Malware Analysis Report

2025-01-23 05:40

Sample ID: 240522-zwtcqage8t
Target: 3b3af3ca23123bd8809657cd9c8efa60_NeikiAnalytics.exe
SHA256: d04cb939a5120c10c89db9592131e7fb8415e03c529101baa59e39b0520b2ca6
Tags: backdoor trojan dropper berbew persistence
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: d04cb939a5120c10c89db9592131e7fb8415e03c529101baa59e39b0520b2ca6
Threat Level: Known bad
The file 3b3af3ca23123bd8809657cd9c8efa60_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

backdoor trojan dropper berbew persistence

Berbew family

Adds autorun key to be loaded by Explorer.exe on startup

Malware Dropper & Backdoor - Berbew

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Program crash

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-22 21:04

Signatures

Berbew family

berbew

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-22 21:04
Reported: 2024-05-22 21:07
Platform: win7-20240508-en
Max time kernel: 121s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3b3af3ca23123bd8809657cd9c8efa60_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cciemedf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cciemedf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ddagfm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gbnccfpb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Henidd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hkkalk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hgilchkf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iaeiieeb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dflkdp32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Djnpnc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dcfdgiid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eiaiqn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fjilieka.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hkpnhgge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Iaeiieeb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dflkdp32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ealnephf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fioija32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ffbicfoc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hmlnoc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hobcak32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Efncicpm.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fdoclk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gfefiemq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hhjhkq32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iknnbklc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cphlljge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Clcflkic.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dnlidb32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Efncicpm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Glfhll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hobcak32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cbnbobin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dgfjbgmh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hcifgjgc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fnpnndgp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fejgko32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gdamqndn.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hnojdcfi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dkhcmgnl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eihfjo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hahjpbad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gddifnbk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hknach32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hknach32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Idceea32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ddagfm32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dcfdgiid.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dgfjbgmh.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Enkece32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eiaiqn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gicbeald.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dnlidb32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Emeopn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fejgko32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Iknnbklc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dgdmmgpj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gpknlk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hgilchkf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Clcflkic.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Emhlfmgj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hiekid32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hogmmjfo.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gicbeald.exe N/A
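
Why this table matters: at logon explorer.exe enumerates HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, treats each value as a CLSID and instantiates that COM object in-process, which loads whatever DLL the CLSID's InProcServer32 key names. The rows above show successive dropped generations creating that key and writing a value named "Web Event Logger" = {79FEACFF-FFCE-815E-A900-316290B5B738}; the InProcServer32 entries for that CLSID appear in the "Modifies registry class" table later in this report. Because the sample is 32-bit, both land under Wow6432Node. The script below is an added example and is not part of the sandbox report or its tooling: it runs the correlation a detection engineer would want over Sysmon Event ID 13 (registry SetValue) records, joining SSODL value writes to InProcServer32 default-value writes by CLSID. The events are constructed from the report's own rows rewritten in Sysmon's HKLM notation, plus one placeholder benign COM registration (placeholder CLSID and vendor path) that must not alert. Field names follow Sysmon; `correlate` and `SAMPLE_EVENTS` are this example's own names. The regexes key on the key tail, so the \REGISTRY\MACHINE\ form used in this report matches as well.

```python
import re

# Constructed Sysmon Event ID 13 (RegistryEvent, SetValue) records. The first
# three mirror rows from the report in Sysmon's HKLM\... notation; the fourth
# is a made-up benign COM registration (placeholder CLSID, placeholder vendor
# path) that must not alert because nothing in SSODL references its CLSID.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\SysWOW64\Efncicpm.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\(Default)",
     "Details": r"C:\Windows\SysWow64\Dnoillim.dll"},
    {"Image": r"C:\Windows\SysWOW64\Efncicpm.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel",
     "Details": "Apartment"},
    {"Image": r"C:\Windows\SysWOW64\Cciemedf.exe",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger",
     "Details": "{79FEACFF-FFCE-815E-A900-316290B5B738}"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InProcServer32\(Default)",
     "Details": r"C:\Program Files\ExampleVendor\example.dll"},
]

GUID = r"\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}"
# Match on the key tail only, so HKLM\..., \REGISTRY\MACHINE\... and the
# Wow6432Node (32-bit redirected) variants all hit.
SSODL_RE = re.compile(r"\\CurrentVersion\\ShellServiceObjectDelayLoad\\([^\\]+)$", re.I)
INPROC_RE = re.compile(r"\\CLSID\\" + GUID + r"\\InProcServer32\\\(Default\)$", re.I)


def correlate(events):
    """One finding per ShellServiceObjectDelayLoad value written, enriched with
    the DLL its CLSID resolves to (InProcServer32 default value) and the process
    that wrote each side. Any new SSODL value is rare enough on a workstation to
    be worth an alert; an unresolved CLSID is reported rather than dropped."""
    inproc = {}   # CLSID -> (dll path, image that registered it)
    ssodl = []    # (value name, CLSID or None, image that wrote it)
    for ev in events:
        target = ev["TargetObject"]
        m = INPROC_RE.search(target)
        if m:
            inproc[m.group(1).upper()] = (ev["Details"], ev["Image"])
            continue
        m = SSODL_RE.search(target)
        if m:
            g = re.fullmatch(GUID, ev["Details"].strip())
            ssodl.append((m.group(1), g.group(1).upper() if g else None, ev["Image"]))
    findings = []
    for name, clsid, writer in ssodl:
        dll, dll_writer = inproc.get(clsid, (None, None))
        findings.append({
            "value_name": name, "clsid": clsid, "ssodl_writer": writer,
            "dll": dll, "dll_writer": dll_writer, "resolved": dll is not None,
        })
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"SSODL '{f['value_name']}' -> CLSID {f['clsid']} -> {f['dll'] or 'UNRESOLVED'}"
              f" (SSODL written by {f['ssodl_writer']}, DLL registered by {f['dll_writer']})")
```

Collect first and resolve second: in this detonation the SSODL value is written by an early generation (Cciemedf.exe) while the InProcServer32 default is set by much later ones (Efncicpm.exe, Eilpeooq.exe and others), so a rule that tries to resolve the CLSID at the moment of the SSODL write comes up empty. Alert on the SSODL write regardless and attach the DLL once the CLSID resolves.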

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Cfbhnaho.exe N/A
N/A N/A C:\Windows\SysWOW64\Cphlljge.exe N/A
N/A N/A C:\Windows\SysWOW64\Cciemedf.exe N/A
N/A N/A C:\Windows\SysWOW64\Chemfl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cbnbobin.exe N/A
N/A N/A C:\Windows\SysWOW64\Clcflkic.exe N/A
N/A N/A C:\Windows\SysWOW64\Dflkdp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkhcmgnl.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddagfm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Djnpnc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcfdgiid.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnlidb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgdmmgpj.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnneja32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgfjbgmh.exe N/A
N/A N/A C:\Windows\SysWOW64\Eihfjo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejgcdb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Emeopn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Efncicpm.exe N/A
N/A N/A C:\Windows\SysWOW64\Eilpeooq.exe N/A
N/A N/A C:\Windows\SysWOW64\Emhlfmgj.exe N/A
N/A N/A C:\Windows\SysWOW64\Efppoc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Enkece32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiaiqn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eloemi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ealnephf.exe N/A
N/A N/A C:\Windows\SysWOW64\Fhffaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fnpnndgp.exe N/A
N/A N/A C:\Windows\SysWOW64\Fejgko32.exe N/A
N/A N/A C:\Windows\SysWOW64\Faagpp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fdoclk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjilieka.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmhheqje.exe N/A
N/A N/A C:\Windows\SysWOW64\Fioija32.exe N/A
N/A N/A C:\Windows\SysWOW64\Flmefm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffbicfoc.exe N/A
N/A N/A C:\Windows\SysWOW64\Gpknlk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gfefiemq.exe N/A
N/A N/A C:\Windows\SysWOW64\Gicbeald.exe N/A
N/A N/A C:\Windows\SysWOW64\Gkgkbipp.exe N/A
N/A N/A C:\Windows\SysWOW64\Gbnccfpb.exe N/A
N/A N/A C:\Windows\SysWOW64\Glfhll32.exe N/A
N/A N/A C:\Windows\SysWOW64\Goddhg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gdamqndn.exe N/A
N/A N/A C:\Windows\SysWOW64\Gkkemh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gaemjbcg.exe N/A
N/A N/A C:\Windows\SysWOW64\Gddifnbk.exe N/A
N/A N/A C:\Windows\SysWOW64\Hknach32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hmlnoc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hahjpbad.exe N/A
N/A N/A C:\Windows\SysWOW64\Hcifgjgc.exe N/A
N/A N/A C:\Windows\SysWOW64\Hkpnhgge.exe N/A
N/A N/A C:\Windows\SysWOW64\Hnojdcfi.exe N/A
N/A N/A C:\Windows\SysWOW64\Hdhbam32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hejoiedd.exe N/A
N/A N/A C:\Windows\SysWOW64\Hiekid32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hpocfncj.exe N/A
N/A N/A C:\Windows\SysWOW64\Hobcak32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hgilchkf.exe N/A
N/A N/A C:\Windows\SysWOW64\Hhjhkq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hpapln32.exe N/A
N/A N/A C:\Windows\SysWOW64\Henidd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hjjddchg.exe N/A
N/A N/A C:\Windows\SysWOW64\Hkkalk32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3b3af3ca23123bd8809657cd9c8efa60_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3b3af3ca23123bd8809657cd9c8efa60_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfbhnaho.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfbhnaho.exe N/A
N/A N/A C:\Windows\SysWOW64\Cphlljge.exe N/A
N/A N/A C:\Windows\SysWOW64\Cphlljge.exe N/A
N/A N/A C:\Windows\SysWOW64\Cciemedf.exe N/A
N/A N/A C:\Windows\SysWOW64\Cciemedf.exe N/A
N/A N/A C:\Windows\SysWOW64\Chemfl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Chemfl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cbnbobin.exe N/A
N/A N/A C:\Windows\SysWOW64\Cbnbobin.exe N/A
N/A N/A C:\Windows\SysWOW64\Clcflkic.exe N/A
N/A N/A C:\Windows\SysWOW64\Clcflkic.exe N/A
N/A N/A C:\Windows\SysWOW64\Dflkdp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dflkdp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkhcmgnl.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkhcmgnl.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddagfm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddagfm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Djnpnc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Djnpnc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcfdgiid.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcfdgiid.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnlidb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnlidb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgdmmgpj.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgdmmgpj.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnneja32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnneja32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgfjbgmh.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgfjbgmh.exe N/A
N/A N/A C:\Windows\SysWOW64\Eihfjo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eihfjo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejgcdb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejgcdb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Emeopn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Emeopn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Efncicpm.exe N/A
N/A N/A C:\Windows\SysWOW64\Efncicpm.exe N/A
N/A N/A C:\Windows\SysWOW64\Eilpeooq.exe N/A
N/A N/A C:\Windows\SysWOW64\Eilpeooq.exe N/A
N/A N/A C:\Windows\SysWOW64\Emhlfmgj.exe N/A
N/A N/A C:\Windows\SysWOW64\Emhlfmgj.exe N/A
N/A N/A C:\Windows\SysWOW64\Efppoc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Efppoc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Enkece32.exe N/A
N/A N/A C:\Windows\SysWOW64\Enkece32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiaiqn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiaiqn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eloemi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eloemi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ealnephf.exe N/A
N/A N/A C:\Windows\SysWOW64\Ealnephf.exe N/A
N/A N/A C:\Windows\SysWOW64\Fhffaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fhffaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fnpnndgp.exe N/A
N/A N/A C:\Windows\SysWOW64\Fnpnndgp.exe N/A
N/A N/A C:\Windows\SysWOW64\Fejgko32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fejgko32.exe N/A
N/A N/A C:\Windows\SysWOW64\Faagpp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Faagpp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fdoclk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fdoclk32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Fejgko32.exe C:\Windows\SysWOW64\Fnpnndgp.exe N/A
File created C:\Windows\SysWOW64\Ooghhh32.dll C:\Windows\SysWOW64\Gbnccfpb.exe N/A
File created C:\Windows\SysWOW64\Hgilchkf.exe C:\Windows\SysWOW64\Hobcak32.exe N/A
File created C:\Windows\SysWOW64\Hpapln32.exe C:\Windows\SysWOW64\Hhjhkq32.exe N/A
File created C:\Windows\SysWOW64\Efncicpm.exe C:\Windows\SysWOW64\Emeopn32.exe N/A
File created C:\Windows\SysWOW64\Eiaiqn32.exe C:\Windows\SysWOW64\Enkece32.exe N/A
File opened for modification C:\Windows\SysWOW64\Iknnbklc.exe C:\Windows\SysWOW64\Idceea32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dcfdgiid.exe C:\Windows\SysWOW64\Djnpnc32.exe N/A
File created C:\Windows\SysWOW64\Fclomp32.dll C:\Windows\SysWOW64\Dgfjbgmh.exe N/A
File opened for modification C:\Windows\SysWOW64\Fmhheqje.exe C:\Windows\SysWOW64\Fjilieka.exe N/A
File created C:\Windows\SysWOW64\Hdhbam32.exe C:\Windows\SysWOW64\Hnojdcfi.exe N/A
File opened for modification C:\Windows\SysWOW64\Cbnbobin.exe C:\Windows\SysWOW64\Chemfl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Djnpnc32.exe C:\Windows\SysWOW64\Ddagfm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hpocfncj.exe C:\Windows\SysWOW64\Hiekid32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dnlidb32.exe C:\Windows\SysWOW64\Dcfdgiid.exe N/A
File opened for modification C:\Windows\SysWOW64\Fejgko32.exe C:\Windows\SysWOW64\Fnpnndgp.exe N/A
File created C:\Windows\SysWOW64\Gaemjbcg.exe C:\Windows\SysWOW64\Gkkemh32.exe N/A
File created C:\Windows\SysWOW64\Hepmggig.dll C:\Windows\SysWOW64\Hdhbam32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hjjddchg.exe C:\Windows\SysWOW64\Henidd32.exe N/A
File created C:\Windows\SysWOW64\Dflkdp32.exe C:\Windows\SysWOW64\Clcflkic.exe N/A
File opened for modification C:\Windows\SysWOW64\Ealnephf.exe C:\Windows\SysWOW64\Eloemi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fdoclk32.exe C:\Windows\SysWOW64\Faagpp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Chemfl32.exe C:\Windows\SysWOW64\Cciemedf.exe N/A
File created C:\Windows\SysWOW64\Ddagfm32.exe C:\Windows\SysWOW64\Dkhcmgnl.exe N/A
File opened for modification C:\Windows\SysWOW64\Ffbicfoc.exe C:\Windows\SysWOW64\Flmefm32.exe N/A
File created C:\Windows\SysWOW64\Iaeiieeb.exe C:\Windows\SysWOW64\Hogmmjfo.exe N/A
File created C:\Windows\SysWOW64\Clcflkic.exe C:\Windows\SysWOW64\Cbnbobin.exe N/A
File opened for modification C:\Windows\SysWOW64\Ejgcdb32.exe C:\Windows\SysWOW64\Eihfjo32.exe N/A
File created C:\Windows\SysWOW64\Egdnbg32.dll C:\Windows\SysWOW64\Ejgcdb32.exe N/A
File created C:\Windows\SysWOW64\Ojhcelga.dll C:\Windows\SysWOW64\Hkkalk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gkgkbipp.exe C:\Windows\SysWOW64\Gicbeald.exe N/A
File opened for modification C:\Windows\SysWOW64\Gbnccfpb.exe C:\Windows\SysWOW64\Gkgkbipp.exe N/A
File created C:\Windows\SysWOW64\Hknach32.exe C:\Windows\SysWOW64\Gddifnbk.exe N/A
File created C:\Windows\SysWOW64\Hogmmjfo.exe C:\Windows\SysWOW64\Hkkalk32.exe N/A
File created C:\Windows\SysWOW64\Dcfdgiid.exe C:\Windows\SysWOW64\Djnpnc32.exe N/A
File created C:\Windows\SysWOW64\Lbidmekh.dll C:\Windows\SysWOW64\Efppoc32.exe N/A
File created C:\Windows\SysWOW64\Gfefiemq.exe C:\Windows\SysWOW64\Gpknlk32.exe N/A
File created C:\Windows\SysWOW64\Gicbeald.exe C:\Windows\SysWOW64\Gfefiemq.exe N/A
File created C:\Windows\SysWOW64\Pqiqnfej.dll C:\Windows\SysWOW64\Iaeiieeb.exe N/A
File created C:\Windows\SysWOW64\Goddhg32.exe C:\Windows\SysWOW64\Glfhll32.exe N/A
File created C:\Windows\SysWOW64\Ejdmpb32.dll C:\Windows\SysWOW64\Hjjddchg.exe N/A
File opened for modification C:\Windows\SysWOW64\Cfbhnaho.exe C:\Users\Admin\AppData\Local\Temp\3b3af3ca23123bd8809657cd9c8efa60_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Gddifnbk.exe C:\Windows\SysWOW64\Gaemjbcg.exe N/A
File opened for modification C:\Windows\SysWOW64\Hmlnoc32.exe C:\Windows\SysWOW64\Hknach32.exe N/A
File created C:\Windows\SysWOW64\Pfabenjd.dll C:\Windows\SysWOW64\Gaemjbcg.exe N/A
File created C:\Windows\SysWOW64\Hahjpbad.exe C:\Windows\SysWOW64\Hmlnoc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hcifgjgc.exe C:\Windows\SysWOW64\Hahjpbad.exe N/A
File created C:\Windows\SysWOW64\Ebagmn32.dll C:\Windows\SysWOW64\Dgdmmgpj.exe N/A
File created C:\Windows\SysWOW64\Ndabhn32.dll C:\Windows\SysWOW64\Hnojdcfi.exe N/A
File opened for modification C:\Windows\SysWOW64\Hejoiedd.exe C:\Windows\SysWOW64\Hdhbam32.exe N/A
File created C:\Windows\SysWOW64\Henidd32.exe C:\Windows\SysWOW64\Hpapln32.exe N/A
File created C:\Windows\SysWOW64\Faagpp32.exe C:\Windows\SysWOW64\Fejgko32.exe N/A
File created C:\Windows\SysWOW64\Nokeef32.dll C:\Windows\SysWOW64\Hpocfncj.exe N/A
File created C:\Windows\SysWOW64\Gmibbifn.dll C:\Windows\SysWOW64\Hogmmjfo.exe N/A
File opened for modification C:\Windows\SysWOW64\Faagpp32.exe C:\Windows\SysWOW64\Fejgko32.exe N/A
File created C:\Windows\SysWOW64\Lkojpojq.dll C:\Windows\SysWOW64\Emeopn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gaemjbcg.exe C:\Windows\SysWOW64\Gkkemh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Flmefm32.exe C:\Windows\SysWOW64\Fioija32.exe N/A
File created C:\Windows\SysWOW64\Pffgja32.dll C:\Windows\SysWOW64\Hcifgjgc.exe N/A
File opened for modification C:\Windows\SysWOW64\Hogmmjfo.exe C:\Windows\SysWOW64\Hkkalk32.exe N/A
File created C:\Windows\SysWOW64\Iknnbklc.exe C:\Windows\SysWOW64\Idceea32.exe N/A
File created C:\Windows\SysWOW64\Jnmgmhmc.dll C:\Windows\SysWOW64\Fioija32.exe N/A
File created C:\Windows\SysWOW64\Hiekid32.exe C:\Windows\SysWOW64\Hejoiedd.exe N/A
File created C:\Windows\SysWOW64\Eihfjo32.exe C:\Windows\SysWOW64\Dgfjbgmh.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Iagfoe32.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnoillim.dll" C:\Windows\SysWOW64\Efncicpm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gdamqndn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hhjhkq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\3b3af3ca23123bd8809657cd9c8efa60_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cfbhnaho.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gaemjbcg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hkpnhgge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Henidd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dnlidb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgcampld.dll" C:\Windows\SysWOW64\Eilpeooq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Enkece32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghqknigk.dll" C:\Windows\SysWOW64\Fmhheqje.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gpknlk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fclomp32.dll" C:\Windows\SysWOW64\Dgfjbgmh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hmlnoc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hgilchkf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fioija32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfoihbdp.dll" C:\Windows\SysWOW64\Ffbicfoc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hobcak32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqpofkjo.dll" C:\Windows\SysWOW64\Idceea32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Efncicpm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fnpnndgp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgahch32.dll" C:\Windows\SysWOW64\Fejgko32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Iknnbklc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hpocfncj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgdqfpma.dll" C:\Windows\SysWOW64\Cfbhnaho.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cphlljge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbiiek32.dll" C:\Windows\SysWOW64\Cbnbobin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bibckiab.dll" C:\Windows\SysWOW64\Enkece32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gicbeald.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ddagfm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejdmpb32.dll" C:\Windows\SysWOW64\Hjjddchg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Enkece32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhfkbo32.dll" C:\Windows\SysWOW64\Henidd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gkkemh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gkkemh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gaemjbcg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cciemedf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dnneja32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Eihfjo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olndbg32.dll" C:\Windows\SysWOW64\Faagpp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooghhh32.dll" C:\Windows\SysWOW64\Gbnccfpb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} C:\Users\Admin\AppData\Local\Temp\3b3af3ca23123bd8809657cd9c8efa60_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dkhcmgnl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ddagfm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gpknlk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncolgf32.dll" C:\Windows\SysWOW64\Hknach32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbniiffi.dll" C:\Windows\SysWOW64\Hobcak32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\3b3af3ca23123bd8809657cd9c8efa60_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpbjlbfp.dll" C:\Windows\SysWOW64\Eiaiqn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Eloemi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hkkalk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cbnbobin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hghmjpap.dll" C:\Windows\SysWOW64\Gpknlk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hejoiedd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polebcgg.dll" C:\Windows\SysWOW64\Hpapln32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fmhheqje.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kleiio32.dll" C:\Windows\SysWOW64\Gfefiemq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhflmk32.dll" C:\Windows\SysWOW64\Dnlidb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hogmmjfo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njqaac32.dll" C:\Windows\SysWOW64\Eihfjo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\3b3af3ca23123bd8809657cd9c8efa60_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fjilieka.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fmhheqje.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 836 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\3b3af3ca23123bd8809657cd9c8efa60_NeikiAnalytics.exe C:\Windows\SysWOW64\Cfbhnaho.exe
PID 836 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\3b3af3ca23123bd8809657cd9c8efa60_NeikiAnalytics.exe C:\Windows\SysWOW64\Cfbhnaho.exe
PID 836 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\3b3af3ca23123bd8809657cd9c8efa60_NeikiAnalytics.exe C:\Windows\SysWOW64\Cfbhnaho.exe
PID 836 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\3b3af3ca23123bd8809657cd9c8efa60_NeikiAnalytics.exe C:\Windows\SysWOW64\Cfbhnaho.exe
PID 3064 wrote to memory of 2796 N/A C:\Windows\SysWOW64\Cfbhnaho.exe C:\Windows\SysWOW64\Cphlljge.exe
PID 3064 wrote to memory of 2796 N/A C:\Windows\SysWOW64\Cfbhnaho.exe C:\Windows\SysWOW64\Cphlljge.exe
PID 3064 wrote to memory of 2796 N/A C:\Windows\SysWOW64\Cfbhnaho.exe C:\Windows\SysWOW64\Cphlljge.exe
PID 3064 wrote to memory of 2796 N/A C:\Windows\SysWOW64\Cfbhnaho.exe C:\Windows\SysWOW64\Cphlljge.exe
PID 2796 wrote to memory of 2744 N/A C:\Windows\SysWOW64\Cphlljge.exe C:\Windows\SysWOW64\Cciemedf.exe
PID 2796 wrote to memory of 2744 N/A C:\Windows\SysWOW64\Cphlljge.exe C:\Windows\SysWOW64\Cciemedf.exe
PID 2796 wrote to memory of 2744 N/A C:\Windows\SysWOW64\Cphlljge.exe C:\Windows\SysWOW64\Cciemedf.exe
PID 2796 wrote to memory of 2744 N/A C:\Windows\SysWOW64\Cphlljge.exe C:\Windows\SysWOW64\Cciemedf.exe
PID 2744 wrote to memory of 2892 N/A C:\Windows\SysWOW64\Cciemedf.exe C:\Windows\SysWOW64\Chemfl32.exe
PID 2744 wrote to memory of 2892 N/A C:\Windows\SysWOW64\Cciemedf.exe C:\Windows\SysWOW64\Chemfl32.exe
PID 2744 wrote to memory of 2892 N/A C:\Windows\SysWOW64\Cciemedf.exe C:\Windows\SysWOW64\Chemfl32.exe
PID 2744 wrote to memory of 2892 N/A C:\Windows\SysWOW64\Cciemedf.exe C:\Windows\SysWOW64\Chemfl32.exe
PID 2892 wrote to memory of 2852 N/A C:\Windows\SysWOW64\Chemfl32.exe C:\Windows\SysWOW64\Cbnbobin.exe
PID 2892 wrote to memory of 2852 N/A C:\Windows\SysWOW64\Chemfl32.exe C:\Windows\SysWOW64\Cbnbobin.exe
PID 2892 wrote to memory of 2852 N/A C:\Windows\SysWOW64\Chemfl32.exe C:\Windows\SysWOW64\Cbnbobin.exe
PID 2892 wrote to memory of 2852 N/A C:\Windows\SysWOW64\Chemfl32.exe C:\Windows\SysWOW64\Cbnbobin.exe
PID 2852 wrote to memory of 2684 N/A C:\Windows\SysWOW64\Cbnbobin.exe C:\Windows\SysWOW64\Clcflkic.exe
PID 2852 wrote to memory of 2684 N/A C:\Windows\SysWOW64\Cbnbobin.exe C:\Windows\SysWOW64\Clcflkic.exe
PID 2852 wrote to memory of 2684 N/A C:\Windows\SysWOW64\Cbnbobin.exe C:\Windows\SysWOW64\Clcflkic.exe
PID 2852 wrote to memory of 2684 N/A C:\Windows\SysWOW64\Cbnbobin.exe C:\Windows\SysWOW64\Clcflkic.exe
PID 2684 wrote to memory of 2236 N/A C:\Windows\SysWOW64\Clcflkic.exe C:\Windows\SysWOW64\Dflkdp32.exe
PID 2684 wrote to memory of 2236 N/A C:\Windows\SysWOW64\Clcflkic.exe C:\Windows\SysWOW64\Dflkdp32.exe
PID 2684 wrote to memory of 2236 N/A C:\Windows\SysWOW64\Clcflkic.exe C:\Windows\SysWOW64\Dflkdp32.exe
PID 2684 wrote to memory of 2236 N/A C:\Windows\SysWOW64\Clcflkic.exe C:\Windows\SysWOW64\Dflkdp32.exe
PID 2236 wrote to memory of 1056 N/A C:\Windows\SysWOW64\Dflkdp32.exe C:\Windows\SysWOW64\Dkhcmgnl.exe
PID 2236 wrote to memory of 1056 N/A C:\Windows\SysWOW64\Dflkdp32.exe C:\Windows\SysWOW64\Dkhcmgnl.exe
PID 2236 wrote to memory of 1056 N/A C:\Windows\SysWOW64\Dflkdp32.exe C:\Windows\SysWOW64\Dkhcmgnl.exe
PID 2236 wrote to memory of 1056 N/A C:\Windows\SysWOW64\Dflkdp32.exe C:\Windows\SysWOW64\Dkhcmgnl.exe
PID 1056 wrote to memory of 2816 N/A C:\Windows\SysWOW64\Dkhcmgnl.exe C:\Windows\SysWOW64\Ddagfm32.exe
PID 1056 wrote to memory of 2816 N/A C:\Windows\SysWOW64\Dkhcmgnl.exe C:\Windows\SysWOW64\Ddagfm32.exe
PID 1056 wrote to memory of 2816 N/A C:\Windows\SysWOW64\Dkhcmgnl.exe C:\Windows\SysWOW64\Ddagfm32.exe
PID 1056 wrote to memory of 2816 N/A C:\Windows\SysWOW64\Dkhcmgnl.exe C:\Windows\SysWOW64\Ddagfm32.exe
PID 2816 wrote to memory of 1592 N/A C:\Windows\SysWOW64\Ddagfm32.exe C:\Windows\SysWOW64\Djnpnc32.exe
PID 2816 wrote to memory of 1592 N/A C:\Windows\SysWOW64\Ddagfm32.exe C:\Windows\SysWOW64\Djnpnc32.exe
PID 2816 wrote to memory of 1592 N/A C:\Windows\SysWOW64\Ddagfm32.exe C:\Windows\SysWOW64\Djnpnc32.exe
PID 2816 wrote to memory of 1592 N/A C:\Windows\SysWOW64\Ddagfm32.exe C:\Windows\SysWOW64\Djnpnc32.exe
PID 1592 wrote to memory of 1752 N/A C:\Windows\SysWOW64\Djnpnc32.exe C:\Windows\SysWOW64\Dcfdgiid.exe
PID 1592 wrote to memory of 1752 N/A C:\Windows\SysWOW64\Djnpnc32.exe C:\Windows\SysWOW64\Dcfdgiid.exe
PID 1592 wrote to memory of 1752 N/A C:\Windows\SysWOW64\Djnpnc32.exe C:\Windows\SysWOW64\Dcfdgiid.exe
PID 1592 wrote to memory of 1752 N/A C:\Windows\SysWOW64\Djnpnc32.exe C:\Windows\SysWOW64\Dcfdgiid.exe
PID 1752 wrote to memory of 1812 N/A C:\Windows\SysWOW64\Dcfdgiid.exe C:\Windows\SysWOW64\Dnlidb32.exe
PID 1752 wrote to memory of 1812 N/A C:\Windows\SysWOW64\Dcfdgiid.exe C:\Windows\SysWOW64\Dnlidb32.exe
PID 1752 wrote to memory of 1812 N/A C:\Windows\SysWOW64\Dcfdgiid.exe C:\Windows\SysWOW64\Dnlidb32.exe
PID 1752 wrote to memory of 1812 N/A C:\Windows\SysWOW64\Dcfdgiid.exe C:\Windows\SysWOW64\Dnlidb32.exe
PID 1812 wrote to memory of 2444 N/A C:\Windows\SysWOW64\Dnlidb32.exe C:\Windows\SysWOW64\Dgdmmgpj.exe
PID 1812 wrote to memory of 2444 N/A C:\Windows\SysWOW64\Dnlidb32.exe C:\Windows\SysWOW64\Dgdmmgpj.exe
PID 1812 wrote to memory of 2444 N/A C:\Windows\SysWOW64\Dnlidb32.exe C:\Windows\SysWOW64\Dgdmmgpj.exe
PID 1812 wrote to memory of 2444 N/A C:\Windows\SysWOW64\Dnlidb32.exe C:\Windows\SysWOW64\Dgdmmgpj.exe
PID 2444 wrote to memory of 1680 N/A C:\Windows\SysWOW64\Dgdmmgpj.exe C:\Windows\SysWOW64\Dnneja32.exe
PID 2444 wrote to memory of 1680 N/A C:\Windows\SysWOW64\Dgdmmgpj.exe C:\Windows\SysWOW64\Dnneja32.exe
PID 2444 wrote to memory of 1680 N/A C:\Windows\SysWOW64\Dgdmmgpj.exe C:\Windows\SysWOW64\Dnneja32.exe
PID 2444 wrote to memory of 1680 N/A C:\Windows\SysWOW64\Dgdmmgpj.exe C:\Windows\SysWOW64\Dnneja32.exe
PID 1680 wrote to memory of 660 N/A C:\Windows\SysWOW64\Dnneja32.exe C:\Windows\SysWOW64\Dgfjbgmh.exe
PID 1680 wrote to memory of 660 N/A C:\Windows\SysWOW64\Dnneja32.exe C:\Windows\SysWOW64\Dgfjbgmh.exe
PID 1680 wrote to memory of 660 N/A C:\Windows\SysWOW64\Dnneja32.exe C:\Windows\SysWOW64\Dgfjbgmh.exe
PID 1680 wrote to memory of 660 N/A C:\Windows\SysWOW64\Dnneja32.exe C:\Windows\SysWOW64\Dgfjbgmh.exe
PID 660 wrote to memory of 2912 N/A C:\Windows\SysWOW64\Dgfjbgmh.exe C:\Windows\SysWOW64\Eihfjo32.exe
PID 660 wrote to memory of 2912 N/A C:\Windows\SysWOW64\Dgfjbgmh.exe C:\Windows\SysWOW64\Eihfjo32.exe
PID 660 wrote to memory of 2912 N/A C:\Windows\SysWOW64\Dgfjbgmh.exe C:\Windows\SysWOW64\Eihfjo32.exe
PID 660 wrote to memory of 2912 N/A C:\Windows\SysWOW64\Dgfjbgmh.exe C:\Windows\SysWOW64\Eihfjo32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3b3af3ca23123bd8809657cd9c8efa60_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3b3af3ca23123bd8809657cd9c8efa60_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Cfbhnaho.exe

C:\Windows\system32\Cfbhnaho.exe

C:\Windows\SysWOW64\Cphlljge.exe

C:\Windows\system32\Cphlljge.exe

C:\Windows\SysWOW64\Cciemedf.exe

C:\Windows\system32\Cciemedf.exe

C:\Windows\SysWOW64\Chemfl32.exe

C:\Windows\system32\Chemfl32.exe

C:\Windows\SysWOW64\Cbnbobin.exe

C:\Windows\system32\Cbnbobin.exe

C:\Windows\SysWOW64\Clcflkic.exe

C:\Windows\system32\Clcflkic.exe

C:\Windows\SysWOW64\Dflkdp32.exe

C:\Windows\system32\Dflkdp32.exe

C:\Windows\SysWOW64\Dkhcmgnl.exe

C:\Windows\system32\Dkhcmgnl.exe

C:\Windows\SysWOW64\Ddagfm32.exe

C:\Windows\system32\Ddagfm32.exe

C:\Windows\SysWOW64\Djnpnc32.exe

C:\Windows\system32\Djnpnc32.exe

C:\Windows\SysWOW64\Dcfdgiid.exe

C:\Windows\system32\Dcfdgiid.exe

C:\Windows\SysWOW64\Dnlidb32.exe

C:\Windows\system32\Dnlidb32.exe

C:\Windows\SysWOW64\Dgdmmgpj.exe

C:\Windows\system32\Dgdmmgpj.exe

C:\Windows\SysWOW64\Dnneja32.exe

C:\Windows\system32\Dnneja32.exe

C:\Windows\SysWOW64\Dgfjbgmh.exe

C:\Windows\system32\Dgfjbgmh.exe

C:\Windows\SysWOW64\Eihfjo32.exe

C:\Windows\system32\Eihfjo32.exe

C:\Windows\SysWOW64\Ejgcdb32.exe

C:\Windows\system32\Ejgcdb32.exe

C:\Windows\SysWOW64\Emeopn32.exe

C:\Windows\system32\Emeopn32.exe

C:\Windows\SysWOW64\Efncicpm.exe

C:\Windows\system32\Efncicpm.exe

C:\Windows\SysWOW64\Eilpeooq.exe

C:\Windows\system32\Eilpeooq.exe

C:\Windows\SysWOW64\Emhlfmgj.exe

C:\Windows\system32\Emhlfmgj.exe

C:\Windows\SysWOW64\Efppoc32.exe

C:\Windows\system32\Efppoc32.exe

C:\Windows\SysWOW64\Enkece32.exe

C:\Windows\system32\Enkece32.exe

C:\Windows\SysWOW64\Eiaiqn32.exe

C:\Windows\system32\Eiaiqn32.exe

C:\Windows\SysWOW64\Eloemi32.exe

C:\Windows\system32\Eloemi32.exe

C:\Windows\SysWOW64\Ealnephf.exe

C:\Windows\system32\Ealnephf.exe

C:\Windows\SysWOW64\Fhffaj32.exe

C:\Windows\system32\Fhffaj32.exe

C:\Windows\SysWOW64\Fnpnndgp.exe

C:\Windows\system32\Fnpnndgp.exe

C:\Windows\SysWOW64\Fejgko32.exe

C:\Windows\system32\Fejgko32.exe

C:\Windows\SysWOW64\Faagpp32.exe

C:\Windows\system32\Faagpp32.exe

C:\Windows\SysWOW64\Fdoclk32.exe

C:\Windows\system32\Fdoclk32.exe

C:\Windows\SysWOW64\Fjilieka.exe

C:\Windows\system32\Fjilieka.exe

C:\Windows\SysWOW64\Fmhheqje.exe

C:\Windows\system32\Fmhheqje.exe

C:\Windows\SysWOW64\Fioija32.exe

C:\Windows\system32\Fioija32.exe

C:\Windows\SysWOW64\Flmefm32.exe

C:\Windows\system32\Flmefm32.exe

C:\Windows\SysWOW64\Ffbicfoc.exe

C:\Windows\system32\Ffbicfoc.exe

C:\Windows\SysWOW64\Gpknlk32.exe

C:\Windows\system32\Gpknlk32.exe

C:\Windows\SysWOW64\Gfefiemq.exe

C:\Windows\system32\Gfefiemq.exe

C:\Windows\SysWOW64\Gicbeald.exe

C:\Windows\system32\Gicbeald.exe

C:\Windows\SysWOW64\Gkgkbipp.exe

C:\Windows\system32\Gkgkbipp.exe

C:\Windows\SysWOW64\Gbnccfpb.exe

C:\Windows\system32\Gbnccfpb.exe

C:\Windows\SysWOW64\Glfhll32.exe

C:\Windows\system32\Glfhll32.exe

C:\Windows\SysWOW64\Goddhg32.exe

C:\Windows\system32\Goddhg32.exe

C:\Windows\SysWOW64\Gdamqndn.exe

C:\Windows\system32\Gdamqndn.exe

C:\Windows\SysWOW64\Gkkemh32.exe

C:\Windows\system32\Gkkemh32.exe

C:\Windows\SysWOW64\Gaemjbcg.exe

C:\Windows\system32\Gaemjbcg.exe

C:\Windows\SysWOW64\Gddifnbk.exe

C:\Windows\system32\Gddifnbk.exe

C:\Windows\SysWOW64\Hknach32.exe

C:\Windows\system32\Hknach32.exe

C:\Windows\SysWOW64\Hmlnoc32.exe

C:\Windows\system32\Hmlnoc32.exe

C:\Windows\SysWOW64\Hahjpbad.exe

C:\Windows\system32\Hahjpbad.exe

C:\Windows\SysWOW64\Hcifgjgc.exe

C:\Windows\system32\Hcifgjgc.exe

C:\Windows\SysWOW64\Hkpnhgge.exe

C:\Windows\system32\Hkpnhgge.exe

C:\Windows\SysWOW64\Hnojdcfi.exe

C:\Windows\system32\Hnojdcfi.exe

C:\Windows\SysWOW64\Hdhbam32.exe

C:\Windows\system32\Hdhbam32.exe

C:\Windows\SysWOW64\Hejoiedd.exe

C:\Windows\system32\Hejoiedd.exe

C:\Windows\SysWOW64\Hiekid32.exe

C:\Windows\system32\Hiekid32.exe

C:\Windows\SysWOW64\Hpocfncj.exe

C:\Windows\system32\Hpocfncj.exe

C:\Windows\SysWOW64\Hobcak32.exe

C:\Windows\system32\Hobcak32.exe

C:\Windows\SysWOW64\Hgilchkf.exe

C:\Windows\system32\Hgilchkf.exe

C:\Windows\SysWOW64\Hhjhkq32.exe

C:\Windows\system32\Hhjhkq32.exe

C:\Windows\SysWOW64\Hpapln32.exe

C:\Windows\system32\Hpapln32.exe

C:\Windows\SysWOW64\Henidd32.exe

C:\Windows\system32\Henidd32.exe

C:\Windows\SysWOW64\Hjjddchg.exe

C:\Windows\system32\Hjjddchg.exe

C:\Windows\SysWOW64\Hkkalk32.exe

C:\Windows\system32\Hkkalk32.exe

C:\Windows\SysWOW64\Hogmmjfo.exe

C:\Windows\system32\Hogmmjfo.exe

C:\Windows\SysWOW64\Iaeiieeb.exe

C:\Windows\system32\Iaeiieeb.exe

C:\Windows\SysWOW64\Idceea32.exe

C:\Windows\system32\Idceea32.exe

C:\Windows\SysWOW64\Iknnbklc.exe

C:\Windows\system32\Iknnbklc.exe

C:\Windows\SysWOW64\Iagfoe32.exe

C:\Windows\system32\Iagfoe32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 140

Network

N/A

Files

memory/836-0-0x0000000000400000-0x0000000000440000-memory.dmp

\Windows\SysWOW64\Cfbhnaho.exe

MD5 a3733efbf96d8e673882e44435fdd82a
SHA1 6fc559de420224f14f747926973a9c1fc8c9f959
SHA256 5a6aeeff9b536466edcef450d52fbf86876ab23bbedd1a4db6d1794530aaba87
SHA512 1dbc3e9b6af1a65c579bcba51a598d24925915b9c084d2d259646bb5d7372c7dd5536cca2f2d7c937ff6bbd495c0e130e00978c3abf0e6ee5b82c4fdd0ea0529

memory/3064-13-0x0000000000400000-0x0000000000440000-memory.dmp

memory/836-12-0x00000000002D0000-0x0000000000310000-memory.dmp

\Windows\SysWOW64\Cphlljge.exe

MD5 d370ba4d72e759ed620db2a0b08e3d8d
SHA1 3981d27121b6af7479c1740a9a2dd8af864be7cf
SHA256 161f165b6b6d66c5e82fd14f8234a333303275a29e6609a8e3d719b5d889abba
SHA512 c8cca8eba3506d033b544a570e3f93b0240e7d63cfce6e0d2f89b393b291bb7e8261bc487e2c1da0fcc652c400264154cd5161baf9d633fdc2fde99a55f21237

memory/3064-26-0x0000000000440000-0x0000000000480000-memory.dmp

memory/2796-27-0x0000000000400000-0x0000000000440000-memory.dmp

\Windows\SysWOW64\Cciemedf.exe

MD5 0a038eb3267e229059e4aba4d0da2957
SHA1 275c02666f2ebe4984fc0deb312f84a48b540316
SHA256 91577d1bcac1b7c5f1a0943995ea75c807dd45ef319113aa63114405286ddd89
SHA512 5288052631dfad786e7e19be67dbc14b63aeda5136e7e9cd49d5d47707c19a06cce3805a27897b22e83fb8af9f41c096cab1fefa1d5da9380f818b8b80d562c9

memory/2796-34-0x0000000000250000-0x0000000000290000-memory.dmp

C:\Windows\SysWOW64\Chemfl32.exe

MD5 37440a697a6bbfb4f2936bf6b03de660
SHA1 f2ab15335840283e7f544115ab3b60565e2055d6
SHA256 6e4ad3c25deaf26d1bb5f4b11f544969574c9d7068ab19660300f8fa624d984d
SHA512 644392f79176636438c9c2ae3e233b06ef66926656218e26c14bdd43cd618baaa9d8e2fb19fe49d0208d0947b778d902c60ece8ad6b5334d109e227d6c5b60ce

memory/2744-50-0x0000000000250000-0x0000000000290000-memory.dmp

memory/2744-47-0x0000000000400000-0x0000000000440000-memory.dmp

\Windows\SysWOW64\Cbnbobin.exe

MD5 83d85ed96d60ea9cae287505ca50c29c
SHA1 2849444641e6544228793b824a343d48f93932d3
SHA256 8d48e37f394fd4b766f8d3f650583b6799cbca39ec86e3a23467ae65a0054c12
SHA512 1d003bfdb57c47e6df81dfb0e03dbba1390a495c768e2a584e2ab9247a16fab6671fc5daa21f8c5256717e9181e961a1f2f066ca9fea9e9a8e957a11f4a1d411

memory/2892-62-0x00000000002D0000-0x0000000000310000-memory.dmp

memory/2852-72-0x0000000000400000-0x0000000000440000-memory.dmp

\Windows\SysWOW64\Clcflkic.exe

MD5 a6fbb2042ad99db8d24f53438103f6b6
SHA1 8cdef79dea739efb70512296d058584d73913d14
SHA256 f4b9fb2bb683619912786d95fe806722cef799f9efe2c7cfeeacf9ce49b7934a
SHA512 22458b309afda9103c07dc16efd9c8779cd451b562da624bb04d34a664814f39e9e937e9bd39fc07e8d79195fdf4e0ee24b27a6d5c9d7bac897fc8ab57cec9a7

memory/2684-81-0x0000000000400000-0x0000000000440000-memory.dmp

\Windows\SysWOW64\Dflkdp32.exe

MD5 228e6c13817f81ef7d70b588a595564f
SHA1 5dadb4413632d2816c911b86378d5e7b2f7f6bcc
SHA256 2667219d3e926dcc934d2e03f529deb0b331a7d57af6ccec12f3511ad64269ed
SHA512 2260344078d227001c15eef1aac2adf7471d240e41f440525243b5f59dd3a3a23ebadfb705f0a57521a9c2257aabadc56eae04bdc45fe960bb74493619ab9a09

memory/2684-89-0x00000000002D0000-0x0000000000310000-memory.dmp

memory/2236-100-0x0000000000400000-0x0000000000440000-memory.dmp

\Windows\SysWOW64\Dkhcmgnl.exe

MD5 6ccddb465905df1298c0bcdae260bea0
SHA1 5f387f92448b2457f3aa43d1853a2f7d5ecbcef5
SHA256 e2c1a57ea01e18bbb136a2588ee88416d36d75ef783d6a98d3f801fce5e48681
SHA512 85f95becfa830d2b832bd1ce2beae7193a6048bae5c9819e8a8ce650172c38616dc8f9cae297aa46515b4c16548111930daaf1e5986b057362567f78df379411

memory/1056-108-0x0000000000400000-0x0000000000440000-memory.dmp

\Windows\SysWOW64\Ddagfm32.exe

MD5 416bdca5a0c4fbca45ec5f58343cea05
SHA1 8c414da1a3586eb8131293bc6820c3a2d182370f
SHA256 e06753e962e61f0782cccb3b86b131cbdfbec9b8460ce917519034cf15a440c3
SHA512 cbaf5a3b0e0863aa32368058eb69f632306aa46ee6e9d141baf5b00807f71d4a9c5d896743730247c8086145cffc68408311c19d35df79429f5019f446a445b0

memory/1056-115-0x0000000001F60000-0x0000000001FA0000-memory.dmp

memory/2816-126-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1592-135-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Djnpnc32.exe

MD5 cd58a1408c8ce3e432ee75507f8647e4
SHA1 e246788738184276fe8be0300d39051bf1344107
SHA256 f143d3074aa9c771a378134bf8c781c6b774a3e5f5593b64697840e854e45321
SHA512 c1a25a3816fc1072ba0d9f4676d3281dde00986bc008ac2b19af44ebb1125373a79ccdec05f64d07059b8cf7daf91004b38f7942dbcb3cb7a0ded35590d986b4

\Windows\SysWOW64\Dcfdgiid.exe

MD5 e439cf393afc95d36d96756d12a0afb5
SHA1 33620db08b3dc67ba761576b8599f195c462db9a
SHA256 5e4c8593acacb796dd9a37a5d63d78d830fea7f7052f9a0bfda8b32bc34d6fb1
SHA512 c1432e85ba9f1473666fb05c5134776c6388a2f7dfe8e168cab4e587a6f360570487f42a6e37bbb95639fec9163317be3ada098df167d2ba67f948dbcffb621e

memory/1592-143-0x0000000000250000-0x0000000000290000-memory.dmp

memory/1752-150-0x0000000000400000-0x0000000000440000-memory.dmp

\Windows\SysWOW64\Dnlidb32.exe

MD5 e6a4545f8dc2e0076005e77778f14951
SHA1 f22485b8375a23b817aab93149e5807326045e1d
SHA256 1197a6bab1f2045ac7258382daca09b27edc5a620ee11e4c831855626d10096c
SHA512 c3c384b1e9edc94b16547452508e08609eadac84397b4bbe80465ca5fa7abeae59dad9c93794ed6766aeab9ee7761d6a390688c1cbb4fc8483984374ef7fda37

memory/1812-162-0x0000000000400000-0x0000000000440000-memory.dmp

\Windows\SysWOW64\Dgdmmgpj.exe

MD5 4f97f7dbfbdbfc0cbbc61ddd13310e75
SHA1 86de436f2aa05d8a009aee716994f8a9c1d007fc
SHA256 1eb4bc36f5f5c31c4aa7b8618a9eca1e6945413eea3f8d30d93bb24b26cf4c01
SHA512 00e36141eb474201132fe64aba01cb57d18b280d2f888c68034c4e04dd31e1743e35fe6f40ada6f22c83fed5381cde18312a0e2dc629f2b4421bf52fe2725754

\Windows\SysWOW64\Dnneja32.exe

MD5 d357d8cf902e08533421744a9388c51b
SHA1 649795bb68c8d860be4d92c190bc58e6dc3746b5
SHA256 c6920da269e04b5e51e456fe691b84b852d2db90b4e1d5f7f26acc2c77679689
SHA512 e62d964865ea24cca81bd2a93e4fdf5813a825f5a1768594c96630937a41a90ae4da262e5d1d9692b17ec074b7e7def9c1ff3fb0aeb789f5489133816bb69934

memory/1680-188-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2444-182-0x0000000000400000-0x0000000000440000-memory.dmp

\Windows\SysWOW64\Dgfjbgmh.exe

MD5 a082721764b4ef24bb9be3cb53eedf04
SHA1 b165bcec526a506d001efc3fbe4df6bc186e3f8d
SHA256 993badf2dedecf2e47f38f902c9e94cae5b5032f0d1731d3e0c9f61b55952cbd
SHA512 bd946643e65a18a9315a35690d29011810b838ae752f73360bcef3eaa6355c051b0b739d61fb9178b2e81337eb4d7011bb0dcf4e7698d335abee7764b662ac7b

memory/660-206-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Eihfjo32.exe

MD5 f042065743017f0fcee1ab6774556b2c
SHA1 5d7a21776e1fcb0d630c42218d08c627f4468d90
SHA256 ef9f695572e728058976602f5c06095ac3084817bf6f3c23a9f1c42e0d80fa9b
SHA512 401e03f797261ffa235ac8fff6a251293efbc94efeaf25bfa6248500c4555c9579017593d58036dad20726002623e2065e5c7d1c3b30954df77d3a03477c7980

memory/2912-214-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Ejgcdb32.exe

MD5 1f0e1b29851a36ae54abdf07289f7e39
SHA1 5d14ab6b76e01d3df3a2747fe44d546cab5600b3
SHA256 806005c1d7bb4573d2a236a9ca1854361734054b4801b41eaae992cb95631bcd
SHA512 05b049e762f1563033f07831758740511a6afec56286426d3dcdaf517ff309a36a76fa68a86ad5e27328e1492bab879a3e00cc6506f3b34d5ad3dbcf20cd2a6f

memory/332-227-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Emeopn32.exe

MD5 dda183e662edca2e878e36a735c50aa0
SHA1 6d59bcfd42c697dfa0ad4b37cdff6a563003de10
SHA256 791c6c06f5f88cad328e892f09503e15157a923a521aa743c9630c980135310e
SHA512 6bde0f6b974c38280d1438a3e01f8c3046c68de0e3c5fba815448269ae4b5163c7bf2a14a3e6f7166b17215037d8de384e3caceba53bed16a17b494690778802

memory/576-233-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Efncicpm.exe

MD5 7b0ed5cc15c759e2399f3ec50b8ecdd3
SHA1 e61a0a47eecb90ac0b34aefc44441cefd1db239e
SHA256 31b3a498698c849c8f1858de1b9c1280f64e65e21db20fc076ac9e17d62a29e8
SHA512 8e7f56f2fb7c5d777d4deaf43dca5a5711f26c3b0d2d5fe44ad98c3dd1f18e7de4f137175ade4849a96c48f3045eea3c02c495c357ffcd18ded0a64108e3cb07

memory/576-242-0x00000000005D0000-0x0000000000610000-memory.dmp

memory/2964-246-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Eilpeooq.exe

MD5 6f5dc346e2c231f477b1366ac9d6daa7
SHA1 364ebbe16c6e6999b4eb09dba1426bc32dbac484
SHA256 ce6e8a245cf734fa82a54e32bbdf3f0816b9cc1bd090c00d6e633501706be3f8
SHA512 6bfb601fe6772cee877a4cca28eac011bd3fd008878cf013dfefb6b78a3080f8b152d470918253f4fb019587e75a84a0d2e99b69e9340acd100b992c3a40cc02

memory/448-254-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2964-253-0x0000000000250000-0x0000000000290000-memory.dmp

memory/2964-252-0x0000000000250000-0x0000000000290000-memory.dmp

C:\Windows\SysWOW64\Emhlfmgj.exe

MD5 1889f2370383c9712a5e7469d4ec584e
SHA1 9103131399fde3738b8541f5a5c7119491ea16de
SHA256 d17ab1114dac8bba78f03f662d4f7912f66206768a009d0c6dcb80b3f29856f4
SHA512 7c7cb9b96911f22d99e3ab10191b86d1181e67a78df3ae5e741f8db6fb1c766f90f4084c483b747c1fc8a3300d7ec5e6be5ca5147a1ffb76dbee77638f8bfb5c

memory/448-264-0x0000000000250000-0x0000000000290000-memory.dmp

memory/448-263-0x0000000000250000-0x0000000000290000-memory.dmp

memory/1652-265-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1652-274-0x0000000000250000-0x0000000000290000-memory.dmp

C:\Windows\SysWOW64\Efppoc32.exe

MD5 5f6390862fd368e71ef981f48a4114f9
SHA1 3e3a0e9a667000e9be152464a385eace64b1ce1c
SHA256 785e4061f44168e2cbc89b343ada4aab271d62845bbf2f80a76693503b7680a1
SHA512 e2b56fe8e039dc4d90b25ad87cd31d27959cbd605e38c1d839b75e96292d0eef7f7515321acbfe574085d54bdb4bf47431b32f14476e2b66e3888cdbd73fc683

memory/1908-275-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Enkece32.exe

MD5 b9db5d1417f581066030e784265f28ec
SHA1 05ae2d7d8fb13c507fe99caa2aa0d69bdbf6597c
SHA256 d8126d24c31b838f9ac7bf06b3b0ff7de6298b9d9cfeced9df92cdafa8058df8
SHA512 d63dd3077d0c61b1619abb89466eb5428e5104cfae95eb7c0d13114877b35a0aaab1398caeaed28b30b75c084cdc7ab7a6f8022c5affec022e281664ab5da39b

memory/920-286-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1908-285-0x0000000000290000-0x00000000002D0000-memory.dmp

memory/1908-284-0x0000000000290000-0x00000000002D0000-memory.dmp

C:\Windows\SysWOW64\Eiaiqn32.exe

MD5 f2dd091f27c637eaa4f51d7209e1c501
SHA1 78d91fa282258bb9f6953c5150fe455816b3ad15
SHA256 151e1e3426250a959bd2f7e50db008f00c5a8cef94eb6d81395f02aad3eaf536
SHA512 7948d566a4868fc5284aacfff184a1caf74c2be9c7d97d16dc6e67e121573629b747aba3f2e1945cbe3e92ca56b0d5b60d820744c0e0d1670c2e774579418296

memory/920-296-0x00000000002D0000-0x0000000000310000-memory.dmp

memory/2880-300-0x0000000000400000-0x0000000000440000-memory.dmp

memory/920-295-0x00000000002D0000-0x0000000000310000-memory.dmp

C:\Windows\SysWOW64\Eloemi32.exe

MD5 73aa94b9e1d79839c231def7cc0878c4
SHA1 8549460fd0f898c6821ddead8cd5447e021aa957
SHA256 bf1d221a0fa65f7114dce1e5ea4dac7c441db762c6d0571567274a45b83f6815
SHA512 518bc86f2c24f63b6ffafa6376716314bd6b291f8eb9235da139ab2292022d24063544fe7011c147f3340772b272922ada2636979037d69ad63a58419b572ed1

memory/2880-307-0x0000000000250000-0x0000000000290000-memory.dmp

memory/2936-308-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2880-306-0x0000000000250000-0x0000000000290000-memory.dmp

C:\Windows\SysWOW64\Ealnephf.exe

MD5 33dd106a824d226bc8707289030d6eae
SHA1 b0c3c559bcaf15c140e479e7a927fc61b4bdde57
SHA256 93ca406662245821bc25ff76384d145bd70e7a860badea97f14fcc025db786a4
SHA512 3347ceff966453df22a51fa3e27614f3f615bffca9e43a71338ab1a9801798d21d80d1c670e923856add330878e858efb7f5ce3e68af1aca68cbeddbc22e10d5

memory/892-323-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2936-322-0x0000000000250000-0x0000000000290000-memory.dmp

memory/2936-321-0x0000000000250000-0x0000000000290000-memory.dmp

C:\Windows\SysWOW64\Fhffaj32.exe

MD5 28670a9ac99cf3f372a8b7aa580ad83f
SHA1 2254a9f2d3c08f7c89af019d2066af37fd03b1a0
SHA256 98c36ea1223b9e9ce7c9e624a9231cc4a1e44c7e2f41b74c66e11d28fe43bc62
SHA512 caa56bf20e982a2c3c8e9a1f67efff2c3ed2378fc9fdda94a00fcbd082d51bb9759cb259445f3df065914a02fc3451c13b28ec2c75ebcbc121b71a31dd8f8990


Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 21:04

Reported

2024-05-22 21:07

Platform

win10v2004-20240426-en

Max time kernel

134s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3b3af3ca23123bd8809657cd9c8efa60_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\3b3af3ca23123bd8809657cd9c8efa60_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nkqpjidj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ndidbn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ndghmo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ndghmo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nkqpjidj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nbkhfc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nbkhfc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\3b3af3ca23123bd8809657cd9c8efa60_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nbhkac32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nbhkac32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ndidbn32.exe N/A

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Ndghmo32.exe C:\Windows\SysWOW64\Nbhkac32.exe N/A
File created C:\Windows\SysWOW64\Nkqpjidj.exe C:\Windows\SysWOW64\Ndghmo32.exe N/A
File created C:\Windows\SysWOW64\Lkfbjdpq.dll C:\Windows\SysWOW64\Nkqpjidj.exe N/A
File created C:\Windows\SysWOW64\Nkcmohbg.exe C:\Windows\SysWOW64\Ndidbn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nbhkac32.exe C:\Users\Admin\AppData\Local\Temp\3b3af3ca23123bd8809657cd9c8efa60_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Ogpnaafp.dll C:\Windows\SysWOW64\Ndghmo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ndidbn32.exe C:\Windows\SysWOW64\Nbkhfc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nkcmohbg.exe C:\Windows\SysWOW64\Ndidbn32.exe N/A
File created C:\Windows\SysWOW64\Nbhkac32.exe C:\Users\Admin\AppData\Local\Temp\3b3af3ca23123bd8809657cd9c8efa60_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Ipkobd32.dll C:\Users\Admin\AppData\Local\Temp\3b3af3ca23123bd8809657cd9c8efa60_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Ndghmo32.exe C:\Windows\SysWOW64\Nbhkac32.exe N/A
File created C:\Windows\SysWOW64\Bdknoa32.dll C:\Windows\SysWOW64\Nbhkac32.exe N/A
File created C:\Windows\SysWOW64\Nbkhfc32.exe C:\Windows\SysWOW64\Nkqpjidj.exe N/A
File opened for modification C:\Windows\SysWOW64\Nbkhfc32.exe C:\Windows\SysWOW64\Nkqpjidj.exe N/A
File opened for modification C:\Windows\SysWOW64\Nkqpjidj.exe C:\Windows\SysWOW64\Ndghmo32.exe N/A
File created C:\Windows\SysWOW64\Ndidbn32.exe C:\Windows\SysWOW64\Nbkhfc32.exe N/A
File created C:\Windows\SysWOW64\Opbnic32.dll C:\Windows\SysWOW64\Nbkhfc32.exe N/A
File created C:\Windows\SysWOW64\Hnibdpde.dll C:\Windows\SysWOW64\Ndidbn32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Nkcmohbg.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll" C:\Windows\SysWOW64\Nkqpjidj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nkqpjidj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} C:\Users\Admin\AppData\Local\Temp\3b3af3ca23123bd8809657cd9c8efa60_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll" C:\Users\Admin\AppData\Local\Temp\3b3af3ca23123bd8809657cd9c8efa60_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\3b3af3ca23123bd8809657cd9c8efa60_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nkqpjidj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node C:\Users\Admin\AppData\Local\Temp\3b3af3ca23123bd8809657cd9c8efa60_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nbhkac32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nbkhfc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\3b3af3ca23123bd8809657cd9c8efa60_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll" C:\Windows\SysWOW64\Nbhkac32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nbhkac32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nbkhfc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll" C:\Windows\SysWOW64\Nbkhfc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ndidbn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll" C:\Windows\SysWOW64\Ndidbn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ndidbn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\3b3af3ca23123bd8809657cd9c8efa60_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ndghmo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll" C:\Windows\SysWOW64\Ndghmo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ndghmo32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1184 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\3b3af3ca23123bd8809657cd9c8efa60_NeikiAnalytics.exe C:\Windows\SysWOW64\Nbhkac32.exe
PID 1184 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\3b3af3ca23123bd8809657cd9c8efa60_NeikiAnalytics.exe C:\Windows\SysWOW64\Nbhkac32.exe
PID 1184 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\3b3af3ca23123bd8809657cd9c8efa60_NeikiAnalytics.exe C:\Windows\SysWOW64\Nbhkac32.exe
PID 2140 wrote to memory of 1692 N/A C:\Windows\SysWOW64\Nbhkac32.exe C:\Windows\SysWOW64\Ndghmo32.exe
PID 2140 wrote to memory of 1692 N/A C:\Windows\SysWOW64\Nbhkac32.exe C:\Windows\SysWOW64\Ndghmo32.exe
PID 2140 wrote to memory of 1692 N/A C:\Windows\SysWOW64\Nbhkac32.exe C:\Windows\SysWOW64\Ndghmo32.exe
PID 1692 wrote to memory of 1992 N/A C:\Windows\SysWOW64\Ndghmo32.exe C:\Windows\SysWOW64\Nkqpjidj.exe
PID 1692 wrote to memory of 1992 N/A C:\Windows\SysWOW64\Ndghmo32.exe C:\Windows\SysWOW64\Nkqpjidj.exe
PID 1692 wrote to memory of 1992 N/A C:\Windows\SysWOW64\Ndghmo32.exe C:\Windows\SysWOW64\Nkqpjidj.exe
PID 1992 wrote to memory of 3124 N/A C:\Windows\SysWOW64\Nkqpjidj.exe C:\Windows\SysWOW64\Nbkhfc32.exe
PID 1992 wrote to memory of 3124 N/A C:\Windows\SysWOW64\Nkqpjidj.exe C:\Windows\SysWOW64\Nbkhfc32.exe
PID 1992 wrote to memory of 3124 N/A C:\Windows\SysWOW64\Nkqpjidj.exe C:\Windows\SysWOW64\Nbkhfc32.exe
PID 3124 wrote to memory of 2540 N/A C:\Windows\SysWOW64\Nbkhfc32.exe C:\Windows\SysWOW64\Ndidbn32.exe
PID 3124 wrote to memory of 2540 N/A C:\Windows\SysWOW64\Nbkhfc32.exe C:\Windows\SysWOW64\Ndidbn32.exe
PID 3124 wrote to memory of 2540 N/A C:\Windows\SysWOW64\Nbkhfc32.exe C:\Windows\SysWOW64\Ndidbn32.exe
PID 2540 wrote to memory of 3328 N/A C:\Windows\SysWOW64\Ndidbn32.exe C:\Windows\SysWOW64\Nkcmohbg.exe
PID 2540 wrote to memory of 3328 N/A C:\Windows\SysWOW64\Ndidbn32.exe C:\Windows\SysWOW64\Nkcmohbg.exe
PID 2540 wrote to memory of 3328 N/A C:\Windows\SysWOW64\Ndidbn32.exe C:\Windows\SysWOW64\Nkcmohbg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3b3af3ca23123bd8809657cd9c8efa60_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3b3af3ca23123bd8809657cd9c8efa60_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Nbhkac32.exe

C:\Windows\system32\Nbhkac32.exe

C:\Windows\SysWOW64\Ndghmo32.exe

C:\Windows\system32\Ndghmo32.exe

C:\Windows\SysWOW64\Nkqpjidj.exe

C:\Windows\system32\Nkqpjidj.exe

C:\Windows\SysWOW64\Nbkhfc32.exe

C:\Windows\system32\Nbkhfc32.exe

C:\Windows\SysWOW64\Ndidbn32.exe

C:\Windows\system32\Ndidbn32.exe

C:\Windows\SysWOW64\Nkcmohbg.exe

C:\Windows\system32\Nkcmohbg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3328 -ip 3328

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 408

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files
