Malware Analysis Report

2025-08-05 22:11

Sample ID 240509-r3f2zahh49
Target 62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics
SHA256 ab391beb27aabd848c1fe20defa1086c5abbd528955a0cfd7eb1d1c79c107d5c
Tags backdoor trojan dropper berbew persistence
Score 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 ab391beb27aabd848c1fe20defa1086c5abbd528955a0cfd7eb1d1c79c107d5c

Threat Level: Known bad

The file 62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

backdoor trojan dropper berbew persistence

Berbew family

Malware Dropper & Backdoor - Berbew

Adds autorun key to be loaded by Explorer.exe on startup

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Program crash

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-05-09 14:42

Signatures

Berbew family

berbew

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-05-09 14:42
Reported 2024-05-09 14:45
Platform win7-20240221-en
Max time kernel 121s
Max time network 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Idceea32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hnojdcfi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hnagjbdf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hlfdkoin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hcplhi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hcifgjgc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hcplhi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hnojdcfi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hlfdkoin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Idceea32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hcifgjgc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hnagjbdf.exe N/A

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Hlfdkoin.exe C:\Windows\SysWOW64\Hnagjbdf.exe N/A
File opened for modification C:\Windows\SysWOW64\Hlfdkoin.exe C:\Windows\SysWOW64\Hnagjbdf.exe N/A
File created C:\Windows\SysWOW64\Pqiqnfej.dll C:\Windows\SysWOW64\Hcplhi32.exe N/A
File created C:\Windows\SysWOW64\Hcifgjgc.exe C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Hcifgjgc.exe C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Odpegjpg.dll C:\Windows\SysWOW64\Hcifgjgc.exe N/A
File created C:\Windows\SysWOW64\Hnagjbdf.exe C:\Windows\SysWOW64\Hnojdcfi.exe N/A
File created C:\Windows\SysWOW64\Enlbgc32.dll C:\Windows\SysWOW64\Hnojdcfi.exe N/A
File created C:\Windows\SysWOW64\Gjenmobn.dll C:\Windows\SysWOW64\Idceea32.exe N/A
File created C:\Windows\SysWOW64\Fealjk32.dll C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Hnojdcfi.exe C:\Windows\SysWOW64\Hcifgjgc.exe N/A
File opened for modification C:\Windows\SysWOW64\Hnagjbdf.exe C:\Windows\SysWOW64\Hnojdcfi.exe N/A
File created C:\Windows\SysWOW64\Idceea32.exe C:\Windows\SysWOW64\Hcplhi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Iagfoe32.exe C:\Windows\SysWOW64\Idceea32.exe N/A
File created C:\Windows\SysWOW64\Oiogaqdb.dll C:\Windows\SysWOW64\Hnagjbdf.exe N/A
File created C:\Windows\SysWOW64\Hcplhi32.exe C:\Windows\SysWOW64\Hlfdkoin.exe N/A
File opened for modification C:\Windows\SysWOW64\Hnojdcfi.exe C:\Windows\SysWOW64\Hcifgjgc.exe N/A
File opened for modification C:\Windows\SysWOW64\Hcplhi32.exe C:\Windows\SysWOW64\Hlfdkoin.exe N/A
File created C:\Windows\SysWOW64\Lponfjoo.dll C:\Windows\SysWOW64\Hlfdkoin.exe N/A
File opened for modification C:\Windows\SysWOW64\Idceea32.exe C:\Windows\SysWOW64\Hcplhi32.exe N/A
File created C:\Windows\SysWOW64\Iagfoe32.exe C:\Windows\SysWOW64\Idceea32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Iagfoe32.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fealjk32.dll" C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Hnojdcfi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enlbgc32.dll" C:\Windows\SysWOW64\Hnojdcfi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Hnagjbdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiogaqdb.dll" C:\Windows\SysWOW64\Hnagjbdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Idceea32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831} C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hcifgjgc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hnojdcfi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lponfjoo.dll" C:\Windows\SysWOW64\Hlfdkoin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hlfdkoin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqiqnfej.dll" C:\Windows\SysWOW64\Hcplhi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll" C:\Windows\SysWOW64\Idceea32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Hcifgjgc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odpegjpg.dll" C:\Windows\SysWOW64\Hcifgjgc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Hlfdkoin.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Hcplhi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hcplhi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Idceea32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hnagjbdf.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2188 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe C:\Windows\SysWOW64\Hcifgjgc.exe
PID 2188 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe C:\Windows\SysWOW64\Hcifgjgc.exe
PID 2188 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe C:\Windows\SysWOW64\Hcifgjgc.exe
PID 2188 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe C:\Windows\SysWOW64\Hcifgjgc.exe
PID 2784 wrote to memory of 2584 N/A C:\Windows\SysWOW64\Hcifgjgc.exe C:\Windows\SysWOW64\Hnojdcfi.exe
PID 2784 wrote to memory of 2584 N/A C:\Windows\SysWOW64\Hcifgjgc.exe C:\Windows\SysWOW64\Hnojdcfi.exe
PID 2784 wrote to memory of 2584 N/A C:\Windows\SysWOW64\Hcifgjgc.exe C:\Windows\SysWOW64\Hnojdcfi.exe
PID 2784 wrote to memory of 2584 N/A C:\Windows\SysWOW64\Hcifgjgc.exe C:\Windows\SysWOW64\Hnojdcfi.exe
PID 2584 wrote to memory of 2508 N/A C:\Windows\SysWOW64\Hnojdcfi.exe C:\Windows\SysWOW64\Hnagjbdf.exe
PID 2584 wrote to memory of 2508 N/A C:\Windows\SysWOW64\Hnojdcfi.exe C:\Windows\SysWOW64\Hnagjbdf.exe
PID 2584 wrote to memory of 2508 N/A C:\Windows\SysWOW64\Hnojdcfi.exe C:\Windows\SysWOW64\Hnagjbdf.exe
PID 2584 wrote to memory of 2508 N/A C:\Windows\SysWOW64\Hnojdcfi.exe C:\Windows\SysWOW64\Hnagjbdf.exe
PID 2508 wrote to memory of 2716 N/A C:\Windows\SysWOW64\Hnagjbdf.exe C:\Windows\SysWOW64\Hlfdkoin.exe
PID 2508 wrote to memory of 2716 N/A C:\Windows\SysWOW64\Hnagjbdf.exe C:\Windows\SysWOW64\Hlfdkoin.exe
PID 2508 wrote to memory of 2716 N/A C:\Windows\SysWOW64\Hnagjbdf.exe C:\Windows\SysWOW64\Hlfdkoin.exe
PID 2508 wrote to memory of 2716 N/A C:\Windows\SysWOW64\Hnagjbdf.exe C:\Windows\SysWOW64\Hlfdkoin.exe
PID 2716 wrote to memory of 2372 N/A C:\Windows\SysWOW64\Hlfdkoin.exe C:\Windows\SysWOW64\Hcplhi32.exe
PID 2716 wrote to memory of 2372 N/A C:\Windows\SysWOW64\Hlfdkoin.exe C:\Windows\SysWOW64\Hcplhi32.exe
PID 2716 wrote to memory of 2372 N/A C:\Windows\SysWOW64\Hlfdkoin.exe C:\Windows\SysWOW64\Hcplhi32.exe
PID 2716 wrote to memory of 2372 N/A C:\Windows\SysWOW64\Hlfdkoin.exe C:\Windows\SysWOW64\Hcplhi32.exe
PID 2372 wrote to memory of 2292 N/A C:\Windows\SysWOW64\Hcplhi32.exe C:\Windows\SysWOW64\Idceea32.exe
PID 2372 wrote to memory of 2292 N/A C:\Windows\SysWOW64\Hcplhi32.exe C:\Windows\SysWOW64\Idceea32.exe
PID 2372 wrote to memory of 2292 N/A C:\Windows\SysWOW64\Hcplhi32.exe C:\Windows\SysWOW64\Idceea32.exe
PID 2372 wrote to memory of 2292 N/A C:\Windows\SysWOW64\Hcplhi32.exe C:\Windows\SysWOW64\Idceea32.exe
PID 2292 wrote to memory of 1484 N/A C:\Windows\SysWOW64\Idceea32.exe C:\Windows\SysWOW64\Iagfoe32.exe
PID 2292 wrote to memory of 1484 N/A C:\Windows\SysWOW64\Idceea32.exe C:\Windows\SysWOW64\Iagfoe32.exe
PID 2292 wrote to memory of 1484 N/A C:\Windows\SysWOW64\Idceea32.exe C:\Windows\SysWOW64\Iagfoe32.exe
PID 2292 wrote to memory of 1484 N/A C:\Windows\SysWOW64\Idceea32.exe C:\Windows\SysWOW64\Iagfoe32.exe
PID 1484 wrote to memory of 2444 N/A C:\Windows\SysWOW64\Iagfoe32.exe C:\Windows\SysWOW64\WerFault.exe
PID 1484 wrote to memory of 2444 N/A C:\Windows\SysWOW64\Iagfoe32.exe C:\Windows\SysWOW64\WerFault.exe
PID 1484 wrote to memory of 2444 N/A C:\Windows\SysWOW64\Iagfoe32.exe C:\Windows\SysWOW64\WerFault.exe
PID 1484 wrote to memory of 2444 N/A C:\Windows\SysWOW64\Iagfoe32.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Hcifgjgc.exe

C:\Windows\system32\Hcifgjgc.exe

C:\Windows\SysWOW64\Hnojdcfi.exe

C:\Windows\system32\Hnojdcfi.exe

C:\Windows\SysWOW64\Hnagjbdf.exe

C:\Windows\system32\Hnagjbdf.exe

C:\Windows\SysWOW64\Hlfdkoin.exe

C:\Windows\system32\Hlfdkoin.exe

C:\Windows\SysWOW64\Hcplhi32.exe

C:\Windows\system32\Hcplhi32.exe

C:\Windows\SysWOW64\Idceea32.exe

C:\Windows\system32\Idceea32.exe

C:\Windows\SysWOW64\Iagfoe32.exe

C:\Windows\system32\Iagfoe32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 140

Network

N/A

Files

memory/2188-0-0x0000000000400000-0x0000000000436000-memory.dmp

\Windows\SysWOW64\Hcifgjgc.exe

MD5 241d4a8eed9c13a17abe8358ecc21621
SHA1 6f9ff78ec54c7ef8773640edb4c785f62b4d1aa0
SHA256 9367bfa4323c722ec443c12b1946d070bf386a7432725871bb8b9855d4de6d40
SHA512 c37373b5e2b811ae6fbaf840965b17f9fda23aca9b18bc35e2f66f3ca5aa683bc4dfa9ff7ea06ac59b86da471719d5bac250186eaa4f44fb13ab7556ea735a9b

memory/2188-18-0x0000000000270000-0x00000000002A6000-memory.dmp

memory/2784-19-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2188-6-0x0000000000270000-0x00000000002A6000-memory.dmp

\Windows\SysWOW64\Hnojdcfi.exe

MD5 e4eaa09d0fba28021a9945ab6cab4b0a
SHA1 f81ace0500fbff6dce96f24856d604701399ca14
SHA256 399973a9ecaa8a8c6f43c7e172a3ed5217a61c911616bf66e9c6e4e9cd2a411a
SHA512 77a12b5e437eadbe49c3e687e4ed4597dfdf4d6443e0b9e004170d18a43cc0cf728e125f31546d71fdacb7915c3e62f5e46bb6bf367bfce0d598021188a50657

memory/2508-40-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Windows\SysWOW64\Hnagjbdf.exe

MD5 8fec4eb17ef66085a352531b91fe997e
SHA1 ced57ba029e646f8173a4359f9a19c22cc0e2816
SHA256 cdf2ab89e9d7fcea46f02a951ccc693c33a99b0ef25a3bf457644b424efc1ff7
SHA512 bd47971d69176b81c5064350bb7d6dab2a4cea2a5630889be45f2fc87016f13829ee7f1167e328739172f4c39ab141de0a8d82d5de2b11768847d548dcf6d593

memory/2584-32-0x0000000000400000-0x0000000000436000-memory.dmp

\Windows\SysWOW64\Hlfdkoin.exe

MD5 c98c03a9db277d5939d3dc2ee196484b
SHA1 4109f107eaebb93c706a537aeecbca8f0a827ecb
SHA256 92e109095740db8d09e067b792fe594a162e376364c333e2c4a313a7c451c82d
SHA512 00c27a4beea56a93eaf9f8fab237aa1c65c7cf77fd380101b34fe4893af3ee44a4e2aadc7d71c56c27c39da4b66e61c89fbe332f9ddc801a93f47183686a9195

memory/2508-53-0x0000000000440000-0x0000000000476000-memory.dmp

C:\Windows\SysWOW64\Lponfjoo.dll

MD5 3fa562c9b6ae626da3fda006c5fe2995
SHA1 98201dd3c5fb1ffef5318f31a64dcb98198de2af
SHA256 6b1004da3595ff423c8af3a630564461df692b4bd6a4bcbbe0329b068e7a656b
SHA512 440ce95964333d107ba46277a7cfb3c8d7136617732d1c7c77df8f60fc72c838bc899a1453c75785323b086ce5a70f3673ba4dca48f97005143d5aed8f915895

\Windows\SysWOW64\Hcplhi32.exe

MD5 a017216176aa766ce8492c171c548f08
SHA1 5dba72d7119ab1f71b5b4a29e5f1358b920f569c
SHA256 e8267d22756e4022a53c667fe146372b9c234f964133f02bee3bd07099c99445
SHA512 8699c9b459296d91ed25e19b48f8631d32be31b6a627373a0a51a691193080bc71e4141dbe6f06a465ee7ff3039be32407c39bff7e4fd8ed26b1ac078c7b252b

memory/2508-55-0x0000000000440000-0x0000000000476000-memory.dmp

memory/2716-66-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2372-68-0x0000000000400000-0x0000000000436000-memory.dmp

\Windows\SysWOW64\Idceea32.exe

MD5 ac33384e370afd97f546b9f50a185807
SHA1 1a3c811defd12f967b48f2336f318c8c3bb6a120
SHA256 93f5066705ad78d5fbec8b2fd40af7328dc546622c10d2caad03d2c9c5734c0a
SHA512 14a73e4a1a45b9d993c7d6139e4fd652a1fb80687c80707af3251ab21315d555d1dcd1e8fc8bddebc2a535955db456fbd992f2a68e2a875fbd5878982fcf53e4

memory/2372-77-0x0000000000250000-0x0000000000286000-memory.dmp

\Windows\SysWOW64\Iagfoe32.exe

MD5 7736eef8375042f58d2041469b9e2540
SHA1 7f9eb86643729c12fd4b45ed4bcc166ed46c6172
SHA256 5520cc61e23b3f7dfe9b86f97b45522f69cdfc342e116fe73b2009a4ab0c1093
SHA512 730eace5cba043c34090b63c3877484dfcf67103d4a878939bb939388f1ce01038e567632ba3510bbeebaf1ee64999ddab9a0d5ae3ac39f03f55a44df70b0f45

memory/1484-94-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2188-99-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2508-100-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2716-101-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2372-102-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2292-103-0x0000000000400000-0x0000000000436000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-05-09 14:42
Reported 2024-05-09 14:45
Platform win10v2004-20240226-en
Max time kernel 140s
Max time network 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bdlfjh32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bfolacnc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fgqgfl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cildom32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Fcbnpnme.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fkcpql32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Fkcpql32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Fkemfl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Abfdpfaj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bdlfjh32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dkbgjo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Eddnic32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ampaho32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cgfbbb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cigkdmel.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cildom32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Epffbd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Enlcahgh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Fnhbmgmk.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qppaclio.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Amkhmoap.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cgfbbb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cpfmlghd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dgbanq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Epffbd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fbfkceca.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Fbfkceca.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gnmlhf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gjcmngnj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bdocph32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bfolacnc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ciihjmcj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eddnic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gjcmngnj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bfaigclq.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dncpkjoc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Enlcahgh.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fnhbmgmk.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dgbanq32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Egegjn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ciihjmcj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cpfmlghd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Qppaclio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Egegjn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Fqbeoc32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fcbnpnme.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Amkhmoap.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bfaigclq.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cigkdmel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dickplko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dkbgjo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ejojljqa.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fqbeoc32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Abfdpfaj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bdocph32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dncpkjoc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Gnmlhf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ampaho32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dickplko.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ddklbd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ddklbd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ejojljqa.exe N/A

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Qppaclio.exe N/A
N/A N/A C:\Windows\SysWOW64\Abfdpfaj.exe N/A
N/A N/A C:\Windows\SysWOW64\Amkhmoap.exe N/A
N/A N/A C:\Windows\SysWOW64\Ampaho32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdlfjh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdocph32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bfolacnc.exe N/A
N/A N/A C:\Windows\SysWOW64\Bfaigclq.exe N/A
N/A N/A C:\Windows\SysWOW64\Cgfbbb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cigkdmel.exe N/A
N/A N/A C:\Windows\SysWOW64\Ciihjmcj.exe N/A
N/A N/A C:\Windows\SysWOW64\Cildom32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cpfmlghd.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgbanq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dickplko.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkbgjo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddklbd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dncpkjoc.exe N/A
N/A N/A C:\Windows\SysWOW64\Epffbd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejojljqa.exe N/A
N/A N/A C:\Windows\SysWOW64\Eddnic32.exe N/A
N/A N/A C:\Windows\SysWOW64\Enlcahgh.exe N/A
N/A N/A C:\Windows\SysWOW64\Egegjn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fkcpql32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fkemfl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fqbeoc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fcbnpnme.exe N/A
N/A N/A C:\Windows\SysWOW64\Fnhbmgmk.exe N/A
N/A N/A C:\Windows\SysWOW64\Fgqgfl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbfkceca.exe N/A
N/A N/A C:\Windows\SysWOW64\Gnmlhf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gjcmngnj.exe N/A
N/A N/A C:\Windows\SysWOW64\Gbmadd32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Nodeaima.dll C:\Windows\SysWOW64\Bfolacnc.exe N/A
File created C:\Windows\SysWOW64\Dncpkjoc.exe C:\Windows\SysWOW64\Ddklbd32.exe N/A
File created C:\Windows\SysWOW64\Iolgql32.dll C:\Windows\SysWOW64\Fcbnpnme.exe N/A
File created C:\Windows\SysWOW64\Bdlfjh32.exe C:\Windows\SysWOW64\Ampaho32.exe N/A
File created C:\Windows\SysWOW64\Bdocph32.exe C:\Windows\SysWOW64\Bdlfjh32.exe N/A
File created C:\Windows\SysWOW64\Fkcpql32.exe C:\Windows\SysWOW64\Egegjn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bfaigclq.exe C:\Windows\SysWOW64\Bfolacnc.exe N/A
File created C:\Windows\SysWOW64\Jhhnfh32.dll C:\Windows\SysWOW64\Enlcahgh.exe N/A
File opened for modification C:\Windows\SysWOW64\Dncpkjoc.exe C:\Windows\SysWOW64\Ddklbd32.exe N/A
File created C:\Windows\SysWOW64\Qppaclio.exe C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Nlkppnab.dll C:\Windows\SysWOW64\Cpfmlghd.exe N/A
File created C:\Windows\SysWOW64\Ddklbd32.exe C:\Windows\SysWOW64\Dkbgjo32.exe N/A
File created C:\Windows\SysWOW64\Mkhpmopi.dll C:\Windows\SysWOW64\Fnhbmgmk.exe N/A
File created C:\Windows\SysWOW64\Ajbfciej.dll C:\Windows\SysWOW64\Qppaclio.exe N/A
File created C:\Windows\SysWOW64\Polcjq32.dll C:\Windows\SysWOW64\Abfdpfaj.exe N/A
File opened for modification C:\Windows\SysWOW64\Gjcmngnj.exe C:\Windows\SysWOW64\Gnmlhf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Abfdpfaj.exe C:\Windows\SysWOW64\Qppaclio.exe N/A
File opened for modification C:\Windows\SysWOW64\Cigkdmel.exe C:\Windows\SysWOW64\Cgfbbb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Qppaclio.exe C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Njonjm32.dll C:\Windows\SysWOW64\Amkhmoap.exe N/A
File created C:\Windows\SysWOW64\Fgqgfl32.exe C:\Windows\SysWOW64\Fnhbmgmk.exe N/A
File opened for modification C:\Windows\SysWOW64\Dgbanq32.exe C:\Windows\SysWOW64\Cpfmlghd.exe N/A
File created C:\Windows\SysWOW64\Enlcahgh.exe C:\Windows\SysWOW64\Eddnic32.exe N/A
File opened for modification C:\Windows\SysWOW64\Egegjn32.exe C:\Windows\SysWOW64\Enlcahgh.exe N/A
File opened for modification C:\Windows\SysWOW64\Fkemfl32.exe C:\Windows\SysWOW64\Fkcpql32.exe N/A
File created C:\Windows\SysWOW64\Cigkdmel.exe C:\Windows\SysWOW64\Cgfbbb32.exe N/A
File created C:\Windows\SysWOW64\Ciihjmcj.exe C:\Windows\SysWOW64\Cigkdmel.exe N/A
File created C:\Windows\SysWOW64\Fbfkceca.exe C:\Windows\SysWOW64\Fgqgfl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ampaho32.exe C:\Windows\SysWOW64\Amkhmoap.exe N/A
File created C:\Windows\SysWOW64\Jlojif32.dll C:\Windows\SysWOW64\Cgfbbb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cgfbbb32.exe C:\Windows\SysWOW64\Bfaigclq.exe N/A
File created C:\Windows\SysWOW64\Dickplko.exe C:\Windows\SysWOW64\Dgbanq32.exe N/A
File created C:\Windows\SysWOW64\Ohjckodg.dll C:\Windows\SysWOW64\Dickplko.exe N/A
File created C:\Windows\SysWOW64\Eddnic32.exe C:\Windows\SysWOW64\Ejojljqa.exe N/A
File opened for modification C:\Windows\SysWOW64\Fnhbmgmk.exe C:\Windows\SysWOW64\Fcbnpnme.exe N/A
File created C:\Windows\SysWOW64\Bfolacnc.exe C:\Windows\SysWOW64\Bdocph32.exe N/A
File created C:\Windows\SysWOW64\Mcqelbcc.dll C:\Windows\SysWOW64\Fbfkceca.exe N/A
File created C:\Windows\SysWOW64\Cildom32.exe C:\Windows\SysWOW64\Ciihjmcj.exe N/A
File created C:\Windows\SysWOW64\Foolmeif.dll C:\Windows\SysWOW64\Dgbanq32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dkbgjo32.exe C:\Windows\SysWOW64\Dickplko.exe N/A
File created C:\Windows\SysWOW64\Lhaiafem.dll C:\Windows\SysWOW64\Dncpkjoc.exe N/A
File opened for modification C:\Windows\SysWOW64\Amkhmoap.exe C:\Windows\SysWOW64\Abfdpfaj.exe N/A
File created C:\Windows\SysWOW64\Eaecci32.dll C:\Windows\SysWOW64\Epffbd32.exe N/A
File created C:\Windows\SysWOW64\Deiljq32.dll C:\Windows\SysWOW64\Ampaho32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dickplko.exe C:\Windows\SysWOW64\Dgbanq32.exe N/A
File created C:\Windows\SysWOW64\Abfdpfaj.exe C:\Windows\SysWOW64\Qppaclio.exe N/A
File opened for modification C:\Windows\SysWOW64\Ejojljqa.exe C:\Windows\SysWOW64\Epffbd32.exe N/A
File created C:\Windows\SysWOW64\Kbpkkeen.dll C:\Windows\SysWOW64\Bdocph32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fgqgfl32.exe C:\Windows\SysWOW64\Fnhbmgmk.exe N/A
File created C:\Windows\SysWOW64\Gjcmngnj.exe C:\Windows\SysWOW64\Gnmlhf32.exe N/A
File created C:\Windows\SysWOW64\Lncmdghm.dll C:\Windows\SysWOW64\Ciihjmcj.exe N/A
File opened for modification C:\Windows\SysWOW64\Cpfmlghd.exe C:\Windows\SysWOW64\Cildom32.exe N/A
File created C:\Windows\SysWOW64\Fqbeoc32.exe C:\Windows\SysWOW64\Fkemfl32.exe N/A
File created C:\Windows\SysWOW64\Fpiedd32.dll C:\Windows\SysWOW64\Fgqgfl32.exe N/A
File created C:\Windows\SysWOW64\Amkhmoap.exe C:\Windows\SysWOW64\Abfdpfaj.exe N/A
File created C:\Windows\SysWOW64\Ampaho32.exe C:\Windows\SysWOW64\Amkhmoap.exe N/A
File created C:\Windows\SysWOW64\Bfaigclq.exe C:\Windows\SysWOW64\Bfolacnc.exe N/A
File created C:\Windows\SysWOW64\Cgfbbb32.exe C:\Windows\SysWOW64\Bfaigclq.exe N/A
File created C:\Windows\SysWOW64\Gadeee32.dll C:\Windows\SysWOW64\Fkemfl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gbmadd32.exe C:\Windows\SysWOW64\Gjcmngnj.exe N/A
File opened for modification C:\Windows\SysWOW64\Bdlfjh32.exe C:\Windows\SysWOW64\Ampaho32.exe N/A
File created C:\Windows\SysWOW64\Cpfmlghd.exe C:\Windows\SysWOW64\Cildom32.exe N/A
File created C:\Windows\SysWOW64\Epffbd32.exe C:\Windows\SysWOW64\Dncpkjoc.exe N/A
File created C:\Windows\SysWOW64\Gnmlhf32.exe C:\Windows\SysWOW64\Fbfkceca.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Gbmadd32.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Bdlfjh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Cgfbbb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cigkdmel.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Epffbd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcqelbcc.dll" C:\Windows\SysWOW64\Fbfkceca.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gjcmngnj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polcjq32.dll" C:\Windows\SysWOW64\Abfdpfaj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831} C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcidlo32.dll" C:\Windows\SysWOW64\Bfaigclq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dkbgjo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ejojljqa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpiedd32.dll" C:\Windows\SysWOW64\Fgqgfl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Qppaclio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lljoca32.dll" C:\Windows\SysWOW64\Cildom32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Bfaigclq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bdocph32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbjbac32.dll" C:\Windows\SysWOW64\Ejojljqa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fkemfl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bfaigclq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Eddnic32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Enlcahgh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Gnmlhf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paifdeda.dll" C:\Windows\SysWOW64\Gnmlhf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bfolacnc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cgfbbb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nailkcbb.dll" C:\Windows\SysWOW64\Fkcpql32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Fkemfl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Egegjn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ampaho32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ddklbd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkhpmopi.dll" C:\Windows\SysWOW64\Fnhbmgmk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fqbeoc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iolgql32.dll" C:\Windows\SysWOW64\Fcbnpnme.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Fbfkceca.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Dgbanq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlojif32.dll" C:\Windows\SysWOW64\Cgfbbb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dgbanq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fnhbmgmk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gadeee32.dll" C:\Windows\SysWOW64\Fkemfl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Cildom32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjckodg.dll" C:\Windows\SysWOW64\Dickplko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obhmcdfq.dll" C:\Windows\SysWOW64\Dkbgjo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eaecci32.dll" C:\Windows\SysWOW64\Epffbd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nodeaima.dll" C:\Windows\SysWOW64\Bfolacnc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Foolmeif.dll" C:\Windows\SysWOW64\Dgbanq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fkcpql32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Abfdpfaj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ampaho32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfikmmob.dll" C:\Windows\SysWOW64\Eddnic32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Fqbeoc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dncpkjoc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Egegjn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbjlkd32.dll" C:\Windows\SysWOW64\Fqbeoc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Fgqgfl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fgqgfl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bdlfjh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhhnfh32.dll" C:\Windows\SysWOW64\Enlcahgh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Fcbnpnme.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcdbi32.dll" C:\Windows\SysWOW64\Bdlfjh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiplni32.dll" C:\Windows\SysWOW64\Cigkdmel.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ciihjmcj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Dkbgjo32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4504 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe C:\Windows\SysWOW64\Qppaclio.exe
PID 4504 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe C:\Windows\SysWOW64\Qppaclio.exe
PID 4504 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe C:\Windows\SysWOW64\Qppaclio.exe
PID 1232 wrote to memory of 1840 N/A C:\Windows\SysWOW64\Qppaclio.exe C:\Windows\SysWOW64\Abfdpfaj.exe
PID 1232 wrote to memory of 1840 N/A C:\Windows\SysWOW64\Qppaclio.exe C:\Windows\SysWOW64\Abfdpfaj.exe
PID 1232 wrote to memory of 1840 N/A C:\Windows\SysWOW64\Qppaclio.exe C:\Windows\SysWOW64\Abfdpfaj.exe
PID 1840 wrote to memory of 4928 N/A C:\Windows\SysWOW64\Abfdpfaj.exe C:\Windows\SysWOW64\Amkhmoap.exe
PID 1840 wrote to memory of 4928 N/A C:\Windows\SysWOW64\Abfdpfaj.exe C:\Windows\SysWOW64\Amkhmoap.exe
PID 1840 wrote to memory of 4928 N/A C:\Windows\SysWOW64\Abfdpfaj.exe C:\Windows\SysWOW64\Amkhmoap.exe
PID 4928 wrote to memory of 628 N/A C:\Windows\SysWOW64\Amkhmoap.exe C:\Windows\SysWOW64\Ampaho32.exe
PID 4928 wrote to memory of 628 N/A C:\Windows\SysWOW64\Amkhmoap.exe C:\Windows\SysWOW64\Ampaho32.exe
PID 4928 wrote to memory of 628 N/A C:\Windows\SysWOW64\Amkhmoap.exe C:\Windows\SysWOW64\Ampaho32.exe
PID 628 wrote to memory of 4492 N/A C:\Windows\SysWOW64\Ampaho32.exe C:\Windows\SysWOW64\Bdlfjh32.exe
PID 628 wrote to memory of 4492 N/A C:\Windows\SysWOW64\Ampaho32.exe C:\Windows\SysWOW64\Bdlfjh32.exe
PID 628 wrote to memory of 4492 N/A C:\Windows\SysWOW64\Ampaho32.exe C:\Windows\SysWOW64\Bdlfjh32.exe
PID 4492 wrote to memory of 5104 N/A C:\Windows\SysWOW64\Bdlfjh32.exe C:\Windows\SysWOW64\Bdocph32.exe
PID 4492 wrote to memory of 5104 N/A C:\Windows\SysWOW64\Bdlfjh32.exe C:\Windows\SysWOW64\Bdocph32.exe
PID 4492 wrote to memory of 5104 N/A C:\Windows\SysWOW64\Bdlfjh32.exe C:\Windows\SysWOW64\Bdocph32.exe
PID 5104 wrote to memory of 5052 N/A C:\Windows\SysWOW64\Bdocph32.exe C:\Windows\SysWOW64\Bfolacnc.exe
PID 5104 wrote to memory of 5052 N/A C:\Windows\SysWOW64\Bdocph32.exe C:\Windows\SysWOW64\Bfolacnc.exe
PID 5104 wrote to memory of 5052 N/A C:\Windows\SysWOW64\Bdocph32.exe C:\Windows\SysWOW64\Bfolacnc.exe
PID 5052 wrote to memory of 4020 N/A C:\Windows\SysWOW64\Bfolacnc.exe C:\Windows\SysWOW64\Bfaigclq.exe
PID 5052 wrote to memory of 4020 N/A C:\Windows\SysWOW64\Bfolacnc.exe C:\Windows\SysWOW64\Bfaigclq.exe
PID 5052 wrote to memory of 4020 N/A C:\Windows\SysWOW64\Bfolacnc.exe C:\Windows\SysWOW64\Bfaigclq.exe
PID 4020 wrote to memory of 1436 N/A C:\Windows\SysWOW64\Bfaigclq.exe C:\Windows\SysWOW64\Cgfbbb32.exe
PID 4020 wrote to memory of 1436 N/A C:\Windows\SysWOW64\Bfaigclq.exe C:\Windows\SysWOW64\Cgfbbb32.exe
PID 4020 wrote to memory of 1436 N/A C:\Windows\SysWOW64\Bfaigclq.exe C:\Windows\SysWOW64\Cgfbbb32.exe
PID 1436 wrote to memory of 608 N/A C:\Windows\SysWOW64\Cgfbbb32.exe C:\Windows\SysWOW64\Cigkdmel.exe
PID 1436 wrote to memory of 608 N/A C:\Windows\SysWOW64\Cgfbbb32.exe C:\Windows\SysWOW64\Cigkdmel.exe
PID 1436 wrote to memory of 608 N/A C:\Windows\SysWOW64\Cgfbbb32.exe C:\Windows\SysWOW64\Cigkdmel.exe
PID 608 wrote to memory of 1392 N/A C:\Windows\SysWOW64\Cigkdmel.exe C:\Windows\SysWOW64\Ciihjmcj.exe
PID 608 wrote to memory of 1392 N/A C:\Windows\SysWOW64\Cigkdmel.exe C:\Windows\SysWOW64\Ciihjmcj.exe
PID 608 wrote to memory of 1392 N/A C:\Windows\SysWOW64\Cigkdmel.exe C:\Windows\SysWOW64\Ciihjmcj.exe
PID 1392 wrote to memory of 1324 N/A C:\Windows\SysWOW64\Ciihjmcj.exe C:\Windows\SysWOW64\Cildom32.exe
PID 1392 wrote to memory of 1324 N/A C:\Windows\SysWOW64\Ciihjmcj.exe C:\Windows\SysWOW64\Cildom32.exe
PID 1392 wrote to memory of 1324 N/A C:\Windows\SysWOW64\Ciihjmcj.exe C:\Windows\SysWOW64\Cildom32.exe
PID 1324 wrote to memory of 3112 N/A C:\Windows\SysWOW64\Cildom32.exe C:\Windows\SysWOW64\Cpfmlghd.exe
PID 1324 wrote to memory of 3112 N/A C:\Windows\SysWOW64\Cildom32.exe C:\Windows\SysWOW64\Cpfmlghd.exe
PID 1324 wrote to memory of 3112 N/A C:\Windows\SysWOW64\Cildom32.exe C:\Windows\SysWOW64\Cpfmlghd.exe
PID 3112 wrote to memory of 3808 N/A C:\Windows\SysWOW64\Cpfmlghd.exe C:\Windows\SysWOW64\Dgbanq32.exe
PID 3112 wrote to memory of 3808 N/A C:\Windows\SysWOW64\Cpfmlghd.exe C:\Windows\SysWOW64\Dgbanq32.exe
PID 3112 wrote to memory of 3808 N/A C:\Windows\SysWOW64\Cpfmlghd.exe C:\Windows\SysWOW64\Dgbanq32.exe
PID 3808 wrote to memory of 2356 N/A C:\Windows\SysWOW64\Dgbanq32.exe C:\Windows\SysWOW64\Dickplko.exe
PID 3808 wrote to memory of 2356 N/A C:\Windows\SysWOW64\Dgbanq32.exe C:\Windows\SysWOW64\Dickplko.exe
PID 3808 wrote to memory of 2356 N/A C:\Windows\SysWOW64\Dgbanq32.exe C:\Windows\SysWOW64\Dickplko.exe
PID 2356 wrote to memory of 3088 N/A C:\Windows\SysWOW64\Dickplko.exe C:\Windows\SysWOW64\Dkbgjo32.exe
PID 2356 wrote to memory of 3088 N/A C:\Windows\SysWOW64\Dickplko.exe C:\Windows\SysWOW64\Dkbgjo32.exe
PID 2356 wrote to memory of 3088 N/A C:\Windows\SysWOW64\Dickplko.exe C:\Windows\SysWOW64\Dkbgjo32.exe
PID 3088 wrote to memory of 3864 N/A C:\Windows\SysWOW64\Dkbgjo32.exe C:\Windows\SysWOW64\Ddklbd32.exe
PID 3088 wrote to memory of 3864 N/A C:\Windows\SysWOW64\Dkbgjo32.exe C:\Windows\SysWOW64\Ddklbd32.exe
PID 3088 wrote to memory of 3864 N/A C:\Windows\SysWOW64\Dkbgjo32.exe C:\Windows\SysWOW64\Ddklbd32.exe
PID 3864 wrote to memory of 1428 N/A C:\Windows\SysWOW64\Ddklbd32.exe C:\Windows\SysWOW64\Dncpkjoc.exe
PID 3864 wrote to memory of 1428 N/A C:\Windows\SysWOW64\Ddklbd32.exe C:\Windows\SysWOW64\Dncpkjoc.exe
PID 3864 wrote to memory of 1428 N/A C:\Windows\SysWOW64\Ddklbd32.exe C:\Windows\SysWOW64\Dncpkjoc.exe
PID 1428 wrote to memory of 4284 N/A C:\Windows\SysWOW64\Dncpkjoc.exe C:\Windows\SysWOW64\Epffbd32.exe
PID 1428 wrote to memory of 4284 N/A C:\Windows\SysWOW64\Dncpkjoc.exe C:\Windows\SysWOW64\Epffbd32.exe
PID 1428 wrote to memory of 4284 N/A C:\Windows\SysWOW64\Dncpkjoc.exe C:\Windows\SysWOW64\Epffbd32.exe
PID 4284 wrote to memory of 4028 N/A C:\Windows\SysWOW64\Epffbd32.exe C:\Windows\SysWOW64\Ejojljqa.exe
PID 4284 wrote to memory of 4028 N/A C:\Windows\SysWOW64\Epffbd32.exe C:\Windows\SysWOW64\Ejojljqa.exe
PID 4284 wrote to memory of 4028 N/A C:\Windows\SysWOW64\Epffbd32.exe C:\Windows\SysWOW64\Ejojljqa.exe
PID 4028 wrote to memory of 1028 N/A C:\Windows\SysWOW64\Ejojljqa.exe C:\Windows\SysWOW64\Eddnic32.exe
PID 4028 wrote to memory of 1028 N/A C:\Windows\SysWOW64\Ejojljqa.exe C:\Windows\SysWOW64\Eddnic32.exe
PID 4028 wrote to memory of 1028 N/A C:\Windows\SysWOW64\Ejojljqa.exe C:\Windows\SysWOW64\Eddnic32.exe
PID 1028 wrote to memory of 4656 N/A C:\Windows\SysWOW64\Eddnic32.exe C:\Windows\SysWOW64\Enlcahgh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Qppaclio.exe

C:\Windows\system32\Qppaclio.exe

C:\Windows\SysWOW64\Abfdpfaj.exe

C:\Windows\system32\Abfdpfaj.exe

C:\Windows\SysWOW64\Amkhmoap.exe

C:\Windows\system32\Amkhmoap.exe

C:\Windows\SysWOW64\Ampaho32.exe

C:\Windows\system32\Ampaho32.exe

C:\Windows\SysWOW64\Bdlfjh32.exe

C:\Windows\system32\Bdlfjh32.exe

C:\Windows\SysWOW64\Bdocph32.exe

C:\Windows\system32\Bdocph32.exe

C:\Windows\SysWOW64\Bfolacnc.exe

C:\Windows\system32\Bfolacnc.exe

C:\Windows\SysWOW64\Bfaigclq.exe

C:\Windows\system32\Bfaigclq.exe

C:\Windows\SysWOW64\Cgfbbb32.exe

C:\Windows\system32\Cgfbbb32.exe

C:\Windows\SysWOW64\Cigkdmel.exe

C:\Windows\system32\Cigkdmel.exe

C:\Windows\SysWOW64\Ciihjmcj.exe

C:\Windows\system32\Ciihjmcj.exe

C:\Windows\SysWOW64\Cildom32.exe

C:\Windows\system32\Cildom32.exe

C:\Windows\SysWOW64\Cpfmlghd.exe

C:\Windows\system32\Cpfmlghd.exe

C:\Windows\SysWOW64\Dgbanq32.exe

C:\Windows\system32\Dgbanq32.exe

C:\Windows\SysWOW64\Dickplko.exe

C:\Windows\system32\Dickplko.exe

C:\Windows\SysWOW64\Dkbgjo32.exe

C:\Windows\system32\Dkbgjo32.exe

C:\Windows\SysWOW64\Ddklbd32.exe

C:\Windows\system32\Ddklbd32.exe

C:\Windows\SysWOW64\Dncpkjoc.exe

C:\Windows\system32\Dncpkjoc.exe

C:\Windows\SysWOW64\Epffbd32.exe

C:\Windows\system32\Epffbd32.exe

C:\Windows\SysWOW64\Ejojljqa.exe

C:\Windows\system32\Ejojljqa.exe

C:\Windows\SysWOW64\Eddnic32.exe

C:\Windows\system32\Eddnic32.exe

C:\Windows\SysWOW64\Enlcahgh.exe

C:\Windows\system32\Enlcahgh.exe

C:\Windows\SysWOW64\Egegjn32.exe

C:\Windows\system32\Egegjn32.exe

C:\Windows\SysWOW64\Fkcpql32.exe

C:\Windows\system32\Fkcpql32.exe

C:\Windows\SysWOW64\Fkemfl32.exe

C:\Windows\system32\Fkemfl32.exe

C:\Windows\SysWOW64\Fqbeoc32.exe

C:\Windows\system32\Fqbeoc32.exe

C:\Windows\SysWOW64\Fcbnpnme.exe

C:\Windows\system32\Fcbnpnme.exe

C:\Windows\SysWOW64\Fnhbmgmk.exe

C:\Windows\system32\Fnhbmgmk.exe

C:\Windows\SysWOW64\Fgqgfl32.exe

C:\Windows\system32\Fgqgfl32.exe

C:\Windows\SysWOW64\Fbfkceca.exe

C:\Windows\system32\Fbfkceca.exe

C:\Windows\SysWOW64\Gnmlhf32.exe

C:\Windows\system32\Gnmlhf32.exe

C:\Windows\SysWOW64\Gjcmngnj.exe

C:\Windows\system32\Gjcmngnj.exe

C:\Windows\SysWOW64\Gbmadd32.exe

C:\Windows\system32\Gbmadd32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1060 -ip 1060

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1036 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 19.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 25.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 96.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 172.217.169.10:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 10.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 233.17.178.52.in-addr.arpa udp

Files

memory/4504-0-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Windows\SysWOW64\Qppaclio.exe

MD5 58b3cbf974da99dd9d8429ad13751f1a
SHA1 b7b571c361c3d02b500ecdf763759fb82abbdb83
SHA256 5dae33bfde7c40901901ba675244d9e69d3ccbc4fa61e8a3625a9b73accbb856
SHA512 9553889e769e98380eafab3b407e471b7f0bf27f7030db47a52fcf4958a18df8820595ff694dcb3b2b5d81eb98e754146b1a451519f7659d3def9f7e496b8340

memory/1232-7-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Windows\SysWOW64\Abfdpfaj.exe

MD5 b4e440314009ddd2dc77e6a67c90fecc
SHA1 5e3f74c7c6bb0d333443e246881bc695b8b14245
SHA256 1bbc8f39f6fb4e96142651019a65e5c91190675aa2fe6676007e599c60b1dcb4
SHA512 0acf52b25b8e609d4e501d9c69c417606f347c34402d19682765bee004b6b516f0dcb03f0524ed1d3cf1fe7c3568089978cd11d6d7df7b6e79153db8914a892e

memory/1840-16-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Windows\SysWOW64\Amkhmoap.exe

MD5 3bdfa343c72ab16c568020a2fffc0a00
SHA1 3ef72276398c3fe4252b6a5642a1ca056a08e23f
SHA256 15f2c3adc14654d450eb029f1d4d8521fad567170736b6a5dee1286508a688ad
SHA512 d7151a87a1e91e8cde9d07b4d7a38fdf4a6676d67d6bd6700af1fd796e817989ad95bc36f21a9c8990f964d6282299f45fc73db39c0379b59a46e6542f53d9cf

memory/4928-23-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Windows\SysWOW64\Ampaho32.exe

MD5 9cb055cb00f653415dfcc79e25487297
SHA1 befcf44e8a1da76664e0954c02f8275b87065e98
SHA256 21892b6a4c09ad4005d3a5cdb67810eaee8a914ad66195f1ca18a806847abc03
SHA512 4dc2a8e885bd02798d15c6aa59396de62514577a61972083be53d99dda973defe2908d44260efc372a6209b1c52ecdf37ee47ec7aecbc39f8b05ed894d1b6745

C:\Windows\SysWOW64\Ampaho32.exe

MD5 5a2d9352866182f09e103f3ac64c814b
SHA1 40d1cf91b96eeaab26f15fc927dc76253c5ff0e3
SHA256 24db638461d7299e99427dd72bce246c78afc0c870dd424cdcbc21a16aa1a279
SHA512 69b067c93734558eac3c4c30a314bb77fe4ddd94e6010ab362e6f1acd7a22ac888e066e97b8e6f223c6cf52213972a55892f1ae57c47331892be8ff520b8bbc7

memory/628-31-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Windows\SysWOW64\Deiljq32.dll

MD5 f622e74a46607f9613b48515810127cb
SHA1 0db1b2d71b94936b19b8f482921b027e737c30b9
SHA256 057a107763ea387dbc9040eb330be86bf056d1916d2152841368af1d364f5107
SHA512 a654a4b47fc060d9fa1733779c080bf682f762aa8ca35c08272e6f11d85a07f4315a5a002a7d9f21f6333bf8c47e2c9bdcf2082fda6329b76233dda760517cc2

C:\Windows\SysWOW64\Bdlfjh32.exe

MD5 335c743746a870980c39c602b7d73c48
SHA1 07188eb907e3330c8a45330a724f09d794cd7734
SHA256 37dd6a3dda38c10f090435295ed0e0f1358931e8a1b2b6f560ef25ef3d4cb2d8
SHA512 449c7c465e741bafc506faa628f1a1176bad6581e32612aac7ae37ab21ee3b2922dbb1238b34d4af8d969f2dc76879f9606f73368b7ca54316cde2fba1d64d71

memory/4492-40-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Windows\SysWOW64\Bdocph32.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Note: these four values are the well-known digests of a zero-byte file, so this entry records Bdocph32.exe as hashed before any content had been written to it (most likely the file was created and hashed before the dropper finished writing the next stage). Do not use them as indicators; the second Bdocph32.exe entry below carries the digests of the populated file.

memory/5104-47-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Windows\SysWOW64\Bdocph32.exe

MD5 fe11b9f7e8e15919f435b524256b32d5
SHA1 d7ebf70bd762bbfb33bd41d146918f8c7ffa7209
SHA256 e35b89960d5dfe4fcb6dd856a5a727549d150db0ada6aabe063d47facfa97a75
SHA512 aed44b4eda5aa85c9c5f2c5dcad93959b4724ced7908a6079da1a43c015dc007ab633683d4940c504e6c7309d7447771de7706790e5e3dcb19508a2d3f037064

C:\Windows\SysWOW64\Bfolacnc.exe

MD5 0ba2275b126149eb1868c7b2de84dc0f
SHA1 e7cc9f36cf927c3351fd90ed7f1805109941cb5b
SHA256 820ae4c226431eabbc55cf31b2fc8518b34266203ecd6172967453d19a14f874
SHA512 b85ea640ddb59b9b614a2209fa07ccab066fcabe42b119b3eeb48568068bea91f74074145db2b4e129e7d17fa39f7dad33edb0839691bc4d28b6ae9d38568120

memory/5052-56-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Windows\SysWOW64\Bfaigclq.exe

MD5 e078e72e2a72269617fe0676e8a29e07
SHA1 ea42f586d1c87678ce14ebe47525e2cca4135f71
SHA256 bddf141ad18968f665c3ce8e69c5b24c5834687d166ff5190b54f527fe30cef7
SHA512 c301a68cf3a5ff5a973df74ee127b6ce95c5ff971e2aed6153151c34b61bd2463723f8a80093d0aab85d1195a23bd14c9ff6d2422c4169ac0a4f78690414de8f

memory/4020-64-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Windows\SysWOW64\Cgfbbb32.exe

MD5 465bdc1e9a0c354e4594a23e048f133b
SHA1 50224c109dcc82187e458dd3284db26926e797f2
SHA256 816f4ba74b26ee53482acb2cc6c25061121170e8b682eab28c098b4e26787372
SHA512 f062125258da81d6fbdae7fa5be2238e41e1824f68d96ccbfab8d94c8525e2f80970ffeab32f49114a2482763b2d74e6f2bc952a4264e51860616a35d63ee0d3

memory/1436-71-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Windows\SysWOW64\Cigkdmel.exe

MD5 a6642bd4ad17823f338e76e2c695bb86
SHA1 737cd89b4cda77cde77cb41a84474a7eb79863cb
SHA256 4b77760d235fa548e2c05ac10fc1aac663f3cc3cfd443ba18c11cddb24ee8d20
SHA512 e3131174733a2013236c7ff1ef8f3faa583b6d1f484385c573248f3d362e1226bff379fc31f342eb2d99ef6642fac3e2495fb9b0a23584509c0678b61e4e6fe0

memory/608-79-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Windows\SysWOW64\Ciihjmcj.exe

MD5 f224b3504bc8467007ddda08f8b8f0bf
SHA1 223a5eb818684fb36217f4ed0aae4e14de78a3d3
SHA256 a23ee56510f74c8bcfc1842da10a5ce04972d180ffa4855b67ef0071202fdcf1
SHA512 2895f3e5f01e90e956b83b72fd3b3c221ea87aae584ce67a2231aae514029ecf75a3900aec2756c7af3ac8d029053991c52761d4f79650489203282795f6bf70

memory/1392-88-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Windows\SysWOW64\Cildom32.exe

MD5 3fd89b2221b5798ce47b022a9f07e107
SHA1 af339e3246db22b245b97ea4dc7fff5dfd9a15d9
SHA256 1f59bfc1a15800c98af54b6503cd5f4053f3d3439755fe4220fa73565e06240a
SHA512 47011f938955af64c20bbb5746452105501ca83df30c3e13d8e6ac17f82b9ba51848239706fea646aa246175893fea45865491336ec386b6b36aa2ab4db54b7c

memory/1324-95-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Windows\SysWOW64\Cpfmlghd.exe

MD5 2339a26657ad3d907d3d9a869e6be7f9
SHA1 58b9fe0aec8e9ef272237259f00e3f9e2728a41b
SHA256 1e748d0a28d8a41039a307d951860830924f7ff1f202248336ab08105fee845e
SHA512 6496b5ee9fa65747d0fd19b4b84dff7939729860306296b310085ccb47c75bf50c318e661d078210975be0d36427fda4632f51a71e282b70fed69bb77ab4da1f

memory/3112-103-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Windows\SysWOW64\Dgbanq32.exe

MD5 e5cae125fe6945f26ae09a9d00d7935f
SHA1 8556b41756d9621ae13b0982087c963c68913595
SHA256 eb34d9a5b87412eae44f9f0f2d06bc7aaad5a5622f834c776b21d2166f20fe75
SHA512 ca198b9f929bcdc5307c854e1211a556daf810d3bdc6e60519a65c922a3122dad9887ce1d8fb5a052c3381e309a8d5eddadac1bdec7b1b7b809999d4d2135578

memory/3808-111-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2356-120-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3088-128-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Windows\SysWOW64\Dkbgjo32.exe

MD5 8dc4f49e12ebd4a93bb409fb00816b10
SHA1 85420b23d3b62df996aa7e6f68c6c5dec6dfa9e8
SHA256 91ad2117e9a1beea91a0871b5df97b3891020b35005136821397a88ffbb14ba6
SHA512 5d4125f420d471be7daa3343b82712576de74cc2b233bcbd6d9c2da99062b0248e9cd3b5407bbc4406099e5e3bce58d8389d6225269f29d2fd5320a2131eba9e

C:\Windows\SysWOW64\Ddklbd32.exe

MD5 6b55a0789277eda79080a1e643c466d2
SHA1 30ce54c294f7de0e8399dcc4fbfdbace3cdff7ad
SHA256 f883dfb9e6f61f0e8b7ee2f8fb098938ae304f55198d06e9692423952ee15741
SHA512 409e7ecd624c943fc704b464fa3db1546d94a9316525c4911fd2fef5a129f278536293d88425677f4e30385fb65b2b8230aa6c36471cd8d290075fdaecbfeb80

memory/3864-136-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Windows\SysWOW64\Dickplko.exe

MD5 f1605299d972d1e540d0fab010094874
SHA1 cb61222a7e1381e3910429083ffc3ccd61182395
SHA256 3099c3f52f2f5e28e7111d0e8af1b90fe9186e3d80e0edca4a26575d2d41ba41
SHA512 1b0fb1799fad6f91dbdb49d29a4141ed6cef97797d06a651554e86eadd50f2b81e5a513a73f230e0639cfe6d8b6ff8fcfb28dc1dd27a4cadb8f556983f02399a

memory/1428-144-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Windows\SysWOW64\Epffbd32.exe

MD5 551eac8587c4dc3af32458fa82d10894
SHA1 a1e8a3c262a5a54978af22f882de094cbe62271c
SHA256 c8962b0b4968135e6a1d99776aa085114d3abbeb696a4b360b7ad69b183b218f
SHA512 a922ccb15e501ead9b2760e7847c9bc0fd719c9f008e2781009d148baf76d6ccbc439896ee4d10cdeb2b0b1133566c252b6640f44daab4722504a96d83e9199f

memory/4284-151-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Windows\SysWOW64\Ejojljqa.exe

MD5 18e15c29012dedfd1da9cd2bbc62f85a
SHA1 0671c2615e5783e2dd5c890d8997108d6e4de537
SHA256 512463faf1069d4b567222f8bfbb78ee802dee485572e45baebcd430acd9a385
SHA512 0c898d1a85cf280f0da2510ec0a7cab13892c5d2a617e31eab7ee35ba96946ea6f6eec8d693131b45470245f7e83b7f7e8818ae6125e04f8925df322c7fdba0f

C:\Windows\SysWOW64\Eddnic32.exe

MD5 22ed63a21661fc8bba1c62a3dca5c5fb
SHA1 7f068a27d3f9fd45da7b081e92064269bb9ae1f2
SHA256 72027f369b241a53679aa835ae99dcf3d63e9d3ea20831ebac42e2b6d011481c
SHA512 6ad522221469287236589a9fdb83f95c96294dc13659f37bd781d84167f9092208a8fef85410e190e11c6b0a41dbe7b7883c343241e41e87b1cb97accac375a4

C:\Windows\SysWOW64\Enlcahgh.exe

MD5 503f85a9716d6819986c84aab4b4f441
SHA1 9a392d62e625d8fd6730651cb53912cf0d750f56
SHA256 ebeee2cb9b162e41f1982e5ac6e55c2eab3847919a659d8326626ea865095282
SHA512 debdb514d406f1bad5ebc673f7146ef445feaab17a9387101e2512ebb08548fbe85efbe5e2123452d8d72831c7c827a2e7c919e756d3cec9040fd3ce21289b15

C:\Windows\SysWOW64\Egegjn32.exe

MD5 9699f1bf805a9048386c6113adefabdf
SHA1 46f3b77ba6aea8d441fdd199b21659420b38b8cc
SHA256 a97c253224a2534762f3249b28dd9329a3612b2c45fd7bae2829842a2c6b324c
SHA512 4978a2d584f371929d8941257cee7a4758803638a436020ebdf79f0e926406d78925a511a719c651717899ebef2a09d899dc099e5049531f942a026afba8f316

memory/4656-175-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4288-183-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Windows\SysWOW64\Egegjn32.exe

MD5 ff1c170fdf2db5cc85e1ed8c41602236
SHA1 4b98b009127cefd1ad922806770a2e7a89653b81
SHA256 d0ebb0a13a129c1e86b58a4c8fb3f59e4dcd04138e8f8df706ebcf032a79e3be
SHA512 51d5dc25dfaa3ddb14bd1724fe510d38a31d8737e4ff664947a1679be01ef9c96407ef70a189f235fbb749fcd449113490804f2da77b99f2fd6d47e9f17615f7

C:\Windows\SysWOW64\Fkcpql32.exe

MD5 54d126f377710b1a0fa9097efd3a352f
SHA1 8ae35307cfc45d39ac3cf6b291848ada1d970f6c
SHA256 ac30a01f5e7e6ad7d8560e8f2fae744d33e38c642bbab694fe52c2605f6a5e29
SHA512 f1de7b51dc60649cf159734d435a61120d0eb1197e7c042393b21bd5a79ea0e169d981404962ca2abae003f2ca6d8773267ccb97c2d8f8b58b92718c52307c39

C:\Windows\SysWOW64\Fkemfl32.exe

MD5 e6967be7c47e4b0890250c266c4691e0
SHA1 ee6574c53ee1c296cf72f652c7bda2679dc3c31f
SHA256 842024a15e2727ce53b2092374b48d32c448a6ecc60a15e001700575736698d2
SHA512 0196ff71769a84250e302ee893f4a02b0655b7cdbcc190f8922f12c44ecb4d61b1363fa1331b08939e006d0ee410c51fd3cb13d1ef074520c303050826a2373a

memory/3372-200-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4472-192-0x0000000000400000-0x0000000000436000-memory.dmp

memory/5016-208-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Windows\SysWOW64\Fcbnpnme.exe

MD5 deef524f451184a6d9a4ece1b7223e80
SHA1 a5668f4064f371f01f2f3f6e45a2d5c4591a2ed9
SHA256 4bf3250016e08a79be2b3f984bb9bd033acab68bee74a5592bec72035b5e9f6a
SHA512 c8d495951c17d1d12f69b0ac8ae54524a6db0113874d208ede29343330154ba78b48033f5ca9d479a37fc2f8c552b6d75eeccb875cdc4799affbbdd79fe33631

C:\Windows\SysWOW64\Fnhbmgmk.exe

MD5 af3fa08f4a3503a67029f6abb8281281
SHA1 df3eac7bc4a3af95dcbde1bab77158e35e0c4d9b
SHA256 442a9d2073a9f22e595555980cc0904c2ac35125703e9fb1d467ab4e79c44686
SHA512 8fc9380f2e26b90c211de29d567181625b00f3260ce8ed5954af109d3339e3a84c531b1acb86f44c3af0c8b63324c6400729e00337abdf5229c12a6723e94be5

C:\Windows\SysWOW64\Fnhbmgmk.exe

MD5 ca0090d1004d73e8cf7991dd253d2e71
SHA1 748b48d61d234dee3239cf689a18e10089fcbb02
SHA256 0017052ab8096c6edf121332d2db40f8cb8ff3a3f627d8142149a898e9b0ca98
SHA512 2447e31792722ffd9fd4abfea96bffa168dfcc9b813d7df3811c7c65cb54cf51ad6aa52b1cb173845f1398fe20a29e99b7fe589f90f77b961ad5995639a60a21

C:\Windows\SysWOW64\Fgqgfl32.exe

MD5 f388446a293936bafe5c0c27e401836c
SHA1 4385eccc10101a9c3026741208c8eb72341b50cf
SHA256 d70e959c584cdf9eb5b97425552a2e86a2301411a88551fcd7a60bc491d420cf
SHA512 fe67b181d0f503297455b78365c6da651f7211181e64a2f2f48f546993956c388844c3f0b7c4c441d2381e7e85175747e8ecf6c34836ee03df4eb575fcef2c34

C:\Windows\SysWOW64\Fbfkceca.exe

MD5 54ba62f0ed28da6aa12e315a8fe599d8
SHA1 d58d8a65a7226c75b5a31f24f37d2074d219fb07
SHA256 1a66da8d84d7d1c14648e7ea20495097a707305fecfb1eb9ba559a5b91088ee2
SHA512 dffaa576826a4a5547e4037c3729e957edf9b66f25130bb5b0c56ac31566d38c59c80aaa3072a17b5916dedabc004f757b465994fd96ac7e327ea979fd331195

memory/1220-240-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4712-248-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Windows\SysWOW64\Gjcmngnj.exe

MD5 4b28066494cd84142a3d5ee87e963fdb
SHA1 86b01756f4406207db465b53751a863c9d210aa4
SHA256 7a657a91dbb5bad48cde9c2b12a7a22ea4a2b8251ec5b9341ebb1ac82030a02b
SHA512 bee98441f24224adf8047ca12deed72dc2c550015e7efd9a253b1605f3ccbaab3a118521e056561ad74300510be69c27253d5cf97aa10db3bda60386f657aa26

C:\Windows\SysWOW64\Gnmlhf32.exe

MD5 c81ff76790ca8e96791ef8c8e2f0c168
SHA1 6f844f0664b6f482e14c7776b1f6ed1fd415e420
SHA256 79f17d0825b83e5821b24be0b841b46f358181ea388802c15fe00455d8c153bb
SHA512 43a872b78cb6dee093f2ee34aed3969096e6693c361282bc8f9458f5157f3455ebe956ba3d191a5937bfc5aaac2a34eb9ac09034a44995031778eb97b78b2840

memory/1060-262-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Windows\SysWOW64\Gbmadd32.exe

MD5 d458a249dfe63a03400beb56515d3d12
SHA1 917997a0b96c92d5cc53dc89f0554567c1b48c3f
SHA256 87d47d718e954784f04d6199aeb368f6daa3310bf4b84ae2fd98ebbb06338fb8
SHA512 0a11431004d94da057deb0bec9bf307dc173c710de86df2b8d1b80d957029290d9d838167542cc2c63566cdd3d58c384a53e6aca294d78e0ee8398d46e81aafd

memory/2248-256-0x0000000000400000-0x0000000000436000-memory.dmp

memory/464-231-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4660-223-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4424-215-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Windows\SysWOW64\Fqbeoc32.exe

MD5 31765542b0d88a6d7e3d3d412fa2079d
SHA1 a259458cb430f4731b05ed923f415ba7e92c29d1
SHA256 49a3c0fe4b2ef275792d16805010bca3cc1b23be23c3ea090b1d35280b18a9ad
SHA512 63632ce5d03b643b0f859a2347e04df1c9310b89acaa71d83662ceec85e9aa525d1151023fa698af9ad50c38fd7261c725fbe83907bc7e33075f29a48aa78ba1

memory/1028-167-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4028-160-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Windows\SysWOW64\Dncpkjoc.exe

MD5 082172615621fa5fbd6f5069ee0d335d
SHA1 abbae9e2e70ba1abdeab6dd5413ce9535b60d6f2
SHA256 92edf3642b23ea3059bed628674bde2b0e3420d75e837f428af4c6b63b3f16f1
SHA512 8213d422374065c9e86ac36706affa3580609b5796e9d221e86117cd53cfe1b8dd0f1c72685ace3eaa41caa30c5ab18642ddc24db6a2f8c5319a5b992d3d210e

memory/4660-268-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4424-269-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1028-275-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1428-278-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1392-284-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1840-294-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4504-296-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4928-293-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1232-295-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4492-292-0x0000000000400000-0x0000000000436000-memory.dmp

memory/628-291-0x0000000000400000-0x0000000000436000-memory.dmp

memory/5104-290-0x0000000000400000-0x0000000000436000-memory.dmp

memory/5052-289-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4020-288-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1436-287-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1324-286-0x0000000000400000-0x0000000000436000-memory.dmp

memory/608-285-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3112-283-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3808-282-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3864-281-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2356-280-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3088-279-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4284-277-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4028-276-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4656-274-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4288-273-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4472-272-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3372-271-0x0000000000400000-0x0000000000436000-memory.dmp

memory/5016-270-0x0000000000400000-0x0000000000436000-memory.dmp

memory/464-267-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1220-266-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4712-265-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2248-264-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1060-263-0x0000000000400000-0x0000000000436000-memory.dmp
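The Files listing above is raw sandbox output: one path per dropped stage, four digests per file, and a memory dump per process, every dump covering the same 0x400000-0x436000 image. Several paths (Ampaho32.exe, Bdocph32.exe, Egegjn32.exe, Fnhbmgmk.exe) appear twice with different digests, meaning the file was written more than once during the run, and one Bdocph32.exe entry carries the digests of an empty file. The block below is an added example, not part of this report or of the sandbox's own tooling: it parses that listing into records, flags empty-file entries and rewritten paths, checks that every memory dump is the same image mapping, and collects the unique SHA256 values suitable for a blocklist. The embedded sample is an excerpt copied from this section; the class and function names are my own.

```python
"""Parse a sandbox report's dropped-file list into IOC records.

Added example; not the report's or the sandbox's own code. SAMPLE is an
excerpt copied from the report's Files section.
"""
import hashlib
import re
from dataclasses import dataclass, field

# Digests of a zero-byte input. An entry carrying exactly these values was
# hashed before the dropper wrote any content into the file.
EMPTY_DIGESTS = {
    "md5": hashlib.md5(b"").hexdigest(),
    "sha1": hashlib.sha1(b"").hexdigest(),
    "sha256": hashlib.sha256(b"").hexdigest(),
    "sha512": hashlib.sha512(b"").hexdigest(),
}

# memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
MEM_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")


@dataclass
class DroppedFile:
    path: str
    digests: dict = field(default_factory=dict)

    @property
    def is_empty(self) -> bool:
        """True when every recorded digest is the zero-byte digest."""
        return bool(self.digests) and all(
            self.digests.get(k) == v
            for k, v in EMPTY_DIGESTS.items() if k in self.digests)


@dataclass
class MemoryDump:
    pid: int
    index: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_files_section(text: str):
    """Return (files, dumps) from the plain-text Files listing.

    A path line opens a file record; the MD5/SHA1/SHA256/SHA512 lines that
    follow attach to it; memory/... lines become MemoryDump records.
    """
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            current = None
            dumps.append(MemoryDump(int(m[1]), int(m[2]),
                                    int(m[3], 16), int(m[4], 16)))
            continue
        m = HASH_RE.match(line)
        if m:
            if current is not None:
                current.digests[m[1].lower()] = m[2]
            continue
        current = DroppedFile(line)
        files.append(current)
    return files, dumps


def empty_entries(files):
    """Paths whose digests are the zero-byte digests (not usable as IOCs)."""
    return [f.path for f in files if f.is_empty]


def rewritten_paths(files):
    """Paths recorded with more than one distinct SHA256 during the run."""
    seen = {}
    for f in files:
        seen.setdefault(f.path, set()).add(f.digests.get("sha256"))
    return sorted(p for p, s in seen.items() if len(s - {None}) > 1)


def image_ranges(dumps):
    """Distinct (base, size) pairs of the dumped images; a single pair means
    every stage is the same-size binary mapped at the same base."""
    return sorted({(d.start, d.size) for d in dumps})


def ioc_sha256(files):
    """Unique SHA256 values for a blocklist, minus the empty-file digest."""
    return sorted({f.digests["sha256"] for f in files
                   if "sha256" in f.digests and not f.is_empty})


# Constructed input: an excerpt of this report's own Files section.
SAMPLE = r"""memory/4504-0-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Windows\SysWOW64\Qppaclio.exe

MD5 58b3cbf974da99dd9d8429ad13751f1a
SHA1 b7b571c361c3d02b500ecdf763759fb82abbdb83
SHA256 5dae33bfde7c40901901ba675244d9e69d3ccbc4fa61e8a3625a9b73accbb856
SHA512 9553889e769e98380eafab3b407e471b7f0bf27f7030db47a52fcf4958a18df8820595ff694dcb3b2b5d81eb98e754146b1a451519f7659d3def9f7e496b8340

memory/4492-40-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Windows\SysWOW64\Bdocph32.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/5104-47-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Windows\SysWOW64\Bdocph32.exe

MD5 fe11b9f7e8e15919f435b524256b32d5
SHA1 d7ebf70bd762bbfb33bd41d146918f8c7ffa7209
SHA256 e35b89960d5dfe4fcb6dd856a5a727549d150db0ada6aabe063d47facfa97a75
SHA512 aed44b4eda5aa85c9c5f2c5dcad93959b4724ced7908a6079da1a43c015dc007ab633683d4940c504e6c7309d7447771de7706790e5e3dcb19508a2d3f037064
"""

if __name__ == "__main__":
    files, dumps = parse_files_section(SAMPLE)
    print("empty entries:", empty_entries(files))
    print("rewritten paths:", rewritten_paths(files))
    print("image ranges:", [(hex(b), hex(s)) for b, s in image_ranges(dumps)])
    print("sha256 IOCs:", ioc_sha256(files))
```

Run against the full Files section of a report of this kind, the script yields the blocklist hashes with the empty-file digest already dropped, and the single (0x400000, 0x36000) image range confirms that every dropped stage is the same binary re-dropped under a new name, which is what the per-process dumps above show.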