365f8a9864e256
SHA256 a7f724c90f620c3eff2b97270f33ed60ed2f054981ee911c8765c0e37adbbbcb
SHA512 5f717370100656cd731c04b7d0c6702efcb9268de581ee48144adea9d2eb25c228e70492923e681437c1025485aba6690d6b98db84a5c4aa2ddc306f75b91807

C:\Windows\SysWOW64\Eeqdep32.exe

MD5 0f7efe1c61be2598e67d7b80492d909b
SHA1 fdf228fd9f6ac94bffbd79489376223fec272ed4
SHA256 46f8b5bf242940f9979d83ba818dca07872dd71f14b556b1a2c416fadf160398
SHA512 926023f9c7c4621311f4f4805031f2c5413530ae861236e160c8c2e97b77009935e443ab47dc301c3fb13d6eae96758a4cd5c5b8c27442d7d5d9cc79202952fd

C:\Windows\SysWOW64\Ekklaj32.exe

MD5 e5336d88cec95eff5064b33f43027e80
SHA1 ecce589df1fd46fdac55ada9921a0e5cf080cb4d
SHA256 1e2f62314046cb82ff5fd0e054a98a0a1799a9ccaad9a809591f396be0318f22
SHA512 3ef3d40fe29ae1121498830acc0d7c76bc1d25d3f0424945b2249a37402495f8ba133375246358a1b9b7e61d7d6c1129b348f3a310c2ec2fe110f2c5998e0ca4

C:\Windows\SysWOW64\Efppoc32.exe

MD5 eb8df208f75320c1c1fab3c6a6038898
SHA1 8c3d7e3cf9aa823dfca724ead25f0df89b72530e
SHA256 0cbd314de0df65b28e51140b017bac5f4068e4e9c5be73d50fd588e428408514
SHA512 967260ee49ec8d60528e5f2c6f6d16070ab711295f63107c6d3bda7ad31b82dd04705478a9f513b045506d22683c52602b6c4ea639d39a84e3ad45c5405bbb0b

C:\Windows\SysWOW64\Elmigj32.exe

MD5 17d3fa988de3e806c1a25fea6c1a7d52
SHA1 e04c17f6fb709206f7afb68723954526b694c492
SHA256 b5831b8c64f8d749c6393c2a0f266b68892f608d2364d8e516838b64e5071591
SHA512 f0e65c382f231397b81e5dc2b59dc874828e1734d15951b49d8208a24a2c16180ea1c69ac67a8ea03ecf0a34120a17d7b2c935f67d8c064acc8793ce68f6fcbd

C:\Windows\SysWOW64\Fckjalhj.exe

MD5 cf7bf3726e0b20906a2057d12879a9ce
SHA1 85e0371ee6d2a621b593313a7c31f3c95f6b32c9
SHA256 ea8381c875abb2fb8091d9a1f52c74425d7614dc37aa7c5d76ea4b9aabaffe44
SHA512 3d359ec14c81527d84990fbc72afbc14860da6fa8d003b951294c5ed914e16bf37924fc72206da874fd2004303f66cec768b2568387cf5b7378ad6922678b846

C:\Windows\SysWOW64\Flabbihl.exe

MD5 0a350fbbefae1c6847a5a8e8ec26461c
SHA1 11b70c1b35469db67afc7017461957068323fd0f
SHA256 ffd128d5a7a104589865a4d01f1c5dd426f87d2fc8e11630b2cb876a7613d0a4
SHA512 242af93b5e38d65b95328cb2613692787b1d55e72ea61e71ed3700bb8e6ae6a45723772cb6a974cffe1510a66ec00e9616a23ded1b825b59d4f5f52a68eaab0d

C:\Windows\SysWOW64\Fnpnndgp.exe

MD5 7f1c86a58efa7c6257b8506590aeda99
SHA1 bfcb7763db9635710c3c410e60fc13564ca3a530
SHA256 2f4a024e62058c0245eba55e295c48b225e85d662fe184229ec330879e345c14
SHA512 12c5b78164faebcb0a703b4a3fcdaf47a5abad88a1f562fd6448a7dfc37ecf47db44d20d011c9cc6b51c91bc84914a75ed6d37a17adb009e3e8914de6356b171

C:\Windows\SysWOW64\Fcmgfkeg.exe

MD5 45a08efece758ca3dd300ee4d09e842f
SHA1 e7ab20969cf52bd9ebcdfc57eb8d7b689c4f46a4
SHA256 e1bd4f4b9c0fea45fa339261252c89f5344650a864672d9e4b6510d882898463
SHA512 54938953cc1bf84c0002ff561b31a0b4a94068b193db0e08d15bafa039943df7db2b5195f742c8bf8ef35fb8a50f886e1d3f087106083664485537f4f0c800e3

C:\Windows\SysWOW64\Fpdhklkl.exe

MD5 454a8e62590d4516ea64ea11cdfa1e03
SHA1 aa6bf2d6166d1776981d2e6a504de25b8198000a
SHA256 016cb5292848e33b18994c322621135bdc82817ab0e3c3d3f7df7d308daed239
SHA512 cf8ed70b3a6adc528f4fcff88d49c71626cc685df2d112067454c74140b1e03679f5190a3567652f4d7e915919567607834852736d115e95c6c20a810855315c

C:\Windows\SysWOW64\Fhkpmjln.exe

MD5 b46bfc319cf085a4d9860e22ff5a4630
SHA1 f2f001ce52024ae0244278243d739252dbe23f8f
SHA256 f01b4fe241ffd7600c0cb5077e63e655d170b2ba20c69fcf1bb3fdfaf5b8216e
SHA512 b7dff26d22731d42ef9c8f2368240625189b60a34af92e66b599e15ba535dc71699d0ff674dac9416774784a395cceacd4263dc015b00ca1df8a139330870635

C:\Windows\SysWOW64\Facdeo32.exe

MD5 9c7a01f3ce6211000c651ae9c63b202f
SHA1 5ae1095076b0c58862e60171726cf5ae084d1437
SHA256 a1fac3b785bbb53d8ac505c871bbc75c2f37effc83257e1c44709669d3b858e9
SHA512 599e9efbac8f4d64064d6ca65d4e2fc7dae6c90eb15662b5dd5a9729f6802e7fee5c31f607fe65a326a0b3c0d53d059e243c1e69b8d06dd443caedd72aee77f2

C:\Windows\SysWOW64\Fioija32.exe

MD5 fa42d85a19445d5ccdcf57d0a60257f9
SHA1 2fa0e36e2565f78d60969e902746020193c183a3
SHA256 a721fd081b052a09b6a5ecef161106c2cec6c5e293415462621b6d256a80c0b6
SHA512 aaba701afedb72955819dde6f85015964d519627d44b79120e61a4365f4944ea179d0d8fefb4ba5d4191f3198f0d81ebf4a7afa7f5a99962d3f23d229094e5ef

C:\Windows\SysWOW64\Fbgmbg32.exe

MD5 fd70a67cfd9875dd92b70c9d8a32e336
SHA1 460eeb71b9668694bca27da0671982ed5e60720d
SHA256 ce39b5c4ea37c7d45305ea7c9e87d1e0bbcc74f442c1ab9f6e87af2d19ccde40
SHA512 76074aff6a0476a02c72cb4aa23b0f3cbe19b7644e53b84267d33f18ba834d9d0be16ecb8b46bbe464756f68076ca1a832ee8d7fe44f7493ad06daa17627deb7

C:\Windows\SysWOW64\Globlmmj.exe

MD5 065791a0659e0efe78d6fc232076a0b7
SHA1 d4853e6e4ed5cb6eda55ca24ee5f39c72afcf95f
SHA256 06b6e41e3ffb203d914bf48fc16e6cda34d569f9b1fd2a4f1670f4fc8fbec53f
SHA512 c8606e0193473636198fd506d3d7b53a0675c9e3ab7d6358c823b674c7bac40ac36efe3916a16472cd3dfd8c76ae1d1fae2a7de0daab06c43d1e9fa4b3212423

C:\Windows\SysWOW64\Gpmjak32.exe

MD5 e60c40fd8304be018d78ddbce5a5a39d
SHA1 e2f47cb089725a418c304759c8fa5dcb65872e58
SHA256 e3922bb8d020c3cc41436204feae42531610dfc1b82082e18ecbbd5fe4060f08
SHA512 2d48d3d9e553fb1569ac295321e4d61c4daa8e650dfc1c55d05362186f73a56463d8fe93394080e92e3162cdf17aae019aad01be7147c24460d6e89900cf4d28

C:\Windows\SysWOW64\Gbkgnfbd.exe

MD5 f4b8648da2070a3f9e5a8df5bd63db54
SHA1 ec243d65323eaf1a96b0992985a4840228ca775a
SHA256 9bf05310dd12b5c28f90e50a5725454255e133bcd0fdd271417729fc2f5d92f1
SHA512 d5c82931c4c73613e0e4da574af19cfdcf8bb7f752c769105343ea370a3baf13a58c3955f0651b5ad7b45682293b7566e577f89a27d36c7da8acb294ac1ad03f

C:\Windows\SysWOW64\Gobgcg32.exe

MD5 053136a2b2f7c15fdb606e94b25b19e1
SHA1 cf51a4e03cd87d65c32aac7753ffcbf207a2c2bd
SHA256 a878c4b4e53658d812db68ee6a314176b7f9759280df865445a987d3feacb833
SHA512 c295720f085fa323e0a8cdf7513955bdcbfe09424c7335fd7d7b23d1b1a0ad17ce603d04278b9245a92e4eb97fb80e3ed91f23f7d44aabd5a46b6756c516c682

C:\Windows\SysWOW64\Gelppaof.exe

MD5 d235f6508ec1dffacb074e765ad2d29c
SHA1 254fbae711f1f70ff79f65f1a4afe91b4948c897
SHA256 10d80f9028b4c714564e412d06b7810128b9d3db436a964aed37a30a0b2a1563
SHA512 8e35928a234812c36d090b97c39db00dc6a8ccbdf2f4d32107427b89ba6b0b1798bc767f6c76a91179c394dc25cc426bfd4f68e92d92e08cb9b92c59d2040109

C:\Windows\SysWOW64\Gaemjbcg.exe

MD5 2c577e50d7b5f9b2d6b9cd5de20e0cce
SHA1 abaa9d138fd08f3ee0e79e36723b601b79f7156e
SHA256 ade04a5c7d6471f94a3c8e0c4c1f5d5a8554fe73a13612b3b761387dd8fd79f7
SHA512 23ceaffadc45059eedd524777c00e35df791b959b709bc83346a8305d5c05a19282eff131f71cce47a5dae29b47061540ae9fb6149e6c6548b588a2ebdbba6dc

C:\Windows\SysWOW64\Hgbebiao.exe

MD5 8ee589812cc90a45d59848da33112ebf
SHA1 6e3f854add3c335c5ba1835a608ff5aa468ac225
SHA256 b7abaed3a97d0a83a7fdaf32175e3d668f6cbd475b1b4fbca3d2a1c122fa2be2
SHA512 ef3da4cf98c578f437702a7b1472f6d99b5d3035ad6531134569fbd3601b84441100af4cd0e90c46d6cae4165c72ecac282b68e3aede96fb5062a599b9b8a037

C:\Windows\SysWOW64\Hkpnhgge.exe

MD5 bd575dfefe08c8c3acc65da2ab7cf537
SHA1 a970a3516e1c312dfe0bc3572b5a68001afbadd3
SHA256 12ed9ad620e4311236059b8e94194ee8f58901a48c502a25c099198dbc14e9f1
SHA512 a60fecbca57a0d1914b0328a9d25d3a2ca9d0d34f6d145f375c26925129c9a0b23817ce3983fc78617329196f26473bd877628a818bf56e9c4249818bb5a6d39

C:\Windows\SysWOW64\Hnagjbdf.exe

MD5 7044626bb00006b37814c0aed760c3bf
SHA1 0b29d09d081e381fd259c2427edb30b1f11a79fa
SHA256 59069cf89baf6b93ab55111673cf7fac1c486eb23d0694294364d64d05e899ea
SHA512 4e79f1fc535f48f16777a2755fed8d884479a046e1f3c89f6d270b6c399d5f62b4d305c8bd9282113caad1775cab2bd04faf4abf6aa7236c084635fd2f1b154f

C:\Windows\SysWOW64\Hjhhocjj.exe

MD5 4ac0229556d3c33341932da3c4f069d8
SHA1 e98b934dd370c49f034eb300acc5f8c1189932c0
SHA256 583fe202e524de984cabe9222f41ca93c3d528fe9e41b2d88a52087a8ad43c45
SHA512 68de86b39ff41cc87801ccdeec6c93b0deb774fec30a98c24962a2d67ee266009a905fdf833759d34f584e66de4c12fb38df94003a0a9172769c47d5615008b4

C:\Windows\SysWOW64\Hpapln32.exe

MD5 ac715aa95d033dd157a5bc4f3b235fcc
SHA1 0501404b500c246c88b891ce604d21084a9626cb
SHA256 a3d0c960f78f52f0d2d36654714adc0521fe544eee175692fb8590bc0bdcf241
SHA512 2e67bef39e22cc20c7cf5f7e03526c3d2fde9051eea24bbef9e0ee861412202420733415838cde7fa982049c80929ad5f65120b5de42a3709925d0e0630725c1

C:\Windows\SysWOW64\Hjjddchg.exe

MD5 8fdabc7efc1da5abafbc9a342b535de6
SHA1 d608d1bc2fb2e06604fde5c38982a7198e33bfb4
SHA256 88d8016b40ac088fbb0adeeccd793fa0ceb1aad2a36fa61c232145bb0d92cc5d
SHA512 0fe62c53fd1a8ec444a4072f3829d25eb531bfe6c287032c62fc026cfc7f5c684abc310c1590e7dea0f79d3277da7b14843e35e2d66ca91ac7147abd1697f7d8

C:\Windows\SysWOW64\Hhmepp32.exe

MD5 0b077f769fd44bf771b9cdee8a9effae
SHA1 749d9e061278ba8da956895ff584bbb60c812da5
SHA256 56a63d5d5f8b95b5feb7f15b14038a77eb82c29ecd1d563794d84fad6e1309c5
SHA512 8282452571bfacacf20a7bb7dd308c165dee51292fdb2362f57e4a5c8122b16e6c20a3ac2bcedf085c0b055751ca4c97908c56b6dd9e6294e79481dfedcae1c8

C:\Windows\SysWOW64\Hogmmjfo.exe

MD5 796ea8a37490e5a6bbe6115955d2abde
SHA1 13c95e1470c5dadd9914d43abf601649e71fc845
SHA256 d137d4a8f8d377faacb36afeed887612e9b75149aa85d4ee5bc646f2814a067d
SHA512 89874ad6178a5f0ba257d67a3a14a57eff460863306be3d89682ff91db66037348c8e90e3c2d058c5c7d3d73a390572718aca8a5c91be886d870f5bc4c0bd609

C:\Windows\SysWOW64\Ieqeidnl.exe

MD5 0350dc51d6dabf91f48701684ee71729
SHA1 ff6d09f992dfed1839922392632de055f224f710
SHA256 104e5ac8cce8b0d1274309ed49d42ef31726490c63d2be23616617b5133cdfa1
SHA512 916eddd682e8ecc407e1974be7e00a302d73c7dec0cb13f8745fc487ade0cf1ddfa875c40f3ffc1afec9dc60d6b0180197f836e76a822ac333f94c064771a032

C:\Windows\SysWOW64\Iagfoe32.exe

MD5 63437973be9c8ec67bcd1542072b1b07
SHA1 635bd51e921696b84ab9174f74146620028b73ef
SHA256 f6fbd82e0ba3314345a1d35339dcc2da440b5bb1ae4bcf6d22006b80948d3612
SHA512 aba902581484be521411e229e865fe39fb1278a0a35a639032c45c89ac361668e62c0f56d9b9ad7a063e2ff66a48c582f058ef3a4b8e1e0e648bdff81d01e4dd

C:\Windows\SysWOW64\Idceea32.exe

MD5 50f5c53d3f70f4b3c0bba80ef1e3472c
SHA1 f79affd679e8e21ab85b5564072c7fbdfb09c9fb
SHA256 36757e452feb3d8bce6b72ad376ae36927a1b69864d7394a8ece10d98f92004e
SHA512 9fc9ac26ed1b4a704908d2f57d904b5bfb1bd0c08f4eee56042dc3d020dc9173c7b6defa2ed12639d30719c04ead7e69d0389c3f3cd78289b5bc8be513106cee

C:\Windows\SysWOW64\Hcplhi32.exe

MD5 2b0189b760680a8978282ddc133f4b74
SHA1 bab9684601b9d67fd102732d8034815f777a09b5
SHA256 e3d6fa35296de0a334b37cf820b31ddaf1ddc8bdf4e10e6d70922fc0080929b3
SHA512 2b8e5d41af2e5e5db1c64e9424e8d2316367fde41aa12e53db080e69f341e199135d9c4d3e2290eb4b72a33cfd90feb6dfbfd7ff73f2a2496367243f7ef990c4

C:\Windows\SysWOW64\Hgilchkf.exe

MD5 d916f5ad9a76a11e6192daba2e47513a
SHA1 119c9b5572f50e84337a5162142e9a3b723e7ba4
SHA256 61284220914c77fd9f26c675193419692e6156a4a5c758569aea552bcd08e455
SHA512 edfc4b10537fc0aea5a7048826b79bbc8859ffe547f96af66087c807c9d231cce9ce6373d2bd8e93837fc4376fba39f47f861a095a6cd4357f6b47771c62e4d4

C:\Windows\SysWOW64\Hobcak32.exe

MD5 aee22f3ca9bb6d84eac02f3a9c76021a
SHA1 b4fabac9b69087576b4f0419986247b34faa74de
SHA256 0aee6a876b9593923ba08f9b60bc9f667d565ee459f2df02f2c81cee4ca944e3
SHA512 542f8e6c36250ac885af7ab0c331016ae725413629319dd2d12d4a6fe497092c87bd5e829a38881d6dc79367e54f86665ec2f71257039fb2cf2a4fe5d38473d0

C:\Windows\SysWOW64\Hggomh32.exe

MD5 905504126a948622e15ce05e5fbedd90
SHA1 ef4f44749369b3579ec7e259e7d718f495e7c290
SHA256 e4e6b823375cfabd3a472261fbb4da10e97da7bb168fc1e5e6528eb0bba49029
SHA512 fea651ed7d5d0afc5a554c32e0a910c26e4b18e9ab270dacbb4eae78f2eb67ca5fdd36b627d15ae7136bab23d323a9d29436c0541da9ff7d6b15df4bb27bda14

C:\Windows\SysWOW64\Hdhbam32.exe

MD5 b818182eac4b80d39b29a02922059e39
SHA1 b4f7e3819356efea43a1b70054a24ccebf7a53b7
SHA256 047fa4cc6cf2fc57cc4c69dcf5cfc793d0d14102b51e8fa18e41fc109ffc48f9
SHA512 33430cee6eb5075d208253b8d426053959142ea114b76fbc894311cc19afff717af030fac5eab9ad2a541841b4b2d186f555f5db09aa1e093ed9b3a04b897fb0

C:\Windows\SysWOW64\Hnojdcfi.exe

MD5 e25b25ac44edab2d2e354fe635d24476
SHA1 f7ddc514f584cdca4c6b51be48f8fd7ac2d15d20
SHA256 23674b341c56ad8fb3e0326c18887ad230a622084e16bc6dd41a629561759759
SHA512 0d8c8d4306322a2cfd792d481e334600509c131dbb457bc7863d4b236bdbdb58c57e125b20892f10d6143f3888fce2a050c746e9c25afd3f809c8c94121764c7

C:\Windows\SysWOW64\Hdfflm32.exe

MD5 ef5e81e7ab37b61f29bd205118f11c06
SHA1 64c00b46f2a871ddbaa74cca4dded1b190471493
SHA256 b205cd2eacb24faf28851a1ff681b9b106469d3d327bb5c5050b51f9818070cf
SHA512 7e856d55046d221b2698344c7881ccfa1dd330584f921c29c7ad9a425794ed86ec1f0eeab47f6e81e11fcc7edb4464226c241c32c949a0c628baffa3d97569e3

C:\Windows\SysWOW64\Gddifnbk.exe

MD5 7138f5eafa32907985cab00f6803caa1
SHA1 19a7f7ca2021f1539906cdede0230a91702f8306
SHA256 9ae965882dfdc2062b62d7fae1aba692d489667f5e310f9815cb88f73d17bbd0
SHA512 5049efe850d1a019e034c806249e3ba2701fd4d3afc54f5616a3257b66756fdba2699a3d182f8adeb01659bbb1cda3c135f5d8b2a22d48e83d263a2149e5e4fd

C:\Windows\SysWOW64\Gogangdc.exe

MD5 c84645177e9326756eabb13099cb0e00
SHA1 522bfe30e5c665fe938f8102a655657d1570201f
SHA256 5b95bbd6c12a1be5f49ca759689bbca808219e709afd6b65bf10615e8058c8d6
SHA512 b606a028b821a3aa2ae2f55f8f20ba640e00be3cf8170c9a138683cf4d9b8371c5789792a849c69984fb324dff5f3baafc9ed7e26ff73c9be72fa0fa66269b8e

C:\Windows\SysWOW64\Ghmiam32.exe

MD5 083449dae3ae68bdab00771c5fbabae6
SHA1 af410ec78c5b5305e55dfd9b699cf7231abbabad
SHA256 fa35214c9ef83c71b4a6c92b08b48c0ccaa7079358dbbf30a59ba8c37ff29557
SHA512 012de661988667a2dd2a652d1e6977b958a55e6fe72fca56ebc95a5fe8e30ec5357dc47f15968cc34a5b69f27cf2194a0763d48aef72f75b9a6f243b9935fadd

C:\Windows\SysWOW64\Gdamqndn.exe

MD5 004a937d2ec1fcad09e40a70fed6a5ed
SHA1 0cac5b0c23ebceb8f009df90242a6b233f198a33
SHA256 9260d772cbe2821bb46d4072700b41631c75226747067c7fb0b47747d4ec2981
SHA512 d3b4860c2bf173fb7b2e76cd669536d1d7e690ec74929b2bb70884e405b3e1963056529031f0f81462c01bdc0d27be7202172bb266b3fa15b1d3a2005d3cdca9

C:\Windows\SysWOW64\Ghfbqn32.exe

MD5 18f6f93e8a905bf87d0b48bc3cc95cf1
SHA1 21d006207e2cfbdd7685f61cee5729bbae062327
SHA256 547d4afe140e6d5603875334f8e3ac2a642b0453bc3c37d6eb989ad4ca3812aa
SHA512 4dfbb655e29cad450c49041e405233a60c074c30a015bef5eaaf7ba0c1ce101c0cb908002b83516b7568271bc919eebcfb77e147340ee1b129ea538cf30c1b6f

C:\Windows\SysWOW64\Gbijhg32.exe

MD5 dc29b5e01ba44c206eb8bb65ecddaac0
SHA1 77634201edb4e7c788e0464615f6bdf6d344a917
SHA256 17597a4274c67d730d2b275021e8f97f62d4e863cd685929220b8f4672eceef6
SHA512 425f86c7bdcbe025e05d2662de06d8bf92117f7ad8d347c260656b88f9ab4004098383f6246ddf62c64758455a99c73cd76909cf297343d329063612183403b4

C:\Windows\SysWOW64\Fiaeoang.exe

MD5 58f560070e2c0bd7fc870e3e18838b81
SHA1 afa77a3187af0f04748121726b85214411bde64e
SHA256 6b72e09dbe7631a482102072682f8020592582b06738c070ec61f470922f8e25
SHA512 8b9d28a6f8bf2139e5c60601f7a2eee30a9f730ea41ffdf094c304a2cf9bd622b172debedce92cda9ec03a582cdff82a7914d58ae720facc4285dc1607729cb7

C:\Windows\SysWOW64\Fphafl32.exe

MD5 d9be9b98afded983f05b0923df7dd774
SHA1 9e3cc9da58cde70241dc19968a974bf7e9c18e5e
SHA256 a52a3a748f8ec161ff8145be74e5d9d1a3500dd1771ccf7da1deb653a7966ad8
SHA512 d5f93b861fb7c75a0a15d11e3cd86b7d34136538f19334832abc22796d32b30182ac446c5c1d2c5006fbdd9825c6132a097bb33c42e383e1bcdd460c4817cf96

C:\Windows\SysWOW64\Fmekoalh.exe

MD5 495958c64de3dc1db454552646ff1bab
SHA1 b59cc2980e0c65cd29017106d2229539fe65dc5e
SHA256 81d04d37e6cf28dc946d565b6bb5d41b30e80ba45dd2db0d6875715bc33af9b0
SHA512 795758a6ebfa601efc11e705373ba04547b682087ac8cdfe85abefb127af4b3a33b6925344b1e7bdd312b80faa112ad061681b4590855919a7e700323a8f3397

C:\Windows\SysWOW64\Fjgoce32.exe

MD5 7b63f74b8d61a2f3b3928e68cbdf9972
SHA1 2db765184562f0da10fca4da7b04748e0fedebdc
SHA256 a52c858f90a1a0e3a812f6838486bc56c18f3790e246c3bfc925466a2821e740
SHA512 88e646e2c10898d3ef81cce107e77ec0b0392e19228db8fd44decd10fda7fe760ec2c0bb2db8fa64637f44f387e968375c16502a9c552429ba6b55559f086346

C:\Windows\SysWOW64\Ebinic32.exe

MD5 8164fee6ffa6a1f64a40664f3097becd
SHA1 c484fc8a01c0bf19375a3e20a285417b3971b956
SHA256 a1628a94337a2926336338b7a34243547351e5733e7847f76815567a683042cd
SHA512 99b91e503c68bcdf65bbb7b8763f3eb3062179aa2ccc36f3769491dfc37dfc3abcb694fa0455dffda2f3db67d038d0fca3c3d1e3d46dc686d26e0d5d8819c4e3

C:\Windows\SysWOW64\Ejbfhfaj.exe

MD5 342465a7c8b36da8ef8ee9343e938a22
SHA1 507c0a7b690050a12e142da57ff91e8ae073f1e2
SHA256 16532ec2353a2980fbc938481486b0310804bd68ee52648f7a7132e6ba5a3f8d
SHA512 1c1752cb2e09cd6f30be1364579faef8547dc3ab5af97dbbd8dc366e8554cb45343d4d280a5f5da790783949c5c2623a0fcf3be02afcf918af51023aa63091d8

C:\Windows\SysWOW64\Eloemi32.exe

MD5 aebff92dcd2955df397653f14ffb35b0
SHA1 484322a82c8880187be7e19e234b0f5bee2559d7
SHA256 ad54524a3dc50d4853e84dff410736dd87cb7b1614b51b76cfcce829b4a74eb7
SHA512 6e95ff1e2004c17eb54108687a87bb2803ca307660ac2b14d4c3c0b6dfb984a505bb4957e7368852ed9c5e1043f5fc2ecda68d6d2ad75d48fcb99cb5d01c61ab

C:\Windows\SysWOW64\Eeempocb.exe

MD5 3ba891a7b45dfe5dda64052a7d1241fc
SHA1 46231f23cef50ad1e9729d3f5f2b5f7e82f1eae1
SHA256 2e6bf388fcc41605e3777cfd9f349fb2f75e0a7f7f020868a87faf407d1b75a5
SHA512 ecdf89981720293b6185e00452cb839f5dd0bcbbd95d703f63d1e522221963a35138dfc236b68ecffdd9bfefef9e00f90d239a4a3865bdccac52c7ec8a65d37a

C:\Windows\SysWOW64\Eajaoq32.exe

MD5 22ad53c24e7c2593df1140a7c23a7c3e
SHA1 987015e6dcb018055fb39c76b59b4ac355f65e61
SHA256 218bc8393201326655e1c36b1f98df293018e56b6913ed04803b2b1d9b986a09
SHA512 6493f99a955770c0fda4bc0e81520a5b40ffb3c2be318c0b0f62b72a5368d8f6df46eef18aa2d0b327d915ca4f8d52f1bd603646b9c2d9733abac9e412ed2fdf

C:\Windows\SysWOW64\Enkece32.exe

MD5 408706a6b5c2a325906bc9eab2053d96
SHA1 a558a819c64cb0bc833e56ae3932dca1c9bc4198
SHA256 1c7e78d6fd4b262c3d7057b05c4db5f83edec0ab1631036e15455ce77dc14171
SHA512 c5479d14d9c274d63de5c4fa99968bdbbfa1c2b3f6da390c548d8a795cfa949d028380c3e9ced4b5fc4e552edaf508a8958175334f60dae20eed5c5434ede068

C:\Windows\SysWOW64\Epieghdk.exe

MD5 971d5408ce162162ea8a87c77d899fe0
SHA1 1531c76681f19b2fb509d3ef927ca3bd2a511a80
SHA256 51013cae88389043a8c7bb23589a3872bcbf705c8d4384c79c0a2c95d30e103e
SHA512 3417c730e5a3c294457eb9c422fdfef6f735a30de212c7c9beb51aba13be753e4695cb133e60973ae716b536b5268e5a65ad7056ae243c2562620aeb7fb12708

C:\Windows\SysWOW64\Egamfkdh.exe

MD5 d13610e9f50af4195042e2a7508fea18
SHA1 08829a9a89eeb0c3bf613fce1a82ca6eafb3adfd
SHA256 a498f382ebe74605780e50e13ee04d9922d0a60a8690b454116ad283b97a874a
SHA512 0cd5f877ca057d6533cdacf1edb1a55d260a98cc4542e6f8066d41f361e195f95f4c09b4cdd9ff3b7afb1d6b916c81a1f83c484587159042ff2733e15546e007

C:\Windows\SysWOW64\Eiomkn32.exe

MD5 a1a75246458ef3769ab8ae410322b5f5
SHA1 b9117e3bde7583ec93953671ec28bcd878c61814
SHA256 c12be20cf2729d48af5ce55867c0a5d2e5e8709a98a3d1d60a7ae62c94af2be2
SHA512 e3f41c1f318a7e2b3d6df2520a32445c6168656c55a6232f3a42dd5a17870588cb4caf272ae8cd847e63243942b1667a324ce05d6c80ad372c373ff97f2f3b54

C:\Windows\SysWOW64\Ebedndfa.exe

MD5 2e1d5549ddd866a4dace7ebe576e0869
SHA1 57d30b98ab2ee973724da54a5c4d05b769e5efac
SHA256 b11b2623132b70f155e1d52da6c2f52a138d3758155593481a971aa18f88f3dc
SHA512 043aafb553bf18cdc611b3c3431320d0e1a2859fe70294fa142dc7fcbb255a2666f88f6ae34274b7f200a47b86eb59c7c39aea8a243faa15d7e881ee4b432e84

C:\Windows\SysWOW64\Ebbgid32.exe

MD5 d64379e70e5e050f81f92859aa1be641
SHA1 2237fa51f3c21bda5c415072c6d01a60c9418b1c
SHA256 2c7abe43916e144d86da98870f481231c8121b9bec8213382a02e3f20d72d242
SHA512 93bc877d1b4a2a0e3621688202035274bbd941e91be67b698c2a714222684eb37f777544e8e64773f9d9fba656edd2c24579beb52152dd1de706d0d2e10746ae

C:\Windows\SysWOW64\Epdkli32.exe

MD5 2ed4d89a3973282ea136d1ca929f1287
SHA1 b263dee40050487e37685cdb6fbfff330e93e416
SHA256 736d34c5f8bdb4c76ab64e1988b5f0002f2762407e3f01de6c34679c90a893a8
SHA512 cd8046a62b7568d8f8b4ac976f7ac7f7c81b7eda3dbcb77fc0766c6d38ecb79ba57f20d7a34f6e8d4ec35b8782d65c26beca8b8a6d6a5dcda2c74e39dd8c5a74

C:\Windows\SysWOW64\Emeopn32.exe

MD5 2586bc86e73b682fd887c0caadc68216
SHA1 cd619e976149f8f2824d9cefd4ab9b03a515eddf
SHA256 9b8b4659168f8933fb395038bbe90365e592baea81265348f471d60562f07d11
SHA512 d2dc85848eb5f1e916fe417352b542c0cda686efac1849e27d6d2c7c0cdc7215e2da610ef322d45936483a333e215d0651a3aa97ce07cbb6b36679a7bcee4e7b

C:\Windows\SysWOW64\Eijcpoac.exe

MD5 ac7b4bcf10e44b861075f2dc95eaa952
SHA1 76cb44b5811af3d70b0d1bd6de1b5d386fca2c01
SHA256 bcb4e8a6bcf09d393687fa2986d8e72e2a807e9be1a0138c72f76b18df48b4dc
SHA512 758813268f1bfd62c8070ed0687d5f565c63d75991be9932a90a11b681a56e95bd9abf521bad76e0e317700c770156a138528afe976ef93410c726281c74d884

C:\Windows\SysWOW64\Ecmkghcl.exe

MD5 cb46487d6af5f81fbcc6548625814b4c
SHA1 be2beb8915bc7ea7b9ef98b70f1610fd9b103560
SHA256 b612894b228afbda19af0fc9785c4b5211139e86e54aeee4b32d3473334d2b2b
SHA512 77af282d995af78dc20483dce041a74fe5c7aeaf3f69af08181aad3e7b4635415221a7545badbe5f7c81c3f211a5d20bdc199eefe2b03c60ab54f83139c0f2ba

C:\Windows\SysWOW64\Eqonkmdh.exe

MD5 abe6d42d5cb906ef26801f17030a726b
SHA1 5500eb09fdf943348703393b5e207566a31887ae
SHA256 5a30580ccf970145a19658f49d5349c10b5592b321b6ff39bce3d6ad01ba0e59
SHA512 bb756c56806e83beef61ee6fcc6be6ab5f2f0a3d4f446f2b3705a73f992c0d0a1e6b36879046c5b1b1a243a0488bf2cc48cd1fd4816809db4ae4b59d82bfc3c3

memory/2500-469-0x0000000000300000-0x0000000000333000-memory.dmp

memory/1740-470-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Dgfjbgmh.exe

MD5 bb548a4cd8e823e4af91bdcd0d585562
SHA1 506e673f8e3f94b604c92f63ee0a3d576d7396a0
SHA256 c5e552dcb39d97c87d3f44fc2e35ed47412a5a844a58fb57126399cb427dd604
SHA512 d31173a571df8bd71763c41404820dd594ffb7a840ed11d19beb104604c4c1ef9bdc3745287db92f91b9fd5bc3ce64376503fd5ed5b9484dc8ed522226e523ac

memory/2440-458-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2440-453-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2036-452-0x00000000002D0000-0x0000000000303000-memory.dmp

C:\Windows\SysWOW64\Doobajme.exe

MD5 af3efd29ce5d09ce9c619c2c942a88ed
SHA1 31c4391b769b2a2620113048b19e166c37d80679
SHA256 f1078cc7454664c7a5c4c6fef5d94524e1a8dd517b15f6197de55f30c2bcbd65
SHA512 f7e818d58e5653598418d05eb2b78a791917248c5929d819da4fb5de2bd1fcc0d75595fcde106ef8ab4c06153f4a1701078b1b1abbef249abdaa3ea695608e7d

memory/2036-451-0x00000000002D0000-0x0000000000303000-memory.dmp

C:\Windows\SysWOW64\Dgdmmgpj.exe

MD5 919669cc10f253ad938024dd5c0de3d3
SHA1 fc01edee2c167c0216f6c45d5e7245ef0aa14e98
SHA256 8b7cd3a55d401e300927325408e58a174cc735b1aa79d7e07c5c035b3afcccc7
SHA512 ba229ecb9a99e937263c5e2d654490e48824a47e8a33334dc370222d3ae02bcbede20315beffade686049844fb06046163190a83af3bb753f4d18921c831116b

memory/2708-431-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1388-427-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Ddeaalpg.exe

MD5 ff7eb0a8805f751053dca46d076a3d2b
SHA1 16bfbf80d78d2d3f0855dd1b0df031024c76880c
SHA256 c202fad2f77615f0ccfd6854d700cd7082d6d1b84260b22a535d227a0af8c3d2
SHA512 04d401c835f027cf7f572b3e33040059d2dee844f52f80acc93f70c5911910e37d644ea3431342731e3c5d75283b2a7544edd2d68b23750beb5948cb3b947de5

memory/1868-416-0x0000000000250000-0x0000000000283000-memory.dmp

memory/1868-415-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Dnlidb32.exe

MD5 bde51f31f173f6ba1cf186df71a99a72
SHA1 27ad8578d0471226a90b5d5dfb31ac152103de68
SHA256 ae556995bd71457798a32f59bbf181b91b2d8ccf8d9997adc538e5973395c65e
SHA512 0c40fe5fbba9e6adc229c020b7b2cb49b69674473e3ad6610a33b5d2613719b86fe7d04bbe92e9e9251b3027761fff85dcc21f4825b05d0371f44bc59f98f652

memory/2552-405-0x0000000000300000-0x0000000000333000-memory.dmp

memory/2552-401-0x0000000000300000-0x0000000000333000-memory.dmp

memory/2552-398-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2616-390-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2572-389-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2572-387-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Djnpnc32.exe

MD5 9737d6e95ba5e234ee2216b838601abf
SHA1 1c31e289730e490b9ba1c7d5a688c26f4eea07a0
SHA256 849d7089e573e6283ec6f2d150bcb70f359a62175e1be7d5f4b0d96b9a073a9b
SHA512 bde531a6f91d6a4f84d81548afee0f9c65656a43d24426f6780dc728dc23faeeaecaff6a301fad81ce7b1d267aefd51fbb3a3ca211bc130db7db8b7b1b2356fc

memory/2572-379-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2436-378-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2436-377-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2436-365-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2512-363-0x0000000000270000-0x00000000002A3000-memory.dmp

memory/2512-362-0x0000000000270000-0x00000000002A3000-memory.dmp

C:\Windows\SysWOW64\Dhmcfkme.exe

MD5 631ef59d29a39178b2fc03182764487c
SHA1 ec0337720e1a4d11a6b6a24baf3e8fdf2de41f5a
SHA256 4117733a4d5b3751c7278cd24657112c64c81f5b46402b1532d91d00f00aafe2
SHA512 5c6e3b51fb0fcc245fcc5b7c8f5674e56f06a9afac95ce79daf561faccb82ae9d65fffd882e9a0d39a0d6e810a3a941c29cdbea677ef0b42908752ac5d02fa55

memory/2512-357-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3000-356-0x00000000002D0000-0x0000000000303000-memory.dmp

C:\Windows\SysWOW64\Dqelenlc.exe

MD5 bb864acb29d0f63ed388c1815b79526d
SHA1 18f0183d2227af5a68d9e68854388a41a9796243
SHA256 793fb12ecdbd664e8e5c17b4b870f9c4e770cb39c8a476293b4088c18b1df53d
SHA512 49a9d9581eb1708b63cf04ce195c20a00fc348766482236d05c71127973aee002873d16545f6b945897b223d697ca1c5d18ea7445a5b44150d0b3ddb6ce5b0dd

C:\Windows\SysWOW64\Dgmglh32.exe

MD5 59286403d7fd922186444bfa3a79963b
SHA1 b273a3cb4bec694415165b950a3bef24a527471c
SHA256 fd3d99b4172ff56cc1b540db79581f870080502e7f61f4952145daca7046ab6f
SHA512 069267e2cc1355f701e79cfc27e735f2c6ae04e2e63b02a27d1b9b9f7a2a7e37d8bd05551fd568f323d3e5f8b35f04f89767e6e75a64b862b71aae4f7d5e5e52

memory/2212-339-0x00000000002E0000-0x0000000000313000-memory.dmp

memory/2212-333-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2316-332-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2316-331-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Dflkdp32.exe

MD5 915ba99412a1c623d16776a169e2937e
SHA1 cdad60b41003faead39d5d90545222bad749449d
SHA256 457ddbfa86943aaee8a6c057f6aa4110c39447f2cb9e55b8b7941d308bb1b8c8
SHA512 fc3da21ff0d05c543514ce4a0982cb74f4efb1fae267dcc762fcf3ad5174505a3d5a01256281f4a5555cd69b06c3ee1a9013baf89357652ddfb963df32a0c388

memory/2316-324-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1744-321-0x0000000000300000-0x0000000000333000-memory.dmp

memory/1744-320-0x0000000000300000-0x0000000000333000-memory.dmp

C:\Windows\SysWOW64\Clcflkic.exe

MD5 2935b42f2d4d9bdb3ff4a19aa893992e
SHA1 b548b8b554550acd675ab5796beac77f0bc4b6f8
SHA256 37a546b4cbeaf4f00c47527d3dcaee53c8992b8b0ac35cb432b5afcb97818333
SHA512 c1128b9f85bf37315681dd981318fc5f2708067b688d82983aa6fdb0e1b14b3124e388f63c0cf63e4f85757c4dca01a987c13b1f7b5b01c8a464fc66d542791a

memory/1900-313-0x00000000002E0000-0x0000000000313000-memory.dmp

C:\Windows\SysWOW64\Cdlnkmha.exe

MD5 080898b3ccf8b7d77ef7183c8129b825
SHA1 8b0d144cebecc68cc23afdb33acf6180f6a8aa14
SHA256 cb82b52f1ca64202fe2eb6639759d5d467a61456a0b66ff6c930f402448d0cc7
SHA512 58f5b8bb7c1043731089ac49de40e6bba83bee91d969857b473039327bc4fe221d11c73f0aab567277ea3f117c39b407d3a9b290073124ac913c3219c8a615ba

memory/712-299-0x0000000000250000-0x0000000000283000-memory.dmp

memory/712-298-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Ckdjbh32.exe

MD5 c231426e9a4ebeaea7aa145f08fcb543
SHA1 e1004b7b990929109b02997fc7b9e874e33a9944
SHA256 5cefa655cafc53b6b1ae8ba675aa459c8e7781587f91ebb3ac79eaf44620ff22
SHA512 81b90eb7a580e7dc7f0e457eea1e798d9ea41aebadaefb14bd85696e408a5335dd41a6fe2d546530128a3c79338378fbae6edcead30fce4af37197290b9fea20

memory/816-288-0x0000000000260000-0x0000000000293000-memory.dmp

C:\Windows\SysWOW64\Chemfl32.exe

MD5 519b97841757607e907dcc0af44ac239
SHA1 8619b0845a7073db1f5c292038ce0e86439cacc5
SHA256 f9e636085199ebd051f22122a2075a53b8bc42253562b912419c09a0df1b233e
SHA512 f4b8ebb180f731b860f4756d9794a630bfd1c852ccb21845296833b07dc08b57567c938f8a6139dd8eb0c0bbb4f9a1ec3025413fb059203f33dc3dfb97eb0ead

memory/816-280-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1816-278-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Cbkeib32.exe

MD5 a6c78b42c4dc000ff2b9ce857ff84206
SHA1 6d43cf96de6646ab4f331bd2199e37bcea3956a8
SHA256 404ffbd2ebdd0fa6875d8285cec6b96ed180ae6c45a6a0bc05db3c3c1e458551
SHA512 1ae0ef819b4238187925decb36cedd7ba653fe5d61a8f9d1e1261f7fc3b3bc027265ba3af1cff53b3ec68671b6e7c4fd4e371955961cb8f7ca4e0cd8235a6b20

memory/1716-263-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3028-255-0x00000000002E0000-0x0000000000313000-memory.dmp

memory/1228-244-0x0000000000250000-0x0000000000283000-memory.dmp

memory/1228-241-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Bdooajdc.exe

MD5 64157e02bcf59c3d5347c7403c8244e6
SHA1 e7011b1d01cf23e68bd3a473520705f64b49643d
SHA256 676b50514bf24f5eaa8395a56f8b3979035a41d6bba16db45693e4effb600916
SHA512 64c6f1f102e5f07f9585a547f3d97642d23882a8b93e95f2c4e9dc566ee92f9b0d0e045fdd58e3618cf2cb9b9f213c24383ae800d116f3cddc5f9dac968da41d

memory/600-220-0x0000000000400000-0x0000000000433000-memory.dmp

memory/600-222-0x00000000005D0000-0x0000000000603000-memory.dmp

memory/536-218-0x0000000000440000-0x0000000000473000-memory.dmp

memory/2288-198-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2288-197-0x0000000000250000-0x0000000000283000-memory.dmp

\Windows\SysWOW64\Bdjefj32.exe

MD5 f0605e399f1793e32118af032d39a4a1
SHA1 4aa67ac78b4163b2913217fbaf6f7a382ea6e3b5
SHA256 3ba085a776c3ccea0420c1ab607623ad9141d5ef8a79915420997538e1d5bc0a
SHA512 8f487bced6ee43d310997d05ec2a1b125f478391ea1aec4859c613918d6d05fc89cd2bd72974a76f29f8190e81d7fc865209501561251350549fcd14543b5a12

C:\Windows\SysWOW64\Bnpmipql.exe

MD5 a3b990116e39586923c899d523613660
SHA1 832f6811e89e5d363b024e368dcc75be9b382415
SHA256 335d8474ee843743335d4d4d5dae9ae951ba1948b54951c9daacde33deb72c62
SHA512 ab594fb1ea2db23d239069fc53a39c95368bbc4d0f79f0ba10325775527577ff1e4ac5d7d0c7221dbe806797276417502dde28c9c815b6281eade63af832da71

memory/2888-179-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2888-175-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1284-169-0x0000000000440000-0x0000000000473000-memory.dmp

C:\Windows\SysWOW64\Bhcdaibd.exe

MD5 8b30ffce7f5bfd8db43fa471e0620290
SHA1 f583626f78a67878c134ac61f86e45432996acff
SHA256 2369737409b387d65e9dba317dabef3d9677f354dc43524cfc47e2a589636e05
SHA512 a7cb751d2813c79fd3eb5c48b30ec4fdde3071e1812d6cf60091dc6f3d3487300715eb9a91fc0b91e83ed90c5c8660bd4e5da89fc554c9d4c6a8ff9ed78b5dac

memory/1284-161-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2372-151-0x0000000001F60000-0x0000000001F93000-memory.dmp

memory/2640-113-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2460-86-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2396-84-0x00000000002D0000-0x0000000000303000-memory.dmp

memory/2396-83-0x00000000002D0000-0x0000000000303000-memory.dmp

memory/2396-71-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2792-70-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2792-69-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2792-56-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3032-55-0x0000000000250000-0x0000000000283000-memory.dmp

memory/3032-47-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2612-46-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Afdlhchf.exe

MD5 bdfbf66b02e786fe4d7a2152d9dea0d9
SHA1 31a9139b8e6467b83c39a915e41803fcab354b8d
SHA256 c321bcafd338aa263e3a01ab91dc0be92ed2ff14484206a8ceecb4dcce6e65de
SHA512 0f75ca89994e572e3f08267422cbbb0a09ce200faad9d0ccea692e80ad5f8f2a18b195137e8ea2873ee2f9f36b14684e3eaadfdfe2ea1343970c2e7c262aad36

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 23:18

Reported

2024-06-01 23:20

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lkiqbl32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nddkgonp.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Users\Admin\AppData\Local\Temp\0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ndidbn32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ngedij32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nklfoi32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nklfoi32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mkepnjng.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mkepnjng.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ndghmo32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nnolfdcn.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Maaepd32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nddkgonp.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nkncdifl.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nkqpjidj.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ncldnkae.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lpfijcfl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ndidbn32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Liggbi32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lpfijcfl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nkqpjidj.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nbkhfc32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Users\Admin\AppData\Local\Temp\0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mjeddggd.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Laalifad.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mglack32.exe | N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mcbahlip.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nbkhfc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lnhmng32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mciobn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nkncdifl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ndghmo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ngedij32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ncldnkae.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nbhkac32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nnhfee32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lkiqbl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Maaepd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nnjbke32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nbhkac32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mjeddggd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Liggbi32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mciobn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mglack32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mcbahlip.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nnjbke32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lnhmng32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nnhfee32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nnolfdcn.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Laalifad.exe N/A

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Lnhmng32.exe C:\Windows\SysWOW64\Lkiqbl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mkepnjng.exe C:\Windows\SysWOW64\Mjeddggd.exe N/A
File created C:\Windows\SysWOW64\Jlnpomfk.dll C:\Windows\SysWOW64\Nnjbke32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nkqpjidj.exe C:\Windows\SysWOW64\Ngedij32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nbhkac32.exe C:\Windows\SysWOW64\Nkncdifl.exe N/A
File created C:\Windows\SysWOW64\Nnolfdcn.exe C:\Windows\SysWOW64\Nkqpjidj.exe N/A
File created C:\Windows\SysWOW64\Ncldnkae.exe C:\Windows\SysWOW64\Ndidbn32.exe N/A
File created C:\Windows\SysWOW64\Ndidbn32.exe C:\Windows\SysWOW64\Nbkhfc32.exe N/A
File created C:\Windows\SysWOW64\Liggbi32.exe C:\Users\Admin\AppData\Local\Temp\0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Laalifad.exe C:\Windows\SysWOW64\Liggbi32.exe N/A
File created C:\Windows\SysWOW64\Lpfijcfl.exe C:\Windows\SysWOW64\Lnhmng32.exe N/A
File opened for modification C:\Windows\SysWOW64\Maaepd32.exe C:\Windows\SysWOW64\Mglack32.exe N/A
File created C:\Windows\SysWOW64\Bebboiqi.dll C:\Windows\SysWOW64\Mglack32.exe N/A
File created C:\Windows\SysWOW64\Lifenaok.dll C:\Windows\SysWOW64\Lpfijcfl.exe N/A
File created C:\Windows\SysWOW64\Mglack32.exe C:\Windows\SysWOW64\Mkepnjng.exe N/A
File created C:\Windows\SysWOW64\Nddkgonp.exe C:\Windows\SysWOW64\Nnjbke32.exe N/A
File created C:\Windows\SysWOW64\Nkncdifl.exe C:\Windows\SysWOW64\Nddkgonp.exe N/A
File opened for modification C:\Windows\SysWOW64\Nnolfdcn.exe C:\Windows\SysWOW64\Nkqpjidj.exe N/A
File created C:\Windows\SysWOW64\Nnjbke32.exe C:\Windows\SysWOW64\Nklfoi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nkncdifl.exe C:\Windows\SysWOW64\Nddkgonp.exe N/A
File created C:\Windows\SysWOW64\Jkeang32.dll C:\Windows\SysWOW64\Nddkgonp.exe N/A
File opened for modification C:\Windows\SysWOW64\Liggbi32.exe C:\Users\Admin\AppData\Local\Temp\0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Mdemcacc.dll C:\Windows\SysWOW64\Liggbi32.exe N/A
File created C:\Windows\SysWOW64\Mbaohn32.dll C:\Windows\SysWOW64\Lnhmng32.exe N/A
File created C:\Windows\SysWOW64\Maaepd32.exe C:\Windows\SysWOW64\Mglack32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nklfoi32.exe C:\Windows\SysWOW64\Nnhfee32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mjeddggd.exe C:\Windows\SysWOW64\Mciobn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mglack32.exe C:\Windows\SysWOW64\Mkepnjng.exe N/A
File created C:\Windows\SysWOW64\Ogpnaafp.dll C:\Windows\SysWOW64\Ngedij32.exe N/A
File created C:\Windows\SysWOW64\Ngedij32.exe C:\Windows\SysWOW64\Ndghmo32.exe N/A
File created C:\Windows\SysWOW64\Laalifad.exe C:\Windows\SysWOW64\Liggbi32.exe N/A
File created C:\Windows\SysWOW64\Lkiqbl32.exe C:\Windows\SysWOW64\Laalifad.exe N/A
File created C:\Windows\SysWOW64\Lelgbkio.dll C:\Windows\SysWOW64\Maaepd32.exe N/A
File created C:\Windows\SysWOW64\Fibjjh32.dll C:\Windows\SysWOW64\Nnhfee32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nnjbke32.exe C:\Windows\SysWOW64\Nklfoi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mciobn32.exe C:\Windows\SysWOW64\Lpfijcfl.exe N/A
File created C:\Windows\SysWOW64\Opbnic32.dll C:\Windows\SysWOW64\Nbkhfc32.exe N/A
File created C:\Windows\SysWOW64\Hnibdpde.dll C:\Windows\SysWOW64\Ncldnkae.exe N/A
File opened for modification C:\Windows\SysWOW64\Nbkhfc32.exe C:\Windows\SysWOW64\Nnolfdcn.exe N/A
File created C:\Windows\SysWOW64\Gcgqhjop.dll C:\Users\Admin\AppData\Local\Temp\0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Ekiidlll.dll C:\Windows\SysWOW64\Laalifad.exe N/A
File created C:\Windows\SysWOW64\Lnhmng32.exe C:\Windows\SysWOW64\Lkiqbl32.exe N/A
File created C:\Windows\SysWOW64\Mciobn32.exe C:\Windows\SysWOW64\Lpfijcfl.exe N/A
File created C:\Windows\SysWOW64\Nnhfee32.exe C:\Windows\SysWOW64\Mcbahlip.exe N/A
File opened for modification C:\Windows\SysWOW64\Ndidbn32.exe C:\Windows\SysWOW64\Nbkhfc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lkiqbl32.exe C:\Windows\SysWOW64\Laalifad.exe N/A
File opened for modification C:\Windows\SysWOW64\Lpfijcfl.exe C:\Windows\SysWOW64\Lnhmng32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mcbahlip.exe C:\Windows\SysWOW64\Maaepd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nnhfee32.exe C:\Windows\SysWOW64\Mcbahlip.exe N/A
File opened for modification C:\Windows\SysWOW64\Ndghmo32.exe C:\Windows\SysWOW64\Nbhkac32.exe N/A
File created C:\Windows\SysWOW64\Qcldhk32.dll C:\Windows\SysWOW64\Mjeddggd.exe N/A
File created C:\Windows\SysWOW64\Oaehlf32.dll C:\Windows\SysWOW64\Mkepnjng.exe N/A
File created C:\Windows\SysWOW64\Hlmobp32.dll C:\Windows\SysWOW64\Mcbahlip.exe N/A
File created C:\Windows\SysWOW64\Jjblifaf.dll C:\Windows\SysWOW64\Mciobn32.exe N/A
File created C:\Windows\SysWOW64\Mkepnjng.exe C:\Windows\SysWOW64\Mjeddggd.exe N/A
File created C:\Windows\SysWOW64\Kmalco32.dll C:\Windows\SysWOW64\Nklfoi32.exe N/A
File created C:\Windows\SysWOW64\Cknpkhch.dll C:\Windows\SysWOW64\Nkqpjidj.exe N/A
File created C:\Windows\SysWOW64\Lkfbjdpq.dll C:\Windows\SysWOW64\Nnolfdcn.exe N/A
File opened for modification C:\Windows\SysWOW64\Ncldnkae.exe C:\Windows\SysWOW64\Ndidbn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nkcmohbg.exe C:\Windows\SysWOW64\Ncldnkae.exe N/A
File created C:\Windows\SysWOW64\Mcbahlip.exe C:\Windows\SysWOW64\Maaepd32.exe N/A
File created C:\Windows\SysWOW64\Nklfoi32.exe C:\Windows\SysWOW64\Nnhfee32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nddkgonp.exe C:\Windows\SysWOW64\Nnjbke32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ngedij32.exe C:\Windows\SysWOW64\Ndghmo32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node C:\Users\Admin\AppData\Local\Temp\0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll" C:\Windows\SysWOW64\Laalifad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll" C:\Windows\SysWOW64\Mglack32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ndidbn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll" C:\Windows\SysWOW64\Mcbahlip.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nddkgonp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll" C:\Windows\SysWOW64\Nkqpjidj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll" C:\Windows\SysWOW64\Lpfijcfl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mglack32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nklfoi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll" C:\Windows\SysWOW64\Ndghmo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nklfoi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nddkgonp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nkncdifl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nkncdifl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Laalifad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll" C:\Windows\SysWOW64\Mciobn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mkepnjng.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nkqpjidj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nnolfdcn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll" C:\Windows\SysWOW64\Ncldnkae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ncldnkae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} C:\Users\Admin\AppData\Local\Temp\0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lnhmng32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Maaepd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nbhkac32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nnjbke32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll" C:\Windows\SysWOW64\Liggbi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lpfijcfl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mjeddggd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll" C:\Windows\SysWOW64\Mkepnjng.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nnhfee32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ngedij32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ndidbn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nbkhfc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lkiqbl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mjeddggd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mglack32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll" C:\Windows\SysWOW64\Nklfoi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nbkhfc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll" C:\Windows\SysWOW64\Ndidbn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll" C:\Users\Admin\AppData\Local\Temp\0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mciobn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll" C:\Windows\SysWOW64\Mjeddggd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll" C:\Windows\SysWOW64\Nbhkac32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lpfijcfl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll" C:\Windows\SysWOW64\Nddkgonp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ndghmo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll" C:\Windows\SysWOW64\Nnjbke32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ngedij32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ncldnkae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Liggbi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lkiqbl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mcbahlip.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll" C:\Windows\SysWOW64\Nnhfee32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll" C:\Windows\SysWOW64\Nnolfdcn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll" C:\Windows\SysWOW64\Nbkhfc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll" C:\Windows\SysWOW64\Lkiqbl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll" C:\Windows\SysWOW64\Lnhmng32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ndghmo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nnolfdcn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mciobn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll" C:\Windows\SysWOW64\Ngedij32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1468 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe C:\Windows\SysWOW64\Liggbi32.exe
PID 1468 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe C:\Windows\SysWOW64\Liggbi32.exe
PID 1468 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe C:\Windows\SysWOW64\Liggbi32.exe
PID 4504 wrote to memory of 1268 N/A C:\Windows\SysWOW64\Liggbi32.exe C:\Windows\SysWOW64\Laalifad.exe
PID 4504 wrote to memory of 1268 N/A C:\Windows\SysWOW64\Liggbi32.exe C:\Windows\SysWOW64\Laalifad.exe
PID 4504 wrote to memory of 1268 N/A C:\Windows\SysWOW64\Liggbi32.exe C:\Windows\SysWOW64\Laalifad.exe
PID 1268 wrote to memory of 2216 N/A C:\Windows\SysWOW64\Laalifad.exe C:\Windows\SysWOW64\Lkiqbl32.exe
PID 1268 wrote to memory of 2216 N/A C:\Windows\SysWOW64\Laalifad.exe C:\Windows\SysWOW64\Lkiqbl32.exe
PID 1268 wrote to memory of 2216 N/A C:\Windows\SysWOW64\Laalifad.exe C:\Windows\SysWOW64\Lkiqbl32.exe
PID 2216 wrote to memory of 2344 N/A C:\Windows\SysWOW64\Lkiqbl32.exe C:\Windows\SysWOW64\Lnhmng32.exe
PID 2216 wrote to memory of 2344 N/A C:\Windows\SysWOW64\Lkiqbl32.exe C:\Windows\SysWOW64\Lnhmng32.exe
PID 2216 wrote to memory of 2344 N/A C:\Windows\SysWOW64\Lkiqbl32.exe C:\Windows\SysWOW64\Lnhmng32.exe
PID 2344 wrote to memory of 1276 N/A C:\Windows\SysWOW64\Lnhmng32.exe C:\Windows\SysWOW64\Lpfijcfl.exe
PID 2344 wrote to memory of 1276 N/A C:\Windows\SysWOW64\Lnhmng32.exe C:\Windows\SysWOW64\Lpfijcfl.exe
PID 2344 wrote to memory of 1276 N/A C:\Windows\SysWOW64\Lnhmng32.exe C:\Windows\SysWOW64\Lpfijcfl.exe
PID 1276 wrote to memory of 4844 N/A C:\Windows\SysWOW64\Lpfijcfl.exe C:\Windows\SysWOW64\Mciobn32.exe
PID 1276 wrote to memory of 4844 N/A C:\Windows\SysWOW64\Lpfijcfl.exe C:\Windows\SysWOW64\Mciobn32.exe
PID 1276 wrote to memory of 4844 N/A C:\Windows\SysWOW64\Lpfijcfl.exe C:\Windows\SysWOW64\Mciobn32.exe
PID 4844 wrote to memory of 4968 N/A C:\Windows\SysWOW64\Mciobn32.exe C:\Windows\SysWOW64\Mjeddggd.exe
PID 4844 wrote to memory of 4968 N/A C:\Windows\SysWOW64\Mciobn32.exe C:\Windows\SysWOW64\Mjeddggd.exe
PID 4844 wrote to memory of 4968 N/A C:\Windows\SysWOW64\Mciobn32.exe C:\Windows\SysWOW64\Mjeddggd.exe
PID 4968 wrote to memory of 3676 N/A C:\Windows\SysWOW64\Mjeddggd.exe C:\Windows\SysWOW64\Mkepnjng.exe
PID 4968 wrote to memory of 3676 N/A C:\Windows\SysWOW64\Mjeddggd.exe C:\Windows\SysWOW64\Mkepnjng.exe
PID 4968 wrote to memory of 3676 N/A C:\Windows\SysWOW64\Mjeddggd.exe C:\Windows\SysWOW64\Mkepnjng.exe
PID 3676 wrote to memory of 868 N/A C:\Windows\SysWOW64\Mkepnjng.exe C:\Windows\SysWOW64\Mglack32.exe
PID 3676 wrote to memory of 868 N/A C:\Windows\SysWOW64\Mkepnjng.exe C:\Windows\SysWOW64\Mglack32.exe
PID 3676 wrote to memory of 868 N/A C:\Windows\SysWOW64\Mkepnjng.exe C:\Windows\SysWOW64\Mglack32.exe
PID 868 wrote to memory of 1900 N/A C:\Windows\SysWOW64\Mglack32.exe C:\Windows\SysWOW64\Maaepd32.exe
PID 868 wrote to memory of 1900 N/A C:\Windows\SysWOW64\Mglack32.exe C:\Windows\SysWOW64\Maaepd32.exe
PID 868 wrote to memory of 1900 N/A C:\Windows\SysWOW64\Mglack32.exe C:\Windows\SysWOW64\Maaepd32.exe
PID 1900 wrote to memory of 1540 N/A C:\Windows\SysWOW64\Maaepd32.exe C:\Windows\SysWOW64\Mcbahlip.exe
PID 1900 wrote to memory of 1540 N/A C:\Windows\SysWOW64\Maaepd32.exe C:\Windows\SysWOW64\Mcbahlip.exe
PID 1900 wrote to memory of 1540 N/A C:\Windows\SysWOW64\Maaepd32.exe C:\Windows\SysWOW64\Mcbahlip.exe
PID 1540 wrote to memory of 948 N/A C:\Windows\SysWOW64\Mcbahlip.exe C:\Windows\SysWOW64\Nnhfee32.exe
PID 1540 wrote to memory of 948 N/A C:\Windows\SysWOW64\Mcbahlip.exe C:\Windows\SysWOW64\Nnhfee32.exe
PID 1540 wrote to memory of 948 N/A C:\Windows\SysWOW64\Mcbahlip.exe C:\Windows\SysWOW64\Nnhfee32.exe
PID 948 wrote to memory of 3344 N/A C:\Windows\SysWOW64\Nnhfee32.exe C:\Windows\SysWOW64\Nklfoi32.exe
PID 948 wrote to memory of 3344 N/A C:\Windows\SysWOW64\Nnhfee32.exe C:\Windows\SysWOW64\Nklfoi32.exe
PID 948 wrote to memory of 3344 N/A C:\Windows\SysWOW64\Nnhfee32.exe C:\Windows\SysWOW64\Nklfoi32.exe
PID 3344 wrote to memory of 1212 N/A C:\Windows\SysWOW64\Nklfoi32.exe C:\Windows\SysWOW64\Nnjbke32.exe
PID 3344 wrote to memory of 1212 N/A C:\Windows\SysWOW64\Nklfoi32.exe C:\Windows\SysWOW64\Nnjbke32.exe
PID 3344 wrote to memory of 1212 N/A C:\Windows\SysWOW64\Nklfoi32.exe C:\Windows\SysWOW64\Nnjbke32.exe
PID 1212 wrote to memory of 860 N/A C:\Windows\SysWOW64\Nnjbke32.exe C:\Windows\SysWOW64\Nddkgonp.exe
PID 1212 wrote to memory of 860 N/A C:\Windows\SysWOW64\Nnjbke32.exe C:\Windows\SysWOW64\Nddkgonp.exe
PID 1212 wrote to memory of 860 N/A C:\Windows\SysWOW64\Nnjbke32.exe C:\Windows\SysWOW64\Nddkgonp.exe
PID 860 wrote to memory of 1116 N/A C:\Windows\SysWOW64\Nddkgonp.exe C:\Windows\SysWOW64\Nkncdifl.exe
PID 860 wrote to memory of 1116 N/A C:\Windows\SysWOW64\Nddkgonp.exe C:\Windows\SysWOW64\Nkncdifl.exe
PID 860 wrote to memory of 1116 N/A C:\Windows\SysWOW64\Nddkgonp.exe C:\Windows\SysWOW64\Nkncdifl.exe
PID 1116 wrote to memory of 1808 N/A C:\Windows\SysWOW64\Nkncdifl.exe C:\Windows\SysWOW64\Nbhkac32.exe
PID 1116 wrote to memory of 1808 N/A C:\Windows\SysWOW64\Nkncdifl.exe C:\Windows\SysWOW64\Nbhkac32.exe
PID 1116 wrote to memory of 1808 N/A C:\Windows\SysWOW64\Nkncdifl.exe C:\Windows\SysWOW64\Nbhkac32.exe
PID 1808 wrote to memory of 1644 N/A C:\Windows\SysWOW64\Nbhkac32.exe C:\Windows\SysWOW64\Ndghmo32.exe
PID 1808 wrote to memory of 1644 N/A C:\Windows\SysWOW64\Nbhkac32.exe C:\Windows\SysWOW64\Ndghmo32.exe
PID 1808 wrote to memory of 1644 N/A C:\Windows\SysWOW64\Nbhkac32.exe C:\Windows\SysWOW64\Ndghmo32.exe
PID 1644 wrote to memory of 444 N/A C:\Windows\SysWOW64\Ndghmo32.exe C:\Windows\SysWOW64\Ngedij32.exe
PID 1644 wrote to memory of 444 N/A C:\Windows\SysWOW64\Ndghmo32.exe C:\Windows\SysWOW64\Ngedij32.exe
PID 1644 wrote to memory of 444 N/A C:\Windows\SysWOW64\Ndghmo32.exe C:\Windows\SysWOW64\Ngedij32.exe
PID 444 wrote to memory of 2876 N/A C:\Windows\SysWOW64\Ngedij32.exe C:\Windows\SysWOW64\Nkqpjidj.exe
PID 444 wrote to memory of 2876 N/A C:\Windows\SysWOW64\Ngedij32.exe C:\Windows\SysWOW64\Nkqpjidj.exe
PID 444 wrote to memory of 2876 N/A C:\Windows\SysWOW64\Ngedij32.exe C:\Windows\SysWOW64\Nkqpjidj.exe
PID 2876 wrote to memory of 4488 N/A C:\Windows\SysWOW64\Nkqpjidj.exe C:\Windows\SysWOW64\Nnolfdcn.exe
PID 2876 wrote to memory of 4488 N/A C:\Windows\SysWOW64\Nkqpjidj.exe C:\Windows\SysWOW64\Nnolfdcn.exe
PID 2876 wrote to memory of 4488 N/A C:\Windows\SysWOW64\Nkqpjidj.exe C:\Windows\SysWOW64\Nnolfdcn.exe
PID 4488 wrote to memory of 2244 N/A C:\Windows\SysWOW64\Nnolfdcn.exe C:\Windows\SysWOW64\Nbkhfc32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Liggbi32.exe

C:\Windows\system32\Liggbi32.exe

C:\Windows\SysWOW64\Laalifad.exe

C:\Windows\system32\Laalifad.exe

C:\Windows\SysWOW64\Lkiqbl32.exe

C:\Windows\system32\Lkiqbl32.exe

C:\Windows\SysWOW64\Lnhmng32.exe

C:\Windows\system32\Lnhmng32.exe

C:\Windows\SysWOW64\Lpfijcfl.exe

C:\Windows\system32\Lpfijcfl.exe

C:\Windows\SysWOW64\Mciobn32.exe

C:\Windows\system32\Mciobn32.exe

C:\Windows\SysWOW64\Mjeddggd.exe

C:\Windows\system32\Mjeddggd.exe

C:\Windows\SysWOW64\Mkepnjng.exe

C:\Windows\system32\Mkepnjng.exe

C:\Windows\SysWOW64\Mglack32.exe

C:\Windows\system32\Mglack32.exe

C:\Windows\SysWOW64\Maaepd32.exe

C:\Windows\system32\Maaepd32.exe

C:\Windows\SysWOW64\Mcbahlip.exe

C:\Windows\system32\Mcbahlip.exe

C:\Windows\SysWOW64\Nnhfee32.exe

C:\Windows\system32\Nnhfee32.exe

C:\Windows\SysWOW64\Nklfoi32.exe

C:\Windows\system32\Nklfoi32.exe

C:\Windows\SysWOW64\Nnjbke32.exe

C:\Windows\system32\Nnjbke32.exe

C:\Windows\SysWOW64\Nddkgonp.exe

C:\Windows\system32\Nddkgonp.exe

C:\Windows\SysWOW64\Nkncdifl.exe

C:\Windows\system32\Nkncdifl.exe

C:\Windows\SysWOW64\Nbhkac32.exe

C:\Windows\system32\Nbhkac32.exe

C:\Windows\SysWOW64\Ndghmo32.exe

C:\Windows\system32\Ndghmo32.exe

C:\Windows\SysWOW64\Ngedij32.exe

C:\Windows\system32\Ngedij32.exe

C:\Windows\SysWOW64\Nkqpjidj.exe

C:\Windows\system32\Nkqpjidj.exe

C:\Windows\SysWOW64\Nnolfdcn.exe

C:\Windows\system32\Nnolfdcn.exe

C:\Windows\SysWOW64\Nbkhfc32.exe

C:\Windows\system32\Nbkhfc32.exe

C:\Windows\SysWOW64\Ndidbn32.exe

C:\Windows\system32\Ndidbn32.exe

C:\Windows\SysWOW64\Ncldnkae.exe

C:\Windows\system32\Ncldnkae.exe

C:\Windows\SysWOW64\Nkcmohbg.exe

C:\Windows\system32\Nkcmohbg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1876 -ip 1876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 400

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp

Files

memory/1468-5-0x0000000000431000-0x0000000000432000-memory.dmp

memory/1468-2-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Liggbi32.exe

MD5 f590316a0f7915a3be73e930fe4c5ce1
SHA1 96ed54324661c1307eb1d76145928638ed3ad3bf
SHA256 8a3a52431a4c5b04991576b6276af05e8fb7eb462c1664d0fe922126ed47ea65
SHA512 00fce62b648fae20395ddb6368c76d3412cb16db6cf1698ef3ad27c3fd6bf1f5dcd9209911208bf2171c53f082ce0c311f1e0b27aef82ec4c71043d6d82f2631

memory/4504-8-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Laalifad.exe

MD5 3c31932bd782f9723b829fc0d3f77ab9
SHA1 5bb6542acfb84e874f395087ff33cf9a5a1402a3
SHA256 cf94f4e63eb11017fccaae795fc5425c363d010dc34183dd2e13b7f3c6c3f79a
SHA512 ff0362e09bf26374cd852ea616d6ffaecc9ca404052fad656fadc80250df4f635879975e5a3c580251a403eb018fb439befc177b60f018132610825ca8984fd1

memory/1268-16-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Lkiqbl32.exe

MD5 7b37aa8a520617140a1c9c1812c24d87
SHA1 46f4511e7dab41da7f4b3d27e9391e508bbe2cfa
SHA256 d09a9762a2c2e71feea21287059f0adf3ebf0aa8c73b3a4f3a3d972f2209dd8b
SHA512 07a068ea0f094f9422a287228256236b2d37fc2bac7bff00d4c91691a7bb308ff46bcd947b29c9d65ccd9a42d5aa6233357a9bfa729c31b09b2acfa8844818ee

memory/2216-29-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Lnhmng32.exe

MD5 8ffd4f2536b2a5bd737d952c0a9c2549
SHA1 2a76255ead787290111e3edf31c3c5a58559ee1f
SHA256 1769748b43a0bc28b7be1dbbd012336d99e71ccfabe5bd5fc66861758533c462
SHA512 9390eecd7376bb3368b885158b98fbe4f34962074fc9e0e02a417e4dfd1c94829ce0d6efa5514e12c73e4c94dadbd19ec3f82d48e85340d29475b968400d7f02

C:\Windows\SysWOW64\Lpfijcfl.exe

MD5 db9a96f5715cca603a4e94c92e4cec55
SHA1 797b80efc09f00e666797e98e9b473d76696292c
SHA256 6d6d13845caf689444bb16b43f0391f9069bdb5a1127fb255441381f3f2425b6
SHA512 6ff22609da282e26af21d75ccf6bf5ab815143cc1f658a7d09f7364d427ec862e7a7d1e6f1dca1f5dec31213231b6c25d9bbd762c9226c1e85808d49b59a6a31

memory/1276-41-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2344-37-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Mciobn32.exe

MD5 01eff9ad5ebb6fa8db3b0aa436071e99
SHA1 382a28cc56469f08490bd6dd65291fcecf5054dd
SHA256 48a646f59487a8889ec6b291ac5713091218a732f0af98b475580084822eab2c
SHA512 2a287c961d20a043331f3a671c933165a72aa1c657b4f5f10a72797bdc785a7c69c5e9bb7d594c6152be4183f945b5c74fdaa5d5984ec48bd1762e73239593a2

memory/4844-49-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Mjeddggd.exe

MD5 0effe23fa00efbc5cd68d72cbf356e9e
SHA1 685eba06922bd0bcb513c2d52839abd225e80cc8
SHA256 923647e4cb3e2db4b09d6a33f61a0f0f09171da3738f3eb5ec77a2c5eda79ab2
SHA512 ef1cba34ae919845b832873f73ee50cf31156adbecce1b82584cee6126849937166159c9e963db1d3e20d48d6db9d00d18aed9bcdb6eb9c8739bac8468568e8a

memory/4968-56-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Mkepnjng.exe

MD5 d8976aef1da8cab0e4bb1c8cef8cf66a
SHA1 0f9d305f1d7515ab153d150dc97a4defadc8c42b
SHA256 925343b7452e360afcc3ff0e1f66e34849e04ac5919f002969f5d2f693fa7d21
SHA512 eae89a76f598abf1b9ccff8ab31c552b20e3c267c18aedda69e298b4ec79b19b0e8f41047059fb4ae15c89da7a2553ed998aa6836bfadacc9fab33538f22cbc8

memory/3676-65-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Mglack32.exe

MD5 3bac0fa979c942eeeb8172b03fc41bc1
SHA1 f121b434e4b6e9e83b3b04100e7fb70e70fd8c58
SHA256 09e6309618fe4b387bef2055fe873f977785f5bce52a3498da7a9a6c084279a6
SHA512 b495a790d54ff21d3f7baf88bb286cec8792771d4d1f4d28a7188968160625dbae03dd5fc8560f7e42206b05d899c04b7b7cc8a64884dd22466df1edc82ae7da

memory/868-73-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Maaepd32.exe

MD5 9f7ca3fd964ef491123290d2e6c97da6
SHA1 24d420b66e0130c0fbd9552123cbfd7c8f46d177
SHA256 2e61cab514950dd560c6736284bac0968097d0cc7d6d322f3727dc440c8e94af
SHA512 4c0ca707345c1a6c1446ea9636b7c74a7dcefc5c10e527dbbde53c264d387b8a6a2f49abb935f253f1447621321982506ea0dfcadc603c00131cfe26dba92d54

memory/1900-81-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Mcbahlip.exe

MD5 3c524fa02ce17c0b6bc8b03df0d8a989
SHA1 809ed32dc45106781697fd9cfe237e70725ba21e
SHA256 90ea67d03304031da06c9e7693dce1f4c7eb21d8f3096ffef7334aa422e1cc26
SHA512 f06b79ceaa1862e70567f98796fc4367a1355757b50380075bc72825b22b266c1c0b28de611902076d1f7b1344281d2613b53b9fec6436dc51c03e733798755b

memory/1540-94-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Nnhfee32.exe

MD5 52b8928624f6571cd6671e3771914ceb
SHA1 145f81555814da01c41f283415d7d44caa4b55b7
SHA256 778e3e7c5441145db896dce0ce692972e9ddbcd6c4b442b436eeed19345e72ef
SHA512 54b6ed50bd5113aec9cbbf494bc79f17f64669018b47c68dbc751d7106866a1bc62be9e173fa30770f0e4b2390df3f169e227a5eb1f6544902227067d5c8d79b

memory/948-97-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Nklfoi32.exe

MD5 03bd06f47c4213c6975be82e821a41bc
SHA1 8b81fade30ac57a283d527c114f4c3dcb71c5bb9
SHA256 cebd316f508a6ecc128bba141d78a69d2397130cd7aee54d9057b61eda2007b2
SHA512 cdc78c2c32f484685b8e610feb6107a2d1373b8615ae6fa5df101ea2d8406de82195424cc7550b33cd6b6243688ec5215fd7dc9d64a95b325651a200686f4177

C:\Windows\SysWOW64\Nnjbke32.exe

MD5 caf91a26e55c564d633f295cb3489242
SHA1 03adc2c48cfed67ce406bfc8e19a4d299f119d18
SHA256 10e79b13c718697d83dea2ca346b77a5f5bfcb5d7219df35c52d895f48f99e03
SHA512 fbca761d8503497a770a2366d108308d964689fdf0dca44cabccd0a434bee45c868c5fcf455eb8f4dda0dd4c6f08806361341c3c4767ae4a09eae67cb86f673b

C:\Windows\SysWOW64\Nddkgonp.exe

MD5 1b94ff9c263f422b82742f1998a481e0
SHA1 a9cb6cf55e853b05fe269bf0db7a36a35b46e154
SHA256 d2c6108d43a113e1270c61bfab2070f63cedc2283fe8607d409d2517102cfb1f
SHA512 e0f2c4591602b27cdf32b3fd42a89ee654896c8649afc298dfc4b6a76f79650b49e3f54252ed4d3ed4a7cdc86b4182fa1634e0aa5c5130e6526c7640f2123ace

C:\Windows\SysWOW64\Nkncdifl.exe

MD5 8132036c5548f06e6ef9ed3bf472807c
SHA1 fa3f72043547571a302f951c3e0325997bc74bd8
SHA256 cdd0b0ad7cecce9be3c7222f2b59688fd08a9e79ffe7f6dc242cfd6c169e5952
SHA512 7361b1b95398e7c14f72cb7aba5b84d058b4205e62022b1d828f8d20a3c58d561adc17857c9cda7a1d5e461b287e1b7ec9b4a9779a98e98bb877f102298fb5e4

C:\Windows\SysWOW64\Ndghmo32.exe

MD5 73eb075999980ee6cad8abe11d44a7dd
SHA1 21bb5e112ea5f9faf1294093c79445ab598c387e
SHA256 8efe4a58f0beff58549ba72fc301bbdc3943ed1e684a6d2f97cafc3860e062e0
SHA512 f9dfb17f137b52079f7939f27801ee0332d1d65b483dd3bc984fb20ddcf458806f280f39f0659bbc119c7326f1eeb123c9f04c91233adf77b3e2a4d804d26dde

C:\Windows\SysWOW64\Nkqpjidj.exe

MD5 ea8bbadb272ade35f8b0f36e11529254
SHA1 faab84ec6d091abcf76feab8a01a629544f0aeaf
SHA256 33d884ff8db335e4545d2e5ec9603c63448400deed5c4e42498c431b1fb58254
SHA512 2d57474e0c333b296b2d1acf3a3b490134c8aa30d90f029e0fde6c23bfeaf96a1fb059536cddfa3b3ab64659b3230b43d0ffb8b9f9ad8b735686b7f9f862ec96

C:\Windows\SysWOW64\Nbkhfc32.exe

MD5 0d75049eb7b8f284f333d6f799aac9a3
SHA1 05dec32b1ca99128ff62855ee50c992f1f263f15
SHA256 54a6ccbb6711a71da16969f6d8b9bdc9d5a85327bac89ed5390f89ead38bb283
SHA512 a248f24792691efb2e4d9608cc6177988c4b0c6116f49aa8a34109db94ce100c19c14ccee6ee157d68cc161b3e4c09c12039f91a1661a5d785c461a7c51b3975

C:\Windows\SysWOW64\Nkcmohbg.exe

MD5 ef30b1c25caa3b72752308af0d6d38db
SHA1 b2206ef09ff0e291011ae29f31f06c712825f650
SHA256 ecbed464db25c8be935dc825e7d6989a2ddc10b3751521a40318d103532483a2
SHA512 2966dcf17f7d08b23f84c912454ab68ab965176944f42de80da92be5b606d473f3c6dc29823cd330c8522590f6f17e65633536fdc221f57b3de7f2e1e9eb6511

C:\Windows\SysWOW64\Ncldnkae.exe

MD5 34247876e52e31416d18ac33fcbc5d5d
SHA1 aeb7d26fbdcdbb64879e10f1fe1fdac1a646495d
SHA256 a81775004bbc1131df722997746fc4d6afa034e5e91d997b48f867be4e652c43
SHA512 4471fdc4acb6d861529c0f3ce4c9b8715f1ff1b3c1b03a622abe4c99bf8d8970cc51305bbae66a8d1d1280ba7018ee59732154e5a5e20b00e98d505e8804cc0b

C:\Windows\SysWOW64\Ndidbn32.exe

MD5 20e61612dbd2e7f3efd15e2b87e0eb5c
SHA1 6ca1faca838399066a7cef134e6fb628344f5d82
SHA256 581691cb98209dd513fbde313987223b0dfc75e5371126db5eb172f8eb3f5455
SHA512 09dcc2661b1c4f123f8babb1505c55e8a059be0677cecdd97e80dd4bf23a0bcd8be8832dd7a21d6bc5cb02cec8211e5186fd1a2801650c8080570835932c65e4

memory/868-221-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1468-237-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4504-235-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1268-233-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1276-229-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4844-227-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4968-225-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3676-223-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1900-219-0x0000000000400000-0x0000000000433000-memory.dmp

memory/948-216-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1644-209-0x0000000000400000-0x0000000000433000-memory.dmp

memory/444-207-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2876-205-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4488-203-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2244-201-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2052-199-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3056-197-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1876-195-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Nnolfdcn.exe

MD5 eb95cb2b1f2d5c99ecfbeb9416c00c1b
SHA1 53abd2c8e5abd19559973b485a0f898304212fed
SHA256 cf56932e0150a6b5218ec44e97a58f2d0d5d9e269a064a200cc2ff7501bb835c
SHA512 e2658a2f5e4ac0dc26e009f2f24050ce900b87f4d6f25075aff1e0bef684a1f307b3a148b15948e80dcd12e952586c0039eb839f356fc35978536eed9bb5cd4b

C:\Windows\SysWOW64\Ngedij32.exe

MD5 7a885308c85c6fa18c3d738b13af2a50
SHA1 2992e0cdad4373696b62eeab66f0827b8622a495
SHA256 9c8fdc31fb6fe7973566652921130c974c17062665ccd902b67d7bc604644ccc
SHA512 808d5b4f214c4e2bdd3a3368b4d98b65b5b25a89c771a958084f3de7b542fa2777e10d24af77ce46884f6d4731934e83e50c087fa6b18938427d8aceabceeb22

memory/1808-141-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1116-140-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Nbhkac32.exe

MD5 723b0920da76f2331502100f98a45edf
SHA1 e0dbbfc8545b830f6093dbfc31c77b7b8027708a
SHA256 953880b4f65763701c8b2cd5d6ab023fc1e3fcbc2ffe8d87ac410fe97da9afb0
SHA512 957f356cedd380b109fd0a54b0d1dece2de00906c30bbc0e70b24dda540a0bfbd20b888b9fe2002c351265ef83203d97b25884e858027590627f7da7030db5b5

memory/860-126-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1212-118-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3344-117-0x0000000000400000-0x0000000000433000-memory.dmp