Analysis Overview
SHA256
d04cb939a5120c10c89db9592131e7fb8415e03c529101baa59e39b0520b2ca6
Threat Level: Known bad
The file 3b3af3ca23123bd8809657cd9c8efa60_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Berbew family
Adds autorun key to be loaded by Explorer.exe on startup
Malware Dropper & Backdoor - Berbew
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Program crash
Unsigned PE
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-22 21:04
Signatures
Berbew family
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 21:04
Reported
2024-05-22 21:07
Platform
win7-20240508-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cciemedf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cciemedf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ddagfm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gbnccfpb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Henidd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hkkalk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hgilchkf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Iaeiieeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dflkdp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Djnpnc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dcfdgiid.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Eiaiqn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fjilieka.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hkpnhgge.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Iaeiieeb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dflkdp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ealnephf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fioija32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ffbicfoc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hmlnoc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hobcak32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Efncicpm.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fdoclk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gfefiemq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hhjhkq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Iknnbklc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cphlljge.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Clcflkic.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dnlidb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Efncicpm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Glfhll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hobcak32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cbnbobin.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dgfjbgmh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hcifgjgc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fnpnndgp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fejgko32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gdamqndn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hnojdcfi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dkhcmgnl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Eihfjo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hahjpbad.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gddifnbk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hknach32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hknach32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Idceea32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ddagfm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dcfdgiid.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dgfjbgmh.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Enkece32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Eiaiqn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gicbeald.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dnlidb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Emeopn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fejgko32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Iknnbklc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dgdmmgpj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gpknlk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hgilchkf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Clcflkic.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Emhlfmgj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hiekid32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hogmmjfo.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gicbeald.exe | N/A |
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\Fejgko32.exe | C:\Windows\SysWOW64\Fnpnndgp.exe | N/A |
| File created | C:\Windows\SysWOW64\Ooghhh32.dll | C:\Windows\SysWOW64\Gbnccfpb.exe | N/A |
| File created | C:\Windows\SysWOW64\Hgilchkf.exe | C:\Windows\SysWOW64\Hobcak32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hpapln32.exe | C:\Windows\SysWOW64\Hhjhkq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Efncicpm.exe | C:\Windows\SysWOW64\Emeopn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Eiaiqn32.exe | C:\Windows\SysWOW64\Enkece32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Iknnbklc.exe | C:\Windows\SysWOW64\Idceea32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dcfdgiid.exe | C:\Windows\SysWOW64\Djnpnc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fclomp32.dll | C:\Windows\SysWOW64\Dgfjbgmh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fmhheqje.exe | C:\Windows\SysWOW64\Fjilieka.exe | N/A |
| File created | C:\Windows\SysWOW64\Hdhbam32.exe | C:\Windows\SysWOW64\Hnojdcfi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cbnbobin.exe | C:\Windows\SysWOW64\Chemfl32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Djnpnc32.exe | C:\Windows\SysWOW64\Ddagfm32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hpocfncj.exe | C:\Windows\SysWOW64\Hiekid32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dnlidb32.exe | C:\Windows\SysWOW64\Dcfdgiid.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fejgko32.exe | C:\Windows\SysWOW64\Fnpnndgp.exe | N/A |
| File created | C:\Windows\SysWOW64\Gaemjbcg.exe | C:\Windows\SysWOW64\Gkkemh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hepmggig.dll | C:\Windows\SysWOW64\Hdhbam32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hjjddchg.exe | C:\Windows\SysWOW64\Henidd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dflkdp32.exe | C:\Windows\SysWOW64\Clcflkic.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ealnephf.exe | C:\Windows\SysWOW64\Eloemi32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fdoclk32.exe | C:\Windows\SysWOW64\Faagpp32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Chemfl32.exe | C:\Windows\SysWOW64\Cciemedf.exe | N/A |
| File created | C:\Windows\SysWOW64\Ddagfm32.exe | C:\Windows\SysWOW64\Dkhcmgnl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ffbicfoc.exe | C:\Windows\SysWOW64\Flmefm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Iaeiieeb.exe | C:\Windows\SysWOW64\Hogmmjfo.exe | N/A |
| File created | C:\Windows\SysWOW64\Clcflkic.exe | C:\Windows\SysWOW64\Cbnbobin.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ejgcdb32.exe | C:\Windows\SysWOW64\Eihfjo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Egdnbg32.dll | C:\Windows\SysWOW64\Ejgcdb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ojhcelga.dll | C:\Windows\SysWOW64\Hkkalk32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gkgkbipp.exe | C:\Windows\SysWOW64\Gicbeald.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gbnccfpb.exe | C:\Windows\SysWOW64\Gkgkbipp.exe | N/A |
| File created | C:\Windows\SysWOW64\Hknach32.exe | C:\Windows\SysWOW64\Gddifnbk.exe | N/A |
| File created | C:\Windows\SysWOW64\Hogmmjfo.exe | C:\Windows\SysWOW64\Hkkalk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dcfdgiid.exe | C:\Windows\SysWOW64\Djnpnc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lbidmekh.dll | C:\Windows\SysWOW64\Efppoc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gfefiemq.exe | C:\Windows\SysWOW64\Gpknlk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gicbeald.exe | C:\Windows\SysWOW64\Gfefiemq.exe | N/A |
| File created | C:\Windows\SysWOW64\Pqiqnfej.dll | C:\Windows\SysWOW64\Iaeiieeb.exe | N/A |
| File created | C:\Windows\SysWOW64\Goddhg32.exe | C:\Windows\SysWOW64\Glfhll32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ejdmpb32.dll | C:\Windows\SysWOW64\Hjjddchg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cfbhnaho.exe | C:\Users\Admin\AppData\Local\Temp\3b3af3ca23123bd8809657cd9c8efa60_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gddifnbk.exe | C:\Windows\SysWOW64\Gaemjbcg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hmlnoc32.exe | C:\Windows\SysWOW64\Hknach32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pfabenjd.dll | C:\Windows\SysWOW64\Gaemjbcg.exe | N/A |
| File created | C:\Windows\SysWOW64\Hahjpbad.exe | C:\Windows\SysWOW64\Hmlnoc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hcifgjgc.exe | C:\Windows\SysWOW64\Hahjpbad.exe | N/A |
| File created | C:\Windows\SysWOW64\Ebagmn32.dll | C:\Windows\SysWOW64\Dgdmmgpj.exe | N/A |
| File created | C:\Windows\SysWOW64\Ndabhn32.dll | C:\Windows\SysWOW64\Hnojdcfi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hejoiedd.exe | C:\Windows\SysWOW64\Hdhbam32.exe | N/A |
| File created | C:\Windows\SysWOW64\Henidd32.exe | C:\Windows\SysWOW64\Hpapln32.exe | N/A |
| File created | C:\Windows\SysWOW64\Faagpp32.exe | C:\Windows\SysWOW64\Fejgko32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nokeef32.dll | C:\Windows\SysWOW64\Hpocfncj.exe | N/A |
| File created | C:\Windows\SysWOW64\Gmibbifn.dll | C:\Windows\SysWOW64\Hogmmjfo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Faagpp32.exe | C:\Windows\SysWOW64\Fejgko32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lkojpojq.dll | C:\Windows\SysWOW64\Emeopn32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gaemjbcg.exe | C:\Windows\SysWOW64\Gkkemh32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Flmefm32.exe | C:\Windows\SysWOW64\Fioija32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pffgja32.dll | C:\Windows\SysWOW64\Hcifgjgc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hogmmjfo.exe | C:\Windows\SysWOW64\Hkkalk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Iknnbklc.exe | C:\Windows\SysWOW64\Idceea32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jnmgmhmc.dll | C:\Windows\SysWOW64\Fioija32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hiekid32.exe | C:\Windows\SysWOW64\Hejoiedd.exe | N/A |
| File created | C:\Windows\SysWOW64\Eihfjo32.exe | C:\Windows\SysWOW64\Dgfjbgmh.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Iagfoe32.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnoillim.dll" | C:\Windows\SysWOW64\Efncicpm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gdamqndn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hhjhkq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\3b3af3ca23123bd8809657cd9c8efa60_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cfbhnaho.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Gaemjbcg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hkpnhgge.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Henidd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dnlidb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgcampld.dll" | C:\Windows\SysWOW64\Eilpeooq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Enkece32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghqknigk.dll" | C:\Windows\SysWOW64\Fmhheqje.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Gpknlk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fclomp32.dll" | C:\Windows\SysWOW64\Dgfjbgmh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hmlnoc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hgilchkf.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Fioija32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfoihbdp.dll" | C:\Windows\SysWOW64\Ffbicfoc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hobcak32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqpofkjo.dll" | C:\Windows\SysWOW64\Idceea32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Efncicpm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fnpnndgp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgahch32.dll" | C:\Windows\SysWOW64\Fejgko32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Iknnbklc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hpocfncj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgdqfpma.dll" | C:\Windows\SysWOW64\Cfbhnaho.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cphlljge.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbiiek32.dll" | C:\Windows\SysWOW64\Cbnbobin.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bibckiab.dll" | C:\Windows\SysWOW64\Enkece32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Gicbeald.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ddagfm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejdmpb32.dll" | C:\Windows\SysWOW64\Hjjddchg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Enkece32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhfkbo32.dll" | C:\Windows\SysWOW64\Henidd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Gkkemh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gkkemh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gaemjbcg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cciemedf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dnneja32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Eihfjo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olndbg32.dll" | C:\Windows\SysWOW64\Faagpp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooghhh32.dll" | C:\Windows\SysWOW64\Gbnccfpb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | C:\Users\Admin\AppData\Local\Temp\3b3af3ca23123bd8809657cd9c8efa60_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dkhcmgnl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ddagfm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gpknlk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncolgf32.dll" | C:\Windows\SysWOW64\Hknach32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbniiffi.dll" | C:\Windows\SysWOW64\Hobcak32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\3b3af3ca23123bd8809657cd9c8efa60_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpbjlbfp.dll" | C:\Windows\SysWOW64\Eiaiqn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Eloemi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hkkalk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cbnbobin.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hghmjpap.dll" | C:\Windows\SysWOW64\Gpknlk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hejoiedd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polebcgg.dll" | C:\Windows\SysWOW64\Hpapln32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Fmhheqje.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kleiio32.dll" | C:\Windows\SysWOW64\Gfefiemq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhflmk32.dll" | C:\Windows\SysWOW64\Dnlidb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hogmmjfo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njqaac32.dll" | C:\Windows\SysWOW64\Eihfjo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | C:\Users\Admin\AppData\Local\Temp\3b3af3ca23123bd8809657cd9c8efa60_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Fjilieka.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fmhheqje.exe | N/A |
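The rows above show the two halves of the persistence mechanism the "Adds autorun key to be loaded by Explorer.exe on startup" signature refers to: a ShellServiceObjectDelayLoad (SSODL) value named "Web Event Logger" that points at CLSID {79FEACFF-FFCE-815E-A900-316290B5B738}, and, under that CLSID in the Wow6432Node view, an InProcServer32 default value pointing at a freshly dropped DLL in SysWOW64 with ThreadingModel = "Apartment". Explorer resolves every SSODL CLSID to its InProcServer32 DLL at logon, so whatever DLL that value names gets loaded into explorer.exe. The following check is an added example for this page, not part of the sandbox output or of the Berbew sample; it assumes an elevated PowerShell 3.0 or later session on the Windows host being examined, and the function names are the author's own. It walks both registry views, resolves each SSODL entry to its DLL, and flags entries whose DLL is missing, unsigned, or not signed by Microsoft.

```powershell
# Added example (not from the sandbox report or the Berbew sample).
# Assumes: elevated PowerShell 3.0+ on the Windows host under investigation.
# Enumerates ShellServiceObjectDelayLoad (SSODL) in both the native and the
# Wow6432Node view, resolves each CLSID to its InProcServer32 DLL, and flags
# anything Explorer would load that is missing, unsigned or non-Microsoft.

function Get-SsodlEntry {
    # One object per SSODL value, for the native view and the Wow6432Node (32-bit) view.
    $views = @(
        @{ Ssodl = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
           Clsid = 'HKLM:\SOFTWARE\Classes\CLSID'; View = 'Native' },
        @{ Ssodl = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
           Clsid = 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'; View = 'Wow6432Node' }
    )
    foreach ($v in $views) {
        if (-not (Test-Path -LiteralPath $v.Ssodl)) { continue }
        $props = Get-ItemProperty -LiteralPath $v.Ssodl
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PSPath/PSParentPath/... are provider metadata, not registry values
            $clsid  = [string]$p.Value
            $inproc = Join-Path $v.Clsid "$clsid\InProcServer32"
            $dll = $null; $model = $null
            if (Test-Path -LiteralPath $inproc) {
                $ip    = Get-ItemProperty -LiteralPath $inproc
                # The DLL path is the key's default value, exposed by Get-ItemProperty as '(default)'.
                $dll   = [Environment]::ExpandEnvironmentVariables([string]$ip.'(default)')
                $model = $ip.ThreadingModel
            }
            [pscustomobject]@{
                View           = $v.View
                Name           = $p.Name
                Clsid          = $clsid
                InProcServer32 = $dll
                ThreadingModel = $model
            }
        }
    }
}

function Test-SsodlEntry {
    # Adds the on-disk and Authenticode checks a responder wants before calling an entry benign.
    param([Parameter(Mandatory, ValueFromPipeline)] $Entry)
    process {
        $reasons = @()
        $status  = 'n/a'
        $signer  = $null
        $dll     = $Entry.InProcServer32
        if (-not $dll) {
            $reasons += 'CLSID has no InProcServer32 value'
        } elseif (-not (Test-Path -LiteralPath $dll)) {
            $reasons += 'InProcServer32 DLL missing on disk'
        } else {
            $sig    = Get-AuthenticodeSignature -FilePath $dll
            $status = $sig.Status.ToString()          # Valid, NotSigned, HashMismatch, ...
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            if ($status -ne 'Valid') {
                $reasons += "signature status $status"
            } elseif ($signer -notmatch 'O=Microsoft Corporation') {
                $reasons += "signed by non-Microsoft certificate: $signer"
            }
        }
        [pscustomobject]@{
            View            = $Entry.View
            Name            = $Entry.Name
            Clsid           = $Entry.Clsid
            InProcServer32  = $dll
            ThreadingModel  = $Entry.ThreadingModel
            SignatureStatus = $status
            Suspicious      = ($reasons.Count -gt 0)
            Reasons         = ($reasons -join '; ')
        }
    }
}

Get-SsodlEntry | Test-SsodlEntry |
    Format-Table View, Name, Clsid, InProcServer32, SignatureStatus, Suspicious, Reasons -AutoSize
```

Two points from the rows above matter when running this on a real host. First, the sample writes the Wow6432Node view, so a check that reads only the native SSODL key never sees the entry; both views are enumerated here. Second, the InProcServer32 default value is rewritten by one process after another in the chain (Ooghhh32.dll, Ncolgf32.dll, Nbniiffi.dll, Lpbjlbfp.dll, Hghmjpap.dll, Polebcgg.dll, Kleiio32.dll, Dhflmk32.dll, Njqaac32.dll), so the DLL name on a live host is whatever the last copy wrote; pivot on the value name "Web Event Logger" and the CLSID, and on the signature result, rather than on any one DLL name. The script only reports; removing the SSODL value and the CLSID key is a separate, deliberate step.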
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\3b3af3ca23123bd8809657cd9c8efa60_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\3b3af3ca23123bd8809657cd9c8efa60_NeikiAnalytics.exe" |
| C:\Windows\SysWOW64\Cfbhnaho.exe | C:\Windows\system32\Cfbhnaho.exe |
| C:\Windows\SysWOW64\Cphlljge.exe | C:\Windows\system32\Cphlljge.exe |
| C:\Windows\SysWOW64\Cciemedf.exe | C:\Windows\system32\Cciemedf.exe |
| C:\Windows\SysWOW64\Chemfl32.exe | C:\Windows\system32\Chemfl32.exe |
| C:\Windows\SysWOW64\Cbnbobin.exe | C:\Windows\system32\Cbnbobin.exe |
| C:\Windows\SysWOW64\Clcflkic.exe | C:\Windows\system32\Clcflkic.exe |
| C:\Windows\SysWOW64\Dflkdp32.exe | C:\Windows\system32\Dflkdp32.exe |
| C:\Windows\SysWOW64\Dkhcmgnl.exe | C:\Windows\system32\Dkhcmgnl.exe |
| C:\Windows\SysWOW64\Ddagfm32.exe | C:\Windows\system32\Ddagfm32.exe |
| C:\Windows\SysWOW64\Djnpnc32.exe | C:\Windows\system32\Djnpnc32.exe |
| C:\Windows\SysWOW64\Dcfdgiid.exe | C:\Windows\system32\Dcfdgiid.exe |
| C:\Windows\SysWOW64\Dnlidb32.exe | C:\Windows\system32\Dnlidb32.exe |
| C:\Windows\SysWOW64\Dgdmmgpj.exe | C:\Windows\system32\Dgdmmgpj.exe |
| C:\Windows\SysWOW64\Dnneja32.exe | C:\Windows\system32\Dnneja32.exe |
| C:\Windows\SysWOW64\Dgfjbgmh.exe | C:\Windows\system32\Dgfjbgmh.exe |
| C:\Windows\SysWOW64\Eihfjo32.exe | C:\Windows\system32\Eihfjo32.exe |
| C:\Windows\SysWOW64\Ejgcdb32.exe | C:\Windows\system32\Ejgcdb32.exe |
| C:\Windows\SysWOW64\Emeopn32.exe | C:\Windows\system32\Emeopn32.exe |
| C:\Windows\SysWOW64\Efncicpm.exe | C:\Windows\system32\Efncicpm.exe |
| C:\Windows\SysWOW64\Eilpeooq.exe | C:\Windows\system32\Eilpeooq.exe |
| C:\Windows\SysWOW64\Emhlfmgj.exe | C:\Windows\system32\Emhlfmgj.exe |
| C:\Windows\SysWOW64\Efppoc32.exe | C:\Windows\system32\Efppoc32.exe |
| C:\Windows\SysWOW64\Enkece32.exe | C:\Windows\system32\Enkece32.exe |
| C:\Windows\SysWOW64\Eiaiqn32.exe | C:\Windows\system32\Eiaiqn32.exe |
| C:\Windows\SysWOW64\Eloemi32.exe | C:\Windows\system32\Eloemi32.exe |
| C:\Windows\SysWOW64\Ealnephf.exe | C:\Windows\system32\Ealnephf.exe |
| C:\Windows\SysWOW64\Fhffaj32.exe | C:\Windows\system32\Fhffaj32.exe |
| C:\Windows\SysWOW64\Fnpnndgp.exe | C:\Windows\system32\Fnpnndgp.exe |
| C:\Windows\SysWOW64\Fejgko32.exe | C:\Windows\system32\Fejgko32.exe |
| C:\Windows\SysWOW64\Faagpp32.exe | C:\Windows\system32\Faagpp32.exe |
| C:\Windows\SysWOW64\Fdoclk32.exe | C:\Windows\system32\Fdoclk32.exe |
| C:\Windows\SysWOW64\Fjilieka.exe | C:\Windows\system32\Fjilieka.exe |
| C:\Windows\SysWOW64\Fmhheqje.exe | C:\Windows\system32\Fmhheqje.exe |
| C:\Windows\SysWOW64\Fioija32.exe | C:\Windows\system32\Fioija32.exe |
| C:\Windows\SysWOW64\Flmefm32.exe | C:\Windows\system32\Flmefm32.exe |
| C:\Windows\SysWOW64\Ffbicfoc.exe | C:\Windows\system32\Ffbicfoc.exe |
| C:\Windows\SysWOW64\Gpknlk32.exe | C:\Windows\system32\Gpknlk32.exe |
| C:\Windows\SysWOW64\Gfefiemq.exe | C:\Windows\system32\Gfefiemq.exe |
| C:\Windows\SysWOW64\Gicbeald.exe | C:\Windows\system32\Gicbeald.exe |
| C:\Windows\SysWOW64\Gkgkbipp.exe | C:\Windows\system32\Gkgkbipp.exe |
| C:\Windows\SysWOW64\Gbnccfpb.exe | C:\Windows\system32\Gbnccfpb.exe |
| C:\Windows\SysWOW64\Glfhll32.exe | C:\Windows\system32\Glfhll32.exe |
| C:\Windows\SysWOW64\Goddhg32.exe | C:\Windows\system32\Goddhg32.exe |
| C:\Windows\SysWOW64\Gdamqndn.exe | C:\Windows\system32\Gdamqndn.exe |
| C:\Windows\SysWOW64\Gkkemh32.exe | C:\Windows\system32\Gkkemh32.exe |
| C:\Windows\SysWOW64\Gaemjbcg.exe | C:\Windows\system32\Gaemjbcg.exe |
| C:\Windows\SysWOW64\Gddifnbk.exe | C:\Windows\system32\Gddifnbk.exe |
| C:\Windows\SysWOW64\Hknach32.exe | C:\Windows\system32\Hknach32.exe |
| C:\Windows\SysWOW64\Hmlnoc32.exe | C:\Windows\system32\Hmlnoc32.exe |
| C:\Windows\SysWOW64\Hahjpbad.exe | C:\Windows\system32\Hahjpbad.exe |
| C:\Windows\SysWOW64\Hcifgjgc.exe | C:\Windows\system32\Hcifgjgc.exe |
| C:\Windows\SysWOW64\Hkpnhgge.exe | C:\Windows\system32\Hkpnhgge.exe |
| C:\Windows\SysWOW64\Hnojdcfi.exe | C:\Windows\system32\Hnojdcfi.exe |
| C:\Windows\SysWOW64\Hdhbam32.exe | C:\Windows\system32\Hdhbam32.exe |
| C:\Windows\SysWOW64\Hejoiedd.exe | C:\Windows\system32\Hejoiedd.exe |
| C:\Windows\SysWOW64\Hiekid32.exe | C:\Windows\system32\Hiekid32.exe |
| C:\Windows\SysWOW64\Hpocfncj.exe | C:\Windows\system32\Hpocfncj.exe |
| C:\Windows\SysWOW64\Hobcak32.exe | C:\Windows\system32\Hobcak32.exe |
| C:\Windows\SysWOW64\Hgilchkf.exe | C:\Windows\system32\Hgilchkf.exe |
| C:\Windows\SysWOW64\Hhjhkq32.exe | C:\Windows\system32\Hhjhkq32.exe |
| C:\Windows\SysWOW64\Hpapln32.exe | C:\Windows\system32\Hpapln32.exe |
| C:\Windows\SysWOW64\Henidd32.exe | C:\Windows\system32\Henidd32.exe |
| C:\Windows\SysWOW64\Hjjddchg.exe | C:\Windows\system32\Hjjddchg.exe |
| C:\Windows\SysWOW64\Hkkalk32.exe | C:\Windows\system32\Hkkalk32.exe |
| C:\Windows\SysWOW64\Hogmmjfo.exe | C:\Windows\system32\Hogmmjfo.exe |
| C:\Windows\SysWOW64\Iaeiieeb.exe | C:\Windows\system32\Iaeiieeb.exe |
| C:\Windows\SysWOW64\Idceea32.exe | C:\Windows\system32\Idceea32.exe |
| C:\Windows\SysWOW64\Iknnbklc.exe | C:\Windows\system32\Iknnbklc.exe |
| C:\Windows\SysWOW64\Iagfoe32.exe | C:\Windows\system32\Iagfoe32.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 140 |
Network
Files
memory/836-0-0x0000000000400000-0x0000000000440000-memory.dmp
\Windows\SysWOW64\Cfbhnaho.exe
| MD5 | a3733efbf96d8e673882e44435fdd82a |
| SHA1 | 6fc559de420224f14f747926973a9c1fc8c9f959 |
| SHA256 | 5a6aeeff9b536466edcef450d52fbf86876ab23bbedd1a4db6d1794530aaba87 |
| SHA512 | 1dbc3e9b6af1a65c579bcba51a598d24925915b9c084d2d259646bb5d7372c7dd5536cca2f2d7c937ff6bbd495c0e130e00978c3abf0e6ee5b82c4fdd0ea0529 |
memory/3064-13-0x0000000000400000-0x0000000000440000-memory.dmp
memory/836-12-0x00000000002D0000-0x0000000000310000-memory.dmp
\Windows\SysWOW64\Cphlljge.exe
| MD5 | d370ba4d72e759ed620db2a0b08e3d8d |
| SHA1 | 3981d27121b6af7479c1740a9a2dd8af864be7cf |
| SHA256 | 161f165b6b6d66c5e82fd14f8234a333303275a29e6609a8e3d719b5d889abba |
| SHA512 | c8cca8eba3506d033b544a570e3f93b0240e7d63cfce6e0d2f89b393b291bb7e8261bc487e2c1da0fcc652c400264154cd5161baf9d633fdc2fde99a55f21237 |
memory/3064-26-0x0000000000440000-0x0000000000480000-memory.dmp
memory/2796-27-0x0000000000400000-0x0000000000440000-memory.dmp
\Windows\SysWOW64\Cciemedf.exe
| MD5 | 0a038eb3267e229059e4aba4d0da2957 |
| SHA1 | 275c02666f2ebe4984fc0deb312f84a48b540316 |
| SHA256 | 91577d1bcac1b7c5f1a0943995ea75c807dd45ef319113aa63114405286ddd89 |
| SHA512 | 5288052631dfad786e7e19be67dbc14b63aeda5136e7e9cd49d5d47707c19a06cce3805a27897b22e83fb8af9f41c096cab1fefa1d5da9380f818b8b80d562c9 |
memory/2796-34-0x0000000000250000-0x0000000000290000-memory.dmp
C:\Windows\SysWOW64\Chemfl32.exe
| MD5 | 37440a697a6bbfb4f2936bf6b03de660 |
| SHA1 | f2ab15335840283e7f544115ab3b60565e2055d6 |
| SHA256 | 6e4ad3c25deaf26d1bb5f4b11f544969574c9d7068ab19660300f8fa624d984d |
| SHA512 | 644392f79176636438c9c2ae3e233b06ef66926656218e26c14bdd43cd618baaa9d8e2fb19fe49d0208d0947b778d902c60ece8ad6b5334d109e227d6c5b60ce |
memory/2744-50-0x0000000000250000-0x0000000000290000-memory.dmp
memory/2744-47-0x0000000000400000-0x0000000000440000-memory.dmp
\Windows\SysWOW64\Cbnbobin.exe
| MD5 | 83d85ed96d60ea9cae287505ca50c29c |
| SHA1 | 2849444641e6544228793b824a343d48f93932d3 |
| SHA256 | 8d48e37f394fd4b766f8d3f650583b6799cbca39ec86e3a23467ae65a0054c12 |
| SHA512 | 1d003bfdb57c47e6df81dfb0e03dbba1390a495c768e2a584e2ab9247a16fab6671fc5daa21f8c5256717e9181e961a1f2f066ca9fea9e9a8e957a11f4a1d411 |
memory/2892-62-0x00000000002D0000-0x0000000000310000-memory.dmp
memory/2852-72-0x0000000000400000-0x0000000000440000-memory.dmp
\Windows\SysWOW64\Clcflkic.exe
| MD5 | a6fbb2042ad99db8d24f53438103f6b6 |
| SHA1 | 8cdef79dea739efb70512296d058584d73913d14 |
| SHA256 | f4b9fb2bb683619912786d95fe806722cef799f9efe2c7cfeeacf9ce49b7934a |
| SHA512 | 22458b309afda9103c07dc16efd9c8779cd451b562da624bb04d34a664814f39e9e937e9bd39fc07e8d79195fdf4e0ee24b27a6d5c9d7bac897fc8ab57cec9a7 |
memory/2684-81-0x0000000000400000-0x0000000000440000-memory.dmp
\Windows\SysWOW64\Dflkdp32.exe
| MD5 | 228e6c13817f81ef7d70b588a595564f |
| SHA1 | 5dadb4413632d2816c911b86378d5e7b2f7f6bcc |
| SHA256 | 2667219d3e926dcc934d2e03f529deb0b331a7d57af6ccec12f3511ad64269ed |
| SHA512 | 2260344078d227001c15eef1aac2adf7471d240e41f440525243b5f59dd3a3a23ebadfb705f0a57521a9c2257aabadc56eae04bdc45fe960bb74493619ab9a09 |
memory/2684-89-0x00000000002D0000-0x0000000000310000-memory.dmp
memory/2236-100-0x0000000000400000-0x0000000000440000-memory.dmp
\Windows\SysWOW64\Dkhcmgnl.exe
| MD5 | 6ccddb465905df1298c0bcdae260bea0 |
| SHA1 | 5f387f92448b2457f3aa43d1853a2f7d5ecbcef5 |
| SHA256 | e2c1a57ea01e18bbb136a2588ee88416d36d75ef783d6a98d3f801fce5e48681 |
| SHA512 | 85f95becfa830d2b832bd1ce2beae7193a6048bae5c9819e8a8ce650172c38616dc8f9cae297aa46515b4c16548111930daaf1e5986b057362567f78df379411 |
memory/1056-108-0x0000000000400000-0x0000000000440000-memory.dmp
\Windows\SysWOW64\Ddagfm32.exe
| MD5 | 416bdca5a0c4fbca45ec5f58343cea05 |
| SHA1 | 8c414da1a3586eb8131293bc6820c3a2d182370f |
| SHA256 | e06753e962e61f0782cccb3b86b131cbdfbec9b8460ce917519034cf15a440c3 |
| SHA512 | cbaf5a3b0e0863aa32368058eb69f632306aa46ee6e9d141baf5b00807f71d4a9c5d896743730247c8086145cffc68408311c19d35df79429f5019f446a445b0 |
memory/1056-115-0x0000000001F60000-0x0000000001FA0000-memory.dmp
memory/2816-126-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1592-135-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Djnpnc32.exe
| MD5 | cd58a1408c8ce3e432ee75507f8647e4 |
| SHA1 | e246788738184276fe8be0300d39051bf1344107 |
| SHA256 | f143d3074aa9c771a378134bf8c781c6b774a3e5f5593b64697840e854e45321 |
| SHA512 | c1a25a3816fc1072ba0d9f4676d3281dde00986bc008ac2b19af44ebb1125373a79ccdec05f64d07059b8cf7daf91004b38f7942dbcb3cb7a0ded35590d986b4 |
\Windows\SysWOW64\Dcfdgiid.exe
| MD5 | e439cf393afc95d36d96756d12a0afb5 |
| SHA1 | 33620db08b3dc67ba761576b8599f195c462db9a |
| SHA256 | 5e4c8593acacb796dd9a37a5d63d78d830fea7f7052f9a0bfda8b32bc34d6fb1 |
| SHA512 | c1432e85ba9f1473666fb05c5134776c6388a2f7dfe8e168cab4e587a6f360570487f42a6e37bbb95639fec9163317be3ada098df167d2ba67f948dbcffb621e |
memory/1592-143-0x0000000000250000-0x0000000000290000-memory.dmp
memory/1752-150-0x0000000000400000-0x0000000000440000-memory.dmp
\Windows\SysWOW64\Dnlidb32.exe
| MD5 | e6a4545f8dc2e0076005e77778f14951 |
| SHA1 | f22485b8375a23b817aab93149e5807326045e1d |
| SHA256 | 1197a6bab1f2045ac7258382daca09b27edc5a620ee11e4c831855626d10096c |
| SHA512 | c3c384b1e9edc94b16547452508e08609eadac84397b4bbe80465ca5fa7abeae59dad9c93794ed6766aeab9ee7761d6a390688c1cbb4fc8483984374ef7fda37 |
memory/1812-162-0x0000000000400000-0x0000000000440000-memory.dmp
\Windows\SysWOW64\Dgdmmgpj.exe
| MD5 | 4f97f7dbfbdbfc0cbbc61ddd13310e75 |
| SHA1 | 86de436f2aa05d8a009aee716994f8a9c1d007fc |
| SHA256 | 1eb4bc36f5f5c31c4aa7b8618a9eca1e6945413eea3f8d30d93bb24b26cf4c01 |
| SHA512 | 00e36141eb474201132fe64aba01cb57d18b280d2f888c68034c4e04dd31e1743e35fe6f40ada6f22c83fed5381cde18312a0e2dc629f2b4421bf52fe2725754 |
\Windows\SysWOW64\Dnneja32.exe
| MD5 | d357d8cf902e08533421744a9388c51b |
| SHA1 | 649795bb68c8d860be4d92c190bc58e6dc3746b5 |
| SHA256 | c6920da269e04b5e51e456fe691b84b852d2db90b4e1d5f7f26acc2c77679689 |
| SHA512 | e62d964865ea24cca81bd2a93e4fdf5813a825f5a1768594c96630937a41a90ae4da262e5d1d9692b17ec074b7e7def9c1ff3fb0aeb789f5489133816bb69934 |
memory/1680-188-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2444-182-0x0000000000400000-0x0000000000440000-memory.dmp
\Windows\SysWOW64\Dgfjbgmh.exe
| MD5 | a082721764b4ef24bb9be3cb53eedf04 |
| SHA1 | b165bcec526a506d001efc3fbe4df6bc186e3f8d |
| SHA256 | 993badf2dedecf2e47f38f902c9e94cae5b5032f0d1731d3e0c9f61b55952cbd |
| SHA512 | bd946643e65a18a9315a35690d29011810b838ae752f73360bcef3eaa6355c051b0b739d61fb9178b2e81337eb4d7011bb0dcf4e7698d335abee7764b662ac7b |
memory/660-206-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Eihfjo32.exe
| MD5 | f042065743017f0fcee1ab6774556b2c |
| SHA1 | 5d7a21776e1fcb0d630c42218d08c627f4468d90 |
| SHA256 | ef9f695572e728058976602f5c06095ac3084817bf6f3c23a9f1c42e0d80fa9b |
| SHA512 | 401e03f797261ffa235ac8fff6a251293efbc94efeaf25bfa6248500c4555c9579017593d58036dad20726002623e2065e5c7d1c3b30954df77d3a03477c7980 |
memory/2912-214-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Ejgcdb32.exe
| MD5 | 1f0e1b29851a36ae54abdf07289f7e39 |
| SHA1 | 5d14ab6b76e01d3df3a2747fe44d546cab5600b3 |
| SHA256 | 806005c1d7bb4573d2a236a9ca1854361734054b4801b41eaae992cb95631bcd |
| SHA512 | 05b049e762f1563033f07831758740511a6afec56286426d3dcdaf517ff309a36a76fa68a86ad5e27328e1492bab879a3e00cc6506f3b34d5ad3dbcf20cd2a6f |
memory/332-227-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Emeopn32.exe
| MD5 | dda183e662edca2e878e36a735c50aa0 |
| SHA1 | 6d59bcfd42c697dfa0ad4b37cdff6a563003de10 |
| SHA256 | 791c6c06f5f88cad328e892f09503e15157a923a521aa743c9630c980135310e |
| SHA512 | 6bde0f6b974c38280d1438a3e01f8c3046c68de0e3c5fba815448269ae4b5163c7bf2a14a3e6f7166b17215037d8de384e3caceba53bed16a17b494690778802 |
memory/576-233-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Efncicpm.exe
| MD5 | 7b0ed5cc15c759e2399f3ec50b8ecdd3 |
| SHA1 | e61a0a47eecb90ac0b34aefc44441cefd1db239e |
| SHA256 | 31b3a498698c849c8f1858de1b9c1280f64e65e21db20fc076ac9e17d62a29e8 |
| SHA512 | 8e7f56f2fb7c5d777d4deaf43dca5a5711f26c3b0d2d5fe44ad98c3dd1f18e7de4f137175ade4849a96c48f3045eea3c02c495c357ffcd18ded0a64108e3cb07 |
memory/576-242-0x00000000005D0000-0x0000000000610000-memory.dmp
memory/2964-246-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Eilpeooq.exe
| MD5 | 6f5dc346e2c231f477b1366ac9d6daa7 |
| SHA1 | 364ebbe16c6e6999b4eb09dba1426bc32dbac484 |
| SHA256 | ce6e8a245cf734fa82a54e32bbdf3f0816b9cc1bd090c00d6e633501706be3f8 |
| SHA512 | 6bfb601fe6772cee877a4cca28eac011bd3fd008878cf013dfefb6b78a3080f8b152d470918253f4fb019587e75a84a0d2e99b69e9340acd100b992c3a40cc02 |
memory/448-254-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2964-253-0x0000000000250000-0x0000000000290000-memory.dmp
memory/2964-252-0x0000000000250000-0x0000000000290000-memory.dmp
C:\Windows\SysWOW64\Emhlfmgj.exe
| MD5 | 1889f2370383c9712a5e7469d4ec584e |
| SHA1 | 9103131399fde3738b8541f5a5c7119491ea16de |
| SHA256 | d17ab1114dac8bba78f03f662d4f7912f66206768a009d0c6dcb80b3f29856f4 |
| SHA512 | 7c7cb9b96911f22d99e3ab10191b86d1181e67a78df3ae5e741f8db6fb1c766f90f4084c483b747c1fc8a3300d7ec5e6be5ca5147a1ffb76dbee77638f8bfb5c |
memory/448-264-0x0000000000250000-0x0000000000290000-memory.dmp
memory/448-263-0x0000000000250000-0x0000000000290000-memory.dmp
memory/1652-265-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1652-274-0x0000000000250000-0x0000000000290000-memory.dmp
C:\Windows\SysWOW64\Efppoc32.exe
| MD5 | 5f6390862fd368e71ef981f48a4114f9 |
| SHA1 | 3e3a0e9a667000e9be152464a385eace64b1ce1c |
| SHA256 | 785e4061f44168e2cbc89b343ada4aab271d62845bbf2f80a76693503b7680a1 |
| SHA512 | e2b56fe8e039dc4d90b25ad87cd31d27959cbd605e38c1d839b75e96292d0eef7f7515321acbfe574085d54bdb4bf47431b32f14476e2b66e3888cdbd73fc683 |
memory/1908-275-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Enkece32.exe
| MD5 | b9db5d1417f581066030e784265f28ec |
| SHA1 | 05ae2d7d8fb13c507fe99caa2aa0d69bdbf6597c |
| SHA256 | d8126d24c31b838f9ac7bf06b3b0ff7de6298b9d9cfeced9df92cdafa8058df8 |
| SHA512 | d63dd3077d0c61b1619abb89466eb5428e5104cfae95eb7c0d13114877b35a0aaab1398caeaed28b30b75c084cdc7ab7a6f8022c5affec022e281664ab5da39b |
memory/920-286-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1908-285-0x0000000000290000-0x00000000002D0000-memory.dmp
memory/1908-284-0x0000000000290000-0x00000000002D0000-memory.dmp
C:\Windows\SysWOW64\Eiaiqn32.exe
| MD5 | f2dd091f27c637eaa4f51d7209e1c501 |
| SHA1 | 78d91fa282258bb9f6953c5150fe455816b3ad15 |
| SHA256 | 151e1e3426250a959bd2f7e50db008f00c5a8cef94eb6d81395f02aad3eaf536 |
| SHA512 | 7948d566a4868fc5284aacfff184a1caf74c2be9c7d97d16dc6e67e121573629b747aba3f2e1945cbe3e92ca56b0d5b60d820744c0e0d1670c2e774579418296 |
memory/920-296-0x00000000002D0000-0x0000000000310000-memory.dmp
memory/2880-300-0x0000000000400000-0x0000000000440000-memory.dmp
memory/920-295-0x00000000002D0000-0x0000000000310000-memory.dmp
C:\Windows\SysWOW64\Eloemi32.exe
| MD5 | 73aa94b9e1d79839c231def7cc0878c4 |
| SHA1 | 8549460fd0f898c6821ddead8cd5447e021aa957 |
| SHA256 | bf1d221a0fa65f7114dce1e5ea4dac7c441db762c6d0571567274a45b83f6815 |
| SHA512 | 518bc86f2c24f63b6ffafa6376716314bd6b291f8eb9235da139ab2292022d24063544fe7011c147f3340772b272922ada2636979037d69ad63a58419b572ed1 |
memory/2880-307-0x0000000000250000-0x0000000000290000-memory.dmp
memory/2936-308-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2880-306-0x0000000000250000-0x0000000000290000-memory.dmp
C:\Windows\SysWOW64\Ealnephf.exe
| MD5 | 33dd106a824d226bc8707289030d6eae |
| SHA1 | b0c3c559bcaf15c140e479e7a927fc61b4bdde57 |
| SHA256 | 93ca406662245821bc25ff76384d145bd70e7a860badea97f14fcc025db786a4 |
| SHA512 | 3347ceff966453df22a51fa3e27614f3f615bffca9e43a71338ab1a9801798d21d80d1c670e923856add330878e858efb7f5ce3e68af1aca68cbeddbc22e10d5 |
memory/892-323-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2936-322-0x0000000000250000-0x0000000000290000-memory.dmp
memory/2936-321-0x0000000000250000-0x0000000000290000-memory.dmp
C:\Windows\SysWOW64\Fhffaj32.exe
| MD5 | 28670a9ac99cf3f372a8b7aa580ad83f |
| SHA1 | 2254a9f2d3c08f7c89af019d2066af37fd03b1a0 |
| SHA256 | 98c36ea1223b9e9ce7c9e624a9231cc4a1e44c7e2f41b74c66e11d28fe43bc62 |
| SHA512 | caa56bf20e982a2c3c8e9a1f67efff2c3ed2378fc9fdda94a00fcbd082d51bb9759cb259445f3df065914a02fc3451c13b28ec2c75ebcbc121b71a31dd8f8990 |
memory/892-331-0x0000000000250000-0x0000000000290000-memory.dmp
memory/1656-333-0x0000000000400000-0x0000000000440000-memory.dmp
memory/892-332-0x0000000000250000-0x0000000000290000-memory.dmp
memory/1656-339-0x00000000002E0000-0x0000000000320000-memory.dmp
C:\Windows\SysWOW64\Fnpnndgp.exe
| MD5 | 4f5e21f47695443d0c5849e76f3ed426 |
| SHA1 | a7317dffb113c9433d7f651c3a1f347bc5200ca2 |
| SHA256 | 703f2276555b0ad3772d3b7dc671112305503ef3ee8270b010f7f9c490e30ab4 |
| SHA512 | d99142cf92b44e26cbec087298b243b458af6dd8db8fc0891e1a83a5168d3fde58bf9417a95f7d83815ccb3fd162e33aaff977b4535209b1095de3e3a22a1a43 |
memory/1576-343-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1656-340-0x00000000002E0000-0x0000000000320000-memory.dmp
memory/1576-347-0x0000000000280000-0x00000000002C0000-memory.dmp
C:\Windows\SysWOW64\Fejgko32.exe
| MD5 | 8438baf14099c20119aeab40bfb0195c |
| SHA1 | 59978e296baf140b4b12a586ca12881996fb86c0 |
| SHA256 | e755613f6e4bf4dac9ceab7fb4c0c93de714ba38fa78ed3775690450e594beed |
| SHA512 | fc1a890b7f32613b49489a59babe3b9fc4fa84e0a5c4193d324421be26aac0765c2b11421c346ddaa2b0643ba8a2f2db6ac23274d9ab4efaa2f9b39a6ce40bd3 |
memory/1576-351-0x0000000000280000-0x00000000002C0000-memory.dmp
memory/2356-355-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Faagpp32.exe
| MD5 | d395236ab0ba5f8b78d97d19ce47051b |
| SHA1 | ff7dc9deffae0feda6c240d82b31eeb2566dee77 |
| SHA256 | 4188091e9b7edbd35fd0740a69343025ed42f8192377b041a01c520c47521966 |
| SHA512 | f800c121dbb536c801392fbd23c58dbcdc4981a69692678c49028e0dd02a07cfe1ed7d79bb5bfc6b8bbe7b14402034d75f2ca18b8d72c06856e20009ba19b5ee |
memory/2356-361-0x0000000000250000-0x0000000000290000-memory.dmp
memory/2616-363-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2356-362-0x0000000000250000-0x0000000000290000-memory.dmp
C:\Windows\SysWOW64\Fdoclk32.exe
| MD5 | 83c8b8fb8fe31f004171053b9495e050 |
| SHA1 | 6aabd6770e210d58535c9d946e1f40f26bad2d09 |
| SHA256 | 716e257dfa199055a255a681b2164ed22f67598b58b5f755a3a98cfdf70bb61a |
| SHA512 | d1ad00278ee1d347049e45b4d45b21f8c3895e15c4da16b1db6c46c775ce9cef6c5b2574726a1bb241c878a482bb73289658b457119b85a3534aafaae75bb14e |
memory/2616-377-0x0000000000270000-0x00000000002B0000-memory.dmp
memory/2616-378-0x0000000000270000-0x00000000002B0000-memory.dmp
memory/2740-385-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2640-384-0x0000000000250000-0x0000000000290000-memory.dmp
memory/2640-383-0x0000000000250000-0x0000000000290000-memory.dmp
C:\Windows\SysWOW64\Fjilieka.exe
| MD5 | 39fa709325fed69957b37469ceabb9b3 |
| SHA1 | be8c61b4b2988b4f3eea2467b350b7fc0b19e26b |
| SHA256 | f7c27814b067e971584db5f4f7c44ccefb114c03a1223a7ef0b9ddece7aaba6f |
| SHA512 | 13911b1a52f83cd65f359d5fc204fdd5c815366367682b28d48574a1dfdb18368ada19d40ca5bfa1763f6e26067164455af7df499c2cc5d0fa74e58e64fe9d7b |
memory/2640-379-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Fmhheqje.exe
| MD5 | 4d903200acbead78e508f739137da341 |
| SHA1 | acf52acb124716fb5a8e9d16f91b88cd529bf8ad |
| SHA256 | 57336b3865e8eb088d759914252d5c329df8f1a9d45d7a8430b66c8a46fb3729 |
| SHA512 | 6e9b27de7c0ee1d0284bc9ca27128b8a5dadf046981945a2e8fd25806e92388d75f50eb41c097f0b517a69cea0b7d2cee5025c0965df2165af11574b2a2d6478 |
memory/2740-395-0x00000000005D0000-0x0000000000610000-memory.dmp
memory/2740-394-0x00000000005D0000-0x0000000000610000-memory.dmp
memory/2568-399-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Fioija32.exe
| MD5 | 8208d9960fbca1368a60631354404705 |
| SHA1 | 5efbd2b33b61fa08127288cc169f201426fd7d9b |
| SHA256 | d9c70ef414399482057f20b2922bbba8980758d5189bfc852f2de004a304fa87 |
| SHA512 | 7b81a2de1c7bff7ed30f6c70138b65dddc43222be1eec29a75d48e4efab5787cbb2edc3f70fb90fe82afd75c88a52109033b552b0da2f5523c0653da807bb6b5 |
memory/2524-407-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2568-406-0x0000000001F30000-0x0000000001F70000-memory.dmp
memory/2568-405-0x0000000001F30000-0x0000000001F70000-memory.dmp
C:\Windows\SysWOW64\Flmefm32.exe
| MD5 | 5f130307fb7e19566026afeb9ca1ab9a |
| SHA1 | 6ae6a79ae6db0b33e8e479dea7edd05eeea4cc30 |
| SHA256 | 69c4138a04a134c8282282a09c99c4d8e9d11e9cd9d75c229f97239738e4b3c5 |
| SHA512 | e42d2f5fdce590587d152c2cc77f76b6116b0947350d1f8faf694405e32c12506c2e20aa1cb0b4bd654570f2f9ce9a673dee08b0c7caf141d57ee5c12c8bcb04 |
memory/1988-418-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2524-417-0x0000000001F30000-0x0000000001F70000-memory.dmp
memory/2524-416-0x0000000001F30000-0x0000000001F70000-memory.dmp
memory/1988-424-0x00000000002F0000-0x0000000000330000-memory.dmp
C:\Windows\SysWOW64\Ffbicfoc.exe
| MD5 | c2f41ab554598255e97db0eaabb4f6e3 |
| SHA1 | 42b3149399bd212f0d8e7790d5b27d3995c98b04 |
| SHA256 | 3e2956838e27a6cab55e354fc38b2d3a5234527c94d486a401713e65b8d7926a |
| SHA512 | 197d61bc1cb2fecb17adf03a4b39dc02a86663c6d8c0b293d6197fb9ed310de3498a8ae559d8bc50c4976a9da91b465557c4a17643a20e129bd2e4c7f1dde1ce |
memory/2800-429-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1988-428-0x00000000002F0000-0x0000000000330000-memory.dmp
C:\Windows\SysWOW64\Gpknlk32.exe
| MD5 | 07272addbe9a73f656d468aeee605fd7 |
| SHA1 | 310f29eafaec7b8b1818fc04b18bb592e67ee884 |
| SHA256 | 353b27dc5e9f58b53b2db2dee7fa25b5e2eaf1d08031dbabc5a506b27708fbb0 |
| SHA512 | bccd10358810db1eb1ebf00d57488f3a0110dd27940e0ed08c5fda8565697e0224622086b66434af9209b9772c2514527b8899c69b86d9ce3cd32ba585b6582c |
memory/2800-443-0x0000000000290000-0x00000000002D0000-memory.dmp
memory/1796-453-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2864-450-0x0000000000440000-0x0000000000480000-memory.dmp
memory/2864-449-0x0000000000440000-0x0000000000480000-memory.dmp
memory/2864-448-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Gfefiemq.exe
| MD5 | 53eb533aa17180b8225efe4780333d25 |
| SHA1 | e3c73cf83b356caa849068dc9d2e09c2b05421f8 |
| SHA256 | afde14de6c6185c6e14dd3da919e4dbe1bbb36981d9717d005cab2dcc45dc0bd |
| SHA512 | 6ff91f53048b968d5dc74e0669295cb7e1e3da43feaba44458059bcc1655bcecc144db16e3e5892bb593c15455677fedf157275643c227fb73ec60a5177e63ec |
memory/2800-444-0x0000000000290000-0x00000000002D0000-memory.dmp
C:\Windows\SysWOW64\Gicbeald.exe
| MD5 | 5386713401dfbfe9dd2ac0c25c9fa5be |
| SHA1 | 0105429bf913c8ebf018a8a79899f6729ec2a539 |
| SHA256 | d4e751f11a60f965c18d73ce6f45a4c7f5521e5b29c45623862d9ff2b91cfa1e |
| SHA512 | 7f21f0f259c7fd92cd678c6b34b31360a4b1757f87ea6ea4e5ba258fa318034d57197630b7168a8b88df3333ae265104a29d66523a6eef73184bf50e47bc9f0c |
memory/1796-461-0x0000000000250000-0x0000000000290000-memory.dmp
memory/1796-460-0x0000000000250000-0x0000000000290000-memory.dmp
memory/1816-462-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Gkgkbipp.exe
| MD5 | 2ebcc85529142faee0dcf502a5897802 |
| SHA1 | 27d8dc90fb1c1bddfbd62c17edd7240cbef8d10e |
| SHA256 | 95e4e0d94cd3688ab44a2955a609593f46ff17f83e0cab47e1d9202c013a15cf |
| SHA512 | 88551c197b53b86f86ec8e3c3f9276a8aee0c2c7425ec3653f1f8515286f0e5fc6216830a1c70443e4e1513d25c6f50c503a9df12f36590d2ed1c0a487a297a1 |
memory/692-477-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1816-476-0x0000000000270000-0x00000000002B0000-memory.dmp
memory/1816-475-0x0000000000270000-0x00000000002B0000-memory.dmp
memory/692-482-0x0000000001F70000-0x0000000001FB0000-memory.dmp
C:\Windows\SysWOW64\Gbnccfpb.exe
| MD5 | 4cb85c8cb0921e6a006af74846b975c2 |
| SHA1 | 941c6314d13356f239a9c21bb08d8b8712f3bdd0 |
| SHA256 | f13d9a49261df03fe3cbb0807e5bd342b41d8408a3e3aa074d9b015f352b9b4c |
| SHA512 | 96d9a64a8f255083cbf4923daf77b50c3793a5d7a908672e7fc9ac9c6f2cc2944aa4904adba631437d8b5c2258a40389cf7d843b18bd4ded131e4cc9209f9d10 |
memory/692-483-0x0000000001F70000-0x0000000001FB0000-memory.dmp
memory/1736-488-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Glfhll32.exe
| MD5 | dc0a1389e48f10d973d93e743b407220 |
| SHA1 | 9735ff1aa45b2e4a984576b63028f42f9129c77a |
| SHA256 | b4b061bdb376d013ccd1e0bc2f865d9abc3a7155ac4f5ffbbca642cf4b76ed08 |
| SHA512 | 8de63d8a638f6f8a9bb4ca88d28b1c80ddfda181e6924ea828e53a4846ab5ffed7c3ce46feb6dc616ec702b544d975e827c1777b0793f3dc189c24b88b69f8b2 |
memory/1736-493-0x0000000000250000-0x0000000000290000-memory.dmp
memory/1768-499-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1736-494-0x0000000000250000-0x0000000000290000-memory.dmp
C:\Windows\SysWOW64\Goddhg32.exe
| MD5 | 1ea699e05615d1137b5d54518b09bbbd |
| SHA1 | 830a71425678ee73e787619f16d8e0742f49db80 |
| SHA256 | 6dff22744c48c8dda717638caa644570e225efbbde3fc714545e30e0d5cf041b |
| SHA512 | ed251f714157baf74027f1a55fed7d52a074ba89e432a3c42bf2ec57f6316e2f88b669ab417759bcf184af87e3b17d4ca145fe124e298772c1a685c4d8b5afa7 |
C:\Windows\SysWOW64\Gdamqndn.exe
| MD5 | 2599440dcf55b0c10dcbd9cad7c87002 |
| SHA1 | 2a36cfb07d06e955efd9bb0fc3a39d8514e35784 |
| SHA256 | 0d8f0e116b7b3b3b5b117f51d2b4b178c74543fdded77e32ab06bc9adefb7df3 |
| SHA512 | 16ebe6027539bc83aa8a974fbca207d08fd71ccfb322fe2775c1dfe055be232136867d4ad0053d68bd29875252e86d603cc4e4d27342d9b4536f39e10b618527 |
C:\Windows\SysWOW64\Gkkemh32.exe
| MD5 | 5f2f3766c0a2578a55149d5cf720c15c |
| SHA1 | e2dfa227a6a03d4297898c66ad979a82a18303e4 |
| SHA256 | 77447a3a26284cbacce6cf3f205ed9d8cb2c6377c77795faa5fc1f955cb8abc1 |
| SHA512 | bb234ac2d4fda41c6e85fa4f1c31fd3182319d01222e0d6e1c411000ab39df4aa0ebcb0b119a28766153163e35e3eab2bb3ede6117bd5294c2de5b061baa0fa6 |
C:\Windows\SysWOW64\Gaemjbcg.exe
| MD5 | 3fc559a6a0f9510f1ae75dad44aa8c82 |
| SHA1 | 15e75de7c8cedc0662e9f5665e03818e32adbda9 |
| SHA256 | 0e15e12bb0e458a4f25b3d5af1ec08606e2dc638e07a011f5bda4b68c1b07b73 |
| SHA512 | 5c34bbc30cc63c443d1db0a460f5c25f11a7e42afdbbe8bb2b90c01979c908d709e192a9ff9205baf2f4d30c749ab574421b00b2a4e6ee949e0af8324e3ac707 |
C:\Windows\SysWOW64\Gddifnbk.exe
| MD5 | ed2f2d42d21182e1602b4098cbea191f |
| SHA1 | 1e7fdf93e5af70b3ed9b7d4ef375f1079f112be9 |
| SHA256 | 6978c3350217948604ebbaded121efb2d1cb5b989d7b9b0367580303b95aad95 |
| SHA512 | 47a4aa4ff703268c0da44949284add1f4f95d07910877f143427e691efb27a9261aab548261b27e8b7d62ba607d984635fec15cee2b2cf5f2ae8781b6167bd9c |
C:\Windows\SysWOW64\Hknach32.exe
| MD5 | fd23aee7eba77a7b4d5f95a68d6242a6 |
| SHA1 | 3c11611fa17b550a2b062d5475d87a9847ff219a |
| SHA256 | a77008bd6c7cca5a5a67fd187f40cd5e0578b1f59e516b6e3b30ae9bf3755ac9 |
| SHA512 | 33a660655a84a6a9700a9e2407aaec821e75c4a4f2e8d4146b7748e85e216e34269d265599eb8e2c62cfe966149a14ad395cf157f3af2229f25aa185080b960c |
C:\Windows\SysWOW64\Hmlnoc32.exe
| MD5 | 7f9c29ac0d560264e2a379bfb9896860 |
| SHA1 | 3638fb4b6bc3926a7b875d8b74fbaabc659e7f6c |
| SHA256 | 67bbd3b75ba276bc0abeabd83cdb266b2030f934d53fb888c0c3dfb0007e76e4 |
| SHA512 | 6a8d0ad4ae0098c543e023501bd3198b0c1f028fde0bd591548aa235a7a4d44d51faa49165583a59a41f33c7c43981795bb9c61db100abfe23969ed279ed05cc |
C:\Windows\SysWOW64\Hahjpbad.exe
| MD5 | 870c9d8a87455591e98bbc92cc87cb41 |
| SHA1 | 92ff8172befb509cc81d51b99abd64603ece05e1 |
| SHA256 | 0d609ca7681224a1875714757ef0e85244a0e742e0b39cb2ec7d576c236d4036 |
| SHA512 | 19ac0e3b8156b20b0b4438da4aa595d0adf864a9baa8b1bf42c586e60a4ab157ee66d22b41ae5c2e77239eff4c028bf5022597cd50181e29f499a7102fccd8d3 |
C:\Windows\SysWOW64\Hcifgjgc.exe
| MD5 | 31a017681943e1017d2e833cc0b341dc |
| SHA1 | cf0ffc858c0e53abc3c002b1197debd67f84382c |
| SHA256 | abc9f7072d9f732127b6c80f5378bf4d2e51f3b8d5887be2f124620688e3a6b4 |
| SHA512 | 157c3b676fb24a27eeea6c279d742f36fa3c9d3bda8c91abbc4863d323e60e1acc6063ed553df26995e3d60046208690de6aef64fd55df4ef8c16f8834722d92 |
C:\Windows\SysWOW64\Hkpnhgge.exe
| MD5 | 1a30fe9057aef16352610dac3b0ba9d7 |
| SHA1 | 14e46dc084cd311ffc3d240e8dc8dbeee43cb3e9 |
| SHA256 | 298775e83a9d69a5535a95fda290d403ce27136ddd6301d0cee78771cb68de5b |
| SHA512 | 9b794441231e7b067642d1657924cd19b5671ddde6b255198fb705d63eae8ffb3858f3f29ae00aa66d4e561806e5b7d6eb772e7e990caa9ab7bc62053e93397f |
C:\Windows\SysWOW64\Hnojdcfi.exe
| MD5 | 49efceb162fcb3e2cc475993815fe82e |
| SHA1 | 3102a3723edde8ac6bc5d415b0c25f5f1b0fac04 |
| SHA256 | 0a710e2ccdae2ef93689f9bfd3c02801982ec72151ce022edbe0269b4ceb3683 |
| SHA512 | ad4bf7ed8ae5e91cd3b1492bdb7d86383cd273a363c6362901d6e840c94adf29e0f87dd916189f0533b9cf08e061925091cac49e2149fc217ef20cde44fa751b |
C:\Windows\SysWOW64\Hdhbam32.exe
| MD5 | e69dfb0e312d00d1acd299a5ee2fce4b |
| SHA1 | b9d5dad9596f8422fb25a06c0ccfe368c517b567 |
| SHA256 | 0d8c266db8f663851a9e5970014ce41e4eb216bf50b8484f2d74d23686e996db |
| SHA512 | 51f19c8703ec69dabfd89306102a280ce51699a3e08a6fe81c7f9edd01fde7c877fed541203aa467065286419a4a19ee161e205669ee5ed5a200e47fba59df8c |
C:\Windows\SysWOW64\Hejoiedd.exe
| MD5 | 5b12aa3ac71cbe2576d7ecc8357c50f7 |
| SHA1 | 6078e315e2b5a880b0e274b14e00421743686c2e |
| SHA256 | 4d484389eb717df136aa657d6dfb595977b655c5f37534cbca86082929c1e58e |
| SHA512 | a71413e1cb9eec1c5f49da3cae569af47a51c9b1dc85a33d38f5ec6f13af10cb7b104d18e05b20fd177ab2d6c3e4770327ea515d7d0e82109c3b94df6034c6fc |
C:\Windows\SysWOW64\Hiekid32.exe
| MD5 | ccd65aedde4e11f6b41db766126f788b |
| SHA1 | 5b4adf6ebe2dddd080f14d50b0d3736bb9de27da |
| SHA256 | aba7116648dc45ad518172c1c176a3e3915bf295a78fd20e10b14821e0071724 |
| SHA512 | ec290c118d94e01f600ae2f046e93e9aff214ff855b8c6f770dd097117c0db89cbd68798295be82537c80aac989bad8bfe6550c1dde2094e82355aa59c6b9d21 |
C:\Windows\SysWOW64\Hpocfncj.exe
| MD5 | 389e55fe90c7fcfa798f9b4be9a9bca7 |
| SHA1 | 826c05ccae676752b90d54d7736dde90135f822b |
| SHA256 | a3b58b02105ec5bd33454624ef09edea3c8779c68c8a84d3b8f03a48537cc7a2 |
| SHA512 | c7d4b2e5dd4bcc273496c89a689b1fee4a1a09e3bbb7099954ea0ad2c5b2177979343b79327c7e719ae284ba029d5ffbbe7b3227b37418acc2821c39427209e7 |
C:\Windows\SysWOW64\Hobcak32.exe
| MD5 | 9fcc33e679823488cc19595be718bd25 |
| SHA1 | 469159e1db752a7f1a890b9a7d29ecb7061aa349 |
| SHA256 | 4a4a61422e6b82f60e472755dfc2d284f95de9f32863edbc222e33d32edfe31e |
| SHA512 | 940fd3a7b3b52b5bea160a88fb4a50cf1ac636a116b614bcd5a2c4149752fa98233edcbcd414446aaafad66ac2ab8ca67332221223a2c3b78a0babb73588c8b8 |
C:\Windows\SysWOW64\Hgilchkf.exe
| MD5 | 566d2814f0ce4366b5dbc75924efd787 |
| SHA1 | a92567eb983efb654a97f8ee01075514af070a2e |
| SHA256 | 13a87812d4b4fcf5839bf33d4ed0cde183a85ece00f7ec80f222ed24f6427e51 |
| SHA512 | 06e0c475bf6b019bf8f7715ded1f60b156093bb491a278dc62f84a77f69191424e7765bd4018ee3c1e82e4d5dff2e09bd20737866c9326c912327f5c80ebe969 |
C:\Windows\SysWOW64\Hhjhkq32.exe
| MD5 | f4be385155f5ace33ce7c251697b6e45 |
| SHA1 | e4333dd18102e38ebc2d494542df5ed1e1cb2d2d |
| SHA256 | e79501ee5c9004ede5b18c7553fa0f516c4fda6621b023fb409d4f5269622773 |
| SHA512 | c167274d034782bf5ca620ae1513f367f6405ab878acdf070375d565103c7dee9fa75af6367c8ac360ad2ff7437d60881dcde012df0dc3c00cc0d1b17068062c |
C:\Windows\SysWOW64\Hpapln32.exe
| MD5 | 22465124fbcf8079e48c870467efbfff |
| SHA1 | 5d56e65ece4774cf8a6680898caf18f843d9a599 |
| SHA256 | 52c39ab9d9ae86bd7c1b94aa41bc0caa92f2039c6d10f74eab0b28c48b3d4b13 |
| SHA512 | f81959d059361668639934bac208817d811ec7aead95bd80dfa5dc63ccae3f1040b3263c52b6fb7ce6261cea36746ad6469cafe5615943b3689b93deb3fad674 |
C:\Windows\SysWOW64\Henidd32.exe
| MD5 | 8504b48e2554747f059c641756a4ad6d |
| SHA1 | 76b635c98ba5e57a702ebc5f2afdea02614f6f08 |
| SHA256 | 1b06d07a55d8d51305df6423db8e83c432ffa81f9f3c673ab9d2448b11ce7288 |
| SHA512 | ac69183b55f4576c242e56c13228a1338f76060851881a217447b04c6cedb48424bd5631c0ef8225e639657f907dd4ef002ce3179e87320fb07aa62553428e60 |
C:\Windows\SysWOW64\Hjjddchg.exe
| MD5 | 0cf9f952060610783c145befa7d7d11a |
| SHA1 | 8a34c1a6fad3387fff9dd1154ac8e793b6f458ee |
| SHA256 | 18f2c64fd2212e7f33927d85c878b11b4a83b0625ae491867d8ab54872ca422e |
| SHA512 | b632762b271d770de157b0ee76fc5cb6c5a156de125facb42bbe39e0c20fdf70101c66f07ba9763bc085820d5ae3efe4c25e358873b15475ef75ffe5d1754b43 |
C:\Windows\SysWOW64\Hkkalk32.exe
| MD5 | 1933cb4c6ec8d294224f6989dddf5fa0 |
| SHA1 | f04ae9935ea0968ec1947911ec0153a8ff360ec0 |
| SHA256 | 1c03b6c5e6dd3158ec91647b50b2076056a317152c1aa3862eb2df607a682361 |
| SHA512 | a2b9b3fc25ce4c783da8323da9932ae4051df486b2a812126645f819c25ec6e11e5e6062a08b52306e3966d5647e6e82be239acbaf4f61db8b874ea44a43eae4 |
C:\Windows\SysWOW64\Hogmmjfo.exe
| MD5 | 9a9ce22a505047972b645565ce8fd556 |
| SHA1 | f3bd4a7de681d6fa6d98be827cd8dbb84913e227 |
| SHA256 | 67ddd17f3f7bd2d3ce666e9848fd5382b34fa8668043a7562e980d59dc797768 |
| SHA512 | 95356b36f5ccca76a37000d06d83001924fe5ab4e0242cad0072f2f60c3611d03cec959383bae5fa05c35586271250d87cd955b8e21b87f636c8b95c9a4f3233 |
C:\Windows\SysWOW64\Iaeiieeb.exe
| MD5 | 5bfa204112b01a5b4ba1e69628d7f602 |
| SHA1 | 85f7b354c7980944882d637aaa6d5f7abc7f655f |
| SHA256 | 26bd7aac445bc91d01cbdc58e92b1ec8189be055d6e2da656979e41967302b55 |
| SHA512 | 98d31ce9814c6d6402d8ec21e5085566538c4870223d1ac1346986bf0a725ceb0d125b91768799883de936fa70f81f421d78ffb81e2be1c343166f9c6ab02a9f |
C:\Windows\SysWOW64\Idceea32.exe
| MD5 | cbd8450ff7ba9bcfd3a413ae585a17f3 |
| SHA1 | 78c26b0046b8e604704afd7790d138845d19300a |
| SHA256 | 9e5c1faf59b2fa034b8efd53eb49cc1fdf4adc274e3e1e53d1206fc55bbad071 |
| SHA512 | 42bd1d13ada7101d7172ea6a5d54c068caa064ac303094a8935d4d4cb221ddf8dd6dad31185f86ff53890f8f672778b8d185cedaefd3c96577fe0946d4abac61 |
C:\Windows\SysWOW64\Iknnbklc.exe
| MD5 | cded6edab9d12e72ddb7e106be3a21d3 |
| SHA1 | d4719596b779c3dab00d49968e962876c82217f7 |
| SHA256 | e4a374f4cb88ecdfa31a6abfd4adf0f18ebc1286f59e8541458ddfc0a358229b |
| SHA512 | 60bb11aba2893b46bd398a9a771985cdaeb976beb1e2c5be86e0194bdc8f879b20f939143248546b036838f49d09cfd57e4bc4798a8bf020b471766d9cc82245 |
C:\Windows\SysWOW64\Iagfoe32.exe
| MD5 | 2e5ebdea9a3d2439b9439e1a7c10fc50 |
| SHA1 | 75f489a40697658cc25985ed89b02c8bac1b3c7f |
| SHA256 | 64cc3078f42fc91d0e1481d6b93260f19f45603f599a040209354045c8ecca40 |
| SHA512 | 65addaa8e2cec5d3d877da90b52210187f01d5c7f7a1fd0aa40f0a66bd0e03bbbf37723f6d0b4ededa4cf575fbc3e08ab56f4e6c0566e1c9541908228c725939 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-22 21:04
Reported
2024-05-22 21:07
Platform
win10v2004-20240426-en
Max time kernel
134s
Max time network
127s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Users\Admin\AppData\Local\Temp\3b3af3ca23123bd8809657cd9c8efa60_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nkqpjidj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ndidbn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ndghmo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ndghmo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nkqpjidj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nbkhfc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nbkhfc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Users\Admin\AppData\Local\Temp\3b3af3ca23123bd8809657cd9c8efa60_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nbhkac32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nbhkac32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ndidbn32.exe | N/A |
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\Nbhkac32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Ndghmo32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Nkqpjidj.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Nbkhfc32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Ndidbn32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Nkcmohbg.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Ndghmo32.exe | C:\Windows\SysWOW64\Nbhkac32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nkqpjidj.exe | C:\Windows\SysWOW64\Ndghmo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lkfbjdpq.dll | C:\Windows\SysWOW64\Nkqpjidj.exe | N/A |
| File created | C:\Windows\SysWOW64\Nkcmohbg.exe | C:\Windows\SysWOW64\Ndidbn32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nbhkac32.exe | C:\Users\Admin\AppData\Local\Temp\3b3af3ca23123bd8809657cd9c8efa60_NeikiAnalytics.exe | N/A |
| File created | C:\Windows\SysWOW64\Ogpnaafp.dll | C:\Windows\SysWOW64\Ndghmo32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ndidbn32.exe | C:\Windows\SysWOW64\Nbkhfc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nkcmohbg.exe | C:\Windows\SysWOW64\Ndidbn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nbhkac32.exe | C:\Users\Admin\AppData\Local\Temp\3b3af3ca23123bd8809657cd9c8efa60_NeikiAnalytics.exe | N/A |
| File created | C:\Windows\SysWOW64\Ipkobd32.dll | C:\Users\Admin\AppData\Local\Temp\3b3af3ca23123bd8809657cd9c8efa60_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ndghmo32.exe | C:\Windows\SysWOW64\Nbhkac32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bdknoa32.dll | C:\Windows\SysWOW64\Nbhkac32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nbkhfc32.exe | C:\Windows\SysWOW64\Nkqpjidj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nbkhfc32.exe | C:\Windows\SysWOW64\Nkqpjidj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nkqpjidj.exe | C:\Windows\SysWOW64\Ndghmo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ndidbn32.exe | C:\Windows\SysWOW64\Nbkhfc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Opbnic32.dll | C:\Windows\SysWOW64\Nbkhfc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hnibdpde.dll | C:\Windows\SysWOW64\Ndidbn32.exe | N/A |
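The table above lists creates and modifications in the order the sandbox logged them, which hides the staging order. The following Python is an added example, not part of this report or of any sandbox tooling: it rebuilds the Berbew drop chain by following "File created" edges from the submitted sample, and lists the sidecar DLL each stage wrote. The event tuples are transcribed from the behavioral2 table above; the "one successor per stage" assumption in `drop_chain` is ours.

```python
# Added example (not part of the sandbox report): rebuild the Berbew staging
# chain from the "Drops file in System32 directory" rows. Each stage writes the
# next EXE plus one sidecar DLL; following "File created" edges from the
# submitted sample recovers the order in which the stages were dropped.
# Events are transcribed from the behavioral2 table.
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\3b3af3ca23123bd8809657cd9c8efa60_NeikiAnalytics.exe"
W = r"C:\Windows\SysWOW64"

# (description, target file, writing process), in report order
FILE_EVENTS = [
    ("File created", W + r"\Ndghmo32.exe", W + r"\Nbhkac32.exe"),
    ("File created", W + r"\Nkqpjidj.exe", W + r"\Ndghmo32.exe"),
    ("File created", W + r"\Lkfbjdpq.dll", W + r"\Nkqpjidj.exe"),
    ("File created", W + r"\Nkcmohbg.exe", W + r"\Ndidbn32.exe"),
    ("File opened for modification", W + r"\Nbhkac32.exe", SAMPLE),
    ("File created", W + r"\Ogpnaafp.dll", W + r"\Ndghmo32.exe"),
    ("File opened for modification", W + r"\Ndidbn32.exe", W + r"\Nbkhfc32.exe"),
    ("File opened for modification", W + r"\Nkcmohbg.exe", W + r"\Ndidbn32.exe"),
    ("File created", W + r"\Nbhkac32.exe", SAMPLE),
    ("File created", W + r"\Ipkobd32.dll", SAMPLE),
    ("File opened for modification", W + r"\Ndghmo32.exe", W + r"\Nbhkac32.exe"),
    ("File created", W + r"\Bdknoa32.dll", W + r"\Nbhkac32.exe"),
    ("File created", W + r"\Nbkhfc32.exe", W + r"\Nkqpjidj.exe"),
    ("File opened for modification", W + r"\Nbkhfc32.exe", W + r"\Nkqpjidj.exe"),
    ("File opened for modification", W + r"\Nkqpjidj.exe", W + r"\Ndghmo32.exe"),
    ("File created", W + r"\Ndidbn32.exe", W + r"\Nbkhfc32.exe"),
    ("File created", W + r"\Opbnic32.dll", W + r"\Nbkhfc32.exe"),
    ("File created", W + r"\Hnibdpde.dll", W + r"\Ndidbn32.exe"),
]


def basename(path):
    return path.rsplit("\\", 1)[-1]


def build_drop_graph(events):
    """process -> EXEs it created, and process -> DLLs it created."""
    exes, dlls = defaultdict(list), defaultdict(list)
    for desc, target, proc in events:
        if desc != "File created":
            continue                         # modification rows duplicate the creates
        bucket = exes if target.lower().endswith(".exe") else dlls
        bucket[proc].append(target)
    return exes, dlls


def drop_chain(events, root):
    """Follow EXE-creates-EXE edges from root; the seen set guards against loops."""
    exes, _ = build_drop_graph(events)
    chain, seen = [root], {root}
    while True:
        successors = [p for p in exes.get(chain[-1], []) if p not in seen]
        if not successors:
            return chain
        seen.add(successors[0])              # assumption: one successor per stage
        chain.append(successors[0])


def stage_dlls(events):
    """Sidecar DLL(s) each stage dropped; these become the COM in-proc servers."""
    _, dlls = build_drop_graph(events)
    return {proc: sorted(paths) for proc, paths in dlls.items()}


if __name__ == "__main__":
    for depth, exe in enumerate(drop_chain(FILE_EVENTS, SAMPLE)):
        print(f"stage {depth}: {basename(exe)}")
    for proc, paths in stage_dlls(FILE_EVENTS).items():
        print(f"{basename(proc)} dropped {', '.join(map(basename, paths))}")
```

Run stand-alone it prints the seven-stage chain (sample, Nbhkac32, Ndghmo32, Nkqpjidj, Nbkhfc32, Ndidbn32, Nkcmohbg) and one DLL per stage; the last stage, Nkcmohbg.exe, dropped nothing before WerFault caught it, which is consistent with the "Program crash" signature below.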
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Nkcmohbg.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll" | C:\Windows\SysWOW64\Nkqpjidj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nkqpjidj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | C:\Users\Admin\AppData\Local\Temp\3b3af3ca23123bd8809657cd9c8efa60_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll" | C:\Users\Admin\AppData\Local\Temp\3b3af3ca23123bd8809657cd9c8efa60_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\3b3af3ca23123bd8809657cd9c8efa60_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Nkqpjidj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | C:\Users\Admin\AppData\Local\Temp\3b3af3ca23123bd8809657cd9c8efa60_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Nbhkac32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nbkhfc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\3b3af3ca23123bd8809657cd9c8efa60_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll" | C:\Windows\SysWOW64\Nbhkac32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nbhkac32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Nbkhfc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll" | C:\Windows\SysWOW64\Nbkhfc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ndidbn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll" | C:\Windows\SysWOW64\Ndidbn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ndidbn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\3b3af3ca23123bd8809657cd9c8efa60_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ndghmo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll" | C:\Windows\SysWOW64\Ndghmo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ndghmo32.exe | N/A |
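The "Adds autorun key" and "Modifies registry class" tables only make sense together: the ShellServiceObjectDelayLoad value names a CLSID, and the DLL Explorer will load at logon is whatever that CLSID's InProcServer32 default value points to. The Python below is an added example, not part of this report or of any vendor tooling: it parses "Set value (str)" indicators in the format the report prints, joins the SSODL write to the InProcServer32 writes for the same CLSID, and flags the result. The events are transcribed from the behavioral2 tables; the known-good CLSID set (`KNOWN_GOOD_SSODL_CLSIDS`) and the two suspicion heuristics are assumptions, not something the report states.

```python
# Added example (not part of the sandbox report): resolve what Explorer would
# actually load. An SSODL value only names a CLSID; the DLL comes from that
# CLSID's InProcServer32 default value, so the two signature tables have to be
# joined. Events are transcribed from the behavioral2 tables.
import re
from collections import defaultdict

# Assumption: a clean Windows 10 SSODL key holds only the WebCheck entry.
KNOWN_GOOD_SSODL_CLSIDS = {"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"}

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\3b3af3ca23123bd8809657cd9c8efa60_NeikiAnalytics.exe"
W = r"C:\Windows\SysWOW64"
SSODL = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
CLSID = r"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID"
G = "{79FEACFF-FFCE-815E-A900-316290B5B738}"


def quoted(data):
    """Render value data the way the report prints it (backslashes doubled)."""
    return '"' + data.replace("\\", "\\\\") + '"'


def ssodl_event(proc):
    return (SSODL + r"\Web Event Logger = " + quoted(G), proc)


def inproc_event(dll, proc):
    data = r"C:\Windows\SysWow64" + "\\" + dll
    return (CLSID + "\\" + G + r"\InProcServer32\ = " + quoted(data), proc)


# "Set value (str)" rows, in report order. One ThreadingModel row is kept so
# the parser is shown skipping non-default values.
SET_VALUE_EVENTS = [
    ssodl_event(W + r"\Ndidbn32.exe"),
    ssodl_event(W + r"\Ndghmo32.exe"),
    ssodl_event(W + r"\Nkqpjidj.exe"),
    ssodl_event(W + r"\Nbkhfc32.exe"),
    ssodl_event(SAMPLE),
    ssodl_event(W + r"\Nbhkac32.exe"),
    inproc_event("Lkfbjdpq.dll", W + r"\Nkqpjidj.exe"),
    (CLSID + "\\" + G + r"\InProcServer32\ThreadingModel = " + quoted("Apartment"), W + r"\Nkqpjidj.exe"),
    inproc_event("Ipkobd32.dll", SAMPLE),
    inproc_event("Bdknoa32.dll", W + r"\Nbhkac32.exe"),
    inproc_event("Opbnic32.dll", W + r"\Nbkhfc32.exe"),
    inproc_event("Hnibdpde.dll", W + r"\Ndidbn32.exe"),
    inproc_event("Ogpnaafp.dll", W + r"\Ndghmo32.exe"),
]

# key\ValueName = "data"; an empty ValueName (trailing backslash) is the default value.
SET_VALUE_RE = re.compile(r'^(?P<key>.*)\\(?P<name>[^\\]*) = "(?P<data>.*)"$')


def parse_set_value(indicator):
    m = SET_VALUE_RE.match(indicator)
    if m is None:
        raise ValueError("unrecognised indicator: " + indicator)
    return m["key"], m["name"], m["data"].replace("\\\\", "\\")


def resolve_ssodl(events):
    """One finding per SSODL value: its CLSID, every DLL that CLSID's
    InProcServer32 was pointed at, and the processes that wrote the value."""
    inproc = defaultdict(list)      # clsid -> [dll, ...]
    ssodl = {}                      # value name -> (clsid, [writers])
    for indicator, proc in events:
        key, name, data = parse_set_value(indicator)
        if key.upper().endswith(r"\SHELLSERVICEOBJECTDELAYLOAD"):
            ssodl.setdefault(name, (data.upper(), []))[1].append(proc)
        elif key.upper().endswith(r"\INPROCSERVER32") and name == "":
            inproc[key.rsplit("\\", 2)[-2].upper()].append(data)
    return [
        {"value": name, "clsid": clsid,
         "known_good": clsid in KNOWN_GOOD_SSODL_CLSIDS,
         "dlls": inproc.get(clsid, []), "writers": writers}
        for name, (clsid, writers) in ssodl.items()
    ]


def suspicious(finding):
    """Heuristics (our assumptions): unknown CLSID, or a server re-pointed repeatedly."""
    reasons = []
    if not finding["known_good"]:
        reasons.append("SSODL CLSID is not in the known-good set")
    if len(set(finding["dlls"])) > 1:
        reasons.append(f"InProcServer32 re-pointed at {len(set(finding['dlls']))} different DLLs")
    return reasons


if __name__ == "__main__":
    for f in resolve_ssodl(SET_VALUE_EVENTS):
        print(f["value"], f["clsid"], f["dlls"], suspicious(f))
```

On the report's data this yields a single finding: "Web Event Logger" pointing at {79FEACFF-...-316290B5B738}, whose in-proc server was re-pointed six times, once per stage, to that stage's freshly dropped DLL under SysWow64. Whichever DLL was written last is the one Explorer loads at the next logon, which is the check to repeat on a live host (read the SSODL value, then the CLSID's InProcServer32 default) when hunting for this family.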
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\3b3af3ca23123bd8809657cd9c8efa60_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\3b3af3ca23123bd8809657cd9c8efa60_NeikiAnalytics.exe" |
| C:\Windows\SysWOW64\Nbhkac32.exe | C:\Windows\system32\Nbhkac32.exe |
| C:\Windows\SysWOW64\Ndghmo32.exe | C:\Windows\system32\Ndghmo32.exe |
| C:\Windows\SysWOW64\Nkqpjidj.exe | C:\Windows\system32\Nkqpjidj.exe |
| C:\Windows\SysWOW64\Nbkhfc32.exe | C:\Windows\system32\Nbkhfc32.exe |
| C:\Windows\SysWOW64\Ndidbn32.exe | C:\Windows\system32\Ndidbn32.exe |
| C:\Windows\SysWOW64\Nkcmohbg.exe | C:\Windows\system32\Nkcmohbg.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3328 -ip 3328 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 408 |
The command lines name C:\Windows\system32\, but the images that run are the 32-bit copies in C:\Windows\SysWOW64\: these are 32-bit processes, so WoW64 file-system redirection maps system32 to SysWOW64 for both the file writes and the launches.
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
memory/1184-0-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1184-5-0x0000000000432000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Nbhkac32.exe
| MD5 | 6983302c0c1a08614d6ddd5b7d22af35 |
| SHA1 | 7faefb38b431f6104733c4fbf2715492df00baf7 |
| SHA256 | be971e34e9d8b0c83274e4268ddd8fd1c1de53000726ddfd0a5aca220bdff44e |
| SHA512 | 68dc2c0a98c35c6a86c19149f738ef77fddda05d6ab48173f890275de5c29f3620af63c7910b37b684e4671c2511864eeef8704a06af2522c264fe21b3ba8ba1 |
memory/2140-9-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Ndghmo32.exe
| MD5 | 79fc817226516a8f85165194a82f11fa |
| SHA1 | 0e1edb45a76ced0ac84817f9df75a71f5d7f4c76 |
| SHA256 | ebf05a377dfbe0c4be7ee36cf1aadf8f7f20224d563cb1c0790174a36fa0529b |
| SHA512 | 010a1fb7859e38bbd244de465b2c99c615e6fa26ca3b85664fc91405e3c2811ed2bad86aa5e57cddf14dd5b16ff9ba38604be8e6ba04be8aca3f2ec96925a719 |
memory/1692-17-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Nkqpjidj.exe
| MD5 | 8fc36eb8bab98f27cfff0c5184316fab |
| SHA1 | e9cf45b3e470e69868c85305cc5d56414a201816 |
| SHA256 | b650df182f86865a1edcf9e9091d9704940ede2d110644c23d60451349ff0818 |
| SHA512 | 4136f88d33563da6e61ef0e6df3afef8c0678ac096e50e7a1328dd5eafe55563e00b6392cc52198b1ffb95465a63c7a884f6db91c9dd66e511aeae641ae3dc5d |
memory/1992-25-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Nbkhfc32.exe
| MD5 | 18c4568a778d47768c88fd545b8b905c |
| SHA1 | 98cec839923eb1004871fd80ed8246ef89aaf899 |
| SHA256 | 7d2a00373b1111ce0d07eb757c7fc530db035326c1edf2b5b701d9c3fb00952f |
| SHA512 | 79971a59537a8083201abbbe055b64e744b088590f162c0a4572b11e387be67c9e55e9d44784b08f86e619a5deaa33eed7af182df7537766f1d17e4e3b096d4a |
memory/3124-37-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Ndidbn32.exe
| MD5 | d4c0f9a9d1b08bef1fce7c778adb1e92 |
| SHA1 | da33ebe364375adf74b678c03ca81e39a5885b66 |
| SHA256 | 0d2cbc0043655ea0c29cad2b58ff769864e6a6b9e08f8c0c0f32d7b6f23b1dbc |
| SHA512 | 69223127a176c5e430ba06bc564533fd563fd21221a6522ee1d91796e918d1c29bc4df6618fcfea8741e683cc993613a74d27f82d3e283d2474eece69280517d |
memory/2540-40-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Nkcmohbg.exe
| MD5 | 30fab00161bddeea543b5b990c7f4317 |
| SHA1 | 53421fb0c5d855642808ff17b71f367b3fd84c43 |
| SHA256 | 3a3c0a0c654294a2b6d318bb1b48d3f39c53a36ee6e72ba3432da6101da7c2ac |
| SHA512 | 1f4d46d71d9544cb33295d90e156dbb1e501606840d24db57a82171cce38abf2ceb1eee6abbba4951ee326efd787692bdce6489ba67088349efd29315073a047 |
memory/3328-49-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2540-51-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3124-52-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3328-50-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1992-53-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2140-55-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1184-56-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1692-54-0x0000000000400000-0x0000000000440000-memory.dmp