Analysis Overview
SHA256
ed17dbedcec79e7074d6b23f1ee76a59e83af4654755fc37bc4ab41f955de091
Threat Level: Known bad
The file 342872c7a7e45650c3f94380fb9dd4d0_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Berbew family
Malware Dropper & Backdoor - Berbew
Adds autorun key to be loaded by Explorer.exe on startup
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Program crash
Unsigned PE
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-02 04:08
Signatures
Berbew family
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-02 04:08
Reported
2024-06-02 04:11
Platform
win7-20240508-en
Max time kernel
147s
Max time network
118s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nfmmin32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cdakgibq.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Coklgg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fjgoce32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hiqbndpb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Iaeiieeb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bokphdld.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ddcdkl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Epfhbign.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Eeempocb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pabjem32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Aiedjneg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dflkdp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Eqonkmdh.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gpknlk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gegfdb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hcplhi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Oenifh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cnippoha.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Feeiob32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gaqcoc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hjjddchg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Oojknblb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Eecqjpee.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hiqbndpb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hggomh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cnippoha.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ghmiam32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gmgdddmq.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ofbfdmeb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pijbfj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bgknheej.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dflkdp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dmoipopd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Facdeo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fjlhneio.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hhjhkq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nfkpdn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Admemg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Efncicpm.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Goddhg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gmjaic32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hcifgjgc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hcifgjgc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Oenifh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pmlkpjpj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cciemedf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ckdjbh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gejcjbah.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ghmiam32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hlcgeo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cckace32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dqlafm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Epdkli32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hlhaqogk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hjjddchg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Users\Admin\AppData\Local\Temp\342872c7a7e45650c3f94380fb9dd4d0_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nfkpdn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ofbfdmeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pabjem32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Coklgg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dqelenlc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Facdeo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bgknheej.exe | N/A |
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\Ddcdkl32.exe | C:\Windows\SysWOW64\Dnilobkm.exe | N/A |
| File created | C:\Windows\SysWOW64\Chcphm32.dll | C:\Windows\SysWOW64\Efncicpm.exe | N/A |
| File created | C:\Windows\SysWOW64\Nejeco32.dll | C:\Windows\SysWOW64\Cpjiajeb.exe | N/A |
| File created | C:\Windows\SysWOW64\Fglhobmg.dll | C:\Windows\SysWOW64\Dngoibmo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Facdeo32.exe | C:\Windows\SysWOW64\Fjilieka.exe | N/A |
| File created | C:\Windows\SysWOW64\Fealjk32.dll | C:\Windows\SysWOW64\Hahjpbad.exe | N/A |
| File created | C:\Windows\SysWOW64\Hpmgqnfl.exe | C:\Windows\SysWOW64\Hcifgjgc.exe | N/A |
| File created | C:\Windows\SysWOW64\Fmlapp32.exe | C:\Windows\SysWOW64\Feeiob32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fmlapp32.exe | C:\Windows\SysWOW64\Feeiob32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ocjcidbb.dll | C:\Windows\SysWOW64\Gpknlk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pjholl32.dll | C:\Windows\SysWOW64\Nfkpdn32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pmlkpjpj.exe | C:\Windows\SysWOW64\Oenifh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Feeiob32.exe | C:\Windows\SysWOW64\Ffbicfoc.exe | N/A |
| File created | C:\Windows\SysWOW64\Gicbeald.exe | C:\Windows\SysWOW64\Gegfdb32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ghkllmoi.exe | C:\Windows\SysWOW64\Gaqcoc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hlcgeo32.exe | C:\Windows\SysWOW64\Hiekid32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hpenlb32.dll | C:\Windows\SysWOW64\Cckace32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lopekk32.dll | C:\Windows\SysWOW64\Epfhbign.exe | N/A |
| File created | C:\Windows\SysWOW64\Facdeo32.exe | C:\Windows\SysWOW64\Fjilieka.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hcifgjgc.exe | C:\Windows\SysWOW64\Hahjpbad.exe | N/A |
| File created | C:\Windows\SysWOW64\Pijbfj32.exe | C:\Windows\SysWOW64\Pabjem32.exe | N/A |
| File created | C:\Windows\SysWOW64\Aiinen32.exe | C:\Windows\SysWOW64\Admemg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dqelenlc.exe | C:\Windows\SysWOW64\Dngoibmo.exe | N/A |
| File created | C:\Windows\SysWOW64\Enkece32.exe | C:\Windows\SysWOW64\Eecqjpee.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ffbicfoc.exe | C:\Windows\SysWOW64\Fddmgjpo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gegfdb32.exe | C:\Windows\SysWOW64\Gpknlk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bioggp32.dll | C:\Windows\SysWOW64\Ckdjbh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bnhgoq32.dll | C:\Windows\SysWOW64\Nfmmin32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pienahqb.dll | C:\Windows\SysWOW64\Admemg32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ckdjbh32.exe | C:\Windows\SysWOW64\Cciemedf.exe | N/A |
| File created | C:\Windows\SysWOW64\Pafagk32.dll | C:\Windows\SysWOW64\Dqlafm32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gobgcg32.exe | C:\Windows\SysWOW64\Gejcjbah.exe | N/A |
| File created | C:\Windows\SysWOW64\Kkfofpak.dll | C:\Windows\SysWOW64\Ppmdbe32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Aiedjneg.exe | C:\Windows\SysWOW64\Pijbfj32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dcknbh32.exe | C:\Windows\SysWOW64\Dqlafm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ejbfhfaj.exe | C:\Windows\SysWOW64\Eeempocb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fjilieka.exe | C:\Windows\SysWOW64\Fhkpmjln.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gpknlk32.exe | C:\Windows\SysWOW64\Fmlapp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lponfjoo.dll | C:\Windows\SysWOW64\Hhjhkq32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hlhaqogk.exe | C:\Windows\SysWOW64\Hjjddchg.exe | N/A |
| File created | C:\Windows\SysWOW64\Abmjii32.dll | C:\Windows\SysWOW64\Ofbfdmeb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Plfamfpm.exe | C:\Windows\SysWOW64\Ppmdbe32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dngoibmo.exe | C:\Windows\SysWOW64\Dflkdp32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Eflgccbp.exe | C:\Windows\SysWOW64\Eqonkmdh.exe | N/A |
| File created | C:\Windows\SysWOW64\Bcqgok32.dll | C:\Windows\SysWOW64\Feeiob32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gpknlk32.exe | C:\Windows\SysWOW64\Fmlapp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ambcae32.dll | C:\Windows\SysWOW64\Eeempocb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ilknfn32.exe | C:\Windows\SysWOW64\Iaeiieeb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ioijbj32.exe | C:\Windows\SysWOW64\Ilknfn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dflkdp32.exe | C:\Windows\SysWOW64\Cndbcc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dflkdp32.exe | C:\Windows\SysWOW64\Cndbcc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dqlafm32.exe | C:\Windows\SysWOW64\Ddeaalpg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ejbfhfaj.exe | C:\Windows\SysWOW64\Eeempocb.exe | N/A |
| File created | C:\Windows\SysWOW64\Flabbihl.exe | C:\Windows\SysWOW64\Fckjalhj.exe | N/A |
| File created | C:\Windows\SysWOW64\Goddhg32.exe | C:\Windows\SysWOW64\Ghkllmoi.exe | N/A |
| File created | C:\Windows\SysWOW64\Ebbjqa32.dll | C:\Windows\SysWOW64\Pabjem32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lbidmekh.dll | C:\Windows\SysWOW64\Eecqjpee.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gkkemh32.exe | C:\Windows\SysWOW64\Ghmiam32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gobgcg32.exe | C:\Windows\SysWOW64\Gejcjbah.exe | N/A |
| File created | C:\Windows\SysWOW64\Hjlobf32.dll | C:\Users\Admin\AppData\Local\Temp\342872c7a7e45650c3f94380fb9dd4d0_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Oqqapjnk.exe | C:\Windows\SysWOW64\Oojknblb.exe | N/A |
| File created | C:\Windows\SysWOW64\Kfqpfb32.dll | C:\Windows\SysWOW64\Pijbfj32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bgknheej.exe | C:\Windows\SysWOW64\Beehencq.exe | N/A |
| File created | C:\Windows\SysWOW64\Gkkgcp32.dll | C:\Windows\SysWOW64\Beehencq.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Iagfoe32.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ckdjbh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Eeempocb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kifjcn32.dll" | C:\Windows\SysWOW64\Ffbicfoc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Febhomkh.dll" | C:\Windows\SysWOW64\Goddhg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lponfjoo.dll" | C:\Windows\SysWOW64\Hhjhkq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbolpc32.dll" | C:\Windows\SysWOW64\Dflkdp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbepi32.dll" | C:\Windows\SysWOW64\Facdeo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jolfcj32.dll" | C:\Windows\SysWOW64\Aiedjneg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cnippoha.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Eflgccbp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhpdae32.dll" | C:\Windows\SysWOW64\Hpmgqnfl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gobgcg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hiqbndpb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hcplhi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Beehencq.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cngcjo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ddcdkl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dcknbh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnkajj32.dll" | C:\Windows\SysWOW64\Fhkpmjln.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ppmdbe32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Coklgg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abmjii32.dll" | C:\Windows\SysWOW64\Ofbfdmeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ofbfdmeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cpjiajeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hellne32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hcplhi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pmlkpjpj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdcec32.dll" | C:\Windows\SysWOW64\Cndbcc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajlppdeb.dll" | C:\Windows\SysWOW64\Fckjalhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjchc32.dll" | C:\Windows\SysWOW64\Fddmgjpo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aimkgn32.dll" | C:\Windows\SysWOW64\Gkkemh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\342872c7a7e45650c3f94380fb9dd4d0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcgeaj32.dll" | C:\Windows\SysWOW64\Pmlkpjpj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pijbfj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Eeempocb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cdakgibq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cckace32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlobf32.dll" | C:\Users\Admin\AppData\Local\Temp\342872c7a7e45650c3f94380fb9dd4d0_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Gaqcoc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmjdk32.dll" | C:\Windows\SysWOW64\Gmjaic32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hiqbndpb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hlhaqogk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cngcjo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lonkjenl.dll" | C:\Windows\SysWOW64\Enkece32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ejbfhfaj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Gkkemh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnijonn.dll" | C:\Windows\SysWOW64\Ilknfn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Nfmmin32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cnippoha.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dnilobkm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hahjpbad.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmibbifn.dll" | C:\Windows\SysWOW64\Hlhaqogk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Aiedjneg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dcknbh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Fmlapp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Goddhg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gmjaic32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Admemg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iiciogbn.dll" | C:\Windows\SysWOW64\Cngcjo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nfmmin32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ddeaalpg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hlhaqogk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ddcdkl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikkbnm32.dll" | C:\Windows\SysWOW64\Fjgoce32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\342872c7a7e45650c3f94380fb9dd4d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\342872c7a7e45650c3f94380fb9dd4d0_NeikiAnalytics.exe"
C:\Windows\SysWOW64\Nfkpdn32.exe
C:\Windows\system32\Nfkpdn32.exe
C:\Windows\SysWOW64\Nfmmin32.exe
C:\Windows\system32\Nfmmin32.exe
C:\Windows\SysWOW64\Ofbfdmeb.exe
C:\Windows\system32\Ofbfdmeb.exe
C:\Windows\SysWOW64\Oojknblb.exe
C:\Windows\system32\Oojknblb.exe
C:\Windows\SysWOW64\Oqqapjnk.exe
C:\Windows\system32\Oqqapjnk.exe
C:\Windows\SysWOW64\Oenifh32.exe
C:\Windows\system32\Oenifh32.exe
C:\Windows\SysWOW64\Pmlkpjpj.exe
C:\Windows\system32\Pmlkpjpj.exe
C:\Windows\SysWOW64\Ppmdbe32.exe
C:\Windows\system32\Ppmdbe32.exe
C:\Windows\SysWOW64\Plfamfpm.exe
C:\Windows\system32\Plfamfpm.exe
C:\Windows\SysWOW64\Pabjem32.exe
C:\Windows\system32\Pabjem32.exe
C:\Windows\SysWOW64\Pijbfj32.exe
C:\Windows\system32\Pijbfj32.exe
C:\Windows\SysWOW64\Aiedjneg.exe
C:\Windows\system32\Aiedjneg.exe
C:\Windows\SysWOW64\Admemg32.exe
C:\Windows\system32\Admemg32.exe
C:\Windows\SysWOW64\Aiinen32.exe
C:\Windows\system32\Aiinen32.exe
C:\Windows\SysWOW64\Bokphdld.exe
C:\Windows\system32\Bokphdld.exe
C:\Windows\SysWOW64\Beehencq.exe
C:\Windows\system32\Beehencq.exe
C:\Windows\SysWOW64\Bgknheej.exe
C:\Windows\system32\Bgknheej.exe
C:\Windows\SysWOW64\Bdooajdc.exe
C:\Windows\system32\Bdooajdc.exe
C:\Windows\SysWOW64\Cngcjo32.exe
C:\Windows\system32\Cngcjo32.exe
C:\Windows\SysWOW64\Cdakgibq.exe
C:\Windows\system32\Cdakgibq.exe
C:\Windows\SysWOW64\Cnippoha.exe
C:\Windows\system32\Cnippoha.exe
C:\Windows\SysWOW64\Coklgg32.exe
C:\Windows\system32\Coklgg32.exe
C:\Windows\SysWOW64\Cpjiajeb.exe
C:\Windows\system32\Cpjiajeb.exe
C:\Windows\SysWOW64\Cciemedf.exe
C:\Windows\system32\Cciemedf.exe
C:\Windows\SysWOW64\Ckdjbh32.exe
C:\Windows\system32\Ckdjbh32.exe
C:\Windows\SysWOW64\Cckace32.exe
C:\Windows\system32\Cckace32.exe
C:\Windows\SysWOW64\Cndbcc32.exe
C:\Windows\system32\Cndbcc32.exe
C:\Windows\SysWOW64\Dflkdp32.exe
C:\Windows\system32\Dflkdp32.exe
C:\Windows\SysWOW64\Dngoibmo.exe
C:\Windows\system32\Dngoibmo.exe
C:\Windows\SysWOW64\Dqelenlc.exe
C:\Windows\system32\Dqelenlc.exe
C:\Windows\SysWOW64\Dnilobkm.exe
C:\Windows\system32\Dnilobkm.exe
C:\Windows\SysWOW64\Ddcdkl32.exe
C:\Windows\system32\Ddcdkl32.exe
C:\Windows\SysWOW64\Dmoipopd.exe
C:\Windows\system32\Dmoipopd.exe
C:\Windows\SysWOW64\Ddeaalpg.exe
C:\Windows\system32\Ddeaalpg.exe
C:\Windows\SysWOW64\Dqlafm32.exe
C:\Windows\system32\Dqlafm32.exe
C:\Windows\SysWOW64\Dcknbh32.exe
C:\Windows\system32\Dcknbh32.exe
C:\Windows\SysWOW64\Eqonkmdh.exe
C:\Windows\system32\Eqonkmdh.exe
C:\Windows\SysWOW64\Eflgccbp.exe
C:\Windows\system32\Eflgccbp.exe
C:\Windows\SysWOW64\Epdkli32.exe
C:\Windows\system32\Epdkli32.exe
C:\Windows\SysWOW64\Efncicpm.exe
C:\Windows\system32\Efncicpm.exe
C:\Windows\SysWOW64\Epfhbign.exe
C:\Windows\system32\Epfhbign.exe
C:\Windows\SysWOW64\Eecqjpee.exe
C:\Windows\system32\Eecqjpee.exe
C:\Windows\SysWOW64\Enkece32.exe
C:\Windows\system32\Enkece32.exe
C:\Windows\SysWOW64\Eeempocb.exe
C:\Windows\system32\Eeempocb.exe
C:\Windows\SysWOW64\Ejbfhfaj.exe
C:\Windows\system32\Ejbfhfaj.exe
C:\Windows\SysWOW64\Fckjalhj.exe
C:\Windows\system32\Fckjalhj.exe
C:\Windows\SysWOW64\Flabbihl.exe
C:\Windows\system32\Flabbihl.exe
C:\Windows\SysWOW64\Fmcoja32.exe
C:\Windows\system32\Fmcoja32.exe
C:\Windows\SysWOW64\Fjgoce32.exe
C:\Windows\system32\Fjgoce32.exe
C:\Windows\SysWOW64\Fhkpmjln.exe
C:\Windows\system32\Fhkpmjln.exe
C:\Windows\SysWOW64\Fjilieka.exe
C:\Windows\system32\Fjilieka.exe
C:\Windows\SysWOW64\Facdeo32.exe
C:\Windows\system32\Facdeo32.exe
C:\Windows\SysWOW64\Fpfdalii.exe
C:\Windows\system32\Fpfdalii.exe
C:\Windows\SysWOW64\Fjlhneio.exe
C:\Windows\system32\Fjlhneio.exe
C:\Windows\SysWOW64\Fddmgjpo.exe
C:\Windows\system32\Fddmgjpo.exe
C:\Windows\SysWOW64\Ffbicfoc.exe
C:\Windows\system32\Ffbicfoc.exe
C:\Windows\SysWOW64\Feeiob32.exe
C:\Windows\system32\Feeiob32.exe
C:\Windows\SysWOW64\Fmlapp32.exe
C:\Windows\system32\Fmlapp32.exe
C:\Windows\SysWOW64\Gpknlk32.exe
C:\Windows\system32\Gpknlk32.exe
C:\Windows\SysWOW64\Gegfdb32.exe
C:\Windows\system32\Gegfdb32.exe
C:\Windows\SysWOW64\Gicbeald.exe
C:\Windows\system32\Gicbeald.exe
C:\Windows\SysWOW64\Gejcjbah.exe
C:\Windows\system32\Gejcjbah.exe
C:\Windows\SysWOW64\Gobgcg32.exe
C:\Windows\system32\Gobgcg32.exe
C:\Windows\SysWOW64\Gaqcoc32.exe
C:\Windows\system32\Gaqcoc32.exe
C:\Windows\SysWOW64\Ghkllmoi.exe
C:\Windows\system32\Ghkllmoi.exe
C:\Windows\SysWOW64\Goddhg32.exe
C:\Windows\system32\Goddhg32.exe
C:\Windows\SysWOW64\Gmgdddmq.exe
C:\Windows\system32\Gmgdddmq.exe
C:\Windows\SysWOW64\Ghmiam32.exe
C:\Windows\system32\Ghmiam32.exe
C:\Windows\SysWOW64\Gkkemh32.exe
C:\Windows\system32\Gkkemh32.exe
C:\Windows\SysWOW64\Gmjaic32.exe
C:\Windows\system32\Gmjaic32.exe
C:\Windows\SysWOW64\Gphmeo32.exe
C:\Windows\system32\Gphmeo32.exe
C:\Windows\SysWOW64\Hiqbndpb.exe
C:\Windows\system32\Hiqbndpb.exe
C:\Windows\SysWOW64\Hahjpbad.exe
C:\Windows\system32\Hahjpbad.exe
C:\Windows\SysWOW64\Hcifgjgc.exe
C:\Windows\system32\Hcifgjgc.exe
C:\Windows\SysWOW64\Hpmgqnfl.exe
C:\Windows\system32\Hpmgqnfl.exe
C:\Windows\SysWOW64\Hggomh32.exe
C:\Windows\system32\Hggomh32.exe
C:\Windows\SysWOW64\Hiekid32.exe
C:\Windows\system32\Hiekid32.exe
C:\Windows\SysWOW64\Hlcgeo32.exe
C:\Windows\system32\Hlcgeo32.exe
C:\Windows\SysWOW64\Hellne32.exe
C:\Windows\system32\Hellne32.exe
C:\Windows\SysWOW64\Hhjhkq32.exe
C:\Windows\system32\Hhjhkq32.exe
C:\Windows\SysWOW64\Hcplhi32.exe
C:\Windows\system32\Hcplhi32.exe
C:\Windows\SysWOW64\Hjjddchg.exe
C:\Windows\system32\Hjjddchg.exe
C:\Windows\SysWOW64\Hlhaqogk.exe
C:\Windows\system32\Hlhaqogk.exe
C:\Windows\SysWOW64\Iaeiieeb.exe
C:\Windows\system32\Iaeiieeb.exe
C:\Windows\SysWOW64\Ilknfn32.exe
C:\Windows\system32\Ilknfn32.exe
C:\Windows\SysWOW64\Ioijbj32.exe
C:\Windows\system32\Ioijbj32.exe
C:\Windows\SysWOW64\Iagfoe32.exe
C:\Windows\system32\Iagfoe32.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 140
Network
Files
memory/2980-0-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2980-6-0x0000000000250000-0x0000000000283000-memory.dmp
\Windows\SysWOW64\Nfkpdn32.exe
| MD5 | 8427659ea5f62869538a105b1a373b92 |
| SHA1 | 1312df87e866c43845c64074f16901f0cfa315de |
| SHA256 | df34f550f1f6f82558d2cbd6fd1f764a259cff7baeaf77c994023ddebb82a546 |
| SHA512 | df0144a8fb2d4ba92aafe8029bbb826e4a2068c564bb638623816c2a2502a04aaf7f6e1e166eded928584ddf86d0f40b4f3df197cf64fc190d9eb4eaa61eef4c |
\Windows\SysWOW64\Nfmmin32.exe
| MD5 | fd04d41a68f958ffae96cd6fdcfde225 |
| SHA1 | a9ed73f9296e947e18caf4ed8ea92b04244aa24b |
| SHA256 | 082a4e131073c49f4c887988547fe07717c985eff3631a42c0abfcc129498219 |
| SHA512 | daf4789142ff3230f5c7aa1b90c60dacf117839dfec9de6f48499a0cd0f48908d617f2e741c8c6784df21178ba51da3c5b6e74a5dbba2d3935b0a69d3607f840 |
memory/2108-26-0x0000000000400000-0x0000000000433000-memory.dmp
memory/544-20-0x0000000000250000-0x0000000000283000-memory.dmp
\Windows\SysWOW64\Ofbfdmeb.exe
| MD5 | fe4fb620a308840569ca57dc1b43d081 |
| SHA1 | f62f1e4ebc50d494fae23f50c38c69390eebc873 |
| SHA256 | b005d2a2eb0d145c876a68dac2bf9d1b1a1608823c003c87d4d6675f540d6984 |
| SHA512 | 85647da59746a26c64720c3f05223d48dbf2452140e6637594fde58db87e047b1788fa10fbd147eb7264be3adf2d13c11817443d84515156aa1aff0fbf2a5526 |
memory/2108-34-0x0000000000260000-0x0000000000293000-memory.dmp
memory/2736-45-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2636-53-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Oojknblb.exe
| MD5 | f1b02b0baf959904f28de04008261382 |
| SHA1 | 0a9919825a87476f7352a4237a95e2988cc131f1 |
| SHA256 | 2a3a97adfb216e098675bfeb896cd65a1edcd52a5192724232ea4d5dda153e97 |
| SHA512 | 620f7185d0590361c04bc0ccf01ede1e0ce6fc81916467689cbe19d12327f1109f3bba5d592defa5da811b1542edf22b0c1b53d3a2b66bf1df2cc1f6ef6efc69 |
\Windows\SysWOW64\Oqqapjnk.exe
| MD5 | a383c12d06a1793c3e35952ecbbbe1e5 |
| SHA1 | 4e481c17e58964aa77c22007af6c95ecb6127a2e |
| SHA256 | 47641d9304df93b7b3e7024a0c5f0f03c6c2453b1fcc8ed4f4abd25caa8201ac |
| SHA512 | 55e1994e5494285ae67ec61f209f6dd598945ac6aa97cf519402c05bc84a910f677c48399e75514ed9a58762b16cbaa6a16073c80f9433d52fc62fdb9a260f91 |
memory/2636-60-0x0000000000250000-0x0000000000283000-memory.dmp
\Windows\SysWOW64\Oenifh32.exe
| MD5 | 0052e8376cba2576ec108b292995fa53 |
| SHA1 | 77dd29a800892c0329d75877aa2c8d22bf195b26 |
| SHA256 | 3f958933d6cfc848481c2dac06d1180d3442d6c153b8792e47545cd9c2845361 |
| SHA512 | 46f54b970719bac62a3920492355586a7b93b2a197f3421f469f4f823e01af2de47b9ace2a1032da4e2ce67321a19cfd847a8c6ace448ee062ff067a71dfbe8f |
memory/1324-74-0x0000000000440000-0x0000000000473000-memory.dmp
memory/1324-80-0x0000000000440000-0x0000000000473000-memory.dmp
memory/2532-81-0x0000000000400000-0x0000000000433000-memory.dmp
\Windows\SysWOW64\Pmlkpjpj.exe
| MD5 | 06615681d30b7ddb52b2883335ab1dd5 |
| SHA1 | 6e838e5ddbe945c9133224d65a7c30ce5af29a1e |
| SHA256 | 437e2092e3115e97a616b2b5d627f91c5b3e96465c6b73f6e29bd080aea0ff7d |
| SHA512 | 03633e86537cfdc30badfb5ee29fd062de83370b274117f46766e9aed0a8e73c21f974295ab8a193b5bcec93e9f98e6bccc8e9741e959bd36c2f7c1ad82e16e6 |
memory/1756-95-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2532-94-0x0000000000290000-0x00000000002C3000-memory.dmp
C:\Windows\SysWOW64\Ppmdbe32.exe
| MD5 | e2099f0c121063ef693e70e31d51abd1 |
| SHA1 | 708b908ed4124f3d90b9a51ccc9d069aa8dc59eb |
| SHA256 | 7408bc4ec937841e459bf668751f899f4a6a239d2677ebf6a98bfa6b9874c509 |
| SHA512 | 94f080f1f821b7431a4be3376d4fd6d61d7e486f3b62ea8a27c61faddfa8d323830b201684bd5beb8f4af5dc8d7ba71f5048cc84be37e286e0f77a7ddd52ff45 |
memory/2868-109-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1756-108-0x0000000001F50000-0x0000000001F83000-memory.dmp
\Windows\SysWOW64\Plfamfpm.exe
| MD5 | a67330183a708089dd240d7fbab5d571 |
| SHA1 | 2830b06aa3eb4c9eda73e7d64f3f3b6253de59f7 |
| SHA256 | 2aeea0bf718eda48a20d85047472044084a5104b597adfa6f005ad747fe75fff |
| SHA512 | e2574ece65765895e6fcac58a94a674094d87c84c7bdf2fa4c24a4de884512d460258f9f69eea1006942104e8a3bfc06648b15d5083c69ba1b218b159635b273 |
memory/3048-123-0x0000000000400000-0x0000000000433000-memory.dmp
\Windows\SysWOW64\Pabjem32.exe
| MD5 | f4a82217c2a2794e4141c0ab59970735 |
| SHA1 | e49adf5f21ce7a080104b25ddebfbd19108114af |
| SHA256 | 21a92b5bf9f61802625bfd6138808ca69bf746f0bfd4cb0ce25b6976a2d09574 |
| SHA512 | 9e80741ec8a7e4d0a92577973dd4a17d2d94c64a2feee9a369cffafc2c615d6602b7037dbbdfb219b93716e5f2e8773d9138e021d019df51f02556affe6f4df7 |
memory/1668-138-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Pijbfj32.exe
| MD5 | cd7276b34b576c1e723f100955bb9b0f |
| SHA1 | d78fbf51ea77701d0ba7e3a28d60661227aa643e |
| SHA256 | 30a4f4e8d41b556e825af786700cfbf7d91705575fcb03495bbab33c8a31afc6 |
| SHA512 | 82faf21906dab2cdfc1beb1f882082e60f6eecbd41e35b4aaed15de7429f6058dd8d7466969f35e0986c20e1ca2e710713a2e0dfe52b8c0420a32fda875c1124 |
memory/2904-151-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1668-150-0x0000000000280000-0x00000000002B3000-memory.dmp
memory/3048-137-0x0000000000250000-0x0000000000283000-memory.dmp
memory/3048-136-0x0000000000250000-0x0000000000283000-memory.dmp
\Windows\SysWOW64\Aiedjneg.exe
| MD5 | a1ff4137bdbd8d36f4988bf2e1ca080c |
| SHA1 | 4f330ebcc71df6b51012149babd9347427d78d84 |
| SHA256 | 8dcac14f1e111a60f551b744b9006c3ce5d5e72b6641ab21e906ad7e5d45345f |
| SHA512 | 8e5eb55446d46045f7e3cbdc5e05cc333e4e80b8f2ff4f2b9d10f8d529ab0652a3c763e74f20ca7086b5473c4db65477cbf341917bd6f1d0d4899628c92143ab |
memory/1632-164-0x0000000000400000-0x0000000000433000-memory.dmp
\Windows\SysWOW64\Admemg32.exe
| MD5 | 80330b5ff311016306ce4d82b3891c66 |
| SHA1 | b25964dab8e3c8e861f13980bb1d3392066cefee |
| SHA256 | 5df714c1bf9d8bb448d318cc8f634219fdaa51a7708a7339bd471a6b5aca168a |
| SHA512 | 175b05905374621198d54dc9c71c672afb6a29d01ae88f620cb9526ff9d0d1a66bb390aac613871aee690bc5845620e91ba348626e646dbf29bae4ec2e9283ba |
memory/2116-178-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2500-190-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Aiinen32.exe
| MD5 | 29ae90038fc7059f16537a8822cab0fd |
| SHA1 | cc23d612fdc7b53092e03c26c7816b639bb290ab |
| SHA256 | 8d8c510f2db627da9a2c20a95af1b3d489dac75eb99cd3a2f4e9149db6a04805 |
| SHA512 | 186b79f16a455a4517d173a85b9ad95253de5aa181cb4aa44483b186e7dfea6d928ab18c0eadc54834a718f4e0fb91c68e5338fa43c9cfe83fece3614e2a02b1 |
\Windows\SysWOW64\Bokphdld.exe
| MD5 | 7774605da66f56c17290fdfafc093852 |
| SHA1 | ffaa239227809adae59ef61b8fea8bd8b255d707 |
| SHA256 | 81dffea54bbcfcac44cb950f0c6bf49d855334217104114c371b4b5007353818 |
| SHA512 | 990642f948766d7ae154b8bfb66dddf42a4a4ffa5e827fdb506022c465aa1fffa2dd1bc192ff3e79a5d4c49a40c57e9e575b4fbda5bd9da8d96acce1ab6e5755 |
C:\Windows\SysWOW64\Beehencq.exe
| MD5 | cf3e7a3005a58c1b1be8d2a7ffd4ef18 |
| SHA1 | 55ac98368b448ffaba3c487134d475a624e9a360 |
| SHA256 | bd9831bce45a443e874f0af9da744721aad761df2d33cd34bf1e7acbcbaafa9d |
| SHA512 | 30af654ada09558af166592fbf379948c85694ce916327958cd2112ba779875d6eda1b97f7bfd811c51ae7afb7bd5685980165cca39d5799619551577c075198 |
memory/2500-215-0x0000000000260000-0x0000000000293000-memory.dmp
memory/320-221-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2848-216-0x0000000000400000-0x0000000000433000-memory.dmp
memory/320-227-0x0000000000290000-0x00000000002C3000-memory.dmp
C:\Windows\SysWOW64\Bgknheej.exe
| MD5 | 6ba261ad06e2b352e16db99fdf29694e |
| SHA1 | e4f4bc443bb01f679ce236848c15f760b94dc0d7 |
| SHA256 | bd36f6fa3194678e4187269e8e6c4d774bfa345d8b2e2b78add35848f48749db |
| SHA512 | 2916d843992f14d78678056b3b2b7efe7858e32c85334634d7b6c67b2534488ae651fee20faba1cf04a6f2444c52bc31660a0cbb9b48adeeac589f38747e664b |
memory/948-228-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Bdooajdc.exe
| MD5 | 03f6434f52bd278aa5d7f0bae4937dd6 |
| SHA1 | 2676049ca94936bdb2f21e7ac6da11d2f20f3c6f |
| SHA256 | 32b0658df5f15dd7e94080519f589ecc6b594f72d7c391941c403338069ea1cb |
| SHA512 | 4e06884fbfd22d16f79f6d45f4572a1982d9d863f4c4236b3dbeb88a3d7fced857e29719e5d6e94c54974d8763adb797edb4f9fff2a84a7394de4af46ad4607f |
memory/2360-237-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Cngcjo32.exe
| MD5 | c8f46a91bad2ddd835887893dae1af71 |
| SHA1 | a1a6e295591b6969a7ce253583e8f3eed42db7cf |
| SHA256 | d9532ff6d1ebacf3f8c8f03bd1a2182e35408fdf5ee183b8d7251543d77b83bc |
| SHA512 | ee3af5ca279a33a28e511c617e32156d872503a5bec798a202abca76779b1c0a8e98f54683863b6acd18a4bd3bf79783d6df48b27a0477c933a7e273d153b23a |
memory/2360-243-0x0000000000250000-0x0000000000283000-memory.dmp
memory/2344-247-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Cdakgibq.exe
| MD5 | cce35911923dd64cc0cd7ce902e1863d |
| SHA1 | 65cba7fa502e5f5f7c59e3c26a24a0eff2b678ab |
| SHA256 | b16330408d928b726f63dc56421874b0465f4f02faa2e6ca1767570f93f49e8c |
| SHA512 | d96dc98d4fdd252052785aba757bd18c0fd3a5a922802bea7e924d6791ca4825cf54b75b34df25ee1e794b03954ddbfaa3efd1f45898a6ebcdd8c13d170da9cc |
memory/1084-256-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Cnippoha.exe
| MD5 | d16eea82420920cd4b18006d1720dd89 |
| SHA1 | e7ccad734251bda6ef4ee4d3f08b531201c25a8c |
| SHA256 | 4a657a58e2d0a541d3ef2e8bbe5c0b534cf72eaf5881b7a52db3a107d4c81eec |
| SHA512 | f48234232a53b05ff6527b75463bdf1ab97f48cc6775fe2b7069c3ea0d4c71a5919790fc14e4aa688d3c94cce00bcc47ae033c1200c07ce0188f3f134aeeebfb |
memory/1544-269-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1856-275-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1544-274-0x0000000000250000-0x0000000000283000-memory.dmp
C:\Windows\SysWOW64\Coklgg32.exe
| MD5 | 34f8d2b19cf9051f82a1d856bf77182d |
| SHA1 | 742f67a7729d75e80b8063ba6c3d4cc78d2a3e36 |
| SHA256 | d40de5540c799d0344950e95c8b7f6f52c31664ea0c34ef067aa67db585aa164 |
| SHA512 | 8e6341750aa841d4d1938109b25702d1b5fd53cffd832f47c2311c66b714c6d27a6d7418d64249ed6227341b7dd755280cc63c85d82dce88d311ab6539d01a58 |
C:\Windows\SysWOW64\Cpjiajeb.exe
| MD5 | 33cd5a5bc2c7559ee014ffb0fea055ee |
| SHA1 | 7d30e441d8cc5da082e30cf9135d36a330343d2b |
| SHA256 | b6906812f15c7703959bccd711d67f321309a885bc689a706cb6733d8867681b |
| SHA512 | b9271275fa3ba7199f2813608abb3e80e17d4f9f5b7594198005945fc4c5d0659b4bef405fd9aca93dd455d437c409550a06f46562eadc82f193397e87bc39ac |
memory/904-288-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Cciemedf.exe
| MD5 | 59a8e17e1858905e67a89180fb189a24 |
| SHA1 | 9acba5fd6999cc0a23db0a3fe189bb625c6c14de |
| SHA256 | 9591aacb42c017d46e0d86b0f60cebd496c44b0bfb52c190767417cf57fa3004 |
| SHA512 | 31d24406e5b7953d5ab7f84d8cf428224785cc1f16afa785c44068673206ac8b74f813a9396dceae62a25a8146e6af3f8f01872a56816dfbac96d3d7adc48fe8 |
memory/904-290-0x0000000000250000-0x0000000000283000-memory.dmp
memory/904-294-0x0000000000250000-0x0000000000283000-memory.dmp
memory/2932-295-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Ckdjbh32.exe
| MD5 | a49ed2b8c87adae19e38cc911b71fef9 |
| SHA1 | 8161c23085c5208446dae11e0052943c3457f419 |
| SHA256 | 86293cb613bcaf857ff428edd01ee4e4b83538c8636dcb5a9cf841728cd5ab7b |
| SHA512 | 345a5692e40ddf0b745e743947ede20ea385a981c49dbb7abcb1f8995a1a9180c29d7facca16f2b89b28f45e210420510f1f4b8832444389a86df2cdf6f58436 |
memory/836-306-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2932-305-0x0000000000250000-0x0000000000283000-memory.dmp
memory/2932-304-0x0000000000250000-0x0000000000283000-memory.dmp
memory/836-316-0x00000000002F0000-0x0000000000323000-memory.dmp
memory/1384-317-0x0000000000400000-0x0000000000433000-memory.dmp
memory/836-315-0x00000000002F0000-0x0000000000323000-memory.dmp
C:\Windows\SysWOW64\Cckace32.exe
| MD5 | f9aa463c6fa77125be1650b893293b4a |
| SHA1 | df3c099e7189479fe02e66003fac4717a69ab2d5 |
| SHA256 | 954abcd7a44c05085e9c3473f962eda75dbb9f5fa49acfcc1bf670cec9ae63bf |
| SHA512 | c3f833284081e3e41bb2e3a012aa9ce0011d225bd21ce89d8a4cd27729961f63fe61034843d8bd617c7eeb89e2a1fc19bf8de0ea3ea2775d8f194dcd31fceb07 |
C:\Windows\SysWOW64\Cndbcc32.exe
| MD5 | 5c53e7a9206cf36fef1e3a999117d17d |
| SHA1 | 1156de80972b0e8435f3fb006eee40a2eb1828da |
| SHA256 | 9bc0229625947110773856507392d62a685ecfc9a75cf76115022f6a22849d7f |
| SHA512 | 0bf0e9990d8d1d3170c3127584181e1d3571a9eada8902f0f772404453a6437fe3f66e47d71875c67aea7afd6ec859e2cc3787facee7e6685cffe3fa9143847e |
memory/1984-330-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1384-329-0x00000000002D0000-0x0000000000303000-memory.dmp
memory/1984-336-0x0000000000250000-0x0000000000283000-memory.dmp
C:\Windows\SysWOW64\Dflkdp32.exe
| MD5 | 65adf440125a721128496b4a68f89d6f |
| SHA1 | eb1905384a2c68c3540387eb663d08dff06d65c3 |
| SHA256 | e8a5a515fdb39592e7d12f09c17588af861f0bca7e244ec0d6967f758eb16c62 |
| SHA512 | f2dfc0cb3130b734abd0843000b60820d52c9a3544bf1cc7624c742e6faf319c4c05f149e8c8569f50c89376e465704753dcc9f6235983ee7b0e9cbab21ed397 |
memory/1720-337-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Dngoibmo.exe
| MD5 | bc0485b8db913b99b5868344899a8f69 |
| SHA1 | c87b46cd2dbcd25b764b4aa2a02f96236039122a |
| SHA256 | 0bc63e225a5bc6aee75eab7a56cb193799b894b37790d0e00fda0fb4e1e29deb |
| SHA512 | 757291e2ab6fbfa352f3b91e68f919ef2eac2954107004c75611e2e4a1ba298cebba25ff035e5fe1ec24550579b83f5c2ad9d1268e1823515621eff8d8ea6268 |
memory/2288-352-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1720-351-0x0000000000440000-0x0000000000473000-memory.dmp
memory/1720-350-0x0000000000440000-0x0000000000473000-memory.dmp
C:\Windows\SysWOW64\Dqelenlc.exe
| MD5 | deb9b600448ca297162701e03d54960f |
| SHA1 | b1611160ac3467ce28cf90aa599d99aa9f7f0ff1 |
| SHA256 | a18262876d26b105e1823bea2cffe49fadf680c84a6202b9393fbfa2fe22a73e |
| SHA512 | cdd12dabf5cfb269d51aa326dc495f0e8c059b38f10f8908aa5428e8d48ed10a0cb4dc30f98c966413f7f2a953351c323fe4ec6c8e8aa133d71b827b082cd9a2 |
memory/2100-359-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2288-358-0x0000000000440000-0x0000000000473000-memory.dmp
memory/2288-357-0x0000000000440000-0x0000000000473000-memory.dmp
C:\Windows\SysWOW64\Dnilobkm.exe
| MD5 | 611b93aee378d1106a79477cc191ba61 |
| SHA1 | 77e103a209fc9146ca8c9a0f2e9bdc6676ffb681 |
| SHA256 | 743e37c9ef7563a2e0700b089c7a1dacbcd55611817803e99182f79694d59761 |
| SHA512 | d53cd4069fb7e9c7a6f20141b1296c08714d93f2ef140535a6678483225b7b2099d7cafe00fbc39db72d14aeb5ebf0838787ae560f5f9bfafb88cf80002f3d9d |
memory/2664-373-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2100-372-0x00000000002D0000-0x0000000000303000-memory.dmp
C:\Windows\SysWOW64\Ddcdkl32.exe
| MD5 | c7312777ec5ab3d22c14c5590aefd938 |
| SHA1 | 92515ac03d6e20f37384dfb27993ce4ea1359c72 |
| SHA256 | 5b76919d55f121c7b8d903a8d4e38f019636f49c3d4270a4e097a6f49ddea879 |
| SHA512 | ded5f6c38d873cfce20318b6ed92279d048f3956f327e5b6f01074c2772a67c05a527d9709101f84c8ebef6ea7f16c88336496f9960d6495588c4a414cc88278 |
memory/2652-380-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2664-379-0x0000000000440000-0x0000000000473000-memory.dmp
memory/2664-378-0x0000000000440000-0x0000000000473000-memory.dmp
memory/2652-390-0x0000000000250000-0x0000000000283000-memory.dmp
memory/2652-389-0x0000000000250000-0x0000000000283000-memory.dmp
C:\Windows\SysWOW64\Dmoipopd.exe
| MD5 | 8eda2c7979a3c5885f2f622b2aeb4818 |
| SHA1 | fd12acf388d6337042b1cf100a5353d0367d7058 |
| SHA256 | a3cf8fd3461c82d50d2a71b138e2b5ac7adab11287e062279e64029d7fc8bce1 |
| SHA512 | 866c237af709d361bbdaf88a7e1701e12a3bf57f1d699fcecb73f70143cdc3cdd0f1e3e519028154ec5506259c6f44399b2474bbbcd8c29a34ad85926e6227ae |
memory/2640-401-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2692-400-0x0000000000290000-0x00000000002C3000-memory.dmp
C:\Windows\SysWOW64\Ddeaalpg.exe
| MD5 | 9e6bec7f769aaf9a2f897accdf49872b |
| SHA1 | 1a8c72944131730a84246bde28d62ec2c5fa21bf |
| SHA256 | a6ff91ba14403082892af0245d1f98e7be852923cc23eea4a82a044258dcdb0c |
| SHA512 | d787e653ab60c785454ce4522736123c8fb339478ffa8b6d577c8c4aab62108d9b05e01de2f6ddace4a4c2b32aa2bf726f02852905ff5fa070ee31898d12e35c |
memory/2692-395-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Dqlafm32.exe
| MD5 | e54cb6adfe9d4d09ffb791749cabf426 |
| SHA1 | bd3961b5fecaeeefc874a07d6558c754266b08d3 |
| SHA256 | d1ac40aee8cd92006338669211d7c71854bf795b9faf6d76591c02b0628343a8 |
| SHA512 | 632b7ddbb96bee465e51d12a76822cae7140a5cb6edc8dd846f97cc14919d02d6797fbc7c9f2176e34f6cf7fd9ca3e296e0a880db2e3876805bad33ed4c050a6 |
memory/2640-411-0x00000000002D0000-0x0000000000303000-memory.dmp
memory/2640-410-0x00000000002D0000-0x0000000000303000-memory.dmp
memory/3016-412-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2852-423-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3016-422-0x0000000000250000-0x0000000000283000-memory.dmp
memory/3016-421-0x0000000000250000-0x0000000000283000-memory.dmp
C:\Windows\SysWOW64\Dcknbh32.exe
| MD5 | c8bf926f703c0ca6ac210ef8ea1861ce |
| SHA1 | b2a0a1f03f7cba71b75572f8a168622340943727 |
| SHA256 | 138eeed89f4f57d20241ae2408f9419c4458a24c5fea7a93433217d45e7cd8ee |
| SHA512 | 6e7d470481aff8ac0035af66e3fad0a4e65f6e267e5ea2b269279732387fe88c72012cfed55ced7d0ad82febea982694f5b4728a4692cb064df2f4cdbfbc78ba |
memory/2852-429-0x0000000000250000-0x0000000000283000-memory.dmp
C:\Windows\SysWOW64\Eqonkmdh.exe
| MD5 | 5885e0eb7aaf0cd6443eac0fa41aa099 |
| SHA1 | e92e8bb71a2dea19b59c2f87bf88d1dcc6532c5e |
| SHA256 | f0581bb071d103cd4db7f4a589c295b0b80710bad05e9e0391ed4905b2e45406 |
| SHA512 | 8ad5f405e8e06d36a18c96687e121d4bb5072d7c7c23b768b9f576d557d9cd4c9c2f80562406d707b820774e40d48d4a81471b411f631cc792351d4d09c08f9e |
memory/1448-444-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3036-443-0x0000000000250000-0x0000000000283000-memory.dmp
C:\Windows\SysWOW64\Eflgccbp.exe
| MD5 | ce2d228fd4bf27d04cef1b5cac849c8e |
| SHA1 | 9e3ddba176488bd0b88027a3692cdbbce5a20c78 |
| SHA256 | 5616210460420b6f35ff02a741d8c99e286089e9e5159c4ab47ea5874900b439 |
| SHA512 | d1302c8c662d67b1fa1570b020b184aa773ebb106f446ccb30ff95c03ee62f9f33eb2638a9c8145595a903d62d43a11765f04ba504dd2a4e66df15f953f020d6 |
memory/3036-439-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2852-438-0x0000000000250000-0x0000000000283000-memory.dmp
memory/1448-450-0x0000000000250000-0x0000000000283000-memory.dmp
C:\Windows\SysWOW64\Epdkli32.exe
| MD5 | 7fe476cb25187cc5a73735cac8ca7273 |
| SHA1 | fbbae033c20c8a4b046462d10c06cb471b415339 |
| SHA256 | f07071b73731b9d4bf684b9584d146af30e8e2110f4271842a0b9ea80f6aa138 |
| SHA512 | ff7c9e38d9e7f3e075f56f7f8c3ae2992caaf55aa242982a278df29fdbf0c06b160e4f9d113ed3a8389ea378ccfc41dbc524630f574c32adaadd6004b5f9ff9d |
memory/1448-454-0x0000000000250000-0x0000000000283000-memory.dmp
memory/808-460-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Efncicpm.exe
| MD5 | e8bbc399891d24b3b24166bfb610657e |
| SHA1 | 53e2ed6f4c1afcb79ec6181b1328892935f5c0a3 |
| SHA256 | fa8563fac8711c896bac898bb26305308e59d676a2758d37793ae85fb6e8e5a1 |
| SHA512 | ab03da34485e3e1f97d22ffc168d4045aff975b273896729ffa46d9d7ad667cc5ad2446eb71cff89ac525cd615b2de445b9cd4aea0ae1e54a97516b02bc95e13 |
memory/808-464-0x00000000002F0000-0x0000000000323000-memory.dmp
memory/2896-466-0x0000000000400000-0x0000000000433000-memory.dmp
memory/808-465-0x00000000002F0000-0x0000000000323000-memory.dmp
C:\Windows\SysWOW64\Epfhbign.exe
| MD5 | 65554c10107b57b6abb70db74b67ff3b |
| SHA1 | 05d1e671fc1e5fe51ea1eb4c44a0efb5a75f1616 |
| SHA256 | c698c42088e369cf4cbe55edde00f6c5ab4788cd5f7e0370a49d8ee2be2b478d |
| SHA512 | 03fc32d433bf5d8c871996f788432ae07cac07043b7c645254b0e4f664d663f3ae994909591c1d01ef39936a5b6c12df86a882b3bb8946f9dbc1d6789d78d770 |
memory/2896-476-0x0000000000250000-0x0000000000283000-memory.dmp
memory/2896-475-0x0000000000250000-0x0000000000283000-memory.dmp
memory/1248-480-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Eecqjpee.exe
| MD5 | 35bed1f01d208ad5ae95828fb7b1e758 |
| SHA1 | 2258fe93cf98f8f868723ed09adb3d4ff5d8405a |
| SHA256 | a4df095f83b15f2aa86397f2375f179f98bf00b5fdfe9dd37187ae94154bbab0 |
| SHA512 | f242a8d369e0d62d5b2007f264a297dfb2426c86e07568f256ca3e37e6c9bb2317f72112eda2720a8d897dc732217e2dad15a0239676c9b87e944d28e9867c8c |
memory/1748-488-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1248-487-0x0000000000440000-0x0000000000473000-memory.dmp
memory/1248-486-0x0000000000440000-0x0000000000473000-memory.dmp
memory/1748-498-0x0000000000250000-0x0000000000283000-memory.dmp
memory/1748-497-0x0000000000250000-0x0000000000283000-memory.dmp
C:\Windows\SysWOW64\Enkece32.exe
| MD5 | 19fc13773f58a5b1838da04638302109 |
| SHA1 | 7356acbea8531e8527692870254592ac3ff5e215 |
| SHA256 | ad8d84af8f88dafd5516ada1b54c085574cb9218ced682de8d76748539534883 |
| SHA512 | ae6d79f00deb7f31c78a5040225f30367a019c6322ba597a0224409c6192aec68bfbef511462ce447aa942d74aca1f1560cd85349823856c60f893b6c1a85d18 |
memory/1972-502-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Eeempocb.exe
| MD5 | 9c4b800396aa6d20ec2677ed1620f713 |
| SHA1 | 3d02f119128c4230a26d8e5dfec3aa1de1a2a652 |
| SHA256 | e1c30d71a31813ce876c12520ac9e5a752798e4c1b5f387ccc1291917882099a |
| SHA512 | 4a46e144a9f011e3c3bf42b21285d7c6c1bb13385ce848225a6fbcecd49ca9637b2c98b44c06d830b3258ab634c27cb7dbc5625c3018825e55372cfea00f0ce7 |
memory/592-510-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1972-509-0x00000000002D0000-0x0000000000303000-memory.dmp
memory/2980-508-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Ejbfhfaj.exe
| MD5 | 71503547714ec079d3dc04396b954cd7 |
| SHA1 | ce7219c82d55938389944a38b2d0ae6d44a863a1 |
| SHA256 | 0ec5e779453375c21cc7011498149f69d5d6a2d62ab4bf48ad2a1d2eb4ec1373 |
| SHA512 | df6e9758f92dfa16c11c2195fe03d483977da8757d4a14877a8baee7ff2e9b5672fe4246d4fa796b430e2a0a0d38b52bc6260c79157d7ad795aa9f69390410d1 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-02 04:08
Reported
2024-06-02 04:11
Platform
win10v2004-20240426-en
Max time kernel
93s
Max time network
123s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kgphpo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kpjjod32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lcmofolg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lilanioo.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mciobn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jangmibi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Imgkql32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Liekmj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nceonl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fflaff32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Icgqggce.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mncmjfmk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jdhine32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jfffjqdf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jbocea32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kphmie32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nqfbaq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ndghmo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hmklen32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jaedgjjd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jagqlj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fmapha32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gmoliohh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nacbfdao.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ngedij32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hboagf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jmkdlkph.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kmlnbi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lpfijcfl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ncldnkae.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fflaff32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kpccnefa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kphmie32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mcklgm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mdpalp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nqmhbpba.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hjmoibog.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lgikfn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lcbiao32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mkpgck32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mjhqjg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gcidfi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gjclbc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hmdedo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Laciofpa.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mjqjih32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nddkgonp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nqmhbpba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gmhfhp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hpihai32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ijaida32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mciobn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mkpgck32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mkbchk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nkncdifl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jkdnpo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mjcgohig.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Njljefql.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Habnjm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kbapjafe.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ljnnch32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lphfpbdi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Njljefql.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Users\Admin\AppData\Local\Temp\342872c7a7e45650c3f94380fb9dd4d0_NeikiAnalytics.exe | N/A |
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Mcnhmm32.exe | C:\Windows\SysWOW64\Mdkhapfj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ijfboafl.exe | C:\Windows\SysWOW64\Ifjfnb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kmegbjgn.exe | C:\Windows\SysWOW64\Jiikak32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bpcbnd32.dll | C:\Windows\SysWOW64\Kkpnlm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nngcpm32.dll | C:\Windows\SysWOW64\Lkgdml32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gbjhlfhb.exe | C:\Windows\SysWOW64\Gcggpj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lgabcngj.dll | C:\Windows\SysWOW64\Hboagf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hcqjfh32.exe | C:\Windows\SysWOW64\Habnjm32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jfdida32.exe | C:\Windows\SysWOW64\Jagqlj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kbfiep32.exe | C:\Windows\SysWOW64\Kphmie32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pipagf32.dll | C:\Windows\SysWOW64\Kdhbec32.exe | N/A |
| File created | C:\Windows\SysWOW64\Oaehlf32.dll | C:\Windows\SysWOW64\Mcpebmkb.exe | N/A |
| File created | C:\Windows\SysWOW64\Paadnmaq.dll | C:\Windows\SysWOW64\Ndghmo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gimjhafg.exe | C:\Windows\SysWOW64\Gfnnlffc.exe | N/A |
| File created | C:\Windows\SysWOW64\Jkageheh.dll | C:\Windows\SysWOW64\Hadkpm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hfkkgo32.dll | C:\Windows\SysWOW64\Ifopiajn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lgpagm32.exe | C:\Windows\SysWOW64\Lpfijcfl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Njljefql.exe | C:\Windows\SysWOW64\Mgnnhk32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ngedij32.exe | C:\Windows\SysWOW64\Ndghmo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dngdgf32.dll | C:\Windows\SysWOW64\Lpappc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lphfpbdi.exe | C:\Windows\SysWOW64\Laefdf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ekipni32.dll | C:\Windows\SysWOW64\Mglack32.exe | N/A |
| File created | C:\Windows\SysWOW64\Adijolgl.dll | C:\Windows\SysWOW64\Gpnhekgl.exe | N/A |
| File created | C:\Windows\SysWOW64\Jaljgidl.exe | C:\Windows\SysWOW64\Jidbflcj.exe | N/A |
| File created | C:\Windows\SysWOW64\Gncoccha.dll | C:\Windows\SysWOW64\Kmjqmi32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kbfiep32.exe | C:\Windows\SysWOW64\Kphmie32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nqmhbpba.exe | C:\Windows\SysWOW64\Nnolfdcn.exe | N/A |
| File created | C:\Windows\SysWOW64\Gmhfhp32.exe | C:\Windows\SysWOW64\Gimjhafg.exe | N/A |
| File created | C:\Windows\SysWOW64\Laefdf32.exe | C:\Windows\SysWOW64\Ljnnch32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mjhqjg32.exe | C:\Windows\SysWOW64\Mcnhmm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pipfna32.dll | C:\Windows\SysWOW64\Nddkgonp.exe | N/A |
| File created | C:\Windows\SysWOW64\Lcmofolg.exe | C:\Windows\SysWOW64\Lpocjdld.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ndghmo32.exe | C:\Windows\SysWOW64\Nbhkac32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gcidfi32.exe | C:\Windows\SysWOW64\Gpnhekgl.exe | N/A |
| File created | C:\Windows\SysWOW64\Iffmccbi.exe | C:\Windows\SysWOW64\Icgqggce.exe | N/A |
| File created | C:\Windows\SysWOW64\Aqnhjk32.dll | C:\Windows\SysWOW64\Iakaql32.exe | N/A |
| File created | C:\Windows\SysWOW64\Milgab32.dll | C:\Windows\SysWOW64\Kbfiep32.exe | N/A |
| File created | C:\Windows\SysWOW64\Imppcc32.dll | C:\Windows\SysWOW64\Kgfoan32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lpfijcfl.exe | C:\Windows\SysWOW64\Laciofpa.exe | N/A |
| File created | C:\Windows\SysWOW64\Gbledndp.dll | C:\Windows\SysWOW64\Iinlemia.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ijhodq32.exe | C:\Windows\SysWOW64\Iiibkn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mnfipekh.exe | C:\Windows\SysWOW64\Mkgmcjld.exe | N/A |
| File created | C:\Windows\SysWOW64\Hibljoco.exe | C:\Windows\SysWOW64\Hjolnb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kmjqmi32.exe | C:\Windows\SysWOW64\Kkkdan32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kcifkp32.exe | C:\Windows\SysWOW64\Kdffocib.exe | N/A |
| File created | C:\Windows\SysWOW64\Gcgqhjop.dll | C:\Windows\SysWOW64\Lgikfn32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ibccic32.exe | C:\Windows\SysWOW64\Ipegmg32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jigollag.exe | C:\Windows\SysWOW64\Jkdnpo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ncgkcl32.exe | C:\Windows\SysWOW64\Nddkgonp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hcqjfh32.exe | C:\Windows\SysWOW64\Habnjm32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kgphpo32.exe | C:\Windows\SysWOW64\Kbdmpqcb.exe | N/A |
| File created | C:\Windows\SysWOW64\Kphmie32.exe | C:\Windows\SysWOW64\Kaemnhla.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lmccchkn.exe | C:\Windows\SysWOW64\Liggbi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Laciofpa.exe | C:\Windows\SysWOW64\Lilanioo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mdkhapfj.exe | C:\Windows\SysWOW64\Mnapdf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ebkdha32.dll | C:\Windows\SysWOW64\Iiibkn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hjobcj32.dll | C:\Windows\SysWOW64\Jbfpobpb.exe | N/A |
| File created | C:\Windows\SysWOW64\Jagqlj32.exe | C:\Windows\SysWOW64\Jmkdlkph.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kmegbjgn.exe | C:\Windows\SysWOW64\Jiikak32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kgfoan32.exe | C:\Windows\SysWOW64\Kdhbec32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nddkgonp.exe | C:\Windows\SysWOW64\Nafokcol.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ngcgcjnc.exe | C:\Windows\SysWOW64\Ncgkcl32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fcnejk32.exe | C:\Windows\SysWOW64\Ffjdqg32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hibljoco.exe | C:\Windows\SysWOW64\Hjolnb32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Nkcmohbg.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Habnjm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Iakaql32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll" | C:\Windows\SysWOW64\Lilanioo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | C:\Users\Admin\AppData\Local\Temp\342872c7a7e45650c3f94380fb9dd4d0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngiehn32.dll" | C:\Windows\SysWOW64\Gfnnlffc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgab32.dll" | C:\Windows\SysWOW64\Kbfiep32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll" | C:\Windows\SysWOW64\Lkiqbl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Maaepd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gfnnlffc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Imgkql32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll" | C:\Windows\SysWOW64\Lpocjdld.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll" | C:\Windows\SysWOW64\Nnolfdcn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekppcpp.dll" | C:\Windows\SysWOW64\Hmmhjm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ipldfi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppaheqp.dll" | C:\Windows\SysWOW64\Jigollag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Icljbg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jpojcf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll" | C:\Windows\SysWOW64\Liggbi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mgnnhk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hpihai32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncoccha.dll" | C:\Windows\SysWOW64\Kmjqmi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ipegmg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Iinlemia.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lnepih32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Laefdf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hbhdmd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlilmlna.dll" | C:\Windows\SysWOW64\Iannfk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jpaghf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mglack32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Nklfoi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ncgkcl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ndghmo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hadkpm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Iakaql32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mnfipekh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gmhfhp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kkkdan32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kpjjod32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdmn32.dll" | C:\Windows\SysWOW64\Kajfig32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll" | C:\Windows\SysWOW64\Mgnnhk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honckk32.dll" | C:\Windows\SysWOW64\Hmfbjnbp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kmegbjgn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Njacpf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kknafn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nceonl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqnhjk32.dll" | C:\Windows\SysWOW64\Iakaql32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honcnp32.dll" | C:\Windows\SysWOW64\Jfffjqdf.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mpkbebbf.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Fmapha32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opocad32.dll" | C:\Windows\SysWOW64\Hibljoco.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll" | C:\Windows\SysWOW64\Nddkgonp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dendnoah.dll" | C:\Windows\SysWOW64\Ipqnahgf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeiooj32.dll" | C:\Windows\SysWOW64\Jpojcf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Icgqggce.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ifjfnb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jagqlj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kmlnbi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll" | C:\Windows\SysWOW64\Mnapdf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Njljefql.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emhmioko.dll" | C:\Windows\SysWOW64\Gpklpkio.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hjjbcbqj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mcnhmm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Gimjhafg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll" | C:\Windows\SysWOW64\Kgbefoji.exe | N/A |
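The registry table above shows the persistence the Berbew signature refers to: each dropped EXE re-registers CLSID {79FEACFF-FFCE-815E-A900-316290B5B738} with an InProcServer32 default value pointing at a freshly dropped DLL in SysWow64 (Pipfna32.dll, Milgab32.dll, Aqnhjk32.dll and the others also appear in the file-drop table), so that Explorer.exe loads the DLL at logon through ShellServiceObjectDelayLoad. The following hunt script is added here as an example and is not part of the sandbox report. It walks both the 64-bit and the Wow6432Node views of the ShellServiceObjectDelayLoad key, resolves every CLSID it finds to its InProcServer32 DLL, and flags entries that match the CLSID recorded above, that cannot be resolved, or that resolve to a DLL which is missing or not signed by Microsoft. The CLSID comes from the table above; the key paths are the standard Windows locations; the Microsoft-signer heuristic is an assumption of this example, not something the report states.

```powershell
# Added hunting check (not part of the sandbox report): list every
# ShellServiceObjectDelayLoad (SSODL) entry, resolve its CLSID to the
# InProcServer32 DLL that Explorer.exe would load at logon, and flag
# anything that is not a signed Microsoft binary.
# The CLSID below is the one recorded in this report; everything else
# is generic and would apply to any SSODL abuse.
$KnownBadClsid = '{79FEACFF-FFCE-815E-A900-316290B5B738}'

# Both registry views: a 32-bit dropper on 64-bit Windows lands under Wow6432Node.
$SsodlKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
)
$ClsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID'
)

function Resolve-InProcServer32 {
    # Return the key path and DLL path for a CLSID, or $null if it is not registered.
    param([string]$Clsid)
    foreach ($root in $ClsidRoots) {
        $key = Join-Path $root "$Clsid\InProcServer32"
        if (Test-Path $key) {
            # The DLL path is the key's default (unnamed) value, as in the report.
            $dll = (Get-Item $key).GetValue('')
            if ($dll) {
                return [pscustomobject]@{
                    Key = $key
                    Dll = [Environment]::ExpandEnvironmentVariables($dll)
                }
            }
        }
    }
    return $null
}

$findings = foreach ($ssodl in $SsodlKeys) {
    if (-not (Test-Path $ssodl)) { continue }
    $item = Get-Item $ssodl
    foreach ($name in $item.GetValueNames()) {
        $clsid  = [string]$item.GetValue($name)
        $server = Resolve-InProcServer32 -Clsid $clsid
        $sig    = $null
        if ($server -and (Test-Path $server.Dll)) {
            $sig = Get-AuthenticodeSignature -FilePath $server.Dll
        }

        $reasons = @()
        if ($clsid -ieq $KnownBadClsid) { $reasons += 'CLSID matches the Berbew IOC in this report' }
        if (-not $server) {
            $reasons += 'CLSID has no InProcServer32 (dangling SSODL entry)'
        } elseif (-not (Test-Path $server.Dll)) {
            $reasons += 'InProcServer32 DLL is missing on disk'
        } elseif ($sig.Status -ne 'Valid') {
            $reasons += "signature status $($sig.Status)"
        } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
            $reasons += 'signed, but not by Microsoft'
        }

        [pscustomobject]@{
            SsodlKey   = $ssodl
            ValueName  = $name
            Clsid      = $clsid
            Dll        = if ($server) { $server.Dll } else { '<unresolved>' }
            Suspicious = ($reasons.Count -gt 0)
            Reason     = ($reasons -join '; ')
        }
    }
}

$findings | Format-Table -AutoSize
# Non-zero exit lets an orchestration job treat any flagged entry as a hit.
if ($findings | Where-Object Suspicious) { exit 1 } else { exit 0 }
```

Run it in an elevated PowerShell on the host under investigation; HKLM is readable without elevation, but the signature check needs to open the DLLs under System32/SysWOW64. Legitimate SSODL entries resolve to Microsoft DLLs under System32; an entry whose CLSID resolves to an unsigned DLL with a random eight-letter name in SysWow64, as every InProcServer32 value in the table above does, is the pattern to look for. On hosts whose system DLLs are catalog-signed rather than embedded-signed, Get-AuthenticodeSignature can report NotSigned for genuine Microsoft components, so treat the signer flag as a triage aid and confirm against the SSODL CLSID and DLL path before acting.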
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\342872c7a7e45650c3f94380fb9dd4d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\342872c7a7e45650c3f94380fb9dd4d0_NeikiAnalytics.exe"
C:\Windows\SysWOW64\Fjnjqfij.exe
C:\Windows\system32\Fjnjqfij.exe
C:\Windows\SysWOW64\Fmmfmbhn.exe
C:\Windows\system32\Fmmfmbhn.exe
C:\Windows\SysWOW64\Fqkocpod.exe
C:\Windows\system32\Fqkocpod.exe
C:\Windows\SysWOW64\Fmapha32.exe
C:\Windows\system32\Fmapha32.exe
C:\Windows\SysWOW64\Fopldmcl.exe
C:\Windows\system32\Fopldmcl.exe
C:\Windows\SysWOW64\Ffjdqg32.exe
C:\Windows\system32\Ffjdqg32.exe
C:\Windows\SysWOW64\Fcnejk32.exe
C:\Windows\system32\Fcnejk32.exe
C:\Windows\SysWOW64\Fflaff32.exe
C:\Windows\system32\Fflaff32.exe
C:\Windows\SysWOW64\Gfnnlffc.exe
C:\Windows\system32\Gfnnlffc.exe
C:\Windows\SysWOW64\Gimjhafg.exe
C:\Windows\system32\Gimjhafg.exe
C:\Windows\SysWOW64\Gmhfhp32.exe
C:\Windows\system32\Gmhfhp32.exe
C:\Windows\SysWOW64\Gfqjafdq.exe
C:\Windows\system32\Gfqjafdq.exe
C:\Windows\SysWOW64\Gqfooodg.exe
C:\Windows\system32\Gqfooodg.exe
C:\Windows\SysWOW64\Gcekkjcj.exe
C:\Windows\system32\Gcekkjcj.exe
C:\Windows\SysWOW64\Gmmocpjk.exe
C:\Windows\system32\Gmmocpjk.exe
C:\Windows\SysWOW64\Gpklpkio.exe
C:\Windows\system32\Gpklpkio.exe
C:\Windows\SysWOW64\Gcggpj32.exe
C:\Windows\system32\Gcggpj32.exe
C:\Windows\SysWOW64\Gbjhlfhb.exe
C:\Windows\system32\Gbjhlfhb.exe
C:\Windows\SysWOW64\Gjapmdid.exe
C:\Windows\system32\Gjapmdid.exe
C:\Windows\SysWOW64\Gmoliohh.exe
C:\Windows\system32\Gmoliohh.exe
C:\Windows\SysWOW64\Gpnhekgl.exe
C:\Windows\system32\Gpnhekgl.exe
C:\Windows\SysWOW64\Gcidfi32.exe
C:\Windows\system32\Gcidfi32.exe
C:\Windows\SysWOW64\Gbldaffp.exe
C:\Windows\system32\Gbldaffp.exe
C:\Windows\SysWOW64\Gjclbc32.exe
C:\Windows\system32\Gjclbc32.exe
C:\Windows\SysWOW64\Gmaioo32.exe
C:\Windows\system32\Gmaioo32.exe
C:\Windows\SysWOW64\Gameonno.exe
C:\Windows\system32\Gameonno.exe
C:\Windows\SysWOW64\Hclakimb.exe
C:\Windows\system32\Hclakimb.exe
C:\Windows\SysWOW64\Hboagf32.exe
C:\Windows\system32\Hboagf32.exe
C:\Windows\SysWOW64\Hjfihc32.exe
C:\Windows\system32\Hjfihc32.exe
C:\Windows\SysWOW64\Hihicplj.exe
C:\Windows\system32\Hihicplj.exe
C:\Windows\SysWOW64\Hmdedo32.exe
C:\Windows\system32\Hmdedo32.exe
C:\Windows\SysWOW64\Hpbaqj32.exe
C:\Windows\system32\Hpbaqj32.exe
C:\Windows\SysWOW64\Hcnnaikp.exe
C:\Windows\system32\Hcnnaikp.exe
C:\Windows\SysWOW64\Hfljmdjc.exe
C:\Windows\system32\Hfljmdjc.exe
C:\Windows\SysWOW64\Hikfip32.exe
C:\Windows\system32\Hikfip32.exe
C:\Windows\SysWOW64\Hmfbjnbp.exe
C:\Windows\system32\Hmfbjnbp.exe
C:\Windows\SysWOW64\Habnjm32.exe
C:\Windows\system32\Habnjm32.exe
C:\Windows\SysWOW64\Hcqjfh32.exe
C:\Windows\system32\Hcqjfh32.exe
C:\Windows\SysWOW64\Hjjbcbqj.exe
C:\Windows\system32\Hjjbcbqj.exe
C:\Windows\SysWOW64\Hmioonpn.exe
C:\Windows\system32\Hmioonpn.exe
C:\Windows\SysWOW64\Hadkpm32.exe
C:\Windows\system32\Hadkpm32.exe
C:\Windows\SysWOW64\Hccglh32.exe
C:\Windows\system32\Hccglh32.exe
C:\Windows\SysWOW64\Hbeghene.exe
C:\Windows\system32\Hbeghene.exe
C:\Windows\SysWOW64\Hjmoibog.exe
C:\Windows\system32\Hjmoibog.exe
C:\Windows\SysWOW64\Hippdo32.exe
C:\Windows\system32\Hippdo32.exe
C:\Windows\SysWOW64\Hmklen32.exe
C:\Windows\system32\Hmklen32.exe
C:\Windows\SysWOW64\Hpihai32.exe
C:\Windows\system32\Hpihai32.exe
C:\Windows\SysWOW64\Hcedaheh.exe
C:\Windows\system32\Hcedaheh.exe
C:\Windows\SysWOW64\Hbhdmd32.exe
C:\Windows\system32\Hbhdmd32.exe
C:\Windows\SysWOW64\Hjolnb32.exe
C:\Windows\system32\Hjolnb32.exe
C:\Windows\SysWOW64\Hibljoco.exe
C:\Windows\system32\Hibljoco.exe
C:\Windows\SysWOW64\Hmmhjm32.exe
C:\Windows\system32\Hmmhjm32.exe
C:\Windows\SysWOW64\Ipldfi32.exe
C:\Windows\system32\Ipldfi32.exe
C:\Windows\SysWOW64\Icgqggce.exe
C:\Windows\system32\Icgqggce.exe
C:\Windows\SysWOW64\Iffmccbi.exe
C:\Windows\system32\Iffmccbi.exe
C:\Windows\SysWOW64\Ijaida32.exe
C:\Windows\system32\Ijaida32.exe
C:\Windows\SysWOW64\Iidipnal.exe
C:\Windows\system32\Iidipnal.exe
C:\Windows\SysWOW64\Iakaql32.exe
C:\Windows\system32\Iakaql32.exe
C:\Windows\SysWOW64\Ipnalhii.exe
C:\Windows\system32\Ipnalhii.exe
C:\Windows\SysWOW64\Iiffen32.exe
C:\Windows\system32\Iiffen32.exe
C:\Windows\SysWOW64\Iannfk32.exe
C:\Windows\system32\Iannfk32.exe
C:\Windows\SysWOW64\Ipqnahgf.exe
C:\Windows\system32\Ipqnahgf.exe
C:\Windows\SysWOW64\Icljbg32.exe
C:\Windows\system32\Icljbg32.exe
C:\Windows\SysWOW64\Ifjfnb32.exe
C:\Windows\system32\Ifjfnb32.exe
C:\Windows\SysWOW64\Ijfboafl.exe
C:\Windows\system32\Ijfboafl.exe
C:\Windows\SysWOW64\Iiibkn32.exe
C:\Windows\system32\Iiibkn32.exe
C:\Windows\SysWOW64\Ijhodq32.exe
C:\Windows\system32\Ijhodq32.exe
C:\Windows\SysWOW64\Imgkql32.exe
C:\Windows\system32\Imgkql32.exe
C:\Windows\SysWOW64\Iabgaklg.exe
C:\Windows\system32\Iabgaklg.exe
C:\Windows\SysWOW64\Ipegmg32.exe
C:\Windows\system32\Ipegmg32.exe
C:\Windows\SysWOW64\Ibccic32.exe
C:\Windows\system32\Ibccic32.exe
C:\Windows\SysWOW64\Ifopiajn.exe
C:\Windows\system32\Ifopiajn.exe
C:\Windows\SysWOW64\Ijkljp32.exe
C:\Windows\system32\Ijkljp32.exe
C:\Windows\SysWOW64\Iinlemia.exe
C:\Windows\system32\Iinlemia.exe
C:\Windows\SysWOW64\Jaedgjjd.exe
C:\Windows\system32\Jaedgjjd.exe
C:\Windows\SysWOW64\Jpgdbg32.exe
C:\Windows\system32\Jpgdbg32.exe
C:\Windows\SysWOW64\Jbfpobpb.exe
C:\Windows\system32\Jbfpobpb.exe
C:\Windows\SysWOW64\Jjmhppqd.exe
C:\Windows\system32\Jjmhppqd.exe
C:\Windows\SysWOW64\Jmkdlkph.exe
C:\Windows\system32\Jmkdlkph.exe
C:\Windows\SysWOW64\Jagqlj32.exe
C:\Windows\system32\Jagqlj32.exe
C:\Windows\SysWOW64\Jfdida32.exe
C:\Windows\system32\Jfdida32.exe
C:\Windows\SysWOW64\Jmnaakne.exe
C:\Windows\system32\Jmnaakne.exe
C:\Windows\SysWOW64\Jaimbj32.exe
C:\Windows\system32\Jaimbj32.exe
C:\Windows\SysWOW64\Jdhine32.exe
C:\Windows\system32\Jdhine32.exe
C:\Windows\SysWOW64\Jfffjqdf.exe
C:\Windows\system32\Jfffjqdf.exe
C:\Windows\SysWOW64\Jidbflcj.exe
C:\Windows\system32\Jidbflcj.exe
C:\Windows\SysWOW64\Jaljgidl.exe
C:\Windows\system32\Jaljgidl.exe
C:\Windows\SysWOW64\Jpojcf32.exe
C:\Windows\system32\Jpojcf32.exe
C:\Windows\SysWOW64\Jbmfoa32.exe
C:\Windows\system32\Jbmfoa32.exe
C:\Windows\SysWOW64\Jkdnpo32.exe
C:\Windows\system32\Jkdnpo32.exe
C:\Windows\SysWOW64\Jigollag.exe
C:\Windows\system32\Jigollag.exe
C:\Windows\SysWOW64\Jangmibi.exe
C:\Windows\system32\Jangmibi.exe
C:\Windows\SysWOW64\Jpaghf32.exe
C:\Windows\system32\Jpaghf32.exe
C:\Windows\SysWOW64\Jbocea32.exe
C:\Windows\system32\Jbocea32.exe
C:\Windows\SysWOW64\Jiikak32.exe
C:\Windows\system32\Jiikak32.exe
C:\Windows\SysWOW64\Kmegbjgn.exe
C:\Windows\system32\Kmegbjgn.exe
C:\Windows\SysWOW64\Kpccnefa.exe
C:\Windows\system32\Kpccnefa.exe
C:\Windows\SysWOW64\Kbapjafe.exe
C:\Windows\system32\Kbapjafe.exe
C:\Windows\SysWOW64\Kkihknfg.exe
C:\Windows\system32\Kkihknfg.exe
C:\Windows\SysWOW64\Kilhgk32.exe
C:\Windows\system32\Kilhgk32.exe
C:\Windows\SysWOW64\Kacphh32.exe
C:\Windows\system32\Kacphh32.exe
C:\Windows\SysWOW64\Kbdmpqcb.exe
C:\Windows\system32\Kbdmpqcb.exe
C:\Windows\SysWOW64\Kgphpo32.exe
C:\Windows\system32\Kgphpo32.exe
C:\Windows\SysWOW64\Kkkdan32.exe
C:\Windows\system32\Kkkdan32.exe
C:\Windows\SysWOW64\Kmjqmi32.exe
C:\Windows\system32\Kmjqmi32.exe
C:\Windows\SysWOW64\Kaemnhla.exe
C:\Windows\system32\Kaemnhla.exe
C:\Windows\SysWOW64\Kphmie32.exe
C:\Windows\system32\Kphmie32.exe
C:\Windows\SysWOW64\Kbfiep32.exe
C:\Windows\system32\Kbfiep32.exe
C:\Windows\SysWOW64\Kgbefoji.exe
C:\Windows\system32\Kgbefoji.exe
C:\Windows\SysWOW64\Kknafn32.exe
C:\Windows\system32\Kknafn32.exe
C:\Windows\SysWOW64\Kmlnbi32.exe
C:\Windows\system32\Kmlnbi32.exe
C:\Windows\SysWOW64\Kpjjod32.exe
C:\Windows\system32\Kpjjod32.exe
C:\Windows\SysWOW64\Kdffocib.exe
C:\Windows\system32\Kdffocib.exe
C:\Windows\SysWOW64\Kcifkp32.exe
C:\Windows\system32\Kcifkp32.exe
C:\Windows\SysWOW64\Kkpnlm32.exe
C:\Windows\system32\Kkpnlm32.exe
C:\Windows\SysWOW64\Kibnhjgj.exe
C:\Windows\system32\Kibnhjgj.exe
C:\Windows\SysWOW64\Kajfig32.exe
C:\Windows\system32\Kajfig32.exe
C:\Windows\SysWOW64\Kpmfddnf.exe
C:\Windows\system32\Kpmfddnf.exe
C:\Windows\SysWOW64\Kdhbec32.exe
C:\Windows\system32\Kdhbec32.exe
C:\Windows\SysWOW64\Kgfoan32.exe
C:\Windows\system32\Kgfoan32.exe
C:\Windows\SysWOW64\Liekmj32.exe
C:\Windows\system32\Liekmj32.exe
C:\Windows\SysWOW64\Lmqgnhmp.exe
C:\Windows\system32\Lmqgnhmp.exe
C:\Windows\SysWOW64\Lpocjdld.exe
C:\Windows\system32\Lpocjdld.exe
C:\Windows\SysWOW64\Lcmofolg.exe
C:\Windows\system32\Lcmofolg.exe
C:\Windows\SysWOW64\Lgikfn32.exe
C:\Windows\system32\Lgikfn32.exe
C:\Windows\SysWOW64\Liggbi32.exe
C:\Windows\system32\Liggbi32.exe
C:\Windows\SysWOW64\Lmccchkn.exe
C:\Windows\system32\Lmccchkn.exe
C:\Windows\SysWOW64\Lpappc32.exe
C:\Windows\system32\Lpappc32.exe
C:\Windows\SysWOW64\Lkgdml32.exe
C:\Windows\system32\Lkgdml32.exe
C:\Windows\SysWOW64\Lnepih32.exe
C:\Windows\system32\Lnepih32.exe
C:\Windows\SysWOW64\Lpcmec32.exe
C:\Windows\system32\Lpcmec32.exe
C:\Windows\SysWOW64\Lcbiao32.exe
C:\Windows\system32\Lcbiao32.exe
C:\Windows\SysWOW64\Lkiqbl32.exe
C:\Windows\system32\Lkiqbl32.exe
C:\Windows\SysWOW64\Lilanioo.exe
C:\Windows\system32\Lilanioo.exe
C:\Windows\SysWOW64\Laciofpa.exe
C:\Windows\system32\Laciofpa.exe
C:\Windows\SysWOW64\Lpfijcfl.exe
C:\Windows\system32\Lpfijcfl.exe
C:\Windows\SysWOW64\Lgpagm32.exe
C:\Windows\system32\Lgpagm32.exe
C:\Windows\SysWOW64\Ljnnch32.exe
C:\Windows\system32\Ljnnch32.exe
C:\Windows\SysWOW64\Laefdf32.exe
C:\Windows\system32\Laefdf32.exe
C:\Windows\SysWOW64\Lphfpbdi.exe
C:\Windows\system32\Lphfpbdi.exe
C:\Windows\SysWOW64\Lcgblncm.exe
C:\Windows\system32\Lcgblncm.exe
C:\Windows\SysWOW64\Lknjmkdo.exe
C:\Windows\system32\Lknjmkdo.exe
C:\Windows\SysWOW64\Mjqjih32.exe
C:\Windows\system32\Mjqjih32.exe
C:\Windows\SysWOW64\Mahbje32.exe
C:\Windows\system32\Mahbje32.exe
C:\Windows\SysWOW64\Mpkbebbf.exe
C:\Windows\system32\Mpkbebbf.exe
C:\Windows\SysWOW64\Mciobn32.exe
C:\Windows\system32\Mciobn32.exe
C:\Windows\SysWOW64\Mkpgck32.exe
C:\Windows\system32\Mkpgck32.exe
C:\Windows\SysWOW64\Mjcgohig.exe
C:\Windows\system32\Mjcgohig.exe
C:\Windows\SysWOW64\Mnocof32.exe
C:\Windows\system32\Mnocof32.exe
C:\Windows\SysWOW64\Mdiklqhm.exe
C:\Windows\system32\Mdiklqhm.exe
C:\Windows\SysWOW64\Mcklgm32.exe
C:\Windows\system32\Mcklgm32.exe
C:\Windows\SysWOW64\Mkbchk32.exe
C:\Windows\system32\Mkbchk32.exe
C:\Windows\SysWOW64\Mnapdf32.exe
C:\Windows\system32\Mnapdf32.exe
C:\Windows\SysWOW64\Mdkhapfj.exe
C:\Windows\system32\Mdkhapfj.exe
C:\Windows\SysWOW64\Mcnhmm32.exe
C:\Windows\system32\Mcnhmm32.exe
C:\Windows\SysWOW64\Mjhqjg32.exe
C:\Windows\system32\Mjhqjg32.exe
C:\Windows\SysWOW64\Mncmjfmk.exe
C:\Windows\system32\Mncmjfmk.exe
C:\Windows\SysWOW64\Maohkd32.exe
C:\Windows\system32\Maohkd32.exe
C:\Windows\SysWOW64\Mcpebmkb.exe
C:\Windows\system32\Mcpebmkb.exe
C:\Windows\SysWOW64\Mglack32.exe
C:\Windows\system32\Mglack32.exe
C:\Windows\SysWOW64\Mkgmcjld.exe
C:\Windows\system32\Mkgmcjld.exe
C:\Windows\SysWOW64\Mnfipekh.exe
C:\Windows\system32\Mnfipekh.exe
C:\Windows\SysWOW64\Maaepd32.exe
C:\Windows\system32\Maaepd32.exe
C:\Windows\SysWOW64\Mdpalp32.exe
C:\Windows\system32\Mdpalp32.exe
C:\Windows\SysWOW64\Mgnnhk32.exe
C:\Windows\system32\Mgnnhk32.exe
C:\Windows\SysWOW64\Njljefql.exe
C:\Windows\system32\Njljefql.exe
C:\Windows\SysWOW64\Nacbfdao.exe
C:\Windows\system32\Nacbfdao.exe
C:\Windows\SysWOW64\Nqfbaq32.exe
C:\Windows\system32\Nqfbaq32.exe
C:\Windows\SysWOW64\Nceonl32.exe
C:\Windows\system32\Nceonl32.exe
C:\Windows\SysWOW64\Nklfoi32.exe
C:\Windows\system32\Nklfoi32.exe
C:\Windows\SysWOW64\Nafokcol.exe
C:\Windows\system32\Nafokcol.exe
C:\Windows\SysWOW64\Nddkgonp.exe
C:\Windows\system32\Nddkgonp.exe
C:\Windows\SysWOW64\Ncgkcl32.exe
C:\Windows\system32\Ncgkcl32.exe
C:\Windows\SysWOW64\Ngcgcjnc.exe
C:\Windows\system32\Ngcgcjnc.exe
C:\Windows\SysWOW64\Nkncdifl.exe
C:\Windows\system32\Nkncdifl.exe
C:\Windows\SysWOW64\Njacpf32.exe
C:\Windows\system32\Njacpf32.exe
C:\Windows\SysWOW64\Nbhkac32.exe
C:\Windows\system32\Nbhkac32.exe
C:\Windows\SysWOW64\Ndghmo32.exe
C:\Windows\system32\Ndghmo32.exe
C:\Windows\SysWOW64\Ngedij32.exe
C:\Windows\system32\Ngedij32.exe
C:\Windows\SysWOW64\Nkqpjidj.exe
C:\Windows\system32\Nkqpjidj.exe
C:\Windows\SysWOW64\Nnolfdcn.exe
C:\Windows\system32\Nnolfdcn.exe
C:\Windows\SysWOW64\Nqmhbpba.exe
C:\Windows\system32\Nqmhbpba.exe
C:\Windows\SysWOW64\Ncldnkae.exe
C:\Windows\system32\Ncldnkae.exe
C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 6672 -ip 6672
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6672 -s 400
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
memory/4228-0-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4228-4-0x0000000000431000-0x0000000000432000-memory.dmp
C:\Windows\SysWOW64\Fjnjqfij.exe
| MD5 | f5f9da74ff1280de06b9c65816e2f0c3 |
| SHA1 | fb0e3f0a0f6ef2e720d426bf498dec15282cb033 |
| SHA256 | f1496fb0245e8c3b8f0c68d916fba483353c19ecc6d2563e5844accdc2dd00b9 |
| SHA512 | 5b6be04af317f5a567a1848b0e00c224fcdfe8faced3968c2809e5861cdc8ee8bc20feb3e03aeee36ebf8b9a3b78785f1f6c5aacd5b1e51987541f3032fdc827 |
memory/1052-13-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Fmmfmbhn.exe
| MD5 | 682d1323169515d69e7486bb5591fab3 |
| SHA1 | 5d587f49a96694102be875872928053ba5748328 |
| SHA256 | df07d2a33b5af888762ab6eaa407eb5706306983652bbaa834be72cef3f18774 |
| SHA512 | a680a7c282709a0ae9a9e006e6aacf69511452c1753a16297dc2aefa6036d835cf9b3b82f685802bb889f6c247abf5875cc12ce2361b3d163adab7c463e0057c |
memory/4156-17-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Fqkocpod.exe
| MD5 | 30b9baf52e379658164f6eadde81c479 |
| SHA1 | 158cfb9075493c868ace9a75510d75d2d491c599 |
| SHA256 | 9d3173a6715f63ce3ff6da6c3cc330d28fa837f9250f6d5a22b80011e99e7c0e |
| SHA512 | 780271214f813085204c417171beac8b1f70f5cadb3cd606e6239f297673a481d2d0e31689a2395e1aae6ee3ccf50bfe424712f719d45692ff72a32f685e5235 |
memory/4132-25-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Fmapha32.exe
| MD5 | 17f4cab2f325adb3c0ddafed953b68c4 |
| SHA1 | 23d0b39494e274c1101228343fcc52445839d184 |
| SHA256 | c5848cb485a62d9dd742164357d0fd389a8be59ea98c07ba9999760d05296045 |
| SHA512 | 34facdb158d8f1de8ed03fd2c1b2c931a0d2dba269836221bba452b382dc40838e5ac77ea909d4ebcdf976eca001de429e7e9d14c095ff768fda9e684d879e16 |
memory/1000-36-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Fopldmcl.exe
| MD5 | 67829d226e64088806e92ee886d77c56 |
| SHA1 | 937e59bc26d976cf7a669d5e6e067445a44f951f |
| SHA256 | 0fabccd9a27d8425f1501c1ca082a5843575dc462a6aabf1ae4ef13ea194fb55 |
| SHA512 | e8bf888b01a19611986b35c9af384f60e0dfbe4fd2f9c4c970ace568543b748bbfc675b762a539e22811d982ad5b62d5f139ce7909ffc2211b33f7e7c5a5fe4f |
memory/5000-40-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Ffjdqg32.exe
| MD5 | ebfad6e657c7d764071f3a91b0e81f76 |
| SHA1 | 09dcb7861845fe35c10591af2607ce10c2e8796d |
| SHA256 | 73594db9a10a9b9e17b19ae89802ec66b4b5645f5804a6db469de0a607d0457c |
| SHA512 | 8980407526601ef194d2028a98120b647a3518dbc2feeeacbde1a7e97b569c5633855bd24ba98edd7723c2e28e339be043dd403a1905137b75322cdc9eb48ee9 |
memory/324-49-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Fcnejk32.exe
| MD5 | 61e817fe485a435e8711349b49958949 |
| SHA1 | d65a1c4fbe7a9a5518fdaad29b22be9ef9fe39b9 |
| SHA256 | a8420d86d0d95495f211a5b2e21cf0b756fbc37eaa7bf08cee6ab6fa9206b613 |
| SHA512 | 903ae7c3d9f0c9ea86722f576eb2c8b54a6557be4d134bc6d352e4bf2226775bee06efe7bbdb24eddaae7ff447e3c8064a58f287a5507d82fcf472b12b71fc2d |
memory/1740-57-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Fflaff32.exe
| MD5 | 4518dcd21949f038047bbb24f2181f8a |
| SHA1 | f5941c6c8c896833435f014e291aa1d9b902ca83 |
| SHA256 | 59cb35364f2117f22cda5552ec6b5ad750e362ad297502905d6aa53849fabfc2 |
| SHA512 | 14dc3dfba311ac07196a144bafef5dce2270ed7a08bab75099c202716b963977a13602540b0ad58d1159b5785b0a387c01338cd19fc3052b9b0ad0eecebf12b9 |
memory/3784-65-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Gfnnlffc.exe
| MD5 | c7acf84429fc0980576e2dfa8bff048b |
| SHA1 | 347c1d626e058861e4859446a544e33ff61e1ecf |
| SHA256 | 5195c6af77c8c317b156dbce9c7a080c02b231cabbcd0a4f55a654a34835599a |
| SHA512 | 0edc5e7d40261c9554a5c7ebe22cbd055d08176f996312a14b0f835fa707b26d2685efa6d6d391bba82ee88a7a3fad6dd878d6c65a41d80c232056181c9c08fd |
C:\Windows\SysWOW64\Gimjhafg.exe
| MD5 | c538e2330aa8f4dc16f799348369d417 |
| SHA1 | 75a3a26ef8297fb91262a68fef2ea09595629a64 |
| SHA256 | 775291eadd0c05a81a6b2630f2b094229ee6109c44f9f1eec15a036a8a6de877 |
| SHA512 | 5275995b20ea39921e34144957e02f1ce0e14daac6ac2f766550976dbfda8075380312b3ff4f3e4528aa72ab5aefeb496958daade20af765d61fb34e0e99efed |
memory/2160-77-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Gmhfhp32.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
Note: these are the MD5, SHA-1, SHA-256 and SHA-512 digests of zero-length input, so this copy of Gmhfhp32.exe was captured empty (consistent with the file having been created before its contents were written); the populated copy of the same path is hashed in the following entry, and those are the values to use as indicators.
memory/4348-83-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Gmhfhp32.exe
| MD5 | 463e7b1a802cb27a62c1cd8ae0ff12ff |
| SHA1 | d92bb46f23f77dd10acab5f877684c600854ccf4 |
| SHA256 | 113f630426437afd8dde38939c5079f6c3b6e1cf1564fa664bd73c5a26fdfead |
| SHA512 | 9ef5a2ad9e70846d7b8e8f852775d284b482133480f369f57ea42169142c215c241ce6e2d063b7ca689d675a1f146fc035ef3946ef1330a9e656491414914d1c |
memory/4580-89-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Gqfooodg.exe
| MD5 | cd58890e325a3eef55ac3e5bb1af3572 |
| SHA1 | 79ab6f2d61431aabb368a152c92f45386966bf74 |
| SHA256 | 408c5fe6d86632fb130b120e82fd26ff84dee0890687427a38387d8e34208a86 |
| SHA512 | c2abcbd934677a3c0fb5c157a8f0fd4944a76c3530bb71e7f2607f754b50a7bd342a290deb222621c435be00354ebd9022d5d978b6a7b8aab98341657ee950bb |
memory/5012-101-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3916-109-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Gfqjafdq.exe
| MD5 | d8c8e26439ef46aed742ed83aaf07a1d |
| SHA1 | 37fb2980debb1a0a1df4f515d8fac9f7488ab8ac |
| SHA256 | b879ed823b74c971cdaa6f8e3f332e9f664581841931cd5dec52fab42f7de0c4 |
| SHA512 | bc7e5fa3bc332f0c6b7883ecf4bb5cccf6dcc4d90df2e21e9aaf5a101e6e60943792bded0682de099f260ea8f1316a92a42136db14436790e19384a6acabd491 |
C:\Windows\SysWOW64\Gcekkjcj.exe
| MD5 | 84ffb89e7ac9b251b859747c18a11852 |
| SHA1 | 89ec39593811e1ac4089bd1af2ef01b30418b0b9 |
| SHA256 | 4f350084fc22fd615fadf9ff33760bd7a8cc3d4446fbb2f5c6888dc561e48d73 |
| SHA512 | ca6ea496cef57f17dc4a675fd56231ff4835ceeb849344029a6da3fe7c948b6efd39b03e4464f5128a60b7ae743c8f7648a43fedf89bc228ee1fd5ad17b62dd4 |
C:\Windows\SysWOW64\Gcggpj32.exe
| MD5 | dee061bf2960ecab0077940601ede1eb |
| SHA1 | 0a8ecd84229ecf3a3b87937e393af615bec4566b |
| SHA256 | 7bbbb731f4399fec103b60c737b46aabb3180e735ef53804d9aacd32e6d6e4a4 |
| SHA512 | 62a3c10967c5add7685f83fa3bae5ab67e9ea350ddc3be867d8d4902d6504e7eeb31ce73ab52f52e7c2468515c9efac4898b765060e79a264cbe6bd7107d4874 |
memory/1172-149-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4800-148-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Gjapmdid.exe
| MD5 | f24882bfff7027f4d493977da75b7c4a |
| SHA1 | e70ccdc7d8d6ad27d1fa7738d95401304ee30786 |
| SHA256 | eb078b4b6b9baefe38b21f0eaab664615fcf3d201665f7bffa2d7da4a978ef8e |
| SHA512 | df92b0d72466520bc24be9af2e1c61590bf43ba7b7345ca413c8f2ccbd43b888c210fd4db33751a8730f272d66d03f79c019b758b83fa07518b52e98c97c1fc1 |
C:\Windows\SysWOW64\Gmoliohh.exe
| MD5 | 9907481a75a31e06dcf429c2c86407c5 |
| SHA1 | fb4f661bc0ea93c9943572de07688809840171df |
| SHA256 | 8d7aff63f3acf4a9245fb71c8f107948f498b8b0b1332597edee1d48d590ab52 |
| SHA512 | 98e36b071f5b7b8ab8c69a1bd847c471962b46b07e87b37ac0816987747566e161fe9d53b56985bd824f97c932afb735af7b57d054a84d755f28ed32f28d6580 |
C:\Windows\SysWOW64\Gbldaffp.exe
| MD5 | 27f2d3447694be1b9cae1b773ffbc8d4 |
| SHA1 | 225cd1f6fbeecfe341565944b89d3363f8544fc5 |
| SHA256 | 612672f43a172132c64b20182fafc24c745088a939902860ea54ae3253389587 |
| SHA512 | ed5436457d306c0a9aa3d86b3465ec9b8c8cc32451ce6bbc20d0e7f356ac568306f01c808f6890b42fc2c91bd09fb7d59b0d22e00a0d3df33e8599f9f1d089fd |
C:\Windows\SysWOW64\Gameonno.exe
| MD5 | d0105bbd5513b629da732419fd1e9e4a |
| SHA1 | 9ffb63f960acb542aa9c3b914dc61afe1dea06e6 |
| SHA256 | dd4a014e62f75518ed7fef61b2b8ad93d9740b8777783652e32dcaad1a35dbc7 |
| SHA512 | 0f29ffa2a18acf74e137f898b60acd969351657acaeb0de3f01b123a01ee3f766eafec1c910395ddb64a778a16e31530b26d026dfb5741266a9899a85c1ea8cf |
C:\Windows\SysWOW64\Hclakimb.exe
| MD5 | e6675c96c5ae53cc929015e1a47feb43 |
| SHA1 | b84568750aa5da996a9e3a7b2ce5bbd6b15309a7 |
| SHA256 | 83b9460db5f179877b007c7d0bacd05549608c99db1bc1465e811ee7a5b63069 |
| SHA512 | 4398a067e751e409704ecd43221e791bd30fc7c538f02241e704858ff94cbe3d3a92dc61c54de1ba19173cff8946b32e58c712524308af55aefc11673a0b0909 |
C:\Windows\SysWOW64\Hmdedo32.exe
| MD5 | 8e67174c6f963881a32cb4d6674efa9b |
| SHA1 | f570f2931a646337ac371db0ca0f882209336e41 |
| SHA256 | 52f4c8ef2aedd1e75d9eff86bb3b76c0b9bfd0481a6569677caf98d902981f96 |
| SHA512 | 0a2600d8ac41f9822558fd42ffee88373747a4a8ecddff12f13c7503d3a27c5b92772b3a0cd6a686d31fad9b4a0194407b38f946f81b49d66107915a0f6df3bc |
memory/3492-418-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3384-425-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1388-445-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4604-453-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3088-537-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1272-562-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Jdhine32.exe
| MD5 | d51027806fb4c1886890927f422fa187 |
| SHA1 | 4a5fa75cfccf0cfdbfb113f95f72a8897a427f9d |
| SHA256 | 9011a14a659198d2e9e5e30c6107e0f8ef16a597bfafd9bc55878e05f9fa630e |
| SHA512 | 4ee1323e0316c7acb2125b04b60a113cf2ef3fe00dd16e0e19d80a437932450b2bbf56f53ee17ddf408af1d49ba4f32bf1eb71677262d894210071bd4da4d8ad |
memory/4608-581-0x0000000000400000-0x0000000000433000-memory.dmp
memory/968-593-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Jpojcf32.exe
| MD5 | 007e0fd17004a49269bafcb42df13276 |
| SHA1 | 020eec7558d031568907fbfc05ff997f91e72af2 |
| SHA256 | 91635024fe017e8cd25b1f652b5ef0e304892895587f9f759334a564f21d7d8a |
| SHA512 | 898e0253cb0c9524629ace25811e91351b5c8536adc7b3b0e1954b8cb1e5109a2499610986f1e254d9780f4d4f8a1a5b6e51fd2425fc15680204ca1343629aa4 |
memory/3116-610-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Jangmibi.exe
| MD5 | 42d18e20699f476bce4e38ec85a4eccd |
| SHA1 | d47587d79cb4b153edec3b4fa8d133ba55902743 |
| SHA256 | 3ff5155a9fbd8ffcac26710fef4b26140a3f24b18989c4cd51b36bc277319d76 |
| SHA512 | 55ce68e8dd45068b6e3c60710cedc14e0315f1da9029f908f157c6833f6ae0cf01d7d6816737ad5e32afad692c3bdcebda4a8a08ff0d9bd81edee703777f7802 |
C:\Windows\SysWOW64\Kmjqmi32.exe
| MD5 | 52e5e0d1b3af41eea99021b53cc90eab |
| SHA1 | 3b872c5ef525b5809ad11a19a2f663a757cdc253 |
| SHA256 | 5798214f71c5e4be7cb3ae0c22ab6114825707344685bf4bee62ddf0341d6e8c |
| SHA512 | d781e31913157ec9bd59cb96b6c3a4b34e6da1f3727d6b4eab53e63b9fa8cfaf06ded52522fdf7e39b0865c6d0794ed02e2f5b4d93fe0178f730f6a6098f8ed2 |
C:\Windows\SysWOW64\Kaemnhla.exe
| MD5 | d61f8b99c2e9b3797740ab8c5e662510 |
| SHA1 | f77d0f6ae4facf8f04624b0ccceb934d7098ed1d |
| SHA256 | dbc249e1f2a4e740523f27089f5d327aa21af2d84cb5451d7c0b2ae7365fcf6c |
| SHA512 | b13b831695785cbb21246de740150971acdd9e8d999c40247d4f481521bec3f08c36dbcb6d75cf4344d18b651eceb3d2ab9cf913a79bd07864439a3d1526fb49 |
C:\Windows\SysWOW64\Kcifkp32.exe
| MD5 | c74ba9f24ea59ec8c93c34c801816199 |
| SHA1 | 7b08ae2b091296aaa479afbaebe3c62a07f71887 |
| SHA256 | 6530618d24a97893de87bbe13923c3bb15760723eb54b4c58b40b2557331c257 |
| SHA512 | b2e1f426fd22d26fe3465974050b0da8893603fc54cb024c8d2c0b90ab07b623e2ada95b15a89004e091e0f9b67077112f76d1ff83a9b80efffd15fb12afe908 |
C:\Windows\SysWOW64\Liekmj32.exe
| MD5 | 4ffdb87ca9a0f806d1dc36f01e53461c |
| SHA1 | b497010d6ecaa69cf5ab921292588343ed902304 |
| SHA256 | c6a1fae71480ea5883dd948f03613458f5087c98826d8083f8ee72df34d38155 |
| SHA512 | 118b1583bc28bedc8a89afd584486dd9961dee6f8a07b27e380ab930bfd71261f4e5cbaa6e72fec35e7e98506ac51ee7a19ea7564d0b22f5f95d89acef9fa238 |
C:\Windows\SysWOW64\Kdffocib.exe
| MD5 | 10fc9138c6522cc05dc4145b7749187c |
| SHA1 | 93646105dfb50314248ad6c6dbc81cd8bd6ce766 |
| SHA256 | 9acdcb538f5a9190d76643cc2f4598b068331b079cc74ba6df8597e72941be64 |
| SHA512 | fcd011b82e9761f60a8bd54852b0686645ac87f2f526f54fd44a52b34619791a3cfaaf86c688c550c3c74d4446e7a415efb7f558e63c599afc895cb4e969f2c0 |
C:\Windows\SysWOW64\Kmegbjgn.exe
| MD5 | 3c1ebf2e24e67e900b946e5b96130f10 |
| SHA1 | 71d4aac94c634bad5e087e8d8803dbe834e5a774 |
| SHA256 | 6c9635fbacad731e60f57a906398f16a2267830125ff85f443746ef2395f6f57 |
| SHA512 | 591cf3897c5e5347b003aa9a1272dad537fbf718dc78c891e192862d02a956c97ab8cf37a558d148d271cc1d509cc4785385b2a0256d33b81e7f233f2504e5ce |
memory/4660-632-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Lpocjdld.exe
| MD5 | 7dd4b058dda1a2f62057c5f569fa5757 |
| SHA1 | fbaed60c683a4c913f37fb93b2576151d0136aa7 |
| SHA256 | 937151945263312e44b9ff049969a042c6388d57235ba60e5f071e60c03b53c0 |
| SHA512 | 195f3a5a964f500eff538152931f4900ec3853e6d24c659539da8bdf070e8e66cfa4751f54a3a0fe993b994d88b309e9422af4f6e575c07b59293535ee7572f3 |
memory/1028-623-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2320-617-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4292-611-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Lmccchkn.exe
| MD5 | 828b5e3991784ef30e042550861ae797 |
| SHA1 | 662fba1db85053e66c45e85643aa53ce51ab98c4 |
| SHA256 | 0be5177ecb5794aa6ba26ff7a37341b8843e2d8ef84fe78202024f21120e823c |
| SHA512 | cce77243404ff42a19a7d561bc6d0246bc01347f5e0136ce27dbbd52a92de5f157b986876c83e6e97644fde14ab29ab2533f32e057924941b0f8e7c7047fae26 |
memory/3128-599-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3124-587-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Lilanioo.exe
| MD5 | 12ee4b125241ed29715814fc1dda8389 |
| SHA1 | 028f015b58036d43087dce79bfa661dd857d1c92 |
| SHA256 | a797ea77ebfacc3222874fb08b4d946a1e5f87a582964b0f3c57fddc3567edfd |
| SHA512 | f5f640c3474de6be0c412dec3aed0c154db84b2d61e4ae3ad8c11459c13d9b534d5ffd918d016055ecd57fb3d673e27882335355d3f81739c0dfa62fc8c3aeca |
memory/2772-575-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Laciofpa.exe
| MD5 | a689687399f3493c5aa2d977fdce3da5 |
| SHA1 | 806f5816acd0bda592002c71b49d8871a6ff164c |
| SHA256 | b0fa8b3539bd10e3ac653ff832a3242fe02f7b09a76dde07cf8a81c03cbc39ab |
| SHA512 | 43d22fea20b54ae20b83c507934437baa0b38f7be6a2c8bdf9194cb8404a37ee0df4971411d422469c2998ffe9e3153c65a9e676808ebdf7fface16666bd99fa |
memory/440-569-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4248-563-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3368-552-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3420-548-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3288-539-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4724-538-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3940-521-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3828-520-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3772-519-0x0000000000400000-0x0000000000433000-memory.dmp
memory/5104-518-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3320-517-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2556-516-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2808-515-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4668-514-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1496-513-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4948-512-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3432-511-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3724-510-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1604-509-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3436-508-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2340-507-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4308-470-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4076-469-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Mpkbebbf.exe
| MD5 | 94785d10c21be62ac12cb0ff918b6c0f |
| SHA1 | 4c6979c1504a886886fbb43f6a124b293a91c2a3 |
| SHA256 | 1ff278506d2722078d9062eefcd6b8beb6b8cecd4db81a21f6189eac7c359976 |
| SHA512 | fe597f45ad6b1fc4b0a82b441349f1b4d42cd8e862763a49350898d64c463cea8e5bbccb659c47ec2b5dc3f8e332cbca58a36720573ccf5ef9bc5f061a8770e4 |
memory/3968-468-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4184-452-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4024-451-0x0000000000400000-0x0000000000433000-memory.dmp
memory/468-450-0x0000000000400000-0x0000000000433000-memory.dmp
memory/392-449-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2196-448-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1620-447-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2220-446-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3544-444-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3468-443-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3636-442-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2792-441-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3800-440-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1456-439-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2400-438-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1068-437-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3484-436-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3572-435-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4972-434-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3500-433-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2708-432-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1972-431-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4444-430-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4636-429-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1352-428-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3308-427-0x0000000000400000-0x0000000000433000-memory.dmp
memory/548-426-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Mnocof32.exe
| MD5 | 351c384448f6ff5c09d2538cea506f9a |
| SHA1 | 6bbfbb6fee1ead78a4faecad66095144b089fe6e |
| SHA256 | 4c4656fd7b60dbe0767ef6cb81ce0214e49f6af1b800ddc0ffdb82f6aff16696 |
| SHA512 | daced94abd0d89a75c22fae6c023c85e1bb0755455d60b5e55ff956feff9e9cc5ca48d8647d3fd7809c886994c67efaccbe407bb3780326c8b3bfdc25a5bed2b |
memory/2680-424-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4056-423-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3296-422-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4968-421-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3132-420-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4600-417-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1320-416-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4648-415-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4768-413-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1800-412-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Mcklgm32.exe
| MD5 | 375340ed488b668fc7879f643252f61d |
| SHA1 | 0d4b824ed3b64f7fb89e91f903ef5d44ca3f06ac |
| SHA256 | 9be03fbacc74cc8188314971cd29b2530bc12ee0272fc44ebd4590856b9757b6 |
| SHA512 | deb576268ed971768080cb3cdcc9fbf498cda7f7a521d270fa2554765eaba8e9aa8a88af47ed7dc3c2004fde525bc23f8ac8aff0929ffd434dba9758a8a119d1 |
C:\Windows\SysWOW64\Hpbaqj32.exe
| MD5 | 146f82f5566ead6418dda9d5d45d4274 |
| SHA1 | 20c5703dbd902db93fc872e37666bfe05728124d |
| SHA256 | 8f8ed5be26553575056e33a1708151f844d25ea7fd5f032540dfebe5cc79d78b |
| SHA512 | 27896b523ab8f591c392474eaaceb505e29dd5692254ad5a14df7991a0b98b39bcdba09eabc6ce34e2de91c3d3759a867c9446c20cd96da702b14bfc9c0bb752 |
C:\Windows\SysWOW64\Mnapdf32.exe
| MD5 | 2dd2e7cebb2f357c2f3f8df3aa39aa07 |
| SHA1 | 0390d53977dfaced54dea30208fe37b02c769146 |
| SHA256 | b32a5a661e224843481ebe90f4206332ec9d10925ef292a3c541441c51d24359 |
| SHA512 | 878a81dbbb77899c6bc9dad0cb0e4b7610c72ee658f2c684a7fd558519ca097d2ba5214e68650930f4508041e8474babb502cff22637b1f6bd90ad9aa8060b7c |
C:\Windows\SysWOW64\Hihicplj.exe
| MD5 | bea131d9976096aaf774637a3a56fb3c |
| SHA1 | 001d81b70fbabfe56cd6f542121c15f427720e03 |
| SHA256 | 6fac80727491dac2209f7da2a35bc67eab7601a9d7e9ecbb3312d7aa44415652 |
| SHA512 | 5806760fcd8cbf4ea662785ef0fcf7a2d7f32085bce005d1c2aaca71d73d35f85d7cd665d681de9f2ffbd37b51f4a92f4823ebbb43d8da79c8be7cae36dba26a |
C:\Windows\SysWOW64\Hjfihc32.exe
| MD5 | 7ac0b869b1c5445dbb67a8a20f082d08 |
| SHA1 | 3fa68344d49d8c59783913e28d93a4f2315479e4 |
| SHA256 | 27f4efb4a320e294497b896ae600bd3fa4c2c69be5007a2c21474b96c31938fb |
| SHA512 | e5a767a45d0753e26dd997f691d9b19e99d0563b4e8a060469a674d22b11df6e8b8d964e90eab70014aa4b722fbc6fea3aef2f1905fea8410d6680e5bf152675 |
C:\Windows\SysWOW64\Hboagf32.exe
| MD5 | 831c623a7b8d1bbf12e5ae7233e2c554 |
| SHA1 | eef971037151abf243006a6a3785e644075c31ce |
| SHA256 | 03143d14eb8f8aa496359dd94034e177bcc20dd97aa5b408d3dd7e9bc7855e07 |
| SHA512 | e8f3aada9af70d627173453ae98f9b83bb7cccbf786eef9933e4dc4e36870dca25b376344e5cdc89b2b95a75e18e2d7c0e0fd018dd345c08f707ff867e666224 |
C:\Windows\SysWOW64\Gmaioo32.exe
| MD5 | fd9d60b2dae5e12ff184d3d9fe5ac897 |
| SHA1 | 13ab635c29d321b2369e27707e23407d1eac8b83 |
| SHA256 | d149a61bfd2104096d6904b45af7fb493a98f7ac27e900308f6b014af773adeb |
| SHA512 | ae4f5dfc86a7610777feed09e055c4bfbbdab63e566a52bbb4976d6bb78f68f16778b0671d3e5abee43a10d2bf858c5c63b4fe47367350b89317edbc349077e8 |
C:\Windows\SysWOW64\Gjclbc32.exe
| MD5 | 28f09d9eef7ce526ac773a3290494ee5 |
| SHA1 | 3f612e2da36004c792af232ac2c6a1621d138c14 |
| SHA256 | 3b97bfc461353609cdc79110de40441145cc1c2a8b0fae8ac78c0d2aa7e8588d |
| SHA512 | 68a4af25f41e0801068493495f55ccc0618273f3b715d74d056e7e8df152262f18056c05465cb8b7cf9737590e0281fef0b4cfd263f5a268a2a93be27685ca68 |
C:\Windows\SysWOW64\Mcnhmm32.exe
| MD5 | 40b173826a15f631ffb5d4be37191f91 |
| SHA1 | 51919c73bdbae4de6fed1be4ce56194326490d5e |
| SHA256 | 741a99b7f152b9fa757ebcf3b1fb2562c94af5e9023386342e71fb3fe5210ec4 |
| SHA512 | 963e552c0fe688c07a5393d4d01a2df275ada528834f051cb2a52d3cd42318521b7875f46c8afb02ef59b5530d08ec4eeb04739609c96ef817ab1b9ab87a4c67 |
C:\Windows\SysWOW64\Gcidfi32.exe
| MD5 | ad498f61c802e43f242dd3f333dfef92 |
| SHA1 | 44164cb6e7620f9e23ca99ba11bf9f4d87160fa1 |
| SHA256 | 0a3a61dd33ce7c8483171968904c6487f17f7c9f31096dd35ad5b81a891b0554 |
| SHA512 | 8f681a756ea292ef82d6081c0c35bdfc39b44e41a262a9ec5786d80dc3f3df374c372319152d91459e02e274ba0ac5cf591c3b8d0ba8eb3448426e692863985b |
C:\Windows\SysWOW64\Gpnhekgl.exe
| MD5 | 04eb32c074741881da97857b8bbb3371 |
| SHA1 | 22bd7a4ad45ef3fa9181a96b234d1b604958ae89 |
| SHA256 | bd77c7df54639e6e4b67b5c91c5a53878e3bf992c4ca5ca05d40c8b526a30c41 |
| SHA512 | 559489eda5097d12f65dcd9c28b61a8cb950153b748ebf8c55f9e640c1a3338ec54a1390ab94b0ea58fad82e3b7ae3220dbdb9036f09a978ecb4dcf043cfbdfb |
C:\Windows\SysWOW64\Mncmjfmk.exe
| MD5 | d2eb76355dff12727ddcc0fcddf12419 |
| SHA1 | 332a59401db47a03cb3bc42cbf2ac931e9d5113d |
| SHA256 | e95e2aaafa7548bc8343dec44e0676643cf7c176c9f757c44cd0cb5bfaf3bece |
| SHA512 | 3ec030393f5a217d2f56b3c82ea48d6ced8da42b5454f524083fc91fbf68e9ddc9ad3cf6724a6db084b5caa5417adec4c27d23bfe2e3d7c34b7f724d86621bfa |
memory/1664-147-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Gbjhlfhb.exe
| MD5 | 1957a0ff2e758458776364eb505c8538 |
| SHA1 | 34e431916222fe337178b1f9d1d8ec271421ce77 |
| SHA256 | 8ff4622dba53655409edde60c80da2824a45346d1668fbebe6e3c5f87d209df7 |
| SHA512 | 1f27374de5d4ebfd902e0302bd60877f5013ebab1cd04f108fca7ee1acf52f3bd3b065507cfd31d2499a09faf57b05888014900451e2d0ca1db3f6408c8338fa |
C:\Windows\SysWOW64\Gpklpkio.exe
| MD5 | d08dad03be3812e7a8644fb3fab9c213 |
| SHA1 | f3efaa9dfd51e5c03fdba27f01e802e96ae57ca6 |
| SHA256 | f881c65f612a6b2d6fadcc6bc0cdba0475fbc409590a704ffca5d513293121e9 |
| SHA512 | 109b8b4512c26585ba7f28ffd9a90af3d458e30d4252765876f90a4e81c751fc207b4a08f0f3c4e6fe30a5b777eff44db39b14e78dc8594452b77d0692cb3127 |
memory/1216-125-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2864-124-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Gmmocpjk.exe
| MD5 | 4d6a5d724b5d3b8d1145e39ce5e1a5c6 |
| SHA1 | 4bd9acf82a8f7bc0ba1d47b9cf96cf1304516b06 |
| SHA256 | deaa5f647e4976520442cf323e2485213c085f706f1cfe4e9e19fedbb2d3009a |
| SHA512 | bec9cf3ddefafa06ae3d0a00a977d8db5cc3d6b0f51a22e9b8b9f286c1a22c92c472a04688f7a8d5abfb65431aaefa49387cd18bbffdb98cebf89f995f81d1df |
C:\Windows\SysWOW64\Mkgmcjld.exe
| MD5 | e2f76b02a85ecba68dba17ae7893d83d |
| SHA1 | ef357b78fd3c7c445d7d85149e357ad38b2e3025 |
| SHA256 | 7b0017713f833983dd978565bdfa69ba69f8d05d22027189d268d27d31c795cb |
| SHA512 | 45ac8f3ce26af5757ba98781ed8fdf0cd2fa88b8bc87f18362cf47f5c035c5a551d87c30d0adcc0a8bedb051a8861a91baf1b14a91c89475645e62b8955fed1c |
C:\Windows\SysWOW64\Mgnnhk32.exe
| MD5 | 2a6d8780b5a115edd1e48964252423e8 |
| SHA1 | 084f3b43f034fa3c7b00465a359267b7cd4104a1 |
| SHA256 | f9ab47b8dd1a5086574ccd20914b61b5a564942aabd4d3e4a773d5058367ac5c |
| SHA512 | 5805b58222ee622dcdec3fe8f99d0886954833797f6c4e372d7141b965d9bd312fa11327641ca222a3b96ccdc28c49a3ed25d88123439b81839d9aa5b63593e6 |
C:\Windows\SysWOW64\Nqfbaq32.exe
| MD5 | 413d1162f7daffd70d543c12f6b0393c |
| SHA1 | c1e6d1618b2627d9caadedc6029f8932e2c444eb |
| SHA256 | 7a4dba1cdb027eda116f9f759d6db445efd0c4776dd6e4f0215102f050459158 |
| SHA512 | 0920493c92c69c65ea1e5e80f079ce97e901c2b4ae428de7fa3a97a22f1b9e5dd8f5aa920b85a9e4ebcf54001f4da8b891ca17090130da2752e773187eb11f93 |
C:\Windows\SysWOW64\Nceonl32.exe
| MD5 | a424b8939ed422cc309b94c8fd80a2a3 |
| SHA1 | 0a9ae10109824bf3a14654e69c229ce73322029c |
| SHA256 | 9feeff2351197a36660ed041d8514aec28d96a925328d6dec00568d3ed8ca1ce |
| SHA512 | 221c32c79e998a042862acdf799672fdd7a558b3aec66ae9c3a7437d7270ebc790dd1364095d26dd91f9359c7a72aeacdc1c4b178b8ad8d22e410089f4d583ec |
C:\Windows\SysWOW64\Nafokcol.exe
| MD5 | 3c865130d968b6cfda4f38a86d3d75d5 |
| SHA1 | 46558c64f250d87d56f9df3279c6f43fbc7a77e3 |
| SHA256 | 99fe8d250df3795da9811281a0de12a939720e52b60c11a3724cc92171391607 |
| SHA512 | b86a90b2b828828510f13681c0b39480400cb6c66a79cba97d612edeb3ccd70fdb0a8514fdf040c977a13bc59c2c1af5233de842f4c30ec07c644b49aae8177c |
C:\Windows\SysWOW64\Nbhkac32.exe
| MD5 | 0428f8e5b57ee6b9cddfb979b17a5a70 |
| SHA1 | ab78c0cdd52e57f32ff612d3d8062d391a0d38ab |
| SHA256 | 69e4772deafb6b94aaf5742fb346dd4eaa778c906aa611fcd548f307fde196c2 |
| SHA512 | 78d2331382138fac6cf3c7dfea79eff77518a2397d9567f613ac540bce139c1d4c716f51027c39b1cc806a72c32b42406896b677c8db2b4142ce15c27b8e8f08 |
C:\Windows\SysWOW64\Nkqpjidj.exe
| MD5 | 6071f70d7d4a7bf3dad829739a210def |
| SHA1 | 7d9f0ddb5ad201c1ff58c5846d64b3520a22f6df |
| SHA256 | 796f1006d1020709841a7429f3889e729ff83b9e4cb77776afe110961fd59dda |
| SHA512 | b22fae68d6b3ca5c9b679a4a41b3336f2b00a141f1744c3b1f45dcfc4e919b700fa53891a42677fb2504595dae8d6cc4ec38d71d49d88b5c05b8d40034349e54 |
C:\Windows\SysWOW64\Nqmhbpba.exe
| MD5 | 35ffe23a07be81bdb1bacc6f0015b488 |
| SHA1 | 37bd25298fa1a93ea2386f9f99228ca56cd6b39b |
| SHA256 | 2d8002982497a5be8fb3b74e29f984071cc6d278998ceaa0ee1287556f24b218 |
| SHA512 | 94bc77ca94d373f608ce3cb153802d9283b61522839f3eab2835093645cc95bf35aa92842b3f8cd92b81c1622d551633d12d97bcf0652f0314aa98bb446cd769 |
C:\Windows\SysWOW64\Ncldnkae.exe
| MD5 | 407c02b5649cc7571f4cd1ecb64bad04 |
| SHA1 | 2bbb5cf52e9a0a7637d86ad98976a118014e013d |
| SHA256 | 6e1d772d98edd772be98b19a8e83419e2b2c558f98b3b0c67803a52bbf8291a7 |
| SHA512 | b2b0767741d59c050657ad3a3c7ba9304793d31cfb23f3ea7c6ef3d1c33b962cb64ac06b243be6d778b2d76d98883ee56150690ab07bcef31496b0183ca358ae |
memory/5208-1270-0x0000000000400000-0x0000000000433000-memory.dmp
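The listing above is what a responder actually copies out of a report like this, so here is an added example (not part of the report or of the sandbox's own tooling) of turning it into usable IOCs. It parses the path / hash-row / memory-dump lines in the report's own format, attaches each hash row to the most recent path, drops entries whose digests are those of a zero-byte file (the first Gmhfhp32.exe capture above), rejects digests of the wrong length, and matches a host-side hash listing against the result. SAMPLE is copied from the entries above; OBSERVED is a constructed host listing with one deliberate hit.

```python
"""Parse a sandbox report's dropped-file and memory-dump listing into IOCs.

Added example, not part of the report. SAMPLE is copied from the listing
above; OBSERVED is a constructed host-side hash listing.
"""
import hashlib
import re
from collections import defaultdict

# Digests of b"": an entry listed with these was captured with no content yet.
EMPTY_DIGESTS = {a: getattr(hashlib, a)(b"").hexdigest()
                 for a in ("md5", "sha1", "sha256", "sha512")}
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}

PATH_RE = re.compile(r"^[A-Za-z]:\\\S.*$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
# memory/<pid>-<seq>-0x<base>-0x<end>-memory.dmp
MEM_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")


def parse_listing(text):
    """Return (files, dumps): files are dicts {path, md5.., empty}, dumps are
    dicts {pid, base, end, size}. Hash rows before any path line are ignored;
    a digest of the wrong length for its algorithm is rejected."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            base, end = int(m.group(2), 16), int(m.group(3), 16)
            dumps.append({"pid": int(m.group(1)), "base": base, "end": end, "size": end - base})
            continue
        if PATH_RE.match(line):
            current = {"path": line}
            files.append(current)
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            algo, digest = m.group(1).lower(), m.group(2).lower()
            if len(digest) != HEX_LEN[algo]:
                raise ValueError(f"bad {algo} length for {current['path']}: {digest}")
            current[algo] = digest
    for f in files:
        f["empty"] = any(f.get(a) == d for a, d in EMPTY_DIGESTS.items())
    return files, dumps


def build_index(files):
    """digest (any algorithm) -> report paths, skipping zero-byte captures."""
    index = defaultdict(list)
    for f in files:
        if not f["empty"]:
            for algo in HEX_LEN:
                if algo in f:
                    index[f[algo]].append(f["path"])
    return index


def match_observed(index, observed):
    """observed: (host_path, digest) pairs, e.g. from Get-FileHash (any case).
    Returns [(host_path, report_path)] for each digest present in the index."""
    return [(p, rp) for p, d in observed for rp in index.get(d.lower(), [])]


def image_sizes(dumps):
    """Distinct mapped-image sizes; one value means every dumped process in the
    chain mapped an image of the same size (0x33000 bytes in this report)."""
    return {d["size"] for d in dumps}


SAMPLE = r"""
| SHA256 | a8420d86d0d95495f211a5b2e21cf0b756fbc37eaa7bf08cee6ab6fa9206b613 |
memory/1740-57-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Fflaff32.exe
| MD5 | 4518dcd21949f038047bbb24f2181f8a |
| SHA256 | 59cb35364f2117f22cda5552ec6b5ad750e362ad297502905d6aa53849fabfc2 |
memory/3784-65-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Gmhfhp32.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
C:\Windows\SysWOW64\Gmhfhp32.exe
| MD5 | 463e7b1a802cb27a62c1cd8ae0ff12ff |
| SHA256 | 113f630426437afd8dde38939c5079f6c3b6e1cf1564fa664bd73c5a26fdfead |
"""

# Constructed host listing: one hit (uppercase, as Get-FileHash prints it),
# one benign file, one empty file that must not match.
OBSERVED = [
    (r"C:\Windows\SysWOW64\Fflaff32.exe",
     "59CB35364F2117F22CDA5552EC6B5AD750E362AD297502905D6AA53849FABFC2"),
    (r"C:\Users\a\notes.txt", hashlib.sha256(b"notes").hexdigest()),
    (r"C:\Users\a\empty.bin", EMPTY_DIGESTS["sha256"]),
]

if __name__ == "__main__":
    files, dumps = parse_listing(SAMPLE)
    for host_path, report_path in match_observed(build_index(files), OBSERVED):
        print("HIT", host_path, "->", report_path)
```

Matching is done on any algorithm so a listing that only carries MD5 or SHA1 still resolves; the orphan hash row at the top of SAMPLE (a continuation of an entry whose path is on the previous page) is ignored rather than mis-attached to the next file.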