Analysis Overview
SHA256
652245e435118aa1cf279ec10811a7d8de742ad17df62d116af11708569f2c15
Threat Level: Known bad
The file 5d6e9ecebaa07acfd4221c417a3534c0_NeikiAnalytics.exe was classified as Known bad. The behavioral run shows a Berbew dropper chain: each dropped executable in C:\Windows\SysWOW64 writes the next generation plus a companion DLL, registers that DLL as the InProcServer32 of CLSID {79FEACFF-FFCE-815E-A900-316290B5B738}, and points the ShellServiceObjectDelayLoad (SSODL) value "Web Event Logger" at that CLSID so that Explorer.exe loads the DLL at every logon.
Malicious Activity Summary
Berbew family
Malware Dropper & Backdoor - Berbew
Adds autorun key to be loaded by Explorer.exe on startup
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Program crash
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-22 23:58
Signatures
Berbew family
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 23:58
Reported
2024-05-23 00:01
Platform
win7-20240221-en
Max time kernel
122s
Max time network
124s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gaemjbcg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hcifgjgc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hkpnhgge.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hckcmjep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hpocfncj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hkkalk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ihoafpmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Iknnbklc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hgbebiao.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hjhhocjj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gejcjbah.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gmjaic32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hahjpbad.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hjhhocjj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hiekid32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hgilchkf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gaqcoc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Geolea32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hcplhi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hogmmjfo.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gkihhhnm.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hgbebiao.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hpkjko32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hlakpp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hobcak32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hogmmjfo.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gicbeald.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gaemjbcg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hckcmjep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hgilchkf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Users\Admin\AppData\Local\Temp\5d6e9ecebaa07acfd4221c417a3534c0_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Geolea32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gmjaic32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hahjpbad.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hcifgjgc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hlfdkoin.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hcplhi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gkgkbipp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hlakpp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hggomh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hlfdkoin.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hhmepp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Iknnbklc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Users\Admin\AppData\Local\Temp\5d6e9ecebaa07acfd4221c417a3534c0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ghmiam32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Iaeiieeb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gejcjbah.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gaqcoc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gkkemh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hpkjko32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hpocfncj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gkihhhnm.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hkpnhgge.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hkkalk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gicbeald.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gkgkbipp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gmgdddmq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gmgdddmq.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ghmiam32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gkkemh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hggomh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hhmepp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Iaeiieeb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ihoafpmp.exe | N/A |
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Ldahol32.dll | C:\Windows\SysWOW64\Gicbeald.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gaqcoc32.exe | C:\Windows\SysWOW64\Gkgkbipp.exe | N/A |
| File created | C:\Windows\SysWOW64\Hggomh32.exe | C:\Windows\SysWOW64\Hckcmjep.exe | N/A |
| File created | C:\Windows\SysWOW64\Amammd32.dll | C:\Windows\SysWOW64\Iaeiieeb.exe | N/A |
| File created | C:\Windows\SysWOW64\Iagfoe32.exe | C:\Windows\SysWOW64\Iknnbklc.exe | N/A |
| File created | C:\Windows\SysWOW64\Hnempl32.dll | C:\Windows\SysWOW64\Geolea32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hgbebiao.exe | C:\Windows\SysWOW64\Gaemjbcg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Iknnbklc.exe | C:\Windows\SysWOW64\Ihoafpmp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hcifgjgc.exe | C:\Windows\SysWOW64\Hpkjko32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hiekid32.exe | C:\Windows\SysWOW64\Hggomh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hcplhi32.exe | C:\Windows\SysWOW64\Hlfdkoin.exe | N/A |
| File created | C:\Windows\SysWOW64\Hkpnhgge.exe | C:\Windows\SysWOW64\Hcifgjgc.exe | N/A |
| File created | C:\Windows\SysWOW64\Hgilchkf.exe | C:\Windows\SysWOW64\Hobcak32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kcaipkch.dll | C:\Windows\SysWOW64\Ghmiam32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hlakpp32.exe | C:\Windows\SysWOW64\Hkpnhgge.exe | N/A |
| File created | C:\Windows\SysWOW64\Hciofb32.dll | C:\Windows\SysWOW64\Hiekid32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ihoafpmp.exe | C:\Windows\SysWOW64\Iaeiieeb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Geolea32.exe | C:\Windows\SysWOW64\Gmgdddmq.exe | N/A |
| File created | C:\Windows\SysWOW64\Pffgja32.dll | C:\Windows\SysWOW64\Hcifgjgc.exe | N/A |
| File created | C:\Windows\SysWOW64\Hjhhocjj.exe | C:\Windows\SysWOW64\Hgilchkf.exe | N/A |
| File created | C:\Windows\SysWOW64\Kleiio32.dll | C:\Users\Admin\AppData\Local\Temp\5d6e9ecebaa07acfd4221c417a3534c0_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gkkemh32.exe | C:\Windows\SysWOW64\Ghmiam32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ahcocb32.dll | C:\Windows\SysWOW64\Gaqcoc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gknfklng.dll | C:\Windows\SysWOW64\Hggomh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nokeef32.dll | C:\Windows\SysWOW64\Hpocfncj.exe | N/A |
| File created | C:\Windows\SysWOW64\Hkkalk32.exe | C:\Windows\SysWOW64\Hhmepp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hahjpbad.exe | C:\Windows\SysWOW64\Hgbebiao.exe | N/A |
| File created | C:\Windows\SysWOW64\Cabknqko.dll | C:\Windows\SysWOW64\Hlakpp32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hlfdkoin.exe | C:\Windows\SysWOW64\Hjhhocjj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hiekid32.exe | C:\Windows\SysWOW64\Hggomh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gaqcoc32.exe | C:\Windows\SysWOW64\Gkgkbipp.exe | N/A |
| File created | C:\Windows\SysWOW64\Fndldonj.dll | C:\Windows\SysWOW64\Gkgkbipp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gmjaic32.exe | C:\Windows\SysWOW64\Gkkemh32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hcplhi32.exe | C:\Windows\SysWOW64\Hlfdkoin.exe | N/A |
| File created | C:\Windows\SysWOW64\Ojhcelga.dll | C:\Windows\SysWOW64\Hkkalk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Iaeiieeb.exe | C:\Windows\SysWOW64\Hogmmjfo.exe | N/A |
| File created | C:\Windows\SysWOW64\Bhpdae32.dll | C:\Windows\SysWOW64\Hckcmjep.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hjhhocjj.exe | C:\Windows\SysWOW64\Hgilchkf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ghmiam32.exe | C:\Windows\SysWOW64\Geolea32.exe | N/A |
| File created | C:\Windows\SysWOW64\Oiogaqdb.dll | C:\Windows\SysWOW64\Hjhhocjj.exe | N/A |
| File created | C:\Windows\SysWOW64\Hpkjko32.exe | C:\Windows\SysWOW64\Hahjpbad.exe | N/A |
| File created | C:\Windows\SysWOW64\Hcifgjgc.exe | C:\Windows\SysWOW64\Hpkjko32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gaemjbcg.exe | C:\Windows\SysWOW64\Gmjaic32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hahjpbad.exe | C:\Windows\SysWOW64\Hgbebiao.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hpkjko32.exe | C:\Windows\SysWOW64\Hahjpbad.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hkpnhgge.exe | C:\Windows\SysWOW64\Hcifgjgc.exe | N/A |
| File created | C:\Windows\SysWOW64\Hpocfncj.exe | C:\Windows\SysWOW64\Hiekid32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gjenmobn.dll | C:\Windows\SysWOW64\Iknnbklc.exe | N/A |
| File created | C:\Windows\SysWOW64\Geolea32.exe | C:\Windows\SysWOW64\Gmgdddmq.exe | N/A |
| File created | C:\Windows\SysWOW64\Ghmiam32.exe | C:\Windows\SysWOW64\Geolea32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gkkemh32.exe | C:\Windows\SysWOW64\Ghmiam32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fenhecef.dll | C:\Windows\SysWOW64\Hgilchkf.exe | N/A |
| File created | C:\Windows\SysWOW64\Gejcjbah.exe | C:\Windows\SysWOW64\Gicbeald.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gkihhhnm.exe | C:\Windows\SysWOW64\Gaqcoc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hgbebiao.exe | C:\Windows\SysWOW64\Gaemjbcg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hckcmjep.exe | C:\Windows\SysWOW64\Hlakpp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nbniiffi.dll | C:\Windows\SysWOW64\Hobcak32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Iagfoe32.exe | C:\Windows\SysWOW64\Iknnbklc.exe | N/A |
| File created | C:\Windows\SysWOW64\Njmekj32.dll | C:\Windows\SysWOW64\Hgbebiao.exe | N/A |
| File created | C:\Windows\SysWOW64\Fealjk32.dll | C:\Windows\SysWOW64\Hpkjko32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hlfdkoin.exe | C:\Windows\SysWOW64\Hjhhocjj.exe | N/A |
| File created | C:\Windows\SysWOW64\Fpmkde32.dll | C:\Windows\SysWOW64\Gejcjbah.exe | N/A |
| File created | C:\Windows\SysWOW64\Hckcmjep.exe | C:\Windows\SysWOW64\Hlakpp32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hobcak32.exe | C:\Windows\SysWOW64\Hpocfncj.exe | N/A |
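The "Drops file" rows above are not listed in execution order, so the generation-by-generation chain (which executable wrote which) is hard to read off the table. The following added example, written for this page and not code from the sandbox or from the sample, reconstructs it: it parses a constructed subset of the rows in the report's own pipe-table format, builds a writer-to-written graph, identifies the roots (the submitted sample plus any generation whose creator row is absent from the truncated table), and walks the single-successor chain from each root. Function names such as `build_drop_graph` and `walk_chain` are this example's own.

```python
"""Reconstruct the Berbew drop chain from the report's file-event rows.

Added example for this page; not code from the sandbox or from the sample.
FILE_EVENTS is a constructed subset of the "Drops file in System32 directory"
table, kept in the report's own pipe-table format
(Description | Indicator | Process | Target).
"""
from collections import defaultdict

# Constructed subset of the page's rows (same cells as on the page).
FILE_EVENTS = r"""
| File created | C:\Windows\SysWOW64\Kleiio32.dll | C:\Users\Admin\AppData\Local\Temp\5d6e9ecebaa07acfd4221c417a3534c0_NeikiAnalytics.exe | N/A |
| File created | C:\Windows\SysWOW64\Gejcjbah.exe | C:\Windows\SysWOW64\Gicbeald.exe | N/A |
| File created | C:\Windows\SysWOW64\Fpmkde32.dll | C:\Windows\SysWOW64\Gejcjbah.exe | N/A |
| File created | C:\Windows\SysWOW64\Geolea32.exe | C:\Windows\SysWOW64\Gmgdddmq.exe | N/A |
| File created | C:\Windows\SysWOW64\Ghmiam32.exe | C:\Windows\SysWOW64\Geolea32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gkkemh32.exe | C:\Windows\SysWOW64\Ghmiam32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gmjaic32.exe | C:\Windows\SysWOW64\Gkkemh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gaemjbcg.exe | C:\Windows\SysWOW64\Gmjaic32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hgbebiao.exe | C:\Windows\SysWOW64\Gaemjbcg.exe | N/A |
| File created | C:\Windows\SysWOW64\Njmekj32.dll | C:\Windows\SysWOW64\Hgbebiao.exe | N/A |
| File created | C:\Windows\SysWOW64\Hahjpbad.exe | C:\Windows\SysWOW64\Hgbebiao.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hahjpbad.exe | C:\Windows\SysWOW64\Hgbebiao.exe | N/A |
"""


def parse_rows(table):
    """Yield (description, indicator, process) from the report's pipe-table rows."""
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) >= 3 and cells[0] != "Description":
            yield cells[0], cells[1], cells[2]


def basename(path):
    """Last component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def build_drop_graph(table):
    """Return (children, dlls, writers): the executables and DLLs each process wrote."""
    children = defaultdict(list)   # writer -> executables it created or modified
    dlls = defaultdict(list)       # writer -> DLLs it created
    writers = set()
    for _desc, target, proc in parse_rows(table):
        parent, name = basename(proc), basename(target)
        writers.add(parent)
        low = name.lower()
        if low.endswith(".exe"):
            bucket = children
        elif low.endswith(".dll"):
            bucket = dlls
        else:
            continue
        if name not in bucket[parent]:     # "created" + "opened for modification" -> one edge
            bucket[parent].append(name)
    return children, dlls, writers


def find_roots(children, writers):
    """Writers nobody wrote: the submitted sample plus any generation whose
    creator row is missing from the (truncated) table."""
    written = {c for kids in children.values() for c in kids}
    return sorted(w for w in writers if w not in written)


def walk_chain(children, start):
    """Follow the one-successor chain from start; stop at a leaf, a fork or a cycle."""
    chain, seen = [start], {start}
    while True:
        nxt = children.get(chain[-1], [])
        if len(nxt) != 1 or nxt[0] in seen:
            return chain
        chain.append(nxt[0])
        seen.add(nxt[0])


def chain_report(table):
    """Map each root to the generation chain it starts."""
    children, _dlls, writers = build_drop_graph(table)
    return {root: walk_chain(children, root) for root in find_roots(children, writers)}


if __name__ == "__main__":
    children, dlls, writers = build_drop_graph(FILE_EVENTS)
    for root, chain in chain_report(FILE_EVENTS).items():
        print(f"root {root}: {len(chain)} generation(s)")
        for exe in chain:
            print(f"  {exe:<22} companion DLL: {', '.join(dlls.get(exe, [])) or '-'}")
```

Run against the full table, the roots other than the submitted sample mark exactly the places where the report's 64-row listing dropped a creator row; the leaf of the longest chain (Iagfoe32.exe on this page) is the newest generation and the binary most likely still running when the detonation timed out.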
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldahol32.dll" | C:\Windows\SysWOW64\Gicbeald.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Gkihhhnm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ghmiam32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Iaeiieeb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hiekid32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hcplhi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhaablp.dll" | C:\Windows\SysWOW64\Hcplhi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ihoafpmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Gmjaic32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmibbifn.dll" | C:\Windows\SysWOW64\Hogmmjfo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqpofkjo.dll" | C:\Windows\SysWOW64\Ihoafpmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hgilchkf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcaciakh.dll" | C:\Windows\SysWOW64\Gmjaic32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Gaemjbcg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hckcmjep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojhcelga.dll" | C:\Windows\SysWOW64\Hkkalk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahcocb32.dll" | C:\Windows\SysWOW64\Gaqcoc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lponfjoo.dll" | C:\Windows\SysWOW64\Hlfdkoin.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gejcjbah.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hobcak32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll" | C:\Windows\SysWOW64\Iknnbklc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hogmmjfo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gkihhhnm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hcifgjgc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cabknqko.dll" | C:\Windows\SysWOW64\Hlakpp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gicbeald.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | C:\Users\Admin\AppData\Local\Temp\5d6e9ecebaa07acfd4221c417a3534c0_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Gkgkbipp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hgbebiao.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hjhhocjj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fndldonj.dll" | C:\Windows\SysWOW64\Gkgkbipp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gmgdddmq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Geolea32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aimkgn32.dll" | C:\Windows\SysWOW64\Gkkemh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Iknnbklc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnkge32.dll" | C:\Windows\SysWOW64\Gmgdddmq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fealjk32.dll" | C:\Windows\SysWOW64\Hpkjko32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hggomh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenhecef.dll" | C:\Windows\SysWOW64\Hgilchkf.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Gaqcoc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hlakpp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hgilchkf.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hkkalk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Iaeiieeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnempl32.dll" | C:\Windows\SysWOW64\Geolea32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codpklfq.dll" | C:\Windows\SysWOW64\Hahjpbad.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gknfklng.dll" | C:\Windows\SysWOW64\Hggomh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hciofb32.dll" | C:\Windows\SysWOW64\Hiekid32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hlakpp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhpdae32.dll" | C:\Windows\SysWOW64\Hckcmjep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hiekid32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Iknnbklc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | C:\Users\Admin\AppData\Local\Temp\5d6e9ecebaa07acfd4221c417a3534c0_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Gmgdddmq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hcifgjgc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hckcmjep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hpocfncj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hcplhi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hhmepp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ghmiam32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hahjpbad.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hggomh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kleiio32.dll" | C:\Users\Admin\AppData\Local\Temp\5d6e9ecebaa07acfd4221c417a3534c0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpmkde32.dll" | C:\Windows\SysWOW64\Gejcjbah.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5d6e9ecebaa07acfd4221c417a3534c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5d6e9ecebaa07acfd4221c417a3534c0_NeikiAnalytics.exe"
C:\Windows\SysWOW64\Gicbeald.exe
C:\Windows\system32\Gicbeald.exe
C:\Windows\SysWOW64\Gejcjbah.exe
C:\Windows\system32\Gejcjbah.exe
C:\Windows\SysWOW64\Gkgkbipp.exe
C:\Windows\system32\Gkgkbipp.exe
C:\Windows\SysWOW64\Gaqcoc32.exe
C:\Windows\system32\Gaqcoc32.exe
C:\Windows\SysWOW64\Gkihhhnm.exe
C:\Windows\system32\Gkihhhnm.exe
C:\Windows\SysWOW64\Gmgdddmq.exe
C:\Windows\system32\Gmgdddmq.exe
C:\Windows\SysWOW64\Geolea32.exe
C:\Windows\system32\Geolea32.exe
C:\Windows\SysWOW64\Ghmiam32.exe
C:\Windows\system32\Ghmiam32.exe
C:\Windows\SysWOW64\Gkkemh32.exe
C:\Windows\system32\Gkkemh32.exe
C:\Windows\SysWOW64\Gmjaic32.exe
C:\Windows\system32\Gmjaic32.exe
C:\Windows\SysWOW64\Gaemjbcg.exe
C:\Windows\system32\Gaemjbcg.exe
C:\Windows\SysWOW64\Hgbebiao.exe
C:\Windows\system32\Hgbebiao.exe
C:\Windows\SysWOW64\Hahjpbad.exe
C:\Windows\system32\Hahjpbad.exe
C:\Windows\SysWOW64\Hpkjko32.exe
C:\Windows\system32\Hpkjko32.exe
C:\Windows\SysWOW64\Hcifgjgc.exe
C:\Windows\system32\Hcifgjgc.exe
C:\Windows\SysWOW64\Hkpnhgge.exe
C:\Windows\system32\Hkpnhgge.exe
C:\Windows\SysWOW64\Hlakpp32.exe
C:\Windows\system32\Hlakpp32.exe
C:\Windows\SysWOW64\Hckcmjep.exe
C:\Windows\system32\Hckcmjep.exe
C:\Windows\SysWOW64\Hggomh32.exe
C:\Windows\system32\Hggomh32.exe
C:\Windows\SysWOW64\Hiekid32.exe
C:\Windows\system32\Hiekid32.exe
C:\Windows\SysWOW64\Hpocfncj.exe
C:\Windows\system32\Hpocfncj.exe
C:\Windows\SysWOW64\Hobcak32.exe
C:\Windows\system32\Hobcak32.exe
C:\Windows\SysWOW64\Hgilchkf.exe
C:\Windows\system32\Hgilchkf.exe
C:\Windows\SysWOW64\Hjhhocjj.exe
C:\Windows\system32\Hjhhocjj.exe
C:\Windows\SysWOW64\Hlfdkoin.exe
C:\Windows\system32\Hlfdkoin.exe
C:\Windows\SysWOW64\Hcplhi32.exe
C:\Windows\system32\Hcplhi32.exe
C:\Windows\SysWOW64\Hhmepp32.exe
C:\Windows\system32\Hhmepp32.exe
C:\Windows\SysWOW64\Hkkalk32.exe
C:\Windows\system32\Hkkalk32.exe
C:\Windows\SysWOW64\Hogmmjfo.exe
C:\Windows\system32\Hogmmjfo.exe
C:\Windows\SysWOW64\Iaeiieeb.exe
C:\Windows\system32\Iaeiieeb.exe
C:\Windows\SysWOW64\Ihoafpmp.exe
C:\Windows\system32\Ihoafpmp.exe
C:\Windows\SysWOW64\Iknnbklc.exe
C:\Windows\system32\Iknnbklc.exe
C:\Windows\SysWOW64\Iagfoe32.exe
C:\Windows\system32\Iagfoe32.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 140
Network
Files
\Windows\SysWOW64\Gicbeald.exe
\Windows\SysWOW64\Gejcjbah.exe
C:\Windows\SysWOW64\Gkgkbipp.exe
\Windows\SysWOW64\Gaqcoc32.exe
\Windows\SysWOW64\Gkihhhnm.exe
C:\Windows\SysWOW64\Gmgdddmq.exe
C:\Windows\SysWOW64\Geolea32.exe
\Windows\SysWOW64\Ghmiam32.exe
\Windows\SysWOW64\Gmjaic32.exe
C:\Windows\SysWOW64\Gkkemh32.exe
C:\Windows\SysWOW64\Gaemjbcg.exe
C:\Windows\SysWOW64\Hgbebiao.exe
C:\Windows\SysWOW64\Hahjpbad.exe
C:\Windows\SysWOW64\Hkpnhgge.exe
C:\Windows\SysWOW64\Hlakpp32.exe
C:\Windows\SysWOW64\Hogmmjfo.exe
C:\Windows\SysWOW64\Iaeiieeb.exe
C:\Windows\SysWOW64\Ihoafpmp.exe
C:\Windows\SysWOW64\Iknnbklc.exe
C:\Windows\SysWOW64\Iagfoe32.exe
C:\Windows\SysWOW64\Hkkalk32.exe
C:\Windows\SysWOW64\Hhmepp32.exe
C:\Windows\SysWOW64\Hcplhi32.exe
C:\Windows\SysWOW64\Hlfdkoin.exe
C:\Windows\SysWOW64\Hjhhocjj.exe
C:\Windows\SysWOW64\Hgilchkf.exe
C:\Windows\SysWOW64\Hobcak32.exe
C:\Windows\SysWOW64\Hpocfncj.exe
C:\Windows\SysWOW64\Hiekid32.exe
C:\Windows\SysWOW64\Hggomh32.exe
C:\Windows\SysWOW64\Hckcmjep.exe
C:\Windows\SysWOW64\Hcifgjgc.exe
C:\Windows\SysWOW64\Hpkjko32.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-22 23:58
Reported
2024-05-23 00:01
Platform
win10v2004-20240226-en
Max time kernel
141s
Max time network
151s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Iogopi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nfgklkoc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nqoloc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qbonoghb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cdjblf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jejbhk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gbbajjlp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gbbajjlp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lhgdmb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mhoahh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pfccogfc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cdaile32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lklnconj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mllccpfj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Blnjecfl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ipkdek32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jblmgf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gnohnffc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mkgmoncl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bnlhncgi.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fecadghc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ecbeip32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kalcik32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Afeban32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cpqlfa32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Amkhmoap.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bigbmpco.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qfjcep32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dedkogqm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dinael32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fqbeoc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pcbdcf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pfccogfc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Iccpniqp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Amnebo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dnljkk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Eafbmgad.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ddcogo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jbojlfdp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ojemig32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gbiockdj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kheekkjl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nbbnbemf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qhhpop32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fecadghc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mdbnmbhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Aflpkpjm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fbbicl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Abcgjg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nfgklkoc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pfhmjf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hccggl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ijbbfc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bacjdbch.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hbldphde.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qjhbfd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Koljgppp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bfaigclq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Egpnooan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kdhbpf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hbldphde.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kcmfnd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fncibg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fglnkm32.exe | N/A |
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Bejceb32.dll | C:\Windows\SysWOW64\Fglnkm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gnohnffc.exe | C:\Windows\SysWOW64\Fdpnda32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jacpcl32.exe | C:\Windows\SysWOW64\Jnbgaa32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Poidhg32.exe | C:\Windows\SysWOW64\Piolkm32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cgfbbb32.exe | C:\Windows\SysWOW64\Bfaigclq.exe | N/A |
| File created | C:\Windows\SysWOW64\Dnljkk32.exe | C:\Windows\SysWOW64\Dinael32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mcfbkpab.exe | C:\Windows\SysWOW64\Mhanngbl.exe | N/A |
| File created | C:\Windows\SysWOW64\Lamlphoo.exe | C:\Windows\SysWOW64\Llpchaqg.exe | N/A |
| File created | C:\Windows\SysWOW64\Bpgjpb32.exe | C:\Windows\SysWOW64\Bikeni32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nkeoha32.dll | C:\Windows\SysWOW64\Bikeni32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cbmlmmjd.exe | C:\Windows\SysWOW64\Cehlcikj.exe | N/A |
| File created | C:\Windows\SysWOW64\Lmnbjama.dll | C:\Windows\SysWOW64\Pplobcpp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cnaaib32.exe | C:\Windows\SysWOW64\Cpmapodj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Egpnooan.exe | C:\Windows\SysWOW64\Enhifi32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jhoeef32.exe | C:\Windows\SysWOW64\Jogqlpde.exe | N/A |
| File created | C:\Windows\SysWOW64\Mllccpfj.exe | C:\Windows\SysWOW64\Mafofggd.exe | N/A |
| File created | C:\Windows\SysWOW64\Ccegac32.dll | C:\Windows\SysWOW64\Gbbajjlp.exe | N/A |
| File created | C:\Windows\SysWOW64\Pfgbakef.dll | C:\Windows\SysWOW64\Pfccogfc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gqbneq32.exe | C:\Windows\SysWOW64\Gkefmjcj.exe | N/A |
| File created | C:\Windows\SysWOW64\Koljgppp.exe | C:\Windows\SysWOW64\Kahinkaf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Koljgppp.exe | C:\Windows\SysWOW64\Kahinkaf.exe | N/A |
| File created | C:\Windows\SysWOW64\Lhgdmb32.exe | C:\Windows\SysWOW64\Lamlphoo.exe | N/A |
| File created | C:\Windows\SysWOW64\Pfandnla.exe | C:\Users\Admin\AppData\Local\Temp\5d6e9ecebaa07acfd4221c417a3534c0_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Baegibae.exe | C:\Windows\SysWOW64\Bacjdbch.exe | N/A |
| File created | C:\Windows\SysWOW64\Eoggpbpn.dll | C:\Windows\SysWOW64\Mekdffee.exe | N/A |
| File created | C:\Windows\SysWOW64\Jfbnnelf.dll | C:\Windows\SysWOW64\Nchhfild.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bpgjpb32.exe | C:\Windows\SysWOW64\Bikeni32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hnbeeiji.exe | C:\Windows\SysWOW64\Hbldphde.exe | N/A |
| File created | C:\Windows\SysWOW64\Ojemig32.exe | C:\Windows\SysWOW64\Oonlfo32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bbaclegm.exe | C:\Windows\SysWOW64\Biiobo32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qhhpop32.exe | C:\Windows\SysWOW64\Pdjgha32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ampaho32.exe | C:\Windows\SysWOW64\Amnebo32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dgihop32.exe | C:\Windows\SysWOW64\Djegekil.exe | N/A |
| File created | C:\Windows\SysWOW64\Pcbdcf32.exe | C:\Windows\SysWOW64\Pdqcenmg.exe | N/A |
| File created | C:\Windows\SysWOW64\Bemlhj32.exe | C:\Windows\SysWOW64\Bldgoeog.exe | N/A |
| File created | C:\Windows\SysWOW64\Bbdcakkc.dll | C:\Windows\SysWOW64\Fajbjh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dbkqqe32.dll | C:\Windows\SysWOW64\Jblmgf32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bpedeiff.exe | C:\Windows\SysWOW64\Bbaclegm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Binhnomg.exe | C:\Windows\SysWOW64\Bpedeiff.exe | N/A |
| File created | C:\Windows\SysWOW64\Nepmal32.dll | C:\Windows\SysWOW64\Cdjblf32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Djegekil.exe | C:\Windows\SysWOW64\Dpmcmf32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Enlcahgh.exe | C:\Windows\SysWOW64\Eafbmgad.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kahinkaf.exe | C:\Windows\SysWOW64\Jhoeef32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qmdblp32.exe | C:\Windows\SysWOW64\Qbonoghb.exe | N/A |
| File created | C:\Windows\SysWOW64\Eknphfld.dll | C:\Windows\SysWOW64\Bboffejp.exe | N/A |
| File created | C:\Windows\SysWOW64\Ljnakk32.dll | C:\Windows\SysWOW64\Jhoeef32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hccggl32.exe | C:\Windows\SysWOW64\Gbbkocid.exe | N/A |
| File created | C:\Windows\SysWOW64\Ffmnibme.dll | C:\Windows\SysWOW64\Medglemj.exe | N/A |
| File created | C:\Windows\SysWOW64\Dqjhif32.dll | C:\Windows\SysWOW64\Akihcfid.exe | N/A |
| File created | C:\Windows\SysWOW64\Mckmcadl.dll | C:\Windows\SysWOW64\Nmjfodne.exe | N/A |
| File created | C:\Windows\SysWOW64\Egpnooan.exe | C:\Windows\SysWOW64\Enhifi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kocphojh.exe | C:\Windows\SysWOW64\Kopcbo32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hbldphde.exe | C:\Windows\SysWOW64\Hnnljj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Defgao32.dll | C:\Windows\SysWOW64\Abcgjg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cpmapodj.exe | C:\Windows\SysWOW64\Bnlhncgi.exe | N/A |
| File created | C:\Windows\SysWOW64\Gkefmjcj.exe | C:\Windows\SysWOW64\Gqpapacd.exe | N/A |
| File created | C:\Windows\SysWOW64\Bpcaaeme.dll | C:\Windows\SysWOW64\Qhhpop32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lhgdmb32.exe | C:\Windows\SysWOW64\Lamlphoo.exe | N/A |
| File created | C:\Windows\SysWOW64\Bbaclegm.exe | C:\Windows\SysWOW64\Biiobo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kalcik32.exe | C:\Windows\SysWOW64\Kdhbpf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ndfchkio.dll | C:\Windows\SysWOW64\Cibkohef.exe | N/A |
| File created | C:\Windows\SysWOW64\Ddcogo32.exe | C:\Windows\SysWOW64\Ddqbbo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ipihpkkd.exe | C:\Windows\SysWOW64\Ilkoim32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jblmgf32.exe | C:\Windows\SysWOW64\Ipkdek32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Dbkhnk32.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jbojlfdp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ojemig32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipekmlhg.dll" | C:\Windows\SysWOW64\Bfabmmhe.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hahokfag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Khkdad32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pddlig32.dll" | C:\Windows\SysWOW64\Heepfn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmnbjama.dll" | C:\Windows\SysWOW64\Pplobcpp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Baegibae.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gejhef32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mhanngbl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pfccogfc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bfaigclq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bejceb32.dll" | C:\Windows\SysWOW64\Fglnkm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jhoeef32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Abcgjg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikpndppf.dll" | C:\Windows\SysWOW64\Dpmcmf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eehnaq32.dll" | C:\Windows\SysWOW64\Bnlhncgi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cdjblf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Koljgppp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bfhofnpp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Qfgfpp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kcmfnd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chjjqebm.dll" | C:\Windows\SysWOW64\Pcbkml32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nodeaima.dll" | C:\Windows\SysWOW64\Binhnomg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokfdpdo.dll" | C:\Windows\SysWOW64\Fqbeoc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jejbhk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elmoqj32.dll" | C:\Windows\SysWOW64\Jnbgaa32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Nhgmcp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Piolkm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlhbih32.dll" | C:\Windows\SysWOW64\Fecadghc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Defgao32.dll" | C:\Windows\SysWOW64\Abcgjg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcidlo32.dll" | C:\Windows\SysWOW64\Bfaigclq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfbhcl32.dll" | C:\Windows\SysWOW64\Dgihop32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ijbbfc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kahinkaf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjbah32.dll" | C:\Windows\SysWOW64\Kopcbo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlmadjhb.dll" | C:\Windows\SysWOW64\Pmmlla32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jogqlpde.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kopcbo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Akkffkhk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngckdnpn.dll" | C:\Windows\SysWOW64\Gbiockdj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bailkjga.dll" | C:\Windows\SysWOW64\Dnljkk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dccfme32.dll" | C:\Windows\SysWOW64\Cdaile32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjijdf32.dll" | C:\Windows\SysWOW64\Llpchaqg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lhgdmb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mkgmoncl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Aimhmkgn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bfabmmhe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkamodje.dll" | C:\Windows\SysWOW64\Bacjdbch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Koljgppp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iilpao32.dll" | C:\Windows\SysWOW64\Qfjcep32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebldoh32.dll" | C:\Windows\SysWOW64\Ddqbbo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cbmlmmjd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hnlodjpa.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ampaho32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohgohiia.dll" | C:\Windows\SysWOW64\Fdpnda32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Halaloif.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jnbgaa32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmccbngq.dll" | C:\Windows\SysWOW64\Aimhmkgn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bpbpecen.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eccphn32.dll" | C:\Windows\SysWOW64\Hahokfag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkhcdb32.dll" | C:\Windows\SysWOW64\Hnlodjpa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jbojlfdp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnhekleo.dll" | C:\Windows\SysWOW64\Adjjeieh.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5d6e9ecebaa07acfd4221c417a3534c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5d6e9ecebaa07acfd4221c417a3534c0_NeikiAnalytics.exe"
C:\Windows\SysWOW64\Pfandnla.exe
C:\Windows\system32\Pfandnla.exe
C:\Windows\SysWOW64\Pplobcpp.exe
C:\Windows\system32\Pplobcpp.exe
C:\Windows\SysWOW64\Pdjgha32.exe
C:\Windows\system32\Pdjgha32.exe
C:\Windows\SysWOW64\Qhhpop32.exe
C:\Windows\system32\Qhhpop32.exe
C:\Windows\SysWOW64\Akkffkhk.exe
C:\Windows\system32\Akkffkhk.exe
C:\Windows\SysWOW64\Aknbkjfh.exe
C:\Windows\system32\Aknbkjfh.exe
C:\Windows\SysWOW64\Aajhndkb.exe
C:\Windows\system32\Aajhndkb.exe
C:\Windows\SysWOW64\Agimkk32.exe
C:\Windows\system32\Agimkk32.exe
C:\Windows\SysWOW64\Bpdnjple.exe
C:\Windows\system32\Bpdnjple.exe
C:\Windows\SysWOW64\Bacjdbch.exe
C:\Windows\system32\Bacjdbch.exe
C:\Windows\SysWOW64\Baegibae.exe
C:\Windows\system32\Baegibae.exe
C:\Windows\SysWOW64\Bnlhncgi.exe
C:\Windows\system32\Bnlhncgi.exe
C:\Windows\SysWOW64\Cpmapodj.exe
C:\Windows\system32\Cpmapodj.exe
C:\Windows\SysWOW64\Cnaaib32.exe
C:\Windows\system32\Cnaaib32.exe
C:\Windows\SysWOW64\Enfckp32.exe
C:\Windows\system32\Enfckp32.exe
C:\Windows\SysWOW64\Fqppci32.exe
C:\Windows\system32\Fqppci32.exe
C:\Windows\SysWOW64\Fdnhih32.exe
C:\Windows\system32\Fdnhih32.exe
C:\Windows\SysWOW64\Fbbicl32.exe
C:\Windows\system32\Fbbicl32.exe
C:\Windows\SysWOW64\Fgoakc32.exe
C:\Windows\system32\Fgoakc32.exe
C:\Windows\SysWOW64\Fecadghc.exe
C:\Windows\system32\Fecadghc.exe
C:\Windows\SysWOW64\Fajbjh32.exe
C:\Windows\system32\Fajbjh32.exe
C:\Windows\SysWOW64\Gbiockdj.exe
C:\Windows\system32\Gbiockdj.exe
C:\Windows\SysWOW64\Gejhef32.exe
C:\Windows\system32\Gejhef32.exe
C:\Windows\SysWOW64\Gihpkd32.exe
C:\Windows\system32\Gihpkd32.exe
C:\Windows\SysWOW64\Gbbajjlp.exe
C:\Windows\system32\Gbbajjlp.exe
C:\Windows\SysWOW64\Hahokfag.exe
C:\Windows\system32\Hahokfag.exe
C:\Windows\SysWOW64\Hnlodjpa.exe
C:\Windows\system32\Hnlodjpa.exe
C:\Windows\SysWOW64\Hnnljj32.exe
C:\Windows\system32\Hnnljj32.exe
C:\Windows\SysWOW64\Hbldphde.exe
C:\Windows\system32\Hbldphde.exe
C:\Windows\SysWOW64\Hnbeeiji.exe
C:\Windows\system32\Hnbeeiji.exe
C:\Windows\SysWOW64\Ilfennic.exe
C:\Windows\system32\Ilfennic.exe
C:\Windows\SysWOW64\Iogopi32.exe
C:\Windows\system32\Iogopi32.exe
C:\Windows\SysWOW64\Ilkoim32.exe
C:\Windows\system32\Ilkoim32.exe
C:\Windows\SysWOW64\Ipihpkkd.exe
C:\Windows\system32\Ipihpkkd.exe
C:\Windows\SysWOW64\Ipkdek32.exe
C:\Windows\system32\Ipkdek32.exe
C:\Windows\SysWOW64\Jblmgf32.exe
C:\Windows\system32\Jblmgf32.exe
C:\Windows\SysWOW64\Jbojlfdp.exe
C:\Windows\system32\Jbojlfdp.exe
C:\Windows\SysWOW64\Jlikkkhn.exe
C:\Windows\system32\Jlikkkhn.exe
C:\Windows\SysWOW64\Kheekkjl.exe
C:\Windows\system32\Kheekkjl.exe
C:\Windows\SysWOW64\Kcmfnd32.exe
C:\Windows\system32\Kcmfnd32.exe
C:\Windows\SysWOW64\Khiofk32.exe
C:\Windows\system32\Khiofk32.exe
C:\Windows\SysWOW64\Lakfeodm.exe
C:\Windows\system32\Lakfeodm.exe
C:\Windows\SysWOW64\Lfiokmkc.exe
C:\Windows\system32\Lfiokmkc.exe
C:\Windows\SysWOW64\Mhoahh32.exe
C:\Windows\system32\Mhoahh32.exe
C:\Windows\SysWOW64\Mhanngbl.exe
C:\Windows\system32\Mhanngbl.exe
C:\Windows\SysWOW64\Mcfbkpab.exe
C:\Windows\system32\Mcfbkpab.exe
C:\Windows\SysWOW64\Nfgklkoc.exe
C:\Windows\system32\Nfgklkoc.exe
C:\Windows\SysWOW64\Nfihbk32.exe
C:\Windows\system32\Nfihbk32.exe
C:\Windows\SysWOW64\Nqoloc32.exe
C:\Windows\system32\Nqoloc32.exe
C:\Windows\SysWOW64\Ncpeaoih.exe
C:\Windows\system32\Ncpeaoih.exe
C:\Windows\SysWOW64\Nmjfodne.exe
C:\Windows\system32\Nmjfodne.exe
C:\Windows\SysWOW64\Oqhoeb32.exe
C:\Windows\system32\Oqhoeb32.exe
C:\Windows\SysWOW64\Oonlfo32.exe
C:\Windows\system32\Oonlfo32.exe
C:\Windows\SysWOW64\Ojemig32.exe
C:\Windows\system32\Ojemig32.exe
C:\Windows\SysWOW64\Pcbkml32.exe
C:\Windows\system32\Pcbkml32.exe
C:\Windows\SysWOW64\Pfccogfc.exe
C:\Windows\system32\Pfccogfc.exe
C:\Windows\SysWOW64\Pmmlla32.exe
C:\Windows\system32\Pmmlla32.exe
C:\Windows\SysWOW64\Pmphaaln.exe
C:\Windows\system32\Pmphaaln.exe
C:\Windows\SysWOW64\Pfhmjf32.exe
C:\Windows\system32\Pfhmjf32.exe
C:\Windows\SysWOW64\Qbonoghb.exe
C:\Windows\system32\Qbonoghb.exe
C:\Windows\SysWOW64\Qmdblp32.exe
C:\Windows\system32\Qmdblp32.exe
C:\Windows\SysWOW64\Qjhbfd32.exe
C:\Windows\system32\Qjhbfd32.exe
C:\Windows\SysWOW64\Abcgjg32.exe
C:\Windows\system32\Abcgjg32.exe
C:\Windows\SysWOW64\Amikgpcc.exe
C:\Windows\system32\Amikgpcc.exe
C:\Windows\SysWOW64\Amkhmoap.exe
C:\Windows\system32\Amkhmoap.exe
C:\Windows\SysWOW64\Abhqefpg.exe
C:\Windows\system32\Abhqefpg.exe
C:\Windows\SysWOW64\Amnebo32.exe
C:\Windows\system32\Amnebo32.exe
C:\Windows\SysWOW64\Ampaho32.exe
C:\Windows\system32\Ampaho32.exe
C:\Windows\SysWOW64\Adjjeieh.exe
C:\Windows\system32\Adjjeieh.exe
C:\Windows\SysWOW64\Bigbmpco.exe
C:\Windows\system32\Bigbmpco.exe
C:\Windows\SysWOW64\Bboffejp.exe
C:\Windows\system32\Bboffejp.exe
C:\Windows\SysWOW64\Biiobo32.exe
C:\Windows\system32\Biiobo32.exe
C:\Windows\SysWOW64\Bbaclegm.exe
C:\Windows\system32\Bbaclegm.exe
C:\Windows\SysWOW64\Bpedeiff.exe
C:\Windows\system32\Bpedeiff.exe
C:\Windows\SysWOW64\Binhnomg.exe
C:\Windows\system32\Binhnomg.exe
C:\Windows\SysWOW64\Bfaigclq.exe
C:\Windows\system32\Bfaigclq.exe
C:\Windows\SysWOW64\Cgfbbb32.exe
C:\Windows\system32\Cgfbbb32.exe
C:\Windows\SysWOW64\Cdjblf32.exe
C:\Windows\system32\Cdjblf32.exe
C:\Windows\SysWOW64\Cgklmacf.exe
C:\Windows\system32\Cgklmacf.exe
C:\Windows\SysWOW64\Ccblbb32.exe
C:\Windows\system32\Ccblbb32.exe
C:\Windows\SysWOW64\Cdaile32.exe
C:\Windows\system32\Cdaile32.exe
C:\Windows\SysWOW64\Dinael32.exe
C:\Windows\system32\Dinael32.exe
C:\Windows\SysWOW64\Dnljkk32.exe
C:\Windows\system32\Dnljkk32.exe
C:\Windows\SysWOW64\Dpmcmf32.exe
C:\Windows\system32\Dpmcmf32.exe
C:\Windows\SysWOW64\Djegekil.exe
C:\Windows\system32\Djegekil.exe
C:\Windows\SysWOW64\Dgihop32.exe
C:\Windows\system32\Dgihop32.exe
C:\Windows\SysWOW64\Ejjaqk32.exe
C:\Windows\system32\Ejjaqk32.exe
C:\Windows\SysWOW64\Ecbeip32.exe
C:\Windows\system32\Ecbeip32.exe
C:\Windows\SysWOW64\Enhifi32.exe
C:\Windows\system32\Enhifi32.exe
C:\Windows\SysWOW64\Egpnooan.exe
C:\Windows\system32\Egpnooan.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 6916 -ip 6916
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6916 -s 400
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4112 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| GB | 142.250.187.234:443 | | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.214.39.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 13.107.246.64:443 | | tcp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.71.105.51.in-addr.arpa | udp |
Files
C:\Windows\SysWOW64\Ddekmo32.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |