Malware Analysis Report

2024-10-16 04:32

Sample ID 240602-aqmkjscg84
Target 13319956a82d518d8c2816d9f3c39bb0_NeikiAnalytics.exe
SHA256 6d7304c0699b412ddd483f4ae5e1c2c16bc10970ad4065da837d9f8006bf4165
Tags
backdoor trojan dropper berbew persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6d7304c0699b412ddd483f4ae5e1c2c16bc10970ad4065da837d9f8006bf4165

Threat Level: Known bad

The file 13319956a82d518d8c2816d9f3c39bb0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

backdoor trojan dropper berbew persistence

Malware Dropper & Backdoor - Berbew

Berbew family

Adds autorun key to be loaded by Explorer.exe on startup

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Program crash

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-02 00:25

Signatures

Berbew family

berbew

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-02 00:25

Reported

2024-06-02 00:27

Platform

win7-20240221-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\13319956a82d518d8c2816d9f3c39bb0_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ebinic32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ffpmnf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hmlnoc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hacmcfge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Eflgccbp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Fejgko32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Fddmgjpo.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gelppaof.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Gogangdc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hknach32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hhmepp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Iaeiieeb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Djnpnc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Eecqjpee.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Gmgdddmq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Idceea32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dqjepm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Fmhheqje.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gopkmhjk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gldkfl32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gkkemh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hacmcfge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ebbgid32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ghmiam32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hlcgeo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eloemi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fhhcgj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Feeiob32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hdfflm32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Icbimi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Eqonkmdh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Elmigj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Fmcoja32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fhkpmjln.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Geolea32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hggomh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eecqjpee.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Filldb32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gaemjbcg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hicodd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hjhhocjj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hpmgqnfl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hpapln32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Epfhbign.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Fbdqmghm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Fmjejphb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gmgdddmq.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ghmiam32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hicodd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ilknfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hknach32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hmlnoc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dkhcmgnl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dkhcmgnl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ddcdkl32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Emcbkn32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fmcoja32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Gobgcg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Idceea32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ihoafpmp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\13319956a82d518d8c2816d9f3c39bb0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dgmglh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eeempocb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gddifnbk.exe N/A

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Ckffgg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgmglh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkhcmgnl.exe N/A
N/A N/A C:\Windows\SysWOW64\Dodonf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dbbkja32.exe N/A
N/A N/A C:\Windows\SysWOW64\Djnpnc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddcdkl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkmmhf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqjepm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dchali32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfijnd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Emcbkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eqonkmdh.exe N/A
N/A N/A C:\Windows\SysWOW64\Eflgccbp.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejgcdb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Emeopn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebbgid32.exe N/A
N/A N/A C:\Windows\SysWOW64\Epfhbign.exe N/A
N/A N/A C:\Windows\SysWOW64\Eecqjpee.exe N/A
N/A N/A C:\Windows\SysWOW64\Elmigj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Enkece32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eajaoq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eeempocb.exe N/A
N/A N/A C:\Windows\SysWOW64\Eloemi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebinic32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fhffaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fnpnndgp.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmcoja32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fejgko32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fhhcgj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fnbkddem.exe N/A
N/A N/A C:\Windows\SysWOW64\Fpdhklkl.exe N/A
N/A N/A C:\Windows\SysWOW64\Fhkpmjln.exe N/A
N/A N/A C:\Windows\SysWOW64\Filldb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmhheqje.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbdqmghm.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffpmnf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmjejphb.exe N/A
N/A N/A C:\Windows\SysWOW64\Flmefm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fddmgjpo.exe N/A
N/A N/A C:\Windows\SysWOW64\Feeiob32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmlapp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gonnhhln.exe N/A
N/A N/A C:\Windows\SysWOW64\Gfefiemq.exe N/A
N/A N/A C:\Windows\SysWOW64\Gicbeald.exe N/A
N/A N/A C:\Windows\SysWOW64\Glaoalkh.exe N/A
N/A N/A C:\Windows\SysWOW64\Gopkmhjk.exe N/A
N/A N/A C:\Windows\SysWOW64\Gangic32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gieojq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gldkfl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gobgcg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gaqcoc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gelppaof.exe N/A
N/A N/A C:\Windows\SysWOW64\Glfhll32.exe N/A
N/A N/A C:\Windows\SysWOW64\Goddhg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gmgdddmq.exe N/A
N/A N/A C:\Windows\SysWOW64\Geolea32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghmiam32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gkkemh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gogangdc.exe N/A
N/A N/A C:\Windows\SysWOW64\Gaemjbcg.exe N/A
N/A N/A C:\Windows\SysWOW64\Gddifnbk.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghoegl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hknach32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\13319956a82d518d8c2816d9f3c39bb0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13319956a82d518d8c2816d9f3c39bb0_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckffgg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckffgg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgmglh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgmglh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkhcmgnl.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkhcmgnl.exe N/A
N/A N/A C:\Windows\SysWOW64\Dodonf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dodonf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dbbkja32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dbbkja32.exe N/A
N/A N/A C:\Windows\SysWOW64\Djnpnc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Djnpnc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddcdkl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddcdkl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkmmhf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkmmhf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqjepm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqjepm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dchali32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dchali32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfijnd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfijnd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Emcbkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Emcbkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eqonkmdh.exe N/A
N/A N/A C:\Windows\SysWOW64\Eqonkmdh.exe N/A
N/A N/A C:\Windows\SysWOW64\Eflgccbp.exe N/A
N/A N/A C:\Windows\SysWOW64\Eflgccbp.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejgcdb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejgcdb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Emeopn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Emeopn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebbgid32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebbgid32.exe N/A
N/A N/A C:\Windows\SysWOW64\Epfhbign.exe N/A
N/A N/A C:\Windows\SysWOW64\Epfhbign.exe N/A
N/A N/A C:\Windows\SysWOW64\Eecqjpee.exe N/A
N/A N/A C:\Windows\SysWOW64\Eecqjpee.exe N/A
N/A N/A C:\Windows\SysWOW64\Elmigj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Elmigj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Enkece32.exe N/A
N/A N/A C:\Windows\SysWOW64\Enkece32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eajaoq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eajaoq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eeempocb.exe N/A
N/A N/A C:\Windows\SysWOW64\Eeempocb.exe N/A
N/A N/A C:\Windows\SysWOW64\Eloemi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eloemi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebinic32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebinic32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fhffaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fhffaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fnpnndgp.exe N/A
N/A N/A C:\Windows\SysWOW64\Fnpnndgp.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmcoja32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmcoja32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fejgko32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fejgko32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fhhcgj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fhhcgj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fnbkddem.exe N/A
N/A N/A C:\Windows\SysWOW64\Fnbkddem.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Hlcgeo32.exe C:\Windows\SysWOW64\Hejoiedd.exe N/A
File created C:\Windows\SysWOW64\Kjnifgah.dll C:\Windows\SysWOW64\Hejoiedd.exe N/A
File created C:\Windows\SysWOW64\Emcbkn32.exe C:\Windows\SysWOW64\Dfijnd32.exe N/A
File created C:\Windows\SysWOW64\Fhkpmjln.exe C:\Windows\SysWOW64\Fpdhklkl.exe N/A
File opened for modification C:\Windows\SysWOW64\Gobgcg32.exe C:\Windows\SysWOW64\Gldkfl32.exe N/A
File created C:\Windows\SysWOW64\Ooghhh32.dll C:\Windows\SysWOW64\Gelppaof.exe N/A
File created C:\Windows\SysWOW64\Pqiqnfej.dll C:\Windows\SysWOW64\Iaeiieeb.exe N/A
File created C:\Windows\SysWOW64\Ioijbj32.exe C:\Windows\SysWOW64\Ilknfn32.exe N/A
File created C:\Windows\SysWOW64\Eajaoq32.exe C:\Windows\SysWOW64\Enkece32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fmlapp32.exe C:\Windows\SysWOW64\Feeiob32.exe N/A
File created C:\Windows\SysWOW64\Hghmjpap.dll C:\Windows\SysWOW64\Gonnhhln.exe N/A
File created C:\Windows\SysWOW64\Hahjpbad.exe C:\Windows\SysWOW64\Hmlnoc32.exe N/A
File created C:\Windows\SysWOW64\Cgcmfjnn.dll C:\Windows\SysWOW64\Dchali32.exe N/A
File created C:\Windows\SysWOW64\Glaoalkh.exe C:\Windows\SysWOW64\Gicbeald.exe N/A
File opened for modification C:\Windows\SysWOW64\Dfijnd32.exe C:\Windows\SysWOW64\Dchali32.exe N/A
File created C:\Windows\SysWOW64\Fmcoja32.exe C:\Windows\SysWOW64\Fnpnndgp.exe N/A
File opened for modification C:\Windows\SysWOW64\Gkkemh32.exe C:\Windows\SysWOW64\Ghmiam32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gogangdc.exe C:\Windows\SysWOW64\Gkkemh32.exe N/A
File created C:\Windows\SysWOW64\Iaeiieeb.exe C:\Windows\SysWOW64\Icbimi32.exe N/A
File created C:\Windows\SysWOW64\Ddcdkl32.exe C:\Windows\SysWOW64\Djnpnc32.exe N/A
File created C:\Windows\SysWOW64\Eqonkmdh.exe C:\Windows\SysWOW64\Emcbkn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Eflgccbp.exe C:\Windows\SysWOW64\Eqonkmdh.exe N/A
File opened for modification C:\Windows\SysWOW64\Eeempocb.exe C:\Windows\SysWOW64\Eajaoq32.exe N/A
File created C:\Windows\SysWOW64\Pfabenjd.dll C:\Windows\SysWOW64\Gaemjbcg.exe N/A
File created C:\Windows\SysWOW64\Fenhecef.dll C:\Windows\SysWOW64\Hgilchkf.exe N/A
File created C:\Windows\SysWOW64\Enkece32.exe C:\Windows\SysWOW64\Elmigj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Feeiob32.exe C:\Windows\SysWOW64\Fddmgjpo.exe N/A
File created C:\Windows\SysWOW64\Hmlnoc32.exe C:\Windows\SysWOW64\Hknach32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hgdbhi32.exe C:\Windows\SysWOW64\Hdfflm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gicbeald.exe C:\Windows\SysWOW64\Gfefiemq.exe N/A
File created C:\Windows\SysWOW64\Gaqcoc32.exe C:\Windows\SysWOW64\Gobgcg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dqjepm32.exe C:\Windows\SysWOW64\Dkmmhf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Elmigj32.exe C:\Windows\SysWOW64\Eecqjpee.exe N/A
File created C:\Windows\SysWOW64\Qdcbfq32.dll C:\Windows\SysWOW64\Fmcoja32.exe N/A
File created C:\Windows\SysWOW64\Hdfflm32.exe C:\Windows\SysWOW64\Hahjpbad.exe N/A
File created C:\Windows\SysWOW64\Phofkg32.dll C:\Windows\SysWOW64\Hahjpbad.exe N/A
File created C:\Windows\SysWOW64\Ihoafpmp.exe C:\Windows\SysWOW64\Idceea32.exe N/A
File opened for modification C:\Windows\SysWOW64\Eqonkmdh.exe C:\Windows\SysWOW64\Emcbkn32.exe N/A
File created C:\Windows\SysWOW64\Fddmgjpo.exe C:\Windows\SysWOW64\Flmefm32.exe N/A
File created C:\Windows\SysWOW64\Gpekfank.dll C:\Windows\SysWOW64\Gddifnbk.exe N/A
File opened for modification C:\Windows\SysWOW64\Dkhcmgnl.exe C:\Windows\SysWOW64\Dgmglh32.exe N/A
File created C:\Windows\SysWOW64\Eloemi32.exe C:\Windows\SysWOW64\Eeempocb.exe N/A
File opened for modification C:\Windows\SysWOW64\Hahjpbad.exe C:\Windows\SysWOW64\Hmlnoc32.exe N/A
File created C:\Windows\SysWOW64\Alogkm32.dll C:\Windows\SysWOW64\Hpapln32.exe N/A
File created C:\Windows\SysWOW64\Amammd32.dll C:\Windows\SysWOW64\Idceea32.exe N/A
File created C:\Windows\SysWOW64\Anapbp32.dll C:\Windows\SysWOW64\Djnpnc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Emcbkn32.exe C:\Windows\SysWOW64\Dfijnd32.exe N/A
File created C:\Windows\SysWOW64\Elmigj32.exe C:\Windows\SysWOW64\Eecqjpee.exe N/A
File opened for modification C:\Windows\SysWOW64\Fhhcgj32.exe C:\Windows\SysWOW64\Fejgko32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fddmgjpo.exe C:\Windows\SysWOW64\Flmefm32.exe N/A
File created C:\Windows\SysWOW64\Dbbkja32.exe C:\Windows\SysWOW64\Dodonf32.exe N/A
File created C:\Windows\SysWOW64\Fejgko32.exe C:\Windows\SysWOW64\Fmcoja32.exe N/A
File created C:\Windows\SysWOW64\Pnnclg32.dll C:\Windows\SysWOW64\Gieojq32.exe N/A
File created C:\Windows\SysWOW64\Hlakpp32.exe C:\Windows\SysWOW64\Hicodd32.exe N/A
File created C:\Windows\SysWOW64\Lbidmekh.dll C:\Windows\SysWOW64\Elmigj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hknach32.exe C:\Windows\SysWOW64\Ghoegl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ioijbj32.exe C:\Windows\SysWOW64\Ilknfn32.exe N/A
File created C:\Windows\SysWOW64\Clphjpmh.dll C:\Windows\SysWOW64\Fmhheqje.exe N/A
File opened for modification C:\Windows\SysWOW64\Ffpmnf32.exe C:\Windows\SysWOW64\Fbdqmghm.exe N/A
File created C:\Windows\SysWOW64\Gcaciakh.dll C:\Windows\SysWOW64\Gogangdc.exe N/A
File created C:\Windows\SysWOW64\Jnmgmhmc.dll C:\Windows\SysWOW64\Fmjejphb.exe N/A
File opened for modification C:\Windows\SysWOW64\Gmgdddmq.exe C:\Windows\SysWOW64\Goddhg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gddifnbk.exe C:\Windows\SysWOW64\Gaemjbcg.exe N/A
File created C:\Windows\SysWOW64\Hejoiedd.exe C:\Windows\SysWOW64\Hggomh32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Iaeiieeb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dqjepm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nobdlg32.dll" C:\Windows\SysWOW64\Dqjepm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Enkece32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hkkalk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Gopkmhjk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Hahjpbad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjnifgah.dll" C:\Windows\SysWOW64\Hejoiedd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gobgcg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ghoegl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} C:\Users\Admin\AppData\Local\Temp\13319956a82d518d8c2816d9f3c39bb0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Eecqjpee.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Eajaoq32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Gldkfl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgcmfjnn.dll" C:\Windows\SysWOW64\Dchali32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gieojq32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Hkkalk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ebbgid32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdcbfq32.dll" C:\Windows\SysWOW64\Fmcoja32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fddmgjpo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnempl32.dll" C:\Windows\SysWOW64\Geolea32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hjjddchg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Idceea32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Gieojq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gogangdc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anllbdkl.dll" C:\Windows\SysWOW64\Hicodd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hciofb32.dll" C:\Windows\SysWOW64\Hlcgeo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\13319956a82d518d8c2816d9f3c39bb0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dchali32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Eflgccbp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Fhkpmjln.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lopekk32.dll" C:\Windows\SysWOW64\Epfhbign.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addnil32.dll" C:\Windows\SysWOW64\Gicbeald.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Gddifnbk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkkmeglp.dll" C:\Windows\SysWOW64\Hgdbhi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Hobcak32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njqaac32.dll" C:\Windows\SysWOW64\Eflgccbp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Eeempocb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Fmjejphb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gldkfl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Geolea32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hicodd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hlcgeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hhmepp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dkhcmgnl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gadkgl32.dll" C:\Windows\SysWOW64\Ebinic32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Fmcoja32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbpij32.dll" C:\Windows\SysWOW64\Glfhll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Gaqcoc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hahjpbad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dkmmhf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Epfhbign.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ebinic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njmekj32.dll" C:\Windows\SysWOW64\Hmlnoc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Icbimi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnijonn.dll" C:\Windows\SysWOW64\Ilknfn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dbbkja32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Eajaoq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnnclg32.dll" C:\Windows\SysWOW64\Gieojq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gelppaof.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Djnpnc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Geolea32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Gaemjbcg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oecbjjic.dll" C:\Windows\SysWOW64\Fmlapp32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1040 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\13319956a82d518d8c2816d9f3c39bb0_NeikiAnalytics.exe C:\Windows\SysWOW64\Ckffgg32.exe
PID 1040 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\13319956a82d518d8c2816d9f3c39bb0_NeikiAnalytics.exe C:\Windows\SysWOW64\Ckffgg32.exe
PID 1040 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\13319956a82d518d8c2816d9f3c39bb0_NeikiAnalytics.exe C:\Windows\SysWOW64\Ckffgg32.exe
PID 1040 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\13319956a82d518d8c2816d9f3c39bb0_NeikiAnalytics.exe C:\Windows\SysWOW64\Ckffgg32.exe
PID 2924 wrote to memory of 2516 N/A C:\Windows\SysWOW64\Ckffgg32.exe C:\Windows\SysWOW64\Dgmglh32.exe
PID 2924 wrote to memory of 2516 N/A C:\Windows\SysWOW64\Ckffgg32.exe C:\Windows\SysWOW64\Dgmglh32.exe
PID 2924 wrote to memory of 2516 N/A C:\Windows\SysWOW64\Ckffgg32.exe C:\Windows\SysWOW64\Dgmglh32.exe
PID 2924 wrote to memory of 2516 N/A C:\Windows\SysWOW64\Ckffgg32.exe C:\Windows\SysWOW64\Dgmglh32.exe
PID 2516 wrote to memory of 2568 N/A C:\Windows\SysWOW64\Dgmglh32.exe C:\Windows\SysWOW64\Dkhcmgnl.exe
PID 2516 wrote to memory of 2568 N/A C:\Windows\SysWOW64\Dgmglh32.exe C:\Windows\SysWOW64\Dkhcmgnl.exe
PID 2516 wrote to memory of 2568 N/A C:\Windows\SysWOW64\Dgmglh32.exe C:\Windows\SysWOW64\Dkhcmgnl.exe
PID 2516 wrote to memory of 2568 N/A C:\Windows\SysWOW64\Dgmglh32.exe C:\Windows\SysWOW64\Dkhcmgnl.exe
PID 2568 wrote to memory of 2396 N/A C:\Windows\SysWOW64\Dkhcmgnl.exe C:\Windows\SysWOW64\Dodonf32.exe
PID 2568 wrote to memory of 2396 N/A C:\Windows\SysWOW64\Dkhcmgnl.exe C:\Windows\SysWOW64\Dodonf32.exe
PID 2568 wrote to memory of 2396 N/A C:\Windows\SysWOW64\Dkhcmgnl.exe C:\Windows\SysWOW64\Dodonf32.exe
PID 2568 wrote to memory of 2396 N/A C:\Windows\SysWOW64\Dkhcmgnl.exe C:\Windows\SysWOW64\Dodonf32.exe
PID 2396 wrote to memory of 2640 N/A C:\Windows\SysWOW64\Dodonf32.exe C:\Windows\SysWOW64\Dbbkja32.exe
PID 2396 wrote to memory of 2640 N/A C:\Windows\SysWOW64\Dodonf32.exe C:\Windows\SysWOW64\Dbbkja32.exe
PID 2396 wrote to memory of 2640 N/A C:\Windows\SysWOW64\Dodonf32.exe C:\Windows\SysWOW64\Dbbkja32.exe
PID 2396 wrote to memory of 2640 N/A C:\Windows\SysWOW64\Dodonf32.exe C:\Windows\SysWOW64\Dbbkja32.exe
PID 2640 wrote to memory of 1692 N/A C:\Windows\SysWOW64\Dbbkja32.exe C:\Windows\SysWOW64\Djnpnc32.exe
PID 2640 wrote to memory of 1692 N/A C:\Windows\SysWOW64\Dbbkja32.exe C:\Windows\SysWOW64\Djnpnc32.exe
PID 2640 wrote to memory of 1692 N/A C:\Windows\SysWOW64\Dbbkja32.exe C:\Windows\SysWOW64\Djnpnc32.exe
PID 2640 wrote to memory of 1692 N/A C:\Windows\SysWOW64\Dbbkja32.exe C:\Windows\SysWOW64\Djnpnc32.exe
PID 1692 wrote to memory of 472 N/A C:\Windows\SysWOW64\Djnpnc32.exe C:\Windows\SysWOW64\Ddcdkl32.exe
PID 1692 wrote to memory of 472 N/A C:\Windows\SysWOW64\Djnpnc32.exe C:\Windows\SysWOW64\Ddcdkl32.exe
PID 1692 wrote to memory of 472 N/A C:\Windows\SysWOW64\Djnpnc32.exe C:\Windows\SysWOW64\Ddcdkl32.exe
PID 1692 wrote to memory of 472 N/A C:\Windows\SysWOW64\Djnpnc32.exe C:\Windows\SysWOW64\Ddcdkl32.exe
PID 472 wrote to memory of 2424 N/A C:\Windows\SysWOW64\Ddcdkl32.exe C:\Windows\SysWOW64\Dkmmhf32.exe
PID 472 wrote to memory of 2424 N/A C:\Windows\SysWOW64\Ddcdkl32.exe C:\Windows\SysWOW64\Dkmmhf32.exe
PID 472 wrote to memory of 2424 N/A C:\Windows\SysWOW64\Ddcdkl32.exe C:\Windows\SysWOW64\Dkmmhf32.exe
PID 472 wrote to memory of 2424 N/A C:\Windows\SysWOW64\Ddcdkl32.exe C:\Windows\SysWOW64\Dkmmhf32.exe
PID 2424 wrote to memory of 1800 N/A C:\Windows\SysWOW64\Dkmmhf32.exe C:\Windows\SysWOW64\Dqjepm32.exe
PID 2424 wrote to memory of 1800 N/A C:\Windows\SysWOW64\Dkmmhf32.exe C:\Windows\SysWOW64\Dqjepm32.exe
PID 2424 wrote to memory of 1800 N/A C:\Windows\SysWOW64\Dkmmhf32.exe C:\Windows\SysWOW64\Dqjepm32.exe
PID 2424 wrote to memory of 1800 N/A C:\Windows\SysWOW64\Dkmmhf32.exe C:\Windows\SysWOW64\Dqjepm32.exe
PID 1800 wrote to memory of 2136 N/A C:\Windows\SysWOW64\Dqjepm32.exe C:\Windows\SysWOW64\Dchali32.exe
PID 1800 wrote to memory of 2136 N/A C:\Windows\SysWOW64\Dqjepm32.exe C:\Windows\SysWOW64\Dchali32.exe
PID 1800 wrote to memory of 2136 N/A C:\Windows\SysWOW64\Dqjepm32.exe C:\Windows\SysWOW64\Dchali32.exe
PID 1800 wrote to memory of 2136 N/A C:\Windows\SysWOW64\Dqjepm32.exe C:\Windows\SysWOW64\Dchali32.exe
PID 2136 wrote to memory of 1596 N/A C:\Windows\SysWOW64\Dchali32.exe C:\Windows\SysWOW64\Dfijnd32.exe
PID 2136 wrote to memory of 1596 N/A C:\Windows\SysWOW64\Dchali32.exe C:\Windows\SysWOW64\Dfijnd32.exe
PID 2136 wrote to memory of 1596 N/A C:\Windows\SysWOW64\Dchali32.exe C:\Windows\SysWOW64\Dfijnd32.exe
PID 2136 wrote to memory of 1596 N/A C:\Windows\SysWOW64\Dchali32.exe C:\Windows\SysWOW64\Dfijnd32.exe
PID 1596 wrote to memory of 544 N/A C:\Windows\SysWOW64\Dfijnd32.exe C:\Windows\SysWOW64\Emcbkn32.exe
PID 1596 wrote to memory of 544 N/A C:\Windows\SysWOW64\Dfijnd32.exe C:\Windows\SysWOW64\Emcbkn32.exe
PID 1596 wrote to memory of 544 N/A C:\Windows\SysWOW64\Dfijnd32.exe C:\Windows\SysWOW64\Emcbkn32.exe
PID 1596 wrote to memory of 544 N/A C:\Windows\SysWOW64\Dfijnd32.exe C:\Windows\SysWOW64\Emcbkn32.exe
PID 544 wrote to memory of 2688 N/A C:\Windows\SysWOW64\Emcbkn32.exe C:\Windows\SysWOW64\Eqonkmdh.exe
PID 544 wrote to memory of 2688 N/A C:\Windows\SysWOW64\Emcbkn32.exe C:\Windows\SysWOW64\Eqonkmdh.exe
PID 544 wrote to memory of 2688 N/A C:\Windows\SysWOW64\Emcbkn32.exe C:\Windows\SysWOW64\Eqonkmdh.exe
PID 544 wrote to memory of 2688 N/A C:\Windows\SysWOW64\Emcbkn32.exe C:\Windows\SysWOW64\Eqonkmdh.exe
PID 2688 wrote to memory of 3028 N/A C:\Windows\SysWOW64\Eqonkmdh.exe C:\Windows\SysWOW64\Eflgccbp.exe
PID 2688 wrote to memory of 3028 N/A C:\Windows\SysWOW64\Eqonkmdh.exe C:\Windows\SysWOW64\Eflgccbp.exe
PID 2688 wrote to memory of 3028 N/A C:\Windows\SysWOW64\Eqonkmdh.exe C:\Windows\SysWOW64\Eflgccbp.exe
PID 2688 wrote to memory of 3028 N/A C:\Windows\SysWOW64\Eqonkmdh.exe C:\Windows\SysWOW64\Eflgccbp.exe
PID 3028 wrote to memory of 2204 N/A C:\Windows\SysWOW64\Eflgccbp.exe C:\Windows\SysWOW64\Ejgcdb32.exe
PID 3028 wrote to memory of 2204 N/A C:\Windows\SysWOW64\Eflgccbp.exe C:\Windows\SysWOW64\Ejgcdb32.exe
PID 3028 wrote to memory of 2204 N/A C:\Windows\SysWOW64\Eflgccbp.exe C:\Windows\SysWOW64\Ejgcdb32.exe
PID 3028 wrote to memory of 2204 N/A C:\Windows\SysWOW64\Eflgccbp.exe C:\Windows\SysWOW64\Ejgcdb32.exe
PID 2204 wrote to memory of 1420 N/A C:\Windows\SysWOW64\Ejgcdb32.exe C:\Windows\SysWOW64\Emeopn32.exe
PID 2204 wrote to memory of 1420 N/A C:\Windows\SysWOW64\Ejgcdb32.exe C:\Windows\SysWOW64\Emeopn32.exe
PID 2204 wrote to memory of 1420 N/A C:\Windows\SysWOW64\Ejgcdb32.exe C:\Windows\SysWOW64\Emeopn32.exe
PID 2204 wrote to memory of 1420 N/A C:\Windows\SysWOW64\Ejgcdb32.exe C:\Windows\SysWOW64\Emeopn32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\13319956a82d518d8c2816d9f3c39bb0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\13319956a82d518d8c2816d9f3c39bb0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Ckffgg32.exe

C:\Windows\system32\Ckffgg32.exe

C:\Windows\SysWOW64\Dgmglh32.exe

C:\Windows\system32\Dgmglh32.exe

C:\Windows\SysWOW64\Dkhcmgnl.exe

C:\Windows\system32\Dkhcmgnl.exe

C:\Windows\SysWOW64\Dodonf32.exe

C:\Windows\system32\Dodonf32.exe

C:\Windows\SysWOW64\Dbbkja32.exe

C:\Windows\system32\Dbbkja32.exe

C:\Windows\SysWOW64\Djnpnc32.exe

C:\Windows\system32\Djnpnc32.exe

C:\Windows\SysWOW64\Ddcdkl32.exe

C:\Windows\system32\Ddcdkl32.exe

C:\Windows\SysWOW64\Dkmmhf32.exe

C:\Windows\system32\Dkmmhf32.exe

C:\Windows\SysWOW64\Dqjepm32.exe

C:\Windows\system32\Dqjepm32.exe

C:\Windows\SysWOW64\Dchali32.exe

C:\Windows\system32\Dchali32.exe

C:\Windows\SysWOW64\Dfijnd32.exe

C:\Windows\system32\Dfijnd32.exe

C:\Windows\SysWOW64\Emcbkn32.exe

C:\Windows\system32\Emcbkn32.exe

C:\Windows\SysWOW64\Eqonkmdh.exe

C:\Windows\system32\Eqonkmdh.exe

C:\Windows\SysWOW64\Eflgccbp.exe

C:\Windows\system32\Eflgccbp.exe

C:\Windows\SysWOW64\Ejgcdb32.exe

C:\Windows\system32\Ejgcdb32.exe

C:\Windows\SysWOW64\Emeopn32.exe

C:\Windows\system32\Emeopn32.exe

C:\Windows\SysWOW64\Ebbgid32.exe

C:\Windows\system32\Ebbgid32.exe

C:\Windows\SysWOW64\Epfhbign.exe

C:\Windows\system32\Epfhbign.exe

C:\Windows\SysWOW64\Eecqjpee.exe

C:\Windows\system32\Eecqjpee.exe

C:\Windows\SysWOW64\Elmigj32.exe

C:\Windows\system32\Elmigj32.exe

C:\Windows\SysWOW64\Enkece32.exe

C:\Windows\system32\Enkece32.exe

C:\Windows\SysWOW64\Eajaoq32.exe

C:\Windows\system32\Eajaoq32.exe

C:\Windows\SysWOW64\Eeempocb.exe

C:\Windows\system32\Eeempocb.exe

C:\Windows\SysWOW64\Eloemi32.exe

C:\Windows\system32\Eloemi32.exe

C:\Windows\SysWOW64\Ebinic32.exe

C:\Windows\system32\Ebinic32.exe

C:\Windows\SysWOW64\Fhffaj32.exe

C:\Windows\system32\Fhffaj32.exe

C:\Windows\SysWOW64\Fnpnndgp.exe

C:\Windows\system32\Fnpnndgp.exe

C:\Windows\SysWOW64\Fmcoja32.exe

C:\Windows\system32\Fmcoja32.exe

C:\Windows\SysWOW64\Fejgko32.exe

C:\Windows\system32\Fejgko32.exe

C:\Windows\SysWOW64\Fhhcgj32.exe

C:\Windows\system32\Fhhcgj32.exe

C:\Windows\SysWOW64\Fnbkddem.exe

C:\Windows\system32\Fnbkddem.exe

C:\Windows\SysWOW64\Fpdhklkl.exe

C:\Windows\system32\Fpdhklkl.exe

C:\Windows\SysWOW64\Fhkpmjln.exe

C:\Windows\system32\Fhkpmjln.exe

C:\Windows\SysWOW64\Filldb32.exe

C:\Windows\system32\Filldb32.exe

C:\Windows\SysWOW64\Fmhheqje.exe

C:\Windows\system32\Fmhheqje.exe

C:\Windows\SysWOW64\Fbdqmghm.exe

C:\Windows\system32\Fbdqmghm.exe

C:\Windows\SysWOW64\Ffpmnf32.exe

C:\Windows\system32\Ffpmnf32.exe

C:\Windows\SysWOW64\Fmjejphb.exe

C:\Windows\system32\Fmjejphb.exe

C:\Windows\SysWOW64\Flmefm32.exe

C:\Windows\system32\Flmefm32.exe

C:\Windows\SysWOW64\Fddmgjpo.exe

C:\Windows\system32\Fddmgjpo.exe

C:\Windows\SysWOW64\Feeiob32.exe

C:\Windows\system32\Feeiob32.exe

C:\Windows\SysWOW64\Fmlapp32.exe

C:\Windows\system32\Fmlapp32.exe

C:\Windows\SysWOW64\Gonnhhln.exe

C:\Windows\system32\Gonnhhln.exe

C:\Windows\SysWOW64\Gfefiemq.exe

C:\Windows\system32\Gfefiemq.exe

C:\Windows\SysWOW64\Gicbeald.exe

C:\Windows\system32\Gicbeald.exe

C:\Windows\SysWOW64\Glaoalkh.exe

C:\Windows\system32\Glaoalkh.exe

C:\Windows\SysWOW64\Gopkmhjk.exe

C:\Windows\system32\Gopkmhjk.exe

C:\Windows\SysWOW64\Gangic32.exe

C:\Windows\system32\Gangic32.exe

C:\Windows\SysWOW64\Gieojq32.exe

C:\Windows\system32\Gieojq32.exe

C:\Windows\SysWOW64\Gldkfl32.exe

C:\Windows\system32\Gldkfl32.exe

C:\Windows\SysWOW64\Gobgcg32.exe

C:\Windows\system32\Gobgcg32.exe

C:\Windows\SysWOW64\Gaqcoc32.exe

C:\Windows\system32\Gaqcoc32.exe

C:\Windows\SysWOW64\Gelppaof.exe

C:\Windows\system32\Gelppaof.exe

C:\Windows\SysWOW64\Glfhll32.exe

C:\Windows\system32\Glfhll32.exe

C:\Windows\SysWOW64\Goddhg32.exe

C:\Windows\system32\Goddhg32.exe

C:\Windows\SysWOW64\Gmgdddmq.exe

C:\Windows\system32\Gmgdddmq.exe

C:\Windows\SysWOW64\Geolea32.exe

C:\Windows\system32\Geolea32.exe

C:\Windows\SysWOW64\Ghmiam32.exe

C:\Windows\system32\Ghmiam32.exe

C:\Windows\SysWOW64\Gkkemh32.exe

C:\Windows\system32\Gkkemh32.exe

C:\Windows\SysWOW64\Gogangdc.exe

C:\Windows\system32\Gogangdc.exe

C:\Windows\SysWOW64\Gaemjbcg.exe

C:\Windows\system32\Gaemjbcg.exe

C:\Windows\SysWOW64\Gddifnbk.exe

C:\Windows\system32\Gddifnbk.exe

C:\Windows\SysWOW64\Ghoegl32.exe

C:\Windows\system32\Ghoegl32.exe

C:\Windows\SysWOW64\Hknach32.exe

C:\Windows\system32\Hknach32.exe

C:\Windows\SysWOW64\Hmlnoc32.exe

C:\Windows\system32\Hmlnoc32.exe

C:\Windows\SysWOW64\Hahjpbad.exe

C:\Windows\system32\Hahjpbad.exe

C:\Windows\SysWOW64\Hdfflm32.exe

C:\Windows\system32\Hdfflm32.exe

C:\Windows\SysWOW64\Hgdbhi32.exe

C:\Windows\system32\Hgdbhi32.exe

C:\Windows\SysWOW64\Hicodd32.exe

C:\Windows\system32\Hicodd32.exe

C:\Windows\SysWOW64\Hlakpp32.exe

C:\Windows\system32\Hlakpp32.exe

C:\Windows\SysWOW64\Hpmgqnfl.exe

C:\Windows\system32\Hpmgqnfl.exe

C:\Windows\SysWOW64\Hdhbam32.exe

C:\Windows\system32\Hdhbam32.exe

C:\Windows\SysWOW64\Hggomh32.exe

C:\Windows\system32\Hggomh32.exe

C:\Windows\SysWOW64\Hejoiedd.exe

C:\Windows\system32\Hejoiedd.exe

C:\Windows\SysWOW64\Hlcgeo32.exe

C:\Windows\system32\Hlcgeo32.exe

C:\Windows\SysWOW64\Hpocfncj.exe

C:\Windows\system32\Hpocfncj.exe

C:\Windows\SysWOW64\Hobcak32.exe

C:\Windows\system32\Hobcak32.exe

C:\Windows\SysWOW64\Hgilchkf.exe

C:\Windows\system32\Hgilchkf.exe

C:\Windows\SysWOW64\Hjhhocjj.exe

C:\Windows\system32\Hjhhocjj.exe

C:\Windows\SysWOW64\Hlfdkoin.exe

C:\Windows\system32\Hlfdkoin.exe

C:\Windows\SysWOW64\Hpapln32.exe

C:\Windows\system32\Hpapln32.exe

C:\Windows\SysWOW64\Hacmcfge.exe

C:\Windows\system32\Hacmcfge.exe

C:\Windows\SysWOW64\Hjjddchg.exe

C:\Windows\system32\Hjjddchg.exe

C:\Windows\SysWOW64\Hhmepp32.exe

C:\Windows\system32\Hhmepp32.exe

C:\Windows\SysWOW64\Hkkalk32.exe

C:\Windows\system32\Hkkalk32.exe

C:\Windows\SysWOW64\Icbimi32.exe

C:\Windows\system32\Icbimi32.exe

C:\Windows\SysWOW64\Iaeiieeb.exe

C:\Windows\system32\Iaeiieeb.exe

C:\Windows\SysWOW64\Idceea32.exe

C:\Windows\system32\Idceea32.exe

C:\Windows\SysWOW64\Ihoafpmp.exe

C:\Windows\system32\Ihoafpmp.exe

C:\Windows\SysWOW64\Ilknfn32.exe

C:\Windows\system32\Ilknfn32.exe

C:\Windows\SysWOW64\Ioijbj32.exe

C:\Windows\system32\Ioijbj32.exe

C:\Windows\SysWOW64\Iagfoe32.exe

C:\Windows\system32\Iagfoe32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 140

Network

N/A

Files

memory/1040-0-0x0000000000400000-0x0000000000447000-memory.dmp

\Windows\SysWOW64\Ckffgg32.exe

MD5 2fc5f928030c7b6b59cb290f17355493
SHA1 b3e5761cb1c16202b14c0bd4cafe26f7449ababa
SHA256 b78a7d7964c76f0b52775733463bb46452a24db251e7a3a48cc0b0d1650723e7
SHA512 6f33235fefb769b0b3c7645ff99ea72264d5e8ad9ed8a3b12d1e43e33f238e2ccea70eed1fac796b4e8ce7870a1684f0fa4efbb2fcc3eeda1d8a011e2065f400

memory/1040-6-0x00000000002E0000-0x0000000000327000-memory.dmp

C:\Windows\SysWOW64\Dkhcmgnl.exe

MD5 5bb8ca83e4ba99aaf10946dda09891c7
SHA1 db576023bfdd7cb880c180a724e3fc3b51b01182
SHA256 7beaca3713af4c4e362ce8ee9aaeac20b4b1bec7275de3933af66769f69da99f
SHA512 026a17545fed4c089a7f09df399f1e5a70b1b492d707a662ec6849ee99ee3b1aa7b794c4bd9d9fb962d64551abbef9b3fb39a9eb24929e50e1124d2b6df5cc28

\Windows\SysWOW64\Dbbkja32.exe

MD5 074eeb5707506480f0c4e49fe015a703
SHA1 7d94879cac897740457997ef7bc8c3c45786c4b1
SHA256 c943f6fd2696644dcb78eefa8a55436faaad18465a05611aa4e6acf86b262cd2
SHA512 36380fd6b0c69ac70a3768655b680d25608b51214b96780eee688d3ccd3ffb417435ad80649c90a1961d26e7655fc3be73a2b741c71ee38ec1d407a42cc571eb

memory/2396-61-0x0000000000250000-0x0000000000297000-memory.dmp

memory/2396-58-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Windows\SysWOW64\Pkjapnke.dll

MD5 f15cd40ab40b5705e9e918e07578c50f
SHA1 f0e94c4a5c35cebbfd8ad9fecadefa0ea30cf9c3
SHA256 d52f349ec6a892562d196469b6c02b5484fc2543f52cd0cdeb873759888d8457
SHA512 b8fe1ae7520dddee39e2830a1b84b5676a3725637e2023af7695bbfe421a98b76aa594a8b871070b847ed393bfa140ec5b5c7d8c25666ee215cbf0048efe0bec

C:\Windows\SysWOW64\Dodonf32.exe

MD5 f4339edc2187990328d24fc29a350f06
SHA1 4432c9fc0a35835089eda9248b2f6c6e5d77d91d
SHA256 37def8a96f0b6e8cb8c41fd07579cb960529dfd23740d17ad8a1b7adf23d1af3
SHA512 b4bb4db5504de84274d015d80230316dc182a90914dcd91ad7f40d610e545468c489ef91a24030dad8425e0353a1caaf6adcced2b3f0b632d7c3283f99afa262

memory/2640-70-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Windows\SysWOW64\Djnpnc32.exe

MD5 907c738c756386ee8103d3a73f3103c9
SHA1 4be963815bd4237d5219295f58e2a6c27a0fdf33
SHA256 cdacf2a1e4ab499a57bbae30ed0060e9a508f2e2e89897ece3ba7737e778bcb2
SHA512 014a6a20827d8f15a92b498ca50e46478848481bb156e799b3322805df7e18e3f4a3f55721b6fda8e28e675da3adfc2b0e60e5d006cb2c4577708eeaadc6d1de

C:\Windows\SysWOW64\Ddcdkl32.exe

MD5 edf6b70627c0ef691cb75c984fc7342c
SHA1 82a0d4681dbfa174e2a0cd0a1f06019db78e5ca1
SHA256 752b87b76ebce6a61039a3b708168468ef3ce49dfa88499e5febe2a3becf1a3c
SHA512 7de0994dec392ea09fbcd89f5dad13161a44d2e19b28481c717baecdf1ee3beda31cd018b2a16117e8d42f6cb04a9db36f4d76ef1197aeb0553721058e378e39

memory/472-95-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Windows\SysWOW64\Dkmmhf32.exe

MD5 adda3801f53bacc6299390ef3171ce3d
SHA1 f7301e460b02e558e0d2edb86db0f0fcd96bc9c0
SHA256 94e85a3c4a699e7915d8c7eb217a4798e1b2ef198f1aeeb73f0ceb922f5b5640
SHA512 35a060336a2df224b8af0341c9f37b623b1fac0e5d0961ba8bc0428e1570e7bb34fe32db4b51f42e92cc2465cd79ce848ba864b9b766ebb5f258cef0ade0199e

memory/1800-128-0x0000000000400000-0x0000000000447000-memory.dmp

memory/2424-127-0x0000000000350000-0x0000000000397000-memory.dmp

C:\Windows\SysWOW64\Dqjepm32.exe

MD5 ea8415479ac01abf07ee9dffef75215b
SHA1 a96d59a82e68fd4600d5310593ad19c91207490a
SHA256 e8af689e4bd5d1cde8f4d2b691597e1277f70fbc486a8898e9306e30fde78e7c
SHA512 0568c98e50d3dd94b566f039ef80d1c896cbd82a37dc6c0f1a4a5c53f6be6ab5b7ddffef1af7b48fa2350441fc9a01131250639d3a8c258fd64ad79b1d5c816a

\Windows\SysWOW64\Dchali32.exe

MD5 12fe2d43102f3f7f41f3d5b03bf14405
SHA1 ab675b5ee76c57d09ded1e9278f2780f93769868
SHA256 4d75d693bdec9c8094a149e4a4bee8788c505d753816738d3c6b198b0c51fd93
SHA512 70faff1b7e33dc4bb2ee05bf3f4d2329270413ae5a942d6925e1b1fa64d41b7297ec1c4ad2a6ea16be89908529be5ab6ff674125e79537648e7fe41b7162a817

C:\Windows\SysWOW64\Dfijnd32.exe

MD5 f07bb42742232849778a3a74c6b3dfce
SHA1 578a7ef9120cd2ea951e1b9b3730f4a5c26068b8
SHA256 bd18d4262be05cb78fce0668bdfed1186e25f2294c653ebc0db23f50798dbcbd
SHA512 0818112ea59a35a21768c02f7842428f620331eaae46779df9ada9ec64b54c5f0af3d75cbb313c864a1e2dc40258e544949848502d2153aab850c549c3cc13d0

\Windows\SysWOW64\Eqonkmdh.exe

MD5 03cafa251b677e9b6ff965e10f41bec0
SHA1 28dc04b9d650484cafc394c393f7f96463e68a95
SHA256 15ec6ee6fcdcacf6c464a11c57c3b24cb98cabdc253aac4255e251742d56da53
SHA512 ce5ee022f3333800a069dc1758798f8cc18e1d7644adc60dddde52d58b5021c83fb53bb396dd7382e38522455f662a9db63c1b0c7c570f8c3a770df6beed6ba0

\Windows\SysWOW64\Eflgccbp.exe

MD5 09f3232a26191cd4333d7614a599544b
SHA1 4b58962abf17fb0c1ccc8551794fe056baf3a7de
SHA256 8434201e610aa6953456a8940c2f471dc74c1a8d9b09a420e480f1ceb9567b3a
SHA512 c293a6ea405de5ad94e1acdc77a655285af554d610fa816d4d25f2336f68cba8e670b1b51d9605809a72c4168005f9b068772e5e480d4f72b93f60868ee0bcd9

memory/3028-205-0x0000000000450000-0x0000000000497000-memory.dmp

C:\Windows\SysWOW64\Ejgcdb32.exe

MD5 0e221a9fe614fbbe6325b992bd44718f
SHA1 d55d5312b5f39879cfbb18fc3f119c7ecf749ca7
SHA256 f9b5074fbb3563a62fd57233964ff56d4480a459f5369c0fcf7ace46c23c31a6
SHA512 b581a12c7ffdc93e51750b96d30d5a1047d9a65d890c976936a60f4c9bf0ecb40de1a8b4215cbc3b9a2af742d9992a029a421b9af391dbeea732f969119f6561

\Windows\SysWOW64\Emeopn32.exe

MD5 fc5308bec8681c65309a92001326c967
SHA1 ec760869ddb37b9523e43241781d6ae229441a46
SHA256 4255fcac559a84e15500358c4d5e8239eaba584e7a68c05e1861e14a20611634
SHA512 e950a5eee954b3b71c2beec021557b4c0333ebb96c8d09bddb793efa74ea5bd2ab45a27da84f26b76a3497c8439a8d8826e864b75d9e2b3b4a8a094cc9499dd8

memory/1420-222-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Windows\SysWOW64\Ebbgid32.exe

MD5 e04cb04fd8e66ba2ce883a35367d162e
SHA1 91b8e3308cf0c65eb65cc3e7fd7d50d7fb6c375b
SHA256 35f1fd4b4799abce2e6ca741d37654e0fe1667b7961a28ce01475c2b92254b40
SHA512 489ff1b49e3d135dbca8016538ee17f86bab4865ae09856be00770fb8f7b85c01b38980d3520ad7d5782baa177e2f1e59acb77b87da2aa364fb0f7ff315ed6bc

memory/2680-230-0x0000000000400000-0x0000000000447000-memory.dmp

memory/1604-241-0x0000000000400000-0x0000000000447000-memory.dmp

memory/936-252-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Windows\SysWOW64\Enkece32.exe

MD5 a44e13dcac038949ce1c69aea140b5ee
SHA1 c7658e8bd495d610ba539487424a941e87f4fed1
SHA256 a699b6f8fe864bf9e7dc2269e4cc175d5304bafae60b9a268417482bca8d24d8
SHA512 ba7194d33132d19dc139610d34406f62183e623480462fabf179fb078744dfa937f8ff8968b6ee309e71d58fbc574aeef25a3ac741dd66d2edbde0dbfafd919c

C:\Windows\SysWOW64\Eajaoq32.exe

MD5 a99addcf5ee7e989b09036b8095a33dc
SHA1 6b79d695e03503fc0a38c6416708883578453894
SHA256 1e4163c2684ca27a7e0d1774695f42ea29a5f777a4599db8c189348f7c4f484c
SHA512 d256bc2aba0b44be526280f3a121189d3e884f6868118bb780239c700353007f8757bd35efd6094ca1df2944ea2d02c1cf33dd525c42cc8fed944430ea5469e6

memory/2980-295-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Windows\SysWOW64\Eeempocb.exe

MD5 d5edda17bf1e19397672042c0afcabef
SHA1 5976903f66c783bf2f22b4ca2b66a490d47973ee
SHA256 eef1a9fb751932fb8ee818eeb481855aafd2af5e145ea9f5d7a4dbc94c104884
SHA512 959816a92d3efe789d6a487c90f5a0deb73d1d730e376e04d45fd0e47c5a05a48875cd76a32e0a9c05eb645cb19c76ef12e366c342d85b44ed6d243b23ed199d

C:\Windows\SysWOW64\Ebinic32.exe

MD5 46d305adcd160a92f8cbb9c0b9ee01a4
SHA1 68457d987a123dc2e6d29cf9ad625937c3131d7a
SHA256 76559cfdadbbf79d08b6a131b1c9ae63d68dc0cec1695561406c38dcc94639c2
SHA512 cf46cf8f4c0d44bc168c94df9cf9c924801105948dd49650ac62d7cba2eb3e8f34edd67026abd18c3f67db913b5df49e1603bb277bc4238bad682fbfae77422c

memory/2288-311-0x0000000000400000-0x0000000000447000-memory.dmp

memory/2980-310-0x0000000000250000-0x0000000000297000-memory.dmp

memory/2288-315-0x0000000000350000-0x0000000000397000-memory.dmp

C:\Windows\SysWOW64\Fnpnndgp.exe

MD5 c38df79130decfdcee0255c22522493a
SHA1 9a9332411826f5395f0a4d6a1f374403c2143a43
SHA256 bb093fe514db6865a2560e8822432d330ab5516b8bff726a044c374a623b977b
SHA512 eb787df58a0e687c765e9ee3901b01b1e2a98a78e9cd054baec551770611861b684f266d0cf085dec68ef53e250c84f265a0095b526313bcb2c23d5fa60f1ee5

memory/2728-347-0x00000000002E0000-0x0000000000327000-memory.dmp

memory/2724-359-0x0000000000400000-0x0000000000447000-memory.dmp

memory/2356-385-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Windows\SysWOW64\Fpdhklkl.exe

MD5 3b2d418d204e3d2bc167b438f1fa205d
SHA1 413fffdc19095fead1af6818b441b8299709ab26
SHA256 620128703d5fef2036f4f1f44fa14428ada29f246b812b437cf8743dbc2bc9c0
SHA512 fae35236606a97196a2b2a88c22606f0af99c1eb94007233d0b639025327447ed2c71ec787ce22d52a274c9d3dc71312eef0c9c77129b35e0f73cb1713e2c704

memory/2356-391-0x0000000000280000-0x00000000002C7000-memory.dmp

memory/2432-405-0x00000000002A0000-0x00000000002E7000-memory.dmp

memory/2608-418-0x0000000000400000-0x0000000000447000-memory.dmp

memory/1568-436-0x0000000000400000-0x0000000000447000-memory.dmp

memory/2668-435-0x0000000000380000-0x00000000003C7000-memory.dmp

memory/2668-434-0x0000000000380000-0x00000000003C7000-memory.dmp

memory/380-472-0x0000000001FD0000-0x0000000002017000-memory.dmp

memory/688-479-0x0000000000320000-0x0000000000367000-memory.dmp

C:\Windows\SysWOW64\Feeiob32.exe

MD5 236c66a8db5cf46b02fda084f38b7965
SHA1 7841355760f4ecaf31518a1aac8c66fd0e04bcc6
SHA256 ac2c5283d8b80a592ec6e1a3197cabaf9e9bcbdaa97d0810314eb302fd41588e
SHA512 6cc3fb5bf621952230ebe52224ea3e2a3653e12dd5761432ab1e7726c997e08a689f7d6a3845767f91c7d32b42767a40216fea291272060f65494710f6e4c24a

C:\Windows\SysWOW64\Fmlapp32.exe

MD5 ff0c01bd6ea5f8424cac6589b85f8578
SHA1 39d99d097411404c86b6b908550cc477152038c8
SHA256 eed92ae52276d69792e6b1acd6248e331c02e3d83e9609b3a4d6874152fdc427
SHA512 aaaba0fbc32d44eddff4a3ecb5d2a3ccf642ac64d9557a3f833a53bd06822e515ed0c84ee5310b82f1d546058a1e7317e8c5e5145f01c7b4cb8545ae3b7c6ab3

C:\Windows\SysWOW64\Gicbeald.exe

MD5 d4b85eb5b2bb6aabbad07997643e9532
SHA1 9d93b57e57c8d975f992f92d460750067daf87b7
SHA256 cbe58d99483ae56cb363e62d8c3621a8290346264f41679e6cad934196aa0370
SHA512 1c0b37784c58e09a6fdd652af8f359e05aeb712be77f75ed5c87df2213c78194abe58ca03c2516eccf843bd669ac3fee0693dfb9389e11e0018a324e865fc25d

C:\Windows\SysWOW64\Glaoalkh.exe

MD5 948281f056fca64de82ccb84e01f6500
SHA1 3c77fab966e6f725ce3608854d6b8dbbc525b104
SHA256 bfd3415d1c8c4165e208e2b6786badd095c1c016a8476e776952427db723fd05
SHA512 d01fb4fdba20dab8ea6d2cbb0894883c5eed9944da9ea25f422b7b0931a24272c6123f5fccfb6c8cdb00dbe924c06b8b5d62eb28e7e196aecd19642a7feec29b

C:\Windows\SysWOW64\Gangic32.exe

MD5 fe1b50d93f040580ceb864bd7cc3abc3
SHA1 8086427f4068bb66c4c1b53c195925a40270bb63
SHA256 be63f4b7fe324d2ce0e3a3ced131375dc26f2921fda0c9623e0d65badb16309b
SHA512 6146c33b700f805bbae3f3f91e17ec269c187a5ef976876950473eb8d48c0fef9510be749757d462b48a3ade05bb344d96348df2599004c86c947a288e3e96e1

C:\Windows\SysWOW64\Gieojq32.exe

MD5 4f814e575d09649f671b2a2c6c92fd74
SHA1 768940d7c65a58c8ab4f6ed4e8084d8995553671
SHA256 99af378e88c11009593b7f699b46fd8cb09e9a2d6cfbc26277573e2ac02fda58

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-02 00:25

Reported

2024-06-02 00:27

Platform

win10v2004-20240226-en

Max time kernel

140s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\13319956a82d518d8c2816d9f3c39bb0_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Opqofe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bahdob32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dhbebj32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Afcmfe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Iogopi32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ncqlkemc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Phonha32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ihkjno32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pmmlla32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ncchae32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dhphmj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ghojbq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Qmdblp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hbknebqi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jnnnfalp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Mogcihaj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Adfgdpmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ebdlangb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hnnljj32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jpbjfjci.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Omalpc32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hcedmkmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hjaioe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ncnofeof.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ebfign32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ilkoim32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iefphb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bmbnnn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Fnalmh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Fgqgfl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Gclafmej.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Oakbehfe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ebfign32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jpegkj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ockdmmoj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Pcgdhkem.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Fcbnpnme.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Lkqgno32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jpnakk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pjjfdfbb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cgfbbb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Epffbd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Users\Admin\AppData\Local\Temp\13319956a82d518d8c2816d9f3c39bb0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jhplpl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jnnnfalp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jjgkab32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Enopghee.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kdkoef32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Heegad32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mqhfoebo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Nqaiecjd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ojnfihmo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Piocecgj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qmdblp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Klddlckd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ekajec32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ppdbgncl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ampaho32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ggepalof.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jaemilci.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Klddlckd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Adfgdpmi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ebdlangb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nhhdnf32.exe N/A

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Mogcihaj.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjaabq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjcngpjh.exe N/A
N/A N/A C:\Windows\SysWOW64\Ncnofeof.exe N/A
N/A N/A C:\Windows\SysWOW64\Ncqlkemc.exe N/A
N/A N/A C:\Windows\SysWOW64\Ncchae32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojomcopk.exe N/A
N/A N/A C:\Windows\SysWOW64\Oakbehfe.exe N/A
N/A N/A C:\Windows\SysWOW64\Opqofe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ocohmc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Phonha32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pnkbkk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qmeigg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aogbfi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Adfgdpmi.exe N/A
N/A N/A C:\Windows\SysWOW64\Apodoq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bpfkpp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bahdob32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cggimh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Caojpaij.exe N/A
N/A N/A C:\Windows\SysWOW64\Caageq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cgqlcg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhphmj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhbebj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnajppda.exe N/A
N/A N/A C:\Windows\SysWOW64\Doagjc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkhgod32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebdlangb.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebfign32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ekajec32.exe N/A
N/A N/A C:\Windows\SysWOW64\Figgdg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fqeioiam.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbgbnkfm.exe N/A
N/A N/A C:\Windows\SysWOW64\Galoohke.exe N/A
N/A N/A C:\Windows\SysWOW64\Gkaclqkk.exe N/A
N/A N/A C:\Windows\SysWOW64\Gnblnlhl.exe N/A
N/A N/A C:\Windows\SysWOW64\Gijmad32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghojbq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hahokfag.exe N/A
N/A N/A C:\Windows\SysWOW64\Heegad32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hnnljj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hhimhobl.exe N/A
N/A N/A C:\Windows\SysWOW64\Ihkjno32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iogopi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ilkoim32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iefphb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jpnakk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jaajhb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jpbjfjci.exe N/A
N/A N/A C:\Windows\SysWOW64\Jpegkj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jhplpl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Klndfj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kheekkjl.exe N/A
N/A N/A C:\Windows\SysWOW64\Keifdpif.exe N/A
N/A N/A C:\Windows\SysWOW64\Kifojnol.exe N/A
N/A N/A C:\Windows\SysWOW64\Kofdhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lhqefjpo.exe N/A
N/A N/A C:\Windows\SysWOW64\Lchfib32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ljbnfleo.exe N/A
N/A N/A C:\Windows\SysWOW64\Lpochfji.exe N/A
N/A N/A C:\Windows\SysWOW64\Modpib32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mcdeeq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mqhfoebo.exe N/A
N/A N/A C:\Windows\SysWOW64\Momcpa32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Iholohii.exe C:\Windows\SysWOW64\Infhebbh.exe N/A
File created C:\Windows\SysWOW64\Mpolbbim.dll C:\Windows\SysWOW64\Mjcngpjh.exe N/A
File created C:\Windows\SysWOW64\Daeifj32.exe C:\Windows\SysWOW64\Dgpeha32.exe N/A
File created C:\Windows\SysWOW64\Gmkock32.dll C:\Windows\SysWOW64\Gdknpp32.exe N/A
File created C:\Windows\SysWOW64\Pmmlla32.exe C:\Windows\SysWOW64\Piocecgj.exe N/A
File created C:\Windows\SysWOW64\Lhaiafem.dll C:\Windows\SysWOW64\Ecbeip32.exe N/A
File created C:\Windows\SysWOW64\Fjohgj32.dll C:\Windows\SysWOW64\Keifdpif.exe N/A
File opened for modification C:\Windows\SysWOW64\Cgfbbb32.exe C:\Windows\SysWOW64\Bfaigclq.exe N/A
File created C:\Windows\SysWOW64\Epffbd32.exe C:\Windows\SysWOW64\Ecbeip32.exe N/A
File opened for modification C:\Windows\SysWOW64\Galoohke.exe C:\Windows\SysWOW64\Fbgbnkfm.exe N/A
File opened for modification C:\Windows\SysWOW64\Hjfbjdnd.exe C:\Windows\SysWOW64\Hbknebqi.exe N/A
File created C:\Windows\SysWOW64\Celipg32.dll C:\Windows\SysWOW64\Hjfbjdnd.exe N/A
File opened for modification C:\Windows\SysWOW64\Qmeigg32.exe C:\Windows\SysWOW64\Pnkbkk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fqeioiam.exe C:\Windows\SysWOW64\Figgdg32.exe N/A
File created C:\Windows\SysWOW64\Lpcgahca.dll C:\Windows\SysWOW64\Ccblbb32.exe N/A
File created C:\Windows\SysWOW64\Pakdbp32.exe C:\Windows\SysWOW64\Pcgdhkem.exe N/A
File created C:\Windows\SysWOW64\Mjbaohka.dll C:\Windows\SysWOW64\Daeifj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Loemnnhe.exe C:\Windows\SysWOW64\Klddlckd.exe N/A
File created C:\Windows\SysWOW64\Ampillfk.dll C:\Windows\SysWOW64\Apodoq32.exe N/A
File created C:\Windows\SysWOW64\Cggimh32.exe C:\Windows\SysWOW64\Bahdob32.exe N/A
File created C:\Windows\SysWOW64\Modpib32.exe C:\Windows\SysWOW64\Lpochfji.exe N/A
File created C:\Windows\SysWOW64\Figgdg32.exe C:\Windows\SysWOW64\Ekajec32.exe N/A
File opened for modification C:\Windows\SysWOW64\Afcmfe32.exe C:\Windows\SysWOW64\Ajmladbl.exe N/A
File created C:\Windows\SysWOW64\Dfaadk32.dll C:\Windows\SysWOW64\Ihaidhgf.exe N/A
File created C:\Windows\SysWOW64\Mogcihaj.exe C:\Users\Admin\AppData\Local\Temp\13319956a82d518d8c2816d9f3c39bb0_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Obqhpfck.dll C:\Windows\SysWOW64\Mjaabq32.exe N/A
File created C:\Windows\SysWOW64\Aepjgm32.dll C:\Windows\SysWOW64\Ncchae32.exe N/A
File created C:\Windows\SysWOW64\Leoejh32.exe C:\Windows\SysWOW64\Loemnnhe.exe N/A
File opened for modification C:\Windows\SysWOW64\Ncchae32.exe C:\Windows\SysWOW64\Ncqlkemc.exe N/A
File created C:\Windows\SysWOW64\Bpcgpihi.exe C:\Windows\SysWOW64\Bmbnnn32.exe N/A
File created C:\Windows\SysWOW64\Ddklbd32.exe C:\Windows\SysWOW64\Dckoia32.exe N/A
File created C:\Windows\SysWOW64\Ocgjojai.dll C:\Windows\SysWOW64\Nmhijd32.exe N/A
File created C:\Windows\SysWOW64\Ojgljk32.dll C:\Windows\SysWOW64\Pjjfdfbb.exe N/A
File opened for modification C:\Windows\SysWOW64\Ajmladbl.exe C:\Windows\SysWOW64\Ajjokd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kkbkmqed.exe C:\Windows\SysWOW64\Kbgfhnhi.exe N/A
File opened for modification C:\Windows\SysWOW64\Phonha32.exe C:\Windows\SysWOW64\Ocohmc32.exe N/A
File created C:\Windows\SysWOW64\Adfgdpmi.exe C:\Windows\SysWOW64\Aogbfi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jaajhb32.exe C:\Windows\SysWOW64\Jpnakk32.exe N/A
File created C:\Windows\SysWOW64\Bfolacnc.exe C:\Windows\SysWOW64\Babcil32.exe N/A
File created C:\Windows\SysWOW64\Hcedmkmp.exe C:\Windows\SysWOW64\Hkjohi32.exe N/A
File created C:\Windows\SysWOW64\Qfmjjmdm.dll C:\Windows\SysWOW64\Hcedmkmp.exe N/A
File created C:\Windows\SysWOW64\Apodoq32.exe C:\Windows\SysWOW64\Adfgdpmi.exe N/A
File created C:\Windows\SysWOW64\Klndfj32.exe C:\Windows\SysWOW64\Jhplpl32.exe N/A
File created C:\Windows\SysWOW64\Gpdbcaok.dll C:\Windows\SysWOW64\Klndfj32.exe N/A
File created C:\Windows\SysWOW64\Obqanjdb.exe C:\Windows\SysWOW64\Oihmedma.exe N/A
File created C:\Windows\SysWOW64\Kqkplq32.dll C:\Windows\SysWOW64\Ppdbgncl.exe N/A
File created C:\Windows\SysWOW64\Hjaioe32.exe C:\Windows\SysWOW64\Hcedmkmp.exe N/A
File opened for modification C:\Windows\SysWOW64\Jjgkab32.exe C:\Windows\SysWOW64\Jnpjlajn.exe N/A
File created C:\Windows\SysWOW64\Gkaclqkk.exe C:\Windows\SysWOW64\Galoohke.exe N/A
File created C:\Windows\SysWOW64\Fbbnpn32.dll C:\Windows\SysWOW64\Modpib32.exe N/A
File created C:\Windows\SysWOW64\Cnaqob32.dll C:\Windows\SysWOW64\Nhegig32.exe N/A
File created C:\Windows\SysWOW64\Ejahec32.dll C:\Windows\SysWOW64\Hbknebqi.exe N/A
File created C:\Windows\SysWOW64\Dnajppda.exe C:\Windows\SysWOW64\Dhbebj32.exe N/A
File created C:\Windows\SysWOW64\Pfgbakef.dll C:\Windows\SysWOW64\Piocecgj.exe N/A
File created C:\Windows\SysWOW64\Eahobg32.exe C:\Windows\SysWOW64\Egbken32.exe N/A
File opened for modification C:\Windows\SysWOW64\Eahobg32.exe C:\Windows\SysWOW64\Egbken32.exe N/A
File created C:\Windows\SysWOW64\Ekheml32.dll C:\Windows\SysWOW64\Klmnkdal.exe N/A
File created C:\Windows\SysWOW64\Mjcngpjh.exe C:\Windows\SysWOW64\Mjaabq32.exe N/A
File created C:\Windows\SysWOW64\Bpfkpp32.exe C:\Windows\SysWOW64\Apodoq32.exe N/A
File created C:\Windows\SysWOW64\Kofdhd32.exe C:\Windows\SysWOW64\Kifojnol.exe N/A
File opened for modification C:\Windows\SysWOW64\Pjjfdfbb.exe C:\Windows\SysWOW64\Ppdbgncl.exe N/A
File opened for modification C:\Windows\SysWOW64\Jnpjlajn.exe C:\Windows\SysWOW64\Jnnnfalp.exe N/A
File created C:\Windows\SysWOW64\Nnahhegq.dll C:\Windows\SysWOW64\Opqofe32.exe N/A
File created C:\Windows\SysWOW64\Fbgdmb32.dll C:\Windows\SysWOW64\Doagjc32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Ldikgdpe.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipaooi32.dll" C:\Windows\SysWOW64\Dnajppda.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Enopghee.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Edihdb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gdknpp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cobnge32.dll" C:\Windows\SysWOW64\Hgeihiac.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Celipg32.dll" C:\Windows\SysWOW64\Hjfbjdnd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ncqlkemc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Obqanjdb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Figgdg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mcdeeq32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Jpegkj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Gnmlhf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Oakbehfe.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Modpib32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njonjm32.dll" C:\Windows\SysWOW64\Afcmfe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jnpjlajn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dhphmj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Hjfbjdnd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ilkoim32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pmmlla32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofjljj32.dll" C:\Windows\SysWOW64\Enopghee.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ieeimlep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcmnee32.dll" C:\Windows\SysWOW64\Jaemilci.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnihkq32.dll" C:\Windows\SysWOW64\Mogcihaj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cggimh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klhacomg.dll" C:\Windows\SysWOW64\Ajjokd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ajmladbl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ecbeip32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Gglfbkin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejahec32.dll" C:\Windows\SysWOW64\Hbknebqi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpfljc32.dll" C:\Windows\SysWOW64\Fqeioiam.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgjjlakk.dll" C:\Windows\SysWOW64\Eahobg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ihaidhgf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Mjaabq32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ajmladbl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ecbeip32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ojomcopk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Enopghee.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhbch32.dll" C:\Windows\SysWOW64\Jnpjlajn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Klmnkdal.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aogbfi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgihjf32.dll" C:\Windows\SysWOW64\Dhphmj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cpogkhnl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfaadk32.dll" C:\Windows\SysWOW64\Ihaidhgf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dnajppda.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ebdlangb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Gkaclqkk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qmdblp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nodeaima.dll" C:\Windows\SysWOW64\Bmidnm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ncnofeof.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikjllm32.dll" C:\Windows\SysWOW64\Ojomcopk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Opqofe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ihaidhgf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Iefphb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lkqgno32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ebdlangb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Klddlckd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ncchae32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Adfgdpmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnaqob32.dll" C:\Windows\SysWOW64\Nhegig32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Padnaq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hopaik32.dll" C:\Windows\SysWOW64\Leabphmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Bahdob32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iheocj32.dll" C:\Windows\SysWOW64\Padnaq32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 392 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\13319956a82d518d8c2816d9f3c39bb0_NeikiAnalytics.exe C:\Windows\SysWOW64\Mogcihaj.exe
PID 392 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\13319956a82d518d8c2816d9f3c39bb0_NeikiAnalytics.exe C:\Windows\SysWOW64\Mogcihaj.exe
PID 392 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\13319956a82d518d8c2816d9f3c39bb0_NeikiAnalytics.exe C:\Windows\SysWOW64\Mogcihaj.exe
PID 1516 wrote to memory of 2452 N/A C:\Windows\SysWOW64\Mogcihaj.exe C:\Windows\SysWOW64\Mjaabq32.exe
PID 1516 wrote to memory of 2452 N/A C:\Windows\SysWOW64\Mogcihaj.exe C:\Windows\SysWOW64\Mjaabq32.exe
PID 1516 wrote to memory of 2452 N/A C:\Windows\SysWOW64\Mogcihaj.exe C:\Windows\SysWOW64\Mjaabq32.exe
PID 2452 wrote to memory of 3580 N/A C:\Windows\SysWOW64\Mjaabq32.exe C:\Windows\SysWOW64\Mjcngpjh.exe
PID 2452 wrote to memory of 3580 N/A C:\Windows\SysWOW64\Mjaabq32.exe C:\Windows\SysWOW64\Mjcngpjh.exe
PID 2452 wrote to memory of 3580 N/A C:\Windows\SysWOW64\Mjaabq32.exe C:\Windows\SysWOW64\Mjcngpjh.exe
PID 3580 wrote to memory of 1384 N/A C:\Windows\SysWOW64\Mjcngpjh.exe C:\Windows\SysWOW64\Ncnofeof.exe
PID 3580 wrote to memory of 1384 N/A C:\Windows\SysWOW64\Mjcngpjh.exe C:\Windows\SysWOW64\Ncnofeof.exe
PID 3580 wrote to memory of 1384 N/A C:\Windows\SysWOW64\Mjcngpjh.exe C:\Windows\SysWOW64\Ncnofeof.exe
PID 1384 wrote to memory of 4108 N/A C:\Windows\SysWOW64\Ncnofeof.exe C:\Windows\SysWOW64\Ncqlkemc.exe
PID 1384 wrote to memory of 4108 N/A C:\Windows\SysWOW64\Ncnofeof.exe C:\Windows\SysWOW64\Ncqlkemc.exe
PID 1384 wrote to memory of 4108 N/A C:\Windows\SysWOW64\Ncnofeof.exe C:\Windows\SysWOW64\Ncqlkemc.exe
PID 4108 wrote to memory of 1356 N/A C:\Windows\SysWOW64\Ncqlkemc.exe C:\Windows\SysWOW64\Ncchae32.exe
PID 4108 wrote to memory of 1356 N/A C:\Windows\SysWOW64\Ncqlkemc.exe C:\Windows\SysWOW64\Ncchae32.exe
PID 4108 wrote to memory of 1356 N/A C:\Windows\SysWOW64\Ncqlkemc.exe C:\Windows\SysWOW64\Ncchae32.exe
PID 1356 wrote to memory of 2424 N/A C:\Windows\SysWOW64\Ncchae32.exe C:\Windows\SysWOW64\Ojomcopk.exe
PID 1356 wrote to memory of 2424 N/A C:\Windows\SysWOW64\Ncchae32.exe C:\Windows\SysWOW64\Ojomcopk.exe
PID 1356 wrote to memory of 2424 N/A C:\Windows\SysWOW64\Ncchae32.exe C:\Windows\SysWOW64\Ojomcopk.exe
PID 2424 wrote to memory of 1268 N/A C:\Windows\SysWOW64\Ojomcopk.exe C:\Windows\SysWOW64\Oakbehfe.exe
PID 2424 wrote to memory of 1268 N/A C:\Windows\SysWOW64\Ojomcopk.exe C:\Windows\SysWOW64\Oakbehfe.exe
PID 2424 wrote to memory of 1268 N/A C:\Windows\SysWOW64\Ojomcopk.exe C:\Windows\SysWOW64\Oakbehfe.exe
PID 1268 wrote to memory of 3476 N/A C:\Windows\SysWOW64\Oakbehfe.exe C:\Windows\SysWOW64\Opqofe32.exe
PID 1268 wrote to memory of 3476 N/A C:\Windows\SysWOW64\Oakbehfe.exe C:\Windows\SysWOW64\Opqofe32.exe
PID 1268 wrote to memory of 3476 N/A C:\Windows\SysWOW64\Oakbehfe.exe C:\Windows\SysWOW64\Opqofe32.exe
PID 3476 wrote to memory of 2220 N/A C:\Windows\SysWOW64\Opqofe32.exe C:\Windows\SysWOW64\Ocohmc32.exe
PID 3476 wrote to memory of 2220 N/A C:\Windows\SysWOW64\Opqofe32.exe C:\Windows\SysWOW64\Ocohmc32.exe
PID 3476 wrote to memory of 2220 N/A C:\Windows\SysWOW64\Opqofe32.exe C:\Windows\SysWOW64\Ocohmc32.exe
PID 2220 wrote to memory of 684 N/A C:\Windows\SysWOW64\Ocohmc32.exe C:\Windows\SysWOW64\Phonha32.exe
PID 2220 wrote to memory of 684 N/A C:\Windows\SysWOW64\Ocohmc32.exe C:\Windows\SysWOW64\Phonha32.exe
PID 2220 wrote to memory of 684 N/A C:\Windows\SysWOW64\Ocohmc32.exe C:\Windows\SysWOW64\Phonha32.exe
PID 684 wrote to memory of 1708 N/A C:\Windows\SysWOW64\Phonha32.exe C:\Windows\SysWOW64\Pnkbkk32.exe
PID 684 wrote to memory of 1708 N/A C:\Windows\SysWOW64\Phonha32.exe C:\Windows\SysWOW64\Pnkbkk32.exe
PID 684 wrote to memory of 1708 N/A C:\Windows\SysWOW64\Phonha32.exe C:\Windows\SysWOW64\Pnkbkk32.exe
PID 1708 wrote to memory of 2056 N/A C:\Windows\SysWOW64\Pnkbkk32.exe C:\Windows\SysWOW64\Qmeigg32.exe
PID 1708 wrote to memory of 2056 N/A C:\Windows\SysWOW64\Pnkbkk32.exe C:\Windows\SysWOW64\Qmeigg32.exe
PID 1708 wrote to memory of 2056 N/A C:\Windows\SysWOW64\Pnkbkk32.exe C:\Windows\SysWOW64\Qmeigg32.exe
PID 2056 wrote to memory of 3504 N/A C:\Windows\SysWOW64\Qmeigg32.exe C:\Windows\SysWOW64\Aogbfi32.exe
PID 2056 wrote to memory of 3504 N/A C:\Windows\SysWOW64\Qmeigg32.exe C:\Windows\SysWOW64\Aogbfi32.exe
PID 2056 wrote to memory of 3504 N/A C:\Windows\SysWOW64\Qmeigg32.exe C:\Windows\SysWOW64\Aogbfi32.exe
PID 3504 wrote to memory of 3588 N/A C:\Windows\SysWOW64\Aogbfi32.exe C:\Windows\SysWOW64\Adfgdpmi.exe
PID 3504 wrote to memory of 3588 N/A C:\Windows\SysWOW64\Aogbfi32.exe C:\Windows\SysWOW64\Adfgdpmi.exe
PID 3504 wrote to memory of 3588 N/A C:\Windows\SysWOW64\Aogbfi32.exe C:\Windows\SysWOW64\Adfgdpmi.exe
PID 3588 wrote to memory of 4988 N/A C:\Windows\SysWOW64\Adfgdpmi.exe C:\Windows\SysWOW64\Apodoq32.exe
PID 3588 wrote to memory of 4988 N/A C:\Windows\SysWOW64\Adfgdpmi.exe C:\Windows\SysWOW64\Apodoq32.exe
PID 3588 wrote to memory of 4988 N/A C:\Windows\SysWOW64\Adfgdpmi.exe C:\Windows\SysWOW64\Apodoq32.exe
PID 4988 wrote to memory of 2212 N/A C:\Windows\SysWOW64\Apodoq32.exe C:\Windows\SysWOW64\Bpfkpp32.exe
PID 4988 wrote to memory of 2212 N/A C:\Windows\SysWOW64\Apodoq32.exe C:\Windows\SysWOW64\Bpfkpp32.exe
PID 4988 wrote to memory of 2212 N/A C:\Windows\SysWOW64\Apodoq32.exe C:\Windows\SysWOW64\Bpfkpp32.exe
PID 2212 wrote to memory of 4532 N/A C:\Windows\SysWOW64\Bpfkpp32.exe C:\Windows\SysWOW64\Bahdob32.exe
PID 2212 wrote to memory of 4532 N/A C:\Windows\SysWOW64\Bpfkpp32.exe C:\Windows\SysWOW64\Bahdob32.exe
PID 2212 wrote to memory of 4532 N/A C:\Windows\SysWOW64\Bpfkpp32.exe C:\Windows\SysWOW64\Bahdob32.exe
PID 4532 wrote to memory of 2696 N/A C:\Windows\SysWOW64\Bahdob32.exe C:\Windows\SysWOW64\Cggimh32.exe
PID 4532 wrote to memory of 2696 N/A C:\Windows\SysWOW64\Bahdob32.exe C:\Windows\SysWOW64\Cggimh32.exe
PID 4532 wrote to memory of 2696 N/A C:\Windows\SysWOW64\Bahdob32.exe C:\Windows\SysWOW64\Cggimh32.exe
PID 2696 wrote to memory of 2104 N/A C:\Windows\SysWOW64\Cggimh32.exe C:\Windows\SysWOW64\Caojpaij.exe
PID 2696 wrote to memory of 2104 N/A C:\Windows\SysWOW64\Cggimh32.exe C:\Windows\SysWOW64\Caojpaij.exe
PID 2696 wrote to memory of 2104 N/A C:\Windows\SysWOW64\Cggimh32.exe C:\Windows\SysWOW64\Caojpaij.exe
PID 2104 wrote to memory of 4516 N/A C:\Windows\SysWOW64\Caojpaij.exe C:\Windows\SysWOW64\Caageq32.exe
PID 2104 wrote to memory of 4516 N/A C:\Windows\SysWOW64\Caojpaij.exe C:\Windows\SysWOW64\Caageq32.exe
PID 2104 wrote to memory of 4516 N/A C:\Windows\SysWOW64\Caojpaij.exe C:\Windows\SysWOW64\Caageq32.exe
PID 4516 wrote to memory of 680 N/A C:\Windows\SysWOW64\Caageq32.exe C:\Windows\SysWOW64\Cgqlcg32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\13319956a82d518d8c2816d9f3c39bb0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\13319956a82d518d8c2816d9f3c39bb0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Mogcihaj.exe

C:\Windows\system32\Mogcihaj.exe

C:\Windows\SysWOW64\Mjaabq32.exe

C:\Windows\system32\Mjaabq32.exe

C:\Windows\SysWOW64\Mjcngpjh.exe

C:\Windows\system32\Mjcngpjh.exe

C:\Windows\SysWOW64\Ncnofeof.exe

C:\Windows\system32\Ncnofeof.exe

C:\Windows\SysWOW64\Ncqlkemc.exe

C:\Windows\system32\Ncqlkemc.exe

C:\Windows\SysWOW64\Ncchae32.exe

C:\Windows\system32\Ncchae32.exe

C:\Windows\SysWOW64\Ojomcopk.exe

C:\Windows\system32\Ojomcopk.exe

C:\Windows\SysWOW64\Oakbehfe.exe

C:\Windows\system32\Oakbehfe.exe

C:\Windows\SysWOW64\Opqofe32.exe

C:\Windows\system32\Opqofe32.exe

C:\Windows\SysWOW64\Ocohmc32.exe

C:\Windows\system32\Ocohmc32.exe

C:\Windows\SysWOW64\Phonha32.exe

C:\Windows\system32\Phonha32.exe

C:\Windows\SysWOW64\Pnkbkk32.exe

C:\Windows\system32\Pnkbkk32.exe

C:\Windows\SysWOW64\Qmeigg32.exe

C:\Windows\system32\Qmeigg32.exe

C:\Windows\SysWOW64\Aogbfi32.exe

C:\Windows\system32\Aogbfi32.exe

C:\Windows\SysWOW64\Adfgdpmi.exe

C:\Windows\system32\Adfgdpmi.exe

C:\Windows\SysWOW64\Apodoq32.exe

C:\Windows\system32\Apodoq32.exe

C:\Windows\SysWOW64\Bpfkpp32.exe

C:\Windows\system32\Bpfkpp32.exe

C:\Windows\SysWOW64\Bahdob32.exe

C:\Windows\system32\Bahdob32.exe

C:\Windows\SysWOW64\Cggimh32.exe

C:\Windows\system32\Cggimh32.exe

C:\Windows\SysWOW64\Caojpaij.exe

C:\Windows\system32\Caojpaij.exe

C:\Windows\SysWOW64\Caageq32.exe

C:\Windows\system32\Caageq32.exe

C:\Windows\SysWOW64\Cgqlcg32.exe

C:\Windows\system32\Cgqlcg32.exe

C:\Windows\SysWOW64\Dhphmj32.exe

C:\Windows\system32\Dhphmj32.exe

C:\Windows\SysWOW64\Dhbebj32.exe

C:\Windows\system32\Dhbebj32.exe

C:\Windows\SysWOW64\Dnajppda.exe

C:\Windows\system32\Dnajppda.exe

C:\Windows\SysWOW64\Doagjc32.exe

C:\Windows\system32\Doagjc32.exe

C:\Windows\SysWOW64\Dkhgod32.exe

C:\Windows\system32\Dkhgod32.exe

C:\Windows\SysWOW64\Ebdlangb.exe

C:\Windows\system32\Ebdlangb.exe

C:\Windows\SysWOW64\Ebfign32.exe

C:\Windows\system32\Ebfign32.exe

C:\Windows\SysWOW64\Ekajec32.exe

C:\Windows\system32\Ekajec32.exe

C:\Windows\SysWOW64\Figgdg32.exe

C:\Windows\system32\Figgdg32.exe

C:\Windows\SysWOW64\Fqeioiam.exe

C:\Windows\system32\Fqeioiam.exe

C:\Windows\SysWOW64\Fbgbnkfm.exe

C:\Windows\system32\Fbgbnkfm.exe

C:\Windows\SysWOW64\Galoohke.exe

C:\Windows\system32\Galoohke.exe

C:\Windows\SysWOW64\Gkaclqkk.exe

C:\Windows\system32\Gkaclqkk.exe

C:\Windows\SysWOW64\Gnblnlhl.exe

C:\Windows\system32\Gnblnlhl.exe

C:\Windows\SysWOW64\Gijmad32.exe

C:\Windows\system32\Gijmad32.exe

C:\Windows\SysWOW64\Ghojbq32.exe

C:\Windows\system32\Ghojbq32.exe

C:\Windows\SysWOW64\Hahokfag.exe

C:\Windows\system32\Hahokfag.exe

C:\Windows\SysWOW64\Heegad32.exe

C:\Windows\system32\Heegad32.exe

C:\Windows\SysWOW64\Hnnljj32.exe

C:\Windows\system32\Hnnljj32.exe

C:\Windows\SysWOW64\Hhimhobl.exe

C:\Windows\system32\Hhimhobl.exe

C:\Windows\SysWOW64\Ihkjno32.exe

C:\Windows\system32\Ihkjno32.exe

C:\Windows\SysWOW64\Iogopi32.exe

C:\Windows\system32\Iogopi32.exe

C:\Windows\SysWOW64\Ilkoim32.exe

C:\Windows\system32\Ilkoim32.exe

C:\Windows\SysWOW64\Iefphb32.exe

C:\Windows\system32\Iefphb32.exe

C:\Windows\SysWOW64\Jpnakk32.exe

C:\Windows\system32\Jpnakk32.exe

C:\Windows\SysWOW64\Jaajhb32.exe

C:\Windows\system32\Jaajhb32.exe

C:\Windows\SysWOW64\Jpbjfjci.exe

C:\Windows\system32\Jpbjfjci.exe

C:\Windows\SysWOW64\Jpegkj32.exe

C:\Windows\system32\Jpegkj32.exe

C:\Windows\SysWOW64\Jhplpl32.exe

C:\Windows\system32\Jhplpl32.exe

C:\Windows\SysWOW64\Klndfj32.exe

C:\Windows\system32\Klndfj32.exe

C:\Windows\SysWOW64\Kheekkjl.exe

C:\Windows\system32\Kheekkjl.exe

C:\Windows\SysWOW64\Keifdpif.exe

C:\Windows\system32\Keifdpif.exe

C:\Windows\SysWOW64\Kifojnol.exe

C:\Windows\system32\Kifojnol.exe

C:\Windows\SysWOW64\Kofdhd32.exe

C:\Windows\system32\Kofdhd32.exe

C:\Windows\SysWOW64\Lhqefjpo.exe

C:\Windows\system32\Lhqefjpo.exe

C:\Windows\SysWOW64\Lchfib32.exe

C:\Windows\system32\Lchfib32.exe

C:\Windows\SysWOW64\Ljbnfleo.exe

C:\Windows\system32\Ljbnfleo.exe

C:\Windows\SysWOW64\Lpochfji.exe

C:\Windows\system32\Lpochfji.exe

C:\Windows\SysWOW64\Modpib32.exe

C:\Windows\system32\Modpib32.exe

C:\Windows\SysWOW64\Mcdeeq32.exe

C:\Windows\system32\Mcdeeq32.exe

C:\Windows\SysWOW64\Mqhfoebo.exe

C:\Windows\system32\Mqhfoebo.exe

C:\Windows\SysWOW64\Momcpa32.exe

C:\Windows\system32\Momcpa32.exe

C:\Windows\SysWOW64\Nhegig32.exe

C:\Windows\system32\Nhegig32.exe

C:\Windows\SysWOW64\Nhhdnf32.exe

C:\Windows\system32\Nhhdnf32.exe

C:\Windows\SysWOW64\Nbphglbe.exe

C:\Windows\system32\Nbphglbe.exe

C:\Windows\SysWOW64\Nqaiecjd.exe

C:\Windows\system32\Nqaiecjd.exe

C:\Windows\SysWOW64\Nmhijd32.exe

C:\Windows\system32\Nmhijd32.exe

C:\Windows\SysWOW64\Nmjfodne.exe

C:\Windows\system32\Nmjfodne.exe

C:\Windows\SysWOW64\Ojnfihmo.exe

C:\Windows\system32\Ojnfihmo.exe

C:\Windows\SysWOW64\Ojqcnhkl.exe

C:\Windows\system32\Ojqcnhkl.exe

C:\Windows\SysWOW64\Omalpc32.exe

C:\Windows\system32\Omalpc32.exe

C:\Windows\SysWOW64\Ockdmmoj.exe

C:\Windows\system32\Ockdmmoj.exe

C:\Windows\SysWOW64\Oihmedma.exe

C:\Windows\system32\Oihmedma.exe

C:\Windows\SysWOW64\Obqanjdb.exe

C:\Windows\system32\Obqanjdb.exe

C:\Windows\SysWOW64\Ppdbgncl.exe

C:\Windows\system32\Ppdbgncl.exe

C:\Windows\SysWOW64\Pjjfdfbb.exe

C:\Windows\system32\Pjjfdfbb.exe

C:\Windows\SysWOW64\Padnaq32.exe

C:\Windows\system32\Padnaq32.exe

C:\Windows\SysWOW64\Piocecgj.exe

C:\Windows\system32\Piocecgj.exe

C:\Windows\SysWOW64\Pmmlla32.exe

C:\Windows\system32\Pmmlla32.exe

C:\Windows\SysWOW64\Pcgdhkem.exe

C:\Windows\system32\Pcgdhkem.exe

C:\Windows\SysWOW64\Pakdbp32.exe

C:\Windows\system32\Pakdbp32.exe

C:\Windows\SysWOW64\Qmdblp32.exe

C:\Windows\system32\Qmdblp32.exe

C:\Windows\SysWOW64\Qbajeg32.exe

C:\Windows\system32\Qbajeg32.exe

C:\Windows\SysWOW64\Ajjokd32.exe

C:\Windows\system32\Ajjokd32.exe

C:\Windows\SysWOW64\Ajmladbl.exe

C:\Windows\system32\Ajmladbl.exe

C:\Windows\SysWOW64\Afcmfe32.exe

C:\Windows\system32\Afcmfe32.exe

C:\Windows\SysWOW64\Ampaho32.exe

C:\Windows\system32\Ampaho32.exe

C:\Windows\SysWOW64\Afhfaddk.exe

C:\Windows\system32\Afhfaddk.exe

C:\Windows\SysWOW64\Bmbnnn32.exe

C:\Windows\system32\Bmbnnn32.exe

C:\Windows\SysWOW64\Bpcgpihi.exe

C:\Windows\system32\Bpcgpihi.exe

C:\Windows\SysWOW64\Babcil32.exe

C:\Windows\system32\Babcil32.exe

C:\Windows\SysWOW64\Bfolacnc.exe

C:\Windows\system32\Bfolacnc.exe

C:\Windows\SysWOW64\Bmidnm32.exe

C:\Windows\system32\Bmidnm32.exe

C:\Windows\SysWOW64\Bfaigclq.exe

C:\Windows\system32\Bfaigclq.exe

C:\Windows\SysWOW64\Cgfbbb32.exe

C:\Windows\system32\Cgfbbb32.exe

C:\Windows\SysWOW64\Cpogkhnl.exe

C:\Windows\system32\Cpogkhnl.exe

C:\Windows\SysWOW64\Caqpkjcl.exe

C:\Windows\system32\Caqpkjcl.exe

C:\Windows\SysWOW64\Ccblbb32.exe

C:\Windows\system32\Ccblbb32.exe

C:\Windows\SysWOW64\Dgpeha32.exe

C:\Windows\system32\Dgpeha32.exe

C:\Windows\SysWOW64\Daeifj32.exe

C:\Windows\system32\Daeifj32.exe

C:\Windows\SysWOW64\Dnljkk32.exe

C:\Windows\system32\Dnljkk32.exe

C:\Windows\SysWOW64\Dckoia32.exe

C:\Windows\system32\Dckoia32.exe

C:\Windows\SysWOW64\Ddklbd32.exe

C:\Windows\system32\Ddklbd32.exe

C:\Windows\SysWOW64\Ecbeip32.exe

C:\Windows\system32\Ecbeip32.exe

C:\Windows\SysWOW64\Epffbd32.exe

C:\Windows\system32\Epffbd32.exe

C:\Windows\SysWOW64\Ejojljqa.exe

C:\Windows\system32\Ejojljqa.exe

C:\Windows\SysWOW64\Ephbhd32.exe

C:\Windows\system32\Ephbhd32.exe

C:\Windows\SysWOW64\Egbken32.exe

C:\Windows\system32\Egbken32.exe

C:\Windows\SysWOW64\Eahobg32.exe

C:\Windows\system32\Eahobg32.exe

C:\Windows\SysWOW64\Enopghee.exe

C:\Windows\system32\Enopghee.exe

C:\Windows\SysWOW64\Edihdb32.exe

C:\Windows\system32\Edihdb32.exe

C:\Windows\SysWOW64\Fnalmh32.exe

C:\Windows\system32\Fnalmh32.exe

C:\Windows\SysWOW64\Fkemfl32.exe

C:\Windows\system32\Fkemfl32.exe

C:\Windows\SysWOW64\Fdmaoahm.exe

C:\Windows\system32\Fdmaoahm.exe

C:\Windows\SysWOW64\Fcbnpnme.exe

C:\Windows\system32\Fcbnpnme.exe

C:\Windows\SysWOW64\Fgqgfl32.exe

C:\Windows\system32\Fgqgfl32.exe

C:\Windows\SysWOW64\Gnmlhf32.exe

C:\Windows\system32\Gnmlhf32.exe

C:\Windows\SysWOW64\Ggepalof.exe

C:\Windows\system32\Ggepalof.exe

C:\Windows\SysWOW64\Gclafmej.exe

C:\Windows\system32\Gclafmej.exe

C:\Windows\SysWOW64\Gdknpp32.exe

C:\Windows\system32\Gdknpp32.exe

C:\Windows\SysWOW64\Gqbneq32.exe

C:\Windows\system32\Gqbneq32.exe

C:\Windows\SysWOW64\Gglfbkin.exe

C:\Windows\system32\Gglfbkin.exe

C:\Windows\SysWOW64\Hkjohi32.exe

C:\Windows\system32\Hkjohi32.exe

C:\Windows\SysWOW64\Hcedmkmp.exe

C:\Windows\system32\Hcedmkmp.exe

C:\Windows\SysWOW64\Hjaioe32.exe

C:\Windows\system32\Hjaioe32.exe

C:\Windows\SysWOW64\Hgeihiac.exe

C:\Windows\system32\Hgeihiac.exe

C:\Windows\SysWOW64\Hbknebqi.exe

C:\Windows\system32\Hbknebqi.exe

C:\Windows\SysWOW64\Hjfbjdnd.exe

C:\Windows\system32\Hjfbjdnd.exe

C:\Windows\SysWOW64\Icogcjde.exe

C:\Windows\system32\Icogcjde.exe

C:\Windows\SysWOW64\Iencmm32.exe

C:\Windows\system32\Iencmm32.exe

C:\Windows\SysWOW64\Infhebbh.exe

C:\Windows\system32\Infhebbh.exe

C:\Windows\SysWOW64\Iholohii.exe

C:\Windows\system32\Iholohii.exe

C:\Windows\SysWOW64\Ihaidhgf.exe

C:\Windows\system32\Ihaidhgf.exe

C:\Windows\SysWOW64\Ieeimlep.exe

C:\Windows\system32\Ieeimlep.exe

C:\Windows\SysWOW64\Jnnnfalp.exe

C:\Windows\system32\Jnnnfalp.exe

C:\Windows\SysWOW64\Jnpjlajn.exe

C:\Windows\system32\Jnpjlajn.exe

C:\Windows\SysWOW64\Jjgkab32.exe

C:\Windows\system32\Jjgkab32.exe

C:\Windows\SysWOW64\Jhkljfok.exe

C:\Windows\system32\Jhkljfok.exe

C:\Windows\SysWOW64\Jacpcl32.exe

C:\Windows\system32\Jacpcl32.exe

C:\Windows\SysWOW64\Jaemilci.exe

C:\Windows\system32\Jaemilci.exe

C:\Windows\SysWOW64\Jlkafdco.exe

C:\Windows\system32\Jlkafdco.exe

C:\Windows\SysWOW64\Klmnkdal.exe

C:\Windows\system32\Klmnkdal.exe

C:\Windows\SysWOW64\Kbgfhnhi.exe

C:\Windows\system32\Kbgfhnhi.exe

C:\Windows\SysWOW64\Kkbkmqed.exe

C:\Windows\system32\Kkbkmqed.exe

C:\Windows\SysWOW64\Kdkoef32.exe

C:\Windows\system32\Kdkoef32.exe

C:\Windows\SysWOW64\Klddlckd.exe

C:\Windows\system32\Klddlckd.exe

C:\Windows\SysWOW64\Loemnnhe.exe

C:\Windows\system32\Loemnnhe.exe

C:\Windows\SysWOW64\Leoejh32.exe

C:\Windows\system32\Leoejh32.exe

C:\Windows\SysWOW64\Leabphmp.exe

C:\Windows\system32\Leabphmp.exe

C:\Windows\SysWOW64\Ledoegkm.exe

C:\Windows\system32\Ledoegkm.exe

C:\Windows\SysWOW64\Lkqgno32.exe

C:\Windows\system32\Lkqgno32.exe

C:\Windows\SysWOW64\Ldikgdpe.exe

C:\Windows\system32\Ldikgdpe.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 6556 -ip 6556

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6556 -s 224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5248 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 136.71.105.51.in-addr.arpa udp

Files

memory/392-0-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Windows\SysWOW64\Mogcihaj.exe

MD5 d5ce80b36930f6a94ad498871606eac6
SHA1 591397d7c70e27e3330d7fe8dfdd5c1b11b6acc7
SHA256 b506807c8ba9a20e9f19bab42739dcf72e4483161cb280e7620460a9f6e5813c
SHA512 1974a2e93ca912d40b2921738fdfa6d97573290bbd9e13cf67d1f3b0d9b3aa09c09f37da5d4d00ca13cc87f528d5d40db9f8b8af2f63da2f1eb06527ee950381

memory/1516-7-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Windows\SysWOW64\Mjaabq32.exe

MD5 6a458d5c3a702f3d40a62f7cadae4f35
SHA1 2158c873463522ecad36bf19162d63d1c7c18f2f
SHA256 f117fd33ffb9b72f498c41ffb2a75dfd7564e5feee90756cd6ab8e7ac0d754d0
SHA512 7727fccf1237b8e27a2bcc865eec821e0212255e791abb4aa2cf4b144afc53a2fabf80cfcdeea572924a9c5b871fb4faec70d6e36c10583d46e3f12d727fc87f

memory/2452-15-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Windows\SysWOW64\Mjcngpjh.exe

MD5 2f98008d077f1f660349e34492b6730b
SHA1 62f4202a46bc90eccdeca90864721d82f95f84a9
SHA256 ba68a8871f9dcd18454df514195772200bee2e64d1a10c7a64cf5ace524278ad
SHA512 3d2e9dccae8d4e01f01f3848054ea15c69586b07f0b30347a48aca99bcb3541c6c594b62f6e5676b012b50b1a232c88d50eed9f1b504832f96498f65b24a5c8d

memory/3580-24-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Windows\SysWOW64\Ncnofeof.exe

MD5 02bc35af71e3fc06f285e71bc933bde5
SHA1 a8165acfb70d961501237b616bb8376872e99426
SHA256 e93ec0a3577b1c157dc3a8e53e71eeb07bbebfcd2dd0252e9b4b1558502f4f7d
SHA512 eafae61bb39c5cda83afaf56bea06c733405f1aba08de1da4641faf6ed8aadd65897684fe6e0518dbfc731414427f127e15635ccb1742aa2f6dc178171d737c6

memory/1384-31-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Windows\SysWOW64\Binlfp32.dll

MD5 b821cd88a9a7f13936e117e1896ba489
SHA1 04fc763c5ce2cf0604649cd9bc6b74a87b753433
SHA256 cdb548b420f56b677a2ef18bc3a4beb576cd427d4798b6e203f3c072111194ba
SHA512 67c1b00d396a3b6111dfc761832568efc5e5e693a0f51520df36d5ecdb328390e2cd856a1f250a0c95821060db1e7823a99262a3df1a0442330520e9167274a5

C:\Windows\SysWOW64\Ncqlkemc.exe

MD5 0a6280796619ec86a6b02cd86ac8a4e0
SHA1 0b8a2967eb38ef6e0ff10b1aa9230c3aea63eec8
SHA256 35798426c7106ca61fecb33aaa28829027696f0fe2c5b74e496e5425758c89d9
SHA512 e9fac890bf66f2007991967242b6057451a28c22c04937948dd2c084e0dd673a278aff0b3971f429b74506fd113169172ec5907bbaf91ddc5b5bb8432d9fe588

memory/4108-39-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Windows\SysWOW64\Ncchae32.exe

MD5 83b61d408e18930d3d9ba5bad7cc974a
SHA1 18c84862ee815aa0f531f91e0b7dc0669ec04335
SHA256 9b88827e55495bc54686a4b7ade78cc1e27742a358b973dce3db70171ccbb0ec
SHA512 ae1310ffa6d0d57d0281e4c7354b4bd97b1d23f9814a14c38cd6453cfdf7809d01a684745ce75e42b308ba5d5bdcd1d7632b8e914670bdfb92a8a994acfb8565

memory/1356-47-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Windows\SysWOW64\Ojomcopk.exe

MD5 0e926a65813ec75a0cfc6e0429cdca4a
SHA1 84711d79cbbb2811a4507a939617c113f17361ed
SHA256 46edd0b61d65d65864919a1dcee8ed37a5d78676bdd6ca572f29569dc6f62580
SHA512 371980c0898d613621ef36074dc4287a483f379eb3d2601c573c05f6ff0e24f74d9e13cbb05432eaa0ac3b156f11723b2da46d721b59024e8c35070521e54f7d

memory/2424-55-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Windows\SysWOW64\Oakbehfe.exe

MD5 a7787d4cbfd223cce3c917d1ec6970e6
SHA1 f8fe5a0f7f30e052d09084f7bb8c4b19f4e5efa6
SHA256 bcd161df27de91c3f6dc810410baa84b690f33cdc985fa94c0f8ba8568d49c24
SHA512 dba69d7434899c81c2542919e28356629e422309da1a2a6f69c1bd7438c532fc52ac17c761a5ea856359865180cf73ad79de87a8720f3b70c2935b3eaf642270

C:\Windows\SysWOW64\Oakbehfe.exe

MD5 3ef25ab577a4c47af84bcd2d5c790c84
SHA1 f7c5ae70f10d7103741fc6f416002976e2f34af3
SHA256 ce1ccde3b695a5c9643c280a37c970b9a28d4d19856d8e6113c134ea235cda2f
SHA512 5ec977b98a5ed7ce9aa9fd9e762a2739119241e571f36667e9fd36a40399e2618c73714b57f433dd782fa9075c4a4c2b3ebf7823c10a16a1d48300a13c2eb53b

memory/1268-63-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Windows\SysWOW64\Opqofe32.exe

MD5 3f4985d1fddee060d9441b7668be95d4
SHA1 7156eb2002e1cb2c74d8311b18844d0b5f37e31f
SHA256 dc4e4d47db021b5fad4703ad176a32246494c4eef60ab16ce3ca91e924c6f70d
SHA512 f25c94292ae740a0fee0b425666ee653b89deead4eae85a67307892329b20a59414e7b1fb873225d10e9cc5b2072d8a34b1d35bedceabc2cfb1f27be2a73fc49

memory/3476-72-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Windows\SysWOW64\Ocohmc32.exe

MD5 a3bba0188a8d04370aa903dad155021c
SHA1 6fc2ba8c56b7fb593930cb9fb90361b2766cbd52
SHA256 0b4a678443342d2d7ffae6fab94038047734bb60375fdcafac9a42bbca8bd295
SHA512 333bba82cc5e500739d381ef9e07f4a365733bdc235fee018817f03c74934fccd06957d837864109f58142ddab6973f2cbe159f0b773a5abf6f1a0a18f9e8b7e

memory/2220-79-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Windows\SysWOW64\Phonha32.exe

MD5 62d65e340a3b96bec6cf6e27df05d67b
SHA1 ce16f6afcb75c87d380ee1192c5b0d63ae0d6092
SHA256 8ae3f44389a397770ed1c6fa8b9af4587bf3e742ece53b2a9f30eee6042f85e4
SHA512 227417a1aaa3e46343d492d49f1fec4feceb31145aa15ab6894cb5489ed5a209e3ec2192aa89c027bea02d70379483d53c13e7ba353b5b3990685712c6d136d8

memory/684-88-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Windows\SysWOW64\Pnkbkk32.exe

MD5 cc8b6ca586a93a5ff590440b4f5a03b1
SHA1 9e08f5abfe0ed3c833bf371912e5c1bfd44b6ce1
SHA256 452189c35abbae98a2cb84f7c572eda9b174d7023858a66d53e9d3db6464ee4c
SHA512 287e5db79d0ec7b19c1850aeb6957374e3e47420b659a1893e18b07aa1c35dae2ac07ef35c94cabed9ccd4ea8bd042eac0cd8a89d45ce3b173945ed802c32c20

memory/1708-95-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Windows\SysWOW64\Qmeigg32.exe

MD5 e282854b79c03b6691d51c34844b8886
SHA1 9062b302c1d8e68bced57591ebab7dd03e68d2cc
SHA256 82d0522bc4223a600711db24cfa4af72cd51ac2ed9d56bb1ce08d3ddbe3dd0bc
SHA512 e75445f787d754ee012a127614776034b8ad29746cc58e790b92857cfaeca3d45a9eefcc935864b25c03bad0a9553742d8701ebb5c02fb7e07f5c1dc714fadbf

memory/2056-104-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Windows\SysWOW64\Aogbfi32.exe

MD5 1f7090911f58cab2fac8e0e4e100c7f8
SHA1 0d48fea7533b3271b6a77e133c76b930e3d4ab50
SHA256 b4476dd5fd37ca74a750c653969845cfef630bdc92f16316f90ffd730f7f7c30
SHA512 59c3314610d730099d5d74c47683b259a7ed885535f23ec81735a74e2d64ccf82462850ec530e2221f991ab53cc3d267b30234ab01f6999c760789a9980057f2

memory/3504-111-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Windows\SysWOW64\Adfgdpmi.exe

MD5 f08317d5ce0b3980801b02c8e1c4442a
SHA1 b00d05d3d1dbdc1abbf936551e65641de8a59e6e
SHA256 6f7df16d488cb3919be9a1c2021b7aedb0dacea51f7efaa185334f75e1e0bfe0
SHA512 7fd84ce9c3053ed075e91ea542dbd6bb58197c09f535230454db88ac482805d5b4fe902abab082dc1dd2e250e3a24f45b050034650ce92dc5703d997a53d2a0c

memory/3588-119-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Windows\SysWOW64\Apodoq32.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\SysWOW64\Apodoq32.exe

MD5 ccfe1a9ef231e83b684316e7c8dab5a2
SHA1 5d126e45e15c90e25c914703a7ffbf5d8ac892da
SHA256 c0df69300a81591c9db709eed80478a7de330a0144b0f747ec5d7a7f35b8ccd0
SHA512 7638b7fa3a6e0b546b183b6428b6d42a5f6092904eb171a7d5d158c49aea261e7f5b76759cddc98fe20c5fdad360ff332101b6049fef50e13327b7f6b12f6032

memory/4988-127-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Windows\SysWOW64\Bpfkpp32.exe

MD5 139526ee29eb41616152cd9fc6ca8e3d
SHA1 267c9a1ab98b18368f1a30f145f1c024af169cb4
SHA256 0a123cd12d82e282782036ac5ee309112969784afeef6ba8946c3fddf9deb407
SHA512 b56c307a91dde30d85ff4e0d767a1297295ca813cb779c7d03c3dc7cf4d24070232787433b544f6b68dde2073c90517d0d2529f3df8c4dd80805a170b4a52836

memory/2212-135-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Windows\SysWOW64\Bahdob32.exe

MD5 6d4d4466ce4a11ad37b49a0354854d40
SHA1 fbe959a2d3c8f97fbc39063e68dbee0ced747480
SHA256 ed1f548cceaf1e18500cef7a788ca8d7fd7d535d45630a8aeff0d622241a3fd4
SHA512 9f757378e57c22ac29074d612f754afaceea902e3019a4e0b60f3a7b62fa0d3139a10f98fafbb21c4f02a9b6c4f65e1518dca2f8b90c2e8b2abe56b0e7ebb180

C:\Windows\SysWOW64\Bahdob32.exe

MD5 bc34c5cb6bcb1ab24a391a357a03b728
SHA1 c4c435c05f7ffd9dfac6e57d262b3e4b6b5adc09
SHA256 45484a73e9c36cb4fd4219b317a0b26b8065405ad6444630f54572fad42f655c
SHA512 3095d6489d29b6b89498d0246587a1530ee8b740fa2d94fa154c8f10ad25b0c25492e24c2a98123f654c51024326c22509d59366eb32ee805c7e80e0db6fd5d6

memory/4532-143-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Windows\SysWOW64\Cggimh32.exe

MD5 bfa87fe4328bb3503af34634147b347f
SHA1 cb4ceb980599e5da609954f695b692616fcb5758
SHA256 a784ae62cec6a541ffe142a5035582f0848d79616e0244faa844d1204e21992a
SHA512 d64f1bf26495a7ecd51e31aa0341b413ac011c6babe8e19ceebd08592cf323f1cdfa700f447305996cfa8e51ee0d2aae1b2f7b5f4b3e4b393a3edd0e78fdd7a5

memory/2696-151-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Windows\SysWOW64\Caojpaij.exe

MD5 a287f4ea9470f552d91a6f710e63fdeb
SHA1 c20173b4036be2b2e9338b69a931ef2f9721332c
SHA256 de62744056ff16ed1b67944b726e446e2bd998d66f823bc39bd4bf03c64fb669
SHA512 adb2c7929af1c438a5675112604aae5f10da946d1bdedb2a16f1b0f7643039fcd108fb9112c1805e05852aaffef4247166d763739b3f33e484d7d44978503702

memory/2104-159-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Windows\SysWOW64\Caageq32.exe

MD5 143873ba484b26a2be2040a671592d75
SHA1 15c10aeb1fa94672a203b3ad1510557d6fb0da34
SHA256 45f29cd05266e2e1d95a27baf99c2e3a7deaaf1e6a9fe444c9c4bd6f5b06981f
SHA512 88d06d2ed8a4481d240e2903c1f272ae9cad9c2fd68f6633d454683567ef40319f9f7c11d846a283958ee84b60026c053096a0cd44b8687b1f18b1e913493391

memory/4516-168-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Windows\SysWOW64\Cgqlcg32.exe

MD5 f98f61fe536bc0460371c30cc9fe005c
SHA1 ec6aab6bd9cb67a848a85a082372efc31abfbdc4
SHA256 1a160a855a1d2d76b10722ef0cbeb2f90118caa463f326898758818b40010379
SHA512 5c21cbd1f4516320d13229a730392f401852c2e48f7c99928d60566b21b9f21aba8da66557c472a34b851d400fd870314c73afe5b7bf1181b8bb6b2b09eb895d

memory/680-176-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Windows\SysWOW64\Dhphmj32.exe

MD5 fce037cc9b96decd34b0a689e9de9b0c
SHA1 3a44e103c2cbddc86524ff0914cf870fd0a667fa
SHA256 af2223b2d969f613e141c3c63048b0c9abc3411c75b5b45aca1a10664a8d020e
SHA512 04c60ac02ec8b6ef062a6c58ce8fb09b152a26735de764768ca03b5e6b645116971e1b2f78443606b0f199243ddc63a2a67bd977dced5256d3283673a9b896b0

memory/4800-184-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Windows\SysWOW64\Dhbebj32.exe

MD5 e983abc0c39ed3c1d93fa73b95c1b153
SHA1 a5a73f06ce3767af92f67757eaca1cd2e6874057
SHA256 3c05dbef0f13445fb0633d3695c4f010fef19abf5ad825850f58d7a0b403e86b
SHA512 7596c6bced050e46f06df7db000fae1824de655debeb486c2597d0818518f629a0e69ac34002ce0650eda8435cf53c49c3af06694ea8810388ecd8a1181de907

memory/1388-192-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Windows\SysWOW64\Dnajppda.exe

MD5 e7e50a5bbc0e75451e9fdeaad35d4716
SHA1 e51e04a7e2d645a312714097f6dc1d11566ccd57
SHA256 f8a11cefa0b5e7b75c8e1414b6000eca529a41b7c10cd82083fa1e600222f21b
SHA512 08d94887fc5eb16f35bb28a10a642e969afa8aa6dca7081cc00a2dc716d114ff1349afe230948a100580f68dc507eb10d63b6b3c53bde72835488789119c697d

C:\Windows\SysWOW64\Doagjc32.exe

MD5 9fce8e34451b181b6f2ae470bd1babf8
SHA1 2b1205c3872dc71750f35eaaace7dffaaebfd05e
SHA256 7f4f23b9d658fe7992a10a3781c99baaaf59f9e7a7e3d99ce63c1613087a00f6
SHA512 a8a959679331d61daabc5f2909e919fb2195bca1ae77694cc6097468bb4bd621a3e44a1ac301e58eac453598a9f2677d3fef9c3ff771efe8aaf5e3b601b799b0

memory/1476-205-0x0000000000400000-0x0000000000447000-memory.dmp

memory/1884-208-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Windows\SysWOW64\Dkhgod32.exe

MD5 69e6b6d79cefe4c8b279389fe2c374d0
SHA1 d3654948d1bd1442f1c44eea2ded7b46d4c48e93
SHA256 431796f36e41e782846d946690847dfb3f3c5a2c0a74c40af031b1959d15f098
SHA512 e021bd974ccb22b0c485c820a1fbbbf921c5768c931b92abefb5c0aa3003a46dc04bc9923dada1e10ae6b845563812d4c4979198372e36944d9e86a94d880ce2

memory/4380-216-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Windows\SysWOW64\Ebdlangb.exe

MD5 9b7644c8cc4ac34d8948b28825c61408
SHA1 73eb77fc0f7c00a33ebc26fadea7f6cd7aef24df
SHA256 9dd5e08e05221b60f65a2c48580b0b608eaf11725bf7999c8a6aa5ecef1191bf
SHA512 143f0215aa59fbe5b80ba10b3c1d85aad04c416c22b5ee082f0a5ad5a2be0fade21a87a8814a5f948ab71169f4fb6665331c68d85e1e34c80537e2bd4432eab2

memory/1880-224-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Windows\SysWOW64\Ebfign32.exe

MD5 3f0640c165c5ee6f569cfefc78776ad9
SHA1 4379c9d2ad5f815a88bfd9fda4ac1da0582d253d
SHA256 3f039deafcc44f7f8a6e9cf9713560a26bcedfdf2775ab21891b4e7ad52a260e
SHA512 4cd1aa8ccff7c0c22768c7f34f462f1bf471577560de6a29fa0358a2000bd45d5d5b16a2b7936cf04cc9961c7b9f749dc279e4436299ea12a31b865da2a8c92a

memory/212-231-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Windows\SysWOW64\Ekajec32.exe

MD5 1c8da5538e69b56a54accded9de6de3a
SHA1 ff340fcb928af42a17eeceecf68eb5a198f657c1
SHA256 7ec68f3b5fcd46a6426705454ca7194dbb05935a3566358d1d90633ecfff0c1f
SHA512 cfa539f622e5a5834b22e686c3164454c5106acf44daab514abeb08916809486722a7c66ff287a6419b4e754c9a9ed3ba1239567630feb38b9b55eac0f7c052b

memory/4928-239-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Windows\SysWOW64\Figgdg32.exe

MD5 3bb15bf1861fa3818696a790271858c5
SHA1 995d012c5bd5d5c26cb20913a97e48eef595c9a3
SHA256 34465d0c043c54ac6689d0686a3c21c59051d6578ff4523e9943f360e1eee854
SHA512 d07ca062d78e9912ff884db8994e92917aeb3c17b94244d53cd89534408abce88cd3c4a161347bd861c6013cf4d96300bd5eb22813d72f76ae0c41db1c2dd40f

memory/3500-247-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Windows\SysWOW64\Fqeioiam.exe

MD5 6c49ca3e1b23b32c7a05dcb9870972ad
SHA1 1fc9ca072431c6ca2e6e8d84a9636dc74a4b7221
SHA256 616dcc21c7d6265fe397bc727a53dffc3f1fb1b56bbefef1e3c2f8427bdd0447
SHA512 9bf0f22cbae469c1ca1920952de39ae4e8aa5aa08e619e295f43201f5a2613db3002103bafe88ccd7f91a754db883d6efe7e3d47ee78e85e63520ea1813d8e5c

C:\Windows\SysWOW64\Gnblnlhl.exe

MD5 2bf566b91f1dc091684c65b790683ac8
SHA1 f915ed0c015bc343f01f3b3f3a1b360578143d05
SHA256 c737426f61e6bf9e9da5a8ee5a6a88df8e48fc0fd72bed31471e42d1283290eb
SHA512 553e0d31744630c45669e49b2f6bd1a2916fd419c29ab91ad2c4b22318478ea977698cb5b8a1378692375404d6efc7345bae3a08a84669bcba355fcec6c5041c

memory/1532-280-0x0000000000400000-0x0000000000447000-memory.dmp

memory/1760-286-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Windows\SysWOW64\Ghojbq32.exe

MD5 197ea3527c33024b98935a73a21789c9
SHA1 001d0fa5278096c1e1a31ef37cf6654e180c4c2c
SHA256 5478f1a85c771e135c1b248d77d073fa47e8ed2d1d95fc5efea2432dc6231771
SHA512 e8bab222ff1069b9290ace6a3c360b9a0c4a970cf2e5bcb1ab8550d0705265dda8f67378ce25a82f3be0ad441a4bd3da3d15862c95672f57468d97331c082715

C:\Windows\SysWOW64\Ihkjno32.exe

MD5 3d61e4c044ab4dafe82ce089700419e9
SHA1 de3ff2883d60e6c69b1b157498d3704ded055809
SHA256 692c8637d62b15f0838152612347bd10353fbc620cd62d6e2fa4f18c6dafc70f
SHA512 04789217f5509d087cab65d214b2a4168ad3b746b405592213b8b0f99cefabfdf62d61199325b6742d1b312447c61c0d9c24faabb60d1679ac7b4cebd2d9f41c

C:\Windows\SysWOW64\Iefphb32.exe

MD5 e6d67348afb1c0022bf8563c6cb6a161
SHA1 d3e05eaf0c0d47f4e98425a009fb6aeb4360fd62
SHA256 137162dd1b98d88375e52c64d8eb3208e2144116a1e9681099d2ee2d6e1b20e1
SHA512 d62d57a5753fea600ad1de9cfe58e367874aec19a4971d28abdc86578d419f306b772c75b5f94153299fb296fb77bec263efab63caf7cdded58eea2adf637630

C:\Windows\SysWOW64\Kifojnol.exe

MD5 9d34926916d0999200319191176aa37e
SHA1 823349c71dc09b8b889a2b9d5f0b2f702ed29afd
SHA256 b3439ee3d6153f056e36b02068e7ff99749892355a608256d31109f36934962b
SHA512 c0512ba5821b9846421225d447bf710d97dac643989175b71e8b0e639829656da02dd448932c339c85bc5a85bf2aa0eca32fc592df5859a10bcfaf37eb7df24b

C:\Windows\SysWOW64\Mcdeeq32.exe

MD5 94c6fbb75b33b3c55a4a18cffde4e05b
SHA1 ebd319046f9af5e799449cc809762898ba82878f
SHA256 87c4be270654f8a68b8b4209de0758693d59eeab68bd3a7196a283d7d5500fd2
SHA512 9947dc83fbe9c14fe1dd360ecbf05a0171143c8a63fb1375c9dfd5b46c651eefc6db856edbfec5764a3686a12a4d37cdcd13d64a23c2d7510f6d8e8c162305f0

C:\Windows\SysWOW64\Ajmladbl.exe

MD5 6b187fd9780248cda23e13b30ce10e38
SHA1 d31170bf8a8f7749ed188581d288385667c6c32a
SHA256 190cda316cf82c270d5901572a257c93d4e7ffc6e070d1951df14d6256d354f4
SHA512 49b333249111d6f60cb103377225075fd35d81e5fa5ad5507aa46ace04fec81eab44bc73b97b1f5fc488c6c24665d78de1354a3447e0e10a2121caccd5e78929

memory/2424-593-0x0000000000400000-0x0000000000447000-memory.dmp

memory/5808-594-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Windows\SysWOW64\Ampaho32.exe

MD5 802a842661b13e086d45bba3e896474f
SHA1 cf241007652cfa711211cbdc7155c5589334fba2
SHA256 9bc4838fa5b38dff701d255f44db83c939eb89e97c2b7cba5e692fb3ab829695
SHA512 fe3f271ace2f797138482abd778b39a902810a4aa291d5ea74cbb2e4f52c25bc582bd3c206696107a8adc3424f4dc96140208825217a412db52c714a6e526126

C:\Windows\SysWOW64\Cpogkhnl.exe

MD5 666323a64cfcb6992a1f56f9b007c32d
SHA1 1db8256426a86334c7a6ac4af9d9826fe9c0530a
SHA256 28862145a3b2eff06ab4148dfc6f1d43cd55b183d2f20f4c2779ad7ae0659eb6
SHA512 78f0fe0b671eb3ddfefbb6124d49741f25ca7d9d9da6745f81840ed2d74fc00b941be7d755b1ebc88881ef19e24cacd807cfecc4f2753873b04d0a6da3cad8f6

C:\Windows\SysWOW64\Dnljkk32.exe

MD5 7487e9a355cd0bba029482b0c8a1adeb
SHA1 3b843737a47980e0832f4a4fbbd7a532acb5c87a
SHA256 dd96ce8bcb20099372a4648ced13dd82c42a07f7f27f2b13ff12e5090ddbf8e8
SHA512 d257d0df71559bd90cff7348672836b7e3ae36a3db2810398802c5d2ac62be0df5cdb2cc825ccc0e5b2e679ce941bc21598a673388e63f94d7fb0275ba4d9e65

C:\Windows\SysWOW64\Eahobg32.exe

MD5 d169505f39affbdbab10ab45570497c4
SHA1 7ab0c10cb0f8c4b517d35f67e6639204463fe274
SHA256 0bf4f862b989aecc1bf6ee536c0bec6f98a3609f3114118b558379d3a459e22d
SHA512 6e48b432906bbea3b056b821505f7da6bc2c5b5911f80fcb7c68cc7033f9277aad5dfb92538db92614da3b8381557706852103f82b10ac327fb5bdcc24a3d937

C:\Windows\SysWOW64\Fdmaoahm.exe

MD5 5629c9bc12c1d1845c77e11824a2e402
SHA1 c73c6fd9e1f456d8d780752303c0a06c4afa1e47
SHA256 5c5dd71894e9b07e9ee95a81a5fb5d77d527e1f6b25754ab015eb635a37c7c46
SHA512 e8a94e27721d11ee1e18c5ddf7559d59a208402f91e5b92a0917592f4ca1cb3ff822ad9da031837af99d0139f35e699cef9694cc61ed820751205dbc134d7502

C:\Windows\SysWOW64\Fgqgfl32.exe

MD5 7e989f59689bd73e3c53915a462957cb
SHA1 fd77e863833667b750c8a565498538ac4273b937
SHA256 7bfe2f942b8e0b9d64d72156d57d0a4d7fe75f27cb4466ab9321b34774f4f8e9
SHA512 5d33c18b7c38e5f756d396515d76940370894c926e31b67df3851f030af3d470f62de255d704d65f7e52a3d06f6b40d77aceb409f0cd356cbfc33b34918ec71f

C:\Windows\SysWOW64\Hjaioe32.exe

MD5 673ea0cd987e39c9d7629b0bdb3f4da6
SHA1 8c7ebc0b3b5d809f1e006428b2baa5b6f10bd576
SHA256 f6225b8a418085c8535b8b548ec39936a8f6bed64186e00af2727cc349f4225d
SHA512 b10987319b58ae03f92974500335e06fe43ce61c31c41679743cd01b45b009b78fd4828717857faaa07ea0b2026bc52657bdf5a3e4fa2378cad1420ab0099617

C:\Windows\SysWOW64\Jlkafdco.exe

MD5 08bef4c2604048225e5c35297419df89
SHA1 846260c619fa87a776673ea640557f7b6ea04f6e
SHA256 bcc8d3b5ee9481d410fd946f51562a5deb03cabeda10027bc952b7e7135baf4f
SHA512 eecaa354de1f7013388c757cae3ef59d07ec0208dd9a38fcafb8436f5a78941dd56efa750cd49c48bd620d04c0e21d3ac7979b453054809dc5c1afb427bebb6c

C:\Windows\SysWOW64\Klddlckd.exe

MD5 c7432410a22ad81734c08bc12660f6f3
SHA1 21256caf4192b457d4f3565d9abbdff756336008
SHA256 05a226afa660053d52d1620a2c5705d88e9a2da8c50628d37d43c10519dc493f
SHA512 896e13f74896a457ac036c75f584776f174c81d2c3790d3cbc1c81aaac90ea13ae9a1a6e3081dbb5d3586684ea483ee1116a36240a37c072073a11f7b938ef75

C:\Windows\SysWOW64\Leabphmp.exe

MD5 a3a43dedeacf483f750bc9f55fdee092
SHA1 ea605d9217160d84fb4de1987fc566c418e2f565
SHA256 cba191140cc9ab3efd3622a1d5ab19018aa8ae3e758faac8b0ea8a7651877a2c
SHA512 f0194427561521229d5cd7a2aa0fe27891b9600b16c4c3fd943488628bc621be33d1de41d4706b4b1eadc945da6a0dce6eb1c067d34a0cc24758d9a1a80be649

C:\Windows\SysWOW64\Ldikgdpe.exe

MD5 ef8481b7e2cfc18275a22fa1f4182df3
SHA1 bd5e5ff3b7392fee6693df7ee5002f2873699338
SHA256 858b3d05abdd99676445317093b408cd72f16c45a09a4b16a15765b89a4171ab
SHA512 e8a2e8b31fd937ff98115bdfce5cb2e0a2f54223d02d34a904ef388e49966d100f03a3a1be69b4074d2b1ade57b21dbc70921585a8b0800ccd40b028e11c7234