Analysis Overview
SHA256
fd845b7fe9aa1c8d6e2c3f3d315a88aff5ba878847d4d749ad8b6fd1873b2457
Threat Level: Known bad
The file 0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Berbew family
Malware Dropper & Backdoor - Berbew
Adds autorun key to be loaded by Explorer.exe on startup
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Program crash
Unsigned PE
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-01 23:18
Signatures
Berbew family
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 23:18
Reported
2024-06-01 23:20
Platform
win7-20240215-en
Max time kernel
146s
Max time network
123s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dfgmhd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hggomh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Apajlhka.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Afkbib32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ckdjbh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gpmjak32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gelppaof.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Idceea32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dgdmmgpj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ecmkghcl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gobgcg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bkodhe32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Chemfl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hjhhocjj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cngcjo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cdlnkmha.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cljcelan.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dqelenlc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gbijhg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ddeaalpg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dgdmmgpj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Eqonkmdh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fjgoce32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Idceea32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Eajaoq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Afkbib32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Djnpnc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Eajaoq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fioija32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hcplhi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Amndem32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Apcfahio.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bdjefj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gbijhg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gddifnbk.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hjjddchg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cdlnkmha.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Eloemi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fmekoalh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gdamqndn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hgilchkf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bnpmipql.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bdooajdc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Emeopn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ejbfhfaj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fckjalhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Facdeo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ghfbqn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Aalmklfi.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Eijcpoac.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fcmgfkeg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hnagjbdf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Amndem32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cgbdhd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Eqonkmdh.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Eeempocb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ghfbqn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cngcjo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hobcak32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dnlidb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Egamfkdh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fbgmbg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dflkdp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hdfflm32.exe | N/A |
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\Dgfjbgmh.exe | C:\Windows\SysWOW64\Doobajme.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ebinic32.exe | C:\Windows\SysWOW64\Ejbfhfaj.exe | N/A |
| File created | C:\Windows\SysWOW64\Gaemjbcg.exe | C:\Windows\SysWOW64\Gogangdc.exe | N/A |
| File created | C:\Windows\SysWOW64\Bhpdae32.dll | C:\Windows\SysWOW64\Hdhbam32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hgilchkf.exe | C:\Windows\SysWOW64\Hobcak32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ndejjf32.dll | C:\Windows\SysWOW64\Amndem32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dlcdphdj.dll | C:\Windows\SysWOW64\Chemfl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nlbodgap.dll | C:\Windows\SysWOW64\Ckdjbh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mkaggelk.dll | C:\Windows\SysWOW64\Doobajme.exe | N/A |
| File created | C:\Windows\SysWOW64\Eqonkmdh.exe | C:\Windows\SysWOW64\Dgfjbgmh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Eajaoq32.exe | C:\Windows\SysWOW64\Enkece32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nokeef32.dll | C:\Windows\SysWOW64\Hnagjbdf.exe | N/A |
| File created | C:\Windows\SysWOW64\Ahchbf32.exe | C:\Windows\SysWOW64\Aplpai32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Afkbib32.exe | C:\Windows\SysWOW64\Apajlhka.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dgdmmgpj.exe | C:\Windows\SysWOW64\Ddeaalpg.exe | N/A |
| File created | C:\Windows\SysWOW64\Dfgmhd32.exe | C:\Windows\SysWOW64\Dgdmmgpj.exe | N/A |
| File created | C:\Windows\SysWOW64\Fmekoalh.exe | C:\Windows\SysWOW64\Fjgoce32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gobgcg32.exe | C:\Windows\SysWOW64\Gbkgnfbd.exe | N/A |
| File created | C:\Windows\SysWOW64\Qoflni32.dll | C:\Windows\SysWOW64\Cgbdhd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fglhobmg.dll | C:\Windows\SysWOW64\Dgmglh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Emeopn32.exe | C:\Windows\SysWOW64\Eijcpoac.exe | N/A |
| File created | C:\Windows\SysWOW64\Eeqdep32.exe | C:\Windows\SysWOW64\Ebbgid32.exe | N/A |
| File created | C:\Windows\SysWOW64\Eiomkn32.exe | C:\Windows\SysWOW64\Efppoc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ejbfhfaj.exe | C:\Windows\SysWOW64\Eloemi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lnnhje32.dll | C:\Windows\SysWOW64\Globlmmj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hjhhocjj.exe | C:\Windows\SysWOW64\Hgilchkf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dgmglh32.exe | C:\Windows\SysWOW64\Dflkdp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dnlidb32.exe | C:\Windows\SysWOW64\Ddcdkl32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hhmepp32.exe | C:\Windows\SysWOW64\Hjjddchg.exe | N/A |
| File created | C:\Windows\SysWOW64\Ojhcelga.dll | C:\Windows\SysWOW64\Hhmepp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Aalmklfi.exe | C:\Windows\SysWOW64\Ahchbf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fcmgfkeg.exe | C:\Windows\SysWOW64\Fnpnndgp.exe | N/A |
| File created | C:\Windows\SysWOW64\Ddgkcd32.dll | C:\Windows\SysWOW64\Dqelenlc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Djnpnc32.exe | C:\Windows\SysWOW64\Dgodbh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ecmkghcl.exe | C:\Windows\SysWOW64\Eqonkmdh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gpmjak32.exe | C:\Windows\SysWOW64\Ghfbqn32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bkodhe32.exe | C:\Windows\SysWOW64\Apcfahio.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bdjefj32.exe | C:\Windows\SysWOW64\Bnpmipql.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Epieghdk.exe | C:\Windows\SysWOW64\Elmigj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hpapln32.exe | C:\Windows\SysWOW64\Hjhhocjj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bopicc32.exe | C:\Windows\SysWOW64\Bdjefj32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Coklgg32.exe | C:\Windows\SysWOW64\Cljcelan.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hjjddchg.exe | C:\Windows\SysWOW64\Hcplhi32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Eeqdep32.exe | C:\Windows\SysWOW64\Ebbgid32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ebedndfa.exe | C:\Windows\SysWOW64\Ekklaj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pheafa32.dll | C:\Windows\SysWOW64\Cbkeib32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cdlnkmha.exe | C:\Windows\SysWOW64\Ckdjbh32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Apajlhka.exe | C:\Windows\SysWOW64\Aalmklfi.exe | N/A |
| File created | C:\Windows\SysWOW64\Bkodhe32.exe | C:\Windows\SysWOW64\Apcfahio.exe | N/A |
| File created | C:\Windows\SysWOW64\Iklgpmjo.dll | C:\Windows\SysWOW64\Bdooajdc.exe | N/A |
| File created | C:\Windows\SysWOW64\Lpdhmlbj.dll | C:\Windows\SysWOW64\Elmigj32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fckjalhj.exe | C:\Windows\SysWOW64\Ebinic32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gbkgnfbd.exe | C:\Windows\SysWOW64\Gpmjak32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qbbfopeg.exe | C:\Users\Admin\AppData\Local\Temp\0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe | N/A |
| File created | C:\Windows\SysWOW64\Ipghqomc.dll | C:\Windows\SysWOW64\Afdlhchf.exe | N/A |
| File created | C:\Windows\SysWOW64\Jondlhmp.dll | C:\Windows\SysWOW64\Gelppaof.exe | N/A |
| File created | C:\Windows\SysWOW64\Hgilchkf.exe | C:\Windows\SysWOW64\Hobcak32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gbijhg32.exe | C:\Windows\SysWOW64\Globlmmj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Chemfl32.exe | C:\Windows\SysWOW64\Cbkeib32.exe | N/A |
| File created | C:\Windows\SysWOW64\Globlmmj.exe | C:\Windows\SysWOW64\Fiaeoang.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dfgmhd32.exe | C:\Windows\SysWOW64\Dgdmmgpj.exe | N/A |
| File created | C:\Windows\SysWOW64\Efppoc32.exe | C:\Windows\SysWOW64\Ebedndfa.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Elmigj32.exe | C:\Windows\SysWOW64\Egamfkdh.exe | N/A |
| File created | C:\Windows\SysWOW64\Eajaoq32.exe | C:\Windows\SysWOW64\Enkece32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Iagfoe32.exe |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhekfh32.dll" | C:\Windows\SysWOW64\Ahchbf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcbndm32.dll" | C:\Windows\SysWOW64\Dflkdp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fglhobmg.dll" | C:\Windows\SysWOW64\Dgmglh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Elmigj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Enkece32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Afkbib32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pheafa32.dll" | C:\Windows\SysWOW64\Cbkeib32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdoik32.dll" | C:\Windows\SysWOW64\Ecmkghcl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egdnbg32.dll" | C:\Windows\SysWOW64\Eijcpoac.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Eiomkn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Eloemi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhaablp.dll" | C:\Windows\SysWOW64\Hjjddchg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dqelenlc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Doobajme.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Emeopn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Eiomkn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lonkjenl.dll" | C:\Windows\SysWOW64\Eajaoq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkamkfgh.dll" | C:\Windows\SysWOW64\Fhkpmjln.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hdfflm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hdhbam32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkjecnop.dll" | C:\Windows\SysWOW64\Bhcdaibd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ognnoaka.dll" | C:\Windows\SysWOW64\Cngcjo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkaggelk.dll" | C:\Windows\SysWOW64\Doobajme.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Elmigj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lponfjoo.dll" | C:\Windows\SysWOW64\Hpapln32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Afkbib32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Egamfkdh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enlbgc32.dll" | C:\Windows\SysWOW64\Hggomh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ghmiam32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfabenjd.dll" | C:\Windows\SysWOW64\Gaemjbcg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gaemjbcg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hkpnhgge.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Qbbfopeg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hecjkifm.dll" | C:\Windows\SysWOW64\Ddcdkl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikkbnm32.dll" | C:\Windows\SysWOW64\Fpdhklkl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghqknigk.dll" | C:\Windows\SysWOW64\Facdeo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | C:\Users\Admin\AppData\Local\Temp\0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aplpai32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fmekoalh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fioija32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maphhihi.dll" | C:\Windows\SysWOW64\Eeqdep32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Fpdhklkl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpfgi32.dll" | C:\Windows\SysWOW64\Gbijhg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jondlhmp.dll" | C:\Windows\SysWOW64\Gelppaof.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndejjf32.dll" | C:\Windows\SysWOW64\Amndem32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Amndem32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bdooajdc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Clcflkic.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipghqomc.dll" | C:\Windows\SysWOW64\Afdlhchf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Flabbihl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fpdhklkl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Gogangdc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cngcjo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glpjaf32.dll" | C:\Windows\SysWOW64\Emeopn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Epieghdk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bccnbmal.dll" | C:\Windows\SysWOW64\Fmekoalh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgqjffca.dll" | C:\Windows\SysWOW64\Ebpkce32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Eeqdep32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbolehjh.dll" | C:\Windows\SysWOW64\Ebedndfa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hjhhocjj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cgbdhd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dhmcfkme.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ddeaalpg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dfgmhd32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe" |
| C:\Windows\SysWOW64\Qbbfopeg.exe | C:\Windows\system32\Qbbfopeg.exe |
| C:\Windows\SysWOW64\Qmlgonbe.exe | C:\Windows\system32\Qmlgonbe.exe |
| C:\Windows\SysWOW64\Afdlhchf.exe | C:\Windows\system32\Afdlhchf.exe |
| C:\Windows\SysWOW64\Amndem32.exe | C:\Windows\system32\Amndem32.exe |
| C:\Windows\SysWOW64\Aplpai32.exe | C:\Windows\system32\Aplpai32.exe |
| C:\Windows\SysWOW64\Ahchbf32.exe | C:\Windows\system32\Ahchbf32.exe |
| C:\Windows\SysWOW64\Aalmklfi.exe | C:\Windows\system32\Aalmklfi.exe |
| C:\Windows\SysWOW64\Apajlhka.exe | C:\Windows\system32\Apajlhka.exe |
| C:\Windows\SysWOW64\Afkbib32.exe | C:\Windows\system32\Afkbib32.exe |
| C:\Windows\SysWOW64\Apcfahio.exe | C:\Windows\system32\Apcfahio.exe |
| C:\Windows\SysWOW64\Bkodhe32.exe | C:\Windows\system32\Bkodhe32.exe |
| C:\Windows\SysWOW64\Bhcdaibd.exe | C:\Windows\system32\Bhcdaibd.exe |
| C:\Windows\SysWOW64\Bnpmipql.exe | C:\Windows\system32\Bnpmipql.exe |
| C:\Windows\SysWOW64\Bdjefj32.exe | C:\Windows\system32\Bdjefj32.exe |
| C:\Windows\SysWOW64\Bopicc32.exe | C:\Windows\system32\Bopicc32.exe |
| C:\Windows\SysWOW64\Bdooajdc.exe | C:\Windows\system32\Bdooajdc.exe |
| C:\Windows\SysWOW64\Cngcjo32.exe | C:\Windows\system32\Cngcjo32.exe |
| C:\Windows\SysWOW64\Cljcelan.exe | C:\Windows\system32\Cljcelan.exe |
| C:\Windows\SysWOW64\Coklgg32.exe | C:\Windows\system32\Coklgg32.exe |
| C:\Windows\SysWOW64\Cgbdhd32.exe | C:\Windows\system32\Cgbdhd32.exe |
| C:\Windows\SysWOW64\Cbkeib32.exe | C:\Windows\system32\Cbkeib32.exe |
| C:\Windows\SysWOW64\Chemfl32.exe | C:\Windows\system32\Chemfl32.exe |
| C:\Windows\SysWOW64\Ckdjbh32.exe | C:\Windows\system32\Ckdjbh32.exe |
| C:\Windows\SysWOW64\Cdlnkmha.exe | C:\Windows\system32\Cdlnkmha.exe |
| C:\Windows\SysWOW64\Clcflkic.exe | C:\Windows\system32\Clcflkic.exe |
| C:\Windows\SysWOW64\Dflkdp32.exe | C:\Windows\system32\Dflkdp32.exe |
| C:\Windows\SysWOW64\Dgmglh32.exe | C:\Windows\system32\Dgmglh32.exe |
| C:\Windows\SysWOW64\Dqelenlc.exe | C:\Windows\system32\Dqelenlc.exe |
| C:\Windows\SysWOW64\Dhmcfkme.exe | C:\Windows\system32\Dhmcfkme.exe |
| C:\Windows\SysWOW64\Dgodbh32.exe | C:\Windows\system32\Dgodbh32.exe |
| C:\Windows\SysWOW64\Djnpnc32.exe | C:\Windows\system32\Djnpnc32.exe |
| C:\Windows\SysWOW64\Dbehoa32.exe | C:\Windows\system32\Dbehoa32.exe |
| C:\Windows\SysWOW64\Ddcdkl32.exe | C:\Windows\system32\Ddcdkl32.exe |
| C:\Windows\SysWOW64\Dnlidb32.exe | C:\Windows\system32\Dnlidb32.exe |
| C:\Windows\SysWOW64\Ddeaalpg.exe | C:\Windows\system32\Ddeaalpg.exe |
| C:\Windows\SysWOW64\Dgdmmgpj.exe | C:\Windows\system32\Dgdmmgpj.exe |
| C:\Windows\SysWOW64\Dfgmhd32.exe | C:\Windows\system32\Dfgmhd32.exe |
| C:\Windows\SysWOW64\Doobajme.exe | C:\Windows\system32\Doobajme.exe |
| C:\Windows\SysWOW64\Dgfjbgmh.exe | C:\Windows\system32\Dgfjbgmh.exe |
| C:\Windows\SysWOW64\Eqonkmdh.exe | C:\Windows\system32\Eqonkmdh.exe |
| C:\Windows\SysWOW64\Ecmkghcl.exe | C:\Windows\system32\Ecmkghcl.exe |
| C:\Windows\SysWOW64\Ebpkce32.exe | C:\Windows\system32\Ebpkce32.exe |
| C:\Windows\SysWOW64\Eijcpoac.exe | C:\Windows\system32\Eijcpoac.exe |
| C:\Windows\SysWOW64\Emeopn32.exe | C:\Windows\system32\Emeopn32.exe |
| C:\Windows\SysWOW64\Epdkli32.exe | C:\Windows\system32\Epdkli32.exe |
| C:\Windows\SysWOW64\Ebbgid32.exe | C:\Windows\system32\Ebbgid32.exe |
| C:\Windows\SysWOW64\Eeqdep32.exe | C:\Windows\system32\Eeqdep32.exe |
| C:\Windows\SysWOW64\Ekklaj32.exe | C:\Windows\system32\Ekklaj32.exe |
| C:\Windows\SysWOW64\Ebedndfa.exe | C:\Windows\system32\Ebedndfa.exe |
| C:\Windows\SysWOW64\Efppoc32.exe | C:\Windows\system32\Efppoc32.exe |
| C:\Windows\SysWOW64\Eiomkn32.exe | C:\Windows\system32\Eiomkn32.exe |
| C:\Windows\SysWOW64\Egamfkdh.exe | C:\Windows\system32\Egamfkdh.exe |
| C:\Windows\SysWOW64\Elmigj32.exe | C:\Windows\system32\Elmigj32.exe |
| C:\Windows\SysWOW64\Epieghdk.exe | C:\Windows\system32\Epieghdk.exe |
| C:\Windows\SysWOW64\Enkece32.exe | C:\Windows\system32\Enkece32.exe |
| C:\Windows\SysWOW64\Eajaoq32.exe | C:\Windows\system32\Eajaoq32.exe |
| C:\Windows\SysWOW64\Eeempocb.exe | C:\Windows\system32\Eeempocb.exe |
| C:\Windows\SysWOW64\Eloemi32.exe | C:\Windows\system32\Eloemi32.exe |
| C:\Windows\SysWOW64\Ejbfhfaj.exe | C:\Windows\system32\Ejbfhfaj.exe |
| C:\Windows\SysWOW64\Ebinic32.exe | C:\Windows\system32\Ebinic32.exe |
| C:\Windows\SysWOW64\Fckjalhj.exe | C:\Windows\system32\Fckjalhj.exe |
| C:\Windows\SysWOW64\Flabbihl.exe | C:\Windows\system32\Flabbihl.exe |
| C:\Windows\SysWOW64\Fnpnndgp.exe | C:\Windows\system32\Fnpnndgp.exe |
| C:\Windows\SysWOW64\Fcmgfkeg.exe | C:\Windows\system32\Fcmgfkeg.exe |
| C:\Windows\SysWOW64\Fjgoce32.exe | C:\Windows\system32\Fjgoce32.exe |
| C:\Windows\SysWOW64\Fmekoalh.exe | C:\Windows\system32\Fmekoalh.exe |
| C:\Windows\SysWOW64\Fpdhklkl.exe | C:\Windows\system32\Fpdhklkl.exe |
| C:\Windows\SysWOW64\Fhkpmjln.exe | C:\Windows\system32\Fhkpmjln.exe |
| C:\Windows\SysWOW64\Facdeo32.exe | C:\Windows\system32\Facdeo32.exe |
| C:\Windows\SysWOW64\Fioija32.exe | C:\Windows\system32\Fioija32.exe |
| C:\Windows\SysWOW64\Fphafl32.exe | C:\Windows\system32\Fphafl32.exe |
| C:\Windows\SysWOW64\Fbgmbg32.exe | C:\Windows\system32\Fbgmbg32.exe |
| C:\Windows\SysWOW64\Fiaeoang.exe | C:\Windows\system32\Fiaeoang.exe |
| C:\Windows\SysWOW64\Globlmmj.exe | C:\Windows\system32\Globlmmj.exe |
| C:\Windows\SysWOW64\Gbijhg32.exe | C:\Windows\system32\Gbijhg32.exe |
| C:\Windows\SysWOW64\Ghfbqn32.exe | C:\Windows\system32\Ghfbqn32.exe |
| C:\Windows\SysWOW64\Gpmjak32.exe | C:\Windows\system32\Gpmjak32.exe |
| C:\Windows\SysWOW64\Gbkgnfbd.exe | C:\Windows\system32\Gbkgnfbd.exe |
| C:\Windows\SysWOW64\Gobgcg32.exe | C:\Windows\system32\Gobgcg32.exe |
| C:\Windows\SysWOW64\Gelppaof.exe | C:\Windows\system32\Gelppaof.exe |
| C:\Windows\SysWOW64\Gdamqndn.exe | C:\Windows\system32\Gdamqndn.exe |
| C:\Windows\SysWOW64\Ghmiam32.exe | C:\Windows\system32\Ghmiam32.exe |
| C:\Windows\SysWOW64\Gogangdc.exe | C:\Windows\system32\Gogangdc.exe |
| C:\Windows\SysWOW64\Gaemjbcg.exe | C:\Windows\system32\Gaemjbcg.exe |
| C:\Windows\SysWOW64\Gddifnbk.exe | C:\Windows\system32\Gddifnbk.exe |
| C:\Windows\SysWOW64\Hgbebiao.exe | C:\Windows\system32\Hgbebiao.exe |
| C:\Windows\SysWOW64\Hdfflm32.exe | C:\Windows\system32\Hdfflm32.exe |
| C:\Windows\SysWOW64\Hkpnhgge.exe | C:\Windows\system32\Hkpnhgge.exe |
| C:\Windows\SysWOW64\Hnojdcfi.exe | C:\Windows\system32\Hnojdcfi.exe |
| C:\Windows\SysWOW64\Hdhbam32.exe | C:\Windows\system32\Hdhbam32.exe |
| C:\Windows\SysWOW64\Hggomh32.exe | C:\Windows\system32\Hggomh32.exe |
| C:\Windows\SysWOW64\Hnagjbdf.exe | C:\Windows\system32\Hnagjbdf.exe |
| C:\Windows\SysWOW64\Hobcak32.exe | C:\Windows\system32\Hobcak32.exe |
| C:\Windows\SysWOW64\Hgilchkf.exe | C:\Windows\system32\Hgilchkf.exe |
| C:\Windows\SysWOW64\Hjhhocjj.exe | C:\Windows\system32\Hjhhocjj.exe |
| C:\Windows\SysWOW64\Hpapln32.exe | C:\Windows\system32\Hpapln32.exe |
| C:\Windows\SysWOW64\Hcplhi32.exe | C:\Windows\system32\Hcplhi32.exe |
| C:\Windows\SysWOW64\Hjjddchg.exe | C:\Windows\system32\Hjjddchg.exe |
| C:\Windows\SysWOW64\Hhmepp32.exe | C:\Windows\system32\Hhmepp32.exe |
| C:\Windows\SysWOW64\Hogmmjfo.exe | C:\Windows\system32\Hogmmjfo.exe |
| C:\Windows\SysWOW64\Ieqeidnl.exe | C:\Windows\system32\Ieqeidnl.exe |
| C:\Windows\SysWOW64\Idceea32.exe | C:\Windows\system32\Idceea32.exe |
| C:\Windows\SysWOW64\Iagfoe32.exe | C:\Windows\system32\Iagfoe32.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 140 |
Network
Files
memory/2484-0-0x0000000000400000-0x0000000000433000-memory.dmp
\Windows\SysWOW64\Qbbfopeg.exe
| MD5 | 674fddc98e79f3891427fd78d608cad4 |
| SHA1 | b10ea40980c6f90ae08d32565993924a2c37a19c |
| SHA256 | 1879e4586a231f818477dd8ad6d7988e8e312ef49815043e3fa8d6bea986d0ac |
| SHA512 | 56402ba06e2efb04fe0f6ee647221348f393b51cbe605768069ab240231a30233f21ea8c89e15fc3d50a501224d5ea4ac7ce3bcee028d7bf84e607987233904f |
memory/2484-6-0x0000000000440000-0x0000000000473000-memory.dmp
memory/2484-13-0x0000000000440000-0x0000000000473000-memory.dmp
\Windows\SysWOW64\Qmlgonbe.exe
| MD5 | 49956f9593def930e2780f3ffa6730b7 |
| SHA1 | 878819a3961af493f0e1d4080d8d007c6c42aaae |
| SHA256 | 93d7c6257009d525117a27f0bf7899a733c39bc53ae06f993db821eea5d8454e |
| SHA512 | e1b5ba6092faf12657cd60d7c342e0b4702f2183af263c060cf8ed4035751e99fd6d84141552e6f4f7322e0ed670bade1f0b9c5f3e81965f8bd079e6b278d4b3 |
memory/2724-26-0x0000000000250000-0x0000000000283000-memory.dmp
memory/2612-28-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2724-27-0x0000000000250000-0x0000000000283000-memory.dmp
\Windows\SysWOW64\Amndem32.exe
| MD5 | 9329fcd4c04560d36770aa72db479d58 |
| SHA1 | f7cea5852ee8a373246698c801ecb4796248ccc4 |
| SHA256 | 055a50e3f3a9ca1d3987e5276c48cd25b50ab6c94f983a5d62fcad6806a1b3a7 |
| SHA512 | d55d9b8b96926b24ee82968009d233107531145d555e0e457528862fed70213115e6cd90415aeac9eb3a7da4e73bc8176e9cb181f1150d6fc53fd54ba02f655c |
C:\Windows\SysWOW64\Aplpai32.exe
| MD5 | 2ecc0eb650ef9f64bd3dcd9fffb63df2 |
| SHA1 | 643213f49d53c3e8bca582ecc2820fd2e6732834 |
| SHA256 | 028b201f56f5e81612338936877846fb1963c997db49518042dce289a3998a52 |
| SHA512 | 24438c9756f82a5a8fd0f60e4ca4360ef7f9cd99e53f3ec2196fb2c48f479a2ed4c0462b920c82ea92c82399ba80ce4b6c6261253206365cec1fd09422a5df4c |
C:\Windows\SysWOW64\Ahchbf32.exe
| MD5 | a3eb50ee36547a03999c183573a8c792 |
| SHA1 | 73ae18cdd6f9018a3b6694d0d0a40dc07feef34a |
| SHA256 | 008061c0c44d364545f3c135c48d94c9f9f0041429c9afba67460ada30d22938 |
| SHA512 | d7c9a3eeb6285fa1d72cb1319fb9a73c5ea20f040ecd657fefca56594433c74c6b78d1624a5d859c16078f18394ef67395b052c853f474a65aacf28653175b92 |
memory/2460-94-0x0000000000440000-0x0000000000473000-memory.dmp
memory/2640-100-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Aalmklfi.exe
| MD5 | f4c202df7b472fd81c5e8e15d51ecb00 |
| SHA1 | a7633e2282d471e99c88d900534aba31fd152ba1 |
| SHA256 | f2a51122f1908dd6aead8893a0c3085413c274b367c0ba68f1ae66c6d89f54ac |
| SHA512 | 4c845e6a471260fbadc723b7949638b978e06ee2441fd2a8962ed467395963c309f527e47dfa103c6ed227a8a9908ccdae0d083da4cfc1c255c22ab941039f53 |
memory/2772-114-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Apajlhka.exe
| MD5 | 018e29d91013801bfce6ea58fc41250d |
| SHA1 | 8d1648145084337d9f558157ebf6e1f6f9f642d8 |
| SHA256 | d70c881c378300eb5951da764d3ff02d154b73518b6f8e762c660dfc8ec2528e |
| SHA512 | 1685b5abd2cbeed3c676d70c8c1170c0875b31c66de2247b647f15e91902d505185bc2718fd747568f8f09927204fc568ea11d30d03a29bd36520e39d964a8c5 |
\Windows\SysWOW64\Afkbib32.exe
| MD5 | 0bcb5880250f19c01a6bc42aa0db38b1 |
| SHA1 | 4f85684bb3b5f9346ef4391f2ddb36193107cad2 |
| SHA256 | c5e3d0cc5221853af2b84ae1a76209fa2f2c3ddf8997675f0a21bbaef52986ee |
| SHA512 | ea5f803389bc453913ff9589db2996b7579027eac60cb28f8b50780d21380bf03919f156f1a3548d073b98006870ca2e4041dcc9d3f1466a8508e0f208470da4 |
\Windows\SysWOW64\Apcfahio.exe
| MD5 | b3c0f20d46247e11eb330b3d33fb55ee |
| SHA1 | 70adb78abc5655249898e7afb66272cdfcc966d9 |
| SHA256 | eb1e78f91eda5132fe13c84ff8519e2a383b9bbf1f658db2f4e3aafd20be1b1c |
| SHA512 | d2ae407526314e0ac8a7f6028ba7947395196566275e026a0478f4aa62f7f489f57f4a9a154cdfd8f69a3f1de0c693c231209c872eb402f1167984989fa0e7ed |
memory/2372-143-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1876-142-0x0000000000440000-0x0000000000473000-memory.dmp
memory/1876-141-0x0000000000440000-0x0000000000473000-memory.dmp
memory/1876-133-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2772-127-0x00000000002D0000-0x0000000000303000-memory.dmp
C:\Windows\SysWOW64\Bkodhe32.exe
| MD5 | c51a0f194d6e7b76c396b2d20f26c3d7 |
| SHA1 | 9a90fb22e9eab02cf8f438f95bbf0d599c7fd9b3 |
| SHA256 | 27a90db5bc1199ec2bdc2e2a9b097235e086718493aca8a39b352d6365595cb7 |
| SHA512 | 6b709fce8071f43fb25db26635e6b6a3218862c5da0ab4087f2bc08390cb1ba9604bd5b94bc51680d41d8a27174a1d77efde00a5fe9b7706fdaa6a12eb2cf39c |
C:\Windows\SysWOW64\Bhcdaibd.exe
| MD5 | 261591f3dcd6b319385ba81130051526 |
| SHA1 | ce768a9b56fe6f88e57f17ac0a4ea6143a1552e1 |
| SHA256 | 535ff05fbecf47cd717d084361840fb49a497f4bcc1dcaa5881c381d6193e086 |
| SHA512 | 5fecaad1ecfe99cb7d9a4d074a5cb38d56723a0a6ca84f4d6ca96e98813d1adde17ba367c859450dee6d4fc889e51149fd7aa91582285dba6222bf63cd89c582 |
memory/2288-189-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Bdjefj32.exe
| MD5 | e64b6bf3ae7b8cc1cd3e98f711f3fafb |
| SHA1 | 7b00e6102e01a8f9dee230889679d2d221354061 |
| SHA256 | 2998ac85bb73572d2297e73ab4b0c05d773c1b514f0fb48593916bd9e2bf2ed7 |
| SHA512 | 8427c9638913cf7196dc13cbe372773bb6230ed9459ddf5dace1544ed34af4e72ad1985ea97e3cf618709efc957e036a86361ded74bdba465b55d3cf09a6722d |
memory/536-200-0x0000000000400000-0x0000000000433000-memory.dmp
\Windows\SysWOW64\Bopicc32.exe
| MD5 | 77a5782e3000d20256b91d82f9b37bfd |
| SHA1 | 184e594d4830582c1a798cb896f207532f75dc82 |
| SHA256 | ee7a19e0f64fb4362276aa88d2bd1542e0ad141444b7ad606bd7a3b7d409a17b |
| SHA512 | 4bff21797d12192d709803416027b44b5ba018b244421dfb2c7f63882e1fcf98c041c6fd5e0624fa3cefceb7dbc92c6924e0eff56881845047997db8d4927167 |
memory/2924-228-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Cngcjo32.exe
| MD5 | 2fbe00201a55d39d14b58465a3c46508 |
| SHA1 | ce045aaf3e797cca5b37d192b87dcaa0451032bc |
| SHA256 | ca44fc9a6187de3f2a21ef3bd87b4b4f5dac9c1e5fdbbbd132078fa357ae9a5a |
| SHA512 | f887636431e40539c59f4cd7b1eac422eba25d88a4eb455219d4b028a62f79dff22ea2269e5c281a5fa357e0972a0b539f923d93de501f76009449049f4b1ee3 |
C:\Windows\SysWOW64\Cljcelan.exe
| MD5 | c93a28868c5a48573c04300c1dbc7780 |
| SHA1 | 12deecd0521e34d490ce0f1cbb7886707b92424c |
| SHA256 | 72bd6bca46e4b53cd4be380c52199b09e8f6692c9d086a23516ba7573e14e036 |
| SHA512 | dc4b298f581a597d2c339c4e3a471dcb9ff740f401fbc4a6d61eaada2145e7da8d46ce30a99ea9b91e25ad25fa16711ddcf17b6235db1e51afb76ef06dfdac6e |
memory/3028-249-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1228-248-0x0000000000250000-0x0000000000283000-memory.dmp
C:\Windows\SysWOW64\Coklgg32.exe
| MD5 | af4d0a0dcc6d5390ba7762a633cb2fd8 |
| SHA1 | 9104481bf3e0ec736fd086ada61d0eaae1421d6d |
| SHA256 | b0a8e66979f5865ecd83aad52d48b42ee084bc398c0dac8a43d72808713b50ff |
| SHA512 | b642268dd38e94b699f511c2a13d77bf34e28d4873ca8ea6f74b9e18944897a9b6f487631e8a4c2d2c456bbdd73e0499febc80f2d3bf6ed4e9ab614ea68d31ae |
memory/1816-269-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1716-268-0x00000000002E0000-0x0000000000313000-memory.dmp
C:\Windows\SysWOW64\Cgbdhd32.exe
| MD5 | 1c6289ff0534af745ffb8c5da26d16ad |
| SHA1 | 380ead3f9eafb7646d0d0638db0c17c955047d6f |
| SHA256 | 1ff058e64a07af70779ddff0037b3cfc8039b3489533efe5a0e73c2ce18c436e |
| SHA512 | 89f43b7bc36d7cb2fd20bda115e869a1001a58e9af948e9617a3e5c5cc190a2c7e4da509886021215f5ba3703e8b17042e91e727b884a0856cb542f583876b2b |
memory/712-289-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1900-300-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1900-314-0x00000000002E0000-0x0000000000313000-memory.dmp
memory/1744-315-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2212-343-0x00000000002E0000-0x0000000000313000-memory.dmp
C:\Windows\SysWOW64\Dgodbh32.exe
| MD5 | 0d3116525f8f34b8a08149cb208e1dee |
| SHA1 | 50cdc20510764f8c355bd2ec655e50de5fa6826e |
| SHA256 | 6b3a1d971a16d5cfd8ab7adf1213b9921d7238b6dae0a3b72462672527b992bd |
| SHA512 | 486f9c5a310ffd71e7bbe958e2fc00b2b6d07c8c8124bf11f2684ba46f7489256b44ff7f187a4906e8fa70f3873292999ea5019ea7b3b5ec0644c3324213e99f |
C:\Windows\SysWOW64\Dbehoa32.exe
| MD5 | a418504e7933d856f13ed902b260ce4d |
| SHA1 | 6197610c544facb98c4a52e2e293d49e567b4239 |
| SHA256 | 03c536f2fd22a860dfb524afeab4aaac2cb24fa9ed912adc5deb916280f0a37c |
| SHA512 | 0a3ed5af3743cd3a51b3a6c033dd08616010041e3e57658cd112ea095defd858189158040aa3a39cc4dff9cc3b58f718ffa1f1a41fd8f548aa06ff5456a78938 |
C:\Windows\SysWOW64\Ddcdkl32.exe
| MD5 | 44d0dc2e0c02aae5a2321df5ae02fe0d |
| SHA1 | 0b3e844ba15760769f6d990dd3497ae848ffda95 |
| SHA256 | 57094dcbf39ea85fa78f96e66049c91520fc22bdbf5bf450a3269febc099e3d4 |
| SHA512 | a4933694c6ae2873839cc9c0f844a59b9f00778d1463a21ececbfc659e219967541c2d6e619b96059bf3da6751d57c42e32c4d598ceea5778c25059c5195e164 |
memory/1868-406-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1388-417-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2036-441-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2708-440-0x0000000000260000-0x0000000000293000-memory.dmp
memory/2708-439-0x0000000000260000-0x0000000000293000-memory.dmp
C:\Windows\SysWOW64\Dfgmhd32.exe
| MD5 | b2a9b47b11456d5168d64336bd5ad2f6 |
| SHA1 | 3840a27c1f96d998c661393ddc5b41af2d7350d9 |
| SHA256 | d3cc7859e40433bb3dafd4a5f5eb0fda27aefc948fa55c23eeedadd2d333e577 |
| SHA512 | 6c83569d44cdb3f93b5d6eadc777de7f206d61e9683ff9f9f0593789c07014e313cc8dbcec2d4197f94e051f91327cbdb08c0634ad99935ed9eeb56265b3f781 |
memory/2500-459-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2500-468-0x0000000000300000-0x0000000000333000-memory.dmp
memory/1740-479-0x0000000000280000-0x00000000002B3000-memory.dmp
C:\Windows\SysWOW64\Ebpkce32.exe
| MD5 | b4a022b665d699826943f7333d2fc79e |
| SHA1 | 698e8c020868ef9c39aa75ceb8365f8a9864e256 |
| SHA256 | a7f724c90f620c3eff2b97270f33ed60ed2f054981ee911c8765c0e37adbbbcb |
| SHA512 | 5f717370100656cd731c04b7d0c6702efcb9268de581ee48144adea9d2eb25c228e70492923e681437c1025485aba6690d6b98db84a5c4aa2ddc306f75b91807 |
C:\Windows\SysWOW64\Eeqdep32.exe
| MD5 | 0f7efe1c61be2598e67d7b80492d909b |
| SHA1 | fdf228fd9f6ac94bffbd79489376223fec272ed4 |
| SHA256 | 46f8b5bf242940f9979d83ba818dca07872dd71f14b556b1a2c416fadf160398 |
| SHA512 | 926023f9c7c4621311f4f4805031f2c5413530ae861236e160c8c2e97b77009935e443ab47dc301c3fb13d6eae96758a4cd5c5b8c27442d7d5d9cc79202952fd |
C:\Windows\SysWOW64\Ekklaj32.exe
| MD5 | e5336d88cec95eff5064b33f43027e80 |
| SHA1 | ecce589df1fd46fdac55ada9921a0e5cf080cb4d |
| SHA256 | 1e2f62314046cb82ff5fd0e054a98a0a1799a9ccaad9a809591f396be0318f22 |
| SHA512 | 3ef3d40fe29ae1121498830acc0d7c76bc1d25d3f0424945b2249a37402495f8ba133375246358a1b9b7e61d7d6c1129b348f3a310c2ec2fe110f2c5998e0ca4 |
C:\Windows\SysWOW64\Efppoc32.exe
| MD5 | eb8df208f75320c1c1fab3c6a6038898 |
| SHA1 | 8c3d7e3cf9aa823dfca724ead25f0df89b72530e |
| SHA256 | 0cbd314de0df65b28e51140b017bac5f4068e4e9c5be73d50fd588e428408514 |
| SHA512 | 967260ee49ec8d60528e5f2c6f6d16070ab711295f63107c6d3bda7ad31b82dd04705478a9f513b045506d22683c52602b6c4ea639d39a84e3ad45c5405bbb0b |
C:\Windows\SysWOW64\Elmigj32.exe
| MD5 | 17d3fa988de3e806c1a25fea6c1a7d52 |
| SHA1 | e04c17f6fb709206f7afb68723954526b694c492 |
| SHA256 | b5831b8c64f8d749c6393c2a0f266b68892f608d2364d8e516838b64e5071591 |
| SHA512 | f0e65c382f231397b81e5dc2b59dc874828e1734d15951b49d8208a24a2c16180ea1c69ac67a8ea03ecf0a34120a17d7b2c935f67d8c064acc8793ce68f6fcbd |
C:\Windows\SysWOW64\Fckjalhj.exe
| MD5 | cf7bf3726e0b20906a2057d12879a9ce |
| SHA1 | 85e0371ee6d2a621b593313a7c31f3c95f6b32c9 |
| SHA256 | ea8381c875abb2fb8091d9a1f52c74425d7614dc37aa7c5d76ea4b9aabaffe44 |
| SHA512 | 3d359ec14c81527d84990fbc72afbc14860da6fa8d003b951294c5ed914e16bf37924fc72206da874fd2004303f66cec768b2568387cf5b7378ad6922678b846 |
C:\Windows\SysWOW64\Flabbihl.exe
| MD5 | 0a350fbbefae1c6847a5a8e8ec26461c |
| SHA1 | 11b70c1b35469db67afc7017461957068323fd0f |
| SHA256 | ffd128d5a7a104589865a4d01f1c5dd426f87d2fc8e11630b2cb876a7613d0a4 |
| SHA512 | 242af93b5e38d65b95328cb2613692787b1d55e72ea61e71ed3700bb8e6ae6a45723772cb6a974cffe1510a66ec00e9616a23ded1b825b59d4f5f52a68eaab0d |
C:\Windows\SysWOW64\Fnpnndgp.exe
| MD5 | 7f1c86a58efa7c6257b8506590aeda99 |
| SHA1 | bfcb7763db9635710c3c410e60fc13564ca3a530 |
| SHA256 | 2f4a024e62058c0245eba55e295c48b225e85d662fe184229ec330879e345c14 |
| SHA512 | 12c5b78164faebcb0a703b4a3fcdaf47a5abad88a1f562fd6448a7dfc37ecf47db44d20d011c9cc6b51c91bc84914a75ed6d37a17adb009e3e8914de6356b171 |
C:\Windows\SysWOW64\Fcmgfkeg.exe
| MD5 | 45a08efece758ca3dd300ee4d09e842f |
| SHA1 | e7ab20969cf52bd9ebcdfc57eb8d7b689c4f46a4 |
| SHA256 | e1bd4f4b9c0fea45fa339261252c89f5344650a864672d9e4b6510d882898463 |
| SHA512 | 54938953cc1bf84c0002ff561b31a0b4a94068b193db0e08d15bafa039943df7db2b5195f742c8bf8ef35fb8a50f886e1d3f087106083664485537f4f0c800e3 |
C:\Windows\SysWOW64\Fpdhklkl.exe
| MD5 | 454a8e62590d4516ea64ea11cdfa1e03 |
| SHA1 | aa6bf2d6166d1776981d2e6a504de25b8198000a |
| SHA256 | 016cb5292848e33b18994c322621135bdc82817ab0e3c3d3f7df7d308daed239 |
| SHA512 | cf8ed70b3a6adc528f4fcff88d49c71626cc685df2d112067454c74140b1e03679f5190a3567652f4d7e915919567607834852736d115e95c6c20a810855315c |
C:\Windows\SysWOW64\Fhkpmjln.exe
| MD5 | b46bfc319cf085a4d9860e22ff5a4630 |
| SHA1 | f2f001ce52024ae0244278243d739252dbe23f8f |
| SHA256 | f01b4fe241ffd7600c0cb5077e63e655d170b2ba20c69fcf1bb3fdfaf5b8216e |
| SHA512 | b7dff26d22731d42ef9c8f2368240625189b60a34af92e66b599e15ba535dc71699d0ff674dac9416774784a395cceacd4263dc015b00ca1df8a139330870635 |
C:\Windows\SysWOW64\Facdeo32.exe
| MD5 | 9c7a01f3ce6211000c651ae9c63b202f |
| SHA1 | 5ae1095076b0c58862e60171726cf5ae084d1437 |
| SHA256 | a1fac3b785bbb53d8ac505c871bbc75c2f37effc83257e1c44709669d3b858e9 |
| SHA512 | 599e9efbac8f4d64064d6ca65d4e2fc7dae6c90eb15662b5dd5a9729f6802e7fee5c31f607fe65a326a0b3c0d53d059e243c1e69b8d06dd443caedd72aee77f2 |
C:\Windows\SysWOW64\Fioija32.exe
| MD5 | fa42d85a19445d5ccdcf57d0a60257f9 |
| SHA1 | 2fa0e36e2565f78d60969e902746020193c183a3 |
| SHA256 | a721fd081b052a09b6a5ecef161106c2cec6c5e293415462621b6d256a80c0b6 |
| SHA512 | aaba701afedb72955819dde6f85015964d519627d44b79120e61a4365f4944ea179d0d8fefb4ba5d4191f3198f0d81ebf4a7afa7f5a99962d3f23d229094e5ef |
C:\Windows\SysWOW64\Fbgmbg32.exe
| MD5 | fd70a67cfd9875dd92b70c9d8a32e336 |
| SHA1 | 460eeb71b9668694bca27da0671982ed5e60720d |
| SHA256 | ce39b5c4ea37c7d45305ea7c9e87d1e0bbcc74f442c1ab9f6e87af2d19ccde40 |
| SHA512 | 76074aff6a0476a02c72cb4aa23b0f3cbe19b7644e53b84267d33f18ba834d9d0be16ecb8b46bbe464756f68076ca1a832ee8d7fe44f7493ad06daa17627deb7 |
C:\Windows\SysWOW64\Globlmmj.exe
| MD5 | 065791a0659e0efe78d6fc232076a0b7 |
| SHA1 | d4853e6e4ed5cb6eda55ca24ee5f39c72afcf95f |
| SHA256 | 06b6e41e3ffb203d914bf48fc16e6cda34d569f9b1fd2a4f1670f4fc8fbec53f |
| SHA512 | c8606e0193473636198fd506d3d7b53a0675c9e3ab7d6358c823b674c7bac40ac36efe3916a16472cd3dfd8c76ae1d1fae2a7de0daab06c43d1e9fa4b3212423 |
C:\Windows\SysWOW64\Gpmjak32.exe
| MD5 | e60c40fd8304be018d78ddbce5a5a39d |
| SHA1 | e2f47cb089725a418c304759c8fa5dcb65872e58 |
| SHA256 | e3922bb8d020c3cc41436204feae42531610dfc1b82082e18ecbbd5fe4060f08 |
| SHA512 | 2d48d3d9e553fb1569ac295321e4d61c4daa8e650dfc1c55d05362186f73a56463d8fe93394080e92e3162cdf17aae019aad01be7147c24460d6e89900cf4d28 |
C:\Windows\SysWOW64\Gbkgnfbd.exe
| MD5 | f4b8648da2070a3f9e5a8df5bd63db54 |
| SHA1 | ec243d65323eaf1a96b0992985a4840228ca775a |
| SHA256 | 9bf05310dd12b5c28f90e50a5725454255e133bcd0fdd271417729fc2f5d92f1 |
| SHA512 | d5c82931c4c73613e0e4da574af19cfdcf8bb7f752c769105343ea370a3baf13a58c3955f0651b5ad7b45682293b7566e577f89a27d36c7da8acb294ac1ad03f |
C:\Windows\SysWOW64\Gobgcg32.exe
| MD5 | 053136a2b2f7c15fdb606e94b25b19e1 |
| SHA1 | cf51a4e03cd87d65c32aac7753ffcbf207a2c2bd |
| SHA256 | a878c4b4e53658d812db68ee6a314176b7f9759280df865445a987d3feacb833 |
| SHA512 | c295720f085fa323e0a8cdf7513955bdcbfe09424c7335fd7d7b23d1b1a0ad17ce603d04278b9245a92e4eb97fb80e3ed91f23f7d44aabd5a46b6756c516c682 |
C:\Windows\SysWOW64\Gelppaof.exe
| MD5 | d235f6508ec1dffacb074e765ad2d29c |
| SHA1 | 254fbae711f1f70ff79f65f1a4afe91b4948c897 |
| SHA256 | 10d80f9028b4c714564e412d06b7810128b9d3db436a964aed37a30a0b2a1563 |
| SHA512 | 8e35928a234812c36d090b97c39db00dc6a8ccbdf2f4d32107427b89ba6b0b1798bc767f6c76a91179c394dc25cc426bfd4f68e92d92e08cb9b92c59d2040109 |
C:\Windows\SysWOW64\Gaemjbcg.exe
| MD5 | 2c577e50d7b5f9b2d6b9cd5de20e0cce |
| SHA1 | abaa9d138fd08f3ee0e79e36723b601b79f7156e |
| SHA256 | ade04a5c7d6471f94a3c8e0c4c1f5d5a8554fe73a13612b3b761387dd8fd79f7 |
| SHA512 | 23ceaffadc45059eedd524777c00e35df791b959b709bc83346a8305d5c05a19282eff131f71cce47a5dae29b47061540ae9fb6149e6c6548b588a2ebdbba6dc |
C:\Windows\SysWOW64\Hgbebiao.exe
| MD5 | 8ee589812cc90a45d59848da33112ebf |
| SHA1 | 6e3f854add3c335c5ba1835a608ff5aa468ac225 |
| SHA256 | b7abaed3a97d0a83a7fdaf32175e3d668f6cbd475b1b4fbca3d2a1c122fa2be2 |
| SHA512 | ef3da4cf98c578f437702a7b1472f6d99b5d3035ad6531134569fbd3601b84441100af4cd0e90c46d6cae4165c72ecac282b68e3aede96fb5062a599b9b8a037 |
C:\Windows\SysWOW64\Hkpnhgge.exe
| MD5 | bd575dfefe08c8c3acc65da2ab7cf537 |
| SHA1 | a970a3516e1c312dfe0bc3572b5a68001afbadd3 |
| SHA256 | 12ed9ad620e4311236059b8e94194ee8f58901a48c502a25c099198dbc14e9f1 |
| SHA512 | a60fecbca57a0d1914b0328a9d25d3a2ca9d0d34f6d145f375c26925129c9a0b23817ce3983fc78617329196f26473bd877628a818bf56e9c4249818bb5a6d39 |
C:\Windows\SysWOW64\Hnagjbdf.exe
| MD5 | 7044626bb00006b37814c0aed760c3bf |
| SHA1 | 0b29d09d081e381fd259c2427edb30b1f11a79fa |
| SHA256 | 59069cf89baf6b93ab55111673cf7fac1c486eb23d0694294364d64d05e899ea |
| SHA512 | 4e79f1fc535f48f16777a2755fed8d884479a046e1f3c89f6d270b6c399d5f62b4d305c8bd9282113caad1775cab2bd04faf4abf6aa7236c084635fd2f1b154f |
C:\Windows\SysWOW64\Hjhhocjj.exe
| MD5 | 4ac0229556d3c33341932da3c4f069d8 |
| SHA1 | e98b934dd370c49f034eb300acc5f8c1189932c0 |
| SHA256 | 583fe202e524de984cabe9222f41ca93c3d528fe9e41b2d88a52087a8ad43c45 |
| SHA512 | 68de86b39ff41cc87801ccdeec6c93b0deb774fec30a98c24962a2d67ee266009a905fdf833759d34f584e66de4c12fb38df94003a0a9172769c47d5615008b4 |
C:\Windows\SysWOW64\Hpapln32.exe
| MD5 | ac715aa95d033dd157a5bc4f3b235fcc |
| SHA1 | 0501404b500c246c88b891ce604d21084a9626cb |
| SHA256 | a3d0c960f78f52f0d2d36654714adc0521fe544eee175692fb8590bc0bdcf241 |
| SHA512 | 2e67bef39e22cc20c7cf5f7e03526c3d2fde9051eea24bbef9e0ee861412202420733415838cde7fa982049c80929ad5f65120b5de42a3709925d0e0630725c1 |
C:\Windows\SysWOW64\Hjjddchg.exe
| MD5 | 8fdabc7efc1da5abafbc9a342b535de6 |
| SHA1 | d608d1bc2fb2e06604fde5c38982a7198e33bfb4 |
| SHA256 | 88d8016b40ac088fbb0adeeccd793fa0ceb1aad2a36fa61c232145bb0d92cc5d |
| SHA512 | 0fe62c53fd1a8ec444a4072f3829d25eb531bfe6c287032c62fc026cfc7f5c684abc310c1590e7dea0f79d3277da7b14843e35e2d66ca91ac7147abd1697f7d8 |
C:\Windows\SysWOW64\Hhmepp32.exe
| MD5 | 0b077f769fd44bf771b9cdee8a9effae |
| SHA1 | 749d9e061278ba8da956895ff584bbb60c812da5 |
| SHA256 | 56a63d5d5f8b95b5feb7f15b14038a77eb82c29ecd1d563794d84fad6e1309c5 |
| SHA512 | 8282452571bfacacf20a7bb7dd308c165dee51292fdb2362f57e4a5c8122b16e6c20a3ac2bcedf085c0b055751ca4c97908c56b6dd9e6294e79481dfedcae1c8 |
C:\Windows\SysWOW64\Hogmmjfo.exe
| MD5 | 796ea8a37490e5a6bbe6115955d2abde |
| SHA1 | 13c95e1470c5dadd9914d43abf601649e71fc845 |
| SHA256 | d137d4a8f8d377faacb36afeed887612e9b75149aa85d4ee5bc646f2814a067d |
| SHA512 | 89874ad6178a5f0ba257d67a3a14a57eff460863306be3d89682ff91db66037348c8e90e3c2d058c5c7d3d73a390572718aca8a5c91be886d870f5bc4c0bd609 |
C:\Windows\SysWOW64\Ieqeidnl.exe
| MD5 | 0350dc51d6dabf91f48701684ee71729 |
| SHA1 | ff6d09f992dfed1839922392632de055f224f710 |
| SHA256 | 104e5ac8cce8b0d1274309ed49d42ef31726490c63d2be23616617b5133cdfa1 |
| SHA512 | 916eddd682e8ecc407e1974be7e00a302d73c7dec0cb13f8745fc487ade0cf1ddfa875c40f3ffc1afec9dc60d6b0180197f836e76a822ac333f94c064771a032 |
C:\Windows\SysWOW64\Iagfoe32.exe
| MD5 | 63437973be9c8ec67bcd1542072b1b07 |
| SHA1 | 635bd51e921696b84ab9174f74146620028b73ef |
| SHA256 | f6fbd82e0ba3314345a1d35339dcc2da440b5bb1ae4bcf6d22006b80948d3612 |
| SHA512 | aba902581484be521411e229e865fe39fb1278a0a35a639032c45c89ac361668e62c0f56d9b9ad7a063e2ff66a48c582f058ef3a4b8e1e0e648bdff81d01e4dd |
C:\Windows\SysWOW64\Idceea32.exe
| MD5 | 50f5c53d3f70f4b3c0bba80ef1e3472c |
| SHA1 | f79affd679e8e21ab85b5564072c7fbdfb09c9fb |
| SHA256 | 36757e452feb3d8bce6b72ad376ae36927a1b69864d7394a8ece10d98f92004e |
| SHA512 | 9fc9ac26ed1b4a704908d2f57d904b5bfb1bd0c08f4eee56042dc3d020dc9173c7b6defa2ed12639d30719c04ead7e69d0389c3f3cd78289b5bc8be513106cee |
C:\Windows\SysWOW64\Hcplhi32.exe
| MD5 | 2b0189b760680a8978282ddc133f4b74 |
| SHA1 | bab9684601b9d67fd102732d8034815f777a09b5 |
| SHA256 | e3d6fa35296de0a334b37cf820b31ddaf1ddc8bdf4e10e6d70922fc0080929b3 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 23:18
Reported
2024-06-01 23:20
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lkiqbl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nddkgonp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Users\Admin\AppData\Local\Temp\0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ndidbn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ngedij32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nklfoi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nklfoi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mkepnjng.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mkepnjng.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ndghmo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nnolfdcn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Maaepd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nddkgonp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nkncdifl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nkqpjidj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ncldnkae.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lpfijcfl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ndidbn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Liggbi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lpfijcfl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nkqpjidj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nbkhfc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Users\Admin\AppData\Local\Temp\0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mjeddggd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Laalifad.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mglack32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mcbahlip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nbkhfc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lnhmng32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mciobn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nkncdifl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ndghmo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ngedij32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ncldnkae.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nbhkac32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nnhfee32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lkiqbl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Maaepd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nnjbke32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nbhkac32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mjeddggd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Liggbi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mciobn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mglack32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mcbahlip.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nnjbke32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lnhmng32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nnhfee32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nnolfdcn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Laalifad.exe | N/A |
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Lnhmng32.exe | C:\Windows\SysWOW64\Lkiqbl32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mkepnjng.exe | C:\Windows\SysWOW64\Mjeddggd.exe | N/A |
| File created | C:\Windows\SysWOW64\Jlnpomfk.dll | C:\Windows\SysWOW64\Nnjbke32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nkqpjidj.exe | C:\Windows\SysWOW64\Ngedij32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nbhkac32.exe | C:\Windows\SysWOW64\Nkncdifl.exe | N/A |
| File created | C:\Windows\SysWOW64\Nnolfdcn.exe | C:\Windows\SysWOW64\Nkqpjidj.exe | N/A |
| File created | C:\Windows\SysWOW64\Ncldnkae.exe | C:\Windows\SysWOW64\Ndidbn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ndidbn32.exe | C:\Windows\SysWOW64\Nbkhfc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Liggbi32.exe | C:\Users\Admin\AppData\Local\Temp\0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Laalifad.exe | C:\Windows\SysWOW64\Liggbi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lpfijcfl.exe | C:\Windows\SysWOW64\Lnhmng32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Maaepd32.exe | C:\Windows\SysWOW64\Mglack32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bebboiqi.dll | C:\Windows\SysWOW64\Mglack32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lifenaok.dll | C:\Windows\SysWOW64\Lpfijcfl.exe | N/A |
| File created | C:\Windows\SysWOW64\Mglack32.exe | C:\Windows\SysWOW64\Mkepnjng.exe | N/A |
| File created | C:\Windows\SysWOW64\Nddkgonp.exe | C:\Windows\SysWOW64\Nnjbke32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nkncdifl.exe | C:\Windows\SysWOW64\Nddkgonp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nnolfdcn.exe | C:\Windows\SysWOW64\Nkqpjidj.exe | N/A |
| File created | C:\Windows\SysWOW64\Nnjbke32.exe | C:\Windows\SysWOW64\Nklfoi32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nkncdifl.exe | C:\Windows\SysWOW64\Nddkgonp.exe | N/A |
| File created | C:\Windows\SysWOW64\Jkeang32.dll | C:\Windows\SysWOW64\Nddkgonp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Liggbi32.exe | C:\Users\Admin\AppData\Local\Temp\0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe | N/A |
| File created | C:\Windows\SysWOW64\Mdemcacc.dll | C:\Windows\SysWOW64\Liggbi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mbaohn32.dll | C:\Windows\SysWOW64\Lnhmng32.exe | N/A |
| File created | C:\Windows\SysWOW64\Maaepd32.exe | C:\Windows\SysWOW64\Mglack32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nklfoi32.exe | C:\Windows\SysWOW64\Nnhfee32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mjeddggd.exe | C:\Windows\SysWOW64\Mciobn32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mglack32.exe | C:\Windows\SysWOW64\Mkepnjng.exe | N/A |
| File created | C:\Windows\SysWOW64\Ogpnaafp.dll | C:\Windows\SysWOW64\Ngedij32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ngedij32.exe | C:\Windows\SysWOW64\Ndghmo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Laalifad.exe | C:\Windows\SysWOW64\Liggbi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lkiqbl32.exe | C:\Windows\SysWOW64\Laalifad.exe | N/A |
| File created | C:\Windows\SysWOW64\Lelgbkio.dll | C:\Windows\SysWOW64\Maaepd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fibjjh32.dll | C:\Windows\SysWOW64\Nnhfee32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nnjbke32.exe | C:\Windows\SysWOW64\Nklfoi32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mciobn32.exe | C:\Windows\SysWOW64\Lpfijcfl.exe | N/A |
| File created | C:\Windows\SysWOW64\Opbnic32.dll | C:\Windows\SysWOW64\Nbkhfc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hnibdpde.dll | C:\Windows\SysWOW64\Ncldnkae.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nbkhfc32.exe | C:\Windows\SysWOW64\Nnolfdcn.exe | N/A |
| File created | C:\Windows\SysWOW64\Gcgqhjop.dll | C:\Users\Admin\AppData\Local\Temp\0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe | N/A |
| File created | C:\Windows\SysWOW64\Ekiidlll.dll | C:\Windows\SysWOW64\Laalifad.exe | N/A |
| File created | C:\Windows\SysWOW64\Lnhmng32.exe | C:\Windows\SysWOW64\Lkiqbl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mciobn32.exe | C:\Windows\SysWOW64\Lpfijcfl.exe | N/A |
| File created | C:\Windows\SysWOW64\Nnhfee32.exe | C:\Windows\SysWOW64\Mcbahlip.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ndidbn32.exe | C:\Windows\SysWOW64\Nbkhfc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lkiqbl32.exe | C:\Windows\SysWOW64\Laalifad.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lpfijcfl.exe | C:\Windows\SysWOW64\Lnhmng32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mcbahlip.exe | C:\Windows\SysWOW64\Maaepd32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nnhfee32.exe | C:\Windows\SysWOW64\Mcbahlip.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ndghmo32.exe | C:\Windows\SysWOW64\Nbhkac32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qcldhk32.dll | C:\Windows\SysWOW64\Mjeddggd.exe | N/A |
| File created | C:\Windows\SysWOW64\Oaehlf32.dll | C:\Windows\SysWOW64\Mkepnjng.exe | N/A |
| File created | C:\Windows\SysWOW64\Hlmobp32.dll | C:\Windows\SysWOW64\Mcbahlip.exe | N/A |
| File created | C:\Windows\SysWOW64\Jjblifaf.dll | C:\Windows\SysWOW64\Mciobn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mkepnjng.exe | C:\Windows\SysWOW64\Mjeddggd.exe | N/A |
| File created | C:\Windows\SysWOW64\Kmalco32.dll | C:\Windows\SysWOW64\Nklfoi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cknpkhch.dll | C:\Windows\SysWOW64\Nkqpjidj.exe | N/A |
| File created | C:\Windows\SysWOW64\Lkfbjdpq.dll | C:\Windows\SysWOW64\Nnolfdcn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ncldnkae.exe | C:\Windows\SysWOW64\Ndidbn32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nkcmohbg.exe | C:\Windows\SysWOW64\Ncldnkae.exe | N/A |
| File created | C:\Windows\SysWOW64\Mcbahlip.exe | C:\Windows\SysWOW64\Maaepd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nklfoi32.exe | C:\Windows\SysWOW64\Nnhfee32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nddkgonp.exe | C:\Windows\SysWOW64\Nnjbke32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ngedij32.exe | C:\Windows\SysWOW64\Ndghmo32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | C:\Users\Admin\AppData\Local\Temp\0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll" | C:\Windows\SysWOW64\Laalifad.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll" | C:\Windows\SysWOW64\Mglack32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ndidbn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll" | C:\Windows\SysWOW64\Mcbahlip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Nddkgonp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll" | C:\Windows\SysWOW64\Nkqpjidj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll" | C:\Windows\SysWOW64\Lpfijcfl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mglack32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nklfoi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll" | C:\Windows\SysWOW64\Ndghmo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Nklfoi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nddkgonp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Nkncdifl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nkncdifl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Laalifad.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll" | C:\Windows\SysWOW64\Mciobn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mkepnjng.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Nkqpjidj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nnolfdcn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll" | C:\Windows\SysWOW64\Ncldnkae.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ncldnkae.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | C:\Users\Admin\AppData\Local\Temp\0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lnhmng32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Maaepd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Nbhkac32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nnjbke32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll" | C:\Windows\SysWOW64\Liggbi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lpfijcfl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mjeddggd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll" | C:\Windows\SysWOW64\Mkepnjng.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nnhfee32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ngedij32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ndidbn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Nbkhfc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lkiqbl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mjeddggd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mglack32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll" | C:\Windows\SysWOW64\Nklfoi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nbkhfc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll" | C:\Windows\SysWOW64\Ndidbn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll" | C:\Users\Admin\AppData\Local\Temp\0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mciobn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll" | C:\Windows\SysWOW64\Mjeddggd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll" | C:\Windows\SysWOW64\Nbhkac32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lpfijcfl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll" | C:\Windows\SysWOW64\Nddkgonp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ndghmo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll" | C:\Windows\SysWOW64\Nnjbke32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ngedij32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ncldnkae.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Liggbi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lkiqbl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mcbahlip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll" | C:\Windows\SysWOW64\Nnhfee32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll" | C:\Windows\SysWOW64\Nnolfdcn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll" | C:\Windows\SysWOW64\Nbkhfc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll" | C:\Windows\SysWOW64\Lkiqbl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll" | C:\Windows\SysWOW64\Lnhmng32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ndghmo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Nnolfdcn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mciobn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll" | C:\Windows\SysWOW64\Ngedij32.exe | N/A |
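The two tables above describe a single mechanism: every generation drops the next .exe and a DLL into SysWOW64, then re-points the InProcServer32 default of the same CLSID {79FEACFF-FFCE-815E-A900-316290B5B738} at its own DLL, so the ShellServiceObjectDelayLoad entry created under that key name makes Explorer load whichever DLL was registered last. Because the report lists the rows unordered, the chain is easier to see when reconstructed. The script below is an added example written for this page, not code from the sandbox or the report. ROWS is a constructed excerpt of the rows above in the page's own pipe format (one row per dropped .exe plus five registry rows); D and REG are abbreviations for the drop directory and the CLSID key path. Two assumptions are made and marked in the code: "File opened for modification" rows count as drop edges, because the report records some generations (for example Mjeddggd.exe) only under that description, and the last generation in the chain that wrote InProcServer32 is treated as the final writer, since the report carries no timestamps.

```python
import re

# Added example for this report page (not the sandbox's or the report's code).
# ROWS is a constructed excerpt of the "Drops file in System32 directory" and
# "Modifies registry class" rows above, in the page's pipe-table format:
# | Description | Indicator | Process | Target |
D = r"C:\Windows\SysWOW64"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe"
CLSID = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
REG = r"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID"
ROWS = rf"""
| File created | {D}\Liggbi32.exe | {SAMPLE} | N/A |
| File created | {D}\Laalifad.exe | {D}\Liggbi32.exe | N/A |
| File created | {D}\Lkiqbl32.exe | {D}\Laalifad.exe | N/A |
| File created | {D}\Lnhmng32.exe | {D}\Lkiqbl32.exe | N/A |
| File created | {D}\Lpfijcfl.exe | {D}\Lnhmng32.exe | N/A |
| File created | {D}\Mciobn32.exe | {D}\Lpfijcfl.exe | N/A |
| File opened for modification | {D}\Mjeddggd.exe | {D}\Mciobn32.exe | N/A |
| File created | {D}\Mkepnjng.exe | {D}\Mjeddggd.exe | N/A |
| File created | {D}\Mglack32.exe | {D}\Mkepnjng.exe | N/A |
| File created | {D}\Maaepd32.exe | {D}\Mglack32.exe | N/A |
| File created | {D}\Mcbahlip.exe | {D}\Maaepd32.exe | N/A |
| File created | {D}\Nnhfee32.exe | {D}\Mcbahlip.exe | N/A |
| File created | {D}\Nklfoi32.exe | {D}\Nnhfee32.exe | N/A |
| File created | {D}\Nnjbke32.exe | {D}\Nklfoi32.exe | N/A |
| File created | {D}\Nddkgonp.exe | {D}\Nnjbke32.exe | N/A |
| File created | {D}\Nkncdifl.exe | {D}\Nddkgonp.exe | N/A |
| File opened for modification | {D}\Nbhkac32.exe | {D}\Nkncdifl.exe | N/A |
| File opened for modification | {D}\Ndghmo32.exe | {D}\Nbhkac32.exe | N/A |
| File created | {D}\Ngedij32.exe | {D}\Ndghmo32.exe | N/A |
| File opened for modification | {D}\Nkqpjidj.exe | {D}\Ngedij32.exe | N/A |
| File created | {D}\Nnolfdcn.exe | {D}\Nkqpjidj.exe | N/A |
| File opened for modification | {D}\Nbkhfc32.exe | {D}\Nnolfdcn.exe | N/A |
| File created | {D}\Ndidbn32.exe | {D}\Nbkhfc32.exe | N/A |
| File created | {D}\Ncldnkae.exe | {D}\Ndidbn32.exe | N/A |
| File opened for modification | {D}\Nkcmohbg.exe | {D}\Ncldnkae.exe | N/A |
| Set value (str) | {REG}\{CLSID}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll" | {SAMPLE} | N/A |
| Set value (str) | {REG}\{CLSID}\InProcServer32\ThreadingModel = "Apartment" | {D}\Liggbi32.exe | N/A |
| Set value (str) | {REG}\{CLSID}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll" | {D}\Liggbi32.exe | N/A |
| Set value (str) | {REG}\{CLSID}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll" | {D}\Laalifad.exe | N/A |
| Set value (str) | {REG}\{CLSID}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll" | {D}\Ncldnkae.exe | N/A |
"""


def parse_rows(text):
    """Return (description, indicator, process) tuples from pipe-table rows."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) >= 3:
            rows.append(tuple(cells[:3]))
    return rows


def drop_chain(rows, root):
    """Follow parent -> dropped-.exe edges starting at root.
    Assumption: 'File opened for modification' rows are drop edges too, since the
    report records some generations (e.g. Mjeddggd.exe) only under that text."""
    child_of = {}
    for desc, target, proc in rows:
        if desc.startswith("File") and target.lower().endswith(".exe"):
            child_of.setdefault(proc.lower(), target)
    chain = [root]
    while chain[-1].lower() in child_of and child_of[chain[-1].lower()] not in chain:
        chain.append(child_of[chain[-1].lower()])
    return chain


# Matches only the InProcServer32 default value; ThreadingModel rows do not match.
INPROC_RE = re.compile(r'CLSID\\(\{[0-9A-F-]+\})\\InProcServer32\\ = "(.+)"', re.I)


def inproc_by_process(rows):
    """Map writing process -> (CLSID, DLL path) for InProcServer32 default writes."""
    regs = {}
    for desc, indicator, proc in rows:
        m = INPROC_RE.search(indicator)
        if desc.startswith("Set value") and m:
            # the report escapes backslashes in the value; undo that
            regs[proc] = (m.group(1), m.group(2).replace("\\\\", "\\"))
    return regs


def analyse(text=ROWS, root=SAMPLE):
    """Reconstruct the drop order and the DLL the CLSID ends up pointing at.
    Assumption: later generations write later (the report has no timestamps)."""
    rows = parse_rows(text)
    chain = drop_chain(rows, root)
    regs = inproc_by_process(rows)
    writer = next((p for p in reversed(chain) if p in regs), None)
    clsid, dll = regs[writer] if writer else (None, None)
    return {"generations": len(chain), "last_exe": chain[-1],
            "clsid": clsid, "final_dll": dll, "written_by": writer}


if __name__ == "__main__":
    r = analyse()
    print(f"{r['generations']} generations, ending in {r['last_exe']}")
    print(f"{r['clsid']} -> {r['final_dll']} (written by {r['written_by']})")
```

Run against the excerpt, the chain has 26 generations (the sample plus 25 dropped executables, the same order as the Processes list below), and the CLSID's InProcServer32 default resolves to C:\Windows\SysWow64\Hnibdpde.dll, written by Ncldnkae.exe, the last generation in the excerpt that registers a DLL. On a live host the same resolution is the check to make: read the CLSID named in the ShellServiceObjectDelayLoad value, follow it to the InProcServer32 default, and treat an unsigned DLL with a random eight-letter name in SysWOW64 as the persistence payload to collect.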
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\0980c79f054f5681e404736dcae59090_NeikiAnalytics.exe" |
| C:\Windows\SysWOW64\Liggbi32.exe | C:\Windows\system32\Liggbi32.exe |
| C:\Windows\SysWOW64\Laalifad.exe | C:\Windows\system32\Laalifad.exe |
| C:\Windows\SysWOW64\Lkiqbl32.exe | C:\Windows\system32\Lkiqbl32.exe |
| C:\Windows\SysWOW64\Lnhmng32.exe | C:\Windows\system32\Lnhmng32.exe |
| C:\Windows\SysWOW64\Lpfijcfl.exe | C:\Windows\system32\Lpfijcfl.exe |
| C:\Windows\SysWOW64\Mciobn32.exe | C:\Windows\system32\Mciobn32.exe |
| C:\Windows\SysWOW64\Mjeddggd.exe | C:\Windows\system32\Mjeddggd.exe |
| C:\Windows\SysWOW64\Mkepnjng.exe | C:\Windows\system32\Mkepnjng.exe |
| C:\Windows\SysWOW64\Mglack32.exe | C:\Windows\system32\Mglack32.exe |
| C:\Windows\SysWOW64\Maaepd32.exe | C:\Windows\system32\Maaepd32.exe |
| C:\Windows\SysWOW64\Mcbahlip.exe | C:\Windows\system32\Mcbahlip.exe |
| C:\Windows\SysWOW64\Nnhfee32.exe | C:\Windows\system32\Nnhfee32.exe |
| C:\Windows\SysWOW64\Nklfoi32.exe | C:\Windows\system32\Nklfoi32.exe |
| C:\Windows\SysWOW64\Nnjbke32.exe | C:\Windows\system32\Nnjbke32.exe |
| C:\Windows\SysWOW64\Nddkgonp.exe | C:\Windows\system32\Nddkgonp.exe |
| C:\Windows\SysWOW64\Nkncdifl.exe | C:\Windows\system32\Nkncdifl.exe |
| C:\Windows\SysWOW64\Nbhkac32.exe | C:\Windows\system32\Nbhkac32.exe |
| C:\Windows\SysWOW64\Ndghmo32.exe | C:\Windows\system32\Ndghmo32.exe |
| C:\Windows\SysWOW64\Ngedij32.exe | C:\Windows\system32\Ngedij32.exe |
| C:\Windows\SysWOW64\Nkqpjidj.exe | C:\Windows\system32\Nkqpjidj.exe |
| C:\Windows\SysWOW64\Nnolfdcn.exe | C:\Windows\system32\Nnolfdcn.exe |
| C:\Windows\SysWOW64\Nbkhfc32.exe | C:\Windows\system32\Nbkhfc32.exe |
| C:\Windows\SysWOW64\Ndidbn32.exe | C:\Windows\system32\Ndidbn32.exe |
| C:\Windows\SysWOW64\Ncldnkae.exe | C:\Windows\system32\Ncldnkae.exe |
| C:\Windows\SysWOW64\Nkcmohbg.exe | C:\Windows\system32\Nkcmohbg.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1876 -ip 1876 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 400 |
Each process is listed with its image path and the command line it was started with. The command lines name C:\Windows\system32\ while the images live in C:\Windows\SysWOW64\: these are 32-bit processes on a 64-bit host, so WOW64 file-system redirection resolves system32 to SysWOW64 for them, which is also why the dropped files and registry keys appear under SysWOW64 and WOW6432Node. The two WerFault.exe instances handle the crash of PID 1876 reported under "Program crash"; the matching memory/1876 dump is listed under Files.
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 16.173.189.20.in-addr.arpa | udp |
All recorded traffic is DNS to 8.8.8.8 (reverse PTR lookups) and HTTPS to tse1.mm.bing.net, which is typical of Windows background activity in a sandbox; no contact with attacker infrastructure by the sample or its dropped executables is recorded in this run.
Files
memory/1468-5-0x0000000000431000-0x0000000000432000-memory.dmp
memory/1468-2-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Liggbi32.exe
| MD5 | f590316a0f7915a3be73e930fe4c5ce1 |
| SHA1 | 96ed54324661c1307eb1d76145928638ed3ad3bf |
| SHA256 | 8a3a52431a4c5b04991576b6276af05e8fb7eb462c1664d0fe922126ed47ea65 |
| SHA512 | 00fce62b648fae20395ddb6368c76d3412cb16db6cf1698ef3ad27c3fd6bf1f5dcd9209911208bf2171c53f082ce0c311f1e0b27aef82ec4c71043d6d82f2631 |
memory/4504-8-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Laalifad.exe
| MD5 | 3c31932bd782f9723b829fc0d3f77ab9 |
| SHA1 | 5bb6542acfb84e874f395087ff33cf9a5a1402a3 |
| SHA256 | cf94f4e63eb11017fccaae795fc5425c363d010dc34183dd2e13b7f3c6c3f79a |
| SHA512 | ff0362e09bf26374cd852ea616d6ffaecc9ca404052fad656fadc80250df4f635879975e5a3c580251a403eb018fb439befc177b60f018132610825ca8984fd1 |
memory/1268-16-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Lkiqbl32.exe
| MD5 | 7b37aa8a520617140a1c9c1812c24d87 |
| SHA1 | 46f4511e7dab41da7f4b3d27e9391e508bbe2cfa |
| SHA256 | d09a9762a2c2e71feea21287059f0adf3ebf0aa8c73b3a4f3a3d972f2209dd8b |
| SHA512 | 07a068ea0f094f9422a287228256236b2d37fc2bac7bff00d4c91691a7bb308ff46bcd947b29c9d65ccd9a42d5aa6233357a9bfa729c31b09b2acfa8844818ee |
memory/2216-29-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Lnhmng32.exe
| MD5 | 8ffd4f2536b2a5bd737d952c0a9c2549 |
| SHA1 | 2a76255ead787290111e3edf31c3c5a58559ee1f |
| SHA256 | 1769748b43a0bc28b7be1dbbd012336d99e71ccfabe5bd5fc66861758533c462 |
| SHA512 | 9390eecd7376bb3368b885158b98fbe4f34962074fc9e0e02a417e4dfd1c94829ce0d6efa5514e12c73e4c94dadbd19ec3f82d48e85340d29475b968400d7f02 |
C:\Windows\SysWOW64\Lpfijcfl.exe
| MD5 | db9a96f5715cca603a4e94c92e4cec55 |
| SHA1 | 797b80efc09f00e666797e98e9b473d76696292c |
| SHA256 | 6d6d13845caf689444bb16b43f0391f9069bdb5a1127fb255441381f3f2425b6 |
| SHA512 | 6ff22609da282e26af21d75ccf6bf5ab815143cc1f658a7d09f7364d427ec862e7a7d1e6f1dca1f5dec31213231b6c25d9bbd762c9226c1e85808d49b59a6a31 |
memory/1276-41-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2344-37-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Mciobn32.exe
| MD5 | 01eff9ad5ebb6fa8db3b0aa436071e99 |
| SHA1 | 382a28cc56469f08490bd6dd65291fcecf5054dd |
| SHA256 | 48a646f59487a8889ec6b291ac5713091218a732f0af98b475580084822eab2c |
| SHA512 | 2a287c961d20a043331f3a671c933165a72aa1c657b4f5f10a72797bdc785a7c69c5e9bb7d594c6152be4183f945b5c74fdaa5d5984ec48bd1762e73239593a2 |
memory/4844-49-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Mjeddggd.exe
| MD5 | 0effe23fa00efbc5cd68d72cbf356e9e |
| SHA1 | 685eba06922bd0bcb513c2d52839abd225e80cc8 |
| SHA256 | 923647e4cb3e2db4b09d6a33f61a0f0f09171da3738f3eb5ec77a2c5eda79ab2 |
| SHA512 | ef1cba34ae919845b832873f73ee50cf31156adbecce1b82584cee6126849937166159c9e963db1d3e20d48d6db9d00d18aed9bcdb6eb9c8739bac8468568e8a |
memory/4968-56-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Mkepnjng.exe
| MD5 | d8976aef1da8cab0e4bb1c8cef8cf66a |
| SHA1 | 0f9d305f1d7515ab153d150dc97a4defadc8c42b |
| SHA256 | 925343b7452e360afcc3ff0e1f66e34849e04ac5919f002969f5d2f693fa7d21 |
| SHA512 | eae89a76f598abf1b9ccff8ab31c552b20e3c267c18aedda69e298b4ec79b19b0e8f41047059fb4ae15c89da7a2553ed998aa6836bfadacc9fab33538f22cbc8 |
memory/3676-65-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Mglack32.exe
| MD5 | 3bac0fa979c942eeeb8172b03fc41bc1 |
| SHA1 | f121b434e4b6e9e83b3b04100e7fb70e70fd8c58 |
| SHA256 | 09e6309618fe4b387bef2055fe873f977785f5bce52a3498da7a9a6c084279a6 |
| SHA512 | b495a790d54ff21d3f7baf88bb286cec8792771d4d1f4d28a7188968160625dbae03dd5fc8560f7e42206b05d899c04b7b7cc8a64884dd22466df1edc82ae7da |
memory/868-73-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Maaepd32.exe
| MD5 | 9f7ca3fd964ef491123290d2e6c97da6 |
| SHA1 | 24d420b66e0130c0fbd9552123cbfd7c8f46d177 |
| SHA256 | 2e61cab514950dd560c6736284bac0968097d0cc7d6d322f3727dc440c8e94af |
| SHA512 | 4c0ca707345c1a6c1446ea9636b7c74a7dcefc5c10e527dbbde53c264d387b8a6a2f49abb935f253f1447621321982506ea0dfcadc603c00131cfe26dba92d54 |
memory/1900-81-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Mcbahlip.exe
| MD5 | 3c524fa02ce17c0b6bc8b03df0d8a989 |
| SHA1 | 809ed32dc45106781697fd9cfe237e70725ba21e |
| SHA256 | 90ea67d03304031da06c9e7693dce1f4c7eb21d8f3096ffef7334aa422e1cc26 |
| SHA512 | f06b79ceaa1862e70567f98796fc4367a1355757b50380075bc72825b22b266c1c0b28de611902076d1f7b1344281d2613b53b9fec6436dc51c03e733798755b |
memory/1540-94-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Nnhfee32.exe
| MD5 | 52b8928624f6571cd6671e3771914ceb |
| SHA1 | 145f81555814da01c41f283415d7d44caa4b55b7 |
| SHA256 | 778e3e7c5441145db896dce0ce692972e9ddbcd6c4b442b436eeed19345e72ef |
| SHA512 | 54b6ed50bd5113aec9cbbf494bc79f17f64669018b47c68dbc751d7106866a1bc62be9e173fa30770f0e4b2390df3f169e227a5eb1f6544902227067d5c8d79b |
memory/948-97-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Nklfoi32.exe
| MD5 | 03bd06f47c4213c6975be82e821a41bc |
| SHA1 | 8b81fade30ac57a283d527c114f4c3dcb71c5bb9 |
| SHA256 | cebd316f508a6ecc128bba141d78a69d2397130cd7aee54d9057b61eda2007b2 |
| SHA512 | cdc78c2c32f484685b8e610feb6107a2d1373b8615ae6fa5df101ea2d8406de82195424cc7550b33cd6b6243688ec5215fd7dc9d64a95b325651a200686f4177 |
C:\Windows\SysWOW64\Nnjbke32.exe
| MD5 | caf91a26e55c564d633f295cb3489242 |
| SHA1 | 03adc2c48cfed67ce406bfc8e19a4d299f119d18 |
| SHA256 | 10e79b13c718697d83dea2ca346b77a5f5bfcb5d7219df35c52d895f48f99e03 |
| SHA512 | fbca761d8503497a770a2366d108308d964689fdf0dca44cabccd0a434bee45c868c5fcf455eb8f4dda0dd4c6f08806361341c3c4767ae4a09eae67cb86f673b |
C:\Windows\SysWOW64\Nddkgonp.exe
| MD5 | 1b94ff9c263f422b82742f1998a481e0 |
| SHA1 | a9cb6cf55e853b05fe269bf0db7a36a35b46e154 |
| SHA256 | d2c6108d43a113e1270c61bfab2070f63cedc2283fe8607d409d2517102cfb1f |
| SHA512 | e0f2c4591602b27cdf32b3fd42a89ee654896c8649afc298dfc4b6a76f79650b49e3f54252ed4d3ed4a7cdc86b4182fa1634e0aa5c5130e6526c7640f2123ace |
C:\Windows\SysWOW64\Nkncdifl.exe
| MD5 | 8132036c5548f06e6ef9ed3bf472807c |
| SHA1 | fa3f72043547571a302f951c3e0325997bc74bd8 |
| SHA256 | cdd0b0ad7cecce9be3c7222f2b59688fd08a9e79ffe7f6dc242cfd6c169e5952 |
| SHA512 | 7361b1b95398e7c14f72cb7aba5b84d058b4205e62022b1d828f8d20a3c58d561adc17857c9cda7a1d5e461b287e1b7ec9b4a9779a98e98bb877f102298fb5e4 |
C:\Windows\SysWOW64\Ndghmo32.exe
| MD5 | 73eb075999980ee6cad8abe11d44a7dd |
| SHA1 | 21bb5e112ea5f9faf1294093c79445ab598c387e |
| SHA256 | 8efe4a58f0beff58549ba72fc301bbdc3943ed1e684a6d2f97cafc3860e062e0 |
| SHA512 | f9dfb17f137b52079f7939f27801ee0332d1d65b483dd3bc984fb20ddcf458806f280f39f0659bbc119c7326f1eeb123c9f04c91233adf77b3e2a4d804d26dde |
C:\Windows\SysWOW64\Nkqpjidj.exe
| MD5 | ea8bbadb272ade35f8b0f36e11529254 |
| SHA1 | faab84ec6d091abcf76feab8a01a629544f0aeaf |
| SHA256 | 33d884ff8db335e4545d2e5ec9603c63448400deed5c4e42498c431b1fb58254 |
| SHA512 | 2d57474e0c333b296b2d1acf3a3b490134c8aa30d90f029e0fde6c23bfeaf96a1fb059536cddfa3b3ab64659b3230b43d0ffb8b9f9ad8b735686b7f9f862ec96 |
C:\Windows\SysWOW64\Nbkhfc32.exe
| MD5 | 0d75049eb7b8f284f333d6f799aac9a3 |
| SHA1 | 05dec32b1ca99128ff62855ee50c992f1f263f15 |
| SHA256 | 54a6ccbb6711a71da16969f6d8b9bdc9d5a85327bac89ed5390f89ead38bb283 |
| SHA512 | a248f24792691efb2e4d9608cc6177988c4b0c6116f49aa8a34109db94ce100c19c14ccee6ee157d68cc161b3e4c09c12039f91a1661a5d785c461a7c51b3975 |
C:\Windows\SysWOW64\Nkcmohbg.exe
| MD5 | ef30b1c25caa3b72752308af0d6d38db |
| SHA1 | b2206ef09ff0e291011ae29f31f06c712825f650 |
| SHA256 | ecbed464db25c8be935dc825e7d6989a2ddc10b3751521a40318d103532483a2 |
| SHA512 | 2966dcf17f7d08b23f84c912454ab68ab965176944f42de80da92be5b606d473f3c6dc29823cd330c8522590f6f17e65633536fdc221f57b3de7f2e1e9eb6511 |
C:\Windows\SysWOW64\Ncldnkae.exe
| MD5 | 34247876e52e31416d18ac33fcbc5d5d |
| SHA1 | aeb7d26fbdcdbb64879e10f1fe1fdac1a646495d |
| SHA256 | a81775004bbc1131df722997746fc4d6afa034e5e91d997b48f867be4e652c43 |
| SHA512 | 4471fdc4acb6d861529c0f3ce4c9b8715f1ff1b3c1b03a622abe4c99bf8d8970cc51305bbae66a8d1d1280ba7018ee59732154e5a5e20b00e98d505e8804cc0b |
C:\Windows\SysWOW64\Ndidbn32.exe
| MD5 | 20e61612dbd2e7f3efd15e2b87e0eb5c |
| SHA1 | 6ca1faca838399066a7cef134e6fb628344f5d82 |
| SHA256 | 581691cb98209dd513fbde313987223b0dfc75e5371126db5eb172f8eb3f5455 |
| SHA512 | 09dcc2661b1c4f123f8babb1505c55e8a059be0677cecdd97e80dd4bf23a0bcd8be8832dd7a21d6bc5cb02cec8211e5186fd1a2801650c8080570835932c65e4 |
memory/868-221-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1468-237-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4504-235-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1268-233-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1276-229-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4844-227-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4968-225-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3676-223-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1900-219-0x0000000000400000-0x0000000000433000-memory.dmp
memory/948-216-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1644-209-0x0000000000400000-0x0000000000433000-memory.dmp
memory/444-207-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2876-205-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4488-203-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2244-201-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2052-199-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3056-197-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1876-195-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Nnolfdcn.exe
| MD5 | eb95cb2b1f2d5c99ecfbeb9416c00c1b |
| SHA1 | 53abd2c8e5abd19559973b485a0f898304212fed |
| SHA256 | cf56932e0150a6b5218ec44e97a58f2d0d5d9e269a064a200cc2ff7501bb835c |
| SHA512 | e2658a2f5e4ac0dc26e009f2f24050ce900b87f4d6f25075aff1e0bef684a1f307b3a148b15948e80dcd12e952586c0039eb839f356fc35978536eed9bb5cd4b |
C:\Windows\SysWOW64\Ngedij32.exe
| MD5 | 7a885308c85c6fa18c3d738b13af2a50 |
| SHA1 | 2992e0cdad4373696b62eeab66f0827b8622a495 |
| SHA256 | 9c8fdc31fb6fe7973566652921130c974c17062665ccd902b67d7bc604644ccc |
| SHA512 | 808d5b4f214c4e2bdd3a3368b4d98b65b5b25a89c771a958084f3de7b542fa2777e10d24af77ce46884f6d4731934e83e50c087fa6b18938427d8aceabceeb22 |
memory/1808-141-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1116-140-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Nbhkac32.exe
| MD5 | 723b0920da76f2331502100f98a45edf |
| SHA1 | e0dbbfc8545b830f6093dbfc31c77b7b8027708a |
| SHA256 | 953880b4f65763701c8b2cd5d6ab023fc1e3fcbc2ffe8d87ac410fe97da9afb0 |
| SHA512 | 957f356cedd380b109fd0a54b0d1dece2de00906c30bbc0e70b24dda540a0bfbd20b888b9fe2002c351265ef83203d97b25884e858027590627f7da7030db5b5 |
memory/860-126-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1212-118-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3344-117-0x0000000000400000-0x0000000000433000-memory.dmp