Analysis Overview
SHA256
01ee5dfc93b1ab96f600e79b6cecea4d7d89e1061f1fe91c5ef2c7b99f1d905a
Threat Level: Known bad
The file 09b410a6ed3f36af91142aae29719a60_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Berbew family
Malware Dropper & Backdoor - Berbew
Adds autorun key to be loaded by Explorer.exe on startup
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Program crash
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-01 23:19
Signatures
Berbew family
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 23:19
Reported
2024-06-01 23:22
Platform
win7-20240508-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fjdbnf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gacpdbej.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Iaeiieeb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dgaqgh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Filldb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Ghkllmoi.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hiqbndpb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hejoiedd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Fjdbnf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Epdkli32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fbdqmghm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Hiqbndpb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hiekid32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Henidd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Epieghdk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Epieghdk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Fejgko32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Efncicpm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Gkkemh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Users\Admin\AppData\Local\Temp\09b410a6ed3f36af91142aae29719a60_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fejgko32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gkkemh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Hgbebiao.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hpapln32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dgodbh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Dgdmmgpj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Dmafennb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Emcbkn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Feeiob32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Gieojq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Gacpdbej.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Users\Admin\AppData\Local\Temp\09b410a6ed3f36af91142aae29719a60_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Gpknlk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gieojq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Hpapln32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Iaeiieeb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dmafennb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Efncicpm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Hiekid32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hgilchkf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Dgaqgh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Feeiob32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hgbebiao.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Fbdqmghm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Emcbkn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Epdkli32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Eiaiqn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gobgcg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Gobgcg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ghkllmoi.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hahjpbad.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dgdmmgpj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Hgdbhi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hgdbhi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Hckcmjep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Idceea32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gogangdc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Eiaiqn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gpknlk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hckcmjep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Hejoiedd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Hgilchkf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Dgodbh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Gogangdc.exe | N/A |
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(41 matches reported for this signature, all without indicator, process or target detail; the identical rows are collapsed here.)
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Hahjpbad.exe | C:\Windows\SysWOW64\Hiqbndpb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hckcmjep.exe | C:\Windows\SysWOW64\Hgdbhi32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hiekid32.exe | C:\Windows\SysWOW64\Hejoiedd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fjdbnf32.exe | C:\Windows\SysWOW64\Eiaiqn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lkoabpeg.dll | C:\Windows\SysWOW64\Gpknlk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hepmggig.dll | C:\Windows\SysWOW64\Hckcmjep.exe | N/A |
| File created | C:\Windows\SysWOW64\Epdkli32.exe | C:\Windows\SysWOW64\Emcbkn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kifjcn32.dll | C:\Windows\SysWOW64\Fbdqmghm.exe | N/A |
| File created | C:\Windows\SysWOW64\Hgbebiao.exe | C:\Windows\SysWOW64\Gogangdc.exe | N/A |
| File created | C:\Windows\SysWOW64\Dmafennb.exe | C:\Windows\SysWOW64\Dgdmmgpj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dmafennb.exe | C:\Windows\SysWOW64\Dgdmmgpj.exe | N/A |
| File created | C:\Windows\SysWOW64\Epieghdk.exe | C:\Windows\SysWOW64\Efncicpm.exe | N/A |
| File created | C:\Windows\SysWOW64\Pqiqnfej.dll | C:\Windows\SysWOW64\Iaeiieeb.exe | N/A |
| File created | C:\Windows\SysWOW64\Iagfoe32.exe | C:\Windows\SysWOW64\Idceea32.exe | N/A |
| File created | C:\Windows\SysWOW64\Glqllcbf.dll | C:\Windows\SysWOW64\Hgilchkf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Idceea32.exe | C:\Windows\SysWOW64\Iaeiieeb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Epdkli32.exe | C:\Windows\SysWOW64\Emcbkn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gacpdbej.exe | C:\Windows\SysWOW64\Ghkllmoi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gacpdbej.exe | C:\Windows\SysWOW64\Ghkllmoi.exe | N/A |
| File created | C:\Windows\SysWOW64\Hgdbhi32.exe | C:\Windows\SysWOW64\Hahjpbad.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fbdqmghm.exe | C:\Windows\SysWOW64\Filldb32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hgdbhi32.exe | C:\Windows\SysWOW64\Hahjpbad.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Epieghdk.exe | C:\Windows\SysWOW64\Efncicpm.exe | N/A |
| File created | C:\Windows\SysWOW64\Jpbpbqda.dll | C:\Windows\SysWOW64\Dgdmmgpj.exe | N/A |
| File created | C:\Windows\SysWOW64\Efncicpm.exe | C:\Windows\SysWOW64\Epdkli32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hgmhlp32.dll | C:\Windows\SysWOW64\Dgodbh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gieojq32.exe | C:\Windows\SysWOW64\Gpknlk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Elpbcapg.dll | C:\Windows\SysWOW64\Ghkllmoi.exe | N/A |
| File created | C:\Windows\SysWOW64\Henidd32.exe | C:\Windows\SysWOW64\Hpapln32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gjenmobn.dll | C:\Windows\SysWOW64\Idceea32.exe | N/A |
| File created | C:\Windows\SysWOW64\Iebpge32.dll | C:\Windows\SysWOW64\Gobgcg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hejoiedd.exe | C:\Windows\SysWOW64\Hckcmjep.exe | N/A |
| File created | C:\Windows\SysWOW64\Idceea32.exe | C:\Windows\SysWOW64\Iaeiieeb.exe | N/A |
| File created | C:\Windows\SysWOW64\Gmibbifn.dll | C:\Windows\SysWOW64\Henidd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nbniiffi.dll | C:\Windows\SysWOW64\Hiekid32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Iaeiieeb.exe | C:\Windows\SysWOW64\Henidd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hckcmjep.exe | C:\Windows\SysWOW64\Hgdbhi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dgodbh32.exe | C:\Users\Admin\AppData\Local\Temp\09b410a6ed3f36af91142aae29719a60_NeikiAnalytics.exe | N/A |
| File created | C:\Windows\SysWOW64\Dgdmmgpj.exe | C:\Windows\SysWOW64\Dgaqgh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mmqgncdn.dll | C:\Windows\SysWOW64\Dmafennb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hiqbndpb.exe | C:\Windows\SysWOW64\Hgbebiao.exe | N/A |
| File created | C:\Windows\SysWOW64\Omabcb32.dll | C:\Windows\SysWOW64\Hgbebiao.exe | N/A |
| File created | C:\Windows\SysWOW64\Lpdhmlbj.dll | C:\Windows\SysWOW64\Efncicpm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Eiaiqn32.exe | C:\Windows\SysWOW64\Epieghdk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fejgko32.exe | C:\Windows\SysWOW64\Fjdbnf32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hpapln32.exe | C:\Windows\SysWOW64\Hgilchkf.exe | N/A |
| File created | C:\Windows\SysWOW64\Polebcgg.dll | C:\Windows\SysWOW64\Hpapln32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fejgko32.exe | C:\Windows\SysWOW64\Fjdbnf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gpknlk32.exe | C:\Windows\SysWOW64\Feeiob32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qdcbfq32.dll | C:\Windows\SysWOW64\Fjdbnf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fbdqmghm.exe | C:\Windows\SysWOW64\Filldb32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ghkllmoi.exe | C:\Windows\SysWOW64\Gobgcg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Njmekj32.dll | C:\Windows\SysWOW64\Hiqbndpb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Henidd32.exe | C:\Windows\SysWOW64\Hpapln32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cnkajfop.dll | C:\Windows\SysWOW64\Hahjpbad.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dgaqgh32.exe | C:\Windows\SysWOW64\Dgodbh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hllopfgo.dll | C:\Windows\SysWOW64\Gkkemh32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Iagfoe32.exe | C:\Windows\SysWOW64\Idceea32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gogangdc.exe | C:\Windows\SysWOW64\Gkkemh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dhflmk32.dll | C:\Windows\SysWOW64\Dgaqgh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Eiaiqn32.exe | C:\Windows\SysWOW64\Epieghdk.exe | N/A |
| File created | C:\Windows\SysWOW64\Dchfknpg.dll | C:\Windows\SysWOW64\Eiaiqn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gfoihbdp.dll | C:\Windows\SysWOW64\Feeiob32.exe | N/A |
| File created | C:\Windows\SysWOW64\Chhpdp32.dll | C:\Windows\SysWOW64\Gieojq32.exe | N/A |
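The "Drops file in System32 directory" rows above are the raw evidence for the Berbew relay: each stage writes the next stage's EXE plus one DLL into SysWOW64, but the table is ordered by neither time nor parent, so the chain has to be rebuilt. The Python below is an added example, not part of the sandbox report or of the sample, that reconstructs the chain from rows of this shape. The embedded rows are a constructed subset copied from the table above; some stages appear only as "File opened for modification" (e.g. Dgaqgh32.exe written by Dgodbh32.exe) with no matching "File created" row, so both descriptions are treated as links, and a creator that cannot be reached from the submitted sample is reported separately because the report shows only part of the drop table.

```python
import ntpath
from collections import defaultdict

# Constructed subset of the "Drops file in System32 directory" rows of this report.
SAMPLE_ROWS = r"""
| File created | C:\Windows\SysWOW64\Dgodbh32.exe | C:\Users\Admin\AppData\Local\Temp\09b410a6ed3f36af91142aae29719a60_NeikiAnalytics.exe | N/A |
| File created | C:\Windows\SysWOW64\Hgmhlp32.dll | C:\Windows\SysWOW64\Dgodbh32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dgaqgh32.exe | C:\Windows\SysWOW64\Dgodbh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dgdmmgpj.exe | C:\Windows\SysWOW64\Dgaqgh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dhflmk32.dll | C:\Windows\SysWOW64\Dgaqgh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dmafennb.exe | C:\Windows\SysWOW64\Dgdmmgpj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dmafennb.exe | C:\Windows\SysWOW64\Dgdmmgpj.exe | N/A |
| File created | C:\Windows\SysWOW64\Jpbpbqda.dll | C:\Windows\SysWOW64\Dgdmmgpj.exe | N/A |
| File created | C:\Windows\SysWOW64\Mmqgncdn.dll | C:\Windows\SysWOW64\Dmafennb.exe | N/A |
| File created | C:\Windows\SysWOW64\Hgbebiao.exe | C:\Windows\SysWOW64\Gogangdc.exe | N/A |
"""

# The submitted sample, i.e. the root of the drop chain.
ROOT = r"C:\Users\Admin\AppData\Local\Temp\09b410a6ed3f36af91142aae29719a60_NeikiAnalytics.exe"

# Both descriptions prove that the process wrote the target file.
LINK_DESCRIPTIONS = ("File created", "File opened for modification")


def parse_row(line):
    """Split one markdown table row into its four cells: Description, Indicator, Process, Target."""
    line = line.strip()
    if not line.startswith("|"):
        return None
    cells = [c.strip() for c in line.strip("|").split("|")]
    return cells if len(cells) == 4 and cells[0] != "Description" else None


def build_drop_graph(report_text):
    """Map each writing process (full path) to the list of files it wrote, in report order."""
    graph = defaultdict(list)
    for line in report_text.splitlines():
        cells = parse_row(line)
        if cells and cells[0] in LINK_DESCRIPTIONS:
            desc, path, process, _target = cells
            graph[process].append(path)
    return graph


def walk_chain(graph, root):
    """Follow the relay from root: at each stage record the DLL(s) it wrote and move to the EXE it wrote.

    Only the first EXE written by a stage is followed; a stage that writes several EXEs is
    listed under "branches" so the analyst can inspect it by hand. A cycle ends the walk.
    """
    chain, seen, cur = [], set(), root
    while cur and cur not in seen:
        seen.add(cur)
        written = list(dict.fromkeys(graph.get(cur, [])))  # dedupe created + opened-for-modification
        exes = [p for p in written if p.lower().endswith(".exe") and p != cur]
        dlls = sorted(ntpath.basename(p) for p in written if p.lower().endswith(".dll"))
        chain.append({"path": cur, "exe": ntpath.basename(cur), "dlls": dlls,
                      "branches": [ntpath.basename(p) for p in exes[1:]]})
        cur = exes[0] if exes else None
    return chain


def unlinked_creators(graph, chain):
    """Writers that never appear in the chain: stages whose parent link is missing from the report."""
    on_chain = {stage["path"] for stage in chain}
    return sorted(ntpath.basename(p) for p in graph if p not in on_chain)


def describe(chain, unlinked):
    lines = [" -> ".join(stage["exe"] for stage in chain)]
    for stage in chain:
        if stage["dlls"]:
            lines.append(f"  {stage['exe']} wrote DLL(s): {', '.join(stage['dlls'])}")
    if unlinked:
        lines.append(f"  not reachable from the sample (missing rows?): {', '.join(unlinked)}")
    return "\n".join(lines)


if __name__ == "__main__":
    g = build_drop_graph(SAMPLE_ROWS)
    c = walk_chain(g, ROOT)
    print(describe(c, unlinked_creators(g, c)))
```

Run against the full table from this report the walk stops at the last stage for which an EXE write is listed; the "not reachable" list then tells you which later stages (Gogangdc.exe, Hgbebiao.exe and so on) have a parent that the truncated table does not show.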
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Iagfoe32.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Hgbebiao.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Emcbkn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kifjcn32.dll" | C:\Windows\SysWOW64\Fbdqmghm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkoabpeg.dll" | C:\Windows\SysWOW64\Gpknlk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gobgcg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Dgodbh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Hgdbhi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Filldb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cabknqko.dll" | C:\Windows\SysWOW64\Hgdbhi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Hckcmjep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Emcbkn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Iaeiieeb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Eiaiqn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfknpg.dll" | C:\Windows\SysWOW64\Eiaiqn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Gieojq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ghkllmoi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Fejgko32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Gpknlk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gkkemh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Hpapln32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glpjaf32.dll" | C:\Windows\SysWOW64\Emcbkn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcaipkch.dll" | C:\Windows\SysWOW64\Gacpdbej.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Gogangdc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gogangdc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hiqbndpb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Iaeiieeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgmhlp32.dll" | C:\Windows\SysWOW64\Dgodbh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkojpojq.dll" | C:\Windows\SysWOW64\Epdkli32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hepmggig.dll" | C:\Windows\SysWOW64\Hckcmjep.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Henidd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dgdmmgpj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gpknlk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpbpbqda.dll" | C:\Windows\SysWOW64\Dgdmmgpj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Fjdbnf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gknfklng.dll" | C:\Windows\SysWOW64\Hejoiedd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dgodbh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdcbfq32.dll" | C:\Windows\SysWOW64\Fjdbnf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clphjpmh.dll" | C:\Windows\SysWOW64\Filldb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Idceea32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Gobgcg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Ghkllmoi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polebcgg.dll" | C:\Windows\SysWOW64\Hpapln32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hpapln32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Filldb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | C:\Users\Admin\AppData\Local\Temp\09b410a6ed3f36af91142aae29719a60_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Hahjpbad.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hgilchkf.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Epieghdk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Hiekid32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Henidd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqiqnfej.dll" | C:\Windows\SysWOW64\Iaeiieeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\09b410a6ed3f36af91142aae29719a60_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmqgncdn.dll" | C:\Windows\SysWOW64\Dmafennb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gieojq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hgdbhi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnkajfop.dll" | C:\Windows\SysWOW64\Hahjpbad.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhggeddb.dll" | C:\Windows\SysWOW64\Fejgko32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fbdqmghm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iebpge32.dll" | C:\Windows\SysWOW64\Gobgcg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omabcb32.dll" | C:\Windows\SysWOW64\Hgbebiao.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Epdkli32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gacpdbej.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll" | C:\Windows\SysWOW64\Idceea32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Feeiob32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\09b410a6ed3f36af91142aae29719a60_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\09b410a6ed3f36af91142aae29719a60_NeikiAnalytics.exe" |
| C:\Windows\SysWOW64\Dgodbh32.exe | C:\Windows\system32\Dgodbh32.exe |
| C:\Windows\SysWOW64\Dgaqgh32.exe | C:\Windows\system32\Dgaqgh32.exe |
| C:\Windows\SysWOW64\Dgdmmgpj.exe | C:\Windows\system32\Dgdmmgpj.exe |
| C:\Windows\SysWOW64\Dmafennb.exe | C:\Windows\system32\Dmafennb.exe |
| C:\Windows\SysWOW64\Emcbkn32.exe | C:\Windows\system32\Emcbkn32.exe |
| C:\Windows\SysWOW64\Epdkli32.exe | C:\Windows\system32\Epdkli32.exe |
| C:\Windows\SysWOW64\Efncicpm.exe | C:\Windows\system32\Efncicpm.exe |
| C:\Windows\SysWOW64\Epieghdk.exe | C:\Windows\system32\Epieghdk.exe |
| C:\Windows\SysWOW64\Eiaiqn32.exe | C:\Windows\system32\Eiaiqn32.exe |
| C:\Windows\SysWOW64\Fjdbnf32.exe | C:\Windows\system32\Fjdbnf32.exe |
| C:\Windows\SysWOW64\Fejgko32.exe | C:\Windows\system32\Fejgko32.exe |
| C:\Windows\SysWOW64\Filldb32.exe | C:\Windows\system32\Filldb32.exe |
| C:\Windows\SysWOW64\Fbdqmghm.exe | C:\Windows\system32\Fbdqmghm.exe |
| C:\Windows\SysWOW64\Feeiob32.exe | C:\Windows\system32\Feeiob32.exe |
| C:\Windows\SysWOW64\Gpknlk32.exe | C:\Windows\system32\Gpknlk32.exe |
| C:\Windows\SysWOW64\Gieojq32.exe | C:\Windows\system32\Gieojq32.exe |
| C:\Windows\SysWOW64\Gobgcg32.exe | C:\Windows\system32\Gobgcg32.exe |
| C:\Windows\SysWOW64\Ghkllmoi.exe | C:\Windows\system32\Ghkllmoi.exe |
| C:\Windows\SysWOW64\Gacpdbej.exe | C:\Windows\system32\Gacpdbej.exe |
| C:\Windows\SysWOW64\Gkkemh32.exe | C:\Windows\system32\Gkkemh32.exe |
| C:\Windows\SysWOW64\Gogangdc.exe | C:\Windows\system32\Gogangdc.exe |
| C:\Windows\SysWOW64\Hgbebiao.exe | C:\Windows\system32\Hgbebiao.exe |
| C:\Windows\SysWOW64\Hiqbndpb.exe | C:\Windows\system32\Hiqbndpb.exe |
| C:\Windows\SysWOW64\Hahjpbad.exe | C:\Windows\system32\Hahjpbad.exe |
| C:\Windows\SysWOW64\Hgdbhi32.exe | C:\Windows\system32\Hgdbhi32.exe |
| C:\Windows\SysWOW64\Hckcmjep.exe | C:\Windows\system32\Hckcmjep.exe |
| C:\Windows\SysWOW64\Hejoiedd.exe | C:\Windows\system32\Hejoiedd.exe |
| C:\Windows\SysWOW64\Hiekid32.exe | C:\Windows\system32\Hiekid32.exe |
| C:\Windows\SysWOW64\Hgilchkf.exe | C:\Windows\system32\Hgilchkf.exe |
| C:\Windows\SysWOW64\Hpapln32.exe | C:\Windows\system32\Hpapln32.exe |
| C:\Windows\SysWOW64\Henidd32.exe | C:\Windows\system32\Henidd32.exe |
| C:\Windows\SysWOW64\Iaeiieeb.exe | C:\Windows\system32\Iaeiieeb.exe |
| C:\Windows\SysWOW64\Idceea32.exe | C:\Windows\system32\Idceea32.exe |
| C:\Windows\SysWOW64\Iagfoe32.exe | C:\Windows\system32\Iagfoe32.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 140 |
Network
Files
memory/2980-0-0x0000000000400000-0x0000000000434000-memory.dmp
\Windows\SysWOW64\Dgodbh32.exe
| MD5 | d2ad7e430e1f75b810851a475ce3e1bd |
| SHA1 | efa38a60fc9e89f7560a328e628ba917f929fa04 |
| SHA256 | fd275edfc0d6d8e18c0468f549b02d41b7822af5d0b1b14e6266fcc08436c5e2 |
| SHA512 | 9d3c34d28452b10d3e3074ba53d066f24c99aeb818d74fe07ee6b1efdc41e8d14f84938e0b61061eaf863f57956087ecb17e9e6cc0c72b6a76f8d13400f039a3 |
memory/2980-6-0x0000000000480000-0x00000000004B4000-memory.dmp
\Windows\SysWOW64\Dgaqgh32.exe
| MD5 | 100c0cb3745a6dd1929e46d49031f777 |
| SHA1 | 15f6b9ab4b5cf69fc6f5f5288af86946ffe89ef2 |
| SHA256 | 36bfac386438cc8e3883a99d9b2d9c8c797caa74d83bb133b668485941a78c19 |
| SHA512 | d2cffca6895f1ca6bad868bc26ba0883b83f3977155bdb23a070343aa1c3882f89db81c9511c43537b41767c26287591bd500c60b410e7185d15a91592349503 |
memory/2284-27-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1228-26-0x0000000000250000-0x0000000000284000-memory.dmp
memory/1228-25-0x0000000000250000-0x0000000000284000-memory.dmp
\Windows\SysWOW64\Dgdmmgpj.exe
| MD5 | b75bd3afce77c654ff3085ae1e213b6e |
| SHA1 | a7f2db8a81fd81e44cd8976a40b605986325ca47 |
| SHA256 | 652712beaad87055dc9716d40764be46e60023920d26eedda309b5f81676c328 |
| SHA512 | 142b66c909c3055e02ec531da136a1209c5e03662775387b02dce0876aa83dcbc1be3ad1f7372730242e7bf7406f27aedb8b1018061c9979c3357e4b8983a89b |
memory/2808-41-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Dmafennb.exe
| MD5 | 9007db0141c43c6f44667358ebcb3708 |
| SHA1 | 87d73f62db2d21b36df9bfb3bb962bf62d2c81f3 |
| SHA256 | 898c114cbe09505914ddd6ea8b34469eee0fa7c6270e1ea9e81e755f7e318536 |
| SHA512 | 6fa5a053edda4e89c9ed4baca312842eb1e401d9599c5c2316b9e30bfd322659ff3a5ed8b8d2430b2560dcd4ef36a30123901e042492817e3d6b8d30ee932979 |
memory/2284-40-0x0000000000250000-0x0000000000284000-memory.dmp
memory/2152-54-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Mmqgncdn.dll
| MD5 | bfda311143aa579c9915aedbc4e39b12 |
| SHA1 | 2c5acfe45b726413ee705d3a30299d0a5e87aa10 |
| SHA256 | ce204b2bb9e31b1aa3fbb8f2273a3ed9417b8398f382a4a6b557b4b0cf7f9fc6 |
| SHA512 | 787f213dff0bea30ee195441f052994a8db363b8ae6b36a3e3b62d9d2d181a3caab8941f8d4d01205bf21ed6932427f87a277ee91642709453eda514f964c230 |
\Windows\SysWOW64\Emcbkn32.exe
| MD5 | 706c33011009502e5b9e82fa0651c347 |
| SHA1 | 8656c9a8d7b0b4e65a9fdb09f79b933fbb7f2d8a |
| SHA256 | 383c515e01a95491269b13a9bde3f46bc7811951fd853dacfa1ce6f75e6d8fa6 |
| SHA512 | accb3b26784bf146ddf3d880e2c2221ea2cb0997efab21ba4c662939d2dcab702fccbf5517871e2f1d97c370400e80e706e5014515e56361c156d65c893465cb |
memory/2536-67-0x0000000000400000-0x0000000000434000-memory.dmp
\Windows\SysWOW64\Epdkli32.exe
| MD5 | 7dd3f22f020c55e863b984b51e63b81d |
| SHA1 | 9d164af3dd320506cb17bd645a8546ee9ee29a99 |
| SHA256 | 8e96c8d9625786cc05e50508d1605d58b93357d6b80f5855416ab6c0f980079c |
| SHA512 | 5d5b0b21c2271221bc4b2e4c0558810e7afee79da4af37943e1b3b8357bfbf1c850e45202199e752b8cf17d57cae1b1de99adb9844192935e3a4a4a4ae106d38 |
memory/2132-95-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Efncicpm.exe
| MD5 | 3dbfb29c6a81530dcf97788bab2115e0 |
| SHA1 | abd7804393d27bad3441d781b98f1f82ac8d9f2f |
| SHA256 | d6a894e4e3c5ddd7d50d9f553e9141f300a62f379ebf5b993d35dee88880cb00 |
| SHA512 | df147e2acbbbf3f1ab4532dfd04ed728342eba188a7c46e1ccd8d54e18109c03c3c6c6c7431de323c356f945a7ba2f0cd4df2b877c4b3aa6eddea1eee2f611ec |
memory/2508-93-0x0000000000250000-0x0000000000284000-memory.dmp
memory/2508-82-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2536-79-0x00000000002C0000-0x00000000002F4000-memory.dmp
\Windows\SysWOW64\Epieghdk.exe
| MD5 | e2b69d10ecc7b4a16574e1c407c356fe |
| SHA1 | 416bbf58885d863378fc393b3367ccad0b1f67b1 |
| SHA256 | 8245ffccc29cda1d44cc453502fd2911accbb7addca25c5253a45bfefab8ce3d |
| SHA512 | 0b0f2181196dca86d97e47d49216385a2a44c441238f73ac66117fff3c7a89f72b3db536b34e1d754aec073507d161290357376526549b5096b1d4fb58f5bd6d |
memory/2132-103-0x0000000000250000-0x0000000000284000-memory.dmp
memory/2884-113-0x0000000000400000-0x0000000000434000-memory.dmp
\Windows\SysWOW64\Eiaiqn32.exe
| MD5 | fa3e3c1bf4fa2e2bd6333c835ee6d893 |
| SHA1 | 6c06eba34bfe118c5a6a9b080b0ab17772316b26 |
| SHA256 | 4892c6d3ce0ed02890868203cc767d6534f0aa7575a1dce70a83e43228a648b5 |
| SHA512 | 1eeddfee99ff591aad65246ecc44ce8fb6855ada17589360ead1ca0c30438d71adbb75928c0cb27fc2648d2259c90dad5959e8da2d2c12a3ada6fadc3a911268 |
memory/2884-117-0x0000000000480000-0x00000000004B4000-memory.dmp
memory/3024-123-0x0000000000400000-0x0000000000434000-memory.dmp
\Windows\SysWOW64\Fjdbnf32.exe
| MD5 | 621321c3dd1277a2b57cc27b1f053c61 |
| SHA1 | 604499f667ccae8b478e3318e0e3ea290e2522cb |
| SHA256 | 168e935266b4e1e3abdc804c7560f51efa316969050ead0b1f3be83077979897 |
| SHA512 | 7b0369f3818d16a2ee30408056ed80fcef693614f3d0c5acb32dbfc5b3cda0888a0ab805e1c9141b8f9b20b5bc4074a17780574eadfe328f86e831edf6ec03f4 |
memory/3024-135-0x0000000000250000-0x0000000000284000-memory.dmp
memory/1316-137-0x0000000000400000-0x0000000000434000-memory.dmp
\Windows\SysWOW64\Fejgko32.exe
| MD5 | 5ce255ec25a6195cabf88d469db2d739 |
| SHA1 | 3b11994f1a31a367c494e31c33971ec64976557c |
| SHA256 | 2f4d543cd9511c0ff63051f78162bec3f4f753c07a91805d30942052f72a7bf4 |
| SHA512 | b44b74d9748b70d3f0bcbbf861eb58c76978352bc2ce7e83a773c6b0c06bee5c747ade40cdef03d956119df23f7904827dba70694d6a7990cdf6638ce1461ffa |
memory/1636-151-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1316-150-0x0000000000250000-0x0000000000284000-memory.dmp
\Windows\SysWOW64\Filldb32.exe
| MD5 | ed79e2dc78347be2ce9df54dd8a01147 |
| SHA1 | 252b63973ff5732a7aff7512e0c4fa9a601230ee |
| SHA256 | e64436746cdfe5841446b5398f15e8dfecc63a85ecaba6a3f399626951d76741 |
| SHA512 | 33b516792ea30ff9f44f23ea340fde2a055c575ae01ae615031cf4d688097c4a8631b3add87a1f0fab5d595fe5162319bfbbfc4618ce4f8bdcdc83d333b40e55 |
memory/1636-158-0x00000000004B0000-0x00000000004E4000-memory.dmp
memory/1592-178-0x0000000000400000-0x0000000000434000-memory.dmp
memory/328-177-0x00000000002D0000-0x0000000000304000-memory.dmp
C:\Windows\SysWOW64\Fbdqmghm.exe
| MD5 | 5638733101eb9e10a7e83c78309015e6 |
| SHA1 | 9307d277e9da8ab3178be1c728f716340a2705f0 |
| SHA256 | 367be812d91462a2e94f014c67022eb202681c6777f66cef291492fac7005145 |
| SHA512 | c11d65d4aaf14c7d66ac54cd35546b80c7d4cc53ae88bbdd50647ec8016ebd8405190ebe70d4dced18ffd3f0479b60c306d8c459c663224812c2a86e1f1bcee4 |
\Windows\SysWOW64\Feeiob32.exe
| MD5 | de47c5b1a313d2bad9917021fc309e49 |
| SHA1 | 15d9db3f8480a3ae9b4f91475253a7c729b649fc |
| SHA256 | fd5c4d0bf4957c3c130b9ee937d38a439cff1bf03f528374ab18c22bf72c9711 |
| SHA512 | baecc7ff6b4e1606b6fdc69243c12d9639f4b8f32a5e7310d0f02ccacf98df759bc500fd5b83acbe5d8bedbbc639d349d640b420903fdb531ffacbcd11a1c5a1 |
memory/1592-190-0x00000000002E0000-0x0000000000314000-memory.dmp
\Windows\SysWOW64\Gpknlk32.exe
| MD5 | 6956a065b5189ec694a714dc3d311442 |
| SHA1 | 941198ea0fd5a27498a3dd78836c05d01e7c0847 |
| SHA256 | 35b599ed9ac51ce62f8238be6b7357e11a4358cb6e28856c5e69a0efb814d1e2 |
| SHA512 | 5c1808254c9eb2c5db2c5aad83ddf5d0b3a18da0f99c925df3ce0bedeae1f4c66e9d0272e6be33eed015cf8c9855a745d019db45bef3120d06d51204ce86fa93 |
memory/2084-192-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2492-205-0x0000000000400000-0x0000000000434000-memory.dmp
\Windows\SysWOW64\Gieojq32.exe
| MD5 | e2b324635d9f76e47b230392b1999bfd |
| SHA1 | 1ef392047bc31cc1c598630a9932881cc7d1242b |
| SHA256 | 256687f8b442e02da40b3516efeaf51d5b03774b09f34242257481263028e4d3 |
| SHA512 | 17f215d850b501eb338de4f748d87b9ede5e44c7257d3ff24119f8eafe949f29493e48042650a5296b7767725edc8f1124baff3933ea425dc512c26ce33484ca |
memory/2492-212-0x0000000000290000-0x00000000002C4000-memory.dmp
C:\Windows\SysWOW64\Gobgcg32.exe
| MD5 | 5214225412ee817c8688f4c6234c88c7 |
| SHA1 | 74b8cf7a997c98d1f3eefc86f87eee625f84fc10 |
| SHA256 | a9f58cde6706320e0592b14b4248f985806e26b25b578c7835ddceeba8491cd4 |
| SHA512 | 54412674c59c562c81c75670f5407cd1c893bede0a5c15d6428ea1bc479c3595c64a154b1c8db469889c283d114ad8c9976f9bd8934f550b8da7da4c7715d9f3 |
memory/688-233-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1028-229-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2492-228-0x0000000000290000-0x00000000002C4000-memory.dmp
C:\Windows\SysWOW64\Ghkllmoi.exe
| MD5 | c728cbc4e44b5206c02b08c7c6159d52 |
| SHA1 | aa72b395fe0d9d0328dc8875b92a9617389f1858 |
| SHA256 | 268cb4d6ea1bc9a460ab6192e6ae2dea54f78ae173fdd5c07aa7fd3cba3938e1 |
| SHA512 | b00f52b7c78324c009ac175a5b38c37c15414444c080ca5e634b402d5696e9eeffec4be2fb93779a0ab70573c462c32431a17dca5479602b085ff7180a11cc72 |
memory/2472-240-0x0000000000400000-0x0000000000434000-memory.dmp
memory/688-239-0x0000000000250000-0x0000000000284000-memory.dmp
C:\Windows\SysWOW64\Gacpdbej.exe
| MD5 | 259fcb4937d89597b128562fc867ce71 |
| SHA1 | 17bfb9fa03842f8aaccc70a8c0df025acecc594c |
| SHA256 | 47d9df207e7e1c0b0475d94abf3e50338b2ec96a2e91875906cc05e620f327cc |
| SHA512 | e6e49f76aef2ebdb3f3430322ac712db260bdcbf9367125024ade3db8021da565ca739015506ad4b1fd8e17ad531e8746c0651797e2e1b1c49013412a396ec33 |
memory/1792-250-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2472-249-0x0000000000260000-0x0000000000294000-memory.dmp
memory/1792-259-0x00000000002D0000-0x0000000000304000-memory.dmp
C:\Windows\SysWOW64\Gkkemh32.exe
| MD5 | 6a28910e7fd3bb03dfa678d59ad67600 |
| SHA1 | 7da905b35ed2f248cc5f29c714a85a7372a2d649 |
| SHA256 | 53ce9367ec0e06c8655c77c3663e99105f38129812f86d32e64f9a4886d66a37 |
| SHA512 | 739b7cbd588c7cd1f07a6161caa2e450ca91cb995d749aa89266da1bd2bd58b22e2ae7ec98e6ec4657436d419169eb3cfec75813cea9a61d3e08efe1b835668b |
C:\Windows\SysWOW64\Gogangdc.exe
| MD5 | 95e0909f27d3c4bfff49c81e3e0a253c |
| SHA1 | 1fd17d74e5deb297ced8affd01086f6dd2614166 |
| SHA256 | 6e97d9917f9a1c1f10f60ff5fbdcaaf67eb6cf0b22d40ad5f8a0d480d3232419 |
| SHA512 | 62c28570983590f3fbb336bce43748288fe5aa07951e365bf41b30e6506f5b1eb3eefa5f54210c964f4824f51f32116b76206e0dd23915e6d44f257a97692f3f |
memory/1728-268-0x00000000002B0000-0x00000000002E4000-memory.dmp
memory/1348-269-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Hgbebiao.exe
| MD5 | 3ff1bb8b0e7969dfc147511106b49bec |
| SHA1 | 3e5e77144e6d753d382103b67a600976136ccc2e |
| SHA256 | 2b13eb6df504873a1cc5c6e36bf19c8c3e383d4f881883f2e61c48dee2f0919f |
| SHA512 | b5ffdcf580a68c3b58c22356b61f5c960fa6137bc1ed3e25285234bbe9990c265a551e2bd2974669ef59c8fcc0c8107aab80bc2a3174d96b1d3b3c87e891588e |
memory/744-288-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1724-287-0x0000000000280000-0x00000000002B4000-memory.dmp
C:\Windows\SysWOW64\Hiqbndpb.exe
| MD5 | 1900272a8d035a127a3c55978005dac8 |
| SHA1 | 53716d0bd329a2167ae5d803c56226e71b1e638d |
| SHA256 | de8f1b09ae5cd6b6b20594ccff4ca2d82104055967878641e49c00eba906920b |
| SHA512 | e22b873ab45a15ccbfcfd038694ee175a43a8a7a0578eea60fc5b3d5bd534216cfe7507f7acd820ade25979982bfbec1bfe39624bc5a388154090f2ed9b8b156 |
memory/1724-283-0x0000000000400000-0x0000000000434000-memory.dmp
memory/744-297-0x0000000000250000-0x0000000000284000-memory.dmp
C:\Windows\SysWOW64\Hahjpbad.exe
| MD5 | f9474cbce274d1af27d5884309638a7b |
| SHA1 | 4efd6b16318aec6ec51e9d1dfe4f670744eb42d1 |
| SHA256 | fda40c853e8e45bf19ddfd4f75aa87fc7655e015ba1cd76dffc72cb837778a30 |
| SHA512 | 1e022f7653fb90210deb165327ff92807d8625ee9bce9e820484051b314c1f84f5798c5842cb63f3be454cd44bf741850c92d3f8d7c90833ed12cc890058d257 |
memory/2128-309-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2972-308-0x0000000000440000-0x0000000000474000-memory.dmp
memory/2972-307-0x0000000000440000-0x0000000000474000-memory.dmp
C:\Windows\SysWOW64\Hgdbhi32.exe
| MD5 | dafcb2004599489333187a496d532ee7 |
| SHA1 | f3be70ec78d422d277c6761420dcdcb864d84558 |
| SHA256 | 81de1b951034153632a76fa44e6df92ce46acde978ea37a5bac7e10a8256c690 |
| SHA512 | 82662a97d00c5b771379ea15e0f4de2eff8e592c1a3613f2a90a728b8d49376a55343e2c729042a2e957acb249e2b9dacae59934c24c9c3cdbc9f89cea4a6310 |
memory/2972-302-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Hckcmjep.exe
| MD5 | 66328638a816f2b046cd7951f8628365 |
| SHA1 | 3fdbb3b4dcf5f18c2b612d8e1ac241bab3cf6561 |
| SHA256 | 216ba97961c097fa06042838fecb7d8dd3a2adcf7bdac0d55220682ab085d75d |
| SHA512 | 838395246d08dee1b6d9014692f631f05e0ab51080ca2786f1220eb82727652f4b1ac8c89bc461c5b04c16eddb7d3d092d90433a8d4cb530f5fa0c6d5a9f796b |
C:\Windows\SysWOW64\Hejoiedd.exe
| MD5 | e12ed60cc571042ab8841f7c38ad66f0 |
| SHA1 | 1e5b0dd6c1f4a777947c98f46c8c0d2c452f155b |
| SHA256 | feb73d70ff72bc636627a1751686b950ff6ebde959a1125c435fcad836cbf0bb |
| SHA512 | b22c6a1dadd54ef17c23daf756b966c2bf4715ac711b1bed1c37b220aa081f16cd1e0635cf0ce1024e987795591e1b962c77145bb510f4eeed30294a3a32c614 |
memory/2196-334-0x0000000000250000-0x0000000000284000-memory.dmp
memory/2196-330-0x0000000000250000-0x0000000000284000-memory.dmp
memory/2184-329-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2196-328-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2128-327-0x0000000000250000-0x0000000000284000-memory.dmp
memory/2128-326-0x0000000000250000-0x0000000000284000-memory.dmp
C:\Windows\SysWOW64\Hiekid32.exe
| MD5 | 3890d7ec58d69007dea829f2394eaf99 |
| SHA1 | 693a1435ff6b209e92f668acec5c92a0c87138c3 |
| SHA256 | 717a4cef555caca50d040ef1d7e227d6edd9c05a7372eb5adefb103681fa9c37 |
| SHA512 | 46aac860b9fa385a206da640a0b7ac8ec4b933715891f79b538abf502646a39f47bae9b7cd4d927b71e112f587ac8470e5a6db90d3f6aa47528d25c6b43e469f |
memory/2600-348-0x00000000002E0000-0x0000000000314000-memory.dmp
C:\Windows\SysWOW64\Hgilchkf.exe
| MD5 | abfe1ff35ab6e4f533329aa9309b7456 |
| SHA1 | 0cf4c3d06f7b2968475dc89113b4ae6283d6647d |
| SHA256 | b1bd12f12c5ca3b9e05be01ec9c56ca49bbac1c0c28de197e4a38c726455ffc8 |
| SHA512 | 7a1760a24dceb27993c410d03fb18428ab345f1e6d275bcfd7b72a85758db5cd7f6c5bdffdd211a67ddb248212862deea53008e6ccfedddc6c58622e9b2025f4 |
memory/2600-346-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2184-345-0x0000000000290000-0x00000000002C4000-memory.dmp
memory/2184-344-0x0000000000290000-0x00000000002C4000-memory.dmp
memory/1736-353-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2600-352-0x00000000002E0000-0x0000000000314000-memory.dmp
C:\Windows\SysWOW64\Hpapln32.exe
| MD5 | c19449d631ec236576f42661b5b9bc4c |
| SHA1 | ad7ad2fa8c98acd3802a476bf22704b2bb5fafc2 |
| SHA256 | 4b4d8c86026f231afd87fb0ab3a272174ccce31675c4b8fecd765f17918bd5e2 |
| SHA512 | 9a4b73dd39bae5619fb3f2913a1acb7be7194ae1a11b054ef1fdfc68fa099bac1b828b54c7622752094f0a45556aae1ab0334e85a87bf1cf32750d6a8a0b9a90 |
memory/2768-367-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1736-363-0x0000000000260000-0x0000000000294000-memory.dmp
memory/1736-362-0x0000000000260000-0x0000000000294000-memory.dmp
C:\Windows\SysWOW64\Henidd32.exe
| MD5 | fa520323e2da6172e34531cad225f51e |
| SHA1 | 5a6b0ced0e06c089b2dd6cef83f64f2fbe76b0e3 |
| SHA256 | 3b92ac0c13847885e5165a67a1852af02182047abdc4e3a30486a60d304dc3cc |
| SHA512 | 4bc2618f92f1e0446bbe178193edddb4d4b1070153b45c82f61574be08c7a31bd5e6cd4293ebb80a6896e215db19c96f2de96ea97af6a3b3e1e0aa9cedf62506 |
memory/2828-375-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2768-374-0x0000000000250000-0x0000000000284000-memory.dmp
memory/2768-373-0x0000000000250000-0x0000000000284000-memory.dmp
C:\Windows\SysWOW64\Iaeiieeb.exe
| MD5 | 5c1799a9337384ebaf181fa0e5559347 |
| SHA1 | 9023a418520d7f608994082f341d3bf3aeb7b182 |
| SHA256 | 1dc140ef8c1000a8d6860d187043c5a78795b4e1f3c81be4f159e601587f9f11 |
| SHA512 | a548e26c0d428546c8ff003fa2121cd1722332a0a17ea4a0b627c6681a033971c4fec54c8c02b849a3a1c018bda462ef580285adce4a75ddc25a926a17bad289 |
memory/2540-390-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2828-389-0x0000000000250000-0x0000000000284000-memory.dmp
memory/2828-388-0x0000000000250000-0x0000000000284000-memory.dmp
C:\Windows\SysWOW64\Idceea32.exe
| MD5 | 0b2c0142939cdb1c3da85a7089e76f0b |
| SHA1 | 8c22486a6cf8a7caf5abc77a4fe03c474c345c93 |
| SHA256 | ec88cb122092c44561b9aaab571b2ca9931b0a4053068982592aaf510fc39f63 |
| SHA512 | ccf877987538f61b4418e5709612e5a41bdc47ce9b807dafd411d2afd6b84285e9c49ac74058aa9412e33a65cd0ab6b56f0177f54a0f8e2ccae52afc653bb10b |
memory/2688-396-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2540-395-0x0000000000270000-0x00000000002A4000-memory.dmp
memory/2688-402-0x0000000000440000-0x0000000000474000-memory.dmp
C:\Windows\SysWOW64\Iagfoe32.exe
| MD5 | d7793a993b4687c242bdfd989dccff83 |
| SHA1 | a829b8d65e620db96f5e2219487d98fd8a22f518 |
| SHA256 | 21789f30391bf4b783cf9d418828622df96db8e6e495515c4e5a7eca6311190c |
| SHA512 | 710fe649a2040329743801b2b1349e458106e5043adb6c14815c877eb54c8901f6fb28bfcd5380d992b6b7182257be3b38fe90d8cd1f265eb2fee45651d29fd9 |
memory/2688-406-0x0000000000440000-0x0000000000474000-memory.dmp
memory/2332-407-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2980-408-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1228-409-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2284-410-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2808-411-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2152-412-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2536-413-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2508-414-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2132-415-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2884-416-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3024-417-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1316-418-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1636-419-0x0000000000400000-0x0000000000434000-memory.dmp
memory/328-420-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1592-421-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2084-422-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2492-423-0x0000000000400000-0x0000000000434000-memory.dmp
memory/688-424-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2472-425-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1792-426-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1728-427-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1348-428-0x0000000000400000-0x0000000000434000-memory.dmp
memory/744-429-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2972-430-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2128-431-0x0000000000400000-0x0000000000434000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 23:19
Reported
2024-06-01 23:22
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
154s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cdiooblp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Icifbang.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Ibnccmbo.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bnhjohkb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cliaoq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Mmpijp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Ndokbi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Abkjdnoa.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dhkapp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ipdqba32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Nljofl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Bnhjohkb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Bgehcmmm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Ednaqo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fhcpgmjf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ocnjidkf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Dfknkg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Dbllbibl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Gdcdbl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Hfcicmqp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Icgjmapi.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Oqhacgdh.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Chpada32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Dhidjpqc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hmhhehlb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Ndaggimg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nnlhfn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Ceckcp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bkidenlg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cbcilkjg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gfembo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Cjinkg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Dhkjej32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Chbnia32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Dekhneap.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Dadeieea.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dafbne32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jpnchp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lpqiemge.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mlampmdo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Ncfdie32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Bjokdipf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bhaebcen.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Daolnf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Fckajehi.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ildkgc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ipbdmaah.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ojaelm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pdfjifjo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Pdfjifjo.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dhkjej32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dlgmpogj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Ojllan32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Hbgmcnhf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Ngbpidjh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Bobcpmfc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Cojjqlpk.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cdkldb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dkgqfl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Echknh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Iiaephpc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bagflcje.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Iemppiab.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Ibqpimpl.exe | N/A |
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Lfkaag32.exe | C:\Windows\SysWOW64\Lpqiemge.exe | N/A |
| File created | C:\Windows\SysWOW64\Ndaggimg.exe | C:\Windows\SysWOW64\Nljofl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bobiobnp.dll | C:\Windows\SysWOW64\Dhmgki32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mlampmdo.exe | C:\Windows\SysWOW64\Mibpda32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ndfqbhia.exe | C:\Windows\SysWOW64\Nnlhfn32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cklaknjd.exe | C:\Windows\SysWOW64\Cliaoq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gokdeeec.exe | C:\Windows\SysWOW64\Ghaliknf.exe | N/A |
| File created | C:\Windows\SysWOW64\Mibpda32.exe | C:\Windows\SysWOW64\Mgddhf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dohfbj32.exe | C:\Windows\SysWOW64\Dlijfneg.exe | N/A |
| File created | C:\Windows\SysWOW64\Bkblkg32.dll | C:\Windows\SysWOW64\Ibqpimpl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cbjoljdo.exe | C:\Windows\SysWOW64\Conclk32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ehnglm32.exe | C:\Windows\SysWOW64\Edbklofb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Aminee32.exe | C:\Windows\SysWOW64\Afoeiklb.exe | N/A |
| File created | C:\Windows\SysWOW64\Nniadn32.dll | C:\Windows\SysWOW64\Mdckfk32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nnlhfn32.exe | C:\Windows\SysWOW64\Ngbpidjh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cdiooblp.exe | C:\Windows\SysWOW64\Cefoce32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fojlngce.exe | C:\Windows\SysWOW64\Fllpbldb.exe | N/A |
| File created | C:\Windows\SysWOW64\Hmhhehlb.exe | C:\Windows\SysWOW64\Heapdjlp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fkalchij.exe | C:\Windows\SysWOW64\Fhcpgmjf.exe | N/A |
| File created | C:\Windows\SysWOW64\Cleqadmh.dll | C:\Windows\SysWOW64\Andgoobc.exe | N/A |
| File created | C:\Windows\SysWOW64\Bnnjen32.exe | C:\Windows\SysWOW64\Bdhfhe32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fojlngce.exe | C:\Windows\SysWOW64\Fllpbldb.exe | N/A |
| File created | C:\Windows\SysWOW64\Fllifblf.dll | C:\Windows\SysWOW64\Jbeidl32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jianff32.exe | C:\Windows\SysWOW64\Jfcbjk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Acbmpm32.dll | C:\Windows\SysWOW64\Ednaqo32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ffimfqgm.exe | C:\Windows\SysWOW64\Fckajehi.exe | N/A |
| File created | C:\Windows\SysWOW64\Pacghh32.dll | C:\Windows\SysWOW64\Imdgqfbd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pfolbmje.exe | C:\Windows\SysWOW64\Pqbdjfln.exe | N/A |
| File created | C:\Windows\SysWOW64\Keoakjca.dll | C:\Windows\SysWOW64\Chpada32.exe | N/A |
| File created | C:\Windows\SysWOW64\Eemnjbaj.exe | C:\Windows\SysWOW64\Ecoangbg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lllcen32.exe | C:\Windows\SysWOW64\Lingibiq.exe | N/A |
| File created | C:\Windows\SysWOW64\Lpqiemge.exe | C:\Windows\SysWOW64\Lmbmibhb.exe | N/A |
| File created | C:\Windows\SysWOW64\Ldanqkki.exe | C:\Windows\SysWOW64\Lmgfda32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bdkfmkdc.dll | C:\Windows\SysWOW64\Kdgljmcd.exe | N/A |
| File created | C:\Windows\SysWOW64\Kqoieqhe.dll | C:\Windows\SysWOW64\Elbmlmml.exe | N/A |
| File created | C:\Windows\SysWOW64\Mjddiqoc.dll | C:\Windows\SysWOW64\Jfcbjk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gnbinq32.dll | C:\Windows\SysWOW64\Kbhoqj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kdihjfbe.dll | C:\Windows\SysWOW64\Fcckif32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fdnjgmle.exe | C:\Windows\SysWOW64\Fbpnkama.exe | N/A |
| File created | C:\Windows\SysWOW64\Clncadfb.dll | C:\Windows\SysWOW64\Ogpmjb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lommhphi.dll | C:\Windows\SysWOW64\Bfabnjjp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bjfaeh32.exe | C:\Windows\SysWOW64\Bhhdil32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Abemjmgg.exe | C:\Windows\SysWOW64\Aaepqjpd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dccbbhld.exe | C:\Windows\SysWOW64\Dohfbj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Eaklidoi.exe | C:\Windows\SysWOW64\Echknh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Amhpcomb.dll | C:\Windows\SysWOW64\Liimncmf.exe | N/A |
| File created | C:\Windows\SysWOW64\Bdhfhe32.exe | C:\Windows\SysWOW64\Bbgipldd.exe | N/A |
| File created | C:\Windows\SysWOW64\Conclk32.exe | C:\Windows\SysWOW64\Clpgpp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ljodkeij.dll | C:\Windows\SysWOW64\Lpqiemge.exe | N/A |
| File created | C:\Windows\SysWOW64\Bfabnjjp.exe | C:\Windows\SysWOW64\Aadifclh.exe | N/A |
| File created | C:\Windows\SysWOW64\Ijhkffjm.dll | C:\Windows\SysWOW64\Conclk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ojaelm32.exe | C:\Windows\SysWOW64\Ogbipa32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pgnilpah.exe | C:\Windows\SysWOW64\Pfolbmje.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Abkjdnoa.exe | C:\Windows\SysWOW64\Agffge32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fhemmlhc.exe | C:\Windows\SysWOW64\Fkalchij.exe | N/A |
| File created | C:\Windows\SysWOW64\Mgkjhe32.exe | C:\Windows\SysWOW64\Mdmnlj32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nfjjppmm.exe | C:\Windows\SysWOW64\Nckndeni.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Chbnia32.exe | C:\Windows\SysWOW64\Cdfbibnb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fhqcam32.exe | C:\Windows\SysWOW64\Febgea32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lfhdlh32.exe | C:\Windows\SysWOW64\Lmppcbjd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mgkjhe32.exe | C:\Windows\SysWOW64\Mdmnlj32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Olfobjbg.exe | C:\Windows\SysWOW64\Ocnjidkf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Aclpap32.exe | C:\Windows\SysWOW64\Afhohlbj.exe | N/A |
| File created | C:\Windows\SysWOW64\Hfcicmqp.exe | C:\Windows\SysWOW64\Hbgmcnhf.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Dmllipeg.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Cklaknjd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Dkoggkjo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Ibnccmbo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Daaicfgd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ehimanbq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jfhlejnh.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Bdolhc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Imfdff32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gebgohck.dll" | C:\Windows\SysWOW64\Lbjlfi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlgnafam.dll" | C:\Windows\SysWOW64\Dhidjpqc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Ildkgc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Kepelfam.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Mpoefk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Oneklm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Conclk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Cdkldb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Dboigi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bhhdil32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Bhhdil32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jinpgcmg.dll" | C:\Windows\SysWOW64\Daolnf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Kefkme32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Mmbfpp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Miifeq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igjnojdk.dll" | C:\Windows\SysWOW64\Pgefeajb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbnapki.dll" | C:\Windows\SysWOW64\Pfhfan32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Cknnpm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjehk32.dll" | C:\Windows\SysWOW64\Edpnfo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Cmiflbel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmfmfg32.dll" | C:\Windows\SysWOW64\Eemnjbaj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ikbnacmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neimdg32.dll" | C:\Windows\SysWOW64\Mgddhf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll" | C:\Windows\SysWOW64\Acqimo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bcoenmao.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Cbjoljdo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Melnob32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Deanodkh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll" | C:\Windows\SysWOW64\Bjokdipf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjdlbifk.dll" | C:\Windows\SysWOW64\Jcgbco32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mdhdajea.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgmkm32.dll" | C:\Windows\SysWOW64\Nfjjppmm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cklaknjd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Dlgmpogj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgfkkboc.dll" | C:\Windows\SysWOW64\Edbklofb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ocnjidkf.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Febgea32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nghjpm32.dll" | C:\Windows\SysWOW64\Gcojed32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kbaipkbi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Bnhjohkb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll" | C:\Windows\SysWOW64\Bhhdil32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfcibe32.dll" | C:\Windows\SysWOW64\Blfdia32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Cehkhecb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ecoangbg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghkebndc.dll" | C:\Windows\SysWOW64\Gicinj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Ibqpimpl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Iemppiab.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjddiqoc.dll" | C:\Windows\SysWOW64\Jfcbjk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najmlf32.dll" | C:\Windows\SysWOW64\Odkjng32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\09b410a6ed3f36af91142aae29719a60_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Abemjmgg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Jcgbco32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpcoaap.dll" | C:\Windows\SysWOW64\Ojoign32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll" | C:\Windows\SysWOW64\Dfknkg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bhaebcen.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkomqm32.dll" | C:\Windows\SysWOW64\Gohhpe32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\09b410a6ed3f36af91142aae29719a60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\09b410a6ed3f36af91142aae29719a60_NeikiAnalytics.exe"
C:\Windows\SysWOW64\Qecppkdm.exe
C:\Windows\system32\Qecppkdm.exe
C:\Windows\SysWOW64\Qkmhlekj.exe
C:\Windows\system32\Qkmhlekj.exe
C:\Windows\SysWOW64\Qchmagie.exe
C:\Windows\system32\Qchmagie.exe
C:\Windows\SysWOW64\Agffge32.exe
C:\Windows\system32\Agffge32.exe
C:\Windows\SysWOW64\Abkjdnoa.exe
C:\Windows\system32\Abkjdnoa.exe
C:\Windows\SysWOW64\Acocaf32.exe
C:\Windows\system32\Acocaf32.exe
C:\Windows\SysWOW64\Andgoobc.exe
C:\Windows\system32\Andgoobc.exe
C:\Windows\SysWOW64\Aeopki32.exe
C:\Windows\system32\Aeopki32.exe
C:\Windows\SysWOW64\Aaepqjpd.exe
C:\Windows\system32\Aaepqjpd.exe
C:\Windows\SysWOW64\Abemjmgg.exe
C:\Windows\system32\Abemjmgg.exe
C:\Windows\SysWOW64\Bhaebcen.exe
C:\Windows\system32\Bhaebcen.exe
C:\Windows\SysWOW64\Bjpaooda.exe
C:\Windows\system32\Bjpaooda.exe
C:\Windows\SysWOW64\Bbgipldd.exe
C:\Windows\system32\Bbgipldd.exe
C:\Windows\SysWOW64\Bdhfhe32.exe
C:\Windows\system32\Bdhfhe32.exe
C:\Windows\SysWOW64\Bnnjen32.exe
C:\Windows\system32\Bnnjen32.exe
C:\Windows\SysWOW64\Bdkcmdhp.exe
C:\Windows\system32\Bdkcmdhp.exe
C:\Windows\SysWOW64\Blbknaib.exe
C:\Windows\system32\Blbknaib.exe
C:\Windows\SysWOW64\Bblckl32.exe
C:\Windows\system32\Bblckl32.exe
C:\Windows\SysWOW64\Bdmpcdfm.exe
C:\Windows\system32\Bdmpcdfm.exe
C:\Windows\SysWOW64\Bhikcb32.exe
C:\Windows\system32\Bhikcb32.exe
C:\Windows\SysWOW64\Bobcpmfc.exe
C:\Windows\system32\Bobcpmfc.exe
C:\Windows\SysWOW64\Bbnpqk32.exe
C:\Windows\system32\Bbnpqk32.exe
C:\Windows\SysWOW64\Bemlmgnp.exe
C:\Windows\system32\Bemlmgnp.exe
C:\Windows\SysWOW64\Bdolhc32.exe
C:\Windows\system32\Bdolhc32.exe
C:\Windows\SysWOW64\Blfdia32.exe
C:\Windows\system32\Blfdia32.exe
C:\Windows\SysWOW64\Bkidenlg.exe
C:\Windows\system32\Bkidenlg.exe
C:\Windows\SysWOW64\Cbqlfkmi.exe
C:\Windows\system32\Cbqlfkmi.exe
C:\Windows\SysWOW64\Ceoibflm.exe
C:\Windows\system32\Ceoibflm.exe
C:\Windows\SysWOW64\Cdainc32.exe
C:\Windows\system32\Cdainc32.exe
C:\Windows\SysWOW64\Cliaoq32.exe
C:\Windows\system32\Cliaoq32.exe
C:\Windows\SysWOW64\Cklaknjd.exe
C:\Windows\system32\Cklaknjd.exe
C:\Windows\SysWOW64\Cbcilkjg.exe
C:\Windows\system32\Cbcilkjg.exe
C:\Windows\SysWOW64\Cddecc32.exe
C:\Windows\system32\Cddecc32.exe
C:\Windows\SysWOW64\Chpada32.exe
C:\Windows\system32\Chpada32.exe
C:\Windows\SysWOW64\Cknnpm32.exe
C:\Windows\system32\Cknnpm32.exe
C:\Windows\SysWOW64\Cojjqlpk.exe
C:\Windows\system32\Cojjqlpk.exe
C:\Windows\SysWOW64\Cahfmgoo.exe
C:\Windows\system32\Cahfmgoo.exe
C:\Windows\SysWOW64\Cdfbibnb.exe
C:\Windows\system32\Cdfbibnb.exe
C:\Windows\SysWOW64\Chbnia32.exe
C:\Windows\system32\Chbnia32.exe
C:\Windows\SysWOW64\Ckpjfm32.exe
C:\Windows\system32\Ckpjfm32.exe
C:\Windows\SysWOW64\Cefoce32.exe
C:\Windows\system32\Cefoce32.exe
C:\Windows\SysWOW64\Cdiooblp.exe
C:\Windows\system32\Cdiooblp.exe
C:\Windows\SysWOW64\Clpgpp32.exe
C:\Windows\system32\Clpgpp32.exe
C:\Windows\SysWOW64\Conclk32.exe
C:\Windows\system32\Conclk32.exe
C:\Windows\SysWOW64\Cbjoljdo.exe
C:\Windows\system32\Cbjoljdo.exe
C:\Windows\SysWOW64\Cehkhecb.exe
C:\Windows\system32\Cehkhecb.exe
C:\Windows\SysWOW64\Cdkldb32.exe
C:\Windows\system32\Cdkldb32.exe
C:\Windows\SysWOW64\Chghdqbf.exe
C:\Windows\system32\Chghdqbf.exe
C:\Windows\SysWOW64\Ckedalaj.exe
C:\Windows\system32\Ckedalaj.exe
C:\Windows\SysWOW64\Doqpak32.exe
C:\Windows\system32\Doqpak32.exe
C:\Windows\SysWOW64\Dbllbibl.exe
C:\Windows\system32\Dbllbibl.exe
C:\Windows\SysWOW64\Daolnf32.exe
C:\Windows\system32\Daolnf32.exe
C:\Windows\SysWOW64\Dekhneap.exe
C:\Windows\system32\Dekhneap.exe
C:\Windows\SysWOW64\Dhidjpqc.exe
C:\Windows\system32\Dhidjpqc.exe
C:\Windows\SysWOW64\Dkgqfl32.exe
C:\Windows\system32\Dkgqfl32.exe
C:\Windows\SysWOW64\Docmgjhp.exe
C:\Windows\system32\Docmgjhp.exe
C:\Windows\SysWOW64\Dboigi32.exe
C:\Windows\system32\Dboigi32.exe
C:\Windows\SysWOW64\Daaicfgd.exe
C:\Windows\system32\Daaicfgd.exe
C:\Windows\SysWOW64\Demecd32.exe
C:\Windows\system32\Demecd32.exe
C:\Windows\SysWOW64\Dhkapp32.exe
C:\Windows\system32\Dhkapp32.exe
C:\Windows\SysWOW64\Dlgmpogj.exe
C:\Windows\system32\Dlgmpogj.exe
C:\Windows\SysWOW64\Dkjmlk32.exe
C:\Windows\system32\Dkjmlk32.exe
C:\Windows\SysWOW64\Doeiljfn.exe
C:\Windows\system32\Doeiljfn.exe
C:\Windows\SysWOW64\Dadeieea.exe
C:\Windows\system32\Dadeieea.exe
C:\Windows\SysWOW64\Deoaid32.exe
C:\Windows\system32\Deoaid32.exe
C:\Windows\SysWOW64\Dhnnep32.exe
C:\Windows\system32\Dhnnep32.exe
C:\Windows\SysWOW64\Dlijfneg.exe
C:\Windows\system32\Dlijfneg.exe
C:\Windows\SysWOW64\Dohfbj32.exe
C:\Windows\system32\Dohfbj32.exe
C:\Windows\SysWOW64\Dccbbhld.exe
C:\Windows\system32\Dccbbhld.exe
C:\Windows\SysWOW64\Dafbne32.exe
C:\Windows\system32\Dafbne32.exe
C:\Windows\SysWOW64\Deanodkh.exe
C:\Windows\system32\Deanodkh.exe
C:\Windows\SysWOW64\Dhpjkojk.exe
C:\Windows\system32\Dhpjkojk.exe
C:\Windows\SysWOW64\Dkoggkjo.exe
C:\Windows\system32\Dkoggkjo.exe
C:\Windows\SysWOW64\Dedkdcie.exe
C:\Windows\system32\Dedkdcie.exe
C:\Windows\SysWOW64\Dlncan32.exe
C:\Windows\system32\Dlncan32.exe
C:\Windows\SysWOW64\Ekacmjgl.exe
C:\Windows\system32\Ekacmjgl.exe
C:\Windows\SysWOW64\Echknh32.exe
C:\Windows\system32\Echknh32.exe
C:\Windows\SysWOW64\Eaklidoi.exe
C:\Windows\system32\Eaklidoi.exe
C:\Windows\SysWOW64\Ehedfo32.exe
C:\Windows\system32\Ehedfo32.exe
C:\Windows\SysWOW64\Elppfmoo.exe
C:\Windows\system32\Elppfmoo.exe
C:\Windows\SysWOW64\Ecjhcg32.exe
C:\Windows\system32\Ecjhcg32.exe
C:\Windows\SysWOW64\Eeidoc32.exe
C:\Windows\system32\Eeidoc32.exe
C:\Windows\SysWOW64\Edkdkplj.exe
C:\Windows\system32\Edkdkplj.exe
C:\Windows\SysWOW64\Elbmlmml.exe
C:\Windows\system32\Elbmlmml.exe
C:\Windows\SysWOW64\Eoaihhlp.exe
C:\Windows\system32\Eoaihhlp.exe
C:\Windows\SysWOW64\Ecmeig32.exe
C:\Windows\system32\Ecmeig32.exe
C:\Windows\SysWOW64\Eapedd32.exe
C:\Windows\system32\Eapedd32.exe
C:\Windows\SysWOW64\Ednaqo32.exe
C:\Windows\system32\Ednaqo32.exe
C:\Windows\SysWOW64\Ehimanbq.exe
C:\Windows\system32\Ehimanbq.exe
C:\Windows\SysWOW64\Ekhjmiad.exe
C:\Windows\system32\Ekhjmiad.exe
C:\Windows\SysWOW64\Ecoangbg.exe
C:\Windows\system32\Ecoangbg.exe
C:\Windows\SysWOW64\Eemnjbaj.exe
C:\Windows\system32\Eemnjbaj.exe
C:\Windows\SysWOW64\Edpnfo32.exe
C:\Windows\system32\Edpnfo32.exe
C:\Windows\SysWOW64\Ehljfnpn.exe
C:\Windows\system32\Ehljfnpn.exe
C:\Windows\SysWOW64\Eofbch32.exe
C:\Windows\system32\Eofbch32.exe
C:\Windows\SysWOW64\Eadopc32.exe
C:\Windows\system32\Eadopc32.exe
C:\Windows\SysWOW64\Edbklofb.exe
C:\Windows\system32\Edbklofb.exe
C:\Windows\SysWOW64\Ehnglm32.exe
C:\Windows\system32\Ehnglm32.exe
C:\Windows\SysWOW64\Fkmchi32.exe
C:\Windows\system32\Fkmchi32.exe
C:\Windows\SysWOW64\Fcckif32.exe
C:\Windows\system32\Fcckif32.exe
C:\Windows\SysWOW64\Fafkecel.exe
C:\Windows\system32\Fafkecel.exe
C:\Windows\SysWOW64\Febgea32.exe
C:\Windows\system32\Febgea32.exe
C:\Windows\SysWOW64\Fhqcam32.exe
C:\Windows\system32\Fhqcam32.exe
C:\Windows\SysWOW64\Fllpbldb.exe
C:\Windows\system32\Fllpbldb.exe
C:\Windows\SysWOW64\Fojlngce.exe
C:\Windows\system32\Fojlngce.exe
C:\Windows\SysWOW64\Fdgdgnbm.exe
C:\Windows\system32\Fdgdgnbm.exe
C:\Windows\SysWOW64\Fhcpgmjf.exe
C:\Windows\system32\Fhcpgmjf.exe
C:\Windows\SysWOW64\Fkalchij.exe
C:\Windows\system32\Fkalchij.exe
C:\Windows\SysWOW64\Fhemmlhc.exe
C:\Windows\system32\Fhemmlhc.exe
C:\Windows\SysWOW64\Fckajehi.exe
C:\Windows\system32\Fckajehi.exe
C:\Windows\SysWOW64\Ffimfqgm.exe
C:\Windows\system32\Ffimfqgm.exe
C:\Windows\SysWOW64\Fhgjblfq.exe
C:\Windows\system32\Fhgjblfq.exe
C:\Windows\SysWOW64\Flceckoj.exe
C:\Windows\system32\Flceckoj.exe
C:\Windows\SysWOW64\Foabofnn.exe
C:\Windows\system32\Foabofnn.exe
C:\Windows\SysWOW64\Fbpnkama.exe
C:\Windows\system32\Fbpnkama.exe
C:\Windows\SysWOW64\Fdnjgmle.exe
C:\Windows\system32\Fdnjgmle.exe
C:\Windows\SysWOW64\Glebhjlg.exe
C:\Windows\system32\Glebhjlg.exe
C:\Windows\SysWOW64\Gkhbdg32.exe
C:\Windows\system32\Gkhbdg32.exe
C:\Windows\SysWOW64\Gcojed32.exe
C:\Windows\system32\Gcojed32.exe
C:\Windows\SysWOW64\Gbbkaako.exe
C:\Windows\system32\Gbbkaako.exe
C:\Windows\SysWOW64\Gdqgmmjb.exe
C:\Windows\system32\Gdqgmmjb.exe
C:\Windows\SysWOW64\Gkkojgao.exe
C:\Windows\system32\Gkkojgao.exe
C:\Windows\SysWOW64\Gbdgfa32.exe
C:\Windows\system32\Gbdgfa32.exe
C:\Windows\SysWOW64\Gdcdbl32.exe
C:\Windows\system32\Gdcdbl32.exe
C:\Windows\SysWOW64\Gmjlcj32.exe
C:\Windows\system32\Gmjlcj32.exe
C:\Windows\SysWOW64\Gohhpe32.exe
C:\Windows\system32\Gohhpe32.exe
C:\Windows\SysWOW64\Gfbploob.exe
C:\Windows\system32\Gfbploob.exe
C:\Windows\SysWOW64\Ghaliknf.exe
C:\Windows\system32\Ghaliknf.exe
C:\Windows\SysWOW64\Gokdeeec.exe
C:\Windows\system32\Gokdeeec.exe
C:\Windows\SysWOW64\Gfembo32.exe
C:\Windows\system32\Gfembo32.exe
C:\Windows\SysWOW64\Gicinj32.exe
C:\Windows\system32\Gicinj32.exe
C:\Windows\SysWOW64\Heapdjlp.exe
C:\Windows\system32\Heapdjlp.exe
C:\Windows\SysWOW64\Hmhhehlb.exe
C:\Windows\system32\Hmhhehlb.exe
C:\Windows\SysWOW64\Hcbpab32.exe
C:\Windows\system32\Hcbpab32.exe
C:\Windows\SysWOW64\Hfqlnm32.exe
C:\Windows\system32\Hfqlnm32.exe
C:\Windows\SysWOW64\Hmjdjgjo.exe
C:\Windows\system32\Hmjdjgjo.exe
C:\Windows\SysWOW64\Hoiafcic.exe
C:\Windows\system32\Hoiafcic.exe
C:\Windows\SysWOW64\Hbgmcnhf.exe
C:\Windows\system32\Hbgmcnhf.exe
C:\Windows\SysWOW64\Hfcicmqp.exe
C:\Windows\system32\Hfcicmqp.exe
C:\Windows\SysWOW64\Iiaephpc.exe
C:\Windows\system32\Iiaephpc.exe
C:\Windows\SysWOW64\Icgjmapi.exe
C:\Windows\system32\Icgjmapi.exe
C:\Windows\SysWOW64\Ibjjhn32.exe
C:\Windows\system32\Ibjjhn32.exe
C:\Windows\SysWOW64\Iicbehnq.exe
C:\Windows\system32\Iicbehnq.exe
C:\Windows\SysWOW64\Ikbnacmd.exe
C:\Windows\system32\Ikbnacmd.exe
C:\Windows\SysWOW64\Icifbang.exe
C:\Windows\system32\Icifbang.exe
C:\Windows\SysWOW64\Iejcji32.exe
C:\Windows\system32\Iejcji32.exe
C:\Windows\SysWOW64\Ildkgc32.exe
C:\Windows\system32\Ildkgc32.exe
C:\Windows\SysWOW64\Ickchq32.exe
C:\Windows\system32\Ickchq32.exe
C:\Windows\SysWOW64\Ibnccmbo.exe
C:\Windows\system32\Ibnccmbo.exe
C:\Windows\SysWOW64\Iemppiab.exe
C:\Windows\system32\Iemppiab.exe
C:\Windows\SysWOW64\Imdgqfbd.exe
C:\Windows\system32\Imdgqfbd.exe
C:\Windows\SysWOW64\Ipbdmaah.exe
C:\Windows\system32\Ipbdmaah.exe
C:\Windows\SysWOW64\Ibqpimpl.exe
C:\Windows\system32\Ibqpimpl.exe
C:\Windows\SysWOW64\Ieolehop.exe
C:\Windows\system32\Ieolehop.exe
C:\Windows\SysWOW64\Imfdff32.exe
C:\Windows\system32\Imfdff32.exe
C:\Windows\SysWOW64\Ipdqba32.exe
C:\Windows\system32\Ipdqba32.exe
C:\Windows\SysWOW64\Ibcmom32.exe
C:\Windows\system32\Ibcmom32.exe
C:\Windows\SysWOW64\Jfoiokfb.exe
C:\Windows\system32\Jfoiokfb.exe
C:\Windows\SysWOW64\Jmhale32.exe
C:\Windows\system32\Jmhale32.exe
C:\Windows\SysWOW64\Jpgmha32.exe
C:\Windows\system32\Jpgmha32.exe
C:\Windows\SysWOW64\Jbeidl32.exe
C:\Windows\system32\Jbeidl32.exe
C:\Windows\SysWOW64\Jioaqfcc.exe
C:\Windows\system32\Jioaqfcc.exe
C:\Windows\SysWOW64\Jlnnmb32.exe
C:\Windows\system32\Jlnnmb32.exe
C:\Windows\SysWOW64\Jcefno32.exe
C:\Windows\system32\Jcefno32.exe
C:\Windows\SysWOW64\Jfcbjk32.exe
C:\Windows\system32\Jfcbjk32.exe
C:\Windows\SysWOW64\Jianff32.exe
C:\Windows\system32\Jianff32.exe
C:\Windows\SysWOW64\Jlpkba32.exe
C:\Windows\system32\Jlpkba32.exe
C:\Windows\SysWOW64\Jcgbco32.exe
C:\Windows\system32\Jcgbco32.exe
C:\Windows\SysWOW64\Jfeopj32.exe
C:\Windows\system32\Jfeopj32.exe
C:\Windows\SysWOW64\Jidklf32.exe
C:\Windows\system32\Jidklf32.exe
C:\Windows\SysWOW64\Jpnchp32.exe
C:\Windows\system32\Jpnchp32.exe
C:\Windows\SysWOW64\Jcioiood.exe
C:\Windows\system32\Jcioiood.exe
C:\Windows\SysWOW64\Jfhlejnh.exe
C:\Windows\system32\Jfhlejnh.exe
C:\Windows\SysWOW64\Jifhaenk.exe
C:\Windows\system32\Jifhaenk.exe
C:\Windows\SysWOW64\Jlednamo.exe
C:\Windows\system32\Jlednamo.exe
C:\Windows\SysWOW64\Kboljk32.exe
C:\Windows\system32\Kboljk32.exe
C:\Windows\SysWOW64\Kiidgeki.exe
C:\Windows\system32\Kiidgeki.exe
C:\Windows\SysWOW64\Kpbmco32.exe
C:\Windows\system32\Kpbmco32.exe
C:\Windows\SysWOW64\Kbaipkbi.exe
C:\Windows\system32\Kbaipkbi.exe
C:\Windows\SysWOW64\Kepelfam.exe
C:\Windows\system32\Kepelfam.exe
C:\Windows\SysWOW64\Kdqejn32.exe
C:\Windows\system32\Kdqejn32.exe
C:\Windows\SysWOW64\Kbceejpf.exe
C:\Windows\system32\Kbceejpf.exe
C:\Windows\SysWOW64\Kpgfooop.exe
C:\Windows\system32\Kpgfooop.exe
C:\Windows\SysWOW64\Kipkhdeq.exe
C:\Windows\system32\Kipkhdeq.exe
C:\Windows\SysWOW64\Kpjcdn32.exe
C:\Windows\system32\Kpjcdn32.exe
C:\Windows\SysWOW64\Kbhoqj32.exe
C:\Windows\system32\Kbhoqj32.exe
C:\Windows\SysWOW64\Kefkme32.exe
C:\Windows\system32\Kefkme32.exe
C:\Windows\SysWOW64\Kibgmdcn.exe
C:\Windows\system32\Kibgmdcn.exe
C:\Windows\SysWOW64\Klqcioba.exe
C:\Windows\system32\Klqcioba.exe
C:\Windows\SysWOW64\Kdgljmcd.exe
C:\Windows\system32\Kdgljmcd.exe
C:\Windows\SysWOW64\Lbjlfi32.exe
C:\Windows\system32\Lbjlfi32.exe
C:\Windows\SysWOW64\Lmppcbjd.exe
C:\Windows\system32\Lmppcbjd.exe
C:\Windows\SysWOW64\Lfhdlh32.exe
C:\Windows\system32\Lfhdlh32.exe
C:\Windows\SysWOW64\Lekehdgp.exe
C:\Windows\system32\Lekehdgp.exe
C:\Windows\SysWOW64\Lmbmibhb.exe
C:\Windows\system32\Lmbmibhb.exe
C:\Windows\SysWOW64\Lpqiemge.exe
C:\Windows\system32\Lpqiemge.exe
C:\Windows\SysWOW64\Lfkaag32.exe
C:\Windows\system32\Lfkaag32.exe
C:\Windows\SysWOW64\Liimncmf.exe
C:\Windows\system32\Liimncmf.exe
C:\Windows\SysWOW64\Lpcfkm32.exe
C:\Windows\system32\Lpcfkm32.exe
C:\Windows\SysWOW64\Lgmngglp.exe
C:\Windows\system32\Lgmngglp.exe
C:\Windows\SysWOW64\Lmgfda32.exe
C:\Windows\system32\Lmgfda32.exe
C:\Windows\SysWOW64\Ldanqkki.exe
C:\Windows\system32\Ldanqkki.exe
C:\Windows\SysWOW64\Lgokmgjm.exe
C:\Windows\system32\Lgokmgjm.exe
C:\Windows\SysWOW64\Lingibiq.exe
C:\Windows\system32\Lingibiq.exe
C:\Windows\SysWOW64\Lllcen32.exe
C:\Windows\system32\Lllcen32.exe
C:\Windows\SysWOW64\Mdckfk32.exe
C:\Windows\system32\Mdckfk32.exe
C:\Windows\SysWOW64\Mgagbf32.exe
C:\Windows\system32\Mgagbf32.exe
C:\Windows\SysWOW64\Medgncoe.exe
C:\Windows\system32\Medgncoe.exe
C:\Windows\SysWOW64\Mdehlk32.exe
C:\Windows\system32\Mdehlk32.exe
C:\Windows\SysWOW64\Mgddhf32.exe
C:\Windows\system32\Mgddhf32.exe
C:\Windows\SysWOW64\Mibpda32.exe
C:\Windows\system32\Mibpda32.exe
C:\Windows\SysWOW64\Mlampmdo.exe
C:\Windows\system32\Mlampmdo.exe
C:\Windows\SysWOW64\Mdhdajea.exe
C:\Windows\system32\Mdhdajea.exe
C:\Windows\SysWOW64\Meiaib32.exe
C:\Windows\system32\Meiaib32.exe
C:\Windows\SysWOW64\Mmpijp32.exe
C:\Windows\system32\Mmpijp32.exe
C:\Windows\SysWOW64\Mpoefk32.exe
C:\Windows\system32\Mpoefk32.exe
C:\Windows\SysWOW64\Mcmabg32.exe
C:\Windows\system32\Mcmabg32.exe
C:\Windows\SysWOW64\Melnob32.exe
C:\Windows\system32\Melnob32.exe
C:\Windows\SysWOW64\Mmbfpp32.exe
C:\Windows\system32\Mmbfpp32.exe
C:\Windows\SysWOW64\Mlefklpj.exe
C:\Windows\system32\Mlefklpj.exe
C:\Windows\SysWOW64\Mdmnlj32.exe
C:\Windows\system32\Mdmnlj32.exe
C:\Windows\SysWOW64\Mgkjhe32.exe
C:\Windows\system32\Mgkjhe32.exe
C:\Windows\SysWOW64\Miifeq32.exe
C:\Windows\system32\Miifeq32.exe
C:\Windows\SysWOW64\Mlhbal32.exe
C:\Windows\system32\Mlhbal32.exe
C:\Windows\SysWOW64\Ndokbi32.exe
C:\Windows\system32\Ndokbi32.exe
C:\Windows\SysWOW64\Ncbknfed.exe
C:\Windows\system32\Ncbknfed.exe
C:\Windows\SysWOW64\Nilcjp32.exe
C:\Windows\system32\Nilcjp32.exe
C:\Windows\SysWOW64\Nljofl32.exe
C:\Windows\system32\Nljofl32.exe
C:\Windows\SysWOW64\Ndaggimg.exe
C:\Windows\system32\Ndaggimg.exe
C:\Windows\SysWOW64\Ngpccdlj.exe
C:\Windows\system32\Ngpccdlj.exe
C:\Windows\SysWOW64\Njnpppkn.exe
C:\Windows\system32\Njnpppkn.exe
C:\Windows\SysWOW64\Ncfdie32.exe
C:\Windows\system32\Ncfdie32.exe
C:\Windows\SysWOW64\Ngbpidjh.exe
C:\Windows\system32\Ngbpidjh.exe
C:\Windows\SysWOW64\Nnlhfn32.exe
C:\Windows\system32\Nnlhfn32.exe
C:\Windows\SysWOW64\Ndfqbhia.exe
C:\Windows\system32\Ndfqbhia.exe
C:\Windows\SysWOW64\Njciko32.exe
C:\Windows\system32\Njciko32.exe
C:\Windows\SysWOW64\Nlaegk32.exe
C:\Windows\system32\Nlaegk32.exe
C:\Windows\SysWOW64\Nckndeni.exe
C:\Windows\system32\Nckndeni.exe
C:\Windows\SysWOW64\Nfjjppmm.exe
C:\Windows\system32\Nfjjppmm.exe
C:\Windows\SysWOW64\Odkjng32.exe
C:\Windows\system32\Odkjng32.exe
C:\Windows\SysWOW64\Ocnjidkf.exe
C:\Windows\system32\Ocnjidkf.exe
C:\Windows\SysWOW64\Olfobjbg.exe
C:\Windows\system32\Olfobjbg.exe
C:\Windows\SysWOW64\Oneklm32.exe
C:\Windows\system32\Oneklm32.exe
C:\Windows\SysWOW64\Ojllan32.exe
C:\Windows\system32\Ojllan32.exe
C:\Windows\SysWOW64\Odapnf32.exe
C:\Windows\system32\Odapnf32.exe
C:\Windows\SysWOW64\Ogpmjb32.exe
C:\Windows\system32\Ogpmjb32.exe
C:\Windows\SysWOW64\Ojoign32.exe
C:\Windows\system32\Ojoign32.exe
C:\Windows\SysWOW64\Oqhacgdh.exe
C:\Windows\system32\Oqhacgdh.exe
C:\Windows\SysWOW64\Ogbipa32.exe
C:\Windows\system32\Ogbipa32.exe
C:\Windows\SysWOW64\Ojaelm32.exe
C:\Windows\system32\Ojaelm32.exe
C:\Windows\SysWOW64\Pdfjifjo.exe
C:\Windows\system32\Pdfjifjo.exe
C:\Windows\SysWOW64\Pgefeajb.exe
C:\Windows\system32\Pgefeajb.exe
C:\Windows\SysWOW64\Pfhfan32.exe
C:\Windows\system32\Pfhfan32.exe
C:\Windows\SysWOW64\Pnonbk32.exe
C:\Windows\system32\Pnonbk32.exe
C:\Windows\SysWOW64\Pfjcgn32.exe
C:\Windows\system32\Pfjcgn32.exe
C:\Windows\SysWOW64\Pqpgdfnp.exe
C:\Windows\system32\Pqpgdfnp.exe
C:\Windows\SysWOW64\Pmfhig32.exe
C:\Windows\system32\Pmfhig32.exe
C:\Windows\SysWOW64\Pqbdjfln.exe
C:\Windows\system32\Pqbdjfln.exe
C:\Windows\SysWOW64\Pfolbmje.exe
C:\Windows\system32\Pfolbmje.exe
C:\Windows\SysWOW64\Pgnilpah.exe
C:\Windows\system32\Pgnilpah.exe
C:\Windows\SysWOW64\Qmkadgpo.exe
C:\Windows\system32\Qmkadgpo.exe
C:\Windows\SysWOW64\Qjoankoi.exe
C:\Windows\system32\Qjoankoi.exe
C:\Windows\SysWOW64\Qcgffqei.exe
C:\Windows\system32\Qcgffqei.exe
C:\Windows\SysWOW64\Adgbpc32.exe
C:\Windows\system32\Adgbpc32.exe
C:\Windows\SysWOW64\Afhohlbj.exe
C:\Windows\system32\Afhohlbj.exe
C:\Windows\SysWOW64\Aclpap32.exe
C:\Windows\system32\Aclpap32.exe
C:\Windows\SysWOW64\Ajfhnjhq.exe
C:\Windows\system32\Ajfhnjhq.exe
C:\Windows\SysWOW64\Acnlgp32.exe
C:\Windows\system32\Acnlgp32.exe
C:\Windows\SysWOW64\Andqdh32.exe
C:\Windows\system32\Andqdh32.exe
C:\Windows\SysWOW64\Acqimo32.exe
C:\Windows\system32\Acqimo32.exe
C:\Windows\SysWOW64\Afoeiklb.exe
C:\Windows\system32\Afoeiklb.exe
C:\Windows\SysWOW64\Aminee32.exe
C:\Windows\system32\Aminee32.exe
C:\Windows\SysWOW64\Aadifclh.exe
C:\Windows\system32\Aadifclh.exe
C:\Windows\SysWOW64\Bfabnjjp.exe
C:\Windows\system32\Bfabnjjp.exe
C:\Windows\SysWOW64\Bnhjohkb.exe
C:\Windows\system32\Bnhjohkb.exe
C:\Windows\SysWOW64\Bagflcje.exe
C:\Windows\system32\Bagflcje.exe
C:\Windows\SysWOW64\Bganhm32.exe
C:\Windows\system32\Bganhm32.exe
C:\Windows\SysWOW64\Bjokdipf.exe
C:\Windows\system32\Bjokdipf.exe
C:\Windows\SysWOW64\Bgcknmop.exe
C:\Windows\system32\Bgcknmop.exe
C:\Windows\SysWOW64\Bjagjhnc.exe
C:\Windows\system32\Bjagjhnc.exe
C:\Windows\SysWOW64\Bmpcfdmg.exe
C:\Windows\system32\Bmpcfdmg.exe
C:\Windows\SysWOW64\Balpgb32.exe
C:\Windows\system32\Balpgb32.exe
C:\Windows\SysWOW64\Bgehcmmm.exe
C:\Windows\system32\Bgehcmmm.exe
C:\Windows\SysWOW64\Bnpppgdj.exe
C:\Windows\system32\Bnpppgdj.exe
C:\Windows\SysWOW64\Beihma32.exe
C:\Windows\system32\Beihma32.exe
C:\Windows\SysWOW64\Bhhdil32.exe
C:\Windows\system32\Bhhdil32.exe
C:\Windows\SysWOW64\Bjfaeh32.exe
C:\Windows\system32\Bjfaeh32.exe
C:\Windows\SysWOW64\Bapiabak.exe
C:\Windows\system32\Bapiabak.exe
C:\Windows\SysWOW64\Bcoenmao.exe
C:\Windows\system32\Bcoenmao.exe
C:\Windows\SysWOW64\Cjinkg32.exe
C:\Windows\system32\Cjinkg32.exe
C:\Windows\SysWOW64\Cfpnph32.exe
C:\Windows\system32\Cfpnph32.exe
C:\Windows\SysWOW64\Cmiflbel.exe
C:\Windows\system32\Cmiflbel.exe
C:\Windows\SysWOW64\Cdcoim32.exe
C:\Windows\system32\Cdcoim32.exe
C:\Windows\SysWOW64\Ceckcp32.exe
C:\Windows\system32\Ceckcp32.exe
C:\Windows\SysWOW64\Cdhhdlid.exe
C:\Windows\system32\Cdhhdlid.exe
C:\Windows\SysWOW64\Cjbpaf32.exe
C:\Windows\system32\Cjbpaf32.exe
C:\Windows\SysWOW64\Cmqmma32.exe
C:\Windows\system32\Cmqmma32.exe
C:\Windows\SysWOW64\Dfknkg32.exe
C:\Windows\system32\Dfknkg32.exe
C:\Windows\SysWOW64\Dhkjej32.exe
C:\Windows\system32\Dhkjej32.exe
C:\Windows\SysWOW64\Dhmgki32.exe
C:\Windows\system32\Dhmgki32.exe
C:\Windows\SysWOW64\Dmjocp32.exe
C:\Windows\system32\Dmjocp32.exe
C:\Windows\SysWOW64\Dknpmdfc.exe
C:\Windows\system32\Dknpmdfc.exe
C:\Windows\SysWOW64\Dmllipeg.exe
C:\Windows\system32\Dmllipeg.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 8436 -ip 8436
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8436 -s 416
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.73.42.20.in-addr.arpa | udp |
Files
memory/552-0-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Qecppkdm.exe
| MD5 | 9c97369dcb521801354a652253ed3e6a |
| SHA1 | 5f320cd1aec0b8646b8627083e99a6ebc30ea190 |
| SHA256 | 89a9173ba6f4ded23b417d5ad923ce554611e083ff353a35d72fd5ee13359aa8 |
| SHA512 | 5cc562a3c32525f504638b5e82f906eda750c897f8af8ebf3d07cb2dff99ad1271640ddfe457511fbcf140c4f0153bf7d9787455997b237f2c20b63f7fe306cb |
memory/4668-8-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Qkmhlekj.exe
| MD5 | 455b3f0581d07b9ed7feab4659aa2e10 |
| SHA1 | 7b8a07e82b94ea97bfe672de5cfffb34583985cb |
| SHA256 | 6e4e17dcb0c64aaa2a453e58d7581a63f71037cb98557a80a47f1a09075fc202 |
| SHA512 | 9647cca7d0def080b7972931a5f1e163d717ed2b156a0fe74f426c02bd77c077b8f374882cd2a23608224ee5a3c2029d5742583c38a79e684b40beb8df75e11f |
memory/1136-16-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Qchmagie.exe
| MD5 | 50a4392160986b3bdf73413cb10e850b |
| SHA1 | 5078d8b37311765cc3bfbdd5c9cedfd1e90b1f54 |
| SHA256 | b077221f9f2fd9a7c775fd9bd370303148dc303b95b0850b6ceecd19004b853d |
| SHA512 | d196561959b457d7a8d50aefeaeb8f9a8b8d0ed71a99e3735ba79e8dee3c704bb78dd41bda77b49bb5c98ad6f3e11de2c558bfae1cc4c769ca2b063101ae7167 |
memory/3188-24-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Agffge32.exe
| MD5 | 86905872ec2bb49e145288bc6344db6e |
| SHA1 | a5dc05c5fa5aabf3e10824bb2e7de80c07aa7af3 |
| SHA256 | c52a6df188a9457fdd3f43c70f20612dc0e201b9f1c03b54063bad1eb3126800 |
| SHA512 | c964b85818e8396721b5ff9d23a0b08766e539980d1cede733c79eef681267414e6a4cdfbe4346abaaf3e6fa6e401439973d9084e49bf696131e94649ee6af8c |
C:\Windows\SysWOW64\Lcfcfldc.dll
| MD5 | 9156bbdda940612cbdc02abcb44fbb41 |
| SHA1 | 6a5b2d4628623f9536bac3eb32bcd8df26336e84 |
| SHA256 | 32a2f6674a2122d1fe8ba6b6158f7b86416a9269b97e1e600ae1ff9efa31bef1 |
| SHA512 | 17b111be3cb5ea93b54dd09b491db2cd471e836d52c13ff64a305fec9fe2a9c266eecc0a389bc3467d28a79497ce9809f3e3b5c466604d30f67044e197c5cba6 |
memory/456-32-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Abkjdnoa.exe
| MD5 | 2aea34b38099547d074b83f8400e44a4 |
| SHA1 | c0dd4b1ad7c773c9678d6e0cc9a794c771dbf40f |
| SHA256 | b461452179fda9b7b58f178772b3d26e1006df782e8961fe612771fe8233b2a8 |
| SHA512 | 51974de6fd4a58729b8b461feb419a63a9ac0e10e6ec4ad880b59b733e0d9d28370d874e09bb9fc736978ea53c48424d7ee6e5ea14cb5d80b8ebfd2a56b3f67a |
memory/2920-40-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Acocaf32.exe
| MD5 | 1b2d8ccce3e25bc2d5e297f7fda823c8 |
| SHA1 | ac44e37fb4d680f244bba5761fc066a4a1cf1799 |
| SHA256 | b15d38545560f055b1b1cecee98cc74a0cb75640fa80a9da0d43f773e4b4e8f7 |
| SHA512 | f84e7f64b13a13977fbf570fbd3d1f30893a29a73dee81e3b2c3e95e05991854a42e255c4d549f9692befcc3c21064754e9e2777567690b065ce617a0bc91c9f |
memory/3172-47-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Andgoobc.exe
| MD5 | dee962545afdbd3c811ae601481f3ff4 |
| SHA1 | 8e7874bbb44f01ad6f4e831832230123d1fc69a9 |
| SHA256 | 024692ef75bb8b99d105e3befed39261feb8c6c14b536b1258ec9f43486c565f |
| SHA512 | 9b151abb5d242041ccd6af5b4cf9c661139b6674d2c9dbeb9e2a1e2927f1f282b1f9dfd03f42686529103b8935a566d406238dfbf51a52e4430162acf1526b24 |
memory/4840-60-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Aeopki32.exe
| MD5 | 843be66e8901e62ba4a4bcbd54470774 |
| SHA1 | 13f0b1b49fd35168d45bf27793b5b587f45bf5ef |
| SHA256 | f89d10e22766729579068f4f23bae3bbd7cf5bfde3356205fc925e83e88b2569 |
| SHA512 | 429e27ce399783b2c752f6735603bbd81ba396d1fccabe9c9ad7ca7e397044bf730941b72a613c8755153be3f330f726702b7891b69d3b5f24b211a7af9017c0 |
memory/4844-64-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Aaepqjpd.exe
| MD5 | b825c4865148643b04e60ad028a6ecfd |
| SHA1 | 1ff58f4a5b8ec5d11010108d3a523dd83db6852c |
| SHA256 | d020c703d8fd5f22cbbab08c0a61a3e4747cd0ec913dc6752becb0a764ec0fca |
| SHA512 | 40522ab93d93b9abc947117bc5bf0ceb06b830af1c5f84057f7860779da1f8c0429c6a1bdabc49a0bb89e78618e3fe9baf8da7f20048b4de0653cf737ee7ac96 |
memory/4108-71-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Abemjmgg.exe
| MD5 | f217d4cd67e532ac49c2d3ffbdc34f14 |
| SHA1 | 14a3b2d576b01d118c473220df8ffe076b9047e8 |
| SHA256 | 82ace6c0fe46052861175c4b3aa45fb91718d243e71fdc163a8aa3d41ad4a692 |
| SHA512 | 6f62ccd7cc7ea164ef6467fc652cc2157adc3ab23983251c57d53152fa0e188a8131e89818770f5edf10c5dd1dc401b7e56337c584969da375ac1d049182744c |
memory/1840-80-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Bhaebcen.exe
| MD5 | 6eb49c89a7079f67ea6154fce9731ef7 |
| SHA1 | 164f48990441446194c5f54e0a99d34916b9e5d0 |
| SHA256 | 535f9dba59b1545e026c0b79b10e62520fcd07f95e67e1a71abb9a1b8aae7806 |
| SHA512 | e9ee3c3a3c7bad8aaa654839c4ace09290c7e6a13a6def71417f700d6328b4d70b765ce347f2fdb864dd67c1b351f4dc10742ef7cc3a467af646acece3a14060 |
memory/4416-92-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Bjpaooda.exe
| MD5 | 567105d323ddf99ad7fe82232a44346d |
| SHA1 | 53c48ad4180d38c54e1d0aca41df370e0da23f4d |
| SHA256 | 1f18062ce27a83909b1de4c4c70fd23aba0706f9302d506d3e70a826cdc98cb0 |
| SHA512 | b90c76ed58af1f6d8665c8bfac109db3791c668ab3a808ebc96ff2fdfd03b0f2928916ffb59c9628d46947c9955ecbdf9e7e6fcff16d93e311e70c8de28850c4 |
memory/2964-99-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Bbgipldd.exe
| MD5 | 162cf0c918c352a4ec054e0d40c3d223 |
| SHA1 | 084151b34bed30aca3029cca1d575f2874b06430 |
| SHA256 | b72fa705a03e53570c31b1258855084889695f9293b4c25a99ed2b6e63503deb |
| SHA512 | 35cfe3078f40c32f48f549e7f35e5d8b12c6a4b86765360596b61c7839ee597f736c59c9237d8f128119982b2448c738433ad21163f4d356bbe056e5818ec7ff |
C:\Windows\SysWOW64\Bdhfhe32.exe
| MD5 | 306f335872c642f30185ccaefd49254c |
| SHA1 | c787f842b3ad5c326a3435810fae483fde01f230 |
| SHA256 | 2bbda22ee0d5e3da3ec6af0145f6686c911e49488af28fc7b1fcc1e821b353bc |
| SHA512 | b1e5facc485f3f4b96c66ac31f82ad794d702cac7c6a804fc57b04c23405c029bc71b041a79cd968eb96a96e57f9269d5452a49060c98c9a60cf735d4e349077 |
memory/3204-116-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Bnnjen32.exe
| MD5 | 3906faca4a56a1e9ac47a2517ee8edb6 |
| SHA1 | 19e797fc964e4fdc0f446ffd494f7b97762245ed |
| SHA256 | e066495fdbf9a741dcedbabaf933f05862b97ad65f465e067b90a997376d90aa |
| SHA512 | ecccafa4ee87aa043c13fcdf765fd7cc508a6d70ad18f03694db8cc4981f7d7e3952da363796a4e466a5ac6a9410504b9fc8794453052e95579edaaccf1e8c01 |
C:\Windows\SysWOW64\Bdkcmdhp.exe
| MD5 | 971f6615743ab4c1ae96ad6fcd1e39c2 |
| SHA1 | 5e2a8e5129ac148f58357e08b9cf717d3e5ced9b |
| SHA256 | 61c580a3e95bef8c76573bad002647785902666367d322adc24e92a564afff7e |
| SHA512 | eed38833875336deae658ded81819b89f33ecfcae0abb8adc2c693f929c3a712edcda3670dcfac633f2bff003ee1fdeeaab8591a98630979369e2a009ccf0595 |
C:\Windows\SysWOW64\Bblckl32.exe
| MD5 | 55f7acf0489953fdc35a33e9a4e1ad15 |
| SHA1 | e99816dd0f6980c40c6df9c8933fab215d584125 |
| SHA256 | be18c573bddc85e1f51df4c9a34e79875976e707075875f6d798bad3ffc68101 |
| SHA512 | d3a9d18bd9b2e7e16e289119fad3725cdbae1fae192f222d8027dbafa3a47c6033825002694cd7a497fc5d5195a550a7d08b6c7a8e5f0cd0c4479d3b31d0fa1a |
C:\Windows\SysWOW64\Bhikcb32.exe
| MD5 | 7187daaf89547feb0008ae80ef585345 |
| SHA1 | 462046a1aecd966198a3cbf81fe4577f0caec1cd |
| SHA256 | 3bbe725e4b508932ce2fb29f338b2904ab3a83adaf281920db2052a0a189f711 |
| SHA512 | 8c45b763ed626d1787e7a4444c9186b5bc3745d1656a0ecd06cc43d1b0ddb86a2f14de4970cf14cfee55b17c652bb1d8018ec323bd778dc9c8bf3e727c079a41 |
C:\Windows\SysWOW64\Bemlmgnp.exe
| MD5 | 358f71f7f7a20f8bc2a826fff04aebb6 |
| SHA1 | cf4bb14b9a3e3fea6bbbeb1b92808f7749407a28 |
| SHA256 | 53af0e028b472917a771f70536d9272db922329cfdb4c560df759d7f85dfdf40 |
| SHA512 | 3bfd8a48de94a1312b6fb58fc21ad0f1c9ed83efc45a642f5b27765455194ae5109eada510dd8691de99973907f8cb1b1442036826ae8eb53476f363312e03e6 |
C:\Windows\SysWOW64\Blfdia32.exe
| MD5 | 00f30061ea75a84fa025536fa39efa0e |
| SHA1 | e8d227269d6410de1f395dc0e464db4410d79a0a |
| SHA256 | 3ca95fb5019049bef58b037d1f785309c36568999476bbe4d42a19f4acd3202e |
| SHA512 | 23222a3d4271efbb000054d86a330eb49f4936065e1f5f0f911f260e0945ba3db05f778367c5fb83c519da257f121df7f9a08009bd53f9b28387a3e8d81b395f |
C:\Windows\SysWOW64\Cbqlfkmi.exe
| MD5 | 4b7d7c2c0e879c6f958bc289cc0c8586 |
| SHA1 | 1e95e20888c32b39a6040cfbe68ccd78decdc097 |
| SHA256 | ec3dae84ee4098c454fa2a54c7513d308f207cb61a119bf72c059ca7306b7ad9 |
| SHA512 | c144c893095253a874a204082dd096d6ebc88aeab2def09bebefc3afd40b96c4629d6dbde46ea811099867d9e12e719e53c541194c41976491d2770a082b7256 |
C:\Windows\SysWOW64\Cliaoq32.exe
| MD5 | 6e7f5aadf2135e7b6c72490e60f8ec71 |
| SHA1 | 02ac01c8a151136ffb72a1913d75bd7648dae43e |
| SHA256 | 2a0112aa338314ff9ee714909a0ed5ac0d7e8d39d2d9927c7c1592c5e264be5f |
| SHA512 | 60e4e726ffca550b0a2046638c4dd28e03c3f44ad0a98dedfdf8200337b998fd703b870c6c68f0f0ba96851acf610a4eb614cfc86717ee849c1967f6bb9e8aa2 |
C:\Windows\SysWOW64\Cbcilkjg.exe
| MD5 | 6a92336c564de2dd06dbfa183ab88d65 |
| SHA1 | 964759985dd8193ed6f5cdfb537a6a6a27dad8d3 |
| SHA256 | 066f4f0b0756d55b04ec1050f89f95dbb4cdc55a37f1e0e5c321948c3dc9f9b7 |
| SHA512 | 31996655afdb80e9d85ac1c37436db5fa614f3f0a111c6b5e23fcd99ddc13cf69c5066cbc319652745610303b856ebf0be75ee9b035c3c759404b25128f84e8f |
memory/3532-435-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2480-458-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2308-462-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2472-495-0x0000000000400000-0x0000000000434000-memory.dmp
memory/5180-689-0x0000000000400000-0x0000000000434000-memory.dmp
memory/5540-699-0x0000000000400000-0x0000000000434000-memory.dmp
memory/5508-698-0x0000000000400000-0x0000000000434000-memory.dmp
memory/5464-697-0x0000000000400000-0x0000000000434000-memory.dmp
memory/5432-696-0x0000000000400000-0x0000000000434000-memory.dmp
memory/5392-695-0x0000000000400000-0x0000000000434000-memory.dmp
memory/5360-694-0x0000000000400000-0x0000000000434000-memory.dmp
memory/5324-693-0x0000000000400000-0x0000000000434000-memory.dmp
memory/5284-692-0x0000000000400000-0x0000000000434000-memory.dmp
memory/5252-691-0x0000000000400000-0x0000000000434000-memory.dmp
memory/5216-690-0x0000000000400000-0x0000000000434000-memory.dmp
memory/5140-688-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4608-687-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3440-686-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3504-685-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4952-684-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2100-683-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1760-682-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1884-681-0x0000000000400000-0x0000000000434000-memory.dmp
memory/5072-680-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4768-679-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1984-678-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1348-507-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2664-506-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1320-505-0x0000000000400000-0x0000000000434000-memory.dmp
memory/5096-504-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1016-503-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2356-502-0x0000000000400000-0x0000000000434000-memory.dmp
memory/532-501-0x0000000000400000-0x0000000000434000-memory.dmp
memory/220-494-0x0000000000400000-0x0000000000434000-memory.dmp
memory/744-493-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4984-492-0x0000000000400000-0x0000000000434000-memory.dmp
memory/784-491-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4904-490-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3084-489-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1440-488-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1688-487-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1676-486-0x0000000000400000-0x0000000000434000-memory.dmp
memory/772-485-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2160-484-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4736-483-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1756-482-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2732-481-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2604-480-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1964-479-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2620-478-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3452-477-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2112-476-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4344-474-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3252-473-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4760-472-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3944-471-0x0000000000400000-0x0000000000434000-memory.dmp
memory/628-470-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1980-469-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3972-468-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2408-463-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3052-461-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2152-460-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4604-457-0x0000000000400000-0x0000000000434000-memory.dmp
memory/5024-456-0x0000000000400000-0x0000000000434000-memory.dmp
memory/452-455-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1096-459-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2164-454-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4480-451-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4012-450-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4320-449-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2056-448-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3320-447-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2384-444-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4248-441-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1988-440-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1744-439-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4032-438-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4040-437-0x0000000000400000-0x0000000000434000-memory.dmp
memory/788-436-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3468-434-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3520-452-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Cklaknjd.exe
| MD5 | b835b1495878889c112938f5c93ba0c0 |
| SHA1 | afc582184ecd925c80fa3d494a44604b962e99e7 |
| SHA256 | 357f1f3d393884b7791925b4aedb97dd07a03d29398f871f498d4fc27d6d1c06 |
| SHA512 | 6b78d9eeed9335f80f2f160a11df3f004677f303a75ccbd5f23f4a629da2c41853dccb6c60073acb3cd894b6c9e463d40f5c3c8d5bd9ff7c728a4ab3492cb3a5 |
C:\Windows\SysWOW64\Cdainc32.exe
| MD5 | 6dfd5510a35418bd0f751f7938dce2ba |
| SHA1 | 59cbe94c84a6d6963b97c2856773b84e0aa81ff5 |
| SHA256 | 2e8bec187c0f250d54476ef3eb25071b9d8966e0974388f379cf51a1e5fcb5fc |
| SHA512 | cd0d5eda8a7c09565a04c9a561a6af9db261dc3e4dfe50ec151f7952cd7da17dc798c887370d342b5021420a3fd6ee0abd31c245aa89a1c8e2ab8fc6e79b34db |
C:\Windows\SysWOW64\Ceoibflm.exe
| MD5 | a6f91b4b1de8faead0ca77dc513372ae |
| SHA1 | bf2d23d2db313f9e49f8c43327abdc1d139622a0 |
| SHA256 | 782c1ec27c30ca81c1fcf718e2a1910778d5d46f6500362b75c87e2dfb258e3c |
| SHA512 | e4099f275a1ade68ed2109ea471005d0dadf782e686620db3b32814e05d1bb41f4711be275a60b2daa4a7650aea6c8fcbd0873869504a10c256f986b77056c43 |
C:\Windows\SysWOW64\Bkidenlg.exe
| MD5 | bc7c4c546d181cc2bafe149e214bfd3b |
| SHA1 | 844ca30a22051026d5a64fe9be9d6b608e469c3e |
| SHA256 | dd18209ae739475cfabe011966e3ff6793a0078a5958764a15d6b44486808423 |
| SHA512 | 450b1acfe35ce859cb786216c8a9ad57542d0521503c2a631af2a016b93ca908e8dc9ef28e05598870f2c2c0278d994114934c7c73c3b048e510f53d57313722 |
C:\Windows\SysWOW64\Bdolhc32.exe
| MD5 | 94f1148df5bab6b789d6cd729e1291f5 |
| SHA1 | 8491cb0afe8f9c65961b549980a2aa8448c7f7cf |
| SHA256 | 03f3add9b023c1e0145a83f0a574b258f1690f6a2ffcfee33cf7d5c0104be900 |
| SHA512 | 179393bb69f7c3a2438f1919ecdbd1eb27948c026f2d34848f9389107ff949ddcb869639708b7397520af71ac3fdc3d55c92d145cecbbfc5fd3659de290922db |
C:\Windows\SysWOW64\Bbnpqk32.exe
| MD5 | 1d1d882adb400279b715ffc3925222cd |
| SHA1 | 368077bc9248bf825c3992d5792b74140902d811 |
| SHA256 | be0b604d0cf1554715cf689d363afe7c2a1bbfcad24a26571d1508547b21bf35 |
| SHA512 | 33fd4e64c80c9fdb1039c5db83e232f63ec6eadbbe8ed5e1e7921650ac3749ef03ad28124b621e4e6721ca19e32a27bbf29a0510405f4db0065467163b5b1c9b |
C:\Windows\SysWOW64\Bobcpmfc.exe
| MD5 | 3318eb289d9edcbd3d3ebc8c4f73d15a |
| SHA1 | e9275198fa8232ae4794d64995ff2cb78fec89c6 |
| SHA256 | 3ddfa13386f5442e64a14f0669b3f51e01b27b2658eda34b3705445ef8e87f76 |
| SHA512 | e83843cdd70649792f16f61b7fa06bcad17eb77197cdb25681e9abbbf08819a21df4df3dee479b92d0de0a1d58b65b1aec413e1c97d6ab57f633003c5e21ba3f |
C:\Windows\SysWOW64\Bdmpcdfm.exe
| MD5 | 14b581c8419a8154ad20e5705d8afd82 |
| SHA1 | 8e2883b6a805a5c13baa0492da7db5c02c2c959c |
| SHA256 | 8d88719964f1c43747e94c44c304b0968b1bf76f39e6cd412bf6cef80c55bcbd |
| SHA512 | 08a22d08cd813acddb80c22620c907c91164adfbcf7a99c82151663ff53ff92afef4bbfd8a2195297e049628f4934675bde784499cce408b0d4b708cc23e3938 |
C:\Windows\SysWOW64\Blbknaib.exe
| MD5 | baba530ba4de87cf5cd4c3355f780772 |
| SHA1 | 251ef4e457f5027fd66a84ade7db98a4bb89a900 |
| SHA256 | eb1ab27e8e84eed318016c56576b0c1ad72c40d5789d60b4e6e2f721d5520339 |
| SHA512 | 71fd496fb2511e33c189ea178fa5a31574cfb5f9f29faf53de5e81b0f00f359a5fcc8b4ba550c0c5985ecaada134d7a7120026c5d43850610cfabcfaf86fe3df |
memory/2360-109-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Jbeidl32.exe
| MD5 | 69ec60906a29265bd9c40fc1a35afe6c |
| SHA1 | 5807bedbce9a0c02f8209981642dcc4830fd380a |
| SHA256 | 12b928bad87db5562d2839b3e88d3184412d619bc9b9ca7b1e49c37867d5b558 |
| SHA512 | 2561feff28a317a775be114e328a7ea8bdb412797f98ccea80ff6905c3c411f2c9b3ecbcb712f48ae9887dd957fe15fd29fd87525e9baa7545b508ed21994ca4 |
C:\Windows\SysWOW64\Kepelfam.exe
| MD5 | f8f9393e574fb3ace27f13c2cb96f89b |
| SHA1 | cb350a3da85d849f4013bab935b1bf57455b2e24 |
| SHA256 | a2c0aae2d544278b010ea6d882fcd3a8d9c5b6b9ea57e1548ad46644151ed35c |
| SHA512 | fa2a833fc17bd7429289a6cc11cbf296793e0241a8e116bba759315c6d44438f7cffb3dee7cc728afb495c91fd7b41a39a0891df3130b839aea00c1962c79f2f |
C:\Windows\SysWOW64\Kbceejpf.exe
| MD5 | 70bfc118a0d3ba7cfa195d60263a18bb |
| SHA1 | a2d6160d512a7bf59d49c6bf4dab12c9aea815bb |
| SHA256 | e28033ed795ea75ade57cf5a3b100b3556c723f41cf5785d6dd48c85b39193df |
| SHA512 | 8a03936edd92cfcbc97d06c9bd90aedfd19a7d2e9f79ca51eb50e60726872acd261b6d373b9ea13d27e5aaee1d1752410c1f8b24061f6fa80869545bca6ba3ad |
C:\Windows\SysWOW64\Kpgfooop.exe
| MD5 | 82eaaa3567564fc16295b083a0cc8d72 |
| SHA1 | 586e091d06571effa2b5d70586cac6231e20313a |
| SHA256 | 2a1588e6127b37e1a6d5a24424525ad523cc010043d9fe96003024039f1028e5 |
| SHA512 | 5245e3672e708daa0d421a5a29c9afe337a08ba1d712998eb6b247aff690d2d3408c45b65acc6675d1ab2c5c735b8b1bc1b188ea20713973119b3a85d53ca4c0 |
C:\Windows\SysWOW64\Lpcfkm32.exe
| MD5 | efc3bc983a2cba8bc482ddd2722c9e38 |
| SHA1 | 0c723e672ef3774722848f92bc5889561d5ce918 |
| SHA256 | 4eeaf7ef4102e60b3ef48058e887c0e97fe28f96947d491e76feefe484d2ef4d |
| SHA512 | 113f112eec77f6eb7463c151d15ebad5775b91c8e5f19bb67ad4a598fc094ded1eef0d0bf7a501c233631e674a6fae373985aa826bd94a624e08c2724da3dcf8 |
C:\Windows\SysWOW64\Lllcen32.exe
| MD5 | 4a113ebe9b7e22c0fc9df5c54e28c34b |
| SHA1 | db45b5613bd93d24b562a1042108fb76e287b4b5 |
| SHA256 | 21442015243030c6f5517a887633ff7a01dc60d715f405f2af8180632604f2ca |
| SHA512 | 5726a856e9243556db932a3ba6621400df890e36f3ac128da72c0436b6d1e49358a1e6d7cd84c94d9439be73c42e96b3034a72bc3e03be186bc8874066d05902 |
C:\Windows\SysWOW64\Ndaggimg.exe
| MD5 | 04891ebc22e82e0f7477029d7014a35e |
| SHA1 | 189ea474d27d57cc3b0687048430e27bad2f54ac |
| SHA256 | 898ffc77d3088c19b69bea782ea3a7077115a4244d537fbd9000c22d4033ada3 |
| SHA512 | 2b7c2dbfa80d7b2e696d33542833f3f83c49e0fabb79ade9566d54f2ac0842e33b974ea377eddf1309672e3334b58c2a4a88e351524682ecd8af0a645c719610 |
C:\Windows\SysWOW64\Ndfqbhia.exe
| MD5 | d546bbbf6497c19d34abf844da837181 |
| SHA1 | eac7c74fab0c6cdcc18d9b9b818e8f171541604e |
| SHA256 | 0d25625f59f6c9cf6fd580536ae5933caa84bd934e0382270c5c6261ae4a4c0a |
| SHA512 | 1d826643754edfc646d4b055d5b287d4cfaab6960ef475bbc4a0faf40111935c2598fac6e8910f119553153b4c7314a1399649cb45da98006d620d9859adeefb |
C:\Windows\SysWOW64\Njciko32.exe
| MD5 | 51f7a4aa5ca1a85b5b5c85126f0e475e |
| SHA1 | b6f1e263cfc7bc8cc13eae875142a0461e0b335d |
| SHA256 | 479283c6ef62672de247a02f5ecc21bdae66dd7cef5ed3e6fb5276c5d491aa75 |
| SHA512 | 7fba6cf6df71b0f40aab64a66af991af44de8126615e56483123df18f6a7d7b393a34be7026b71116e689ea3b16ea0edf9aa5c63a135ca15f2f5d9312bd96a9a |
C:\Windows\SysWOW64\Nfjjppmm.exe
| MD5 | 562275d5c9c9b47a0100bac58fe5675f |
| SHA1 | 266b8e9c394cd25c31fc3428ba591f885794a109 |
| SHA256 | cf4509e3059ce12d4700688d67b26614b48236c4afc19be9fd3ae104958c76d3 |
| SHA512 | 30707e8e25b1b0b11b26297314ce154031325707986948c5e3e88f0f315f47544cc2e60bfba59dd55fba25cdce61fee32c6ca00deff98fbf6fcfc3d99a07483e |
C:\Windows\SysWOW64\Olfobjbg.exe
| MD5 | d8a653ec9b385aac35e6b38f04939a27 |
| SHA1 | 2af35cfd7bf33730b04aa174d0676cb2a1ee2744 |
| SHA256 | 63c7f1298f6eac3c3331181f2ee37a1ed5c32290d6f7a4ebbad624e96961bbb3 |
| SHA512 | 51070d2de1ac547674012fbc873dc7628e2c6968277a1bd4cddbe222653aea8e425dfbb43e1de1a9ff7415eb91e8cce5c5fa382f28d9365c7d57f989ecd5e735 |
C:\Windows\SysWOW64\Ogbipa32.exe
| MD5 | 8ab6b9e575384de6b344e154533dc401 |
| SHA1 | e81578ad01983bbb7eea1fb863e515ee716550f3 |
| SHA256 | 278309bcc05422774a6aa73c07c6efa0c9a820cdc327487bf823b86c53511a5f |
| SHA512 | 73c170d688c3e4fa4468fd613ddcfb7b5e65d52f666dcb8c32a8cfdc09438f816c0c292609cfb1b0062956d4f6ee559758652862a0c0e0335a8bf2ce6a1e90c1 |
C:\Windows\SysWOW64\Ojaelm32.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
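The four values recorded for Ojaelm32.exe directly above are the digests of zero-length input (MD5 d41d8cd98f00b204e9800998ecf8427e, SHA1 da39a3ee..., SHA256 e3b0c442..., SHA512 cf83e135...): the file was 0 bytes when the sandbox hashed it, so those hashes identify nothing and would match every empty file on every host if pushed to a blocklist. The script below is an added example, not part of this report or of any vendor tooling; it parses the report's own path-plus-hash-table layout, flags records whose hashes are the empty-input digests or are malformed, and emits the SHA256 values that are actually safe to use as indicators. The two records embedded as sample input are copied from the list above; the helper and function names are the example's own.

```python
import hashlib

# Digests of zero-length input, computed rather than hard-coded so the check
# stays tied to the real algorithm outputs.
EMPTY_DIGESTS = {
    name: hashlib.new(name, b"").hexdigest()
    for name in ("md5", "sha1", "sha256", "sha512")
}

# Expected hex length per algorithm; anything else is a truncated or mangled value.
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}

# Two records excerpted from the dropped-files list above (constructed sample input).
SAMPLE = r"""
C:\Windows\SysWOW64\Ogbipa32.exe
| MD5 | 8ab6b9e575384de6b344e154533dc401 |
| SHA1 | e81578ad01983bbb7eea1fb863e515ee716550f3 |
| SHA256 | 278309bcc05422774a6aa73c07c6efa0c9a820cdc327487bf823b86c53511a5f |
| SHA512 | 73c170d688c3e4fa4468fd613ddcfb7b5e65d52f666dcb8c32a8cfdc09438f816c0c292609cfb1b0062956d4f6ee559758652862a0c0e0335a8bf2ce6a1e90c1 |
C:\Windows\SysWOW64\Ojaelm32.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
"""


def parse_dropped_files(text):
    """Parse the report layout: a path line followed by '| ALGO | hex |' rows.
    Returns {path: {algo: hex}} with algorithm names and digests lower-cased."""
    records, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("|"):
            cells = [c.strip() for c in line.strip("|").split("|")]
            if current is None or len(cells) != 2:
                continue
            records[current][cells[0].lower()] = cells[1].lower()
        else:
            current = line
            records.setdefault(current, {})
    return records


def is_empty_file_record(hashes):
    """True when every digest present equals the digest of zero-length input."""
    return bool(hashes) and all(EMPTY_DIGESTS.get(a) == h for a, h in hashes.items())


def malformed(hashes):
    """Algorithms whose value is not well-formed lowercase hex of the expected length."""
    bad = []
    for algo, h in hashes.items():
        ok = (algo in HEX_LEN and len(h) == HEX_LEN[algo]
              and all(c in "0123456789abcdef" for c in h))
        if not ok:
            bad.append(algo)
    return bad


def classify(records):
    """Split records into (usable, empty) path lists; malformed records go in neither."""
    usable, empty = [], []
    for path, hashes in records.items():
        if is_empty_file_record(hashes):
            empty.append(path)
        elif hashes and not malformed(hashes):
            usable.append(path)
    return usable, empty


def sha256_blocklist(records):
    """Deduplicated SHA256 values safe to push to a blocklist: the empty-file
    digest is excluded because it would match every zero-byte file."""
    usable, _ = classify(records)
    return sorted({records[p]["sha256"] for p in usable if "sha256" in records[p]})


if __name__ == "__main__":
    recs = parse_dropped_files(SAMPLE)
    usable, empty = classify(recs)
    print("usable:", usable)
    print("empty at capture:", empty)
    print("blocklist:", sha256_blocklist(recs))
```

Run it over the full dropped-files list rather than the two embedded records to get the complete indicator set; the same empty-digest check also catches sandbox artefacts where a file was still being written when it was hashed.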
C:\Windows\SysWOW64\Pfjcgn32.exe
| MD5 | dd45f0cdddbe8772da588e060bcd4f39 |
| SHA1 | 2c02c182f4e31f0335616ee46e6d95475d8494bd |
| SHA256 | f5b294d76c706c914fd4115c04d706dc6ec16b2bdcf1f44b9fa33770f37a4537 |
| SHA512 | c7b7cb6ba3c2d848267dcdb0153faf67158f3311bed0c9fdfffc57695beb503806daf626619c674882d1c307897350c50238116670fe3066e24c37afecc3088b |
C:\Windows\SysWOW64\Pqpgdfnp.exe
| MD5 | 5656892723764d8e68155ff89601abc5 |
| SHA1 | 1092797bea48ff330ff3dfe714f25417c576fc90 |
| SHA256 | 0cf50b7e8c111210a32e6d3738250f97a59c8598af3ce1863ad9f19b8b85e122 |
| SHA512 | d872034ef5b13a81961818c103c412406812221143d1f23e9f2532395846562a0268cf0256ecf5a25a65d750a4c1f67aa624fe5c7afad9c37c4d0ee9f2eea738 |
C:\Windows\SysWOW64\Qmkadgpo.exe
| MD5 | a0a743aa1e4d5c6f21762ca592429f5a |
| SHA1 | 8566273b5cd6c911b6b32ee4ee8a0f095b26c397 |
| SHA256 | c645ff370bdc8c833470af013cfe06896d643c2f7545f1999efa8718d72e70c3 |
| SHA512 | 1b57114f8175e9936b1ca14ec2201a8f4e83af09d1a3d13eb872129e57a4073d898d33cdb6e3e8b3a782bc531749eb6c91de3658b16f1956592a0d4bad6603a7 |
C:\Windows\SysWOW64\Ajfhnjhq.exe
| MD5 | 08bd650f8e612ec69292e157115f23c5 |
| SHA1 | e88abb524b723c96467901e035a22874f6ae88a0 |
| SHA256 | 4a0af269bb984dba66455e5969cc835b5515713a0752ac2b8647dea9d1841f2a |
| SHA512 | aa0384ae27117af8988e1a620975e4cd2813570daa791504f85f503f350634a80593663f92f2517a2eeb818cd166a9f275dfd3f6629929ae2e7abc1270cc9e84 |
C:\Windows\SysWOW64\Acqimo32.exe
| MD5 | ff7252318699626acf49f982b7fc87fc |
| SHA1 | 89f821997055f7fc94bde2693a2fdb8476160f87 |
| SHA256 | c45e30b4cecabe824ae838ce44ebd10f19c3f3e9df4774ea66f036f959bd7880 |
| SHA512 | aa888f1641bfdf33828caea2b8ed7c8568e1641838286861c6d1ef074f07f31f12560a86825a4abb8885abc83afd7fbbd5aa4da3cecdc25a3d5fa8c95415c190 |
C:\Windows\SysWOW64\Aadifclh.exe
| MD5 | 6a93d71441bf33e51a7756e6576add15 |
| SHA1 | d57da49a39b3e08510c5337147951d7f65873d7e |
| SHA256 | e40b644989d3165f6592c19583b9f57c2fb050348ac04f5deeb1930bd75fde3e |
| SHA512 | 3c4eb38a2e70c0d3dd5f92ff57523f68ae93ec52048f49580223f578ff6e82294d5462fb582b963bd2dc777d02067035f7629c95b124f15b8580d8cd08f934ac |
C:\Windows\SysWOW64\Balpgb32.exe
| MD5 | edf242ecbb7ec687fe02fd04dcef5bb2 |
| SHA1 | 8e0b705aadaff3014c87a5c13baf2495f2b4c44d |
| SHA256 | cdce296cc91e13665858231ac2de6aa952742065e4a0abe1dde0d0ffd369c335 |
| SHA512 | da70f084014a35d4b615e4daad17d1fe7284ed52df96a3f65949bc3d1d861d65504b86b49a398e40de64afc0302434363ac48b2e212688471d697012cbebc3c7 |
C:\Windows\SysWOW64\Cjinkg32.exe
| MD5 | e4b9e68eb018a468558446fc638c3bef |
| SHA1 | ddc7705ff0a92c763349bfa23b773cb124690b7a |
| SHA256 | 06b6ad34b2270a29151edd05c45abd225860417feb8ad9aad5251b814bc41e67 |
| SHA512 | 583f375aef81b43aa9605ef71764ba26b82abb3b5c9c2566aed7b084574585da3d3c0fb16ca7d355ce99be695892163a69582c6d07fa8c4cc7ab755f2bee57ca |
C:\Windows\SysWOW64\Cmqmma32.exe
| MD5 | b012b7fb2c7fb1e92a5d033389f1dbd2 |
| SHA1 | df92869feb7fb82d7af011a1125a2c5f94c50be6 |
| SHA256 | a86dec7a0ccc0743e84568bc43de86480f1091e98e5f646f94a8cc05c095168a |
| SHA512 | e64f022983e85b350b3d1e686c66006c02b27035490f127e54887aff7a363e81141029bf11074511bec6c5b82d644c152ef9bf705f2e5f5afa68a80d293f112d |
C:\Windows\SysWOW64\Dmjocp32.exe
| MD5 | 02e4dff9f3b735bca43d0e568d9e6aa5 |
| SHA1 | db30f5aa18a924a93c251ed2ec704071cefb2100 |
| SHA256 | 45c31d5b1551e9d34031ef3b17cb3acfcfaefef31375366ea0a1bb9a04ad2c20 |
| SHA512 | af0fd544fefccd00d9b22b731e76df1ac397238ae184575291819e313173504b62dc25baf25b1552bb983e895bbb312b51049daf0aa24f4584e98bd2ccd876e9 |