Malware Analysis Report

2025-01-18 15:33

Sample ID: 240614-dwg4ssxclr
Target: 9e526de0f1c4ae54766ff7bb2147e460_NeikiAnalytics.exe
SHA256: d1b37734ac3e49a96ecb7cdc5e4581792c2bd49487abbf14e6762b3fe44ccb3e
Tags: persistence
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: d1b37734ac3e49a96ecb7cdc5e4581792c2bd49487abbf14e6762b3fe44ccb3e

Threat Level: Known bad

The file 9e526de0f1c4ae54766ff7bb2147e460_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

persistence

Adds autorun key to be loaded by Explorer.exe on startup

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Program crash

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-14 03:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-14 03:21
Reported: 2024-06-14 03:23
Platform: win7-20240611-en
Max time kernel: 118s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9e526de0f1c4ae54766ff7bb2147e460_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Nckjkl32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cpfaocal.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Mlfojn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Lapnnafn.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lfmffhde.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Liplnc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mapjmehi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Mgalqkbk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Nadpgggp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Aigchgkh.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kbkameaf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cmgechbh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Nkbalifo.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pqjfoa32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pbkbgjcc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Agdjkogm.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Baohhgnf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Kcakaipc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Aajbne32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qodlkm32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Magqncba.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mgalqkbk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Olonpp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Acfaeq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cbgjqo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mdacop32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ohaeia32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pmagdbci.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ajbggjfq.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Agfgqo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Kbkameaf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Pmagdbci.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pmccjbaf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ohaeia32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lfpclh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Nmnace32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ocfigjlp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pnimnfpc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pckoam32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cmjbhh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cbgjqo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Lfmffhde.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Mdacop32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Nmpnhdfc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mooaljkh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Pnimnfpc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Qgoapp32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nmnace32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Knklagmb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kicmdo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lcfqkl32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nkbalifo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Pbkbgjcc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Acfaeq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cpfaocal.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Knklagmb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Olonpp32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Odoloalf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ncbplk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Lfpclh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ohendqhd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ajpjakhc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Knmhgf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Liplnc32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Kcakaipc.exe N/A
N/A N/A C:\Windows\SysWOW64\Knklagmb.exe N/A
N/A N/A C:\Windows\SysWOW64\Knmhgf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kicmdo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbkameaf.exe N/A
N/A N/A C:\Windows\SysWOW64\Lghjel32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lapnnafn.exe N/A
N/A N/A C:\Windows\SysWOW64\Lfmffhde.exe N/A
N/A N/A C:\Windows\SysWOW64\Lfpclh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lphhenhc.exe N/A
N/A N/A C:\Windows\SysWOW64\Lbfdaigg.exe N/A
N/A N/A C:\Windows\SysWOW64\Liplnc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lcfqkl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mmneda32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mooaljkh.exe N/A
N/A N/A C:\Windows\SysWOW64\Mhhfdo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mapjmehi.exe N/A
N/A N/A C:\Windows\SysWOW64\Mlfojn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdacop32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mofglh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgalqkbk.exe N/A
N/A N/A C:\Windows\SysWOW64\Magqncba.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndemjoae.exe N/A
N/A N/A C:\Windows\SysWOW64\Nmnace32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nckjkl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nkbalifo.exe N/A
N/A N/A C:\Windows\SysWOW64\Nmpnhdfc.exe N/A
N/A N/A C:\Windows\SysWOW64\Ncbplk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nadpgggp.exe N/A
N/A N/A C:\Windows\SysWOW64\Nkmdpm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ohaeia32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ocfigjlp.exe N/A
N/A N/A C:\Windows\SysWOW64\Olonpp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ohendqhd.exe N/A
N/A N/A C:\Windows\SysWOW64\Oancnfoe.exe N/A
N/A N/A C:\Windows\SysWOW64\Ogkkfmml.exe N/A
N/A N/A C:\Windows\SysWOW64\Odoloalf.exe N/A
N/A N/A C:\Windows\SysWOW64\Pdaheq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pnimnfpc.exe N/A
N/A N/A C:\Windows\SysWOW64\Pqjfoa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pbkbgjcc.exe N/A
N/A N/A C:\Windows\SysWOW64\Pmagdbci.exe N/A
N/A N/A C:\Windows\SysWOW64\Pckoam32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pmccjbaf.exe N/A
N/A N/A C:\Windows\SysWOW64\Pndpajgd.exe N/A
N/A N/A C:\Windows\SysWOW64\Qijdocfj.exe N/A
N/A N/A C:\Windows\SysWOW64\Qodlkm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qqeicede.exe N/A
N/A N/A C:\Windows\SysWOW64\Qgoapp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aniimjbo.exe N/A
N/A N/A C:\Windows\SysWOW64\Acfaeq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajpjakhc.exe N/A
N/A N/A C:\Windows\SysWOW64\Aajbne32.exe N/A
N/A N/A C:\Windows\SysWOW64\Agdjkogm.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajbggjfq.exe N/A
N/A N/A C:\Windows\SysWOW64\Aaloddnn.exe N/A
N/A N/A C:\Windows\SysWOW64\Agfgqo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aigchgkh.exe N/A
N/A N/A C:\Windows\SysWOW64\Aaolidlk.exe N/A
N/A N/A C:\Windows\SysWOW64\Blobjaba.exe N/A
N/A N/A C:\Windows\SysWOW64\Bbikgk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdkgocpm.exe N/A
N/A N/A C:\Windows\SysWOW64\Baohhgnf.exe N/A
N/A N/A C:\Windows\SysWOW64\Chkmkacq.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9e526de0f1c4ae54766ff7bb2147e460_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9e526de0f1c4ae54766ff7bb2147e460_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\SysWOW64\Kcakaipc.exe N/A
N/A N/A C:\Windows\SysWOW64\Kcakaipc.exe N/A
N/A N/A C:\Windows\SysWOW64\Knklagmb.exe N/A
N/A N/A C:\Windows\SysWOW64\Knklagmb.exe N/A
N/A N/A C:\Windows\SysWOW64\Knmhgf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Knmhgf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kicmdo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kicmdo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbkameaf.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbkameaf.exe N/A
N/A N/A C:\Windows\SysWOW64\Lghjel32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lghjel32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lapnnafn.exe N/A
N/A N/A C:\Windows\SysWOW64\Lapnnafn.exe N/A
N/A N/A C:\Windows\SysWOW64\Lfmffhde.exe N/A
N/A N/A C:\Windows\SysWOW64\Lfmffhde.exe N/A
N/A N/A C:\Windows\SysWOW64\Lfpclh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lfpclh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lphhenhc.exe N/A
N/A N/A C:\Windows\SysWOW64\Lphhenhc.exe N/A
N/A N/A C:\Windows\SysWOW64\Lbfdaigg.exe N/A
N/A N/A C:\Windows\SysWOW64\Lbfdaigg.exe N/A
N/A N/A C:\Windows\SysWOW64\Liplnc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Liplnc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lcfqkl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lcfqkl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mmneda32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mmneda32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mooaljkh.exe N/A
N/A N/A C:\Windows\SysWOW64\Mooaljkh.exe N/A
N/A N/A C:\Windows\SysWOW64\Mhhfdo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mhhfdo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mapjmehi.exe N/A
N/A N/A C:\Windows\SysWOW64\Mapjmehi.exe N/A
N/A N/A C:\Windows\SysWOW64\Mlfojn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mlfojn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdacop32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdacop32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mofglh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mofglh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgalqkbk.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgalqkbk.exe N/A
N/A N/A C:\Windows\SysWOW64\Magqncba.exe N/A
N/A N/A C:\Windows\SysWOW64\Magqncba.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndemjoae.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndemjoae.exe N/A
N/A N/A C:\Windows\SysWOW64\Nmnace32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nmnace32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nckjkl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nckjkl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nkbalifo.exe N/A
N/A N/A C:\Windows\SysWOW64\Nkbalifo.exe N/A
N/A N/A C:\Windows\SysWOW64\Nmpnhdfc.exe N/A
N/A N/A C:\Windows\SysWOW64\Nmpnhdfc.exe N/A
N/A N/A C:\Windows\SysWOW64\Ncbplk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ncbplk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nadpgggp.exe N/A
N/A N/A C:\Windows\SysWOW64\Nadpgggp.exe N/A
N/A N/A C:\Windows\SysWOW64\Nkmdpm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nkmdpm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ohaeia32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ohaeia32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Knmhgf32.exe C:\Windows\SysWOW64\Knklagmb.exe N/A
File created C:\Windows\SysWOW64\Pndpajgd.exe C:\Windows\SysWOW64\Pmccjbaf.exe N/A
File opened for modification C:\Windows\SysWOW64\Aniimjbo.exe C:\Windows\SysWOW64\Qgoapp32.exe N/A
File created C:\Windows\SysWOW64\Pdlbongd.dll C:\Windows\SysWOW64\Mlfojn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nckjkl32.exe C:\Windows\SysWOW64\Nmnace32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ncbplk32.exe C:\Windows\SysWOW64\Nmpnhdfc.exe N/A
File created C:\Windows\SysWOW64\Gnnffg32.dll C:\Windows\SysWOW64\Chkmkacq.exe N/A
File created C:\Windows\SysWOW64\Negoebdd.dll C:\Windows\SysWOW64\Liplnc32.exe N/A
File created C:\Windows\SysWOW64\Pmagdbci.exe C:\Windows\SysWOW64\Pbkbgjcc.exe N/A
File opened for modification C:\Windows\SysWOW64\Ajpjakhc.exe C:\Windows\SysWOW64\Acfaeq32.exe N/A
File created C:\Windows\SysWOW64\Hkhfgj32.dll C:\Windows\SysWOW64\Acfaeq32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bdkgocpm.exe C:\Windows\SysWOW64\Bbikgk32.exe N/A
File created C:\Windows\SysWOW64\Chkmkacq.exe C:\Windows\SysWOW64\Baohhgnf.exe N/A
File opened for modification C:\Windows\SysWOW64\Mofglh32.exe C:\Windows\SysWOW64\Mdacop32.exe N/A
File created C:\Windows\SysWOW64\Fibkpd32.dll C:\Windows\SysWOW64\Ndemjoae.exe N/A
File created C:\Windows\SysWOW64\Elonamqm.dll C:\Windows\SysWOW64\Mgalqkbk.exe N/A
File created C:\Windows\SysWOW64\Pbkbgjcc.exe C:\Windows\SysWOW64\Pqjfoa32.exe N/A
File created C:\Windows\SysWOW64\Liplnc32.exe C:\Windows\SysWOW64\Lbfdaigg.exe N/A
File created C:\Windows\SysWOW64\Olonpp32.exe C:\Windows\SysWOW64\Ocfigjlp.exe N/A
File opened for modification C:\Windows\SysWOW64\Baohhgnf.exe C:\Windows\SysWOW64\Bdkgocpm.exe N/A
File created C:\Windows\SysWOW64\Mdacop32.exe C:\Windows\SysWOW64\Mlfojn32.exe N/A
File created C:\Windows\SysWOW64\Kicmdo32.exe C:\Windows\SysWOW64\Knmhgf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Liplnc32.exe C:\Windows\SysWOW64\Lbfdaigg.exe N/A
File created C:\Windows\SysWOW64\Ohaeia32.exe C:\Windows\SysWOW64\Nkmdpm32.exe N/A
File created C:\Windows\SysWOW64\Aaolidlk.exe C:\Windows\SysWOW64\Aigchgkh.exe N/A
File opened for modification C:\Windows\SysWOW64\Cmgechbh.exe C:\Windows\SysWOW64\Chkmkacq.exe N/A
File created C:\Windows\SysWOW64\Cbgjqo32.exe C:\Windows\SysWOW64\Cmjbhh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mlfojn32.exe C:\Windows\SysWOW64\Mapjmehi.exe N/A
File created C:\Windows\SysWOW64\Hjojco32.dll C:\Windows\SysWOW64\Qqeicede.exe N/A
File created C:\Windows\SysWOW64\Ckpfcfnm.dll C:\Windows\SysWOW64\Cgpjlnhh.exe N/A
File created C:\Windows\SysWOW64\Kcakaipc.exe C:\Users\Admin\AppData\Local\Temp\9e526de0f1c4ae54766ff7bb2147e460_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Gnddig32.dll C:\Windows\SysWOW64\Lfpclh32.exe N/A
File created C:\Windows\SysWOW64\Oancnfoe.exe C:\Windows\SysWOW64\Ohendqhd.exe N/A
File created C:\Windows\SysWOW64\Pqjfoa32.exe C:\Windows\SysWOW64\Pnimnfpc.exe N/A
File created C:\Windows\SysWOW64\Hnecbc32.dll C:\Windows\SysWOW64\Lfmffhde.exe N/A
File opened for modification C:\Windows\SysWOW64\Lbfdaigg.exe C:\Windows\SysWOW64\Lphhenhc.exe N/A
File created C:\Windows\SysWOW64\Ocfigjlp.exe C:\Windows\SysWOW64\Ohaeia32.exe N/A
File created C:\Windows\SysWOW64\Lcnaga32.dll C:\Windows\SysWOW64\Ohaeia32.exe N/A
File created C:\Windows\SysWOW64\Ajbggjfq.exe C:\Windows\SysWOW64\Agdjkogm.exe N/A
File created C:\Windows\SysWOW64\Ihmnkh32.dll C:\Windows\SysWOW64\Aaolidlk.exe N/A
File created C:\Windows\SysWOW64\Lapnnafn.exe C:\Windows\SysWOW64\Lghjel32.exe N/A
File created C:\Windows\SysWOW64\Jhpjaq32.dll C:\Windows\SysWOW64\Ogkkfmml.exe N/A
File created C:\Windows\SysWOW64\Ajpjakhc.exe C:\Windows\SysWOW64\Acfaeq32.exe N/A
File opened for modification C:\Windows\SysWOW64\Aajbne32.exe C:\Windows\SysWOW64\Ajpjakhc.exe N/A
File opened for modification C:\Windows\SysWOW64\Mhhfdo32.exe C:\Windows\SysWOW64\Mooaljkh.exe N/A
File created C:\Windows\SysWOW64\Qijdocfj.exe C:\Windows\SysWOW64\Pndpajgd.exe N/A
File opened for modification C:\Windows\SysWOW64\Agdjkogm.exe C:\Windows\SysWOW64\Aajbne32.exe N/A
File created C:\Windows\SysWOW64\Knmhgf32.exe C:\Windows\SysWOW64\Knklagmb.exe N/A
File created C:\Windows\SysWOW64\Aobcmana.dll C:\Windows\SysWOW64\Pmccjbaf.exe N/A
File created C:\Windows\SysWOW64\Ncmdic32.dll C:\Windows\SysWOW64\Pndpajgd.exe N/A
File created C:\Windows\SysWOW64\Aaloddnn.exe C:\Windows\SysWOW64\Ajbggjfq.exe N/A
File created C:\Windows\SysWOW64\Lphhenhc.exe C:\Windows\SysWOW64\Lfpclh32.exe N/A
File created C:\Windows\SysWOW64\Lcfqkl32.exe C:\Windows\SysWOW64\Liplnc32.exe N/A
File created C:\Windows\SysWOW64\Mlfojn32.exe C:\Windows\SysWOW64\Mapjmehi.exe N/A
File opened for modification C:\Windows\SysWOW64\Magqncba.exe C:\Windows\SysWOW64\Mgalqkbk.exe N/A
File created C:\Windows\SysWOW64\Ffjmmbcg.dll C:\Windows\SysWOW64\Pmagdbci.exe N/A
File created C:\Windows\SysWOW64\Imjcfnhk.dll C:\Windows\SysWOW64\Qodlkm32.exe N/A
File created C:\Windows\SysWOW64\Hpggbq32.dll C:\Windows\SysWOW64\Agfgqo32.exe N/A
File created C:\Windows\SysWOW64\Diaagb32.dll C:\Windows\SysWOW64\Mmneda32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nmpnhdfc.exe C:\Windows\SysWOW64\Nkbalifo.exe N/A
File created C:\Windows\SysWOW64\Lhnnjk32.dll C:\Windows\SysWOW64\Pbkbgjcc.exe N/A
File opened for modification C:\Windows\SysWOW64\Qodlkm32.exe C:\Windows\SysWOW64\Qijdocfj.exe N/A
File created C:\Windows\SysWOW64\Jmogdj32.dll C:\Windows\SysWOW64\Qgoapp32.exe N/A
File created C:\Windows\SysWOW64\Nfolbbmp.dll C:\Windows\SysWOW64\Bdkgocpm.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Ceegmj32.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfqgjgep.dll" C:\Windows\SysWOW64\Aigchgkh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lbfdaigg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ohaeia32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Oancnfoe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imjcfnhk.dll" C:\Windows\SysWOW64\Qodlkm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pndpajgd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aliolp32.dll" C:\Windows\SysWOW64\Ohendqhd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Agfgqo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lghjel32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgpmbcmh.dll" C:\Windows\SysWOW64\Lbfdaigg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecfmdf32.dll" C:\Windows\SysWOW64\Mhhfdo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Nckjkl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mooaljkh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ocfigjlp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmogdj32.dll" C:\Windows\SysWOW64\Qgoapp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ajbggjfq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Aigchgkh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ocfigjlp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cgpjlnhh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nmpnhdfc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bdkgocpm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Olonpp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aaloddnn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpcnkg32.dll" C:\Windows\SysWOW64\Kbkameaf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdlbongd.dll" C:\Windows\SysWOW64\Mlfojn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Magqncba.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Olonpp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibkpd32.dll" C:\Windows\SysWOW64\Ndemjoae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ogkkfmml.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lcfqkl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nckjkl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ncbplk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckpfcfnm.dll" C:\Windows\SysWOW64\Cgpjlnhh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjfhfnim.dll" C:\Windows\SysWOW64\Kcakaipc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaapnkij.dll" C:\Windows\SysWOW64\Olonpp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqcngnae.dll" C:\Windows\SysWOW64\Cmgechbh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llaemaih.dll" C:\Windows\SysWOW64\Cmjbhh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Lghjel32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Liplnc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ncbplk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnaga32.dll" C:\Windows\SysWOW64\Ohaeia32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Mlfojn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cmjbhh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Cgpjlnhh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Oancnfoe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjojco32.dll" C:\Windows\SysWOW64\Qqeicede.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ajpjakhc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ajbggjfq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggfblnnh.dll" C:\Windows\SysWOW64\Mooaljkh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekebnbmn.dll" C:\Windows\SysWOW64\Mdacop32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhnnjk32.dll" C:\Windows\SysWOW64\Pbkbgjcc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhpeoj32.dll" C:\Windows\SysWOW64\Ajbggjfq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoaebk32.dll" C:\Windows\SysWOW64\Kicmdo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diaagb32.dll" C:\Windows\SysWOW64\Mmneda32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ndemjoae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Acfaeq32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Nmnace32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icdleb32.dll" C:\Windows\SysWOW64\Nkmdpm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Qgoapp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Acfaeq32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Bdkgocpm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Negoebdd.dll" C:\Windows\SysWOW64\Liplnc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Mooaljkh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mhhfdo32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2980 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\9e526de0f1c4ae54766ff7bb2147e460_NeikiAnalytics.exe C:\Windows\SysWOW64\Kcakaipc.exe
PID 2980 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\9e526de0f1c4ae54766ff7bb2147e460_NeikiAnalytics.exe C:\Windows\SysWOW64\Kcakaipc.exe
PID 2980 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\9e526de0f1c4ae54766ff7bb2147e460_NeikiAnalytics.exe C:\Windows\SysWOW64\Kcakaipc.exe
PID 2980 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\9e526de0f1c4ae54766ff7bb2147e460_NeikiAnalytics.exe C:\Windows\SysWOW64\Kcakaipc.exe
PID 2148 wrote to memory of 2624 N/A C:\Windows\SysWOW64\Kcakaipc.exe C:\Windows\SysWOW64\Knklagmb.exe
PID 2148 wrote to memory of 2624 N/A C:\Windows\SysWOW64\Kcakaipc.exe C:\Windows\SysWOW64\Knklagmb.exe
PID 2148 wrote to memory of 2624 N/A C:\Windows\SysWOW64\Kcakaipc.exe C:\Windows\SysWOW64\Knklagmb.exe
PID 2148 wrote to memory of 2624 N/A C:\Windows\SysWOW64\Kcakaipc.exe C:\Windows\SysWOW64\Knklagmb.exe
PID 2624 wrote to memory of 2808 N/A C:\Windows\SysWOW64\Knklagmb.exe C:\Windows\SysWOW64\Knmhgf32.exe
PID 2624 wrote to memory of 2808 N/A C:\Windows\SysWOW64\Knklagmb.exe C:\Windows\SysWOW64\Knmhgf32.exe
PID 2624 wrote to memory of 2808 N/A C:\Windows\SysWOW64\Knklagmb.exe C:\Windows\SysWOW64\Knmhgf32.exe
PID 2624 wrote to memory of 2808 N/A C:\Windows\SysWOW64\Knklagmb.exe C:\Windows\SysWOW64\Knmhgf32.exe
PID 2808 wrote to memory of 2704 N/A C:\Windows\SysWOW64\Knmhgf32.exe C:\Windows\SysWOW64\Kicmdo32.exe
PID 2808 wrote to memory of 2704 N/A C:\Windows\SysWOW64\Knmhgf32.exe C:\Windows\SysWOW64\Kicmdo32.exe
PID 2808 wrote to memory of 2704 N/A C:\Windows\SysWOW64\Knmhgf32.exe C:\Windows\SysWOW64\Kicmdo32.exe
PID 2808 wrote to memory of 2704 N/A C:\Windows\SysWOW64\Knmhgf32.exe C:\Windows\SysWOW64\Kicmdo32.exe
PID 2704 wrote to memory of 2504 N/A C:\Windows\SysWOW64\Kicmdo32.exe C:\Windows\SysWOW64\Kbkameaf.exe
PID 2704 wrote to memory of 2504 N/A C:\Windows\SysWOW64\Kicmdo32.exe C:\Windows\SysWOW64\Kbkameaf.exe
PID 2704 wrote to memory of 2504 N/A C:\Windows\SysWOW64\Kicmdo32.exe C:\Windows\SysWOW64\Kbkameaf.exe
PID 2704 wrote to memory of 2504 N/A C:\Windows\SysWOW64\Kicmdo32.exe C:\Windows\SysWOW64\Kbkameaf.exe
PID 2504 wrote to memory of 1200 N/A C:\Windows\SysWOW64\Kbkameaf.exe C:\Windows\SysWOW64\Lghjel32.exe
PID 2504 wrote to memory of 1200 N/A C:\Windows\SysWOW64\Kbkameaf.exe C:\Windows\SysWOW64\Lghjel32.exe
PID 2504 wrote to memory of 1200 N/A C:\Windows\SysWOW64\Kbkameaf.exe C:\Windows\SysWOW64\Lghjel32.exe
PID 2504 wrote to memory of 1200 N/A C:\Windows\SysWOW64\Kbkameaf.exe C:\Windows\SysWOW64\Lghjel32.exe
PID 1200 wrote to memory of 548 N/A C:\Windows\SysWOW64\Lghjel32.exe C:\Windows\SysWOW64\Lapnnafn.exe
PID 1200 wrote to memory of 548 N/A C:\Windows\SysWOW64\Lghjel32.exe C:\Windows\SysWOW64\Lapnnafn.exe
PID 1200 wrote to memory of 548 N/A C:\Windows\SysWOW64\Lghjel32.exe C:\Windows\SysWOW64\Lapnnafn.exe
PID 1200 wrote to memory of 548 N/A C:\Windows\SysWOW64\Lghjel32.exe C:\Windows\SysWOW64\Lapnnafn.exe
PID 548 wrote to memory of 1372 N/A C:\Windows\SysWOW64\Lapnnafn.exe C:\Windows\SysWOW64\Lfmffhde.exe
PID 548 wrote to memory of 1372 N/A C:\Windows\SysWOW64\Lapnnafn.exe C:\Windows\SysWOW64\Lfmffhde.exe
PID 548 wrote to memory of 1372 N/A C:\Windows\SysWOW64\Lapnnafn.exe C:\Windows\SysWOW64\Lfmffhde.exe
PID 548 wrote to memory of 1372 N/A C:\Windows\SysWOW64\Lapnnafn.exe C:\Windows\SysWOW64\Lfmffhde.exe
PID 1372 wrote to memory of 2596 N/A C:\Windows\SysWOW64\Lfmffhde.exe C:\Windows\SysWOW64\Lfpclh32.exe
PID 1372 wrote to memory of 2596 N/A C:\Windows\SysWOW64\Lfmffhde.exe C:\Windows\SysWOW64\Lfpclh32.exe
PID 1372 wrote to memory of 2596 N/A C:\Windows\SysWOW64\Lfmffhde.exe C:\Windows\SysWOW64\Lfpclh32.exe
PID 1372 wrote to memory of 2596 N/A C:\Windows\SysWOW64\Lfmffhde.exe C:\Windows\SysWOW64\Lfpclh32.exe
PID 2596 wrote to memory of 1992 N/A C:\Windows\SysWOW64\Lfpclh32.exe C:\Windows\SysWOW64\Lphhenhc.exe
PID 2596 wrote to memory of 1992 N/A C:\Windows\SysWOW64\Lfpclh32.exe C:\Windows\SysWOW64\Lphhenhc.exe
PID 2596 wrote to memory of 1992 N/A C:\Windows\SysWOW64\Lfpclh32.exe C:\Windows\SysWOW64\Lphhenhc.exe
PID 2596 wrote to memory of 1992 N/A C:\Windows\SysWOW64\Lfpclh32.exe C:\Windows\SysWOW64\Lphhenhc.exe
PID 1992 wrote to memory of 1848 N/A C:\Windows\SysWOW64\Lphhenhc.exe C:\Windows\SysWOW64\Lbfdaigg.exe
PID 1992 wrote to memory of 1848 N/A C:\Windows\SysWOW64\Lphhenhc.exe C:\Windows\SysWOW64\Lbfdaigg.exe
PID 1992 wrote to memory of 1848 N/A C:\Windows\SysWOW64\Lphhenhc.exe C:\Windows\SysWOW64\Lbfdaigg.exe
PID 1992 wrote to memory of 1848 N/A C:\Windows\SysWOW64\Lphhenhc.exe C:\Windows\SysWOW64\Lbfdaigg.exe
PID 1848 wrote to memory of 1408 N/A C:\Windows\SysWOW64\Lbfdaigg.exe C:\Windows\SysWOW64\Liplnc32.exe
PID 1848 wrote to memory of 1408 N/A C:\Windows\SysWOW64\Lbfdaigg.exe C:\Windows\SysWOW64\Liplnc32.exe
PID 1848 wrote to memory of 1408 N/A C:\Windows\SysWOW64\Lbfdaigg.exe C:\Windows\SysWOW64\Liplnc32.exe
PID 1848 wrote to memory of 1408 N/A C:\Windows\SysWOW64\Lbfdaigg.exe C:\Windows\SysWOW64\Liplnc32.exe
PID 1408 wrote to memory of 2428 N/A C:\Windows\SysWOW64\Liplnc32.exe C:\Windows\SysWOW64\Lcfqkl32.exe
PID 1408 wrote to memory of 2428 N/A C:\Windows\SysWOW64\Liplnc32.exe C:\Windows\SysWOW64\Lcfqkl32.exe
PID 1408 wrote to memory of 2428 N/A C:\Windows\SysWOW64\Liplnc32.exe C:\Windows\SysWOW64\Lcfqkl32.exe
PID 1408 wrote to memory of 2428 N/A C:\Windows\SysWOW64\Liplnc32.exe C:\Windows\SysWOW64\Lcfqkl32.exe
PID 2428 wrote to memory of 800 N/A C:\Windows\SysWOW64\Lcfqkl32.exe C:\Windows\SysWOW64\Mmneda32.exe
PID 2428 wrote to memory of 800 N/A C:\Windows\SysWOW64\Lcfqkl32.exe C:\Windows\SysWOW64\Mmneda32.exe
PID 2428 wrote to memory of 800 N/A C:\Windows\SysWOW64\Lcfqkl32.exe C:\Windows\SysWOW64\Mmneda32.exe
PID 2428 wrote to memory of 800 N/A C:\Windows\SysWOW64\Lcfqkl32.exe C:\Windows\SysWOW64\Mmneda32.exe
PID 800 wrote to memory of 2280 N/A C:\Windows\SysWOW64\Mmneda32.exe C:\Windows\SysWOW64\Mooaljkh.exe
PID 800 wrote to memory of 2280 N/A C:\Windows\SysWOW64\Mmneda32.exe C:\Windows\SysWOW64\Mooaljkh.exe
PID 800 wrote to memory of 2280 N/A C:\Windows\SysWOW64\Mmneda32.exe C:\Windows\SysWOW64\Mooaljkh.exe
PID 800 wrote to memory of 2280 N/A C:\Windows\SysWOW64\Mmneda32.exe C:\Windows\SysWOW64\Mooaljkh.exe
PID 2280 wrote to memory of 2776 N/A C:\Windows\SysWOW64\Mooaljkh.exe C:\Windows\SysWOW64\Mhhfdo32.exe
PID 2280 wrote to memory of 2776 N/A C:\Windows\SysWOW64\Mooaljkh.exe C:\Windows\SysWOW64\Mhhfdo32.exe
PID 2280 wrote to memory of 2776 N/A C:\Windows\SysWOW64\Mooaljkh.exe C:\Windows\SysWOW64\Mhhfdo32.exe
PID 2280 wrote to memory of 2776 N/A C:\Windows\SysWOW64\Mooaljkh.exe C:\Windows\SysWOW64\Mhhfdo32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9e526de0f1c4ae54766ff7bb2147e460_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9e526de0f1c4ae54766ff7bb2147e460_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Kcakaipc.exe

C:\Windows\system32\Kcakaipc.exe

C:\Windows\SysWOW64\Knklagmb.exe

C:\Windows\system32\Knklagmb.exe

C:\Windows\SysWOW64\Knmhgf32.exe

C:\Windows\system32\Knmhgf32.exe

C:\Windows\SysWOW64\Kicmdo32.exe

C:\Windows\system32\Kicmdo32.exe

C:\Windows\SysWOW64\Kbkameaf.exe

C:\Windows\system32\Kbkameaf.exe

C:\Windows\SysWOW64\Lghjel32.exe

C:\Windows\system32\Lghjel32.exe

C:\Windows\SysWOW64\Lapnnafn.exe

C:\Windows\system32\Lapnnafn.exe

C:\Windows\SysWOW64\Lfmffhde.exe

C:\Windows\system32\Lfmffhde.exe

C:\Windows\SysWOW64\Lfpclh32.exe

C:\Windows\system32\Lfpclh32.exe

C:\Windows\SysWOW64\Lphhenhc.exe

C:\Windows\system32\Lphhenhc.exe

C:\Windows\SysWOW64\Lbfdaigg.exe

C:\Windows\system32\Lbfdaigg.exe

C:\Windows\SysWOW64\Liplnc32.exe

C:\Windows\system32\Liplnc32.exe

C:\Windows\SysWOW64\Lcfqkl32.exe

C:\Windows\system32\Lcfqkl32.exe

C:\Windows\SysWOW64\Mmneda32.exe

C:\Windows\system32\Mmneda32.exe

C:\Windows\SysWOW64\Mooaljkh.exe

C:\Windows\system32\Mooaljkh.exe

C:\Windows\SysWOW64\Mhhfdo32.exe

C:\Windows\system32\Mhhfdo32.exe

C:\Windows\SysWOW64\Mapjmehi.exe

C:\Windows\system32\Mapjmehi.exe

C:\Windows\SysWOW64\Mlfojn32.exe

C:\Windows\system32\Mlfojn32.exe

C:\Windows\SysWOW64\Mdacop32.exe

C:\Windows\system32\Mdacop32.exe

C:\Windows\SysWOW64\Mofglh32.exe

C:\Windows\system32\Mofglh32.exe

C:\Windows\SysWOW64\Mgalqkbk.exe

C:\Windows\system32\Mgalqkbk.exe

C:\Windows\SysWOW64\Magqncba.exe

C:\Windows\system32\Magqncba.exe

C:\Windows\SysWOW64\Ndemjoae.exe

C:\Windows\system32\Ndemjoae.exe

C:\Windows\SysWOW64\Nmnace32.exe

C:\Windows\system32\Nmnace32.exe

C:\Windows\SysWOW64\Nckjkl32.exe

C:\Windows\system32\Nckjkl32.exe

C:\Windows\SysWOW64\Nkbalifo.exe

C:\Windows\system32\Nkbalifo.exe

C:\Windows\SysWOW64\Nmpnhdfc.exe

C:\Windows\system32\Nmpnhdfc.exe

C:\Windows\SysWOW64\Ncbplk32.exe

C:\Windows\system32\Ncbplk32.exe

C:\Windows\SysWOW64\Nadpgggp.exe

C:\Windows\system32\Nadpgggp.exe

C:\Windows\SysWOW64\Nkmdpm32.exe

C:\Windows\system32\Nkmdpm32.exe

C:\Windows\SysWOW64\Ohaeia32.exe

C:\Windows\system32\Ohaeia32.exe

C:\Windows\SysWOW64\Ocfigjlp.exe

C:\Windows\system32\Ocfigjlp.exe

C:\Windows\SysWOW64\Olonpp32.exe

C:\Windows\system32\Olonpp32.exe

C:\Windows\SysWOW64\Ohendqhd.exe

C:\Windows\system32\Ohendqhd.exe

C:\Windows\SysWOW64\Oancnfoe.exe

C:\Windows\system32\Oancnfoe.exe

C:\Windows\SysWOW64\Ogkkfmml.exe

C:\Windows\system32\Ogkkfmml.exe

C:\Windows\SysWOW64\Odoloalf.exe

C:\Windows\system32\Odoloalf.exe

C:\Windows\SysWOW64\Pdaheq32.exe

C:\Windows\system32\Pdaheq32.exe

C:\Windows\SysWOW64\Pnimnfpc.exe

C:\Windows\system32\Pnimnfpc.exe

C:\Windows\SysWOW64\Pqjfoa32.exe

C:\Windows\system32\Pqjfoa32.exe

C:\Windows\SysWOW64\Pbkbgjcc.exe

C:\Windows\system32\Pbkbgjcc.exe

C:\Windows\SysWOW64\Pmagdbci.exe

C:\Windows\system32\Pmagdbci.exe

C:\Windows\SysWOW64\Pckoam32.exe

C:\Windows\system32\Pckoam32.exe

C:\Windows\SysWOW64\Pmccjbaf.exe

C:\Windows\system32\Pmccjbaf.exe

C:\Windows\SysWOW64\Pndpajgd.exe

C:\Windows\system32\Pndpajgd.exe

C:\Windows\SysWOW64\Qijdocfj.exe

C:\Windows\system32\Qijdocfj.exe

C:\Windows\SysWOW64\Qodlkm32.exe

C:\Windows\system32\Qodlkm32.exe

C:\Windows\SysWOW64\Qqeicede.exe

C:\Windows\system32\Qqeicede.exe

C:\Windows\SysWOW64\Qgoapp32.exe

C:\Windows\system32\Qgoapp32.exe

C:\Windows\SysWOW64\Aniimjbo.exe

C:\Windows\system32\Aniimjbo.exe

C:\Windows\SysWOW64\Acfaeq32.exe

C:\Windows\system32\Acfaeq32.exe

C:\Windows\SysWOW64\Ajpjakhc.exe

C:\Windows\system32\Ajpjakhc.exe

C:\Windows\SysWOW64\Aajbne32.exe

C:\Windows\system32\Aajbne32.exe

C:\Windows\SysWOW64\Agdjkogm.exe

C:\Windows\system32\Agdjkogm.exe

C:\Windows\SysWOW64\Ajbggjfq.exe

C:\Windows\system32\Ajbggjfq.exe

C:\Windows\SysWOW64\Aaloddnn.exe

C:\Windows\system32\Aaloddnn.exe

C:\Windows\SysWOW64\Agfgqo32.exe

C:\Windows\system32\Agfgqo32.exe

C:\Windows\SysWOW64\Aigchgkh.exe

C:\Windows\system32\Aigchgkh.exe

C:\Windows\SysWOW64\Aaolidlk.exe

C:\Windows\system32\Aaolidlk.exe

C:\Windows\SysWOW64\Blobjaba.exe

C:\Windows\system32\Blobjaba.exe

C:\Windows\SysWOW64\Bbikgk32.exe

C:\Windows\system32\Bbikgk32.exe

C:\Windows\SysWOW64\Bdkgocpm.exe

C:\Windows\system32\Bdkgocpm.exe

C:\Windows\SysWOW64\Baohhgnf.exe

C:\Windows\system32\Baohhgnf.exe

C:\Windows\SysWOW64\Chkmkacq.exe

C:\Windows\system32\Chkmkacq.exe

C:\Windows\SysWOW64\Cmgechbh.exe

C:\Windows\system32\Cmgechbh.exe

C:\Windows\SysWOW64\Cpfaocal.exe

C:\Windows\system32\Cpfaocal.exe

C:\Windows\SysWOW64\Cgpjlnhh.exe

C:\Windows\system32\Cgpjlnhh.exe

C:\Windows\SysWOW64\Cmjbhh32.exe

C:\Windows\system32\Cmjbhh32.exe

C:\Windows\SysWOW64\Cbgjqo32.exe

C:\Windows\system32\Cbgjqo32.exe

C:\Windows\SysWOW64\Ceegmj32.exe

C:\Windows\system32\Ceegmj32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 568 -s 140

Network

N/A

Files

SHA512 d678f1875e82c4aa8e2a6755050a5a7b9c02e10ce4d95eb269521da7e5760dd1b809c7e9eada9d48c2c709443e73bfa9bda9841d94987f9e0e4f1fe9da3cd250

memory/2392-469-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1040-467-0x0000000000450000-0x0000000000491000-memory.dmp

memory/2624-462-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2148-451-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2980-441-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2240-440-0x0000000000220000-0x0000000000261000-memory.dmp

C:\Windows\SysWOW64\Odoloalf.exe

MD5 cdab56830e429aaab72cd65ca034fc54
SHA1 59219c1e75d3f9ae0229ec202f1772b2791c094f
SHA256 a9e6ed938f65dd783021198169b3844f4e7d6c2625495e05b9001c1225a622d0
SHA512 0ccfffb0b5769710f0f11d05d4e6fc945e71b2bbe9cbfcf5289f549bd0966410e73a807e66c270a9c7c48466e94655f9aaba1a9a4634605a178b6a1a8d0563a8

memory/3060-429-0x00000000002C0000-0x0000000000301000-memory.dmp

memory/772-418-0x0000000000220000-0x0000000000261000-memory.dmp

memory/772-419-0x0000000000220000-0x0000000000261000-memory.dmp

C:\Windows\SysWOW64\Oancnfoe.exe

MD5 038cc7b96fe5abdd794dfc82b2d1748c
SHA1 984ebfbeb6807a3724e9b2efac91142c7a04af12
SHA256 adf5e8a82420923dcdb6d84e92dfa5c8247c24a497355e2fd73a4ce12ed96640
SHA512 19ab8ba871bbf0933b0a9fc344a5dc9e6c2818298d66e29718137f160087e5a05d69a77e9522817b6f1781f795eee6ae0ef143e466d0183baf879090064c6363

memory/772-409-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2472-408-0x0000000000450000-0x0000000000491000-memory.dmp

memory/2472-407-0x0000000000450000-0x0000000000491000-memory.dmp

memory/2472-402-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2568-396-0x0000000000230000-0x0000000000271000-memory.dmp

C:\Windows\SysWOW64\Olonpp32.exe

MD5 89e67d36ad30d431a0da3f97823f0cb1
SHA1 4be31ede65f5c68801eecd3983f2ba6d03ca4c66
SHA256 e69dac56cf7dbaa456f4d75889e49b2ba8d495c6ae83f62b56f2735515effb53
SHA512 8452c2445e14496b18cc22390e558cfd7f904ec46e1d4dbc567bddf94d21e9ee991a9516a344c45b728b1797b29ebb51da4afdc2219254a2912c26493e3cfdf2

memory/2656-386-0x00000000002A0000-0x00000000002E1000-memory.dmp

memory/2656-385-0x00000000002A0000-0x00000000002E1000-memory.dmp

C:\Windows\SysWOW64\Ocfigjlp.exe

MD5 b2334ad5fd23d46e4be6fbde4d13b66f
SHA1 480711ce0f4c9f343b3fd135bca5c85f4b189148
SHA256 876dcf60bb44483c762ef5a21e6d5d752cd17d5ef6c6160dc3d8f2c8a283ac38
SHA512 ea87cfeba47f2f077e604ee1536e42c4843619367f3a2d29ea04021e165cdb25a8434474851fb038518fa4a87233ecbc4d5069da25aaec7e0b643139d5e2db50

memory/2656-380-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2652-375-0x00000000002E0000-0x0000000000321000-memory.dmp

memory/2652-374-0x00000000002E0000-0x0000000000321000-memory.dmp

C:\Windows\SysWOW64\Ohaeia32.exe

MD5 f51666ba151134692e63988ad806f5a0
SHA1 2b9de39a4ef48f91cae7a1804b6fadd3e2b53720
SHA256 547b87b03953d43b37c2d7fd6bb06331370228e7875c492590c35335662e30e4
SHA512 d61c0c9ad57d7cfb1714dd3041288c9697b36ae0a4cd91390bebc498e2d1ec9a023f7820045092caceb13ed111d9b6e30ddadc974b0209edaf9b906595681779

memory/3056-363-0x0000000000450000-0x0000000000491000-memory.dmp

memory/3056-359-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1692-353-0x0000000000220000-0x0000000000261000-memory.dmp

memory/1692-350-0x0000000000220000-0x0000000000261000-memory.dmp

memory/1692-346-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2076-341-0x0000000000220000-0x0000000000261000-memory.dmp

memory/2076-340-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2320-339-0x00000000001B0000-0x00000000001F1000-memory.dmp

C:\Windows\SysWOW64\Ncbplk32.exe

MD5 c8e8cc7acadf6fd2107456ec599a8cb0
SHA1 c84fdca63dd395173a04bc4182ace7b570f5fff0
SHA256 5b302c15d78e0e798a2d5c582dc298a82a7a75e6e53212f461edd016e9169126
SHA512 b86fe8f032434bb680515ea631c8b4ab3bfce27e1ad7f48889a1dd9936d6f838100fa509dcb7f4340e1d9e7bd835355469324656fd1aef613badf0133ea9f6d6

memory/2320-335-0x00000000001B0000-0x00000000001F1000-memory.dmp

C:\Windows\SysWOW64\Nckjkl32.exe

MD5 75d91982e92bea12959bb1e3b0486077
SHA1 4021ed93508548145497e39f824d4432f0abce74
SHA256 ce16e6e16e20c5cd7240af85aeb499555cf408466f33b2ee14a7b20b5e9a950e
SHA512 5f16f3d7605c5afbef11c3e4f254c513c14b6c9fe81a19ae0061daa784f6bed60190793f6914bd5a9df4cb2095199b0d9100183d2cf4d4b8ce3bc96a92d23563

memory/608-296-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1464-299-0x0000000000400000-0x0000000000441000-memory.dmp

memory/608-298-0x0000000000220000-0x0000000000261000-memory.dmp

memory/608-297-0x0000000000220000-0x0000000000261000-memory.dmp

memory/1352-291-0x00000000003A0000-0x00000000003E1000-memory.dmp

C:\Windows\SysWOW64\Ndemjoae.exe

MD5 a446c3497f059c4a082bffb494f954d7
SHA1 a22a9673d02f5c4cf81b8f6a722583d15170aaaf
SHA256 4b6ae64d572884a9a0844e1bbb26b8bde51f261a37ca5b01c693a7f42a21d846
SHA512 48ff98d03aa925abce26aa32b3d9ac0714a2cba7939d83d9fa265cb00f01490614e378e837bb1c559eda79f9ed274c9573b64537c45f53abfc2520079e2fe5e5

memory/1488-277-0x0000000000220000-0x0000000000261000-memory.dmp

memory/1488-276-0x0000000000220000-0x0000000000261000-memory.dmp

memory/1488-271-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1892-270-0x0000000000290000-0x00000000002D1000-memory.dmp

memory/1892-267-0x0000000000290000-0x00000000002D1000-memory.dmp

memory/2348-255-0x0000000000790000-0x00000000007D1000-memory.dmp

memory/2348-254-0x0000000000790000-0x00000000007D1000-memory.dmp

C:\Windows\SysWOW64\Mofglh32.exe

MD5 9182982f087f1d831e52903e3e394e83
SHA1 25013c74ca42f7b5dae7a84f666bbd8e7c41e1ea
SHA256 7f0eee09bbbf74514cf48d20e5b9ed3cf09afa3c26b60fc891c62d19c01f7655
SHA512 e9f171fac317a4d06aeac4521f3d03edd265a26036fc394978e04e1fdfbcafeb6b3da7d0f4af6cfeb7382f648f130b2a7a52fbfda622e7981d1d989f31dda56f

C:\Windows\SysWOW64\Mdacop32.exe

MD5 b5e6d8512a9d53d3b5929b30ade232a6
SHA1 4502e36571260a29f7a260699764d95ec45a0210
SHA256 b4cea3ee1c530174d76f32c79034f5016aa7846720f3ded0975c5dc999e4fae4
SHA512 7d74c1910746d9dee96dea65fcf698fad7b2364f6ad512807bafb2143d91129d2a5d054d7ec1562e642016f82cad8f98d2923a0c265d59e25ffb17b0dc927967

memory/2132-236-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1960-235-0x0000000000220000-0x0000000000261000-memory.dmp

memory/2776-225-0x0000000000220000-0x0000000000261000-memory.dmp

C:\Windows\SysWOW64\Mapjmehi.exe

MD5 ca9a2916c4499d0587faf03cdf1ecc75
SHA1 9f59ef988452ac1192f3283821517fafbaca561e
SHA256 634545e8c0a15359b419ae82df3d9ffdd4f5b85761004921c764a0f05169d0a2
SHA512 015654220c68df52582a96269f7c407e316721764ea78dc5abe605ea017cce9c229dc539cc0e19afee307965d029c3ca551d1f2113c19c2ff2106e047dc6804b

C:\Windows\SysWOW64\Mhhfdo32.exe

MD5 ba8036ad81b25e22d75a1a69a417cdb4
SHA1 fe633f87abc102988b89676d7d44c4e865726aa4
SHA256 c045cba1abf247533f056b786878f422552b3ff128ddaf869f1d3c27df24dd88
SHA512 9baffae26afdca864feb245f1cd817ebd277615af8626446450f60c1801cbcbef2fcad5637ad02950b27b896289d058b064cc565edca183b75545115d919035a

memory/2280-201-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Mmneda32.exe

MD5 a770df9c6f01fd71df368d5b57bcfab9
SHA1 19ee2ba3c5aa5b4b729293e205ff85999ac47bf7
SHA256 98704479dbc2588360711ed39ac39b16a6c52a931da246f6159c49687abb644a
SHA512 bc89f052e92b2e1beab8a0eead61ee7a846e88998a781a2cb3eea5a16ae9361aa4e523e8ff0b472df5f0005b75398577155884763464de4d8d9766fc3723164f

memory/800-188-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2428-174-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1408-161-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1992-135-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1372-121-0x0000000000220000-0x0000000000261000-memory.dmp

memory/548-107-0x0000000000450000-0x0000000000491000-memory.dmp

memory/1200-88-0x0000000000450000-0x0000000000491000-memory.dmp

memory/1200-81-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Kicmdo32.exe

MD5 a60beaf1245ddd5e4efb33191699000d
SHA1 2b34c766018d2fe60cc90009e98b15e22595f6ea
SHA256 9523d4e3283e15ea4476370b5f3ba5cc260e7151bae6574caee4ef2ba543956f
SHA512 46ea26c2fd9f5c2cc2dd545c1a349ea38e279455ff0b175fcfd2ca70258fde9bb58ba1b372063e0f2f50b9ce703862b539e8a689d315084518eee8e17def5988

C:\Windows\SysWOW64\Aaolidlk.exe

MD5 bdfc1f95a56f34922ef649decbb7b99c
SHA1 2574bb109a2975d29006f232e885ee2820f9bea6
SHA256 14ced57d8e745eac94825c73c406ca13a11936069410916840498056665f3f1c
SHA512 d0b41ab168a195d134b81fa84479bc7f8bc8be9cc94ef6ce220ff05acd3cb5e45d4ce0e60cc95fa511fe25f0ad654a8c828afa883df7ad737004006084a45234

C:\Windows\SysWOW64\Blobjaba.exe

MD5 74e1e848e934505d706e6a070528bf1c
SHA1 da54cc9c4e17c88c1adcaf926202266dd3cc7f83
SHA256 717671e0f5afdfdf8db4a3149ac0d15d13c33c12ce778e9693a03a543f316eee
SHA512 b99eca28d207d213fed727d05040ed27870fcce26c885d05598a4940ec2a1b189ac1bf6a3d7d9507088f44e00954006614af2578fde09157e36f86aaa6047fc2

C:\Windows\SysWOW64\Bbikgk32.exe

MD5 79c3381a2cc22f2475b9d32fe17db5c3
SHA1 0ebe8ea73d7039ef78f71e52b6293c4867cd91b3
SHA256 362fb8806dd264b44fec4e4dc29beaedb447264abdf7cd39dab71fc4e14a597b
SHA512 725c999c6574a57eacaf49696085f2659cca8cea6b443e9bffbad2e69cfbf2865d798e105fba5023bae3a057f779adb9aadd92cb78068f6731984e8623948d7b

C:\Windows\SysWOW64\Bdkgocpm.exe

MD5 0f1a75e47aa4df7e4637b13e479eac3c
SHA1 5c516b8030786999f49147f0c31a07fe4a698754
SHA256 b930e387c97bfa9c517309755359584998cfc65b13140bee51a3deed7db1b7be
SHA512 8c87958176edc4db18b0ab38b6b8b092cb9d88743def1c189d8ad517156b10532822aed4e59d26986a6b7dcefd931d6cef30cc3230ef625bce7e5a7fcf35afc9

C:\Windows\SysWOW64\Baohhgnf.exe

MD5 5b650681825ef9485271b0492ab1d05d
SHA1 bf64a0380f4aa29bd030360c725d250238f64df4
SHA256 6b0c2fd872f332dfa34267b3732a0a2068156d77a3648b6569ce78deaf50451c
SHA512 4efd7a63a57fdd6c1d41d4a123a2d9c870df25de52ee73bc2bd3d831c1dbe29e0f34a46523ecef422f815159152839d44d8a6cb583aacb1f83b2f7c9eb11164a

C:\Windows\SysWOW64\Chkmkacq.exe

MD5 aab90ee8f5870f19427bdcf60d719342
SHA1 4e451375f45eeeeab65fc6d90f9e923456559b21
SHA256 faa65503575f7c478f3db1e9119ec12a74e945eff9aadd6c6fa1eeb774e8dc26
SHA512 d6f26d2c3ca31f574564610be9706f9a2444eee0763ffb2ad8e9aa3827e709a03e1d8031c9ffbfb60aa1e7dbf88a4c169190cdb749bc5dab9cdcde6bc325fbf1

C:\Windows\SysWOW64\Cmgechbh.exe

MD5 266e507a1d4b8ccc9dd3a77e3eefaa88
SHA1 3b99abbc58cc269a97f110b2226e23ef5c5e149a
SHA256 98861b353d0c19037e1ceb1771258443ffceef256e08116b6948e2d9d1b4904c
SHA512 68b908ba8800a5e114c6193bfe9e8b6b91030ee730e276b38de179a2608ffbadcf1290bd88955f0188150b9d90cce7c6db1fcfddf4742583700417cc62d21c4c

C:\Windows\SysWOW64\Cpfaocal.exe

MD5 7716420204e49db13b50ad550fd1520a
SHA1 fab3151cd76c62dd93386b86cdb898e6b6ab8e98
SHA256 c67440a0881d065fe6bcbfa8d0159aced6b287c8230f29acd7bbcbbb23a8a2ec
SHA512 6e5e86aec787d61255c12e01c621dd47a68233cc89a73d9d641848da43dc43d3d74beed479ec72e950ad6f57e9ae8fedc94316eb6674a4f5fe930dd0b59df268

C:\Windows\SysWOW64\Cgpjlnhh.exe

MD5 28cc8a23e403423384fce98f2528c56c
SHA1 2668438878c6049316db2747a85dc613578697ea
SHA256 a25fcc0a483835e18ec9759f50f23ac673aee3eed1c95fdaadc72fa6f5a9ceb8
SHA512 70bef3c406cdacd6ce92c35e994ef57a51a13730ae8d24e3da798a092deca14b2791adf3dd5486103e664bd4cf4543b3689dd44c88e2e4b8a4cc26984c0d435b

C:\Windows\SysWOW64\Cmjbhh32.exe

MD5 abd9107b3b8c8d62d04cf1645d1c5bb0
SHA1 f00feb804331a27f0b7b8a01b95199ac94c179b8
SHA256 c8fbf4f4f9ebb35242a9cc538eb56d4f78f13bad54be138b95efc2a29e714938
SHA512 c65c91007ea4f68ca12116d08f6e5f9a3430d4660d4086d9f5b40866f57f3393217b34528cc07ae7a8026b655c6799de2fe3ff0219115975f0dfde74cda8064f

C:\Windows\SysWOW64\Cbgjqo32.exe

MD5 65fa60193688b8e779f2dc7ac52758c1
SHA1 acec9c0b3911d174018849f28a41e06c54cded18
SHA256 69b4570958044327161ddc0aee968bb472482198cdaf4a6f2fc78cc040ece52c
SHA512 1f003d18ee9d66d722ba01b25b55dec2538193d3c4dbd1099d0daa72403b446093315b25003a4bcb21cf4bcbb7a435ac056bb7d8bd1f435699f1690a0ce05bff

C:\Windows\SysWOW64\Ceegmj32.exe

MD5 b40db9e0a2f4e589994f32f8a9e1496e
SHA1 7bcf2a1f3ede7d69e9367f1f3dfc7bb3d20d884b
SHA256 e634780f14e3a07424879779a8bccf47012d9608a6d498de71fc30f8f46e042e
SHA512 1075c14ed5b381df1899beeab3558a6542b17eaa9e4fb550f9192e4cfbf4a4e9b7d1e40db551fcfd57a297698355e84b2c73418e0ce41dec27463313edf27128

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 03:21

Reported

2024-06-14 03:23

Platform

win10v2004-20240611-en

Max time kernel

92s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9e526de0f1c4ae54766ff7bb2147e460_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Imdnklfp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jaljgidl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ejjqeg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Eqciba32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Fodeolof.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gbcakg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gjjjle32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gqkhjn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Jbocea32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lkgdml32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Lpcmec32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nbhkac32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ebeejijj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hikfip32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kgmlkp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Mcklgm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mkepnjng.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Njljefql.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gjjjle32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jjpeepnb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ldohebqh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Mjcgohig.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Nklfoi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Njcpee32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gmhfhp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gfedle32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Liekmj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ldmlpbbj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Lnepih32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hpenfjad.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Haidklda.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kgfoan32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lalcng32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Nbhkac32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ecmlcmhe.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mkbchk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lpcmec32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Mglack32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ejegjh32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fqohnp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fodeolof.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Imgkql32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Liekmj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Maohkd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ldkojb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mkpgck32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eqciba32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hmklen32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hpihai32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Jidbflcj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Jaljgidl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Jiikak32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Maohkd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Nkncdifl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Fbqefhpm.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gjapmdid.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hjfihc32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jdcpcf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Kpepcedo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mpolqa32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gfqjafdq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Kgbefoji.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lmccchkn.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gjclbc32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Ehekqe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eckonn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejegjh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Elccfc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecmlcmhe.exe N/A
N/A N/A C:\Windows\SysWOW64\Eflhoigi.exe N/A
N/A N/A C:\Windows\SysWOW64\Eqalmafo.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecphimfb.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejjqeg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eqciba32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebeejijj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejlmkgkl.exe N/A
N/A N/A C:\Windows\SysWOW64\Eoifcnid.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjnjqfij.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmmfmbhn.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjqgff32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fomonm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbllkh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fifdgblo.exe N/A
N/A N/A C:\Windows\SysWOW64\Fqmlhpla.exe N/A
N/A N/A C:\Windows\SysWOW64\Fckhdk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjepaecb.exe N/A
N/A N/A C:\Windows\SysWOW64\Fqohnp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbqefhpm.exe N/A
N/A N/A C:\Windows\SysWOW64\Fijmbb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fodeolof.exe N/A
N/A N/A C:\Windows\SysWOW64\Gbcakg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gjjjle32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gmhfhp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gfqjafdq.exe N/A
N/A N/A C:\Windows\SysWOW64\Giofnacd.exe N/A
N/A N/A C:\Windows\SysWOW64\Goiojk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gfcgge32.exe N/A
N/A N/A C:\Windows\SysWOW64\Giacca32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gqikdn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gcggpj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gfedle32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gjapmdid.exe N/A
N/A N/A C:\Windows\SysWOW64\Gqkhjn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gbldaffp.exe N/A
N/A N/A C:\Windows\SysWOW64\Gjclbc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gameonno.exe N/A
N/A N/A C:\Windows\SysWOW64\Hboagf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hjfihc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hmdedo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hpbaqj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hfljmdjc.exe N/A
N/A N/A C:\Windows\SysWOW64\Hikfip32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hpenfjad.exe N/A
N/A N/A C:\Windows\SysWOW64\Hbckbepg.exe N/A
N/A N/A C:\Windows\SysWOW64\Himcoo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hpgkkioa.exe N/A
N/A N/A C:\Windows\SysWOW64\Hfachc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hmklen32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hpihai32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hfcpncdk.exe N/A
N/A N/A C:\Windows\SysWOW64\Haidklda.exe N/A
N/A N/A C:\Windows\SysWOW64\Icgqggce.exe N/A
N/A N/A C:\Windows\SysWOW64\Iidipnal.exe N/A
N/A N/A C:\Windows\SysWOW64\Iakaql32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ibmmhdhm.exe N/A
N/A N/A C:\Windows\SysWOW64\Iiffen32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ipqnahgf.exe N/A
N/A N/A C:\Windows\SysWOW64\Ibojncfj.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Fijmbb32.exe C:\Windows\SysWOW64\Fbqefhpm.exe N/A
File opened for modification C:\Windows\SysWOW64\Jbocea32.exe C:\Windows\SysWOW64\Jangmibi.exe N/A
File created C:\Windows\SysWOW64\Kgfoan32.exe C:\Windows\SysWOW64\Kckbqpnj.exe N/A
File created C:\Windows\SysWOW64\Peeafpaf.dll C:\Windows\SysWOW64\Gmhfhp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hpgkkioa.exe C:\Windows\SysWOW64\Himcoo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ldohebqh.exe C:\Windows\SysWOW64\Lpcmec32.exe N/A
File created C:\Windows\SysWOW64\Giacca32.exe C:\Windows\SysWOW64\Gfcgge32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mpolqa32.exe C:\Windows\SysWOW64\Mamleegg.exe N/A
File opened for modification C:\Windows\SysWOW64\Imgkql32.exe C:\Windows\SysWOW64\Ifmcdblq.exe N/A
File created C:\Windows\SysWOW64\Kaemnhla.exe C:\Windows\SysWOW64\Kbdmpqcb.exe N/A
File opened for modification C:\Windows\SysWOW64\Lkgdml32.exe C:\Windows\SysWOW64\Lgkhlnbn.exe N/A
File created C:\Windows\SysWOW64\Ipmack32.dll C:\Windows\SysWOW64\Ibccic32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kdhbec32.exe C:\Windows\SysWOW64\Kajfig32.exe N/A
File created C:\Windows\SysWOW64\Djmdfpmb.dll C:\Windows\SysWOW64\Gfedle32.exe N/A
File created C:\Windows\SysWOW64\Jdcpcf32.exe C:\Windows\SysWOW64\Iinlemia.exe N/A
File created C:\Windows\SysWOW64\Cfjbmnlq.dll C:\Windows\SysWOW64\Fjepaecb.exe N/A
File opened for modification C:\Windows\SysWOW64\Gmhfhp32.exe C:\Windows\SysWOW64\Gjjjle32.exe N/A
File opened for modification C:\Windows\SysWOW64\Giacca32.exe C:\Windows\SysWOW64\Gfcgge32.exe N/A
File created C:\Windows\SysWOW64\Jbfpobpb.exe C:\Windows\SysWOW64\Jdcpcf32.exe N/A
File created C:\Windows\SysWOW64\Ghmfdf32.dll C:\Windows\SysWOW64\Jjpeepnb.exe N/A
File created C:\Windows\SysWOW64\Ncihikcg.exe C:\Windows\SysWOW64\Ndghmo32.exe N/A
File created C:\Windows\SysWOW64\Hboagf32.exe C:\Windows\SysWOW64\Gameonno.exe N/A
File created C:\Windows\SysWOW64\Ibooqjdb.dll C:\Windows\SysWOW64\Hbckbepg.exe N/A
File created C:\Windows\SysWOW64\Ibccic32.exe C:\Windows\SysWOW64\Ipegmg32.exe N/A
File created C:\Windows\SysWOW64\Eqbmje32.dll C:\Windows\SysWOW64\Lmccchkn.exe N/A
File created C:\Windows\SysWOW64\Lpcmec32.exe C:\Windows\SysWOW64\Lnepih32.exe N/A
File created C:\Windows\SysWOW64\Epmjjbbj.dll C:\Windows\SysWOW64\Mpmokb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mcnhmm32.exe C:\Windows\SysWOW64\Mpolqa32.exe N/A
File created C:\Windows\SysWOW64\Qchnlc32.dll C:\Windows\SysWOW64\Hpgkkioa.exe N/A
File opened for modification C:\Windows\SysWOW64\Haidklda.exe C:\Windows\SysWOW64\Hfcpncdk.exe N/A
File opened for modification C:\Windows\SysWOW64\Jpjqhgol.exe C:\Windows\SysWOW64\Jbfpobpb.exe N/A
File opened for modification C:\Windows\SysWOW64\Njcpee32.exe C:\Windows\SysWOW64\Ncihikcg.exe N/A
File opened for modification C:\Windows\SysWOW64\Ehekqe32.exe C:\Users\Admin\AppData\Local\Temp\9e526de0f1c4ae54766ff7bb2147e460_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Gfqjafdq.exe C:\Windows\SysWOW64\Gmhfhp32.exe N/A
File created C:\Windows\SysWOW64\Dgcifj32.dll C:\Windows\SysWOW64\Mpolqa32.exe N/A
File created C:\Windows\SysWOW64\Jplifcqp.dll C:\Windows\SysWOW64\Kdhbec32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ldkojb32.exe C:\Windows\SysWOW64\Lalcng32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lcgblncm.exe C:\Windows\SysWOW64\Laefdf32.exe N/A
File created C:\Windows\SysWOW64\Mgblmpji.dll C:\Windows\SysWOW64\Icgqggce.exe N/A
File opened for modification C:\Windows\SysWOW64\Iakaql32.exe C:\Windows\SysWOW64\Iidipnal.exe N/A
File created C:\Windows\SysWOW64\Ikjmhmfd.dll C:\Windows\SysWOW64\Imdnklfp.exe N/A
File opened for modification C:\Windows\SysWOW64\Lcdegnep.exe C:\Windows\SysWOW64\Laciofpa.exe N/A
File created C:\Windows\SysWOW64\Gqffnmfa.dll C:\Windows\SysWOW64\Mcklgm32.exe N/A
File created C:\Windows\SysWOW64\Kflflhfg.dll C:\Windows\SysWOW64\Imgkql32.exe N/A
File created C:\Windows\SysWOW64\Nkjjij32.exe C:\Windows\SysWOW64\Mcbahlip.exe N/A
File created C:\Windows\SysWOW64\Opbnic32.dll C:\Windows\SysWOW64\Nbkhfc32.exe N/A
File created C:\Windows\SysWOW64\Gmggiogn.dll C:\Windows\SysWOW64\Ejjqeg32.exe N/A
File created C:\Windows\SysWOW64\Jpckhigh.dll C:\Windows\SysWOW64\Gjjjle32.exe N/A
File created C:\Windows\SysWOW64\Gcggpj32.exe C:\Windows\SysWOW64\Gqikdn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kaemnhla.exe C:\Windows\SysWOW64\Kbdmpqcb.exe N/A
File created C:\Windows\SysWOW64\Liekmj32.exe C:\Windows\SysWOW64\Kgfoan32.exe N/A
File created C:\Windows\SysWOW64\Ldkojb32.exe C:\Windows\SysWOW64\Lalcng32.exe N/A
File created C:\Windows\SysWOW64\Ibmmhdhm.exe C:\Windows\SysWOW64\Iakaql32.exe N/A
File created C:\Windows\SysWOW64\Nkcmohbg.exe C:\Windows\SysWOW64\Nggqoj32.exe N/A
File created C:\Windows\SysWOW64\Fphbondi.dll C:\Windows\SysWOW64\Ejegjh32.exe N/A
File created C:\Windows\SysWOW64\Ppgjkamf.dll C:\Windows\SysWOW64\Ejlmkgkl.exe N/A
File opened for modification C:\Windows\SysWOW64\Fifdgblo.exe C:\Windows\SysWOW64\Fbllkh32.exe N/A
File created C:\Windows\SysWOW64\Imppcc32.dll C:\Windows\SysWOW64\Kgfoan32.exe N/A
File created C:\Windows\SysWOW64\Mkpgck32.exe C:\Windows\SysWOW64\Mjqjih32.exe N/A
File created C:\Windows\SysWOW64\Kmalco32.dll C:\Windows\SysWOW64\Nklfoi32.exe N/A
File created C:\Windows\SysWOW64\Eagncfoj.dll C:\Windows\SysWOW64\Gameonno.exe N/A
File created C:\Windows\SysWOW64\Kpepcedo.exe C:\Windows\SysWOW64\Kilhgk32.exe N/A
File created C:\Windows\SysWOW64\Lcglnp32.dll C:\Windows\SysWOW64\Fijmbb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kpepcedo.exe C:\Windows\SysWOW64\Kilhgk32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Nkcmohbg.exe

WerFault.exe is Windows Error Reporting, started by the OS to handle the crash of Nkcmohbg.exe (the last dropped executable in the Processes list); the -p 6300 argument in its command lines under Processes is the PID of the crashed process, so the chain ends here rather than being terminated by the sample.

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gmhfhp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gjclbc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Kipabjil.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll" C:\Windows\SysWOW64\Nddkgonp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ndghmo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeahce32.dll" C:\Windows\SysWOW64\Goiojk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Lpcmec32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Laefdf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Njljefql.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdhoohmo.dll" C:\Windows\SysWOW64\Jpjqhgol.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Mkpgck32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcplce32.dll" C:\Windows\SysWOW64\Fbllkh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Giofnacd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ehekqe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Imgkql32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Jpjqhgol.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honcnp32.dll" C:\Windows\SysWOW64\Jdhine32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Kmlnbi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Mjcgohig.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nkjjij32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Nceonl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Fifdgblo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Gqikdn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Kgmlkp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kgmlkp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll" C:\Windows\SysWOW64\Kgdbkohf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll" C:\Windows\SysWOW64\Ldohebqh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mcnhmm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll" C:\Windows\SysWOW64\Nqfbaq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gjapmdid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Jbfpobpb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Kaemnhla.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ecmlcmhe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplmgmol.dll" C:\Windows\SysWOW64\Kaqcbi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Mdmegp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mglack32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Nbhkac32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gameonno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll" C:\Windows\SysWOW64\Mcnhmm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Fjqgff32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jbmfoa32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Lilanioo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll" C:\Windows\SysWOW64\Mglack32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll" C:\Windows\SysWOW64\Maaepd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipmack32.dll" C:\Windows\SysWOW64\Ibccic32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Jbmfoa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichhhi32.dll" C:\Windows\SysWOW64\Jiikak32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Kdopod32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll" C:\Windows\SysWOW64\Lkdggmlj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll" C:\Windows\SysWOW64\Nceonl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Jangmibi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll" C:\Windows\SysWOW64\Lkgdml32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addjcmqn.dll" C:\Windows\SysWOW64\Ndidbn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ebeejijj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocaapo32.dll" C:\Windows\SysWOW64\Gbcakg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehbccoaj.dll" C:\Windows\SysWOW64\Hpenfjad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ifmcdblq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Majopeii.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpkqnp32.dll" C:\Windows\SysWOW64\Gqkhjn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ifopiajn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kdhbec32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Mpmokb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mkepnjng.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Mdpalp32.exe N/A
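The rows above show each executable in the chain re-pointing the InProcServer32 default value of CLSID {79ECA078-17FF-726B-E811-213280E5C831} at a freshly dropped DLL under C:\Windows\SysWow64\ (ThreadingModel = "Apartment"), in the 32-bit WOW6432Node view of HKEY_CLASSES_ROOT. A ShellServiceObjectDelayLoad value naming that CLSID makes Explorer instantiate the COM object at logon, which loads whichever DLL the key points at at that moment. The following PowerShell is an added triage check, not part of this report or of any sandbox tooling: it enumerates both ShellServiceObjectDelayLoad keys on a live host, resolves each CLSID through the 64-bit and 32-bit registry views, and flags entries whose DLL is missing, not validly signed, or signed by someone other than Microsoft. Resolve-InProcServer32, Test-SsodlEntry and the verdict strings are the example's own names; the registry paths and cmdlets are standard.

```powershell
# Added triage check (example code, not part of the sandbox report).
# Enumerates ShellServiceObjectDelayLoad (SSODL) entries, resolves each CLSID to the
# InProcServer32 DLL Explorer would load, and flags anything missing or not Microsoft-signed.
# Run in an elevated, 64-bit PowerShell on the host under investigation.

$ssodlKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
)
# Properties the registry provider adds to every Get-ItemProperty result; not SSODL values
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Resolve-InProcServer32 {
    # Emits one object per registry view (64-bit HKCR\CLSID, 32-bit WOW6432Node\CLSID) in
    # which the CLSID has an InProcServer32 subkey. The sample in this report writes only
    # the 32-bit view, so checking a single view would miss it on a 64-bit host.
    param([string]$Clsid)
    $views = @{
        '64-bit' = 'HKLM:\SOFTWARE\Classes\CLSID'
        '32-bit' = 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID'
    }
    foreach ($view in $views.Keys) {
        $key = Join-Path $views[$view] "$Clsid\InProcServer32"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        [pscustomobject]@{
            View           = $view
            Dll            = [Environment]::ExpandEnvironmentVariables([string]$props.'(default)')
            ThreadingModel = $props.ThreadingModel
        }
    }
}

function Test-SsodlEntry {
    # Produces one finding per (SSODL value, registry view) pair with a verdict string.
    param([string]$Name, [string]$Clsid)
    $servers = @(Resolve-InProcServer32 -Clsid $Clsid)
    if ($servers.Count -eq 0) {
        [pscustomobject]@{ Entry = $Name; Clsid = $Clsid; View = 'n/a'; Dll = ''; Signer = ''; Verdict = 'CLSID has no InProcServer32' }
        return
    }
    foreach ($s in $servers) {
        $signer  = ''
        $verdict = 'ok'
        if ([string]::IsNullOrWhiteSpace($s.Dll) -or -not (Test-Path -LiteralPath $s.Dll)) {
            $verdict = 'DLL missing'
        } else {
            $sig = Get-AuthenticodeSignature -FilePath $s.Dll
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            if ($sig.Status -ne 'Valid')           { $verdict = "not validly signed ($($sig.Status))" }
            elseif ($signer -notmatch 'Microsoft') { $verdict = 'third-party signer' }
        }
        [pscustomobject]@{ Entry = $Name; Clsid = $Clsid; View = $s.View; Dll = $s.Dll; Signer = $signer; Verdict = $verdict }
    }
}

$findings = foreach ($key in $ssodlKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $entries = Get-ItemProperty -LiteralPath $key
    foreach ($p in $entries.PSObject.Properties) {
        if ($p.Name -in $providerProps) { continue }
        Test-SsodlEntry -Name $p.Name -Clsid ([string]$p.Value)
    }
}

$findings | Sort-Object Verdict -Descending | Format-Table -AutoSize
```

On an infected host this prints an SSODL entry whose 32-bit InProcServer32 points at an eight-letter DLL under C:\Windows\SysWOW64\ with verdict "not validly signed (NotSigned)", which is exactly the state the rows above leave behind. Catalog-signed Windows DLLs report Valid on current Windows; if a genuine system DLL shows NotSigned on an older host, confirm with sigcheck or signtool before acting on the verdict.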

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2536 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\9e526de0f1c4ae54766ff7bb2147e460_NeikiAnalytics.exe C:\Windows\SysWOW64\Ehekqe32.exe
PID 2536 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\9e526de0f1c4ae54766ff7bb2147e460_NeikiAnalytics.exe C:\Windows\SysWOW64\Ehekqe32.exe
PID 2536 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\9e526de0f1c4ae54766ff7bb2147e460_NeikiAnalytics.exe C:\Windows\SysWOW64\Ehekqe32.exe
PID 2188 wrote to memory of 3704 N/A C:\Windows\SysWOW64\Ehekqe32.exe C:\Windows\SysWOW64\Eckonn32.exe
PID 2188 wrote to memory of 3704 N/A C:\Windows\SysWOW64\Ehekqe32.exe C:\Windows\SysWOW64\Eckonn32.exe
PID 2188 wrote to memory of 3704 N/A C:\Windows\SysWOW64\Ehekqe32.exe C:\Windows\SysWOW64\Eckonn32.exe
PID 3704 wrote to memory of 5140 N/A C:\Windows\SysWOW64\Eckonn32.exe C:\Windows\SysWOW64\Ejegjh32.exe
PID 3704 wrote to memory of 5140 N/A C:\Windows\SysWOW64\Eckonn32.exe C:\Windows\SysWOW64\Ejegjh32.exe
PID 3704 wrote to memory of 5140 N/A C:\Windows\SysWOW64\Eckonn32.exe C:\Windows\SysWOW64\Ejegjh32.exe
PID 5140 wrote to memory of 3096 N/A C:\Windows\SysWOW64\Ejegjh32.exe C:\Windows\SysWOW64\Elccfc32.exe
PID 5140 wrote to memory of 3096 N/A C:\Windows\SysWOW64\Ejegjh32.exe C:\Windows\SysWOW64\Elccfc32.exe
PID 5140 wrote to memory of 3096 N/A C:\Windows\SysWOW64\Ejegjh32.exe C:\Windows\SysWOW64\Elccfc32.exe
PID 3096 wrote to memory of 5168 N/A C:\Windows\SysWOW64\Elccfc32.exe C:\Windows\SysWOW64\Ecmlcmhe.exe
PID 3096 wrote to memory of 5168 N/A C:\Windows\SysWOW64\Elccfc32.exe C:\Windows\SysWOW64\Ecmlcmhe.exe
PID 3096 wrote to memory of 5168 N/A C:\Windows\SysWOW64\Elccfc32.exe C:\Windows\SysWOW64\Ecmlcmhe.exe
PID 5168 wrote to memory of 5152 N/A C:\Windows\SysWOW64\Ecmlcmhe.exe C:\Windows\SysWOW64\Eflhoigi.exe
PID 5168 wrote to memory of 5152 N/A C:\Windows\SysWOW64\Ecmlcmhe.exe C:\Windows\SysWOW64\Eflhoigi.exe
PID 5168 wrote to memory of 5152 N/A C:\Windows\SysWOW64\Ecmlcmhe.exe C:\Windows\SysWOW64\Eflhoigi.exe
PID 5152 wrote to memory of 436 N/A C:\Windows\SysWOW64\Eflhoigi.exe C:\Windows\SysWOW64\Eqalmafo.exe
PID 5152 wrote to memory of 436 N/A C:\Windows\SysWOW64\Eflhoigi.exe C:\Windows\SysWOW64\Eqalmafo.exe
PID 5152 wrote to memory of 436 N/A C:\Windows\SysWOW64\Eflhoigi.exe C:\Windows\SysWOW64\Eqalmafo.exe
PID 436 wrote to memory of 5380 N/A C:\Windows\SysWOW64\Eqalmafo.exe C:\Windows\SysWOW64\Ecphimfb.exe
PID 436 wrote to memory of 5380 N/A C:\Windows\SysWOW64\Eqalmafo.exe C:\Windows\SysWOW64\Ecphimfb.exe
PID 436 wrote to memory of 5380 N/A C:\Windows\SysWOW64\Eqalmafo.exe C:\Windows\SysWOW64\Ecphimfb.exe
PID 5380 wrote to memory of 1188 N/A C:\Windows\SysWOW64\Ecphimfb.exe C:\Windows\SysWOW64\Ejjqeg32.exe
PID 5380 wrote to memory of 1188 N/A C:\Windows\SysWOW64\Ecphimfb.exe C:\Windows\SysWOW64\Ejjqeg32.exe
PID 5380 wrote to memory of 1188 N/A C:\Windows\SysWOW64\Ecphimfb.exe C:\Windows\SysWOW64\Ejjqeg32.exe
PID 1188 wrote to memory of 920 N/A C:\Windows\SysWOW64\Ejjqeg32.exe C:\Windows\SysWOW64\Eqciba32.exe
PID 1188 wrote to memory of 920 N/A C:\Windows\SysWOW64\Ejjqeg32.exe C:\Windows\SysWOW64\Eqciba32.exe
PID 1188 wrote to memory of 920 N/A C:\Windows\SysWOW64\Ejjqeg32.exe C:\Windows\SysWOW64\Eqciba32.exe
PID 920 wrote to memory of 5264 N/A C:\Windows\SysWOW64\Eqciba32.exe C:\Windows\SysWOW64\Ebeejijj.exe
PID 920 wrote to memory of 5264 N/A C:\Windows\SysWOW64\Eqciba32.exe C:\Windows\SysWOW64\Ebeejijj.exe
PID 920 wrote to memory of 5264 N/A C:\Windows\SysWOW64\Eqciba32.exe C:\Windows\SysWOW64\Ebeejijj.exe
PID 5264 wrote to memory of 3188 N/A C:\Windows\SysWOW64\Ebeejijj.exe C:\Windows\SysWOW64\Ejlmkgkl.exe
PID 5264 wrote to memory of 3188 N/A C:\Windows\SysWOW64\Ebeejijj.exe C:\Windows\SysWOW64\Ejlmkgkl.exe
PID 5264 wrote to memory of 3188 N/A C:\Windows\SysWOW64\Ebeejijj.exe C:\Windows\SysWOW64\Ejlmkgkl.exe
PID 3188 wrote to memory of 4228 N/A C:\Windows\SysWOW64\Ejlmkgkl.exe C:\Windows\SysWOW64\Eoifcnid.exe
PID 3188 wrote to memory of 4228 N/A C:\Windows\SysWOW64\Ejlmkgkl.exe C:\Windows\SysWOW64\Eoifcnid.exe
PID 3188 wrote to memory of 4228 N/A C:\Windows\SysWOW64\Ejlmkgkl.exe C:\Windows\SysWOW64\Eoifcnid.exe
PID 4228 wrote to memory of 5776 N/A C:\Windows\SysWOW64\Eoifcnid.exe C:\Windows\SysWOW64\Fjnjqfij.exe
PID 4228 wrote to memory of 5776 N/A C:\Windows\SysWOW64\Eoifcnid.exe C:\Windows\SysWOW64\Fjnjqfij.exe
PID 4228 wrote to memory of 5776 N/A C:\Windows\SysWOW64\Eoifcnid.exe C:\Windows\SysWOW64\Fjnjqfij.exe
PID 5776 wrote to memory of 1492 N/A C:\Windows\SysWOW64\Fjnjqfij.exe C:\Windows\SysWOW64\Fmmfmbhn.exe
PID 5776 wrote to memory of 1492 N/A C:\Windows\SysWOW64\Fjnjqfij.exe C:\Windows\SysWOW64\Fmmfmbhn.exe
PID 5776 wrote to memory of 1492 N/A C:\Windows\SysWOW64\Fjnjqfij.exe C:\Windows\SysWOW64\Fmmfmbhn.exe
PID 1492 wrote to memory of 3876 N/A C:\Windows\SysWOW64\Fmmfmbhn.exe C:\Windows\SysWOW64\Fjqgff32.exe
PID 1492 wrote to memory of 3876 N/A C:\Windows\SysWOW64\Fmmfmbhn.exe C:\Windows\SysWOW64\Fjqgff32.exe
PID 1492 wrote to memory of 3876 N/A C:\Windows\SysWOW64\Fmmfmbhn.exe C:\Windows\SysWOW64\Fjqgff32.exe
PID 3876 wrote to memory of 680 N/A C:\Windows\SysWOW64\Fjqgff32.exe C:\Windows\SysWOW64\Fomonm32.exe
PID 3876 wrote to memory of 680 N/A C:\Windows\SysWOW64\Fjqgff32.exe C:\Windows\SysWOW64\Fomonm32.exe
PID 3876 wrote to memory of 680 N/A C:\Windows\SysWOW64\Fjqgff32.exe C:\Windows\SysWOW64\Fomonm32.exe
PID 680 wrote to memory of 3120 N/A C:\Windows\SysWOW64\Fomonm32.exe C:\Windows\SysWOW64\Fbllkh32.exe
PID 680 wrote to memory of 3120 N/A C:\Windows\SysWOW64\Fomonm32.exe C:\Windows\SysWOW64\Fbllkh32.exe
PID 680 wrote to memory of 3120 N/A C:\Windows\SysWOW64\Fomonm32.exe C:\Windows\SysWOW64\Fbllkh32.exe
PID 3120 wrote to memory of 5960 N/A C:\Windows\SysWOW64\Fbllkh32.exe C:\Windows\SysWOW64\Fifdgblo.exe
PID 3120 wrote to memory of 5960 N/A C:\Windows\SysWOW64\Fbllkh32.exe C:\Windows\SysWOW64\Fifdgblo.exe
PID 3120 wrote to memory of 5960 N/A C:\Windows\SysWOW64\Fbllkh32.exe C:\Windows\SysWOW64\Fifdgblo.exe
PID 5960 wrote to memory of 3916 N/A C:\Windows\SysWOW64\Fifdgblo.exe C:\Windows\SysWOW64\Fqmlhpla.exe
PID 5960 wrote to memory of 3916 N/A C:\Windows\SysWOW64\Fifdgblo.exe C:\Windows\SysWOW64\Fqmlhpla.exe
PID 5960 wrote to memory of 3916 N/A C:\Windows\SysWOW64\Fifdgblo.exe C:\Windows\SysWOW64\Fqmlhpla.exe
PID 3916 wrote to memory of 2548 N/A C:\Windows\SysWOW64\Fqmlhpla.exe C:\Windows\SysWOW64\Fckhdk32.exe
PID 3916 wrote to memory of 2548 N/A C:\Windows\SysWOW64\Fqmlhpla.exe C:\Windows\SysWOW64\Fckhdk32.exe
PID 3916 wrote to memory of 2548 N/A C:\Windows\SysWOW64\Fqmlhpla.exe C:\Windows\SysWOW64\Fckhdk32.exe
PID 2548 wrote to memory of 1944 N/A C:\Windows\SysWOW64\Fckhdk32.exe C:\Windows\SysWOW64\Fjepaecb.exe
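The table above is a chain rather than a set of independent injections: PID 2536 (the sample) writes into Ehekqe32.exe, which writes into Eckonn32.exe, and so on, with three writes logged per child, and every process in the chain is an executable dropped into C:\Windows\SysWOW64\. The following PowerShell is an added host-side check, not part of the report: it lists running processes whose image sits under SysWOW64 but is not Microsoft-signed, walks each one's parent chain, and prints its SHA256 so the value can be compared with the hashes in the Files section. Get-ParentChain and Test-UnsignedSysWow64Process are the example's own helper names; Win32_Process, Get-AuthenticodeSignature and Get-FileHash are standard.

```powershell
# Added host-side check (example code, not part of the sandbox report).
# Lists running processes whose image is under SysWOW64 but not Microsoft-signed, walks
# each one's parent chain, and prints a SHA256 for comparison with the Files section.
# Run in an elevated PowerShell; Win32_Process exposes ParentProcessId and ExecutablePath.

$sysWow = (Join-Path $env:SystemRoot 'SysWOW64') + '\'
$procs  = Get-CimInstance -ClassName Win32_Process
$byPid  = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

function Get-ParentChain {
    # Walks ProcessId -> ParentProcessId until the parent is gone or a cycle/limit is hit.
    # ParentProcessId is not checked against process start time, so a parent that exited
    # and had its PID reused will show up as the wrong ancestor; treat the chain as a lead.
    param([int]$ProcessId, [int]$MaxDepth = 32)
    $chain = New-Object System.Collections.Generic.List[string]
    $seen  = @{}
    $cur   = $byPid[$ProcessId]
    $depth = 0
    while ($cur -and $depth -lt $MaxDepth -and -not $seen.ContainsKey([int]$cur.ProcessId)) {
        $seen[[int]$cur.ProcessId] = $true
        $chain.Add("$($cur.Name)($($cur.ProcessId))")
        $cur = $byPid[[int]$cur.ParentProcessId]   # $null once the parent has exited
        $depth++
    }
    $chain -join ' <- '
}

function Test-UnsignedSysWow64Process {
    # Returns a finding for one Win32_Process object, or $null if it is not of interest.
    param($Proc)
    if (-not $Proc.ExecutablePath) { return $null }   # protected or system processes
    if (-not $Proc.ExecutablePath.StartsWith($sysWow, [StringComparison]::OrdinalIgnoreCase)) { return $null }
    $sig = Get-AuthenticodeSignature -FilePath $Proc.ExecutablePath
    $isMicrosoft = ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -match 'Microsoft')
    if ($isMicrosoft) { return $null }
    [pscustomobject]@{
        Pid       = $Proc.ProcessId
        Image     = $Proc.ExecutablePath
        SigStatus = $sig.Status
        # Lower-cased to match the SHA256 format used in the Files section of the report
        Sha256    = (Get-FileHash -Algorithm SHA256 -LiteralPath $Proc.ExecutablePath).Hash.ToLower()
        Chain     = Get-ParentChain -ProcessId ([int]$Proc.ProcessId)
    }
}

$findings = foreach ($p in $procs) { Test-UnsignedSysWow64Process -Proc $p }
$findings | Where-Object { $_ } | Sort-Object Chain | Format-List
```

On a host that ran this sample the output is a series of unsigned SysWOW64 images whose Chain values nest into each other (Eckonn32.exe <- Ehekqe32.exe <- the original sample), and whose Sha256 values can be matched directly against the dropped-file hashes in the Files section. Most of the chain exits quickly, so the registry check on the persistence key is the more reliable indicator after the fact; this check is for a host caught while the chain is still running.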

Processes

Each process is listed as its image path followed by the command line it was started with. The 32-bit sample and its children reference C:\Windows\system32\, which WoW64 file-system redirection maps to C:\Windows\SysWOW64\ for 32-bit processes on a 64-bit host, so the two lines of each entry refer to the same dropped file.

C:\Users\Admin\AppData\Local\Temp\9e526de0f1c4ae54766ff7bb2147e460_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9e526de0f1c4ae54766ff7bb2147e460_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Ehekqe32.exe

C:\Windows\system32\Ehekqe32.exe

C:\Windows\SysWOW64\Eckonn32.exe

C:\Windows\system32\Eckonn32.exe

C:\Windows\SysWOW64\Ejegjh32.exe

C:\Windows\system32\Ejegjh32.exe

C:\Windows\SysWOW64\Elccfc32.exe

C:\Windows\system32\Elccfc32.exe

C:\Windows\SysWOW64\Ecmlcmhe.exe

C:\Windows\system32\Ecmlcmhe.exe

C:\Windows\SysWOW64\Eflhoigi.exe

C:\Windows\system32\Eflhoigi.exe

C:\Windows\SysWOW64\Eqalmafo.exe

C:\Windows\system32\Eqalmafo.exe

C:\Windows\SysWOW64\Ecphimfb.exe

C:\Windows\system32\Ecphimfb.exe

C:\Windows\SysWOW64\Ejjqeg32.exe

C:\Windows\system32\Ejjqeg32.exe

C:\Windows\SysWOW64\Eqciba32.exe

C:\Windows\system32\Eqciba32.exe

C:\Windows\SysWOW64\Ebeejijj.exe

C:\Windows\system32\Ebeejijj.exe

C:\Windows\SysWOW64\Ejlmkgkl.exe

C:\Windows\system32\Ejlmkgkl.exe

C:\Windows\SysWOW64\Eoifcnid.exe

C:\Windows\system32\Eoifcnid.exe

C:\Windows\SysWOW64\Fjnjqfij.exe

C:\Windows\system32\Fjnjqfij.exe

C:\Windows\SysWOW64\Fmmfmbhn.exe

C:\Windows\system32\Fmmfmbhn.exe

C:\Windows\SysWOW64\Fjqgff32.exe

C:\Windows\system32\Fjqgff32.exe

C:\Windows\SysWOW64\Fomonm32.exe

C:\Windows\system32\Fomonm32.exe

C:\Windows\SysWOW64\Fbllkh32.exe

C:\Windows\system32\Fbllkh32.exe

C:\Windows\SysWOW64\Fifdgblo.exe

C:\Windows\system32\Fifdgblo.exe

C:\Windows\SysWOW64\Fqmlhpla.exe

C:\Windows\system32\Fqmlhpla.exe

C:\Windows\SysWOW64\Fckhdk32.exe

C:\Windows\system32\Fckhdk32.exe

C:\Windows\SysWOW64\Fjepaecb.exe

C:\Windows\system32\Fjepaecb.exe

C:\Windows\SysWOW64\Fqohnp32.exe

C:\Windows\system32\Fqohnp32.exe

C:\Windows\SysWOW64\Fbqefhpm.exe

C:\Windows\system32\Fbqefhpm.exe

C:\Windows\SysWOW64\Fijmbb32.exe

C:\Windows\system32\Fijmbb32.exe

C:\Windows\SysWOW64\Fodeolof.exe

C:\Windows\system32\Fodeolof.exe

C:\Windows\SysWOW64\Gbcakg32.exe

C:\Windows\system32\Gbcakg32.exe

C:\Windows\SysWOW64\Gjjjle32.exe

C:\Windows\system32\Gjjjle32.exe

C:\Windows\SysWOW64\Gmhfhp32.exe

C:\Windows\system32\Gmhfhp32.exe

C:\Windows\SysWOW64\Gfqjafdq.exe

C:\Windows\system32\Gfqjafdq.exe

C:\Windows\SysWOW64\Giofnacd.exe

C:\Windows\system32\Giofnacd.exe

C:\Windows\SysWOW64\Goiojk32.exe

C:\Windows\system32\Goiojk32.exe

C:\Windows\SysWOW64\Gfcgge32.exe

C:\Windows\system32\Gfcgge32.exe

C:\Windows\SysWOW64\Giacca32.exe

C:\Windows\system32\Giacca32.exe

C:\Windows\SysWOW64\Gqikdn32.exe

C:\Windows\system32\Gqikdn32.exe

C:\Windows\SysWOW64\Gcggpj32.exe

C:\Windows\system32\Gcggpj32.exe

C:\Windows\SysWOW64\Gfedle32.exe

C:\Windows\system32\Gfedle32.exe

C:\Windows\SysWOW64\Gjapmdid.exe

C:\Windows\system32\Gjapmdid.exe

C:\Windows\SysWOW64\Gqkhjn32.exe

C:\Windows\system32\Gqkhjn32.exe

C:\Windows\SysWOW64\Gbldaffp.exe

C:\Windows\system32\Gbldaffp.exe

C:\Windows\SysWOW64\Gjclbc32.exe

C:\Windows\system32\Gjclbc32.exe

C:\Windows\SysWOW64\Gameonno.exe

C:\Windows\system32\Gameonno.exe

C:\Windows\SysWOW64\Hboagf32.exe

C:\Windows\system32\Hboagf32.exe

C:\Windows\SysWOW64\Hjfihc32.exe

C:\Windows\system32\Hjfihc32.exe

C:\Windows\SysWOW64\Hmdedo32.exe

C:\Windows\system32\Hmdedo32.exe

C:\Windows\SysWOW64\Hpbaqj32.exe

C:\Windows\system32\Hpbaqj32.exe

C:\Windows\SysWOW64\Hfljmdjc.exe

C:\Windows\system32\Hfljmdjc.exe

C:\Windows\SysWOW64\Hikfip32.exe

C:\Windows\system32\Hikfip32.exe

C:\Windows\SysWOW64\Hpenfjad.exe

C:\Windows\system32\Hpenfjad.exe

C:\Windows\SysWOW64\Hbckbepg.exe

C:\Windows\system32\Hbckbepg.exe

C:\Windows\SysWOW64\Himcoo32.exe

C:\Windows\system32\Himcoo32.exe

C:\Windows\SysWOW64\Hpgkkioa.exe

C:\Windows\system32\Hpgkkioa.exe

C:\Windows\SysWOW64\Hfachc32.exe

C:\Windows\system32\Hfachc32.exe

C:\Windows\SysWOW64\Hmklen32.exe

C:\Windows\system32\Hmklen32.exe

C:\Windows\SysWOW64\Hpihai32.exe

C:\Windows\system32\Hpihai32.exe

C:\Windows\SysWOW64\Hfcpncdk.exe

C:\Windows\system32\Hfcpncdk.exe

C:\Windows\SysWOW64\Haidklda.exe

C:\Windows\system32\Haidklda.exe

C:\Windows\SysWOW64\Icgqggce.exe

C:\Windows\system32\Icgqggce.exe

C:\Windows\SysWOW64\Iidipnal.exe

C:\Windows\system32\Iidipnal.exe

C:\Windows\SysWOW64\Iakaql32.exe

C:\Windows\system32\Iakaql32.exe

C:\Windows\SysWOW64\Ibmmhdhm.exe

C:\Windows\system32\Ibmmhdhm.exe

C:\Windows\SysWOW64\Iiffen32.exe

C:\Windows\system32\Iiffen32.exe

C:\Windows\SysWOW64\Ipqnahgf.exe

C:\Windows\system32\Ipqnahgf.exe

C:\Windows\SysWOW64\Ibojncfj.exe

C:\Windows\system32\Ibojncfj.exe

C:\Windows\SysWOW64\Imdnklfp.exe

C:\Windows\system32\Imdnklfp.exe

C:\Windows\SysWOW64\Ipckgh32.exe

C:\Windows\system32\Ipckgh32.exe

C:\Windows\SysWOW64\Ifmcdblq.exe

C:\Windows\system32\Ifmcdblq.exe

C:\Windows\SysWOW64\Imgkql32.exe

C:\Windows\system32\Imgkql32.exe

C:\Windows\SysWOW64\Ipegmg32.exe

C:\Windows\system32\Ipegmg32.exe

C:\Windows\SysWOW64\Ibccic32.exe

C:\Windows\system32\Ibccic32.exe

C:\Windows\SysWOW64\Ifopiajn.exe

C:\Windows\system32\Ifopiajn.exe

C:\Windows\SysWOW64\Iinlemia.exe

C:\Windows\system32\Iinlemia.exe

C:\Windows\SysWOW64\Jdcpcf32.exe

C:\Windows\system32\Jdcpcf32.exe

C:\Windows\SysWOW64\Jbfpobpb.exe

C:\Windows\system32\Jbfpobpb.exe

C:\Windows\SysWOW64\Jpjqhgol.exe

C:\Windows\system32\Jpjqhgol.exe

C:\Windows\SysWOW64\Jjpeepnb.exe

C:\Windows\system32\Jjpeepnb.exe

C:\Windows\SysWOW64\Jdhine32.exe

C:\Windows\system32\Jdhine32.exe

C:\Windows\SysWOW64\Jidbflcj.exe

C:\Windows\system32\Jidbflcj.exe

C:\Windows\SysWOW64\Jaljgidl.exe

C:\Windows\system32\Jaljgidl.exe

C:\Windows\SysWOW64\Jbmfoa32.exe

C:\Windows\system32\Jbmfoa32.exe

C:\Windows\SysWOW64\Jigollag.exe

C:\Windows\system32\Jigollag.exe

C:\Windows\SysWOW64\Jangmibi.exe

C:\Windows\system32\Jangmibi.exe

C:\Windows\SysWOW64\Jbocea32.exe

C:\Windows\system32\Jbocea32.exe

C:\Windows\SysWOW64\Jiikak32.exe

C:\Windows\system32\Jiikak32.exe

C:\Windows\SysWOW64\Kaqcbi32.exe

C:\Windows\system32\Kaqcbi32.exe

C:\Windows\SysWOW64\Kdopod32.exe

C:\Windows\system32\Kdopod32.exe

C:\Windows\SysWOW64\Kgmlkp32.exe

C:\Windows\system32\Kgmlkp32.exe

C:\Windows\SysWOW64\Kilhgk32.exe

C:\Windows\system32\Kilhgk32.exe

C:\Windows\SysWOW64\Kpepcedo.exe

C:\Windows\system32\Kpepcedo.exe

C:\Windows\SysWOW64\Kbdmpqcb.exe

C:\Windows\system32\Kbdmpqcb.exe

C:\Windows\SysWOW64\Kaemnhla.exe

C:\Windows\system32\Kaemnhla.exe

C:\Windows\SysWOW64\Kphmie32.exe

C:\Windows\system32\Kphmie32.exe

C:\Windows\SysWOW64\Kbfiep32.exe

C:\Windows\system32\Kbfiep32.exe

C:\Windows\SysWOW64\Kgbefoji.exe

C:\Windows\system32\Kgbefoji.exe

C:\Windows\SysWOW64\Kipabjil.exe

C:\Windows\system32\Kipabjil.exe

C:\Windows\SysWOW64\Kmlnbi32.exe

C:\Windows\system32\Kmlnbi32.exe

C:\Windows\SysWOW64\Kpjjod32.exe

C:\Windows\system32\Kpjjod32.exe

C:\Windows\SysWOW64\Kgdbkohf.exe

C:\Windows\system32\Kgdbkohf.exe

C:\Windows\SysWOW64\Kibnhjgj.exe

C:\Windows\system32\Kibnhjgj.exe

C:\Windows\SysWOW64\Kajfig32.exe

C:\Windows\system32\Kajfig32.exe

C:\Windows\SysWOW64\Kdhbec32.exe

C:\Windows\system32\Kdhbec32.exe

C:\Windows\SysWOW64\Kckbqpnj.exe

C:\Windows\system32\Kckbqpnj.exe

C:\Windows\SysWOW64\Kgfoan32.exe

C:\Windows\system32\Kgfoan32.exe

C:\Windows\SysWOW64\Liekmj32.exe

C:\Windows\system32\Liekmj32.exe

C:\Windows\SysWOW64\Lalcng32.exe

C:\Windows\system32\Lalcng32.exe

C:\Windows\SysWOW64\Ldkojb32.exe

C:\Windows\system32\Ldkojb32.exe

C:\Windows\SysWOW64\Lkdggmlj.exe

C:\Windows\system32\Lkdggmlj.exe

C:\Windows\SysWOW64\Lmccchkn.exe

C:\Windows\system32\Lmccchkn.exe

C:\Windows\SysWOW64\Ldmlpbbj.exe

C:\Windows\system32\Ldmlpbbj.exe

C:\Windows\SysWOW64\Lgkhlnbn.exe

C:\Windows\system32\Lgkhlnbn.exe

C:\Windows\SysWOW64\Lkgdml32.exe

C:\Windows\system32\Lkgdml32.exe

C:\Windows\SysWOW64\Lnepih32.exe

C:\Windows\system32\Lnepih32.exe

C:\Windows\SysWOW64\Lpcmec32.exe

C:\Windows\system32\Lpcmec32.exe

C:\Windows\SysWOW64\Ldohebqh.exe

C:\Windows\system32\Ldohebqh.exe

C:\Windows\SysWOW64\Lkiqbl32.exe

C:\Windows\system32\Lkiqbl32.exe

C:\Windows\SysWOW64\Lilanioo.exe

C:\Windows\system32\Lilanioo.exe

C:\Windows\SysWOW64\Laciofpa.exe

C:\Windows\system32\Laciofpa.exe

C:\Windows\SysWOW64\Lcdegnep.exe

C:\Windows\system32\Lcdegnep.exe

C:\Windows\SysWOW64\Lklnhlfb.exe

C:\Windows\system32\Lklnhlfb.exe

C:\Windows\SysWOW64\Laefdf32.exe

C:\Windows\system32\Laefdf32.exe

C:\Windows\SysWOW64\Lcgblncm.exe

C:\Windows\system32\Lcgblncm.exe

C:\Windows\SysWOW64\Lgbnmm32.exe

C:\Windows\system32\Lgbnmm32.exe

C:\Windows\SysWOW64\Mjqjih32.exe

C:\Windows\system32\Mjqjih32.exe

C:\Windows\SysWOW64\Mkpgck32.exe

C:\Windows\system32\Mkpgck32.exe

C:\Windows\SysWOW64\Mjcgohig.exe

C:\Windows\system32\Mjcgohig.exe

C:\Windows\SysWOW64\Majopeii.exe

C:\Windows\system32\Majopeii.exe

C:\Windows\SysWOW64\Mpmokb32.exe

C:\Windows\system32\Mpmokb32.exe

C:\Windows\SysWOW64\Mcklgm32.exe

C:\Windows\system32\Mcklgm32.exe

C:\Windows\SysWOW64\Mkbchk32.exe

C:\Windows\system32\Mkbchk32.exe

C:\Windows\SysWOW64\Mjeddggd.exe

C:\Windows\system32\Mjeddggd.exe

C:\Windows\SysWOW64\Mamleegg.exe

C:\Windows\system32\Mamleegg.exe

C:\Windows\SysWOW64\Mpolqa32.exe

C:\Windows\system32\Mpolqa32.exe

C:\Windows\SysWOW64\Mcnhmm32.exe

C:\Windows\system32\Mcnhmm32.exe

C:\Windows\SysWOW64\Mkepnjng.exe

C:\Windows\system32\Mkepnjng.exe

C:\Windows\SysWOW64\Mjhqjg32.exe

C:\Windows\system32\Mjhqjg32.exe

C:\Windows\SysWOW64\Maohkd32.exe

C:\Windows\system32\Maohkd32.exe

C:\Windows\SysWOW64\Mdmegp32.exe

C:\Windows\system32\Mdmegp32.exe

C:\Windows\SysWOW64\Mglack32.exe

C:\Windows\system32\Mglack32.exe

C:\Windows\SysWOW64\Mjjmog32.exe

C:\Windows\system32\Mjjmog32.exe

C:\Windows\SysWOW64\Maaepd32.exe

C:\Windows\system32\Maaepd32.exe

C:\Windows\SysWOW64\Mdpalp32.exe

C:\Windows\system32\Mdpalp32.exe

C:\Windows\SysWOW64\Mcbahlip.exe

C:\Windows\system32\Mcbahlip.exe

C:\Windows\SysWOW64\Nkjjij32.exe

C:\Windows\system32\Nkjjij32.exe

C:\Windows\SysWOW64\Njljefql.exe

C:\Windows\system32\Njljefql.exe

C:\Windows\SysWOW64\Nqfbaq32.exe

C:\Windows\system32\Nqfbaq32.exe

C:\Windows\SysWOW64\Nceonl32.exe

C:\Windows\system32\Nceonl32.exe

C:\Windows\SysWOW64\Nklfoi32.exe

C:\Windows\system32\Nklfoi32.exe

C:\Windows\SysWOW64\Nnjbke32.exe

C:\Windows\system32\Nnjbke32.exe

C:\Windows\SysWOW64\Nqiogp32.exe

C:\Windows\system32\Nqiogp32.exe

C:\Windows\SysWOW64\Nddkgonp.exe

C:\Windows\system32\Nddkgonp.exe

C:\Windows\SysWOW64\Nkncdifl.exe

C:\Windows\system32\Nkncdifl.exe

C:\Windows\SysWOW64\Njacpf32.exe

C:\Windows\system32\Njacpf32.exe

C:\Windows\SysWOW64\Nbhkac32.exe

C:\Windows\system32\Nbhkac32.exe

C:\Windows\SysWOW64\Ndghmo32.exe

C:\Windows\system32\Ndghmo32.exe

C:\Windows\SysWOW64\Ncihikcg.exe

C:\Windows\system32\Ncihikcg.exe

C:\Windows\SysWOW64\Njcpee32.exe

C:\Windows\system32\Njcpee32.exe

C:\Windows\SysWOW64\Nbkhfc32.exe

C:\Windows\system32\Nbkhfc32.exe

C:\Windows\SysWOW64\Ndidbn32.exe

C:\Windows\system32\Ndidbn32.exe

C:\Windows\SysWOW64\Nggqoj32.exe

C:\Windows\system32\Nggqoj32.exe

C:\Windows\SysWOW64\Nkcmohbg.exe

C:\Windows\system32\Nkcmohbg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6300 -ip 6300

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6300 -s 412

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 102.144.22.2.in-addr.arpa udp

Files

memory/2536-0-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Ehekqe32.exe

MD5 b7bf5d7550d7d09bb3bc221015a69df2
SHA1 bbb751a69b25c01ed2133605e29add5d8ea73f5f
SHA256 e3510d37ceec05098eca4d7f323c94002efdae84113f43001366496ee2c9cf45
SHA512 6034ac7ab9b2d51f7c1b86e5f7fa8ebf2375c2d9394c8c7250feff0135d2c169af76c10b203bb0a4d3f563f63659987e51f491a1cba4d96c8d1ed28894a109e7

memory/2188-7-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Eckonn32.exe

MD5 ab8ebb54c40d2fb11b9f761001c92098
SHA1 f44cff0ea921891c4048a50b85cdfef8b8280f4e
SHA256 eab198b4be3ecf4f202a33950bbb08cb69e118321cdc191f67d45ece13a26ad3
SHA512 9f9a2674bef3b49278af08d7ff3a246735183c327cc32fccdb4c7fb6e737ccfa8998cb09455bc601bd75abf5837cf1cbacb243428d558c0470d6d1da626a5b93

memory/3704-16-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Ejegjh32.exe

MD5 9626ee7e669e6770a4219a5cacd11484
SHA1 1bc758b82d31efff1028a6923377d9f34c085a1a
SHA256 5f15938f797817942933d0998c8eb686c56dc122fb5d3a3179e5e362c49ff44d
SHA512 101ea6fa89a3ef87d702ca339c0e0b402618a46d288b61ecd85c0adfe12b9aed86bf91e69ea349b54ec90fb948e932e7b312ca8295a9f919f946cb37aeeaf409

memory/5140-23-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Elccfc32.exe

MD5 cf0a43d227823fe1e74251c8fb365308
SHA1 e762c0779f5fd304e2944f7532646a0c147faf3b
SHA256 5bd5378fd9d6b2eb3d666e32a60a03b3b12312ba0b1bbe891bca436e94ee3aba
SHA512 0da0bf0cf3a223da5dceab9f7e96b7c2a96f864d24b5f1f135a0116f9386765f6e009a8c24abf44f43c17b82ea1d6cf243c9c421209e4f60d0da3d0a901ffbeb

memory/3096-31-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Eoodnhmi.dll

MD5 be94038599898f29adc1f8bd2f6b01ef
SHA1 b529e48cac4568a73f68fb9a1c81e555b8007ab2
SHA256 1cade1c6898ac2b2be85690d09271e1b010c3d59406575688b706965de03c364
SHA512 171ebdf4b1f0e8debe4d2ec42f1ad83a3bf6c0c344ac1d1be8f4cb6aa41d5fb78851516e5c33a66302a9032bdc50b74741cceeaca2ac7cf5cb0e6780b9aebaa0

C:\Windows\SysWOW64\Ecmlcmhe.exe

MD5 3722f4e0820153b9fdcd8c07b7a6c265
SHA1 836aa69fb8f11444eacad66ae94e9fd905309d88
SHA256 e7b44fb7f2d10c2c75dc1b1a770742011ffa550c10d86d500647a7a6fe044bc4
SHA512 aa439b09f86f31083fbe198180e8d68d81220aee996842953c25d7328275b24ee10a22ffb92c009a94c0f0a4253b2d9e44ba9165399fd1ffbadf7fb7f1479f63

memory/5168-40-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Eflhoigi.exe

MD5 ca2ebf166f042548effb04c279f2dfbf
SHA1 92bb08869f158c8da2c350d288b2a3933eb412b6
SHA256 3adebdd15691c43f27bb6618308d58f52ffd204908f9163f489bc22472e670e8
SHA512 fd8bfeb1813f410260525c2eb6e917e59d1c4f280ed35d4f069ed06efffa35c0a0d0d1935fab897e611b794a3e98fc69aa46ba8dd27575ac137d756d79264616

memory/5152-48-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Eqalmafo.exe

MD5 55ab994242e3f91b80d8c099392e46fe
SHA1 c4765e4644948ad7b4d41182380377a1d53e9513
SHA256 73450ec28f3b0262b691943b1392e524426ff2888dcbff98a96e95f8ec168d3f
SHA512 d7748ccae234024ead5633de63cc639bd88a6da6e8c25d4bc8bd9cee2f931d60d2cc24b231b285c35cc1db1e41ad73d80ca7b8f133d403624cac1c25b1b69173

memory/436-56-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Ecphimfb.exe

MD5 b8022b423cd1f3f95a98da96ea8778fa
SHA1 aaa34ac15671773f9e040314d5525a06297afc96
SHA256 8ee049aa0bb7f1f1c217b5ffd261bf946b9d8a50ae5f5c5ac9acc80f3bd829a4
SHA512 b11a16d5568a29eb9ca5300bc58360066f08e2668cde9a4361deeb3fe4a35a2772568d0266b4926dd234f1cbb0ba6538b094fa044ee39ba5c436e582955656b3

memory/5380-67-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Ejjqeg32.exe

MD5 b685d6ed1684e72b9a0e13bd92f12747
SHA1 0dae6b756f781366317db84e6c8d4ae34a460a9d
SHA256 e7ca994969f1bedbce3dc87f6a1dd6b4e0fc8ea5fe2ea37933e5f1f87383a036
SHA512 53a3445c3009c11b9bb18be2d6fa4c3a10939c47a2e4903723b49acc73f87c9881e5bfbfb4cee154db3f7334fdf8b7c47e4c4cdb9b63abe34eeab7581d10e67f

memory/1188-72-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Eqciba32.exe

MD5 f631f35c2c7154fabe2ab8e0b8fd84f9
SHA1 b4283d2f8436904c4c2a86d4c098371be60f0f39
SHA256 9f0c0e958d2eee2c18a77b4e3c3cb4a7b180b917d4adbad0355274b9cde46c1e
SHA512 6139054744331af4b713a6b64f2e076d468e843498c5c302012fc88071c50940be18b59799163df6060dce587872daf22e4215e518aa596710114ef6ed82b182

memory/920-80-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Ebeejijj.exe

MD5 2c0e867c56316cb956fb41aba562a10e
SHA1 fffe5fa6591524dc4aeec9dbf857ce96c799e2c1
SHA256 2e3081a95ab5fccd75c0ef948c1172d925f65cd938f65e878e6b0cdb3d5592c4
SHA512 fd7e4ac5c4f19976154aa692f14db613570bc9c1951a2bf18d4c33b8f3b6951e0c8225054241568da205f3969ab1b1824d511fa7bc1253c3b8bb48e112b69ef5

memory/5264-88-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Ejlmkgkl.exe

MD5 db5005b317d7086c5e08080dea7bc2dc
SHA1 0335320b03387778bb8827a33560d3f5048f6f9b
SHA256 a3a09a6f1007702490705bcf10ae12d43874bbd081671bf5c909047b59268056
SHA512 6d079b9ccac1b7e5374531fa5952b944a722422a019cd0b3379d55093dfd6cde03c01d2c2be6de52e75347f733bffa414940b07b67705bc30471237e6143ac66

memory/3188-96-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Eoifcnid.exe

MD5 3a69273c5f609d2792ae1574785682dd
SHA1 88a921fc9787948bd79481b96bee1d7470586660
SHA256 ba9d7fe7c627af07645bf593cf3535cebc74123962e7299bef7fe529517a1f6c
SHA512 7816a43a5c171ba5cd48274260464be1667445b58c1136fc8d2f8f73de22f4da95ecc2373ed0e9edb83c48834769ebf2c28f89053f96b59ce6c05c51782d55f0

memory/4228-104-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Fjnjqfij.exe

MD5 1fdb5de0cf840c71b9d02509947d8ccb
SHA1 bfa24846fde95d6d4524acb08cf4d014700bcc60
SHA256 7ec0593e98cfad5b433aef7e1349b12ba36e7b541db8b789fb5223039ea2f295
SHA512 74faf0584516b9596f36b3feddb2a54dd2fd646aa545f175163671938e09a44dc7df29eafc203bf1eb8e8228ef9db3db38ffdc822f00f37ec81cfe4028f87d28

memory/5776-112-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Fmmfmbhn.exe

MD5 055f8a509c6cd2ec4e181b0890b053b9
SHA1 47036a0da1b035c07d2715820880807cd1331f00
SHA256 31ce583bd7255575dc22971256265f74df7df702fa36c98d6cb848f04379931c
SHA512 f872472a1e5e2dbf5b344d343e3c0aa7c30e8b57d98c541be968d0e96841df24f51d241b9735ba59ff46d5bb03d407b31f6b23df934b24b4659a4e2f5d2212d5

memory/1492-120-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Fjqgff32.exe

MD5 1d3246538f9624dd1781f2b7e5767a50
SHA1 4cdaf6e7e3f117c58a5079d22b1230050d547fa6
SHA256 7dd131f19362275f446382c5f6e3e8ad85b9617b95a24ff0858e161e810371f1
SHA512 f954b2304ae8bd0461965a6ad504a9cdd3d3d18658f9b543bdb153f2a1df3c23938764f57c04e20b5b4100f90ef85d785c89d5d89835e8e13046f724a1750ee6

memory/3876-127-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Fomonm32.exe

MD5 c198d218db5c6b636b1808909fbc88ca
SHA1 b1a2759fff9e1228db00e24eee6612f0173b371c
SHA256 bf50557317e71e4b4ac0a57dda031e5b1ab70f392be60d862af754d1d473685e
SHA512 7086256ac30ae2d43564b2e8f6cc0cb2adec19c3831b611358c52a82af357142c236a6e8c8bebc7875767fbe636459e7ef1fd27d5a8cd8c37b73da2453b9db34

memory/680-136-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Fbllkh32.exe

MD5 6b7a4aa544c9cd449aeb729d3226e484
SHA1 e825ac91eccb5a1cd699a469fe49943134b30ca0
SHA256 8d8ff0d8dca2f1057deb0ba4833b75d17802c2613d9870a19fb55dd465ae7257
SHA512 c66952c5888ed075781feee52c90e5573b602e516bc1545f43953c3398d7978a36baeba3fa7d252fc97c82409238af82a727019dbd6e103328c5a05a9ede8533

memory/3120-144-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Fifdgblo.exe

MD5 e2c057aab19a74659d2a2721a9f5a85c
SHA1 c8e5d8437686d7e11ce675c99ad8edfdc3a639c7
SHA256 8cd97afd1ddf2402105a302944f57c642f6632ca9c09e765d8346bef688cc08b
SHA512 c51e1772bd3dc5332b433094d9641680e5f0bab8c0472116bface7ccf5dab04d798e55c6fa6e782dd39617841d68e901dd013b051a324bd988d753c20d3092bf

memory/5960-153-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Fqmlhpla.exe

MD5 facbd3ace867187348d509b3f57b52b5
SHA1 f3f3bdacee989a160c75e6175dd53fef3d5b40e8
SHA256 cd5136fb87219c33666e72f381d9efa8255effb65ff2e4af7c3653ac98c62a94
SHA512 ad6cc0fe79f3c4ba35c02e39f32ddbc69fd5982723b97966c7f125aebb0a694e55e5cba9230125a714f10b0091ad2ebb4426c0446875c59c5ac02955c0e8bb66

memory/3916-160-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Fckhdk32.exe

MD5 aeff2e401d12dc0a62472aecbe97aaf8
SHA1 654204982d256190f5d28d0f5a1965245e326b38
SHA256 02629a29353dcf8f4d0766666740312fecbaa53edd6bdbebd535ff560a0418f9
SHA512 e1aafda1da234e0b8978b75a6386e0a797a95668ebe8fad9fbd93dc014d752b8c1abae3723a8193f07dc7311783e563b187471c8da4d6c9d495dd0096202c1ba

memory/2548-168-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Fjepaecb.exe

MD5 40bc26ff994d98feb8e83742ae6ea2af
SHA1 21277c3a71b02d0a3d62581c2cf5a460592086d6
SHA256 6574eb8957c790d743e6b6e45d27a7f7354644b302821ae0016d8b4cdb951ce2
SHA512 80605119707c74470d6c1b1d9b41fc0a6d96aaf80ee49d905dce0569c4592372bc495f3b74e907d2619e607c6e5ce7c323f79273d4a4ff8f965a612cad5ea1e5

memory/1944-176-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Fqohnp32.exe

MD5 e500dfb5003c791a0ece2df2f1f8b343
SHA1 e4b381546c0f1bee384066ad1842774bd1b51e85
SHA256 2c2d395b60eccf84ae1ee9411cb6fb68349fb75755d73aee221081389164b2f7
SHA512 0fa231a2027463bd7714d904fa3dfc044130cc6ed758fd3cb007ca2c2aa1da0ecc9c97dda84d50685d51d394ddb3282f7caeb30d647844642503570ac0f7d6a1

memory/5936-184-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Fbqefhpm.exe

MD5 50ea26909967733d2cb3e7ba9b4b66af
SHA1 14af96b3241549420320964705c172f5058387ae
SHA256 2ec1cab72290d64a5733daa7b99e928dc7a73f4994ca58faa99a77f10ba201f7
SHA512 e31e964ab9f41f38906d4e46f3372fd1ee212cde83cf8664aeb7b976c61ada496191d30a82c6dd87f136617965cae61a87596968fb0973cf0c432a83ca73b6f9

memory/5432-192-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Fijmbb32.exe

MD5 7d2c14eee43c2da0530585da3d0592f2
SHA1 4d94a7ee6581936203c3fb58bedba15edccdfd6d
SHA256 e5b1754dd7f93e2ea912b5da38992a9e09574e26312c408c2737af4e94da31cc
SHA512 87befea8045506b240910f8ee08703d5c6a8eee41a27a2a8d1ed723e170455e534a082ab783d9fc670868a92ae7b883d810c051ec062729eabf286c2db367da5

memory/5416-200-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Fodeolof.exe

MD5 62a74691446b58939825c624ccf7ab3e
SHA1 b90a41bf63166de8b906b07d18174715d39d9fbd
SHA256 cae2ef6563d7e24061b0670359f9e1819e8240eea9640f9c405eabeae3ecf5f9
SHA512 9b37d3b9135284f75973f64b24a4e7efb6f6c9d9a14516b46c4aa714bd0c0512876e2191eafd1343e93e532d3d1c9e6b8be6860e797d7a6b3e1a2d5f8f83f3fd

memory/2452-208-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Gbcakg32.exe

MD5 21154b865052bcb2e9b7cf8414835b19
SHA1 280106058c2348cf36d07cc1b33051fa0a0ab0c9
SHA256 1ea6372c6f970f3b0a4bd2d15319be18e707e35c52578b80148e29951c647d63
SHA512 ee2aff92d665617f6a3be39ffe3d473e8f202a5bbff085137c44d549e8500aaec04b35d16502bc2c2ed644bbd85828993372f4e3981ecb3e4b3b965963f04d93

memory/1632-220-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Gjjjle32.exe

MD5 2396dfe30b228d60b66a23c0ed810348
SHA1 a2b1f292bd43ccd578b1956c44b8c4a038ab07aa
SHA256 05bcc8c3326cab07524541af75a5fac39303344b697dcd898f01dd63704032ff
SHA512 6930fd288689adedc9fe7ba4f83162a554a3c51ef3db2cf760364cfdfdcebe6af189a8e52f829605df9df7dc7dc420dde9fcd3e4f54ce2d9f7897d98dbad0326

memory/2368-224-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Gmhfhp32.exe

MD5 dec4140fab3ff5e077a148d1e85fc3ca
SHA1 564a5e9a86865fd404b357bad52e473f147732ac
SHA256 e40f07999122571cc1ab772c9b3e0cdf7da89e9645b69b8cd85657e18aaefeb9
SHA512 22f3dbfc1b7215e76e8bbefa550c390453b9366cccc4f6040e99fd84b0ea7c70a9f7ab49b94499829bc8d6be0c7355b7d57b8d95c046489407e2b512705f3bb5

memory/2872-232-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Gfqjafdq.exe

MD5 6cf3523c2a05161e3708709b81adf08c
SHA1 83e064670d1c9a98e27f9f3900c9722b001f50d8
SHA256 ca288e6756cc782ea46c216ad44a4055c24f90795e1b16f7495295e05e893a13
SHA512 843722cee0198e49796d0f064fc6f0a411ebca5fa492273dce5eb4543188710af063fb0edebc9003b978247300b8b60332e9cf5a933c9203f163ab97ea2c6ae4

memory/2556-244-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Giofnacd.exe

MD5 d1dc171eafb977bc21c6a96b743f55e8
SHA1 a3ab8dab4687327a29221270bd1687690f72b74f
SHA256 868091a39ec77e0ecc9ff58d320c0e26e94af7889cd2c8f12a2c7d4f5d19e0de
SHA512 57bdec20e950ca817df5859f979689198cc8f108d380aabdb5a0ed87d551b17871f3c7e27b399b63ba063c9680243646b9f648d909b4ee17569e584d6648a3f7

memory/4764-248-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Goiojk32.exe

MD5 8c08bd786adb8d93248c889dd06c5649
SHA1 bd76fa94f4591fdeefe59eea92960c042afd2785
SHA256 f68470a66ae64b02a26fb97fde55f2d4d28a1ca83cd70a83a4c326498ca53f47
SHA512 cb7bb27338757513fe89375e373cab2389524c5a4d76fd174aac52c731d0f7c450ae783227b63fe47e47e6404219a3583adb7c41a4e250feb385e272c0a57530

memory/5320-258-0x0000000000400000-0x0000000000441000-memory.dmp

memory/3708-266-0x0000000000400000-0x0000000000441000-memory.dmp

memory/5708-268-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1232-274-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Gcggpj32.exe

MD5 228aa3e939b921f4d32a39024c44285d
SHA1 6f4a5a53a85fd3033813a548d34663191b08c82f
SHA256 f63dd792a273e6c40053261d2ab60914290114ef17da4d18db8a64282eeb264a
SHA512 54c555d2383d3a67b17da07db6d5a59c5af20c55674edc02195a2373327f9afda371b46b981ea391369ea014913af7fd5adaafff343f55237fb7f88df005e070

memory/2540-281-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4168-286-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4844-292-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1544-298-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4284-308-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4276-315-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2136-316-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Hboagf32.exe

MD5 cb0edff9d8378628bfe6930ae3ed96ec
SHA1 7a72802e7faeca4070eb0b8d93a06e22cc5e89ef
SHA256 e433f633f3ddac0d8a339cfabf4b7788bd4f4c9d9b231713e9a75e6a35b6ddc3
SHA512 69b0bd6dc85053548ab8a5e3d32b9eb6476f505b6c86507ea8e38e42f87b80064f8acdf113a51063c5dc0f2ed767ad5b3e832f72dc19a5a0abed6487c834d84a

memory/1780-326-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1868-328-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Hpbaqj32.exe

MD5 6cb7541b54e87f14267ca2d1e2659055
SHA1 96b7c24b99fffba56b228654588da9c9d0230e4b
SHA256 be72b8aacee518e4e6f18df676c480a68147e58150244a77a047278404e2ee17
SHA512 211077733afd3f1c49fe76fb7bacf010bce3c780e5374c942d15cd9451623aa11e03dcc058d10068b81b9d2a278279ee8a3a3c42d95ad5a32f1a20351434e916

memory/2788-338-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4596-344-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4584-350-0x0000000000400000-0x0000000000441000-memory.dmp

memory/5284-352-0x0000000000400000-0x0000000000441000-memory.dmp

memory/3796-358-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1800-364-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4708-372-0x0000000000400000-0x0000000000441000-memory.dmp

memory/716-376-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4836-382-0x0000000000400000-0x0000000000441000-memory.dmp

memory/6048-388-0x0000000000400000-0x0000000000441000-memory.dmp

memory/3572-394-0x0000000000400000-0x0000000000441000-memory.dmp

memory/464-400-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2592-406-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1640-412-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2280-418-0x0000000000400000-0x0000000000441000-memory.dmp

memory/6056-424-0x0000000000400000-0x0000000000441000-memory.dmp

memory/5384-430-0x0000000000400000-0x0000000000441000-memory.dmp

memory/5712-438-0x0000000000400000-0x0000000000441000-memory.dmp

memory/804-447-0x0000000000400000-0x0000000000441000-memory.dmp

memory/3988-448-0x0000000000400000-0x0000000000441000-memory.dmp

memory/5308-454-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4064-460-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1468-470-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4112-476-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1700-482-0x0000000000400000-0x0000000000441000-memory.dmp

memory/6036-489-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4188-490-0x0000000000400000-0x0000000000441000-memory.dmp

memory/5688-496-0x0000000000400000-0x0000000000441000-memory.dmp

memory/5752-503-0x0000000000400000-0x0000000000441000-memory.dmp

memory/3952-508-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1620-514-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Jjpeepnb.exe

MD5 2b008c1d3346e5aa4edf1dd3cff02d7a
SHA1 42f817eaccc4931163ebf1500777c38a5c4e11ac
SHA256 b09b0876f50b104ea9d3970dceed1a8be679b795592798776de6e8f5ea5eae03
SHA512 424d05c7ccbd88aca1362db27ef1302b62e1f353cb7eb1f340a7ad35c227c705d382d952776521993c9b9b3713ab1d259a8067ffcf48606e23b0df9c62bcfa73

memory/2876-520-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1252-526-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4668-532-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Jaljgidl.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4932-542-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2536-544-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2416-545-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2188-551-0x0000000000400000-0x0000000000441000-memory.dmp

memory/3800-556-0x0000000000400000-0x0000000000441000-memory.dmp

memory/3704-558-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4824-563-0x0000000000400000-0x0000000000441000-memory.dmp

memory/5140-565-0x0000000000400000-0x0000000000441000-memory.dmp

memory/312-566-0x0000000000400000-0x0000000000441000-memory.dmp

memory/3096-572-0x0000000000400000-0x0000000000441000-memory.dmp

memory/404-577-0x0000000000400000-0x0000000000441000-memory.dmp

memory/5168-579-0x0000000000400000-0x0000000000441000-memory.dmp

memory/5884-584-0x0000000000400000-0x0000000000441000-memory.dmp

memory/932-592-0x0000000000400000-0x0000000000441000-memory.dmp

memory/5152-590-0x0000000000400000-0x0000000000441000-memory.dmp

memory/3508-594-0x0000000000400000-0x0000000000441000-memory.dmp

memory/436-593-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Kpjjod32.exe

MD5 bbbd8fa85bd0d2bf70a261149eb1cb84
SHA1 e67a11c3bcdc1a5dbd25e5d257c34ad4be5bd73d
SHA256 190131766f6b22eb6513ace6e30961678f2d0a1afaa123f2cec9bd8ceb47d6d3
SHA512 64fd5f3c048abef840f92dec0642583e811f5db31caf6797e89b0771b7dd89e80b150171c6758d40b9f0d04d45e5f780f78629a8d3a8e33d796724f94b100f76

C:\Windows\SysWOW64\Kajfig32.exe

MD5 52cc77170f09110cb66a3b72d3cd3abd
SHA1 6e8fe9dd5d8e8ea6591dcd8ea44fb69433e1ce38
SHA256 1471dc9e761d7c9299eb45bbecafa51c81f8a37f2b66720507898ada831c64ef
SHA512 bfdddbd10eca61e31e1db0dbd12f908d6fe5ab26f0524fe9f818b36142b893b8df4febb7ebb2e8e820424f43edebfcc18c2cadcfea57a70506dedfbc4bbfd3ec

C:\Windows\SysWOW64\Laciofpa.exe

MD5 280b5ece6f2f44a377a02a6a77c997e9
SHA1 af7cdb7d3d6594db7946186c97542fbffadd2ad7
SHA256 7959ee9c98e859b217290d1d43a4e3b463fea254b3b60041fae1c4d2b17d1c6b
SHA512 528660261f54df03053aaed2514e902c0ca26d276a55085385f87d8e0c6bbb6844f0184a73e068b94de875691a01c5f1cf181343a8e83c6e1921350a96e1ac47

C:\Windows\SysWOW64\Lklnhlfb.exe

MD5 c559d6be9c37d2e46db57cddbdf4f5f0
SHA1 fbce2ecb9f4f68a4d41a4a72b17723423d432094
SHA256 ac245197de0dc8e7f9c52218a93e864628c6abf0a32e568e9a692a655bffecf0
SHA512 9576a383b3d46b7c95e2e8a28e2e3f93f37cfec184d9fac5c4767c1bfe92ac9d2606a5f0475ac0c08f7684b93a5ca0671ef993b5600931b0e7c4c5fcf6bee2b8

C:\Windows\SysWOW64\Mjcgohig.exe

MD5 28a5a591ddfe471a5fc857e6d97d9c61
SHA1 23150e36aaa56de940766b363dc75273e1d70742
SHA256 ea252c1e4b2bb4f976003970e18f74d6b16350eb933f92d5dd9cc597f3d62e5c
SHA512 4930e8509874ecc7fd3e68fb27fcb357d66c1693b1431ab19750e896b8aa830b1ad85e5ec0facf4b9f1e994050ceef40e68937dfbbd865cb617479f9f60d475c

C:\Windows\SysWOW64\Nddkgonp.exe

MD5 7f643717b90671254c78903674cf39ff
SHA1 645b64005cca277801aa6a3594f0cbc29c6546a0
SHA256 16c41d86b91a714f2f5a51cc2e66b9087391912236c6b422531a70a4fc1e1a6a
SHA512 95e5a28e1bbf9333ddd54fad61ff7080de02b307abe76baaa047d13fefddb6ed3e45c9d3136c65cfede6664df2550dd289dab4a71de5a818a5b76cdaf7508a01