Malware Analysis Report

2024-10-16 04:44

Sample ID 240602-eqmb1aae3w
Target 342872c7a7e45650c3f94380fb9dd4d0_NeikiAnalytics.exe
SHA256 ed17dbedcec79e7074d6b23f1ee76a59e83af4654755fc37bc4ab41f955de091
Tags
backdoor trojan dropper berbew persistence
score
10/10

Analysis Overview

score
10/10

SHA256

ed17dbedcec79e7074d6b23f1ee76a59e83af4654755fc37bc4ab41f955de091

Threat Level: Known bad

The file 342872c7a7e45650c3f94380fb9dd4d0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

backdoor trojan dropper berbew persistence

Berbew family

Malware Dropper & Backdoor - Berbew

Adds autorun key to be loaded by Explorer.exe on startup

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Program crash

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-02 04:08

Signatures

Berbew family

berbew

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-02 04:08

Reported

2024-06-02 04:11

Platform

win7-20240508-en

Max time kernel

147s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\342872c7a7e45650c3f94380fb9dd4d0_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nfmmin32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cdakgibq.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Coklgg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fjgoce32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hiqbndpb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iaeiieeb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bokphdld.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ddcdkl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Epfhbign.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eeempocb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pabjem32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aiedjneg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dflkdp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eqonkmdh.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gpknlk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gegfdb32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hcplhi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Oenifh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cnippoha.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Feeiob32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gaqcoc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hjjddchg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Oojknblb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eecqjpee.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hiqbndpb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hggomh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cnippoha.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ghmiam32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gmgdddmq.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ofbfdmeb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pijbfj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bgknheej.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dflkdp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dmoipopd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Facdeo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fjlhneio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hhjhkq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nfkpdn32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Admemg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Efncicpm.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Goddhg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gmjaic32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hcifgjgc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hcifgjgc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oenifh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pmlkpjpj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cciemedf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ckdjbh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gejcjbah.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ghmiam32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hlcgeo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cckace32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dqlafm32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Epdkli32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hlhaqogk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hjjddchg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\342872c7a7e45650c3f94380fb9dd4d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nfkpdn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ofbfdmeb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pabjem32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Coklgg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dqelenlc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Facdeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bgknheej.exe N/A

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Nfkpdn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nfmmin32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofbfdmeb.exe N/A
N/A N/A C:\Windows\SysWOW64\Oojknblb.exe N/A
N/A N/A C:\Windows\SysWOW64\Oqqapjnk.exe N/A
N/A N/A C:\Windows\SysWOW64\Oenifh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pmlkpjpj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ppmdbe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Plfamfpm.exe N/A
N/A N/A C:\Windows\SysWOW64\Pabjem32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pijbfj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aiedjneg.exe N/A
N/A N/A C:\Windows\SysWOW64\Admemg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aiinen32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bokphdld.exe N/A
N/A N/A C:\Windows\SysWOW64\Beehencq.exe N/A
N/A N/A C:\Windows\SysWOW64\Bgknheej.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdooajdc.exe N/A
N/A N/A C:\Windows\SysWOW64\Cngcjo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdakgibq.exe N/A
N/A N/A C:\Windows\SysWOW64\Cnippoha.exe N/A
N/A N/A C:\Windows\SysWOW64\Coklgg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cpjiajeb.exe N/A
N/A N/A C:\Windows\SysWOW64\Cciemedf.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckdjbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cckace32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cndbcc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dflkdp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dngoibmo.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqelenlc.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnilobkm.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddcdkl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmoipopd.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddeaalpg.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqlafm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcknbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eqonkmdh.exe N/A
N/A N/A C:\Windows\SysWOW64\Eflgccbp.exe N/A
N/A N/A C:\Windows\SysWOW64\Epdkli32.exe N/A
N/A N/A C:\Windows\SysWOW64\Efncicpm.exe N/A
N/A N/A C:\Windows\SysWOW64\Epfhbign.exe N/A
N/A N/A C:\Windows\SysWOW64\Eecqjpee.exe N/A
N/A N/A C:\Windows\SysWOW64\Enkece32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eeempocb.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejbfhfaj.exe N/A
N/A N/A C:\Windows\SysWOW64\Fckjalhj.exe N/A
N/A N/A C:\Windows\SysWOW64\Flabbihl.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmcoja32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjgoce32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fhkpmjln.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjilieka.exe N/A
N/A N/A C:\Windows\SysWOW64\Facdeo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fpfdalii.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjlhneio.exe N/A
N/A N/A C:\Windows\SysWOW64\Fddmgjpo.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffbicfoc.exe N/A
N/A N/A C:\Windows\SysWOW64\Feeiob32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmlapp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gpknlk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gegfdb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gicbeald.exe N/A
N/A N/A C:\Windows\SysWOW64\Gejcjbah.exe N/A
N/A N/A C:\Windows\SysWOW64\Gobgcg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gaqcoc32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\342872c7a7e45650c3f94380fb9dd4d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\342872c7a7e45650c3f94380fb9dd4d0_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\SysWOW64\Nfkpdn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nfkpdn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nfmmin32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nfmmin32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofbfdmeb.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofbfdmeb.exe N/A
N/A N/A C:\Windows\SysWOW64\Oojknblb.exe N/A
N/A N/A C:\Windows\SysWOW64\Oojknblb.exe N/A
N/A N/A C:\Windows\SysWOW64\Oqqapjnk.exe N/A
N/A N/A C:\Windows\SysWOW64\Oqqapjnk.exe N/A
N/A N/A C:\Windows\SysWOW64\Oenifh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oenifh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pmlkpjpj.exe N/A
N/A N/A C:\Windows\SysWOW64\Pmlkpjpj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ppmdbe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ppmdbe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Plfamfpm.exe N/A
N/A N/A C:\Windows\SysWOW64\Plfamfpm.exe N/A
N/A N/A C:\Windows\SysWOW64\Pabjem32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pabjem32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pijbfj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pijbfj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aiedjneg.exe N/A
N/A N/A C:\Windows\SysWOW64\Aiedjneg.exe N/A
N/A N/A C:\Windows\SysWOW64\Admemg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Admemg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aiinen32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aiinen32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bokphdld.exe N/A
N/A N/A C:\Windows\SysWOW64\Bokphdld.exe N/A
N/A N/A C:\Windows\SysWOW64\Beehencq.exe N/A
N/A N/A C:\Windows\SysWOW64\Beehencq.exe N/A
N/A N/A C:\Windows\SysWOW64\Bgknheej.exe N/A
N/A N/A C:\Windows\SysWOW64\Bgknheej.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdooajdc.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdooajdc.exe N/A
N/A N/A C:\Windows\SysWOW64\Cngcjo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cngcjo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdakgibq.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdakgibq.exe N/A
N/A N/A C:\Windows\SysWOW64\Cnippoha.exe N/A
N/A N/A C:\Windows\SysWOW64\Cnippoha.exe N/A
N/A N/A C:\Windows\SysWOW64\Coklgg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Coklgg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cpjiajeb.exe N/A
N/A N/A C:\Windows\SysWOW64\Cpjiajeb.exe N/A
N/A N/A C:\Windows\SysWOW64\Cciemedf.exe N/A
N/A N/A C:\Windows\SysWOW64\Cciemedf.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckdjbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckdjbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cckace32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cckace32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cndbcc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cndbcc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dflkdp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dflkdp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dngoibmo.exe N/A
N/A N/A C:\Windows\SysWOW64\Dngoibmo.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqelenlc.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqelenlc.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnilobkm.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnilobkm.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Ddcdkl32.exe C:\Windows\SysWOW64\Dnilobkm.exe N/A
File created C:\Windows\SysWOW64\Chcphm32.dll C:\Windows\SysWOW64\Efncicpm.exe N/A
File created C:\Windows\SysWOW64\Nejeco32.dll C:\Windows\SysWOW64\Cpjiajeb.exe N/A
File created C:\Windows\SysWOW64\Fglhobmg.dll C:\Windows\SysWOW64\Dngoibmo.exe N/A
File opened for modification C:\Windows\SysWOW64\Facdeo32.exe C:\Windows\SysWOW64\Fjilieka.exe N/A
File created C:\Windows\SysWOW64\Fealjk32.dll C:\Windows\SysWOW64\Hahjpbad.exe N/A
File created C:\Windows\SysWOW64\Hpmgqnfl.exe C:\Windows\SysWOW64\Hcifgjgc.exe N/A
File created C:\Windows\SysWOW64\Fmlapp32.exe C:\Windows\SysWOW64\Feeiob32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fmlapp32.exe C:\Windows\SysWOW64\Feeiob32.exe N/A
File created C:\Windows\SysWOW64\Ocjcidbb.dll C:\Windows\SysWOW64\Gpknlk32.exe N/A
File created C:\Windows\SysWOW64\Pjholl32.dll C:\Windows\SysWOW64\Nfkpdn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pmlkpjpj.exe C:\Windows\SysWOW64\Oenifh32.exe N/A
File created C:\Windows\SysWOW64\Feeiob32.exe C:\Windows\SysWOW64\Ffbicfoc.exe N/A
File created C:\Windows\SysWOW64\Gicbeald.exe C:\Windows\SysWOW64\Gegfdb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ghkllmoi.exe C:\Windows\SysWOW64\Gaqcoc32.exe N/A
File created C:\Windows\SysWOW64\Hlcgeo32.exe C:\Windows\SysWOW64\Hiekid32.exe N/A
File created C:\Windows\SysWOW64\Hpenlb32.dll C:\Windows\SysWOW64\Cckace32.exe N/A
File created C:\Windows\SysWOW64\Lopekk32.dll C:\Windows\SysWOW64\Epfhbign.exe N/A
File created C:\Windows\SysWOW64\Facdeo32.exe C:\Windows\SysWOW64\Fjilieka.exe N/A
File opened for modification C:\Windows\SysWOW64\Hcifgjgc.exe C:\Windows\SysWOW64\Hahjpbad.exe N/A
File created C:\Windows\SysWOW64\Pijbfj32.exe C:\Windows\SysWOW64\Pabjem32.exe N/A
File created C:\Windows\SysWOW64\Aiinen32.exe C:\Windows\SysWOW64\Admemg32.exe N/A
File created C:\Windows\SysWOW64\Dqelenlc.exe C:\Windows\SysWOW64\Dngoibmo.exe N/A
File created C:\Windows\SysWOW64\Enkece32.exe C:\Windows\SysWOW64\Eecqjpee.exe N/A
File opened for modification C:\Windows\SysWOW64\Ffbicfoc.exe C:\Windows\SysWOW64\Fddmgjpo.exe N/A
File opened for modification C:\Windows\SysWOW64\Gegfdb32.exe C:\Windows\SysWOW64\Gpknlk32.exe N/A
File created C:\Windows\SysWOW64\Bioggp32.dll C:\Windows\SysWOW64\Ckdjbh32.exe N/A
File created C:\Windows\SysWOW64\Bnhgoq32.dll C:\Windows\SysWOW64\Nfmmin32.exe N/A
File created C:\Windows\SysWOW64\Pienahqb.dll C:\Windows\SysWOW64\Admemg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ckdjbh32.exe C:\Windows\SysWOW64\Cciemedf.exe N/A
File created C:\Windows\SysWOW64\Pafagk32.dll C:\Windows\SysWOW64\Dqlafm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gobgcg32.exe C:\Windows\SysWOW64\Gejcjbah.exe N/A
File created C:\Windows\SysWOW64\Kkfofpak.dll C:\Windows\SysWOW64\Ppmdbe32.exe N/A
File opened for modification C:\Windows\SysWOW64\Aiedjneg.exe C:\Windows\SysWOW64\Pijbfj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dcknbh32.exe C:\Windows\SysWOW64\Dqlafm32.exe N/A
File created C:\Windows\SysWOW64\Ejbfhfaj.exe C:\Windows\SysWOW64\Eeempocb.exe N/A
File opened for modification C:\Windows\SysWOW64\Fjilieka.exe C:\Windows\SysWOW64\Fhkpmjln.exe N/A
File opened for modification C:\Windows\SysWOW64\Gpknlk32.exe C:\Windows\SysWOW64\Fmlapp32.exe N/A
File created C:\Windows\SysWOW64\Lponfjoo.dll C:\Windows\SysWOW64\Hhjhkq32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hlhaqogk.exe C:\Windows\SysWOW64\Hjjddchg.exe N/A
File created C:\Windows\SysWOW64\Abmjii32.dll C:\Windows\SysWOW64\Ofbfdmeb.exe N/A
File opened for modification C:\Windows\SysWOW64\Plfamfpm.exe C:\Windows\SysWOW64\Ppmdbe32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dngoibmo.exe C:\Windows\SysWOW64\Dflkdp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Eflgccbp.exe C:\Windows\SysWOW64\Eqonkmdh.exe N/A
File created C:\Windows\SysWOW64\Bcqgok32.dll C:\Windows\SysWOW64\Feeiob32.exe N/A
File created C:\Windows\SysWOW64\Gpknlk32.exe C:\Windows\SysWOW64\Fmlapp32.exe N/A
File created C:\Windows\SysWOW64\Ambcae32.dll C:\Windows\SysWOW64\Eeempocb.exe N/A
File opened for modification C:\Windows\SysWOW64\Ilknfn32.exe C:\Windows\SysWOW64\Iaeiieeb.exe N/A
File opened for modification C:\Windows\SysWOW64\Ioijbj32.exe C:\Windows\SysWOW64\Ilknfn32.exe N/A
File created C:\Windows\SysWOW64\Dflkdp32.exe C:\Windows\SysWOW64\Cndbcc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dflkdp32.exe C:\Windows\SysWOW64\Cndbcc32.exe N/A
File created C:\Windows\SysWOW64\Dqlafm32.exe C:\Windows\SysWOW64\Ddeaalpg.exe N/A
File opened for modification C:\Windows\SysWOW64\Ejbfhfaj.exe C:\Windows\SysWOW64\Eeempocb.exe N/A
File created C:\Windows\SysWOW64\Flabbihl.exe C:\Windows\SysWOW64\Fckjalhj.exe N/A
File created C:\Windows\SysWOW64\Goddhg32.exe C:\Windows\SysWOW64\Ghkllmoi.exe N/A
File created C:\Windows\SysWOW64\Ebbjqa32.dll C:\Windows\SysWOW64\Pabjem32.exe N/A
File created C:\Windows\SysWOW64\Lbidmekh.dll C:\Windows\SysWOW64\Eecqjpee.exe N/A
File opened for modification C:\Windows\SysWOW64\Gkkemh32.exe C:\Windows\SysWOW64\Ghmiam32.exe N/A
File created C:\Windows\SysWOW64\Gobgcg32.exe C:\Windows\SysWOW64\Gejcjbah.exe N/A
File created C:\Windows\SysWOW64\Hjlobf32.dll C:\Users\Admin\AppData\Local\Temp\342872c7a7e45650c3f94380fb9dd4d0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Oqqapjnk.exe C:\Windows\SysWOW64\Oojknblb.exe N/A
File created C:\Windows\SysWOW64\Kfqpfb32.dll C:\Windows\SysWOW64\Pijbfj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bgknheej.exe C:\Windows\SysWOW64\Beehencq.exe N/A
File created C:\Windows\SysWOW64\Gkkgcp32.dll C:\Windows\SysWOW64\Beehencq.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Iagfoe32.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ckdjbh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Eeempocb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kifjcn32.dll" C:\Windows\SysWOW64\Ffbicfoc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Febhomkh.dll" C:\Windows\SysWOW64\Goddhg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lponfjoo.dll" C:\Windows\SysWOW64\Hhjhkq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbolpc32.dll" C:\Windows\SysWOW64\Dflkdp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbepi32.dll" C:\Windows\SysWOW64\Facdeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jolfcj32.dll" C:\Windows\SysWOW64\Aiedjneg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cnippoha.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Eflgccbp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhpdae32.dll" C:\Windows\SysWOW64\Hpmgqnfl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gobgcg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hiqbndpb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hcplhi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Beehencq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cngcjo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ddcdkl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dcknbh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnkajj32.dll" C:\Windows\SysWOW64\Fhkpmjln.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ppmdbe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Coklgg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abmjii32.dll" C:\Windows\SysWOW64\Ofbfdmeb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ofbfdmeb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cpjiajeb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hellne32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hcplhi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pmlkpjpj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdcec32.dll" C:\Windows\SysWOW64\Cndbcc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajlppdeb.dll" C:\Windows\SysWOW64\Fckjalhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjchc32.dll" C:\Windows\SysWOW64\Fddmgjpo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aimkgn32.dll" C:\Windows\SysWOW64\Gkkemh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\342872c7a7e45650c3f94380fb9dd4d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcgeaj32.dll" C:\Windows\SysWOW64\Pmlkpjpj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pijbfj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Eeempocb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cdakgibq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cckace32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlobf32.dll" C:\Users\Admin\AppData\Local\Temp\342872c7a7e45650c3f94380fb9dd4d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gaqcoc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmjdk32.dll" C:\Windows\SysWOW64\Gmjaic32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hiqbndpb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hlhaqogk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cngcjo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lonkjenl.dll" C:\Windows\SysWOW64\Enkece32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ejbfhfaj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gkkemh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnijonn.dll" C:\Windows\SysWOW64\Ilknfn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nfmmin32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cnippoha.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dnilobkm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hahjpbad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmibbifn.dll" C:\Windows\SysWOW64\Hlhaqogk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aiedjneg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dcknbh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fmlapp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Goddhg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gmjaic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Admemg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iiciogbn.dll" C:\Windows\SysWOW64\Cngcjo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nfmmin32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ddeaalpg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hlhaqogk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ddcdkl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikkbnm32.dll" C:\Windows\SysWOW64\Fjgoce32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2980 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\342872c7a7e45650c3f94380fb9dd4d0_NeikiAnalytics.exe C:\Windows\SysWOW64\Nfkpdn32.exe
PID 544 wrote to memory of 2108 N/A C:\Windows\SysWOW64\Nfkpdn32.exe C:\Windows\SysWOW64\Nfmmin32.exe
PID 2108 wrote to memory of 2736 N/A C:\Windows\SysWOW64\Nfmmin32.exe C:\Windows\SysWOW64\Ofbfdmeb.exe
PID 2736 wrote to memory of 2636 N/A C:\Windows\SysWOW64\Ofbfdmeb.exe C:\Windows\SysWOW64\Oojknblb.exe
PID 2636 wrote to memory of 1324 N/A C:\Windows\SysWOW64\Oojknblb.exe C:\Windows\SysWOW64\Oqqapjnk.exe
PID 1324 wrote to memory of 2532 N/A C:\Windows\SysWOW64\Oqqapjnk.exe C:\Windows\SysWOW64\Oenifh32.exe
PID 2532 wrote to memory of 1756 N/A C:\Windows\SysWOW64\Oenifh32.exe C:\Windows\SysWOW64\Pmlkpjpj.exe
PID 1756 wrote to memory of 2868 N/A C:\Windows\SysWOW64\Pmlkpjpj.exe C:\Windows\SysWOW64\Ppmdbe32.exe
PID 2868 wrote to memory of 3048 N/A C:\Windows\SysWOW64\Ppmdbe32.exe C:\Windows\SysWOW64\Plfamfpm.exe
PID 3048 wrote to memory of 1668 N/A C:\Windows\SysWOW64\Plfamfpm.exe C:\Windows\SysWOW64\Pabjem32.exe
PID 1668 wrote to memory of 2904 N/A C:\Windows\SysWOW64\Pabjem32.exe C:\Windows\SysWOW64\Pijbfj32.exe
PID 2904 wrote to memory of 1632 N/A C:\Windows\SysWOW64\Pijbfj32.exe C:\Windows\SysWOW64\Aiedjneg.exe
PID 1632 wrote to memory of 2116 N/A C:\Windows\SysWOW64\Aiedjneg.exe C:\Windows\SysWOW64\Admemg32.exe
PID 2116 wrote to memory of 2500 N/A C:\Windows\SysWOW64\Admemg32.exe C:\Windows\SysWOW64\Aiinen32.exe
PID 2500 wrote to memory of 2848 N/A C:\Windows\SysWOW64\Aiinen32.exe C:\Windows\SysWOW64\Bokphdld.exe
PID 2848 wrote to memory of 320 N/A C:\Windows\SysWOW64\Bokphdld.exe C:\Windows\SysWOW64\Beehencq.exe

Processes

C:\Users\Admin\AppData\Local\Temp\342872c7a7e45650c3f94380fb9dd4d0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\342872c7a7e45650c3f94380fb9dd4d0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Nfkpdn32.exe

C:\Windows\system32\Nfkpdn32.exe

C:\Windows\SysWOW64\Nfmmin32.exe

C:\Windows\system32\Nfmmin32.exe

C:\Windows\SysWOW64\Ofbfdmeb.exe

C:\Windows\system32\Ofbfdmeb.exe

C:\Windows\SysWOW64\Oojknblb.exe

C:\Windows\system32\Oojknblb.exe

C:\Windows\SysWOW64\Oqqapjnk.exe

C:\Windows\system32\Oqqapjnk.exe

C:\Windows\SysWOW64\Oenifh32.exe

C:\Windows\system32\Oenifh32.exe

C:\Windows\SysWOW64\Pmlkpjpj.exe

C:\Windows\system32\Pmlkpjpj.exe

C:\Windows\SysWOW64\Ppmdbe32.exe

C:\Windows\system32\Ppmdbe32.exe

C:\Windows\SysWOW64\Plfamfpm.exe

C:\Windows\system32\Plfamfpm.exe

C:\Windows\SysWOW64\Pabjem32.exe

C:\Windows\system32\Pabjem32.exe

C:\Windows\SysWOW64\Pijbfj32.exe

C:\Windows\system32\Pijbfj32.exe

C:\Windows\SysWOW64\Aiedjneg.exe

C:\Windows\system32\Aiedjneg.exe

C:\Windows\SysWOW64\Admemg32.exe

C:\Windows\system32\Admemg32.exe

C:\Windows\SysWOW64\Aiinen32.exe

C:\Windows\system32\Aiinen32.exe

C:\Windows\SysWOW64\Bokphdld.exe

C:\Windows\system32\Bokphdld.exe

C:\Windows\SysWOW64\Beehencq.exe

C:\Windows\system32\Beehencq.exe

C:\Windows\SysWOW64\Bgknheej.exe

C:\Windows\system32\Bgknheej.exe

C:\Windows\SysWOW64\Bdooajdc.exe

C:\Windows\system32\Bdooajdc.exe

C:\Windows\SysWOW64\Cngcjo32.exe

C:\Windows\system32\Cngcjo32.exe

C:\Windows\SysWOW64\Cdakgibq.exe

C:\Windows\system32\Cdakgibq.exe

C:\Windows\SysWOW64\Cnippoha.exe

C:\Windows\system32\Cnippoha.exe

C:\Windows\SysWOW64\Coklgg32.exe

C:\Windows\system32\Coklgg32.exe

C:\Windows\SysWOW64\Cpjiajeb.exe

C:\Windows\system32\Cpjiajeb.exe

C:\Windows\SysWOW64\Cciemedf.exe

C:\Windows\system32\Cciemedf.exe

C:\Windows\SysWOW64\Ckdjbh32.exe

C:\Windows\system32\Ckdjbh32.exe

C:\Windows\SysWOW64\Cckace32.exe

C:\Windows\system32\Cckace32.exe

C:\Windows\SysWOW64\Cndbcc32.exe

C:\Windows\system32\Cndbcc32.exe

C:\Windows\SysWOW64\Dflkdp32.exe

C:\Windows\system32\Dflkdp32.exe

C:\Windows\SysWOW64\Dngoibmo.exe

C:\Windows\system32\Dngoibmo.exe

C:\Windows\SysWOW64\Dqelenlc.exe

C:\Windows\system32\Dqelenlc.exe

C:\Windows\SysWOW64\Dnilobkm.exe

C:\Windows\system32\Dnilobkm.exe

C:\Windows\SysWOW64\Ddcdkl32.exe

C:\Windows\system32\Ddcdkl32.exe

C:\Windows\SysWOW64\Dmoipopd.exe

C:\Windows\system32\Dmoipopd.exe

C:\Windows\SysWOW64\Ddeaalpg.exe

C:\Windows\system32\Ddeaalpg.exe

C:\Windows\SysWOW64\Dqlafm32.exe

C:\Windows\system32\Dqlafm32.exe

C:\Windows\SysWOW64\Dcknbh32.exe

C:\Windows\system32\Dcknbh32.exe

C:\Windows\SysWOW64\Eqonkmdh.exe

C:\Windows\system32\Eqonkmdh.exe

C:\Windows\SysWOW64\Eflgccbp.exe

C:\Windows\system32\Eflgccbp.exe

C:\Windows\SysWOW64\Epdkli32.exe

C:\Windows\system32\Epdkli32.exe

C:\Windows\SysWOW64\Efncicpm.exe

C:\Windows\system32\Efncicpm.exe

C:\Windows\SysWOW64\Epfhbign.exe

C:\Windows\system32\Epfhbign.exe

C:\Windows\SysWOW64\Eecqjpee.exe

C:\Windows\system32\Eecqjpee.exe

C:\Windows\SysWOW64\Enkece32.exe

C:\Windows\system32\Enkece32.exe

C:\Windows\SysWOW64\Eeempocb.exe

C:\Windows\system32\Eeempocb.exe

C:\Windows\SysWOW64\Ejbfhfaj.exe

C:\Windows\system32\Ejbfhfaj.exe

C:\Windows\SysWOW64\Fckjalhj.exe

C:\Windows\system32\Fckjalhj.exe

C:\Windows\SysWOW64\Flabbihl.exe

C:\Windows\system32\Flabbihl.exe

C:\Windows\SysWOW64\Fmcoja32.exe

C:\Windows\system32\Fmcoja32.exe

C:\Windows\SysWOW64\Fjgoce32.exe

C:\Windows\system32\Fjgoce32.exe

C:\Windows\SysWOW64\Fhkpmjln.exe

C:\Windows\system32\Fhkpmjln.exe

C:\Windows\SysWOW64\Fjilieka.exe

C:\Windows\system32\Fjilieka.exe

C:\Windows\SysWOW64\Facdeo32.exe

C:\Windows\system32\Facdeo32.exe

C:\Windows\SysWOW64\Fpfdalii.exe

C:\Windows\system32\Fpfdalii.exe

C:\Windows\SysWOW64\Fjlhneio.exe

C:\Windows\system32\Fjlhneio.exe

C:\Windows\SysWOW64\Fddmgjpo.exe

C:\Windows\system32\Fddmgjpo.exe

C:\Windows\SysWOW64\Ffbicfoc.exe

C:\Windows\system32\Ffbicfoc.exe

C:\Windows\SysWOW64\Feeiob32.exe

C:\Windows\system32\Feeiob32.exe

C:\Windows\SysWOW64\Fmlapp32.exe

C:\Windows\system32\Fmlapp32.exe

C:\Windows\SysWOW64\Gpknlk32.exe

C:\Windows\system32\Gpknlk32.exe

C:\Windows\SysWOW64\Gegfdb32.exe

C:\Windows\system32\Gegfdb32.exe

C:\Windows\SysWOW64\Gicbeald.exe

C:\Windows\system32\Gicbeald.exe

C:\Windows\SysWOW64\Gejcjbah.exe

C:\Windows\system32\Gejcjbah.exe

C:\Windows\SysWOW64\Gobgcg32.exe

C:\Windows\system32\Gobgcg32.exe

C:\Windows\SysWOW64\Gaqcoc32.exe

C:\Windows\system32\Gaqcoc32.exe

C:\Windows\SysWOW64\Ghkllmoi.exe

C:\Windows\system32\Ghkllmoi.exe

C:\Windows\SysWOW64\Goddhg32.exe

C:\Windows\system32\Goddhg32.exe

C:\Windows\SysWOW64\Gmgdddmq.exe

C:\Windows\system32\Gmgdddmq.exe

C:\Windows\SysWOW64\Ghmiam32.exe

C:\Windows\system32\Ghmiam32.exe

C:\Windows\SysWOW64\Gkkemh32.exe

C:\Windows\system32\Gkkemh32.exe

C:\Windows\SysWOW64\Gmjaic32.exe

C:\Windows\system32\Gmjaic32.exe

C:\Windows\SysWOW64\Gphmeo32.exe

C:\Windows\system32\Gphmeo32.exe

C:\Windows\SysWOW64\Hiqbndpb.exe

C:\Windows\system32\Hiqbndpb.exe

C:\Windows\SysWOW64\Hahjpbad.exe

C:\Windows\system32\Hahjpbad.exe

C:\Windows\SysWOW64\Hcifgjgc.exe

C:\Windows\system32\Hcifgjgc.exe

C:\Windows\SysWOW64\Hpmgqnfl.exe

C:\Windows\system32\Hpmgqnfl.exe

C:\Windows\SysWOW64\Hggomh32.exe

C:\Windows\system32\Hggomh32.exe

C:\Windows\SysWOW64\Hiekid32.exe

C:\Windows\system32\Hiekid32.exe

C:\Windows\SysWOW64\Hlcgeo32.exe

C:\Windows\system32\Hlcgeo32.exe

C:\Windows\SysWOW64\Hellne32.exe

C:\Windows\system32\Hellne32.exe

C:\Windows\SysWOW64\Hhjhkq32.exe

C:\Windows\system32\Hhjhkq32.exe

C:\Windows\SysWOW64\Hcplhi32.exe

C:\Windows\system32\Hcplhi32.exe

C:\Windows\SysWOW64\Hjjddchg.exe

C:\Windows\system32\Hjjddchg.exe

C:\Windows\SysWOW64\Hlhaqogk.exe

C:\Windows\system32\Hlhaqogk.exe

C:\Windows\SysWOW64\Iaeiieeb.exe

C:\Windows\system32\Iaeiieeb.exe

C:\Windows\SysWOW64\Ilknfn32.exe

C:\Windows\system32\Ilknfn32.exe

C:\Windows\SysWOW64\Ioijbj32.exe

C:\Windows\system32\Ioijbj32.exe

C:\Windows\SysWOW64\Iagfoe32.exe

C:\Windows\system32\Iagfoe32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 140

Network

N/A

Files

SHA512 866c237af709d361bbdaf88a7e1701e12a3bf57f1d699fcecb73f70143cdc3cdd0f1e3e519028154ec5506259c6f44399b2474bbbcd8c29a34ad85926e6227ae

memory/2640-401-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2692-400-0x0000000000290000-0x00000000002C3000-memory.dmp

C:\Windows\SysWOW64\Ddeaalpg.exe

MD5 9e6bec7f769aaf9a2f897accdf49872b
SHA1 1a8c72944131730a84246bde28d62ec2c5fa21bf
SHA256 a6ff91ba14403082892af0245d1f98e7be852923cc23eea4a82a044258dcdb0c
SHA512 d787e653ab60c785454ce4522736123c8fb339478ffa8b6d577c8c4aab62108d9b05e01de2f6ddace4a4c2b32aa2bf726f02852905ff5fa070ee31898d12e35c

memory/2692-395-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Dqlafm32.exe

MD5 e54cb6adfe9d4d09ffb791749cabf426
SHA1 bd3961b5fecaeeefc874a07d6558c754266b08d3
SHA256 d1ac40aee8cd92006338669211d7c71854bf795b9faf6d76591c02b0628343a8
SHA512 632b7ddbb96bee465e51d12a76822cae7140a5cb6edc8dd846f97cc14919d02d6797fbc7c9f2176e34f6cf7fd9ca3e296e0a880db2e3876805bad33ed4c050a6

memory/2640-411-0x00000000002D0000-0x0000000000303000-memory.dmp

memory/2640-410-0x00000000002D0000-0x0000000000303000-memory.dmp

memory/3016-412-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2852-423-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3016-422-0x0000000000250000-0x0000000000283000-memory.dmp

memory/3016-421-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Dcknbh32.exe

MD5 c8bf926f703c0ca6ac210ef8ea1861ce
SHA1 b2a0a1f03f7cba71b75572f8a168622340943727
SHA256 138eeed89f4f57d20241ae2408f9419c4458a24c5fea7a93433217d45e7cd8ee
SHA512 6e7d470481aff8ac0035af66e3fad0a4e65f6e267e5ea2b269279732387fe88c72012cfed55ced7d0ad82febea982694f5b4728a4692cb064df2f4cdbfbc78ba

memory/2852-429-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Eqonkmdh.exe

MD5 5885e0eb7aaf0cd6443eac0fa41aa099
SHA1 e92e8bb71a2dea19b59c2f87bf88d1dcc6532c5e
SHA256 f0581bb071d103cd4db7f4a589c295b0b80710bad05e9e0391ed4905b2e45406
SHA512 8ad5f405e8e06d36a18c96687e121d4bb5072d7c7c23b768b9f576d557d9cd4c9c2f80562406d707b820774e40d48d4a81471b411f631cc792351d4d09c08f9e

memory/1448-444-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3036-443-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Eflgccbp.exe

MD5 ce2d228fd4bf27d04cef1b5cac849c8e
SHA1 9e3ddba176488bd0b88027a3692cdbbce5a20c78
SHA256 5616210460420b6f35ff02a741d8c99e286089e9e5159c4ab47ea5874900b439
SHA512 d1302c8c662d67b1fa1570b020b184aa773ebb106f446ccb30ff95c03ee62f9f33eb2638a9c8145595a903d62d43a11765f04ba504dd2a4e66df15f953f020d6

memory/3036-439-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2852-438-0x0000000000250000-0x0000000000283000-memory.dmp

memory/1448-450-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Epdkli32.exe

MD5 7fe476cb25187cc5a73735cac8ca7273
SHA1 fbbae033c20c8a4b046462d10c06cb471b415339
SHA256 f07071b73731b9d4bf684b9584d146af30e8e2110f4271842a0b9ea80f6aa138
SHA512 ff7c9e38d9e7f3e075f56f7f8c3ae2992caaf55aa242982a278df29fdbf0c06b160e4f9d113ed3a8389ea378ccfc41dbc524630f574c32adaadd6004b5f9ff9d

memory/1448-454-0x0000000000250000-0x0000000000283000-memory.dmp

memory/808-460-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Efncicpm.exe

MD5 e8bbc399891d24b3b24166bfb610657e
SHA1 53e2ed6f4c1afcb79ec6181b1328892935f5c0a3
SHA256 fa8563fac8711c896bac898bb26305308e59d676a2758d37793ae85fb6e8e5a1
SHA512 ab03da34485e3e1f97d22ffc168d4045aff975b273896729ffa46d9d7ad667cc5ad2446eb71cff89ac525cd615b2de445b9cd4aea0ae1e54a97516b02bc95e13

memory/808-464-0x00000000002F0000-0x0000000000323000-memory.dmp

memory/2896-466-0x0000000000400000-0x0000000000433000-memory.dmp

memory/808-465-0x00000000002F0000-0x0000000000323000-memory.dmp

C:\Windows\SysWOW64\Epfhbign.exe

MD5 65554c10107b57b6abb70db74b67ff3b
SHA1 05d1e671fc1e5fe51ea1eb4c44a0efb5a75f1616
SHA256 c698c42088e369cf4cbe55edde00f6c5ab4788cd5f7e0370a49d8ee2be2b478d
SHA512 03fc32d433bf5d8c871996f788432ae07cac07043b7c645254b0e4f664d663f3ae994909591c1d01ef39936a5b6c12df86a882b3bb8946f9dbc1d6789d78d770

memory/2896-476-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2896-475-0x0000000000250000-0x0000000000283000-memory.dmp

memory/1248-480-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Eecqjpee.exe

MD5 35bed1f01d208ad5ae95828fb7b1e758
SHA1 2258fe93cf98f8f868723ed09adb3d4ff5d8405a
SHA256 a4df095f83b15f2aa86397f2375f179f98bf00b5fdfe9dd37187ae94154bbab0
SHA512 f242a8d369e0d62d5b2007f264a297dfb2426c86e07568f256ca3e37e6c9bb2317f72112eda2720a8d897dc732217e2dad15a0239676c9b87e944d28e9867c8c

memory/1748-488-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1248-487-0x0000000000440000-0x0000000000473000-memory.dmp

memory/1248-486-0x0000000000440000-0x0000000000473000-memory.dmp

memory/1748-498-0x0000000000250000-0x0000000000283000-memory.dmp

memory/1748-497-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Enkece32.exe

MD5 19fc13773f58a5b1838da04638302109
SHA1 7356acbea8531e8527692870254592ac3ff5e215
SHA256 ad8d84af8f88dafd5516ada1b54c085574cb9218ced682de8d76748539534883
SHA512 ae6d79f00deb7f31c78a5040225f30367a019c6322ba597a0224409c6192aec68bfbef511462ce447aa942d74aca1f1560cd85349823856c60f893b6c1a85d18

memory/1972-502-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Eeempocb.exe

MD5 9c4b800396aa6d20ec2677ed1620f713
SHA1 3d02f119128c4230a26d8e5dfec3aa1de1a2a652
SHA256 e1c30d71a31813ce876c12520ac9e5a752798e4c1b5f387ccc1291917882099a
SHA512 4a46e144a9f011e3c3bf42b21285d7c6c1bb13385ce848225a6fbcecd49ca9637b2c98b44c06d830b3258ab634c27cb7dbc5625c3018825e55372cfea00f0ce7

memory/592-510-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1972-509-0x00000000002D0000-0x0000000000303000-memory.dmp

memory/2980-508-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ejbfhfaj.exe

MD5 71503547714ec079d3dc04396b954cd7
SHA1 ce7219c82d55938389944a38b2d0ae6d44a863a1
SHA256 0ec5e779453375c21cc7011498149f69d5d6a2d62ab4bf48ad2a1d2eb4ec1373
SHA512 df6e9758f92dfa16c11c2195fe03d483977da8757d4a14877a8baee7ff2e9b5672fe4246d4fa796b430e2a0a0d38b52bc6260c79157d7ad795aa9f69390410d1

memory/592-519-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Fckjalhj.exe

MD5 de892d4d2e41c7b4afdf613b8d0290af
SHA1 288fa7f82a03ae29bc9063985b366f87f57f8b31
SHA256 d82d948504736ea65f3dcd5456ca5a1305a49550b5a676b3f3f45c31d9b9ea0f
SHA512 352dc0119dbc87873e03e52b54d810c0233862243a2c06daab64687cc9f2bfca7a8b10cc10f41170da3fff67a434793005efca92647530cdacf89336dfdc3fda

C:\Windows\SysWOW64\Flabbihl.exe

MD5 618b8d06ca4b5a4bc08f2c2f573315fa
SHA1 9b1c0a8aceafe99be3c3df164a7eb48617967be2
SHA256 51793f679121670b51a3f49f557b7cb245c6dd7888796ab3769348e1e1397723
SHA512 55f5d78a80eec876045205a19af88520fccf99c9fa10092b304beb74de690bdf667d1687e106ad8ab312bbf33d4c22977edfc2e418ba365ffd3585c55f3244cb

C:\Windows\SysWOW64\Fmcoja32.exe

MD5 cb6b92a562e1660fb619a02c7054ba7d
SHA1 dc2ba799fd9a9576e081242ea35be1db155cf140
SHA256 13579f6b583de0ca0f2e76e941060470bdd347ce9d5cf96ba1bb661c0c31157b
SHA512 1d9b4379d230f70f2f84393c797d7247bba88a043c48041fe92f5d96d272c3b1728efd2e0733ded21ddd6c43ae3fa6229aa3673971f8c38a32b4bc30aa980ea4

C:\Windows\SysWOW64\Fjgoce32.exe

MD5 2c4a8f3094639990089625e9e927007c
SHA1 c60366cb9be19f0472dd2dc56f4a1eec6a4fe134
SHA256 f1752e7f0d1a4c77be3677af5de46c6d83ac9003ba6e678d196700cb5c036ee4
SHA512 9d25356c2d9b1119d434b889babe4f7b8443c315e16f1d8ea23075441c98983a3be5678b68d3cbdb9d9b5bfab6da5e77a9b797eeeb607d6baf5636c48c27fca0

C:\Windows\SysWOW64\Fhkpmjln.exe

MD5 c2303a1c25f91b79f499c1c1c95a7332
SHA1 6bc8af37cd6fa5d6e529492d6fb3b1d87f0fe8c0
SHA256 e3b25411cfd70e136713a4565db3ae13a5e77c995b31082abc59f631a1feb7a0
SHA512 c88fb49c5dd8cf51e583f20bbb6fcba11c85ddb2c626ad6757921e06a15d613c793642e97334f25f5ed21ce00f440ab9f9a70c1e460460834ead0f1ffce6b52b

C:\Windows\SysWOW64\Fjilieka.exe

MD5 1a140a84449b0682af8fc5b1c4f1d0c8
SHA1 9de42700e6b679855fc6424bff527bd2342c1975
SHA256 125a416b599035187ee905d1c59401bce45cd3e6626b41f5f2e7530dce93b05e
SHA512 a0942be63fb41754ec75f5d2b07bb39add320152f4fff6e634b41c08ae70b194893b0950064b6eb25abea33d1d9fd8b13d5bf5adfc16b5573f9d4fed74da3030

C:\Windows\SysWOW64\Facdeo32.exe

MD5 979b36c74d5c935ad562525909da141f
SHA1 92a417fcabbe406ab2fb90c6918fb24aaf8d090c
SHA256 b62b0bdf525086f65f9fe13446efe0b25c0a2b4f11a2aae5d604a6bf200bcb33
SHA512 5040f41b06b9b189758f3f16c2210bdbb8d0f22f6dbe63981359a2e5d7e1fba77c389bc38165a0ac54f63a0047174fbf2f39d2e1f66e607b6ee7d00d6cb9ba21

C:\Windows\SysWOW64\Fpfdalii.exe

MD5 14d8bbb97f94ef74b90b38ac03abb50b
SHA1 155b83aae2e7fc90f48e028553314647ef8f9731
SHA256 f2b6db31e5622736153a5b30fa7c79e5ffaf62244a18066073b873cf61fb73e7
SHA512 b2814b2ebdae7052a71d41bc7e4f2b35b03b4fdf9e7e22d9bf9d4728f62ae3a58c221b83538242b67a6b3d70c585ddde4cef323d0d74bd191c59aeaf14197af4

C:\Windows\SysWOW64\Fjlhneio.exe

MD5 9e27f1691193e707939ff046b43877dd
SHA1 ec38607f99ff40b7a48fe2f4261bd8dd30851f2d
SHA256 d7720df9b1c2e570c566322fa3c1344e2422be6275f2139d8cf5c9a309a8a26f
SHA512 6d0d0e0197f6ca28befb2caaeda44d951c61de084b657ca5ee869b76a6469043b7f5996eb601a2e6f65e7f93598f6c77b946c0f5972f592ee571d71d4f059b5d

C:\Windows\SysWOW64\Fddmgjpo.exe

MD5 b3c6e0f4b0149a28dbe606f895ffb85d
SHA1 f08390f9fe55e473fe5ef7e80952e5bff773dd7c
SHA256 ba216492f0c3a93ec341cdb0bd895a8ba171fcfed05f392c51106046e396b258
SHA512 863a10e772a56acc3893362c971b95e96d7bda5384e6ab75acaa592e1f7f4066364b487a846f35fb1df9e3ed809a90f6d9100c48a2246380885cc2c89406d93f

C:\Windows\SysWOW64\Ffbicfoc.exe

MD5 25f453fedeb40b73eed292589b6719b1
SHA1 c730e4a5c279a0df5fcc338b4e90e4bf73531cf7
SHA256 cbd28f9dfc8c18a874678e42313e82f41a3a2975fd404214d8ec3e15d6094ba7
SHA512 cb961e976f996ac52fb7e7ba54a094fd27e30f5317385c52ef0e51e28c26440ca3956d4419c9000c5bd2bfc5c09631f4d7e82881a7ee24f1989116467cdb5881

C:\Windows\SysWOW64\Feeiob32.exe

MD5 9ca53859195233769cce7d1da3ab46f5
SHA1 3bb39c98af08b9c9a8a5934cdf061ef88d980570
SHA256 6889282177f4dd6208eca33cdb9eb321627418619d78deed5433dc57324d8bff
SHA512 04720dc5150cc0ad64ffb2c83f41a7dcf469dcbeed394411b913f2f979fe764579c79254ebf474b5130608e4f9d8a75c0d5e75a5bf6f48e63e68d5d41617359d

C:\Windows\SysWOW64\Fmlapp32.exe

MD5 bec747afb2bff3f98c58aa638a7556d4
SHA1 e50b58d9960ac1968e4591e9c0f8677c13f595d1
SHA256 2663a11aab26de26668b81a9ad199adc24076a7f07141a03ba9bcd648a602021
SHA512 88dbd1f8418d63cb06408601f4ca6eeec47442a3b51ac77c8a772674cf3322bbdf5430e0418dc0dcf2e4cb1f4753a21c272179928106929a3d45c15b2583281c

C:\Windows\SysWOW64\Gpknlk32.exe

MD5 f6077bf0627f7e2389a076a47f42cb74
SHA1 b3f480831351f8333b3615b4aaaa59dd8309217f
SHA256 b5f707abeaf84013b54ee514aa05d18b1de85653f4daabb2743eaa95568b9337
SHA512 7a382ba9def33ed3ca88979a0298f0e1f380fa9ed37486238fcdc88b666aa70a8a3d0f22d99c01bf72c3f74149f0e4e49883a2d6432db849513d988addeee75b

C:\Windows\SysWOW64\Gegfdb32.exe

MD5 a90fb4226225331fc8f7fcc9325bff5a
SHA1 22d23914668af9eaa148fd270a757dd907eecdf8
SHA256 4d3948dfb6a2b4a6aba3b01b6b4a543beab68011bbe9cc19e844a390e0a65d83
SHA512 45aefacd957bbbd226b86274c404d26d04b9a762a69750e2f0c2947577b678c153576d4a90d4ce51d1a16b93e1518daa2c4336b3f1baf6a09dfa8c8863999700

C:\Windows\SysWOW64\Gicbeald.exe

MD5 aad977ffb3cf8820618ed870e35a01c6
SHA1 19c8067783c82a42a0fa330bd552fb9a27b2c095
SHA256 840f415d88f4d221c20b3782281e284e52ee0023397b16b45336c441f3c9396e
SHA512 cb7fd7e9d36dd3a04e1e6f2abbd9a4b40361bdf240ffbb349cd9371e8002a254f39892472bd0c595145bf8c51546c1f6701de66e43b1767ca358422f92b0ae2b

C:\Windows\SysWOW64\Gejcjbah.exe

MD5 d5f524fd7c4a9454f7baebbc8b4efb12
SHA1 a4e00e3e754386e02646dcb1a857567a62cfa6ee
SHA256 8c55a65cac95a331193e4f7df9175faee11fd50c972c45fd951e4473957ffee0
SHA512 2192b66216ba1d97bb2fe0a0270682d1ea3509752da8887e7925b082e759f19cc317b827e9dde3b4c47c18f12a52872fccc1c8f505b72b182f0cc8aaeb5d4a8c

C:\Windows\SysWOW64\Gobgcg32.exe

MD5 61bd41101e49d0007568830987d467f2
SHA1 5f2b6626b777baab0e6514b90238d947e8f1c51c
SHA256 f4080759a07632a1087147a432a89d83c03793ef94f316f6b8ce8950dab7f60f
SHA512 d116e4eee904c823072392941e5c094b9a0dfd582a04b85b8f71ef48fa16140f7aab12a5b491056e0c25d08d6a5add954e823b1f40afe215bfcc8cbe68962f9f

C:\Windows\SysWOW64\Gaqcoc32.exe

MD5 320b77eaf94f073a4a2690de408a27e9
SHA1 172cf0308dd80b085f83dd0b3b0593a0957ae5ae
SHA256 4c8c738289666b04d6a800de20092b3b743faf962798f6ed5ad1b7d4f3252541
SHA512 3ae4f013b838f6da24bc866c9575df72f6e9f8070ae9d352af6a00d1faa38106b19b5501fcaca047db24d0e9cd8c2d123238b1ce0625ff6a0ae1f6835ed60bde

C:\Windows\SysWOW64\Ghkllmoi.exe

MD5 4d2252577db18c8fa69f9c1a9546acbc
SHA1 9c254f8f98022f75b6cdf5dd282db6ad07c4fecd
SHA256 c642db22ab940890bea098e52ecb897249681e14750f628ff7c3a53118a21239
SHA512 2eac29c9dac2c6e38a9c44e8904642ddda6fabff5283bdd15416138cc50c6d6e3a6bb893c9d19f19ddb0976f7fd780ccb093ecc14d8813cc109d881dd5307c18

C:\Windows\SysWOW64\Goddhg32.exe

MD5 93c9a61751862fb75e812ed152e5c903
SHA1 f007255bc1149aab0fa98c6025b1f40de2df3546
SHA256 552c84e8a50d3e10d541a2009412c0e5b44a89369f6386197483ccc6db6ee00c
SHA512 d4b7eb57c6ef931909191c620a884cd0a3d673f614bf125f81c76d686d5090b6ceaf9bdd11c85ccc54c16d87057ceb769a713b709adb241314c1067f1ff23325

C:\Windows\SysWOW64\Gmgdddmq.exe

MD5 47d35315b8df54ed857fb08b71fb251a
SHA1 605a3099203c161980d70d7e7d2eeb778954e3ea
SHA256 f9a3530f532e96f413852af30c2e38f482c334961b341591be3b16cb948ca506
SHA512 90a2f66f92e9c90c37ad9ba2b9fc2ec2bc9b6e9dfa564ab5321bc7a8ed0e437c2286890329ca64b0449f7f1a6d3554bfd350e9a98dba1f02e8d19a4bfc0b0874

C:\Windows\SysWOW64\Ghmiam32.exe

MD5 3221287530fe55cc220782670d6c8bf5
SHA1 494d311c72f360fc447c4359c4c7dea45162bfc2
SHA256 b1dfd75c820e2f940285980f7016da392cc807373b47a0e1ab59587de2242868
SHA512 36219d2b488a0ecbbe750d75555019ba88f4dbfda45fe36eeb2c22e147fe54f73960ce013f59d8623863a801ec893b18a6e4e2ed3b12bbe7efb96fa66790c286

C:\Windows\SysWOW64\Gkkemh32.exe

MD5 3da3df74a7cf7f929d822696cfdcd1ab
SHA1 8a1f06301eb045bf1fe5306870af356d564a951c
SHA256 ab4a6300dcec96191558aec79afad14b031186a742dfc2d1d0fd6e63f3a5464c
SHA512 32c1460e6a1924ab7a4a69bf54a41f410b879345fdd425ab48d2ccac48572940069c0e09f689e98602885e036dff19403fc4e9eb7f5bacd2b2992f8c03b5cc5b

C:\Windows\SysWOW64\Gmjaic32.exe

MD5 b84ef8205e49192f02563440479cbc13
SHA1 61a6192adea28414119316e3f59f64178045623e
SHA256 ceb996ec1f600411069317a43150aed09b76b397b63e0fc3a93cdc0e1c783844
SHA512 d1b7eea2397c5aaeb221be7376a7e535c2509c0618952b7113687427f2f1029aeb35a2a197ff170a5b5606abe21dad6bc682fbea86b3e4adfdc678349e7d0451

C:\Windows\SysWOW64\Gphmeo32.exe

MD5 f21ee9a39854c3f319df2453b7072172
SHA1 ad7eaffcdd0e050215d6d149aabe43f996046944
SHA256 7bc5c9405f0c9ff77673e164651cc21cbc34e94c7638122a69e0f801538f1eaf
SHA512 9bd8305b9875b63219c45dbb3bb8d8523639adfc3ec3c949f9cf259ffc31c860a149f3a1f2202c9c9edfa576b68e8e990c957fca27d8453cbe76774b238113db

C:\Windows\SysWOW64\Hiqbndpb.exe

MD5 6c73a22b049e325f07135c7a042e8137
SHA1 e57bcecd43f702aeb1de1f55eb90c75b164671d7
SHA256 c340216f67772cf3b3d6b99a696bd335315f2fafab1e92af9289011ad864109b
SHA512 79df9e7547a0303adfe06bd874aad84c024c0c3d669bd70d6f60e6df3ad2da3bd5fed6b868d97bf9a632fddb4bbd005dfbf82270bcea7b30d329af62f10c9a8f

C:\Windows\SysWOW64\Hahjpbad.exe

MD5 67e1160bd51bbd1b7cb10c649efe56ab
SHA1 515577a3915fed85a048473fa9967804998e1fc6
SHA256 d5b9decb31021fe71694ee1cb205f810ec5c5f9ee316f19f9ca4534a032ec95f
SHA512 0a5cccb23c29d54d73774c5a277f85351a92fb13d4dc72bbfd6fce61efcc073216cd35a82e1f210312d2b99a8a183fb55d12899de4a8597f9f76fbfc6e7e8904

C:\Windows\SysWOW64\Hcifgjgc.exe

MD5 30becd40f11b779a52228314dbc2f1cb
SHA1 3fa9686194494bd1d70da8181726002b830aa3ef
SHA256 dabe5edb8db5c0866c821a0848bf0d3cdcebaaf5988293bcbe3dcc3503cef2c0
SHA512 db5bdb5130de8a3714be5e14267662df0850405357ee1830cba8c97481c59ac8bf96b0969e7f5e636cab15bf6d31f50ada7175e939e6f4d6b07003be7c472e1b

C:\Windows\SysWOW64\Hpmgqnfl.exe

MD5 8284a01dbf13ba94d16ae6157a03e696
SHA1 247f073e4e8ab65f87155a6ad4e949f94f55f39a
SHA256 1e77ae9d33c5eb10bc858b0974e95d16c6b1ff1297e5a98cb126f17a5588ba1a
SHA512 a3e4d9c610e20906419bac862380a12b86e68b1b886358fb5f089581b6dc5f9edf08a99d42a8c4d07420cd2b27b8203ef8a936991435a24aa0f25a8a2596fd50

C:\Windows\SysWOW64\Hggomh32.exe

MD5 1a830f0753ad7e734d40ce6e320c15fa
SHA1 6bb9e4a89c897ac0ee07db18032d7986d6a12338
SHA256 110d5e202490607922568837ba012f96c87b23a36597522b43da2010014f3c64
SHA512 b33cc1d652e08b92aae3906409ea9f1db69d5f89156f067e49bf95a0d70ef8bd2db6ae297cac6e67dedcfa6c6dad66843463162b72ce348b940b1b0c6931cc0d

C:\Windows\SysWOW64\Hiekid32.exe

MD5 66548071f0c53d30c2c5e1b64f1ac9f8
SHA1 b704297580ccbbe93cf797644963777729bda5f9
SHA256 417ebd08770432c87f5473042e958e3cb142b59e5c2a20130815cff3599e1038
SHA512 d1793a4fb1671ad641822d10f86fcf0bd2f7db3a589ce6582cf6e8c777391f8292a479264694569c2dbf64215e570c0d8459b5f6466c06965e789cac2c10d8d5

C:\Windows\SysWOW64\Hlcgeo32.exe

MD5 0dad3a825434b875ed9c5c83284fbf5a
SHA1 cb012822089e0e9aceb242c3e1a96a59815f7bf2
SHA256 ae6d152732d2239e05a744b0b9087e4354e680267edd2485b2cd6597852216a1
SHA512 3099e9894f573837c3769fdea649ee255fd240d10429c2297bd7daccc0a66a2085b6eb5cf0d3ad473a655b2b90e1ee49761cb3705810024243594a60bdc66e00

C:\Windows\SysWOW64\Hellne32.exe

MD5 dcc5491956c8137288ea951986c7f2eb
SHA1 dcf9b7adef2ed99aed9d51cd91a40a9b80c68632
SHA256 992a7b952489a89d09702f39c9878c4e76bf581705a2e1d2a38d736d73302d96
SHA512 91785e5a6e86fa8b80a1da16fd2c5df062f667d131aebd34019267b95d721dc31164a2c8e688ccce64a20084074d9d10d3e17ccffcdd0f1eb1bd2f640748cfea

C:\Windows\SysWOW64\Hhjhkq32.exe

MD5 a2c8de9ad44168519acf03171ec92b61
SHA1 20c62468a78ad30cbca817ae981df01d861cc2d3
SHA256 6c10eb4d49b7dad0344214204ed082f3b2bf88b9892d5ca399dd8df2f5923ad1
SHA512 66c26aea6ebee5feebb6e0290771b69305188639511ecd455638a3c6e81ebd770b809b5cead178d5b4e430e1d985545d3eb0ae62b26367fa47d788d12ffae6b4

C:\Windows\SysWOW64\Hcplhi32.exe

MD5 54ef567187bb507d9757951cc92207c9
SHA1 7acb314ea0584382cd2e32604dbefb883d517f7d
SHA256 8da2dee7a634907919a31cf8444b7c5a4449c2d676b4c7f36ddebdf890ca8c48
SHA512 f5106621322630e86b027297686e496eda87de255a6f14a7473a8139288a38084ab464193fc65f4cc760ce95135e940a2fc87cdeccef372ccc3f275b26ef614d

C:\Windows\SysWOW64\Hjjddchg.exe

MD5 2ac7666c740b4fd5e05be4dba69bb8bb
SHA1 1981bc73987007acc50c728c0a436707216a117b
SHA256 8fa19a9aceeeb2e1a83c1e01e9f87b69abe4d67c9c0bfffead410dedda5ed424
SHA512 5df6f4a7ada47bdbc34c8887ba42125acd29b43844c43df4d4fdffcfe59d794803fc40d177ac81c1293b55b2c57a67ad144b9805d9e20e91fca11c96c5150772

C:\Windows\SysWOW64\Hlhaqogk.exe

MD5 eb5b8bca5c2bffb7e27ddaadf6896a27
SHA1 970dcded637e6220948c1285e336c277b0fb3b3b
SHA256 ac8083f85489faa1f59eeaf85cf31ce38aa0f2346f0102bb8cc1bd7d09bc50ba
SHA512 ebf8466b7af05e675f4aef76ba3e2604e44a185f6f9232c760406d0a8ca2f9ba418c7ce1d1d2b3a0e80ef960f3fc9974d5f8336fec14fc437da361888c7fd234

C:\Windows\SysWOW64\Iaeiieeb.exe

MD5 f0a2eb316ac1a043cf6f06befaf52bcf
SHA1 25f9cb66b1bff42884253573fed66e252cceffbb
SHA256 6067d7cfdb13796013118de239f986e90e1ce3ae9659752ee1abec17fefd67a7
SHA512 16ef5adc278d1ba477d71e973d3bc2a561f2adf198e2c9b67cd8720ce0f226d79a0ca1d46147d0c405f40c100478e0f415b0ddbb019fc2abc9c6a8bd283692c7

C:\Windows\SysWOW64\Ilknfn32.exe

MD5 781c21f059db7cd2b1d853fb90deedd0
SHA1 9c408d6f7ddf79453ad41de6f4ed400bf2a4dc74
SHA256 5010dbe5d1784ed3a653dfd502e46b82a1f851c7a1d89187b307249181829466
SHA512 09a6bc16530e3e1b9b5b6ebe14c62de868f0587555e2e0fbb1973c2d92fbd7231714e375094de1a17cc55a02efa884fadfbcfde68d6b9a21599b0ac8e61db5b9

C:\Windows\SysWOW64\Ioijbj32.exe

MD5 bfd30c7c72994c1f86162f9839a0d01d
SHA1 dedd767cd2d9b204754104d3f0e283cb8cfb79e7
SHA256 57a18f81d0a506a56b096d253f421ce8d2f6fba1db22f465582bb63d6b90e6d5
SHA512 344b116a733d9ccd57a1eed5152025464ddd7b9f9cdca235d22e6da69cb6dc73397a72eb8068dbf4997447dc3964b0d70a758df2b3d9bb01ea5591f19aa02e1a

C:\Windows\SysWOW64\Iagfoe32.exe

MD5 a366d5c9810517ac7900a64f138ee1fa
SHA1 a33739d590a5d1cf7f9e842a7b6c5bae5a34abe2
SHA256 001d1e37a44136959d2c678d8439ec0f7a7816c60a8ebe03b5f6a2596f349864
SHA512 6b9c5216843e816dfc48bf8195c9591e44b32b1bd05d8d7f68b58ec45729cf4e0c1d7c724414cdc20b388f7d3bafa49c1891aee64aaafd6a75c80e1657683b65

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-02 04:08

Reported

2024-06-02 04:11

Platform

win10v2004-20240426-en

Max time kernel

93s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\342872c7a7e45650c3f94380fb9dd4d0_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kgphpo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kpjjod32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lcmofolg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lilanioo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mciobn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jangmibi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Imgkql32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Liekmj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nceonl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fflaff32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Icgqggce.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mncmjfmk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jdhine32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jfffjqdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jbocea32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kphmie32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nqfbaq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ndghmo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hmklen32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jaedgjjd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jagqlj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fmapha32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gmoliohh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nacbfdao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ngedij32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hboagf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jmkdlkph.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kmlnbi32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lpfijcfl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ncldnkae.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fflaff32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kpccnefa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kphmie32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mcklgm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mdpalp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nqmhbpba.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hjmoibog.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lgikfn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lcbiao32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mkpgck32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mjhqjg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gcidfi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gjclbc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hmdedo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Laciofpa.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mjqjih32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nddkgonp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nqmhbpba.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gmhfhp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hpihai32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ijaida32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mciobn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mkpgck32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mkbchk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nkncdifl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jkdnpo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mjcgohig.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Njljefql.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Habnjm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kbapjafe.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ljnnch32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lphfpbdi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Njljefql.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\342872c7a7e45650c3f94380fb9dd4d0_NeikiAnalytics.exe N/A

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Fjnjqfij.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmmfmbhn.exe N/A
N/A N/A C:\Windows\SysWOW64\Fqkocpod.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmapha32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fopldmcl.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffjdqg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fcnejk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fflaff32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gfnnlffc.exe N/A
N/A N/A C:\Windows\SysWOW64\Gimjhafg.exe N/A
N/A N/A C:\Windows\SysWOW64\Gmhfhp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gfqjafdq.exe N/A
N/A N/A C:\Windows\SysWOW64\Gqfooodg.exe N/A
N/A N/A C:\Windows\SysWOW64\Gcekkjcj.exe N/A
N/A N/A C:\Windows\SysWOW64\Gmmocpjk.exe N/A
N/A N/A C:\Windows\SysWOW64\Gpklpkio.exe N/A
N/A N/A C:\Windows\SysWOW64\Gcggpj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gbjhlfhb.exe N/A
N/A N/A C:\Windows\SysWOW64\Gjapmdid.exe N/A
N/A N/A C:\Windows\SysWOW64\Gmoliohh.exe N/A
N/A N/A C:\Windows\SysWOW64\Gpnhekgl.exe N/A
N/A N/A C:\Windows\SysWOW64\Gcidfi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gbldaffp.exe N/A
N/A N/A C:\Windows\SysWOW64\Gjclbc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gmaioo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gameonno.exe N/A
N/A N/A C:\Windows\SysWOW64\Hclakimb.exe N/A
N/A N/A C:\Windows\SysWOW64\Hboagf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hjfihc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hihicplj.exe N/A
N/A N/A C:\Windows\SysWOW64\Hmdedo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hpbaqj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hcnnaikp.exe N/A
N/A N/A C:\Windows\SysWOW64\Hfljmdjc.exe N/A
N/A N/A C:\Windows\SysWOW64\Hikfip32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hmfbjnbp.exe N/A
N/A N/A C:\Windows\SysWOW64\Habnjm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hcqjfh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hjjbcbqj.exe N/A
N/A N/A C:\Windows\SysWOW64\Hmioonpn.exe N/A
N/A N/A C:\Windows\SysWOW64\Hadkpm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hccglh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hbeghene.exe N/A
N/A N/A C:\Windows\SysWOW64\Hjmoibog.exe N/A
N/A N/A C:\Windows\SysWOW64\Hippdo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hmklen32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hpihai32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hcedaheh.exe N/A
N/A N/A C:\Windows\SysWOW64\Hbhdmd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hjolnb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hibljoco.exe N/A
N/A N/A C:\Windows\SysWOW64\Hmmhjm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ipldfi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Icgqggce.exe N/A
N/A N/A C:\Windows\SysWOW64\Iffmccbi.exe N/A
N/A N/A C:\Windows\SysWOW64\Ijaida32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iidipnal.exe N/A
N/A N/A C:\Windows\SysWOW64\Iakaql32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ipnalhii.exe N/A
N/A N/A C:\Windows\SysWOW64\Iiffen32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iannfk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ipqnahgf.exe N/A
N/A N/A C:\Windows\SysWOW64\Icljbg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ifjfnb32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Mcnhmm32.exe C:\Windows\SysWOW64\Mdkhapfj.exe N/A
File opened for modification C:\Windows\SysWOW64\Ijfboafl.exe C:\Windows\SysWOW64\Ifjfnb32.exe N/A
File created C:\Windows\SysWOW64\Kmegbjgn.exe C:\Windows\SysWOW64\Jiikak32.exe N/A
File created C:\Windows\SysWOW64\Bpcbnd32.dll C:\Windows\SysWOW64\Kkpnlm32.exe N/A
File created C:\Windows\SysWOW64\Nngcpm32.dll C:\Windows\SysWOW64\Lkgdml32.exe N/A
File created C:\Windows\SysWOW64\Gbjhlfhb.exe C:\Windows\SysWOW64\Gcggpj32.exe N/A
File created C:\Windows\SysWOW64\Lgabcngj.dll C:\Windows\SysWOW64\Hboagf32.exe N/A
File created C:\Windows\SysWOW64\Hcqjfh32.exe C:\Windows\SysWOW64\Habnjm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jfdida32.exe C:\Windows\SysWOW64\Jagqlj32.exe N/A
File created C:\Windows\SysWOW64\Kbfiep32.exe C:\Windows\SysWOW64\Kphmie32.exe N/A
File created C:\Windows\SysWOW64\Pipagf32.dll C:\Windows\SysWOW64\Kdhbec32.exe N/A
File created C:\Windows\SysWOW64\Oaehlf32.dll C:\Windows\SysWOW64\Mcpebmkb.exe N/A
File created C:\Windows\SysWOW64\Paadnmaq.dll C:\Windows\SysWOW64\Ndghmo32.exe N/A
File created C:\Windows\SysWOW64\Gimjhafg.exe C:\Windows\SysWOW64\Gfnnlffc.exe N/A
File created C:\Windows\SysWOW64\Jkageheh.dll C:\Windows\SysWOW64\Hadkpm32.exe N/A
File created C:\Windows\SysWOW64\Hfkkgo32.dll C:\Windows\SysWOW64\Ifopiajn.exe N/A
File opened for modification C:\Windows\SysWOW64\Lgpagm32.exe C:\Windows\SysWOW64\Lpfijcfl.exe N/A
File opened for modification C:\Windows\SysWOW64\Njljefql.exe C:\Windows\SysWOW64\Mgnnhk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ngedij32.exe C:\Windows\SysWOW64\Ndghmo32.exe N/A
File created C:\Windows\SysWOW64\Dngdgf32.dll C:\Windows\SysWOW64\Lpappc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lphfpbdi.exe C:\Windows\SysWOW64\Laefdf32.exe N/A
File created C:\Windows\SysWOW64\Ekipni32.dll C:\Windows\SysWOW64\Mglack32.exe N/A
File created C:\Windows\SysWOW64\Adijolgl.dll C:\Windows\SysWOW64\Gpnhekgl.exe N/A
File created C:\Windows\SysWOW64\Jaljgidl.exe C:\Windows\SysWOW64\Jidbflcj.exe N/A
File created C:\Windows\SysWOW64\Gncoccha.dll C:\Windows\SysWOW64\Kmjqmi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kbfiep32.exe C:\Windows\SysWOW64\Kphmie32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nqmhbpba.exe C:\Windows\SysWOW64\Nnolfdcn.exe N/A
File created C:\Windows\SysWOW64\Gmhfhp32.exe C:\Windows\SysWOW64\Gimjhafg.exe N/A
File created C:\Windows\SysWOW64\Laefdf32.exe C:\Windows\SysWOW64\Ljnnch32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mjhqjg32.exe C:\Windows\SysWOW64\Mcnhmm32.exe N/A
File created C:\Windows\SysWOW64\Pipfna32.dll C:\Windows\SysWOW64\Nddkgonp.exe N/A
File created C:\Windows\SysWOW64\Lcmofolg.exe C:\Windows\SysWOW64\Lpocjdld.exe N/A
File opened for modification C:\Windows\SysWOW64\Ndghmo32.exe C:\Windows\SysWOW64\Nbhkac32.exe N/A
File created C:\Windows\SysWOW64\Gcidfi32.exe C:\Windows\SysWOW64\Gpnhekgl.exe N/A
File created C:\Windows\SysWOW64\Iffmccbi.exe C:\Windows\SysWOW64\Icgqggce.exe N/A
File created C:\Windows\SysWOW64\Aqnhjk32.dll C:\Windows\SysWOW64\Iakaql32.exe N/A
File created C:\Windows\SysWOW64\Milgab32.dll C:\Windows\SysWOW64\Kbfiep32.exe N/A
File created C:\Windows\SysWOW64\Imppcc32.dll C:\Windows\SysWOW64\Kgfoan32.exe N/A
File created C:\Windows\SysWOW64\Lpfijcfl.exe C:\Windows\SysWOW64\Laciofpa.exe N/A
File created C:\Windows\SysWOW64\Gbledndp.dll C:\Windows\SysWOW64\Iinlemia.exe N/A
File opened for modification C:\Windows\SysWOW64\Ijhodq32.exe C:\Windows\SysWOW64\Iiibkn32.exe N/A
File created C:\Windows\SysWOW64\Mnfipekh.exe C:\Windows\SysWOW64\Mkgmcjld.exe N/A
File created C:\Windows\SysWOW64\Hibljoco.exe C:\Windows\SysWOW64\Hjolnb32.exe N/A
File created C:\Windows\SysWOW64\Kmjqmi32.exe C:\Windows\SysWOW64\Kkkdan32.exe N/A
File created C:\Windows\SysWOW64\Kcifkp32.exe C:\Windows\SysWOW64\Kdffocib.exe N/A
File created C:\Windows\SysWOW64\Gcgqhjop.dll C:\Windows\SysWOW64\Lgikfn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ibccic32.exe C:\Windows\SysWOW64\Ipegmg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jigollag.exe C:\Windows\SysWOW64\Jkdnpo32.exe N/A
File created C:\Windows\SysWOW64\Ncgkcl32.exe C:\Windows\SysWOW64\Nddkgonp.exe N/A
File opened for modification C:\Windows\SysWOW64\Hcqjfh32.exe C:\Windows\SysWOW64\Habnjm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kgphpo32.exe C:\Windows\SysWOW64\Kbdmpqcb.exe N/A
File created C:\Windows\SysWOW64\Kphmie32.exe C:\Windows\SysWOW64\Kaemnhla.exe N/A
File opened for modification C:\Windows\SysWOW64\Lmccchkn.exe C:\Windows\SysWOW64\Liggbi32.exe N/A
File created C:\Windows\SysWOW64\Laciofpa.exe C:\Windows\SysWOW64\Lilanioo.exe N/A
File opened for modification C:\Windows\SysWOW64\Mdkhapfj.exe C:\Windows\SysWOW64\Mnapdf32.exe N/A
File created C:\Windows\SysWOW64\Ebkdha32.dll C:\Windows\SysWOW64\Iiibkn32.exe N/A
File created C:\Windows\SysWOW64\Hjobcj32.dll C:\Windows\SysWOW64\Jbfpobpb.exe N/A
File created C:\Windows\SysWOW64\Jagqlj32.exe C:\Windows\SysWOW64\Jmkdlkph.exe N/A
File opened for modification C:\Windows\SysWOW64\Kmegbjgn.exe C:\Windows\SysWOW64\Jiikak32.exe N/A
File created C:\Windows\SysWOW64\Kgfoan32.exe C:\Windows\SysWOW64\Kdhbec32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nddkgonp.exe C:\Windows\SysWOW64\Nafokcol.exe N/A
File opened for modification C:\Windows\SysWOW64\Ngcgcjnc.exe C:\Windows\SysWOW64\Ncgkcl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fcnejk32.exe C:\Windows\SysWOW64\Ffjdqg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hibljoco.exe C:\Windows\SysWOW64\Hjolnb32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Nkcmohbg.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Habnjm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Iakaql32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll" C:\Windows\SysWOW64\Lilanioo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} C:\Users\Admin\AppData\Local\Temp\342872c7a7e45650c3f94380fb9dd4d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngiehn32.dll" C:\Windows\SysWOW64\Gfnnlffc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgab32.dll" C:\Windows\SysWOW64\Kbfiep32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll" C:\Windows\SysWOW64\Lkiqbl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Maaepd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gfnnlffc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Imgkql32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll" C:\Windows\SysWOW64\Lpocjdld.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll" C:\Windows\SysWOW64\Nnolfdcn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekppcpp.dll" C:\Windows\SysWOW64\Hmmhjm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ipldfi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppaheqp.dll" C:\Windows\SysWOW64\Jigollag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Icljbg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jpojcf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll" C:\Windows\SysWOW64\Liggbi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mgnnhk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hpihai32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncoccha.dll" C:\Windows\SysWOW64\Kmjqmi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ipegmg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Iinlemia.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lnepih32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Laefdf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hbhdmd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlilmlna.dll" C:\Windows\SysWOW64\Iannfk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jpaghf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mglack32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nklfoi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ncgkcl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ndghmo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hadkpm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Iakaql32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mnfipekh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gmhfhp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kkkdan32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kpjjod32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdmn32.dll" C:\Windows\SysWOW64\Kajfig32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll" C:\Windows\SysWOW64\Mgnnhk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honckk32.dll" C:\Windows\SysWOW64\Hmfbjnbp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kmegbjgn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Njacpf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kknafn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nceonl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqnhjk32.dll" C:\Windows\SysWOW64\Iakaql32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honcnp32.dll" C:\Windows\SysWOW64\Jfffjqdf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mpkbebbf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fmapha32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opocad32.dll" C:\Windows\SysWOW64\Hibljoco.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll" C:\Windows\SysWOW64\Nddkgonp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dendnoah.dll" C:\Windows\SysWOW64\Ipqnahgf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeiooj32.dll" C:\Windows\SysWOW64\Jpojcf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Icgqggce.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ifjfnb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jagqlj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kmlnbi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll" C:\Windows\SysWOW64\Mnapdf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Njljefql.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emhmioko.dll" C:\Windows\SysWOW64\Gpklpkio.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hjjbcbqj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mcnhmm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gimjhafg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll" C:\Windows\SysWOW64\Kgbefoji.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4228 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\342872c7a7e45650c3f94380fb9dd4d0_NeikiAnalytics.exe C:\Windows\SysWOW64\Fjnjqfij.exe
PID 4228 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\342872c7a7e45650c3f94380fb9dd4d0_NeikiAnalytics.exe C:\Windows\SysWOW64\Fjnjqfij.exe
PID 4228 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\342872c7a7e45650c3f94380fb9dd4d0_NeikiAnalytics.exe C:\Windows\SysWOW64\Fjnjqfij.exe
PID 1052 wrote to memory of 4156 N/A C:\Windows\SysWOW64\Fjnjqfij.exe C:\Windows\SysWOW64\Fmmfmbhn.exe
PID 1052 wrote to memory of 4156 N/A C:\Windows\SysWOW64\Fjnjqfij.exe C:\Windows\SysWOW64\Fmmfmbhn.exe
PID 1052 wrote to memory of 4156 N/A C:\Windows\SysWOW64\Fjnjqfij.exe C:\Windows\SysWOW64\Fmmfmbhn.exe
PID 4156 wrote to memory of 4132 N/A C:\Windows\SysWOW64\Fmmfmbhn.exe C:\Windows\SysWOW64\Fqkocpod.exe
PID 4156 wrote to memory of 4132 N/A C:\Windows\SysWOW64\Fmmfmbhn.exe C:\Windows\SysWOW64\Fqkocpod.exe
PID 4156 wrote to memory of 4132 N/A C:\Windows\SysWOW64\Fmmfmbhn.exe C:\Windows\SysWOW64\Fqkocpod.exe
PID 4132 wrote to memory of 1000 N/A C:\Windows\SysWOW64\Fqkocpod.exe C:\Windows\SysWOW64\Fmapha32.exe
PID 4132 wrote to memory of 1000 N/A C:\Windows\SysWOW64\Fqkocpod.exe C:\Windows\SysWOW64\Fmapha32.exe
PID 4132 wrote to memory of 1000 N/A C:\Windows\SysWOW64\Fqkocpod.exe C:\Windows\SysWOW64\Fmapha32.exe
PID 1000 wrote to memory of 5000 N/A C:\Windows\SysWOW64\Fmapha32.exe C:\Windows\SysWOW64\Fopldmcl.exe
PID 1000 wrote to memory of 5000 N/A C:\Windows\SysWOW64\Fmapha32.exe C:\Windows\SysWOW64\Fopldmcl.exe
PID 1000 wrote to memory of 5000 N/A C:\Windows\SysWOW64\Fmapha32.exe C:\Windows\SysWOW64\Fopldmcl.exe
PID 5000 wrote to memory of 324 N/A C:\Windows\SysWOW64\Fopldmcl.exe C:\Windows\SysWOW64\Ffjdqg32.exe
PID 5000 wrote to memory of 324 N/A C:\Windows\SysWOW64\Fopldmcl.exe C:\Windows\SysWOW64\Ffjdqg32.exe
PID 5000 wrote to memory of 324 N/A C:\Windows\SysWOW64\Fopldmcl.exe C:\Windows\SysWOW64\Ffjdqg32.exe
PID 324 wrote to memory of 1740 N/A C:\Windows\SysWOW64\Ffjdqg32.exe C:\Windows\SysWOW64\Fcnejk32.exe
PID 324 wrote to memory of 1740 N/A C:\Windows\SysWOW64\Ffjdqg32.exe C:\Windows\SysWOW64\Fcnejk32.exe
PID 324 wrote to memory of 1740 N/A C:\Windows\SysWOW64\Ffjdqg32.exe C:\Windows\SysWOW64\Fcnejk32.exe
PID 1740 wrote to memory of 3784 N/A C:\Windows\SysWOW64\Fcnejk32.exe C:\Windows\SysWOW64\Fflaff32.exe
PID 1740 wrote to memory of 3784 N/A C:\Windows\SysWOW64\Fcnejk32.exe C:\Windows\SysWOW64\Fflaff32.exe
PID 1740 wrote to memory of 3784 N/A C:\Windows\SysWOW64\Fcnejk32.exe C:\Windows\SysWOW64\Fflaff32.exe
PID 3784 wrote to memory of 2160 N/A C:\Windows\SysWOW64\Fflaff32.exe C:\Windows\SysWOW64\Gfnnlffc.exe
PID 3784 wrote to memory of 2160 N/A C:\Windows\SysWOW64\Fflaff32.exe C:\Windows\SysWOW64\Gfnnlffc.exe
PID 3784 wrote to memory of 2160 N/A C:\Windows\SysWOW64\Fflaff32.exe C:\Windows\SysWOW64\Gfnnlffc.exe
PID 2160 wrote to memory of 4348 N/A C:\Windows\SysWOW64\Gfnnlffc.exe C:\Windows\SysWOW64\Gimjhafg.exe
PID 2160 wrote to memory of 4348 N/A C:\Windows\SysWOW64\Gfnnlffc.exe C:\Windows\SysWOW64\Gimjhafg.exe
PID 2160 wrote to memory of 4348 N/A C:\Windows\SysWOW64\Gfnnlffc.exe C:\Windows\SysWOW64\Gimjhafg.exe
PID 4348 wrote to memory of 4580 N/A C:\Windows\SysWOW64\Gimjhafg.exe C:\Windows\SysWOW64\Gmhfhp32.exe
PID 4348 wrote to memory of 4580 N/A C:\Windows\SysWOW64\Gimjhafg.exe C:\Windows\SysWOW64\Gmhfhp32.exe
PID 4348 wrote to memory of 4580 N/A C:\Windows\SysWOW64\Gimjhafg.exe C:\Windows\SysWOW64\Gmhfhp32.exe
PID 4580 wrote to memory of 5012 N/A C:\Windows\SysWOW64\Gmhfhp32.exe C:\Windows\SysWOW64\Gfqjafdq.exe
PID 4580 wrote to memory of 5012 N/A C:\Windows\SysWOW64\Gmhfhp32.exe C:\Windows\SysWOW64\Gfqjafdq.exe
PID 4580 wrote to memory of 5012 N/A C:\Windows\SysWOW64\Gmhfhp32.exe C:\Windows\SysWOW64\Gfqjafdq.exe
PID 5012 wrote to memory of 3916 N/A C:\Windows\SysWOW64\Gfqjafdq.exe C:\Windows\SysWOW64\Gqfooodg.exe
PID 5012 wrote to memory of 3916 N/A C:\Windows\SysWOW64\Gfqjafdq.exe C:\Windows\SysWOW64\Gqfooodg.exe
PID 5012 wrote to memory of 3916 N/A C:\Windows\SysWOW64\Gfqjafdq.exe C:\Windows\SysWOW64\Gqfooodg.exe
PID 3916 wrote to memory of 2864 N/A C:\Windows\SysWOW64\Gqfooodg.exe C:\Windows\SysWOW64\Gcekkjcj.exe
PID 3916 wrote to memory of 2864 N/A C:\Windows\SysWOW64\Gqfooodg.exe C:\Windows\SysWOW64\Gcekkjcj.exe
PID 3916 wrote to memory of 2864 N/A C:\Windows\SysWOW64\Gqfooodg.exe C:\Windows\SysWOW64\Gcekkjcj.exe
PID 2864 wrote to memory of 1216 N/A C:\Windows\SysWOW64\Gcekkjcj.exe C:\Windows\SysWOW64\Gmmocpjk.exe
PID 2864 wrote to memory of 1216 N/A C:\Windows\SysWOW64\Gcekkjcj.exe C:\Windows\SysWOW64\Gmmocpjk.exe
PID 2864 wrote to memory of 1216 N/A C:\Windows\SysWOW64\Gcekkjcj.exe C:\Windows\SysWOW64\Gmmocpjk.exe
PID 1216 wrote to memory of 1664 N/A C:\Windows\SysWOW64\Gmmocpjk.exe C:\Windows\SysWOW64\Gpklpkio.exe
PID 1216 wrote to memory of 1664 N/A C:\Windows\SysWOW64\Gmmocpjk.exe C:\Windows\SysWOW64\Gpklpkio.exe
PID 1216 wrote to memory of 1664 N/A C:\Windows\SysWOW64\Gmmocpjk.exe C:\Windows\SysWOW64\Gpklpkio.exe
PID 1664 wrote to memory of 4800 N/A C:\Windows\SysWOW64\Gpklpkio.exe C:\Windows\SysWOW64\Gcggpj32.exe
PID 1664 wrote to memory of 4800 N/A C:\Windows\SysWOW64\Gpklpkio.exe C:\Windows\SysWOW64\Gcggpj32.exe
PID 1664 wrote to memory of 4800 N/A C:\Windows\SysWOW64\Gpklpkio.exe C:\Windows\SysWOW64\Gcggpj32.exe
PID 4800 wrote to memory of 1172 N/A C:\Windows\SysWOW64\Gcggpj32.exe C:\Windows\SysWOW64\Gbjhlfhb.exe
PID 4800 wrote to memory of 1172 N/A C:\Windows\SysWOW64\Gcggpj32.exe C:\Windows\SysWOW64\Gbjhlfhb.exe
PID 4800 wrote to memory of 1172 N/A C:\Windows\SysWOW64\Gcggpj32.exe C:\Windows\SysWOW64\Gbjhlfhb.exe
PID 1172 wrote to memory of 1800 N/A C:\Windows\SysWOW64\Gbjhlfhb.exe C:\Windows\SysWOW64\Gjapmdid.exe
PID 1172 wrote to memory of 1800 N/A C:\Windows\SysWOW64\Gbjhlfhb.exe C:\Windows\SysWOW64\Gjapmdid.exe
PID 1172 wrote to memory of 1800 N/A C:\Windows\SysWOW64\Gbjhlfhb.exe C:\Windows\SysWOW64\Gjapmdid.exe
PID 1800 wrote to memory of 4768 N/A C:\Windows\SysWOW64\Gjapmdid.exe C:\Windows\SysWOW64\Gmoliohh.exe
PID 1800 wrote to memory of 4768 N/A C:\Windows\SysWOW64\Gjapmdid.exe C:\Windows\SysWOW64\Gmoliohh.exe
PID 1800 wrote to memory of 4768 N/A C:\Windows\SysWOW64\Gjapmdid.exe C:\Windows\SysWOW64\Gmoliohh.exe
PID 4768 wrote to memory of 4648 N/A C:\Windows\SysWOW64\Gmoliohh.exe C:\Windows\SysWOW64\Gpnhekgl.exe
PID 4768 wrote to memory of 4648 N/A C:\Windows\SysWOW64\Gmoliohh.exe C:\Windows\SysWOW64\Gpnhekgl.exe
PID 4768 wrote to memory of 4648 N/A C:\Windows\SysWOW64\Gmoliohh.exe C:\Windows\SysWOW64\Gpnhekgl.exe
PID 4648 wrote to memory of 1320 N/A C:\Windows\SysWOW64\Gpnhekgl.exe C:\Windows\SysWOW64\Gcidfi32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\342872c7a7e45650c3f94380fb9dd4d0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\342872c7a7e45650c3f94380fb9dd4d0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Fjnjqfij.exe

C:\Windows\system32\Fjnjqfij.exe

C:\Windows\SysWOW64\Fmmfmbhn.exe

C:\Windows\system32\Fmmfmbhn.exe

C:\Windows\SysWOW64\Fqkocpod.exe

C:\Windows\system32\Fqkocpod.exe

C:\Windows\SysWOW64\Fmapha32.exe

C:\Windows\system32\Fmapha32.exe

C:\Windows\SysWOW64\Fopldmcl.exe

C:\Windows\system32\Fopldmcl.exe

C:\Windows\SysWOW64\Ffjdqg32.exe

C:\Windows\system32\Ffjdqg32.exe

C:\Windows\SysWOW64\Fcnejk32.exe

C:\Windows\system32\Fcnejk32.exe

C:\Windows\SysWOW64\Fflaff32.exe

C:\Windows\system32\Fflaff32.exe

C:\Windows\SysWOW64\Gfnnlffc.exe

C:\Windows\system32\Gfnnlffc.exe

C:\Windows\SysWOW64\Gimjhafg.exe

C:\Windows\system32\Gimjhafg.exe

C:\Windows\SysWOW64\Gmhfhp32.exe

C:\Windows\system32\Gmhfhp32.exe

C:\Windows\SysWOW64\Gfqjafdq.exe

C:\Windows\system32\Gfqjafdq.exe

C:\Windows\SysWOW64\Gqfooodg.exe

C:\Windows\system32\Gqfooodg.exe

C:\Windows\SysWOW64\Gcekkjcj.exe

C:\Windows\system32\Gcekkjcj.exe

C:\Windows\SysWOW64\Gmmocpjk.exe

C:\Windows\system32\Gmmocpjk.exe

C:\Windows\SysWOW64\Gpklpkio.exe

C:\Windows\system32\Gpklpkio.exe

C:\Windows\SysWOW64\Gcggpj32.exe

C:\Windows\system32\Gcggpj32.exe

C:\Windows\SysWOW64\Gbjhlfhb.exe

C:\Windows\system32\Gbjhlfhb.exe

C:\Windows\SysWOW64\Gjapmdid.exe

C:\Windows\system32\Gjapmdid.exe

C:\Windows\SysWOW64\Gmoliohh.exe

C:\Windows\system32\Gmoliohh.exe

C:\Windows\SysWOW64\Gpnhekgl.exe

C:\Windows\system32\Gpnhekgl.exe

C:\Windows\SysWOW64\Gcidfi32.exe

C:\Windows\system32\Gcidfi32.exe

C:\Windows\SysWOW64\Gbldaffp.exe

C:\Windows\system32\Gbldaffp.exe

C:\Windows\SysWOW64\Gjclbc32.exe

C:\Windows\system32\Gjclbc32.exe

C:\Windows\SysWOW64\Gmaioo32.exe

C:\Windows\system32\Gmaioo32.exe

C:\Windows\SysWOW64\Gameonno.exe

C:\Windows\system32\Gameonno.exe

C:\Windows\SysWOW64\Hclakimb.exe

C:\Windows\system32\Hclakimb.exe

C:\Windows\SysWOW64\Hboagf32.exe

C:\Windows\system32\Hboagf32.exe

C:\Windows\SysWOW64\Hjfihc32.exe

C:\Windows\system32\Hjfihc32.exe

C:\Windows\SysWOW64\Hihicplj.exe

C:\Windows\system32\Hihicplj.exe

C:\Windows\SysWOW64\Hmdedo32.exe

C:\Windows\system32\Hmdedo32.exe

C:\Windows\SysWOW64\Hpbaqj32.exe

C:\Windows\system32\Hpbaqj32.exe

C:\Windows\SysWOW64\Hcnnaikp.exe

C:\Windows\system32\Hcnnaikp.exe

C:\Windows\SysWOW64\Hfljmdjc.exe

C:\Windows\system32\Hfljmdjc.exe

C:\Windows\SysWOW64\Hikfip32.exe

C:\Windows\system32\Hikfip32.exe

C:\Windows\SysWOW64\Hmfbjnbp.exe

C:\Windows\system32\Hmfbjnbp.exe

C:\Windows\SysWOW64\Habnjm32.exe

C:\Windows\system32\Habnjm32.exe

C:\Windows\SysWOW64\Hcqjfh32.exe

C:\Windows\system32\Hcqjfh32.exe

C:\Windows\SysWOW64\Hjjbcbqj.exe

C:\Windows\system32\Hjjbcbqj.exe

C:\Windows\SysWOW64\Hmioonpn.exe

C:\Windows\system32\Hmioonpn.exe

C:\Windows\SysWOW64\Hadkpm32.exe

C:\Windows\system32\Hadkpm32.exe

C:\Windows\SysWOW64\Hccglh32.exe

C:\Windows\system32\Hccglh32.exe

C:\Windows\SysWOW64\Hbeghene.exe

C:\Windows\system32\Hbeghene.exe

C:\Windows\SysWOW64\Hjmoibog.exe

C:\Windows\system32\Hjmoibog.exe

C:\Windows\SysWOW64\Hippdo32.exe

C:\Windows\system32\Hippdo32.exe

C:\Windows\SysWOW64\Hmklen32.exe

C:\Windows\system32\Hmklen32.exe

C:\Windows\SysWOW64\Hpihai32.exe

C:\Windows\system32\Hpihai32.exe

C:\Windows\SysWOW64\Hcedaheh.exe

C:\Windows\system32\Hcedaheh.exe

C:\Windows\SysWOW64\Hbhdmd32.exe

C:\Windows\system32\Hbhdmd32.exe

C:\Windows\SysWOW64\Hjolnb32.exe

C:\Windows\system32\Hjolnb32.exe

C:\Windows\SysWOW64\Hibljoco.exe

C:\Windows\system32\Hibljoco.exe

C:\Windows\SysWOW64\Hmmhjm32.exe

C:\Windows\system32\Hmmhjm32.exe

C:\Windows\SysWOW64\Ipldfi32.exe

C:\Windows\system32\Ipldfi32.exe

C:\Windows\SysWOW64\Icgqggce.exe

C:\Windows\system32\Icgqggce.exe

C:\Windows\SysWOW64\Iffmccbi.exe

C:\Windows\system32\Iffmccbi.exe

C:\Windows\SysWOW64\Ijaida32.exe

C:\Windows\system32\Ijaida32.exe

C:\Windows\SysWOW64\Iidipnal.exe

C:\Windows\system32\Iidipnal.exe

C:\Windows\SysWOW64\Iakaql32.exe

C:\Windows\system32\Iakaql32.exe

C:\Windows\SysWOW64\Ipnalhii.exe

C:\Windows\system32\Ipnalhii.exe

C:\Windows\SysWOW64\Iiffen32.exe

C:\Windows\system32\Iiffen32.exe

C:\Windows\SysWOW64\Iannfk32.exe

C:\Windows\system32\Iannfk32.exe

C:\Windows\SysWOW64\Ipqnahgf.exe

C:\Windows\system32\Ipqnahgf.exe

C:\Windows\SysWOW64\Icljbg32.exe

C:\Windows\system32\Icljbg32.exe

C:\Windows\SysWOW64\Ifjfnb32.exe

C:\Windows\system32\Ifjfnb32.exe

C:\Windows\SysWOW64\Ijfboafl.exe

C:\Windows\system32\Ijfboafl.exe

C:\Windows\SysWOW64\Iiibkn32.exe

C:\Windows\system32\Iiibkn32.exe

C:\Windows\SysWOW64\Ijhodq32.exe

C:\Windows\system32\Ijhodq32.exe

C:\Windows\SysWOW64\Imgkql32.exe

C:\Windows\system32\Imgkql32.exe

C:\Windows\SysWOW64\Iabgaklg.exe

C:\Windows\system32\Iabgaklg.exe

C:\Windows\SysWOW64\Ipegmg32.exe

C:\Windows\system32\Ipegmg32.exe

C:\Windows\SysWOW64\Ibccic32.exe

C:\Windows\system32\Ibccic32.exe

C:\Windows\SysWOW64\Ifopiajn.exe

C:\Windows\system32\Ifopiajn.exe

C:\Windows\SysWOW64\Ijkljp32.exe

C:\Windows\system32\Ijkljp32.exe

C:\Windows\SysWOW64\Iinlemia.exe

C:\Windows\system32\Iinlemia.exe

C:\Windows\SysWOW64\Jaedgjjd.exe

C:\Windows\system32\Jaedgjjd.exe

C:\Windows\SysWOW64\Jpgdbg32.exe

C:\Windows\system32\Jpgdbg32.exe

C:\Windows\SysWOW64\Jbfpobpb.exe

C:\Windows\system32\Jbfpobpb.exe

C:\Windows\SysWOW64\Jjmhppqd.exe

C:\Windows\system32\Jjmhppqd.exe

C:\Windows\SysWOW64\Jmkdlkph.exe

C:\Windows\system32\Jmkdlkph.exe

C:\Windows\SysWOW64\Jagqlj32.exe

C:\Windows\system32\Jagqlj32.exe

C:\Windows\SysWOW64\Jfdida32.exe

C:\Windows\system32\Jfdida32.exe

C:\Windows\SysWOW64\Jmnaakne.exe

C:\Windows\system32\Jmnaakne.exe

C:\Windows\SysWOW64\Jaimbj32.exe

C:\Windows\system32\Jaimbj32.exe

C:\Windows\SysWOW64\Jdhine32.exe

C:\Windows\system32\Jdhine32.exe

C:\Windows\SysWOW64\Jfffjqdf.exe

C:\Windows\system32\Jfffjqdf.exe

C:\Windows\SysWOW64\Jidbflcj.exe

C:\Windows\system32\Jidbflcj.exe

C:\Windows\SysWOW64\Jaljgidl.exe

C:\Windows\system32\Jaljgidl.exe

C:\Windows\SysWOW64\Jpojcf32.exe

C:\Windows\system32\Jpojcf32.exe

C:\Windows\SysWOW64\Jbmfoa32.exe

C:\Windows\system32\Jbmfoa32.exe

C:\Windows\SysWOW64\Jkdnpo32.exe

C:\Windows\system32\Jkdnpo32.exe

C:\Windows\SysWOW64\Jigollag.exe

C:\Windows\system32\Jigollag.exe

C:\Windows\SysWOW64\Jangmibi.exe

C:\Windows\system32\Jangmibi.exe

C:\Windows\SysWOW64\Jpaghf32.exe

C:\Windows\system32\Jpaghf32.exe

C:\Windows\SysWOW64\Jbocea32.exe

C:\Windows\system32\Jbocea32.exe

C:\Windows\SysWOW64\Jiikak32.exe

C:\Windows\system32\Jiikak32.exe

C:\Windows\SysWOW64\Kmegbjgn.exe

C:\Windows\system32\Kmegbjgn.exe

C:\Windows\SysWOW64\Kpccnefa.exe

C:\Windows\system32\Kpccnefa.exe

C:\Windows\SysWOW64\Kbapjafe.exe

C:\Windows\system32\Kbapjafe.exe

C:\Windows\SysWOW64\Kkihknfg.exe

C:\Windows\system32\Kkihknfg.exe

C:\Windows\SysWOW64\Kilhgk32.exe

C:\Windows\system32\Kilhgk32.exe

C:\Windows\SysWOW64\Kacphh32.exe

C:\Windows\system32\Kacphh32.exe

C:\Windows\SysWOW64\Kbdmpqcb.exe

C:\Windows\system32\Kbdmpqcb.exe

C:\Windows\SysWOW64\Kgphpo32.exe

C:\Windows\system32\Kgphpo32.exe

C:\Windows\SysWOW64\Kkkdan32.exe

C:\Windows\system32\Kkkdan32.exe

C:\Windows\SysWOW64\Kmjqmi32.exe

C:\Windows\system32\Kmjqmi32.exe

C:\Windows\SysWOW64\Kaemnhla.exe

C:\Windows\system32\Kaemnhla.exe

C:\Windows\SysWOW64\Kphmie32.exe

C:\Windows\system32\Kphmie32.exe

C:\Windows\SysWOW64\Kbfiep32.exe

C:\Windows\system32\Kbfiep32.exe

C:\Windows\SysWOW64\Kgbefoji.exe

C:\Windows\system32\Kgbefoji.exe

C:\Windows\SysWOW64\Kknafn32.exe

C:\Windows\system32\Kknafn32.exe

C:\Windows\SysWOW64\Kmlnbi32.exe

C:\Windows\system32\Kmlnbi32.exe

C:\Windows\SysWOW64\Kpjjod32.exe

C:\Windows\system32\Kpjjod32.exe

C:\Windows\SysWOW64\Kdffocib.exe

C:\Windows\system32\Kdffocib.exe

C:\Windows\SysWOW64\Kcifkp32.exe

C:\Windows\system32\Kcifkp32.exe

C:\Windows\SysWOW64\Kkpnlm32.exe

C:\Windows\system32\Kkpnlm32.exe

C:\Windows\SysWOW64\Kibnhjgj.exe

C:\Windows\system32\Kibnhjgj.exe

C:\Windows\SysWOW64\Kajfig32.exe

C:\Windows\system32\Kajfig32.exe

C:\Windows\SysWOW64\Kpmfddnf.exe

C:\Windows\system32\Kpmfddnf.exe

C:\Windows\SysWOW64\Kdhbec32.exe

C:\Windows\system32\Kdhbec32.exe

C:\Windows\SysWOW64\Kgfoan32.exe

C:\Windows\system32\Kgfoan32.exe

C:\Windows\SysWOW64\Liekmj32.exe

C:\Windows\system32\Liekmj32.exe

C:\Windows\SysWOW64\Lmqgnhmp.exe

C:\Windows\system32\Lmqgnhmp.exe

C:\Windows\SysWOW64\Lpocjdld.exe

C:\Windows\system32\Lpocjdld.exe

C:\Windows\SysWOW64\Lcmofolg.exe

C:\Windows\system32\Lcmofolg.exe

C:\Windows\SysWOW64\Lgikfn32.exe

C:\Windows\system32\Lgikfn32.exe

C:\Windows\SysWOW64\Liggbi32.exe

C:\Windows\system32\Liggbi32.exe

C:\Windows\SysWOW64\Lmccchkn.exe

C:\Windows\system32\Lmccchkn.exe

C:\Windows\SysWOW64\Lpappc32.exe

C:\Windows\system32\Lpappc32.exe

C:\Windows\SysWOW64\Lkgdml32.exe

C:\Windows\system32\Lkgdml32.exe

C:\Windows\SysWOW64\Lnepih32.exe

C:\Windows\system32\Lnepih32.exe

C:\Windows\SysWOW64\Lpcmec32.exe

C:\Windows\system32\Lpcmec32.exe

C:\Windows\SysWOW64\Lcbiao32.exe

C:\Windows\system32\Lcbiao32.exe

C:\Windows\SysWOW64\Lkiqbl32.exe

C:\Windows\system32\Lkiqbl32.exe

C:\Windows\SysWOW64\Lilanioo.exe

C:\Windows\system32\Lilanioo.exe

C:\Windows\SysWOW64\Laciofpa.exe

C:\Windows\system32\Laciofpa.exe

C:\Windows\SysWOW64\Lpfijcfl.exe

C:\Windows\system32\Lpfijcfl.exe

C:\Windows\SysWOW64\Lgpagm32.exe

C:\Windows\system32\Lgpagm32.exe

C:\Windows\SysWOW64\Ljnnch32.exe

C:\Windows\system32\Ljnnch32.exe

C:\Windows\SysWOW64\Laefdf32.exe

C:\Windows\system32\Laefdf32.exe

C:\Windows\SysWOW64\Lphfpbdi.exe

C:\Windows\system32\Lphfpbdi.exe

C:\Windows\SysWOW64\Lcgblncm.exe

C:\Windows\system32\Lcgblncm.exe

C:\Windows\SysWOW64\Lknjmkdo.exe

C:\Windows\system32\Lknjmkdo.exe

C:\Windows\SysWOW64\Mjqjih32.exe

C:\Windows\system32\Mjqjih32.exe

C:\Windows\SysWOW64\Mahbje32.exe

C:\Windows\system32\Mahbje32.exe

C:\Windows\SysWOW64\Mpkbebbf.exe

C:\Windows\system32\Mpkbebbf.exe

C:\Windows\SysWOW64\Mciobn32.exe

C:\Windows\system32\Mciobn32.exe

C:\Windows\SysWOW64\Mkpgck32.exe

C:\Windows\system32\Mkpgck32.exe

C:\Windows\SysWOW64\Mjcgohig.exe

C:\Windows\system32\Mjcgohig.exe

C:\Windows\SysWOW64\Mnocof32.exe

C:\Windows\system32\Mnocof32.exe

C:\Windows\SysWOW64\Mdiklqhm.exe

C:\Windows\system32\Mdiklqhm.exe

C:\Windows\SysWOW64\Mcklgm32.exe

C:\Windows\system32\Mcklgm32.exe

C:\Windows\SysWOW64\Mkbchk32.exe

C:\Windows\system32\Mkbchk32.exe

C:\Windows\SysWOW64\Mnapdf32.exe

C:\Windows\system32\Mnapdf32.exe

C:\Windows\SysWOW64\Mdkhapfj.exe

C:\Windows\system32\Mdkhapfj.exe

C:\Windows\SysWOW64\Mcnhmm32.exe

C:\Windows\system32\Mcnhmm32.exe

C:\Windows\SysWOW64\Mjhqjg32.exe

C:\Windows\system32\Mjhqjg32.exe

C:\Windows\SysWOW64\Mncmjfmk.exe

C:\Windows\system32\Mncmjfmk.exe

C:\Windows\SysWOW64\Maohkd32.exe

C:\Windows\system32\Maohkd32.exe

C:\Windows\SysWOW64\Mcpebmkb.exe

C:\Windows\system32\Mcpebmkb.exe

C:\Windows\SysWOW64\Mglack32.exe

C:\Windows\system32\Mglack32.exe

C:\Windows\SysWOW64\Mkgmcjld.exe

C:\Windows\system32\Mkgmcjld.exe

C:\Windows\SysWOW64\Mnfipekh.exe

C:\Windows\system32\Mnfipekh.exe

C:\Windows\SysWOW64\Maaepd32.exe

C:\Windows\system32\Maaepd32.exe

C:\Windows\SysWOW64\Mdpalp32.exe

C:\Windows\system32\Mdpalp32.exe

C:\Windows\SysWOW64\Mgnnhk32.exe

C:\Windows\system32\Mgnnhk32.exe

C:\Windows\SysWOW64\Njljefql.exe

C:\Windows\system32\Njljefql.exe

C:\Windows\SysWOW64\Nacbfdao.exe

C:\Windows\system32\Nacbfdao.exe

C:\Windows\SysWOW64\Nqfbaq32.exe

C:\Windows\system32\Nqfbaq32.exe

C:\Windows\SysWOW64\Nceonl32.exe

C:\Windows\system32\Nceonl32.exe

C:\Windows\SysWOW64\Nklfoi32.exe

C:\Windows\system32\Nklfoi32.exe

C:\Windows\SysWOW64\Nafokcol.exe

C:\Windows\system32\Nafokcol.exe

C:\Windows\SysWOW64\Nddkgonp.exe

C:\Windows\system32\Nddkgonp.exe

C:\Windows\SysWOW64\Ncgkcl32.exe

C:\Windows\system32\Ncgkcl32.exe

C:\Windows\SysWOW64\Ngcgcjnc.exe

C:\Windows\system32\Ngcgcjnc.exe

C:\Windows\SysWOW64\Nkncdifl.exe

C:\Windows\system32\Nkncdifl.exe

C:\Windows\SysWOW64\Njacpf32.exe

C:\Windows\system32\Njacpf32.exe

C:\Windows\SysWOW64\Nbhkac32.exe

C:\Windows\system32\Nbhkac32.exe

C:\Windows\SysWOW64\Ndghmo32.exe

C:\Windows\system32\Ndghmo32.exe

C:\Windows\SysWOW64\Ngedij32.exe

C:\Windows\system32\Ngedij32.exe

C:\Windows\SysWOW64\Nkqpjidj.exe

C:\Windows\system32\Nkqpjidj.exe

C:\Windows\SysWOW64\Nnolfdcn.exe

C:\Windows\system32\Nnolfdcn.exe

C:\Windows\SysWOW64\Nqmhbpba.exe

C:\Windows\system32\Nqmhbpba.exe

C:\Windows\SysWOW64\Ncldnkae.exe

C:\Windows\system32\Ncldnkae.exe

C:\Windows\SysWOW64\Nkcmohbg.exe

C:\Windows\system32\Nkcmohbg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 6672 -ip 6672

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6672 -s 400

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 99.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

memory/4228-0-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4228-4-0x0000000000431000-0x0000000000432000-memory.dmp

C:\Windows\SysWOW64\Fjnjqfij.exe

MD5 f5f9da74ff1280de06b9c65816e2f0c3
SHA1 fb0e3f0a0f6ef2e720d426bf498dec15282cb033
SHA256 f1496fb0245e8c3b8f0c68d916fba483353c19ecc6d2563e5844accdc2dd00b9
SHA512 5b6be04af317f5a567a1848b0e00c224fcdfe8faced3968c2809e5861cdc8ee8bc20feb3e03aeee36ebf8b9a3b78785f1f6c5aacd5b1e51987541f3032fdc827

memory/1052-13-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Fmmfmbhn.exe

MD5 682d1323169515d69e7486bb5591fab3
SHA1 5d587f49a96694102be875872928053ba5748328
SHA256 df07d2a33b5af888762ab6eaa407eb5706306983652bbaa834be72cef3f18774
SHA512 a680a7c282709a0ae9a9e006e6aacf69511452c1753a16297dc2aefa6036d835cf9b3b82f685802bb889f6c247abf5875cc12ce2361b3d163adab7c463e0057c

memory/4156-17-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Fqkocpod.exe

MD5 30b9baf52e379658164f6eadde81c479
SHA1 158cfb9075493c868ace9a75510d75d2d491c599
SHA256 9d3173a6715f63ce3ff6da6c3cc330d28fa837f9250f6d5a22b80011e99e7c0e
SHA512 780271214f813085204c417171beac8b1f70f5cadb3cd606e6239f297673a481d2d0e31689a2395e1aae6ee3ccf50bfe424712f719d45692ff72a32f685e5235

memory/4132-25-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Fmapha32.exe

MD5 17f4cab2f325adb3c0ddafed953b68c4
SHA1 23d0b39494e274c1101228343fcc52445839d184
SHA256 c5848cb485a62d9dd742164357d0fd389a8be59ea98c07ba9999760d05296045
SHA512 34facdb158d8f1de8ed03fd2c1b2c931a0d2dba269836221bba452b382dc40838e5ac77ea909d4ebcdf976eca001de429e7e9d14c095ff768fda9e684d879e16

memory/1000-36-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Fopldmcl.exe

MD5 67829d226e64088806e92ee886d77c56
SHA1 937e59bc26d976cf7a669d5e6e067445a44f951f
SHA256 0fabccd9a27d8425f1501c1ca082a5843575dc462a6aabf1ae4ef13ea194fb55
SHA512 e8bf888b01a19611986b35c9af384f60e0dfbe4fd2f9c4c970ace568543b748bbfc675b762a539e22811d982ad5b62d5f139ce7909ffc2211b33f7e7c5a5fe4f

memory/5000-40-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ffjdqg32.exe

MD5 ebfad6e657c7d764071f3a91b0e81f76
SHA1 09dcb7861845fe35c10591af2607ce10c2e8796d
SHA256 73594db9a10a9b9e17b19ae89802ec66b4b5645f5804a6db469de0a607d0457c
SHA512 8980407526601ef194d2028a98120b647a3518dbc2feeeacbde1a7e97b569c5633855bd24ba98edd7723c2e28e339be043dd403a1905137b75322cdc9eb48ee9

memory/324-49-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Fcnejk32.exe

MD5 61e817fe485a435e8711349b49958949
SHA1 d65a1c4fbe7a9a5518fdaad29b22be9ef9fe39b9
SHA256 a8420d86d0d95495f211a5b2e21cf0b756fbc37eaa7bf08cee6ab6fa9206b613
SHA512 903ae7c3d9f0c9ea86722f576eb2c8b54a6557be4d134bc6d352e4bf2226775bee06efe7bbdb24eddaae7ff447e3c8064a58f287a5507d82fcf472b12b71fc2d

memory/1740-57-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Fflaff32.exe

MD5 4518dcd21949f038047bbb24f2181f8a
SHA1 f5941c6c8c896833435f014e291aa1d9b902ca83
SHA256 59cb35364f2117f22cda5552ec6b5ad750e362ad297502905d6aa53849fabfc2
SHA512 14dc3dfba311ac07196a144bafef5dce2270ed7a08bab75099c202716b963977a13602540b0ad58d1159b5785b0a387c01338cd19fc3052b9b0ad0eecebf12b9

memory/3784-65-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Gfnnlffc.exe

MD5 c7acf84429fc0980576e2dfa8bff048b
SHA1 347c1d626e058861e4859446a544e33ff61e1ecf
SHA256 5195c6af77c8c317b156dbce9c7a080c02b231cabbcd0a4f55a654a34835599a
SHA512 0edc5e7d40261c9554a5c7ebe22cbd055d08176f996312a14b0f835fa707b26d2685efa6d6d391bba82ee88a7a3fad6dd878d6c65a41d80c232056181c9c08fd

C:\Windows\SysWOW64\Gimjhafg.exe

MD5 c538e2330aa8f4dc16f799348369d417
SHA1 75a3a26ef8297fb91262a68fef2ea09595629a64
SHA256 775291eadd0c05a81a6b2630f2b094229ee6109c44f9f1eec15a036a8a6de877
SHA512 5275995b20ea39921e34144957e02f1ce0e14daac6ac2f766550976dbfda8075380312b3ff4f3e4528aa72ab5aefeb496958daade20af765d61fb34e0e99efed

memory/2160-77-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Gmhfhp32.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4348-83-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Gmhfhp32.exe

MD5 463e7b1a802cb27a62c1cd8ae0ff12ff
SHA1 d92bb46f23f77dd10acab5f877684c600854ccf4
SHA256 113f630426437afd8dde38939c5079f6c3b6e1cf1564fa664bd73c5a26fdfead
SHA512 9ef5a2ad9e70846d7b8e8f852775d284b482133480f369f57ea42169142c215c241ce6e2d063b7ca689d675a1f146fc035ef3946ef1330a9e656491414914d1c

memory/4580-89-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Gqfooodg.exe

MD5 cd58890e325a3eef55ac3e5bb1af3572
SHA1 79ab6f2d61431aabb368a152c92f45386966bf74
SHA256 408c5fe6d86632fb130b120e82fd26ff84dee0890687427a38387d8e34208a86
SHA512 c2abcbd934677a3c0fb5c157a8f0fd4944a76c3530bb71e7f2607f754b50a7bd342a290deb222621c435be00354ebd9022d5d978b6a7b8aab98341657ee950bb

memory/5012-101-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3916-109-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Gfqjafdq.exe

MD5 d8c8e26439ef46aed742ed83aaf07a1d
SHA1 37fb2980debb1a0a1df4f515d8fac9f7488ab8ac
SHA256 b879ed823b74c971cdaa6f8e3f332e9f664581841931cd5dec52fab42f7de0c4
SHA512 bc7e5fa3bc332f0c6b7883ecf4bb5cccf6dcc4d90df2e21e9aaf5a101e6e60943792bded0682de099f260ea8f1316a92a42136db14436790e19384a6acabd491

C:\Windows\SysWOW64\Gcekkjcj.exe

MD5 84ffb89e7ac9b251b859747c18a11852
SHA1 89ec39593811e1ac4089bd1af2ef01b30418b0b9
SHA256 4f350084fc22fd615fadf9ff33760bd7a8cc3d4446fbb2f5c6888dc561e48d73
SHA512 ca6ea496cef57f17dc4a675fd56231ff4835ceeb849344029a6da3fe7c948b6efd39b03e4464f5128a60b7ae743c8f7648a43fedf89bc228ee1fd5ad17b62dd4

C:\Windows\SysWOW64\Gcggpj32.exe

MD5 dee061bf2960ecab0077940601ede1eb
SHA1 0a8ecd84229ecf3a3b87937e393af615bec4566b
SHA256 7bbbb731f4399fec103b60c737b46aabb3180e735ef53804d9aacd32e6d6e4a4
SHA512 62a3c10967c5add7685f83fa3bae5ab67e9ea350ddc3be867d8d4902d6504e7eeb31ce73ab52f52e7c2468515c9efac4898b765060e79a264cbe6bd7107d4874

memory/1172-149-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4800-148-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Gjapmdid.exe

MD5 f24882bfff7027f4d493977da75b7c4a
SHA1 e70ccdc7d8d6ad27d1fa7738d95401304ee30786
SHA256 eb078b4b6b9baefe38b21f0eaab664615fcf3d201665f7bffa2d7da4a978ef8e
SHA512 df92b0d72466520bc24be9af2e1c61590bf43ba7b7345ca413c8f2ccbd43b888c210fd4db33751a8730f272d66d03f79c019b758b83fa07518b52e98c97c1fc1

C:\Windows\SysWOW64\Gmoliohh.exe

MD5 9907481a75a31e06dcf429c2c86407c5
SHA1 fb4f661bc0ea93c9943572de07688809840171df
SHA256 8d7aff63f3acf4a9245fb71c8f107948f498b8b0b1332597edee1d48d590ab52
SHA512 98e36b071f5b7b8ab8c69a1bd847c471962b46b07e87b37ac0816987747566e161fe9d53b56985bd824f97c932afb735af7b57d054a84d755f28ed32f28d6580

C:\Windows\SysWOW64\Gbldaffp.exe

MD5 27f2d3447694be1b9cae1b773ffbc8d4
SHA1 225cd1f6fbeecfe341565944b89d3363f8544fc5
SHA256 612672f43a172132c64b20182fafc24c745088a939902860ea54ae3253389587
SHA512 ed5436457d306c0a9aa3d86b3465ec9b8c8cc32451ce6bbc20d0e7f356ac568306f01c808f6890b42fc2c91bd09fb7d59b0d22e00a0d3df33e8599f9f1d089fd

C:\Windows\SysWOW64\Gameonno.exe

MD5 d0105bbd5513b629da732419fd1e9e4a
SHA1 9ffb63f960acb542aa9c3b914dc61afe1dea06e6
SHA256 dd4a014e62f75518ed7fef61b2b8ad93d9740b8777783652e32dcaad1a35dbc7
SHA512 0f29ffa2a18acf74e137f898b60acd969351657acaeb0de3f01b123a01ee3f766eafec1c910395ddb64a778a16e31530b26d026dfb5741266a9899a85c1ea8cf

C:\Windows\SysWOW64\Hclakimb.exe

MD5 e6675c96c5ae53cc929015e1a47feb43
SHA1 b84568750aa5da996a9e3a7b2ce5bbd6b15309a7
SHA256 83b9460db5f179877b007c7d0bacd05549608c99db1bc1465e811ee7a5b63069
SHA512 4398a067e751e409704ecd43221e791bd30fc7c538f02241e704858ff94cbe3d3a92dc61c54de1ba19173cff8946b32e58c712524308af55aefc11673a0b0909

C:\Windows\SysWOW64\Hmdedo32.exe

MD5 8e67174c6f963881a32cb4d6674efa9b
SHA1 f570f2931a646337ac371db0ca0f882209336e41
SHA256 52f4c8ef2aedd1e75d9eff86bb3b76c0b9bfd0481a6569677caf98d902981f96
SHA512 0a2600d8ac41f9822558fd42ffee88373747a4a8ecddff12f13c7503d3a27c5b92772b3a0cd6a686d31fad9b4a0194407b38f946f81b49d66107915a0f6df3bc

memory/3492-418-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3384-425-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1388-445-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4604-453-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3088-537-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1272-562-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Jdhine32.exe

MD5 d51027806fb4c1886890927f422fa187
SHA1 4a5fa75cfccf0cfdbfb113f95f72a8897a427f9d
SHA256 9011a14a659198d2e9e5e30c6107e0f8ef16a597bfafd9bc55878e05f9fa630e
SHA512 4ee1323e0316c7acb2125b04b60a113cf2ef3fe00dd16e0e19d80a437932450b2bbf56f53ee17ddf408af1d49ba4f32bf1eb71677262d894210071bd4da4d8ad

memory/4608-581-0x0000000000400000-0x0000000000433000-memory.dmp

memory/968-593-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Jpojcf32.exe

MD5 007e0fd17004a49269bafcb42df13276
SHA1 020eec7558d031568907fbfc05ff997f91e72af2
SHA256 91635024fe017e8cd25b1f652b5ef0e304892895587f9f759334a564f21d7d8a
SHA512 898e0253cb0c9524629ace25811e91351b5c8536adc7b3b0e1954b8cb1e5109a2499610986f1e254d9780f4d4f8a1a5b6e51fd2425fc15680204ca1343629aa4

memory/3116-610-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Jangmibi.exe

MD5 42d18e20699f476bce4e38ec85a4eccd
SHA1 d47587d79cb4b153edec3b4fa8d133ba55902743
SHA256 3ff5155a9fbd8ffcac26710fef4b26140a3f24b18989c4cd51b36bc277319d76
SHA512 55ce68e8dd45068b6e3c60710cedc14e0315f1da9029f908f157c6833f6ae0cf01d7d6816737ad5e32afad692c3bdcebda4a8a08ff0d9bd81edee703777f7802

C:\Windows\SysWOW64\Kmjqmi32.exe

MD5 52e5e0d1b3af41eea99021b53cc90eab
SHA1 3b872c5ef525b5809ad11a19a2f663a757cdc253
SHA256 5798214f71c5e4be7cb3ae0c22ab6114825707344685bf4bee62ddf0341d6e8c
SHA512 d781e31913157ec9bd59cb96b6c3a4b34e6da1f3727d6b4eab53e63b9fa8cfaf06ded52522fdf7e39b0865c6d0794ed02e2f5b4d93fe0178f730f6a6098f8ed2

C:\Windows\SysWOW64\Kaemnhla.exe

MD5 d61f8b99c2e9b3797740ab8c5e662510
SHA1 f77d0f6ae4facf8f04624b0ccceb934d7098ed1d
SHA256 dbc249e1f2a4e740523f27089f5d327aa21af2d84cb5451d7c0b2ae7365fcf6c
SHA512 b13b831695785cbb21246de740150971acdd9e8d999c40247d4f481521bec3f08c36dbcb6d75cf4344d18b651eceb3d2ab9cf913a79bd07864439a3d1526fb49

C:\Windows\SysWOW64\Kcifkp32.exe

MD5 c74ba9f24ea59ec8c93c34c801816199
SHA1 7b08ae2b091296aaa479afbaebe3c62a07f71887
SHA256 6530618d24a97893de87bbe13923c3bb15760723eb54b4c58b40b2557331c257
SHA512 b2e1f426fd22d26fe3465974050b0da8893603fc54cb024c8d2c0b90ab07b623e2ada95b15a89004e091e0f9b67077112f76d1ff83a9b80efffd15fb12afe908

C:\Windows\SysWOW64\Liekmj32.exe

MD5 4ffdb87ca9a0f806d1dc36f01e53461c
SHA1 b497010d6ecaa69cf5ab921292588343ed902304
SHA256 c6a1fae71480ea5883dd948f03613458f5087c98826d8083f8ee72df34d38155
SHA512 118b1583bc28bedc8a89afd584486dd9961dee6f8a07b27e380ab930bfd71261f4e5cbaa6e72fec35e7e98506ac51ee7a19ea7564d0b22f5f95d89acef9fa238

C:\Windows\SysWOW64\Kdffocib.exe

MD5 10fc9138c6522cc05dc4145b7749187c
SHA1 93646105dfb50314248ad6c6dbc81cd8bd6ce766
SHA256 9acdcb538f5a9190d76643cc2f4598b068331b079cc74ba6df8597e72941be64
SHA512 fcd011b82e9761f60a8bd54852b0686645ac87f2f526f54fd44a52b34619791a3cfaaf86c688c550c3c74d4446e7a415efb7f558e63c599afc895cb4e969f2c0

C:\Windows\SysWOW64\Kmegbjgn.exe

MD5 3c1ebf2e24e67e900b946e5b96130f10
SHA1 71d4aac94c634bad5e087e8d8803dbe834e5a774
SHA256 6c9635fbacad731e60f57a906398f16a2267830125ff85f443746ef2395f6f57
SHA512 591cf3897c5e5347b003aa9a1272dad537fbf718dc78c891e192862d02a956c97ab8cf37a558d148d271cc1d509cc4785385b2a0256d33b81e7f233f2504e5ce

memory/4660-632-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Lpocjdld.exe

MD5 7dd4b058dda1a2f62057c5f569fa5757
SHA1 fbaed60c683a4c913f37fb93b2576151d0136aa7
SHA256 937151945263312e44b9ff049969a042c6388d57235ba60e5f071e60c03b53c0
SHA512 195f3a5a964f500eff538152931f4900ec3853e6d24c659539da8bdf070e8e66cfa4751f54a3a0fe993b994d88b309e9422af4f6e575c07b59293535ee7572f3

memory/1028-623-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2320-617-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4292-611-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Lmccchkn.exe

MD5 828b5e3991784ef30e042550861ae797
SHA1 662fba1db85053e66c45e85643aa53ce51ab98c4
SHA256 0be5177ecb5794aa6ba26ff7a37341b8843e2d8ef84fe78202024f21120e823c
SHA512 cce77243404ff42a19a7d561bc6d0246bc01347f5e0136ce27dbbd52a92de5f157b986876c83e6e97644fde14ab29ab2533f32e057924941b0f8e7c7047fae26

memory/3128-599-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3124-587-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Lilanioo.exe

MD5 12ee4b125241ed29715814fc1dda8389
SHA1 028f015b58036d43087dce79bfa661dd857d1c92
SHA256 a797ea77ebfacc3222874fb08b4d946a1e5f87a582964b0f3c57fddc3567edfd
SHA512 f5f640c3474de6be0c412dec3aed0c154db84b2d61e4ae3ad8c11459c13d9b534d5ffd918d016055ecd57fb3d673e27882335355d3f81739c0dfa62fc8c3aeca

memory/2772-575-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Laciofpa.exe

MD5 a689687399f3493c5aa2d977fdce3da5
SHA1 806f5816acd0bda592002c71b49d8871a6ff164c
SHA256 b0fa8b3539bd10e3ac653ff832a3242fe02f7b09a76dde07cf8a81c03cbc39ab
SHA512 43d22fea20b54ae20b83c507934437baa0b38f7be6a2c8bdf9194cb8404a37ee0df4971411d422469c2998ffe9e3153c65a9e676808ebdf7fface16666bd99fa

memory/440-569-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4248-563-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3368-552-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3420-548-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3288-539-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4724-538-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3940-521-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3828-520-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3772-519-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5104-518-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3320-517-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2556-516-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2808-515-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4668-514-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1496-513-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4948-512-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3432-511-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3724-510-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1604-509-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3436-508-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2340-507-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4308-470-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4076-469-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Mpkbebbf.exe

MD5 94785d10c21be62ac12cb0ff918b6c0f
SHA1 4c6979c1504a886886fbb43f6a124b293a91c2a3
SHA256 1ff278506d2722078d9062eefcd6b8beb6b8cecd4db81a21f6189eac7c359976
SHA512 fe597f45ad6b1fc4b0a82b441349f1b4d42cd8e862763a49350898d64c463cea8e5bbccb659c47ec2b5dc3f8e332cbca58a36720573ccf5ef9bc5f061a8770e4

memory/3968-468-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4184-452-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4024-451-0x0000000000400000-0x0000000000433000-memory.dmp

memory/468-450-0x0000000000400000-0x0000000000433000-memory.dmp

memory/392-449-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2196-448-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1620-447-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2220-446-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3544-444-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3468-443-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3636-442-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2792-441-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3800-440-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1456-439-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2400-438-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1068-437-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3484-436-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3572-435-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4972-434-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3500-433-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2708-432-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1972-431-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4444-430-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4636-429-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1352-428-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3308-427-0x0000000000400000-0x0000000000433000-memory.dmp

memory/548-426-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Mnocof32.exe

MD5 351c384448f6ff5c09d2538cea506f9a
SHA1 6bbfbb6fee1ead78a4faecad66095144b089fe6e
SHA256 4c4656fd7b60dbe0767ef6cb81ce0214e49f6af1b800ddc0ffdb82f6aff16696
SHA512 daced94abd0d89a75c22fae6c023c85e1bb0755455d60b5e55ff956feff9e9cc5ca48d8647d3fd7809c886994c67efaccbe407bb3780326c8b3bfdc25a5bed2b

memory/2680-424-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4056-423-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3296-422-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4968-421-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3132-420-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4600-417-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1320-416-0x0000000000400000-0x0000000000433000-memory.dmp
