Analysis Overview
SHA256
ab391beb27aabd848c1fe20defa1086c5abbd528955a0cfd7eb1d1c79c107d5c
Threat Level: Known bad
The file 62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics was found to be: Known bad.
Malicious Activity Summary
Berbew family
Malware Dropper & Backdoor - Berbew
Adds autorun key to be loaded by Explorer.exe on startup
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Program crash
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-09 14:42
Signatures
Berbew family
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-09 14:42
Reported
2024-05-09 14:45
Platform
win7-20240221-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Idceea32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hnojdcfi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Hnagjbdf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hlfdkoin.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Hcplhi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hcifgjgc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hcplhi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Hnojdcfi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Hlfdkoin.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Idceea32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Hcifgjgc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hnagjbdf.exe | N/A |
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\Hcifgjgc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Hnojdcfi.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Hnagjbdf.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Hlfdkoin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Hcplhi32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Idceea32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Iagfoe32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Hcifgjgc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Hcifgjgc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Hnojdcfi.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Hnojdcfi.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Hnagjbdf.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Hnagjbdf.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Hlfdkoin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Hlfdkoin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Hcplhi32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Hcplhi32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Idceea32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Idceea32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Hlfdkoin.exe | C:\Windows\SysWOW64\Hnagjbdf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hlfdkoin.exe | C:\Windows\SysWOW64\Hnagjbdf.exe | N/A |
| File created | C:\Windows\SysWOW64\Pqiqnfej.dll | C:\Windows\SysWOW64\Hcplhi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hcifgjgc.exe | C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hcifgjgc.exe | C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe | N/A |
| File created | C:\Windows\SysWOW64\Odpegjpg.dll | C:\Windows\SysWOW64\Hcifgjgc.exe | N/A |
| File created | C:\Windows\SysWOW64\Hnagjbdf.exe | C:\Windows\SysWOW64\Hnojdcfi.exe | N/A |
| File created | C:\Windows\SysWOW64\Enlbgc32.dll | C:\Windows\SysWOW64\Hnojdcfi.exe | N/A |
| File created | C:\Windows\SysWOW64\Gjenmobn.dll | C:\Windows\SysWOW64\Idceea32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fealjk32.dll | C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe | N/A |
| File created | C:\Windows\SysWOW64\Hnojdcfi.exe | C:\Windows\SysWOW64\Hcifgjgc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hnagjbdf.exe | C:\Windows\SysWOW64\Hnojdcfi.exe | N/A |
| File created | C:\Windows\SysWOW64\Idceea32.exe | C:\Windows\SysWOW64\Hcplhi32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Iagfoe32.exe | C:\Windows\SysWOW64\Idceea32.exe | N/A |
| File created | C:\Windows\SysWOW64\Oiogaqdb.dll | C:\Windows\SysWOW64\Hnagjbdf.exe | N/A |
| File created | C:\Windows\SysWOW64\Hcplhi32.exe | C:\Windows\SysWOW64\Hlfdkoin.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hnojdcfi.exe | C:\Windows\SysWOW64\Hcifgjgc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hcplhi32.exe | C:\Windows\SysWOW64\Hlfdkoin.exe | N/A |
| File created | C:\Windows\SysWOW64\Lponfjoo.dll | C:\Windows\SysWOW64\Hlfdkoin.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Idceea32.exe | C:\Windows\SysWOW64\Hcplhi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Iagfoe32.exe | C:\Windows\SysWOW64\Idceea32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Iagfoe32.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fealjk32.dll" | C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Hnojdcfi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enlbgc32.dll" | C:\Windows\SysWOW64\Hnojdcfi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Hnagjbdf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiogaqdb.dll" | C:\Windows\SysWOW64\Hnagjbdf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Idceea32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831} | C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hcifgjgc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hnojdcfi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lponfjoo.dll" | C:\Windows\SysWOW64\Hlfdkoin.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hlfdkoin.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqiqnfej.dll" | C:\Windows\SysWOW64\Hcplhi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll" | C:\Windows\SysWOW64\Idceea32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Hcifgjgc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odpegjpg.dll" | C:\Windows\SysWOW64\Hcifgjgc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Hlfdkoin.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Hcplhi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hcplhi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Idceea32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hnagjbdf.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe" |
| C:\Windows\SysWOW64\Hcifgjgc.exe | C:\Windows\system32\Hcifgjgc.exe |
| C:\Windows\SysWOW64\Hnojdcfi.exe | C:\Windows\system32\Hnojdcfi.exe |
| C:\Windows\SysWOW64\Hnagjbdf.exe | C:\Windows\system32\Hnagjbdf.exe |
| C:\Windows\SysWOW64\Hlfdkoin.exe | C:\Windows\system32\Hlfdkoin.exe |
| C:\Windows\SysWOW64\Hcplhi32.exe | C:\Windows\system32\Hcplhi32.exe |
| C:\Windows\SysWOW64\Idceea32.exe | C:\Windows\system32\Idceea32.exe |
| C:\Windows\SysWOW64\Iagfoe32.exe | C:\Windows\system32\Iagfoe32.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 140 |
Network
Files
\Windows\SysWOW64\Hcifgjgc.exe
| MD5 | 241d4a8eed9c13a17abe8358ecc21621 |
| SHA1 | 6f9ff78ec54c7ef8773640edb4c785f62b4d1aa0 |
| SHA256 | 9367bfa4323c722ec443c12b1946d070bf386a7432725871bb8b9855d4de6d40 |
| SHA512 | c37373b5e2b811ae6fbaf840965b17f9fda23aca9b18bc35e2f66f3ca5aa683bc4dfa9ff7ea06ac59b86da471719d5bac250186eaa4f44fb13ab7556ea735a9b |
\Windows\SysWOW64\Hnojdcfi.exe
| MD5 | e4eaa09d0fba28021a9945ab6cab4b0a |
| SHA1 | f81ace0500fbff6dce96f24856d604701399ca14 |
| SHA256 | 399973a9ecaa8a8c6f43c7e172a3ed5217a61c911616bf66e9c6e4e9cd2a411a |
| SHA512 | 77a12b5e437eadbe49c3e687e4ed4597dfdf4d6443e0b9e004170d18a43cc0cf728e125f31546d71fdacb7915c3e62f5e46bb6bf367bfce0d598021188a50657 |
C:\Windows\SysWOW64\Hnagjbdf.exe
| MD5 | 8fec4eb17ef66085a352531b91fe997e |
| SHA1 | ced57ba029e646f8173a4359f9a19c22cc0e2816 |
| SHA256 | cdf2ab89e9d7fcea46f02a951ccc693c33a99b0ef25a3bf457644b424efc1ff7 |
| SHA512 | bd47971d69176b81c5064350bb7d6dab2a4cea2a5630889be45f2fc87016f13829ee7f1167e328739172f4c39ab141de0a8d82d5de2b11768847d548dcf6d593 |
\Windows\SysWOW64\Hlfdkoin.exe
| MD5 | c98c03a9db277d5939d3dc2ee196484b |
| SHA1 | 4109f107eaebb93c706a537aeecbca8f0a827ecb |
| SHA256 | 92e109095740db8d09e067b792fe594a162e376364c333e2c4a313a7c451c82d |
| SHA512 | 00c27a4beea56a93eaf9f8fab237aa1c65c7cf77fd380101b34fe4893af3ee44a4e2aadc7d71c56c27c39da4b66e61c89fbe332f9ddc801a93f47183686a9195 |
C:\Windows\SysWOW64\Lponfjoo.dll
| MD5 | 3fa562c9b6ae626da3fda006c5fe2995 |
| SHA1 | 98201dd3c5fb1ffef5318f31a64dcb98198de2af |
| SHA256 | 6b1004da3595ff423c8af3a630564461df692b4bd6a4bcbbe0329b068e7a656b |
| SHA512 | 440ce95964333d107ba46277a7cfb3c8d7136617732d1c7c77df8f60fc72c838bc899a1453c75785323b086ce5a70f3673ba4dca48f97005143d5aed8f915895 |
\Windows\SysWOW64\Hcplhi32.exe
| MD5 | a017216176aa766ce8492c171c548f08 |
| SHA1 | 5dba72d7119ab1f71b5b4a29e5f1358b920f569c |
| SHA256 | e8267d22756e4022a53c667fe146372b9c234f964133f02bee3bd07099c99445 |
| SHA512 | 8699c9b459296d91ed25e19b48f8631d32be31b6a627373a0a51a691193080bc71e4141dbe6f06a465ee7ff3039be32407c39bff7e4fd8ed26b1ac078c7b252b |
\Windows\SysWOW64\Idceea32.exe
| MD5 | ac33384e370afd97f546b9f50a185807 |
| SHA1 | 1a3c811defd12f967b48f2336f318c8c3bb6a120 |
| SHA256 | 93f5066705ad78d5fbec8b2fd40af7328dc546622c10d2caad03d2c9c5734c0a |
| SHA512 | 14a73e4a1a45b9d993c7d6139e4fd652a1fb80687c80707af3251ab21315d555d1dcd1e8fc8bddebc2a535955db456fbd992f2a68e2a875fbd5878982fcf53e4 |
\Windows\SysWOW64\Iagfoe32.exe
| MD5 | 7736eef8375042f58d2041469b9e2540 |
| SHA1 | 7f9eb86643729c12fd4b45ed4bcc166ed46c6172 |
| SHA256 | 5520cc61e23b3f7dfe9b86f97b45522f69cdfc342e116fe73b2009a4ab0c1093 |
| SHA512 | 730eace5cba043c34090b63c3877484dfcf67103d4a878939bb939388f1ce01038e567632ba3510bbeebaf1ee64999ddab9a0d5ae3ac39f03f55a44df70b0f45 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-09 14:42
Reported
2024-05-09 14:45
Platform
win10v2004-20240226-en
Max time kernel
140s
Max time network
147s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bdlfjh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bfolacnc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fgqgfl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Cildom32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Fcbnpnme.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fkcpql32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Fkcpql32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Fkemfl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Abfdpfaj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Bdlfjh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dkbgjo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Eddnic32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ampaho32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cgfbbb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Cigkdmel.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cildom32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Epffbd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Enlcahgh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Fnhbmgmk.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qppaclio.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Amkhmoap.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Cgfbbb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Cpfmlghd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Dgbanq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Epffbd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fbfkceca.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Fbfkceca.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gnmlhf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gjcmngnj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bdocph32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Bfolacnc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ciihjmcj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Eddnic32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Gjcmngnj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bfaigclq.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dncpkjoc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Enlcahgh.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fnhbmgmk.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dgbanq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Egegjn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Ciihjmcj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cpfmlghd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Qppaclio.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Egegjn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Fqbeoc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fcbnpnme.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Amkhmoap.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Bfaigclq.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cigkdmel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Dickplko.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Dkbgjo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Ejojljqa.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fqbeoc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Abfdpfaj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Bdocph32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Dncpkjoc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Gnmlhf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Ampaho32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dickplko.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ddklbd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Ddklbd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ejojljqa.exe | N/A |
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Nodeaima.dll | C:\Windows\SysWOW64\Bfolacnc.exe | N/A |
| File created | C:\Windows\SysWOW64\Dncpkjoc.exe | C:\Windows\SysWOW64\Ddklbd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Iolgql32.dll | C:\Windows\SysWOW64\Fcbnpnme.exe | N/A |
| File created | C:\Windows\SysWOW64\Bdlfjh32.exe | C:\Windows\SysWOW64\Ampaho32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bdocph32.exe | C:\Windows\SysWOW64\Bdlfjh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fkcpql32.exe | C:\Windows\SysWOW64\Egegjn32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bfaigclq.exe | C:\Windows\SysWOW64\Bfolacnc.exe | N/A |
| File created | C:\Windows\SysWOW64\Jhhnfh32.dll | C:\Windows\SysWOW64\Enlcahgh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dncpkjoc.exe | C:\Windows\SysWOW64\Ddklbd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qppaclio.exe | C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe | N/A |
| File created | C:\Windows\SysWOW64\Nlkppnab.dll | C:\Windows\SysWOW64\Cpfmlghd.exe | N/A |
| File created | C:\Windows\SysWOW64\Ddklbd32.exe | C:\Windows\SysWOW64\Dkbgjo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mkhpmopi.dll | C:\Windows\SysWOW64\Fnhbmgmk.exe | N/A |
| File created | C:\Windows\SysWOW64\Ajbfciej.dll | C:\Windows\SysWOW64\Qppaclio.exe | N/A |
| File created | C:\Windows\SysWOW64\Polcjq32.dll | C:\Windows\SysWOW64\Abfdpfaj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gjcmngnj.exe | C:\Windows\SysWOW64\Gnmlhf32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Abfdpfaj.exe | C:\Windows\SysWOW64\Qppaclio.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cigkdmel.exe | C:\Windows\SysWOW64\Cgfbbb32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qppaclio.exe | C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe | N/A |
| File created | C:\Windows\SysWOW64\Njonjm32.dll | C:\Windows\SysWOW64\Amkhmoap.exe | N/A |
| File created | C:\Windows\SysWOW64\Fgqgfl32.exe | C:\Windows\SysWOW64\Fnhbmgmk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dgbanq32.exe | C:\Windows\SysWOW64\Cpfmlghd.exe | N/A |
| File created | C:\Windows\SysWOW64\Enlcahgh.exe | C:\Windows\SysWOW64\Eddnic32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Egegjn32.exe | C:\Windows\SysWOW64\Enlcahgh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fkemfl32.exe | C:\Windows\SysWOW64\Fkcpql32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cigkdmel.exe | C:\Windows\SysWOW64\Cgfbbb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ciihjmcj.exe | C:\Windows\SysWOW64\Cigkdmel.exe | N/A |
| File created | C:\Windows\SysWOW64\Fbfkceca.exe | C:\Windows\SysWOW64\Fgqgfl32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ampaho32.exe | C:\Windows\SysWOW64\Amkhmoap.exe | N/A |
| File created | C:\Windows\SysWOW64\Jlojif32.dll | C:\Windows\SysWOW64\Cgfbbb32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cgfbbb32.exe | C:\Windows\SysWOW64\Bfaigclq.exe | N/A |
| File created | C:\Windows\SysWOW64\Dickplko.exe | C:\Windows\SysWOW64\Dgbanq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ohjckodg.dll | C:\Windows\SysWOW64\Dickplko.exe | N/A |
| File created | C:\Windows\SysWOW64\Eddnic32.exe | C:\Windows\SysWOW64\Ejojljqa.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fnhbmgmk.exe | C:\Windows\SysWOW64\Fcbnpnme.exe | N/A |
| File created | C:\Windows\SysWOW64\Bfolacnc.exe | C:\Windows\SysWOW64\Bdocph32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mcqelbcc.dll | C:\Windows\SysWOW64\Fbfkceca.exe | N/A |
| File created | C:\Windows\SysWOW64\Cildom32.exe | C:\Windows\SysWOW64\Ciihjmcj.exe | N/A |
| File created | C:\Windows\SysWOW64\Foolmeif.dll | C:\Windows\SysWOW64\Dgbanq32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dkbgjo32.exe | C:\Windows\SysWOW64\Dickplko.exe | N/A |
| File created | C:\Windows\SysWOW64\Lhaiafem.dll | C:\Windows\SysWOW64\Dncpkjoc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Amkhmoap.exe | C:\Windows\SysWOW64\Abfdpfaj.exe | N/A |
| File created | C:\Windows\SysWOW64\Eaecci32.dll | C:\Windows\SysWOW64\Epffbd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Deiljq32.dll | C:\Windows\SysWOW64\Ampaho32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dickplko.exe | C:\Windows\SysWOW64\Dgbanq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Abfdpfaj.exe | C:\Windows\SysWOW64\Qppaclio.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ejojljqa.exe | C:\Windows\SysWOW64\Epffbd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kbpkkeen.dll | C:\Windows\SysWOW64\Bdocph32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fgqgfl32.exe | C:\Windows\SysWOW64\Fnhbmgmk.exe | N/A |
| File created | C:\Windows\SysWOW64\Gjcmngnj.exe | C:\Windows\SysWOW64\Gnmlhf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lncmdghm.dll | C:\Windows\SysWOW64\Ciihjmcj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cpfmlghd.exe | C:\Windows\SysWOW64\Cildom32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fqbeoc32.exe | C:\Windows\SysWOW64\Fkemfl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fpiedd32.dll | C:\Windows\SysWOW64\Fgqgfl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Amkhmoap.exe | C:\Windows\SysWOW64\Abfdpfaj.exe | N/A |
| File created | C:\Windows\SysWOW64\Ampaho32.exe | C:\Windows\SysWOW64\Amkhmoap.exe | N/A |
| File created | C:\Windows\SysWOW64\Bfaigclq.exe | C:\Windows\SysWOW64\Bfolacnc.exe | N/A |
| File created | C:\Windows\SysWOW64\Cgfbbb32.exe | C:\Windows\SysWOW64\Bfaigclq.exe | N/A |
| File created | C:\Windows\SysWOW64\Gadeee32.dll | C:\Windows\SysWOW64\Fkemfl32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gbmadd32.exe | C:\Windows\SysWOW64\Gjcmngnj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bdlfjh32.exe | C:\Windows\SysWOW64\Ampaho32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cpfmlghd.exe | C:\Windows\SysWOW64\Cildom32.exe | N/A |
| File created | C:\Windows\SysWOW64\Epffbd32.exe | C:\Windows\SysWOW64\Dncpkjoc.exe | N/A |
| File created | C:\Windows\SysWOW64\Gnmlhf32.exe | C:\Windows\SysWOW64\Fbfkceca.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Gbmadd32.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Bdlfjh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Cgfbbb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cigkdmel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Epffbd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcqelbcc.dll" | C:\Windows\SysWOW64\Fbfkceca.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gjcmngnj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polcjq32.dll" | C:\Windows\SysWOW64\Abfdpfaj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831} | C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcidlo32.dll" | C:\Windows\SysWOW64\Bfaigclq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dkbgjo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ejojljqa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpiedd32.dll" | C:\Windows\SysWOW64\Fgqgfl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Qppaclio.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lljoca32.dll" | C:\Windows\SysWOW64\Cildom32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Bfaigclq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bdocph32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbjbac32.dll" | C:\Windows\SysWOW64\Ejojljqa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fkemfl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bfaigclq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Eddnic32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Enlcahgh.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Gnmlhf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paifdeda.dll" | C:\Windows\SysWOW64\Gnmlhf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bfolacnc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cgfbbb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nailkcbb.dll" | C:\Windows\SysWOW64\Fkcpql32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Fkemfl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Egegjn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ampaho32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ddklbd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkhpmopi.dll" | C:\Windows\SysWOW64\Fnhbmgmk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fqbeoc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iolgql32.dll" | C:\Windows\SysWOW64\Fcbnpnme.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Fbfkceca.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Dgbanq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlojif32.dll" | C:\Windows\SysWOW64\Cgfbbb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dgbanq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fnhbmgmk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gadeee32.dll" | C:\Windows\SysWOW64\Fkemfl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Cildom32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjckodg.dll" | C:\Windows\SysWOW64\Dickplko.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obhmcdfq.dll" | C:\Windows\SysWOW64\Dkbgjo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eaecci32.dll" | C:\Windows\SysWOW64\Epffbd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nodeaima.dll" | C:\Windows\SysWOW64\Bfolacnc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Foolmeif.dll" | C:\Windows\SysWOW64\Dgbanq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fkcpql32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Abfdpfaj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Ampaho32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfikmmob.dll" | C:\Windows\SysWOW64\Eddnic32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Fqbeoc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dncpkjoc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Egegjn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbjlkd32.dll" | C:\Windows\SysWOW64\Fqbeoc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Fgqgfl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fgqgfl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bdlfjh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhhnfh32.dll" | C:\Windows\SysWOW64\Enlcahgh.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Fcbnpnme.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcdbi32.dll" | C:\Windows\SysWOW64\Bdlfjh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiplni32.dll" | C:\Windows\SysWOW64\Cigkdmel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Ciihjmcj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Dkbgjo32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe"
C:\Windows\SysWOW64\Qppaclio.exe
C:\Windows\system32\Qppaclio.exe
C:\Windows\SysWOW64\Abfdpfaj.exe
C:\Windows\system32\Abfdpfaj.exe
C:\Windows\SysWOW64\Amkhmoap.exe
C:\Windows\system32\Amkhmoap.exe
C:\Windows\SysWOW64\Ampaho32.exe
C:\Windows\system32\Ampaho32.exe
C:\Windows\SysWOW64\Bdlfjh32.exe
C:\Windows\system32\Bdlfjh32.exe
C:\Windows\SysWOW64\Bdocph32.exe
C:\Windows\system32\Bdocph32.exe
C:\Windows\SysWOW64\Bfolacnc.exe
C:\Windows\system32\Bfolacnc.exe
C:\Windows\SysWOW64\Bfaigclq.exe
C:\Windows\system32\Bfaigclq.exe
C:\Windows\SysWOW64\Cgfbbb32.exe
C:\Windows\system32\Cgfbbb32.exe
C:\Windows\SysWOW64\Cigkdmel.exe
C:\Windows\system32\Cigkdmel.exe
C:\Windows\SysWOW64\Ciihjmcj.exe
C:\Windows\system32\Ciihjmcj.exe
C:\Windows\SysWOW64\Cildom32.exe
C:\Windows\system32\Cildom32.exe
C:\Windows\SysWOW64\Cpfmlghd.exe
C:\Windows\system32\Cpfmlghd.exe
C:\Windows\SysWOW64\Dgbanq32.exe
C:\Windows\system32\Dgbanq32.exe
C:\Windows\SysWOW64\Dickplko.exe
C:\Windows\system32\Dickplko.exe
C:\Windows\SysWOW64\Dkbgjo32.exe
C:\Windows\system32\Dkbgjo32.exe
C:\Windows\SysWOW64\Ddklbd32.exe
C:\Windows\system32\Ddklbd32.exe
C:\Windows\SysWOW64\Dncpkjoc.exe
C:\Windows\system32\Dncpkjoc.exe
C:\Windows\SysWOW64\Epffbd32.exe
C:\Windows\system32\Epffbd32.exe
C:\Windows\SysWOW64\Ejojljqa.exe
C:\Windows\system32\Ejojljqa.exe
C:\Windows\SysWOW64\Eddnic32.exe
C:\Windows\system32\Eddnic32.exe
C:\Windows\SysWOW64\Enlcahgh.exe
C:\Windows\system32\Enlcahgh.exe
C:\Windows\SysWOW64\Egegjn32.exe
C:\Windows\system32\Egegjn32.exe
C:\Windows\SysWOW64\Fkcpql32.exe
C:\Windows\system32\Fkcpql32.exe
C:\Windows\SysWOW64\Fkemfl32.exe
C:\Windows\system32\Fkemfl32.exe
C:\Windows\SysWOW64\Fqbeoc32.exe
C:\Windows\system32\Fqbeoc32.exe
C:\Windows\SysWOW64\Fcbnpnme.exe
C:\Windows\system32\Fcbnpnme.exe
C:\Windows\SysWOW64\Fnhbmgmk.exe
C:\Windows\system32\Fnhbmgmk.exe
C:\Windows\SysWOW64\Fgqgfl32.exe
C:\Windows\system32\Fgqgfl32.exe
C:\Windows\SysWOW64\Fbfkceca.exe
C:\Windows\system32\Fbfkceca.exe
C:\Windows\SysWOW64\Gnmlhf32.exe
C:\Windows\system32\Gnmlhf32.exe
C:\Windows\SysWOW64\Gjcmngnj.exe
C:\Windows\system32\Gjcmngnj.exe
C:\Windows\SysWOW64\Gbmadd32.exe
C:\Windows\system32\Gbmadd32.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1060 -ip 1060
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 412
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1036 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.136.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 172.217.169.10:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 10.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.17.178.52.in-addr.arpa | udp |
Files
C:\Windows\SysWOW64\Fnhbmgmk.exe
| MD5 | af3fa08f4a3503a67029f6abb8281281 |
| SHA1 | df3eac7bc4a3af95dcbde1bab77158e35e0c4d9b |
| SHA256 | 442a9d2073a9f22e595555980cc0904c2ac35125703e9fb1d467ab4e79c44686 |
| SHA512 | 8fc9380f2e26b90c211de29d567181625b00f3260ce8ed5954af109d3339e3a84c531b1acb86f44c3af0c8b63324c6400729e00337abdf5229c12a6723e94be5 |
C:\Windows\SysWOW64\Fnhbmgmk.exe
| MD5 | ca0090d1004d73e8cf7991dd253d2e71 |
| SHA1 | 748b48d61d234dee3239cf689a18e10089fcbb02 |
| SHA256 | 0017052ab8096c6edf121332d2db40f8cb8ff3a3f627d8142149a898e9b0ca98 |
| SHA512 | 2447e31792722ffd9fd4abfea96bffa168dfcc9b813d7df3811c7c65cb54cf51ad6aa52b1cb173845f1398fe20a29e99b7fe589f90f77b961ad5995639a60a21 |
C:\Windows\SysWOW64\Fgqgfl32.exe
| MD5 | f388446a293936bafe5c0c27e401836c |
| SHA1 | 4385eccc10101a9c3026741208c8eb72341b50cf |
| SHA256 | d70e959c584cdf9eb5b97425552a2e86a2301411a88551fcd7a60bc491d420cf |
| SHA512 | fe67b181d0f503297455b78365c6da651f7211181e64a2f2f48f546993956c388844c3f0b7c4c441d2381e7e85175747e8ecf6c34836ee03df4eb575fcef2c34 |
C:\Windows\SysWOW64\Fbfkceca.exe
| MD5 | 54ba62f0ed28da6aa12e315a8fe599d8 |
| SHA1 | d58d8a65a7226c75b5a31f24f37d2074d219fb07 |
| SHA256 | 1a66da8d84d7d1c14648e7ea20495097a707305fecfb1eb9ba559a5b91088ee2 |
| SHA512 | dffaa576826a4a5547e4037c3729e957edf9b66f25130bb5b0c56ac31566d38c59c80aaa3072a17b5916dedabc004f757b465994fd96ac7e327ea979fd331195 |
memory/1220-240-0x0000000000400000-0x0000000000436000-memory.dmp
memory/4712-248-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Windows\SysWOW64\Gjcmngnj.exe
| MD5 | 4b28066494cd84142a3d5ee87e963fdb |
| SHA1 | 86b01756f4406207db465b53751a863c9d210aa4 |
| SHA256 | 7a657a91dbb5bad48cde9c2b12a7a22ea4a2b8251ec5b9341ebb1ac82030a02b |
| SHA512 | bee98441f24224adf8047ca12deed72dc2c550015e7efd9a253b1605f3ccbaab3a118521e056561ad74300510be69c27253d5cf97aa10db3bda60386f657aa26 |
C:\Windows\SysWOW64\Gnmlhf32.exe
| MD5 | c81ff76790ca8e96791ef8c8e2f0c168 |
| SHA1 | 6f844f0664b6f482e14c7776b1f6ed1fd415e420 |
| SHA256 | 79f17d0825b83e5821b24be0b841b46f358181ea388802c15fe00455d8c153bb |
| SHA512 | 43a872b78cb6dee093f2ee34aed3969096e6693c361282bc8f9458f5157f3455ebe956ba3d191a5937bfc5aaac2a34eb9ac09034a44995031778eb97b78b2840 |
memory/1060-262-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Windows\SysWOW64\Gbmadd32.exe
| MD5 | d458a249dfe63a03400beb56515d3d12 |
| SHA1 | 917997a0b96c92d5cc53dc89f0554567c1b48c3f |
| SHA256 | 87d47d718e954784f04d6199aeb368f6daa3310bf4b84ae2fd98ebbb06338fb8 |
| SHA512 | 0a11431004d94da057deb0bec9bf307dc173c710de86df2b8d1b80d957029290d9d838167542cc2c63566cdd3d58c384a53e6aca294d78e0ee8398d46e81aafd |
memory/2248-256-0x0000000000400000-0x0000000000436000-memory.dmp
memory/464-231-0x0000000000400000-0x0000000000436000-memory.dmp
memory/4660-223-0x0000000000400000-0x0000000000436000-memory.dmp
memory/4424-215-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Windows\SysWOW64\Fqbeoc32.exe
| MD5 | 31765542b0d88a6d7e3d3d412fa2079d |
| SHA1 | a259458cb430f4731b05ed923f415ba7e92c29d1 |
| SHA256 | 49a3c0fe4b2ef275792d16805010bca3cc1b23be23c3ea090b1d35280b18a9ad |
| SHA512 | 63632ce5d03b643b0f859a2347e04df1c9310b89acaa71d83662ceec85e9aa525d1151023fa698af9ad50c38fd7261c725fbe83907bc7e33075f29a48aa78ba1 |
memory/1028-167-0x0000000000400000-0x0000000000436000-memory.dmp
memory/4028-160-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Windows\SysWOW64\Dncpkjoc.exe
| MD5 | 082172615621fa5fbd6f5069ee0d335d |
| SHA1 | abbae9e2e70ba1abdeab6dd5413ce9535b60d6f2 |
| SHA256 | 92edf3642b23ea3059bed628674bde2b0e3420d75e837f428af4c6b63b3f16f1 |
| SHA512 | 8213d422374065c9e86ac36706affa3580609b5796e9d221e86117cd53cfe1b8dd0f1c72685ace3eaa41caa30c5ab18642ddc24db6a2f8c5319a5b992d3d210e |
memory/4660-268-0x0000000000400000-0x0000000000436000-memory.dmp
memory/4424-269-0x0000000000400000-0x0000000000436000-memory.dmp
memory/1028-275-0x0000000000400000-0x0000000000436000-memory.dmp
memory/1428-278-0x0000000000400000-0x0000000000436000-memory.dmp
memory/1392-284-0x0000000000400000-0x0000000000436000-memory.dmp
memory/1840-294-0x0000000000400000-0x0000000000436000-memory.dmp
memory/4504-296-0x0000000000400000-0x0000000000436000-memory.dmp
memory/4928-293-0x0000000000400000-0x0000000000436000-memory.dmp
memory/1232-295-0x0000000000400000-0x0000000000436000-memory.dmp
memory/4492-292-0x0000000000400000-0x0000000000436000-memory.dmp
memory/628-291-0x0000000000400000-0x0000000000436000-memory.dmp
memory/5104-290-0x0000000000400000-0x0000000000436000-memory.dmp
memory/5052-289-0x0000000000400000-0x0000000000436000-memory.dmp
memory/4020-288-0x0000000000400000-0x0000000000436000-memory.dmp
memory/1436-287-0x0000000000400000-0x0000000000436000-memory.dmp
memory/1324-286-0x0000000000400000-0x0000000000436000-memory.dmp
memory/608-285-0x0000000000400000-0x0000000000436000-memory.dmp
memory/3112-283-0x0000000000400000-0x0000000000436000-memory.dmp
memory/3808-282-0x0000000000400000-0x0000000000436000-memory.dmp
memory/3864-281-0x0000000000400000-0x0000000000436000-memory.dmp
memory/2356-280-0x0000000000400000-0x0000000000436000-memory.dmp
memory/3088-279-0x0000000000400000-0x0000000000436000-memory.dmp
memory/4284-277-0x0000000000400000-0x0000000000436000-memory.dmp
memory/4028-276-0x0000000000400000-0x0000000000436000-memory.dmp
memory/4656-274-0x0000000000400000-0x0000000000436000-memory.dmp
memory/4288-273-0x0000000000400000-0x0000000000436000-memory.dmp
memory/4472-272-0x0000000000400000-0x0000000000436000-memory.dmp
memory/3372-271-0x0000000000400000-0x0000000000436000-memory.dmp
memory/5016-270-0x0000000000400000-0x0000000000436000-memory.dmp
memory/464-267-0x0000000000400000-0x0000000000436000-memory.dmp
memory/1220-266-0x0000000000400000-0x0000000000436000-memory.dmp
memory/4712-265-0x0000000000400000-0x0000000000436000-memory.dmp
memory/2248-264-0x0000000000400000-0x0000000000436000-memory.dmp
memory/1060-263-0x0000000000400000-0x0000000000436000-memory.dmp