Analysis Overview
SHA256
6d7304c0699b412ddd483f4ae5e1c2c16bc10970ad4065da837d9f8006bf4165
Threat Level: Known bad
The file 13319956a82d518d8c2816d9f3c39bb0_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Malware Dropper & Backdoor - Berbew
Berbew family
Adds autorun key to be loaded by Explorer.exe on startup
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Program crash
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-02 00:25
Signatures
Berbew family
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-02 00:25
Reported
2024-06-02 00:27
Platform
win7-20240221-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ebinic32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ffpmnf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hmlnoc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hacmcfge.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Eflgccbp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Fejgko32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Fddmgjpo.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gelppaof.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Gogangdc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hknach32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hhmepp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Iaeiieeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Djnpnc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Eecqjpee.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Gmgdddmq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Idceea32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dqjepm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Fmhheqje.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gopkmhjk.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gldkfl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gkkemh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Hacmcfge.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ebbgid32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ghmiam32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hlcgeo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Eloemi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fhhcgj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Feeiob32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Hdfflm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Icbimi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Eqonkmdh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Elmigj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Fmcoja32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fhkpmjln.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Geolea32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hggomh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Eecqjpee.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Filldb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gaemjbcg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Hicodd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Hjhhocjj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hpmgqnfl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hpapln32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Epfhbign.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Fbdqmghm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Fmjejphb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gmgdddmq.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ghmiam32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hicodd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ilknfn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Hknach32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Hmlnoc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dkhcmgnl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Dkhcmgnl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ddcdkl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Emcbkn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fmcoja32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Gobgcg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Idceea32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ihoafpmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Users\Admin\AppData\Local\Temp\13319956a82d518d8c2816d9f3c39bb0_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dgmglh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Eeempocb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gddifnbk.exe | N/A |
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
64 hits on this signature; the report records no description, indicator, process or target for any of them.
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Hlcgeo32.exe | C:\Windows\SysWOW64\Hejoiedd.exe | N/A |
| File created | C:\Windows\SysWOW64\Kjnifgah.dll | C:\Windows\SysWOW64\Hejoiedd.exe | N/A |
| File created | C:\Windows\SysWOW64\Emcbkn32.exe | C:\Windows\SysWOW64\Dfijnd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fhkpmjln.exe | C:\Windows\SysWOW64\Fpdhklkl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gobgcg32.exe | C:\Windows\SysWOW64\Gldkfl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ooghhh32.dll | C:\Windows\SysWOW64\Gelppaof.exe | N/A |
| File created | C:\Windows\SysWOW64\Pqiqnfej.dll | C:\Windows\SysWOW64\Iaeiieeb.exe | N/A |
| File created | C:\Windows\SysWOW64\Ioijbj32.exe | C:\Windows\SysWOW64\Ilknfn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Eajaoq32.exe | C:\Windows\SysWOW64\Enkece32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fmlapp32.exe | C:\Windows\SysWOW64\Feeiob32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hghmjpap.dll | C:\Windows\SysWOW64\Gonnhhln.exe | N/A |
| File created | C:\Windows\SysWOW64\Hahjpbad.exe | C:\Windows\SysWOW64\Hmlnoc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cgcmfjnn.dll | C:\Windows\SysWOW64\Dchali32.exe | N/A |
| File created | C:\Windows\SysWOW64\Glaoalkh.exe | C:\Windows\SysWOW64\Gicbeald.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dfijnd32.exe | C:\Windows\SysWOW64\Dchali32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fmcoja32.exe | C:\Windows\SysWOW64\Fnpnndgp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gkkemh32.exe | C:\Windows\SysWOW64\Ghmiam32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gogangdc.exe | C:\Windows\SysWOW64\Gkkemh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Iaeiieeb.exe | C:\Windows\SysWOW64\Icbimi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ddcdkl32.exe | C:\Windows\SysWOW64\Djnpnc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Eqonkmdh.exe | C:\Windows\SysWOW64\Emcbkn32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Eflgccbp.exe | C:\Windows\SysWOW64\Eqonkmdh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Eeempocb.exe | C:\Windows\SysWOW64\Eajaoq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pfabenjd.dll | C:\Windows\SysWOW64\Gaemjbcg.exe | N/A |
| File created | C:\Windows\SysWOW64\Fenhecef.dll | C:\Windows\SysWOW64\Hgilchkf.exe | N/A |
| File created | C:\Windows\SysWOW64\Enkece32.exe | C:\Windows\SysWOW64\Elmigj32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Feeiob32.exe | C:\Windows\SysWOW64\Fddmgjpo.exe | N/A |
| File created | C:\Windows\SysWOW64\Hmlnoc32.exe | C:\Windows\SysWOW64\Hknach32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hgdbhi32.exe | C:\Windows\SysWOW64\Hdfflm32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gicbeald.exe | C:\Windows\SysWOW64\Gfefiemq.exe | N/A |
| File created | C:\Windows\SysWOW64\Gaqcoc32.exe | C:\Windows\SysWOW64\Gobgcg32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dqjepm32.exe | C:\Windows\SysWOW64\Dkmmhf32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Elmigj32.exe | C:\Windows\SysWOW64\Eecqjpee.exe | N/A |
| File created | C:\Windows\SysWOW64\Qdcbfq32.dll | C:\Windows\SysWOW64\Fmcoja32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hdfflm32.exe | C:\Windows\SysWOW64\Hahjpbad.exe | N/A |
| File created | C:\Windows\SysWOW64\Phofkg32.dll | C:\Windows\SysWOW64\Hahjpbad.exe | N/A |
| File created | C:\Windows\SysWOW64\Ihoafpmp.exe | C:\Windows\SysWOW64\Idceea32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Eqonkmdh.exe | C:\Windows\SysWOW64\Emcbkn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fddmgjpo.exe | C:\Windows\SysWOW64\Flmefm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gpekfank.dll | C:\Windows\SysWOW64\Gddifnbk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dkhcmgnl.exe | C:\Windows\SysWOW64\Dgmglh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Eloemi32.exe | C:\Windows\SysWOW64\Eeempocb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hahjpbad.exe | C:\Windows\SysWOW64\Hmlnoc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Alogkm32.dll | C:\Windows\SysWOW64\Hpapln32.exe | N/A |
| File created | C:\Windows\SysWOW64\Amammd32.dll | C:\Windows\SysWOW64\Idceea32.exe | N/A |
| File created | C:\Windows\SysWOW64\Anapbp32.dll | C:\Windows\SysWOW64\Djnpnc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Emcbkn32.exe | C:\Windows\SysWOW64\Dfijnd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Elmigj32.exe | C:\Windows\SysWOW64\Eecqjpee.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fhhcgj32.exe | C:\Windows\SysWOW64\Fejgko32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fddmgjpo.exe | C:\Windows\SysWOW64\Flmefm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dbbkja32.exe | C:\Windows\SysWOW64\Dodonf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fejgko32.exe | C:\Windows\SysWOW64\Fmcoja32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pnnclg32.dll | C:\Windows\SysWOW64\Gieojq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hlakpp32.exe | C:\Windows\SysWOW64\Hicodd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lbidmekh.dll | C:\Windows\SysWOW64\Elmigj32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hknach32.exe | C:\Windows\SysWOW64\Ghoegl32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ioijbj32.exe | C:\Windows\SysWOW64\Ilknfn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Clphjpmh.dll | C:\Windows\SysWOW64\Fmhheqje.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ffpmnf32.exe | C:\Windows\SysWOW64\Fbdqmghm.exe | N/A |
| File created | C:\Windows\SysWOW64\Gcaciakh.dll | C:\Windows\SysWOW64\Gogangdc.exe | N/A |
| File created | C:\Windows\SysWOW64\Jnmgmhmc.dll | C:\Windows\SysWOW64\Fmjejphb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gmgdddmq.exe | C:\Windows\SysWOW64\Goddhg32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gddifnbk.exe | C:\Windows\SysWOW64\Gaemjbcg.exe | N/A |
| File created | C:\Windows\SysWOW64\Hejoiedd.exe | C:\Windows\SysWOW64\Hggomh32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Iaeiieeb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Dqjepm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nobdlg32.dll" | C:\Windows\SysWOW64\Dqjepm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Enkece32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hkkalk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Gopkmhjk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Hahjpbad.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjnifgah.dll" | C:\Windows\SysWOW64\Hejoiedd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gobgcg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ghoegl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} | C:\Users\Admin\AppData\Local\Temp\13319956a82d518d8c2816d9f3c39bb0_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Eecqjpee.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Eajaoq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Gldkfl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgcmfjnn.dll" | C:\Windows\SysWOW64\Dchali32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gieojq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Hkkalk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Ebbgid32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdcbfq32.dll" | C:\Windows\SysWOW64\Fmcoja32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fddmgjpo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnempl32.dll" | C:\Windows\SysWOW64\Geolea32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hjjddchg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Idceea32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Gieojq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gogangdc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anllbdkl.dll" | C:\Windows\SysWOW64\Hicodd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hciofb32.dll" | C:\Windows\SysWOW64\Hlcgeo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\13319956a82d518d8c2816d9f3c39bb0_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Dchali32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Eflgccbp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Fhkpmjln.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lopekk32.dll" | C:\Windows\SysWOW64\Epfhbign.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addnil32.dll" | C:\Windows\SysWOW64\Gicbeald.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Gddifnbk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkkmeglp.dll" | C:\Windows\SysWOW64\Hgdbhi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Hobcak32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njqaac32.dll" | C:\Windows\SysWOW64\Eflgccbp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Eeempocb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Fmjejphb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gldkfl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Geolea32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hicodd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hlcgeo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hhmepp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dkhcmgnl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gadkgl32.dll" | C:\Windows\SysWOW64\Ebinic32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Fmcoja32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbpij32.dll" | C:\Windows\SysWOW64\Glfhll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Gaqcoc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hahjpbad.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dkmmhf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Epfhbign.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ebinic32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njmekj32.dll" | C:\Windows\SysWOW64\Hmlnoc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Icbimi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnijonn.dll" | C:\Windows\SysWOW64\Ilknfn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Dbbkja32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Eajaoq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnnclg32.dll" | C:\Windows\SysWOW64\Gieojq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gelppaof.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Djnpnc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Geolea32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Gaemjbcg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oecbjjic.dll" | C:\Windows\SysWOW64\Fmlapp32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\13319956a82d518d8c2816d9f3c39bb0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\13319956a82d518d8c2816d9f3c39bb0_NeikiAnalytics.exe"
C:\Windows\SysWOW64\Ckffgg32.exe
C:\Windows\system32\Ckffgg32.exe
C:\Windows\SysWOW64\Dgmglh32.exe
C:\Windows\system32\Dgmglh32.exe
C:\Windows\SysWOW64\Dkhcmgnl.exe
C:\Windows\system32\Dkhcmgnl.exe
C:\Windows\SysWOW64\Dodonf32.exe
C:\Windows\system32\Dodonf32.exe
C:\Windows\SysWOW64\Dbbkja32.exe
C:\Windows\system32\Dbbkja32.exe
C:\Windows\SysWOW64\Djnpnc32.exe
C:\Windows\system32\Djnpnc32.exe
C:\Windows\SysWOW64\Ddcdkl32.exe
C:\Windows\system32\Ddcdkl32.exe
C:\Windows\SysWOW64\Dkmmhf32.exe
C:\Windows\system32\Dkmmhf32.exe
C:\Windows\SysWOW64\Dqjepm32.exe
C:\Windows\system32\Dqjepm32.exe
C:\Windows\SysWOW64\Dchali32.exe
C:\Windows\system32\Dchali32.exe
C:\Windows\SysWOW64\Dfijnd32.exe
C:\Windows\system32\Dfijnd32.exe
C:\Windows\SysWOW64\Emcbkn32.exe
C:\Windows\system32\Emcbkn32.exe
C:\Windows\SysWOW64\Eqonkmdh.exe
C:\Windows\system32\Eqonkmdh.exe
C:\Windows\SysWOW64\Eflgccbp.exe
C:\Windows\system32\Eflgccbp.exe
C:\Windows\SysWOW64\Ejgcdb32.exe
C:\Windows\system32\Ejgcdb32.exe
C:\Windows\SysWOW64\Emeopn32.exe
C:\Windows\system32\Emeopn32.exe
C:\Windows\SysWOW64\Ebbgid32.exe
C:\Windows\system32\Ebbgid32.exe
C:\Windows\SysWOW64\Epfhbign.exe
C:\Windows\system32\Epfhbign.exe
C:\Windows\SysWOW64\Eecqjpee.exe
C:\Windows\system32\Eecqjpee.exe
C:\Windows\SysWOW64\Elmigj32.exe
C:\Windows\system32\Elmigj32.exe
C:\Windows\SysWOW64\Enkece32.exe
C:\Windows\system32\Enkece32.exe
C:\Windows\SysWOW64\Eajaoq32.exe
C:\Windows\system32\Eajaoq32.exe
C:\Windows\SysWOW64\Eeempocb.exe
C:\Windows\system32\Eeempocb.exe
C:\Windows\SysWOW64\Eloemi32.exe
C:\Windows\system32\Eloemi32.exe
C:\Windows\SysWOW64\Ebinic32.exe
C:\Windows\system32\Ebinic32.exe
C:\Windows\SysWOW64\Fhffaj32.exe
C:\Windows\system32\Fhffaj32.exe
C:\Windows\SysWOW64\Fnpnndgp.exe
C:\Windows\system32\Fnpnndgp.exe
C:\Windows\SysWOW64\Fmcoja32.exe
C:\Windows\system32\Fmcoja32.exe
C:\Windows\SysWOW64\Fejgko32.exe
C:\Windows\system32\Fejgko32.exe
C:\Windows\SysWOW64\Fhhcgj32.exe
C:\Windows\system32\Fhhcgj32.exe
C:\Windows\SysWOW64\Fnbkddem.exe
C:\Windows\system32\Fnbkddem.exe
C:\Windows\SysWOW64\Fpdhklkl.exe
C:\Windows\system32\Fpdhklkl.exe
C:\Windows\SysWOW64\Fhkpmjln.exe
C:\Windows\system32\Fhkpmjln.exe
C:\Windows\SysWOW64\Filldb32.exe
C:\Windows\system32\Filldb32.exe
C:\Windows\SysWOW64\Fmhheqje.exe
C:\Windows\system32\Fmhheqje.exe
C:\Windows\SysWOW64\Fbdqmghm.exe
C:\Windows\system32\Fbdqmghm.exe
C:\Windows\SysWOW64\Ffpmnf32.exe
C:\Windows\system32\Ffpmnf32.exe
C:\Windows\SysWOW64\Fmjejphb.exe
C:\Windows\system32\Fmjejphb.exe
C:\Windows\SysWOW64\Flmefm32.exe
C:\Windows\system32\Flmefm32.exe
C:\Windows\SysWOW64\Fddmgjpo.exe
C:\Windows\system32\Fddmgjpo.exe
C:\Windows\SysWOW64\Feeiob32.exe
C:\Windows\system32\Feeiob32.exe
C:\Windows\SysWOW64\Fmlapp32.exe
C:\Windows\system32\Fmlapp32.exe
C:\Windows\SysWOW64\Gonnhhln.exe
C:\Windows\system32\Gonnhhln.exe
C:\Windows\SysWOW64\Gfefiemq.exe
C:\Windows\system32\Gfefiemq.exe
C:\Windows\SysWOW64\Gicbeald.exe
C:\Windows\system32\Gicbeald.exe
C:\Windows\SysWOW64\Glaoalkh.exe
C:\Windows\system32\Glaoalkh.exe
C:\Windows\SysWOW64\Gopkmhjk.exe
C:\Windows\system32\Gopkmhjk.exe
C:\Windows\SysWOW64\Gangic32.exe
C:\Windows\system32\Gangic32.exe
C:\Windows\SysWOW64\Gieojq32.exe
C:\Windows\system32\Gieojq32.exe
C:\Windows\SysWOW64\Gldkfl32.exe
C:\Windows\system32\Gldkfl32.exe
C:\Windows\SysWOW64\Gobgcg32.exe
C:\Windows\system32\Gobgcg32.exe
C:\Windows\SysWOW64\Gaqcoc32.exe
C:\Windows\system32\Gaqcoc32.exe
C:\Windows\SysWOW64\Gelppaof.exe
C:\Windows\system32\Gelppaof.exe
C:\Windows\SysWOW64\Glfhll32.exe
C:\Windows\system32\Glfhll32.exe
C:\Windows\SysWOW64\Goddhg32.exe
C:\Windows\system32\Goddhg32.exe
C:\Windows\SysWOW64\Gmgdddmq.exe
C:\Windows\system32\Gmgdddmq.exe
C:\Windows\SysWOW64\Geolea32.exe
C:\Windows\system32\Geolea32.exe
C:\Windows\SysWOW64\Ghmiam32.exe
C:\Windows\system32\Ghmiam32.exe
C:\Windows\SysWOW64\Gkkemh32.exe
C:\Windows\system32\Gkkemh32.exe
C:\Windows\SysWOW64\Gogangdc.exe
C:\Windows\system32\Gogangdc.exe
C:\Windows\SysWOW64\Gaemjbcg.exe
C:\Windows\system32\Gaemjbcg.exe
C:\Windows\SysWOW64\Gddifnbk.exe
C:\Windows\system32\Gddifnbk.exe
C:\Windows\SysWOW64\Ghoegl32.exe
C:\Windows\system32\Ghoegl32.exe
C:\Windows\SysWOW64\Hknach32.exe
C:\Windows\system32\Hknach32.exe
C:\Windows\SysWOW64\Hmlnoc32.exe
C:\Windows\system32\Hmlnoc32.exe
C:\Windows\SysWOW64\Hahjpbad.exe
C:\Windows\system32\Hahjpbad.exe
C:\Windows\SysWOW64\Hdfflm32.exe
C:\Windows\system32\Hdfflm32.exe
C:\Windows\SysWOW64\Hgdbhi32.exe
C:\Windows\system32\Hgdbhi32.exe
C:\Windows\SysWOW64\Hicodd32.exe
C:\Windows\system32\Hicodd32.exe
C:\Windows\SysWOW64\Hlakpp32.exe
C:\Windows\system32\Hlakpp32.exe
C:\Windows\SysWOW64\Hpmgqnfl.exe
C:\Windows\system32\Hpmgqnfl.exe
C:\Windows\SysWOW64\Hdhbam32.exe
C:\Windows\system32\Hdhbam32.exe
C:\Windows\SysWOW64\Hggomh32.exe
C:\Windows\system32\Hggomh32.exe
C:\Windows\SysWOW64\Hejoiedd.exe
C:\Windows\system32\Hejoiedd.exe
C:\Windows\SysWOW64\Hlcgeo32.exe
C:\Windows\system32\Hlcgeo32.exe
C:\Windows\SysWOW64\Hpocfncj.exe
C:\Windows\system32\Hpocfncj.exe
C:\Windows\SysWOW64\Hobcak32.exe
C:\Windows\system32\Hobcak32.exe
C:\Windows\SysWOW64\Hgilchkf.exe
C:\Windows\system32\Hgilchkf.exe
C:\Windows\SysWOW64\Hjhhocjj.exe
C:\Windows\system32\Hjhhocjj.exe
C:\Windows\SysWOW64\Hlfdkoin.exe
C:\Windows\system32\Hlfdkoin.exe
C:\Windows\SysWOW64\Hpapln32.exe
C:\Windows\system32\Hpapln32.exe
C:\Windows\SysWOW64\Hacmcfge.exe
C:\Windows\system32\Hacmcfge.exe
C:\Windows\SysWOW64\Hjjddchg.exe
C:\Windows\system32\Hjjddchg.exe
C:\Windows\SysWOW64\Hhmepp32.exe
C:\Windows\system32\Hhmepp32.exe
C:\Windows\SysWOW64\Hkkalk32.exe
C:\Windows\system32\Hkkalk32.exe
C:\Windows\SysWOW64\Icbimi32.exe
C:\Windows\system32\Icbimi32.exe
C:\Windows\SysWOW64\Iaeiieeb.exe
C:\Windows\system32\Iaeiieeb.exe
C:\Windows\SysWOW64\Idceea32.exe
C:\Windows\system32\Idceea32.exe
C:\Windows\SysWOW64\Ihoafpmp.exe
C:\Windows\system32\Ihoafpmp.exe
C:\Windows\SysWOW64\Ilknfn32.exe
C:\Windows\system32\Ilknfn32.exe
C:\Windows\SysWOW64\Ioijbj32.exe
C:\Windows\system32\Ioijbj32.exe
C:\Windows\SysWOW64\Iagfoe32.exe
C:\Windows\system32\Iagfoe32.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 140
Network
Files
C:\Windows\SysWOW64\Gldkfl32.exe
| MD5 | 7db22cf54d07a5a2c52e2fc9b29eac3b |
| SHA1 | 6ec10995b44f90a8500ba6f49d710399bf1b0e51 |
| SHA256 | f5623598baaca1c9a05d13a97a2133cab738aa8a7ad3a6e1bd8688cd0ca7cb1f |
| SHA512 | 83366c4c365f60e385b26f31154bb66abd35cc050fa4ab706f95c73174ae97042f1af0484d925f9954546f81d0ae2ce54c1c4929ba878d134c471f4cb68e8cd0 |
C:\Windows\SysWOW64\Gopkmhjk.exe
| MD5 | 16f6ab1ea1f06bbb19e31ca3a74dd85d |
| SHA1 | 0bccc8e329ed9488896c67f60d18116b946b80b3 |
| SHA256 | c69bcdac9ef63c540faf4bed31594c3cc321a1bee52feb2a5e13f8c547dff84f |
| SHA512 | e244ef134896e6f179bac0b93199223b3e0998423df0cbf695cf4479349901d20af9d57e9b651cce4b2db4d43ff29176af00f3a412e19ff56d4551ec8fa764d5 |
C:\Windows\SysWOW64\Gfefiemq.exe
| MD5 | c33f12ede210f79670122e663b66a34e |
| SHA1 | 092f200bacf284b22e42ed4dc8d34f5c28a91be9 |
| SHA256 | c9ce49a97dd0f66745ae3934e67d4a023be049a645ef16cb627aa6fae49c15c7 |
| SHA512 | a9ee1103eb9726e775cf72e8b4f4ead6d7d4761223c783473935ab8e3021535086eb0466c0bf6f56e326ca3dd80afde51d5634f2003c2fb6e73c4ce0b4019274 |
C:\Windows\SysWOW64\Gonnhhln.exe
| MD5 | 27d325af469abef7be2a4425d50ebec2 |
| SHA1 | 82eee32986e4403a0f09be237eab026df3167ad5 |
| SHA256 | 00a63e43509bd9e566807de159f09b5fe3acf750fd73982cbf976025ff4788b4 |
| SHA512 | d28cc5d1d92b1eb74cd94dfd208fee41353d2e75e1b840919bf7fdf51bf3e481230459405818793c8766b8f7fce415fdadec4977543c1af07500d23daeed89dd |
memory/688-478-0x0000000000320000-0x0000000000367000-memory.dmp
C:\Windows\SysWOW64\Fddmgjpo.exe
| MD5 | cf9cd5cde709cc2e0443132328eb61c4 |
| SHA1 | 5b8ee29f39b3ada82eaf98129c38caaf26cc4d0e |
| SHA256 | fa31095e1fd47a0e5f5570210d6b31dd221effefb0cb39225e362e1b166a09c2 |
| SHA512 | 5c77abb418b5c7288122cc80354adc96e007fa5b327585be6fbc2b2dd39ba776ff91fea889d50e111e9c0c907f53b554c977146d49552dbb7189c6b86ce0075c |
memory/688-473-0x0000000000400000-0x0000000000447000-memory.dmp
memory/380-467-0x0000000001FD0000-0x0000000002017000-memory.dmp
memory/380-466-0x0000000000400000-0x0000000000447000-memory.dmp
memory/860-465-0x0000000000250000-0x0000000000297000-memory.dmp
memory/860-464-0x0000000000250000-0x0000000000297000-memory.dmp
C:\Windows\SysWOW64\Flmefm32.exe
| MD5 | 78ffb2a69a38a6308608ab69981dd8a1 |
| SHA1 | 5ad07ece3a362ceb302bbdd7882a412a117df377 |
| SHA256 | 031ed7a08d43b160bb144ab0a3c1ae6b237ecff17b99c4ffb42aa37f820283f1 |
| SHA512 | 676d3ebf28b2bbab6c31928dc267529e3160ece5d33647de5f3391794c31c892782266d74855d1a9d0fb47c11864d48abc57b720ff7efb2247d487ecd02a48ea |
C:\Windows\SysWOW64\Fmjejphb.exe
| MD5 | ec827dfbeadffc31cf9997ede32facf9 |
| SHA1 | 25b45e9a38525a7589272064b523049902bebc4e |
| SHA256 | f39143c3580c14e8f168ece8473d5895ecf3b3ec2d215ac09de9353a3ccf482c |
| SHA512 | 9b2dc7e52104b2f26bafc910f88b6b3538b821451fb5987d2fb7a874a52bfec8e9f4b9a9cdff209c877dfd76fee0bd486dbf2601cc6aeb2014523a51593b4364 |
memory/860-447-0x0000000000400000-0x0000000000447000-memory.dmp
memory/1568-446-0x00000000002E0000-0x0000000000327000-memory.dmp
memory/1568-445-0x00000000002E0000-0x0000000000327000-memory.dmp
C:\Windows\SysWOW64\Ffpmnf32.exe
| MD5 | 838213b80c770c0be759861dca417f21 |
| SHA1 | d54f0b856096c627a44f841510efca664010318e |
| SHA256 | 29d3c43056d89ae40f6ba73fbf2f554a81bd27453b096db702405fc331c1c0d1 |
| SHA512 | 2309b431adeb83cdbd0471813af85349ed09abea37fa13a6c358f1b5d306782f4c7817e33d3a7da72ac4c1e4e51d0b666c2da816e78fcf75fd1c1b87c5cd8124 |
C:\Windows\SysWOW64\Fbdqmghm.exe
| MD5 | 0c79cbf8cac6f6c5ffda3e257e51479f |
| SHA1 | 26ba299831f663f7ea638da2bdd14299ac97196a |
| SHA256 | 411f8aa80072e465ddae0d6462488b3876cbb0c89e333637773fc3a20a3991f2 |
| SHA512 | 87ef4d97e0ca785852f195fe1fce86961000ad102a3c411e6bad60f1dec9592a4e492fb8ea5e538404ddac209ae31c7ffb75e01c51c9234259b6b53cb26978c2 |
memory/2668-425-0x0000000000400000-0x0000000000447000-memory.dmp
memory/2608-424-0x0000000000450000-0x0000000000497000-memory.dmp
memory/2608-423-0x0000000000450000-0x0000000000497000-memory.dmp
C:\Windows\SysWOW64\Fmhheqje.exe
| MD5 | bee50feffe3b7e40d0d3a09be307b850 |
| SHA1 | 8fb7745fc760d2d0771eb96e65bf014dc3b1c2fd |
| SHA256 | 21350f421e4e3a0d57bc7e503dd8dc7e550e7b8d58a6384793fe36b8ff61f0e2 |
| SHA512 | f5f92b599a565f9d4bb6522d7818357094f06903af3aff1c9ef06ba1f61c028ecb76ae8657f78f3d97fbce79b8c68fcdd7304eaf1d62959d71143e8547a31683 |
memory/2244-417-0x0000000000360000-0x00000000003A7000-memory.dmp
memory/2244-416-0x0000000000360000-0x00000000003A7000-memory.dmp
C:\Windows\SysWOW64\Filldb32.exe
| MD5 | 0778e8ccb8bd1b08735032dbc5d570e5 |
| SHA1 | 3ae68a53b501fa9185b1ddf53fbe6397c9b30b8f |
| SHA256 | 4e719b38700b444b6a93f4816dfba3c631c0e996b9639ec4c649d71fd54ea5cd |
| SHA512 | 0bdd1a62c13425168dfcd2f03d3e7b702c5090686f8c090808f664a479bb4d39a294bf4e5ba5f5a94e4f0036295d74765eaeab182a7ec1928945cfaeb1a8f412 |
memory/2244-407-0x0000000000400000-0x0000000000447000-memory.dmp
memory/2432-406-0x00000000002A0000-0x00000000002E7000-memory.dmp
C:\Windows\SysWOW64\Fhkpmjln.exe
| MD5 | ae74bf519d340bfe409954952ea5f569 |
| SHA1 | a0edbb97f7be920c196d1a0fad3c8bbf5c9d66f8 |
| SHA256 | ed44ebe69cd7fc040752838269e4089ccd628bd14925e1f99c978ff30eb3ee9a |
| SHA512 | 365bcb05847f173f25240ac588683b64dd32c1a3640ef5b528ebc4341113cd5688acfca95dbd9e85273e211a8608c0cb527a856a65c22e3c90c1ec703c5bd50e |
memory/2432-392-0x0000000000400000-0x0000000000447000-memory.dmp
memory/2356-390-0x0000000000280000-0x00000000002C7000-memory.dmp
memory/2852-383-0x0000000000250000-0x0000000000297000-memory.dmp
memory/2852-379-0x0000000000250000-0x0000000000297000-memory.dmp
C:\Windows\SysWOW64\Fnbkddem.exe
| MD5 | 5f4cf96e558198f00a80d2309fd7c7f4 |
| SHA1 | d9d1afa1d7819c6333bb91e6726e0d151524b149 |
| SHA256 | 501906aa70cd7726eb4e4f021ef4af3fafeb1dc6c09583cf9f9e43c5d1c81c41 |
| SHA512 | 96b904fbdc42bfc537c930d21db8ff54ebf6a63a64644e374666b87cdd2c8e055f9f979b205b9c1cf9cd3a3a11bbe4c8bbfa0915645782d86c34fd89d7f13e3b |
memory/2852-374-0x0000000000400000-0x0000000000447000-memory.dmp
memory/2724-373-0x0000000000350000-0x0000000000397000-memory.dmp
memory/2724-372-0x0000000000350000-0x0000000000397000-memory.dmp
C:\Windows\SysWOW64\Fhhcgj32.exe
| MD5 | 8046b9e096660ab67d7c58a2ebc67777 |
| SHA1 | 935f8d96d2e7fddfc08d419900bfee24f3cf7a78 |
| SHA256 | 2a8b3cf78b70c9b0353cf2a502bf1eb0d37cfcd366038b6d511380f1a85296d1 |
| SHA512 | 6ca19305645cd59cf6b78ee9d7306dcb6c4fc912767c561faadb41f0c711c06f8bb020ac04875ed63cb13478cf3e9e5d424ec1ea835842d22f8d1cbb0b23883d |
memory/2384-358-0x00000000002D0000-0x0000000000317000-memory.dmp
memory/2384-357-0x00000000002D0000-0x0000000000317000-memory.dmp
C:\Windows\SysWOW64\Fejgko32.exe
| MD5 | 4989c2522ac5b4c3f149c99ba2fed53a |
| SHA1 | 412152a08dac96b660b484a57d6dc3a8c1e0cf89 |
| SHA256 | 057cb9e26b1c28ee82c015b74fff477d69b57d5b647de63e213aae5afc41b729 |
| SHA512 | 6a808f645360a253e947e7066d12058a36e5bdd6236aa05a6e7e87ad805aacccb3f029c6b63894f5a6f032521a14db058e0d27be44f246a0650bda5cc4965f60 |
memory/2384-352-0x0000000000400000-0x0000000000447000-memory.dmp
memory/2728-346-0x00000000002E0000-0x0000000000327000-memory.dmp
C:\Windows\SysWOW64\Fmcoja32.exe
| MD5 | 96cf0d12f848a702f6742c8a293a6e39 |
| SHA1 | 0dbb3aca94070355c9027f832acdfd1da100fb57 |
| SHA256 | 4448e7675110c10e0e9e096700e4e221a90a8155e37512be86e01b18a23bf57b |
| SHA512 | 2149c6e45436c36ccbd52374c7a5571b990ae4129e2bc1c4f583596ab597083af5e7160988e79781e1f28f6ce2b6f3a0ab3223a67dac4c1f3015a1ba9b06f562 |
memory/2728-341-0x0000000000400000-0x0000000000447000-memory.dmp
memory/1984-340-0x0000000000350000-0x0000000000397000-memory.dmp
memory/1984-331-0x0000000000400000-0x0000000000447000-memory.dmp
memory/2708-330-0x0000000000250000-0x0000000000297000-memory.dmp
C:\Windows\SysWOW64\Fhffaj32.exe
| MD5 | 4da6b3ed45c0083eb858c9cfd57e1766 |
| SHA1 | cabd6ac1b32b261f573867726c713e047d58de81 |
| SHA256 | 40667fdf045cac074e0e93b93cac58aba5bfccead878d8a30b9c77cc17fe2a41 |
| SHA512 | 61dbafa546e972c9321608457c7893bc9a5057bcc563f553be8300b9601700ec9344c9bf1e59a2ec35df8d2659a0d0229b96912af3163ef9f70e8c03add2b90e |
memory/2708-318-0x0000000000400000-0x0000000000447000-memory.dmp
memory/2288-316-0x0000000000350000-0x0000000000397000-memory.dmp
memory/2980-308-0x0000000000250000-0x0000000000297000-memory.dmp
C:\Windows\SysWOW64\Eloemi32.exe
| MD5 | a1736d39ac513d38fcf7575c4515f3b0 |
| SHA1 | 2d66cf3344234db7b7835ab3e8348b9ef44a3aab |
| SHA256 | 5094d0a94881db9b270d08369b1c62df8cd54fcf2cd25672471f7ae7c0fd7788 |
| SHA512 | 9219cac39e66d6b0b937174247c87b7e25198f9acba75484e6ffb2aaa0d79ae9857900d130b03d93428ec116fab3ab56f970220ca6a634b5140da2950153cf05 |
memory/1464-291-0x00000000003B0000-0x00000000003F7000-memory.dmp
memory/1464-289-0x0000000000400000-0x0000000000447000-memory.dmp
memory/1260-288-0x0000000000450000-0x0000000000497000-memory.dmp
memory/1260-287-0x0000000000450000-0x0000000000497000-memory.dmp
memory/1260-278-0x0000000000400000-0x0000000000447000-memory.dmp
memory/620-277-0x0000000000300000-0x0000000000347000-memory.dmp
memory/620-276-0x0000000000300000-0x0000000000347000-memory.dmp
memory/620-263-0x0000000000400000-0x0000000000447000-memory.dmp
memory/936-262-0x0000000000290000-0x00000000002D7000-memory.dmp
memory/936-261-0x0000000000290000-0x00000000002D7000-memory.dmp
C:\Windows\SysWOW64\Elmigj32.exe
| MD5 | e191d5d0bfaef33eff32d1d28239b05d |
| SHA1 | 39725f5190b43e5198a2ab9324b2fcd56a22688b |
| SHA256 | 5326b0c6661417b566685ee5343e7715765e0e3e25ca84d3ca1c23ec6ded1a64 |
| SHA512 | a4536f7f4d76d9102fba996cb0262030b78d8ec347544733816a055d27b2929a29382c0fd68edc4a0bc86337f1c0092f0109f7f86998ff45be64607142f99529 |
memory/1604-251-0x00000000002F0000-0x0000000000337000-memory.dmp
memory/1604-250-0x00000000002F0000-0x0000000000337000-memory.dmp
C:\Windows\SysWOW64\Eecqjpee.exe
| MD5 | 55ed28caab4cbb2fd9024a2ad9e90689 |
| SHA1 | 8c909cd14b6b169ff7a84966d9ee41471430191e |
| SHA256 | 79c76b161dcf0d7554971050509bca477f522e7c3f6b02e096da8cf879eff664 |
| SHA512 | 1af955fb58988e53b7ec34b279fd874be6bd780bacdd701e97ecb90fd16cadcfbc5289fc5afc640c38aa894a1dda5c00511121e685e87b70c786d205db60db44 |
memory/2680-240-0x00000000003B0000-0x00000000003F7000-memory.dmp
memory/2680-239-0x00000000003B0000-0x00000000003F7000-memory.dmp
C:\Windows\SysWOW64\Epfhbign.exe
| MD5 | d70dc7af395035904e17811f661acd6d |
| SHA1 | d3a34c40251ac5a54f687806d60ab6b7bafb09c9 |
| SHA256 | c619b25cadfb89f168cc5339558736d511eb407041fa9dfc1dcd0068b1475be9 |
| SHA512 | 2562f2247fdecbde6bdd65348e969f270b56c5ca671e013091d17db44ae9c7e88c53971490cf2a253fe640717094152c605351f9236eb72cb8c0be9ae3cc56f4 |
memory/1420-229-0x0000000000250000-0x0000000000297000-memory.dmp
memory/2204-218-0x0000000000260000-0x00000000002A7000-memory.dmp
memory/2204-217-0x0000000000260000-0x00000000002A7000-memory.dmp
memory/3028-203-0x0000000000450000-0x0000000000497000-memory.dmp
memory/2204-202-0x0000000000400000-0x0000000000447000-memory.dmp
memory/3028-201-0x0000000000400000-0x0000000000447000-memory.dmp
memory/2688-193-0x0000000000250000-0x0000000000297000-memory.dmp
memory/2688-175-0x0000000000400000-0x0000000000447000-memory.dmp
C:\Windows\SysWOW64\Emcbkn32.exe
| MD5 | 17daa121036cf57888c76c800a5ce6ef |
| SHA1 | 647dc47111bbfd5f6e61a619fc7c7cd4c8213ea9 |
| SHA256 | 27fb35ef4248998df3a45fa0bfcf9238803654c9e2f8753f295e6fbe87ac7a9d |
| SHA512 | 13eb838b407eb74da1b0c3e85e0e552714b5f4fc3edcd85b4f65d0b4e543767f52a2bb4c92c33fa5536e6ebdf85fe26fdfd0ce2e4d0a0c4f620f373a510ee661 |
memory/544-162-0x0000000000400000-0x0000000000447000-memory.dmp
memory/1596-154-0x0000000000400000-0x0000000000447000-memory.dmp
memory/2136-141-0x0000000000400000-0x0000000000447000-memory.dmp
memory/2424-109-0x0000000000400000-0x0000000000447000-memory.dmp
memory/472-108-0x00000000002E0000-0x0000000000327000-memory.dmp
memory/1692-89-0x00000000003A0000-0x00000000003E7000-memory.dmp
memory/1692-85-0x0000000000400000-0x0000000000447000-memory.dmp
memory/2640-75-0x00000000003B0000-0x00000000003F7000-memory.dmp
memory/2568-47-0x0000000000310000-0x0000000000357000-memory.dmp
memory/2568-39-0x0000000000400000-0x0000000000447000-memory.dmp
memory/2516-31-0x0000000000400000-0x0000000000447000-memory.dmp
memory/2924-30-0x00000000003B0000-0x00000000003F7000-memory.dmp
C:\Windows\SysWOW64\Dgmglh32.exe
| MD5 | 3194a04449cfb3faf44e0a1b87297b9f |
| SHA1 | 4aa03cf8083f67af7066a9abeff10be65904f59e |
| SHA256 | 719deb06684a83ebe46699102ac401a33ac4c66fcd5f2d2330386c8604f99357 |
| SHA512 | 1a8fafb7c0252e3dce1dc15bd30cdeab6f88ca92e5e881c618483564b6c0b3e551118608d5d05d64735f66fbe6d1fad2ae4c8dee59c64aabe8a405f87e06ea66 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-02 00:25
Reported
2024-06-02 00:27
Platform
win10v2004-20240226-en
Max time kernel
140s
Max time network
152s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Opqofe32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Bahdob32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Dhbebj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Afcmfe32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Iogopi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ncqlkemc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Phonha32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ihkjno32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pmmlla32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ncchae32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dhphmj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ghojbq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Qmdblp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hbknebqi.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jnnnfalp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Mogcihaj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Adfgdpmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ebdlangb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Hnnljj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jpbjfjci.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Omalpc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hcedmkmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Hjaioe32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ncnofeof.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ebfign32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ilkoim32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Iefphb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Bmbnnn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Fnalmh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Fgqgfl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Gclafmej.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Oakbehfe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ebfign32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jpegkj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ockdmmoj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Pcgdhkem.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Fcbnpnme.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Lkqgno32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jpnakk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pjjfdfbb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cgfbbb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Epffbd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Users\Admin\AppData\Local\Temp\13319956a82d518d8c2816d9f3c39bb0_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jhplpl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Jnnnfalp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jjgkab32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Enopghee.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kdkoef32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Heegad32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mqhfoebo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Nqaiecjd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ojnfihmo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Piocecgj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qmdblp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Klddlckd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ekajec32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ppdbgncl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ampaho32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ggepalof.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Jaemilci.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Klddlckd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Adfgdpmi.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ebdlangb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nhhdnf32.exe | N/A |
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Iholohii.exe | C:\Windows\SysWOW64\Infhebbh.exe | N/A |
| File created | C:\Windows\SysWOW64\Mpolbbim.dll | C:\Windows\SysWOW64\Mjcngpjh.exe | N/A |
| File created | C:\Windows\SysWOW64\Daeifj32.exe | C:\Windows\SysWOW64\Dgpeha32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gmkock32.dll | C:\Windows\SysWOW64\Gdknpp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pmmlla32.exe | C:\Windows\SysWOW64\Piocecgj.exe | N/A |
| File created | C:\Windows\SysWOW64\Lhaiafem.dll | C:\Windows\SysWOW64\Ecbeip32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fjohgj32.dll | C:\Windows\SysWOW64\Keifdpif.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cgfbbb32.exe | C:\Windows\SysWOW64\Bfaigclq.exe | N/A |
| File created | C:\Windows\SysWOW64\Epffbd32.exe | C:\Windows\SysWOW64\Ecbeip32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Galoohke.exe | C:\Windows\SysWOW64\Fbgbnkfm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hjfbjdnd.exe | C:\Windows\SysWOW64\Hbknebqi.exe | N/A |
| File created | C:\Windows\SysWOW64\Celipg32.dll | C:\Windows\SysWOW64\Hjfbjdnd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qmeigg32.exe | C:\Windows\SysWOW64\Pnkbkk32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fqeioiam.exe | C:\Windows\SysWOW64\Figgdg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lpcgahca.dll | C:\Windows\SysWOW64\Ccblbb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pakdbp32.exe | C:\Windows\SysWOW64\Pcgdhkem.exe | N/A |
| File created | C:\Windows\SysWOW64\Mjbaohka.dll | C:\Windows\SysWOW64\Daeifj32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Loemnnhe.exe | C:\Windows\SysWOW64\Klddlckd.exe | N/A |
| File created | C:\Windows\SysWOW64\Ampillfk.dll | C:\Windows\SysWOW64\Apodoq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cggimh32.exe | C:\Windows\SysWOW64\Bahdob32.exe | N/A |
| File created | C:\Windows\SysWOW64\Modpib32.exe | C:\Windows\SysWOW64\Lpochfji.exe | N/A |
| File created | C:\Windows\SysWOW64\Figgdg32.exe | C:\Windows\SysWOW64\Ekajec32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Afcmfe32.exe | C:\Windows\SysWOW64\Ajmladbl.exe | N/A |
| File created | C:\Windows\SysWOW64\Dfaadk32.dll | C:\Windows\SysWOW64\Ihaidhgf.exe | N/A |
| File created | C:\Windows\SysWOW64\Mogcihaj.exe | C:\Users\Admin\AppData\Local\Temp\13319956a82d518d8c2816d9f3c39bb0_NeikiAnalytics.exe | N/A |
| File created | C:\Windows\SysWOW64\Obqhpfck.dll | C:\Windows\SysWOW64\Mjaabq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Aepjgm32.dll | C:\Windows\SysWOW64\Ncchae32.exe | N/A |
| File created | C:\Windows\SysWOW64\Leoejh32.exe | C:\Windows\SysWOW64\Loemnnhe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ncchae32.exe | C:\Windows\SysWOW64\Ncqlkemc.exe | N/A |
| File created | C:\Windows\SysWOW64\Bpcgpihi.exe | C:\Windows\SysWOW64\Bmbnnn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ddklbd32.exe | C:\Windows\SysWOW64\Dckoia32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ocgjojai.dll | C:\Windows\SysWOW64\Nmhijd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ojgljk32.dll | C:\Windows\SysWOW64\Pjjfdfbb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ajmladbl.exe | C:\Windows\SysWOW64\Ajjokd32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kkbkmqed.exe | C:\Windows\SysWOW64\Kbgfhnhi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Phonha32.exe | C:\Windows\SysWOW64\Ocohmc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Adfgdpmi.exe | C:\Windows\SysWOW64\Aogbfi32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jaajhb32.exe | C:\Windows\SysWOW64\Jpnakk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bfolacnc.exe | C:\Windows\SysWOW64\Babcil32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hcedmkmp.exe | C:\Windows\SysWOW64\Hkjohi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qfmjjmdm.dll | C:\Windows\SysWOW64\Hcedmkmp.exe | N/A |
| File created | C:\Windows\SysWOW64\Apodoq32.exe | C:\Windows\SysWOW64\Adfgdpmi.exe | N/A |
| File created | C:\Windows\SysWOW64\Klndfj32.exe | C:\Windows\SysWOW64\Jhplpl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gpdbcaok.dll | C:\Windows\SysWOW64\Klndfj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Obqanjdb.exe | C:\Windows\SysWOW64\Oihmedma.exe | N/A |
| File created | C:\Windows\SysWOW64\Kqkplq32.dll | C:\Windows\SysWOW64\Ppdbgncl.exe | N/A |
| File created | C:\Windows\SysWOW64\Hjaioe32.exe | C:\Windows\SysWOW64\Hcedmkmp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jjgkab32.exe | C:\Windows\SysWOW64\Jnpjlajn.exe | N/A |
| File created | C:\Windows\SysWOW64\Gkaclqkk.exe | C:\Windows\SysWOW64\Galoohke.exe | N/A |
| File created | C:\Windows\SysWOW64\Fbbnpn32.dll | C:\Windows\SysWOW64\Modpib32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cnaqob32.dll | C:\Windows\SysWOW64\Nhegig32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ejahec32.dll | C:\Windows\SysWOW64\Hbknebqi.exe | N/A |
| File created | C:\Windows\SysWOW64\Dnajppda.exe | C:\Windows\SysWOW64\Dhbebj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pfgbakef.dll | C:\Windows\SysWOW64\Piocecgj.exe | N/A |
| File created | C:\Windows\SysWOW64\Eahobg32.exe | C:\Windows\SysWOW64\Egbken32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Eahobg32.exe | C:\Windows\SysWOW64\Egbken32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ekheml32.dll | C:\Windows\SysWOW64\Klmnkdal.exe | N/A |
| File created | C:\Windows\SysWOW64\Mjcngpjh.exe | C:\Windows\SysWOW64\Mjaabq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bpfkpp32.exe | C:\Windows\SysWOW64\Apodoq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kofdhd32.exe | C:\Windows\SysWOW64\Kifojnol.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pjjfdfbb.exe | C:\Windows\SysWOW64\Ppdbgncl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jnpjlajn.exe | C:\Windows\SysWOW64\Jnnnfalp.exe | N/A |
| File created | C:\Windows\SysWOW64\Nnahhegq.dll | C:\Windows\SysWOW64\Opqofe32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fbgdmb32.dll | C:\Windows\SysWOW64\Doagjc32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Ldikgdpe.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipaooi32.dll" | C:\Windows\SysWOW64\Dnajppda.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Enopghee.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Edihdb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gdknpp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cobnge32.dll" | C:\Windows\SysWOW64\Hgeihiac.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Celipg32.dll" | C:\Windows\SysWOW64\Hjfbjdnd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Ncqlkemc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Obqanjdb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Figgdg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mcdeeq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Jpegkj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Gnmlhf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Oakbehfe.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Modpib32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njonjm32.dll" | C:\Windows\SysWOW64\Afcmfe32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jnpjlajn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Dhphmj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Hjfbjdnd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Ilkoim32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pmmlla32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofjljj32.dll" | C:\Windows\SysWOW64\Enopghee.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Ieeimlep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcmnee32.dll" | C:\Windows\SysWOW64\Jaemilci.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnihkq32.dll" | C:\Windows\SysWOW64\Mogcihaj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cggimh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klhacomg.dll" | C:\Windows\SysWOW64\Ajjokd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ajmladbl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ecbeip32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Gglfbkin.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejahec32.dll" | C:\Windows\SysWOW64\Hbknebqi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpfljc32.dll" | C:\Windows\SysWOW64\Fqeioiam.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgjjlakk.dll" | C:\Windows\SysWOW64\Eahobg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Ihaidhgf.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Mjaabq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Ajmladbl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Ecbeip32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Ojomcopk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Enopghee.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhbch32.dll" | C:\Windows\SysWOW64\Jnpjlajn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Klmnkdal.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aogbfi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgihjf32.dll" | C:\Windows\SysWOW64\Dhphmj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Cpogkhnl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfaadk32.dll" | C:\Windows\SysWOW64\Ihaidhgf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dnajppda.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ebdlangb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Gkaclqkk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Qmdblp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nodeaima.dll" | C:\Windows\SysWOW64\Bmidnm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Ncnofeof.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikjllm32.dll" | C:\Windows\SysWOW64\Ojomcopk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Opqofe32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ihaidhgf.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Iefphb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lkqgno32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Ebdlangb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Klddlckd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Ncchae32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Adfgdpmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnaqob32.dll" | C:\Windows\SysWOW64\Nhegig32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Padnaq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hopaik32.dll" | C:\Windows\SysWOW64\Leabphmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Bahdob32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iheocj32.dll" | C:\Windows\SysWOW64\Padnaq32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\13319956a82d518d8c2816d9f3c39bb0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\13319956a82d518d8c2816d9f3c39bb0_NeikiAnalytics.exe"
C:\Windows\SysWOW64\Mogcihaj.exe
C:\Windows\system32\Mogcihaj.exe
C:\Windows\SysWOW64\Mjaabq32.exe
C:\Windows\system32\Mjaabq32.exe
C:\Windows\SysWOW64\Mjcngpjh.exe
C:\Windows\system32\Mjcngpjh.exe
C:\Windows\SysWOW64\Ncnofeof.exe
C:\Windows\system32\Ncnofeof.exe
C:\Windows\SysWOW64\Ncqlkemc.exe
C:\Windows\system32\Ncqlkemc.exe
C:\Windows\SysWOW64\Ncchae32.exe
C:\Windows\system32\Ncchae32.exe
C:\Windows\SysWOW64\Ojomcopk.exe
C:\Windows\system32\Ojomcopk.exe
C:\Windows\SysWOW64\Oakbehfe.exe
C:\Windows\system32\Oakbehfe.exe
C:\Windows\SysWOW64\Opqofe32.exe
C:\Windows\system32\Opqofe32.exe
C:\Windows\SysWOW64\Ocohmc32.exe
C:\Windows\system32\Ocohmc32.exe
C:\Windows\SysWOW64\Phonha32.exe
C:\Windows\system32\Phonha32.exe
C:\Windows\SysWOW64\Pnkbkk32.exe
C:\Windows\system32\Pnkbkk32.exe
C:\Windows\SysWOW64\Qmeigg32.exe
C:\Windows\system32\Qmeigg32.exe
C:\Windows\SysWOW64\Aogbfi32.exe
C:\Windows\system32\Aogbfi32.exe
C:\Windows\SysWOW64\Adfgdpmi.exe
C:\Windows\system32\Adfgdpmi.exe
C:\Windows\SysWOW64\Apodoq32.exe
C:\Windows\system32\Apodoq32.exe
C:\Windows\SysWOW64\Bpfkpp32.exe
C:\Windows\system32\Bpfkpp32.exe
C:\Windows\SysWOW64\Bahdob32.exe
C:\Windows\system32\Bahdob32.exe
C:\Windows\SysWOW64\Cggimh32.exe
C:\Windows\system32\Cggimh32.exe
C:\Windows\SysWOW64\Caojpaij.exe
C:\Windows\system32\Caojpaij.exe
C:\Windows\SysWOW64\Caageq32.exe
C:\Windows\system32\Caageq32.exe
C:\Windows\SysWOW64\Cgqlcg32.exe
C:\Windows\system32\Cgqlcg32.exe
C:\Windows\SysWOW64\Dhphmj32.exe
C:\Windows\system32\Dhphmj32.exe
C:\Windows\SysWOW64\Dhbebj32.exe
C:\Windows\system32\Dhbebj32.exe
C:\Windows\SysWOW64\Dnajppda.exe
C:\Windows\system32\Dnajppda.exe
C:\Windows\SysWOW64\Doagjc32.exe
C:\Windows\system32\Doagjc32.exe
C:\Windows\SysWOW64\Dkhgod32.exe
C:\Windows\system32\Dkhgod32.exe
C:\Windows\SysWOW64\Ebdlangb.exe
C:\Windows\system32\Ebdlangb.exe
C:\Windows\SysWOW64\Ebfign32.exe
C:\Windows\system32\Ebfign32.exe
C:\Windows\SysWOW64\Ekajec32.exe
C:\Windows\system32\Ekajec32.exe
C:\Windows\SysWOW64\Figgdg32.exe
C:\Windows\system32\Figgdg32.exe
C:\Windows\SysWOW64\Fqeioiam.exe
C:\Windows\system32\Fqeioiam.exe
C:\Windows\SysWOW64\Fbgbnkfm.exe
C:\Windows\system32\Fbgbnkfm.exe
C:\Windows\SysWOW64\Galoohke.exe
C:\Windows\system32\Galoohke.exe
C:\Windows\SysWOW64\Gkaclqkk.exe
C:\Windows\system32\Gkaclqkk.exe
C:\Windows\SysWOW64\Gnblnlhl.exe
C:\Windows\system32\Gnblnlhl.exe
C:\Windows\SysWOW64\Gijmad32.exe
C:\Windows\system32\Gijmad32.exe
C:\Windows\SysWOW64\Ghojbq32.exe
C:\Windows\system32\Ghojbq32.exe
C:\Windows\SysWOW64\Hahokfag.exe
C:\Windows\system32\Hahokfag.exe
C:\Windows\SysWOW64\Heegad32.exe
C:\Windows\system32\Heegad32.exe
C:\Windows\SysWOW64\Hnnljj32.exe
C:\Windows\system32\Hnnljj32.exe
C:\Windows\SysWOW64\Hhimhobl.exe
C:\Windows\system32\Hhimhobl.exe
C:\Windows\SysWOW64\Ihkjno32.exe
C:\Windows\system32\Ihkjno32.exe
C:\Windows\SysWOW64\Iogopi32.exe
C:\Windows\system32\Iogopi32.exe
C:\Windows\SysWOW64\Ilkoim32.exe
C:\Windows\system32\Ilkoim32.exe
C:\Windows\SysWOW64\Iefphb32.exe
C:\Windows\system32\Iefphb32.exe
C:\Windows\SysWOW64\Jpnakk32.exe
C:\Windows\system32\Jpnakk32.exe
C:\Windows\SysWOW64\Jaajhb32.exe
C:\Windows\system32\Jaajhb32.exe
C:\Windows\SysWOW64\Jpbjfjci.exe
C:\Windows\system32\Jpbjfjci.exe
C:\Windows\SysWOW64\Jpegkj32.exe
C:\Windows\system32\Jpegkj32.exe
C:\Windows\SysWOW64\Jhplpl32.exe
C:\Windows\system32\Jhplpl32.exe
C:\Windows\SysWOW64\Klndfj32.exe
C:\Windows\system32\Klndfj32.exe
C:\Windows\SysWOW64\Kheekkjl.exe
C:\Windows\system32\Kheekkjl.exe
C:\Windows\SysWOW64\Keifdpif.exe
C:\Windows\system32\Keifdpif.exe
C:\Windows\SysWOW64\Kifojnol.exe
C:\Windows\system32\Kifojnol.exe
C:\Windows\SysWOW64\Kofdhd32.exe
C:\Windows\system32\Kofdhd32.exe
C:\Windows\SysWOW64\Lhqefjpo.exe
C:\Windows\system32\Lhqefjpo.exe
C:\Windows\SysWOW64\Lchfib32.exe
C:\Windows\system32\Lchfib32.exe
C:\Windows\SysWOW64\Ljbnfleo.exe
C:\Windows\system32\Ljbnfleo.exe
C:\Windows\SysWOW64\Lpochfji.exe
C:\Windows\system32\Lpochfji.exe
C:\Windows\SysWOW64\Modpib32.exe
C:\Windows\system32\Modpib32.exe
C:\Windows\SysWOW64\Mcdeeq32.exe
C:\Windows\system32\Mcdeeq32.exe
C:\Windows\SysWOW64\Mqhfoebo.exe
C:\Windows\system32\Mqhfoebo.exe
C:\Windows\SysWOW64\Momcpa32.exe
C:\Windows\system32\Momcpa32.exe
C:\Windows\SysWOW64\Nhegig32.exe
C:\Windows\system32\Nhegig32.exe
C:\Windows\SysWOW64\Nhhdnf32.exe
C:\Windows\system32\Nhhdnf32.exe
C:\Windows\SysWOW64\Nbphglbe.exe
C:\Windows\system32\Nbphglbe.exe
C:\Windows\SysWOW64\Nqaiecjd.exe
C:\Windows\system32\Nqaiecjd.exe
C:\Windows\SysWOW64\Nmhijd32.exe
C:\Windows\system32\Nmhijd32.exe
C:\Windows\SysWOW64\Nmjfodne.exe
C:\Windows\system32\Nmjfodne.exe
C:\Windows\SysWOW64\Ojnfihmo.exe
C:\Windows\system32\Ojnfihmo.exe
C:\Windows\SysWOW64\Ojqcnhkl.exe
C:\Windows\system32\Ojqcnhkl.exe
C:\Windows\SysWOW64\Omalpc32.exe
C:\Windows\system32\Omalpc32.exe
C:\Windows\SysWOW64\Ockdmmoj.exe
C:\Windows\system32\Ockdmmoj.exe
C:\Windows\SysWOW64\Oihmedma.exe
C:\Windows\system32\Oihmedma.exe
C:\Windows\SysWOW64\Obqanjdb.exe
C:\Windows\system32\Obqanjdb.exe
C:\Windows\SysWOW64\Ppdbgncl.exe
C:\Windows\system32\Ppdbgncl.exe
C:\Windows\SysWOW64\Pjjfdfbb.exe
C:\Windows\system32\Pjjfdfbb.exe
C:\Windows\SysWOW64\Padnaq32.exe
C:\Windows\system32\Padnaq32.exe
C:\Windows\SysWOW64\Piocecgj.exe
C:\Windows\system32\Piocecgj.exe
C:\Windows\SysWOW64\Pmmlla32.exe
C:\Windows\system32\Pmmlla32.exe
C:\Windows\SysWOW64\Pcgdhkem.exe
C:\Windows\system32\Pcgdhkem.exe
C:\Windows\SysWOW64\Pakdbp32.exe
C:\Windows\system32\Pakdbp32.exe
C:\Windows\SysWOW64\Qmdblp32.exe
C:\Windows\system32\Qmdblp32.exe
C:\Windows\SysWOW64\Qbajeg32.exe
C:\Windows\system32\Qbajeg32.exe
C:\Windows\SysWOW64\Ajjokd32.exe
C:\Windows\system32\Ajjokd32.exe
C:\Windows\SysWOW64\Ajmladbl.exe
C:\Windows\system32\Ajmladbl.exe
C:\Windows\SysWOW64\Afcmfe32.exe
C:\Windows\system32\Afcmfe32.exe
C:\Windows\SysWOW64\Ampaho32.exe
C:\Windows\system32\Ampaho32.exe
C:\Windows\SysWOW64\Afhfaddk.exe
C:\Windows\system32\Afhfaddk.exe
C:\Windows\SysWOW64\Bmbnnn32.exe
C:\Windows\system32\Bmbnnn32.exe
C:\Windows\SysWOW64\Bpcgpihi.exe
C:\Windows\system32\Bpcgpihi.exe
C:\Windows\SysWOW64\Babcil32.exe
C:\Windows\system32\Babcil32.exe
C:\Windows\SysWOW64\Bfolacnc.exe
C:\Windows\system32\Bfolacnc.exe
C:\Windows\SysWOW64\Bmidnm32.exe
C:\Windows\system32\Bmidnm32.exe
C:\Windows\SysWOW64\Bfaigclq.exe
C:\Windows\system32\Bfaigclq.exe
C:\Windows\SysWOW64\Cgfbbb32.exe
C:\Windows\system32\Cgfbbb32.exe
C:\Windows\SysWOW64\Cpogkhnl.exe
C:\Windows\system32\Cpogkhnl.exe
C:\Windows\SysWOW64\Caqpkjcl.exe
C:\Windows\system32\Caqpkjcl.exe
C:\Windows\SysWOW64\Ccblbb32.exe
C:\Windows\system32\Ccblbb32.exe
C:\Windows\SysWOW64\Dgpeha32.exe
C:\Windows\system32\Dgpeha32.exe
C:\Windows\SysWOW64\Daeifj32.exe
C:\Windows\system32\Daeifj32.exe
C:\Windows\SysWOW64\Dnljkk32.exe
C:\Windows\system32\Dnljkk32.exe
C:\Windows\SysWOW64\Dckoia32.exe
C:\Windows\system32\Dckoia32.exe
C:\Windows\SysWOW64\Ddklbd32.exe
C:\Windows\system32\Ddklbd32.exe
C:\Windows\SysWOW64\Ecbeip32.exe
C:\Windows\system32\Ecbeip32.exe
C:\Windows\SysWOW64\Epffbd32.exe
C:\Windows\system32\Epffbd32.exe
C:\Windows\SysWOW64\Ejojljqa.exe
C:\Windows\system32\Ejojljqa.exe
C:\Windows\SysWOW64\Ephbhd32.exe
C:\Windows\system32\Ephbhd32.exe
C:\Windows\SysWOW64\Egbken32.exe
C:\Windows\system32\Egbken32.exe
C:\Windows\SysWOW64\Eahobg32.exe
C:\Windows\system32\Eahobg32.exe
C:\Windows\SysWOW64\Enopghee.exe
C:\Windows\system32\Enopghee.exe
C:\Windows\SysWOW64\Edihdb32.exe
C:\Windows\system32\Edihdb32.exe
C:\Windows\SysWOW64\Fnalmh32.exe
C:\Windows\system32\Fnalmh32.exe
C:\Windows\SysWOW64\Fkemfl32.exe
C:\Windows\system32\Fkemfl32.exe
C:\Windows\SysWOW64\Fdmaoahm.exe
C:\Windows\system32\Fdmaoahm.exe
C:\Windows\SysWOW64\Fcbnpnme.exe
C:\Windows\system32\Fcbnpnme.exe
C:\Windows\SysWOW64\Fgqgfl32.exe
C:\Windows\system32\Fgqgfl32.exe
C:\Windows\SysWOW64\Gnmlhf32.exe
C:\Windows\system32\Gnmlhf32.exe
C:\Windows\SysWOW64\Ggepalof.exe
C:\Windows\system32\Ggepalof.exe
C:\Windows\SysWOW64\Gclafmej.exe
C:\Windows\system32\Gclafmej.exe
C:\Windows\SysWOW64\Gdknpp32.exe
C:\Windows\system32\Gdknpp32.exe
C:\Windows\SysWOW64\Gqbneq32.exe
C:\Windows\system32\Gqbneq32.exe
C:\Windows\SysWOW64\Gglfbkin.exe
C:\Windows\system32\Gglfbkin.exe
C:\Windows\SysWOW64\Hkjohi32.exe
C:\Windows\system32\Hkjohi32.exe
C:\Windows\SysWOW64\Hcedmkmp.exe
C:\Windows\system32\Hcedmkmp.exe
C:\Windows\SysWOW64\Hjaioe32.exe
C:\Windows\system32\Hjaioe32.exe
C:\Windows\SysWOW64\Hgeihiac.exe
C:\Windows\system32\Hgeihiac.exe
C:\Windows\SysWOW64\Hbknebqi.exe
C:\Windows\system32\Hbknebqi.exe
C:\Windows\SysWOW64\Hjfbjdnd.exe
C:\Windows\system32\Hjfbjdnd.exe
C:\Windows\SysWOW64\Icogcjde.exe
C:\Windows\system32\Icogcjde.exe
C:\Windows\SysWOW64\Iencmm32.exe
C:\Windows\system32\Iencmm32.exe
C:\Windows\SysWOW64\Infhebbh.exe
C:\Windows\system32\Infhebbh.exe
C:\Windows\SysWOW64\Iholohii.exe
C:\Windows\system32\Iholohii.exe
C:\Windows\SysWOW64\Ihaidhgf.exe
C:\Windows\system32\Ihaidhgf.exe
C:\Windows\SysWOW64\Ieeimlep.exe
C:\Windows\system32\Ieeimlep.exe
C:\Windows\SysWOW64\Jnnnfalp.exe
C:\Windows\system32\Jnnnfalp.exe
C:\Windows\SysWOW64\Jnpjlajn.exe
C:\Windows\system32\Jnpjlajn.exe
C:\Windows\SysWOW64\Jjgkab32.exe
C:\Windows\system32\Jjgkab32.exe
C:\Windows\SysWOW64\Jhkljfok.exe
C:\Windows\system32\Jhkljfok.exe
C:\Windows\SysWOW64\Jacpcl32.exe
C:\Windows\system32\Jacpcl32.exe
C:\Windows\SysWOW64\Jaemilci.exe
C:\Windows\system32\Jaemilci.exe
C:\Windows\SysWOW64\Jlkafdco.exe
C:\Windows\system32\Jlkafdco.exe
C:\Windows\SysWOW64\Klmnkdal.exe
C:\Windows\system32\Klmnkdal.exe
C:\Windows\SysWOW64\Kbgfhnhi.exe
C:\Windows\system32\Kbgfhnhi.exe
C:\Windows\SysWOW64\Kkbkmqed.exe
C:\Windows\system32\Kkbkmqed.exe
C:\Windows\SysWOW64\Kdkoef32.exe
C:\Windows\system32\Kdkoef32.exe
C:\Windows\SysWOW64\Klddlckd.exe
C:\Windows\system32\Klddlckd.exe
C:\Windows\SysWOW64\Loemnnhe.exe
C:\Windows\system32\Loemnnhe.exe
C:\Windows\SysWOW64\Leoejh32.exe
C:\Windows\system32\Leoejh32.exe
C:\Windows\SysWOW64\Leabphmp.exe
C:\Windows\system32\Leabphmp.exe
C:\Windows\SysWOW64\Ledoegkm.exe
C:\Windows\system32\Ledoegkm.exe
C:\Windows\SysWOW64\Lkqgno32.exe
C:\Windows\system32\Lkqgno32.exe
C:\Windows\SysWOW64\Ldikgdpe.exe
C:\Windows\system32\Ldikgdpe.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 6556 -ip 6556
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6556 -s 224
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5248 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 20.231.121.79:80 | N/A | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 13.107.246.64:443 | tcp | |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | N/A | udp |
| US | 8.8.8.8:53 | 136.71.105.51.in-addr.arpa | udp |
Files
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Windows\SysWOW64\Apodoq32.exe
| MD5 | ccfe1a9ef231e83b684316e7c8dab5a2 |
| SHA1 | 5d126e45e15c90e25c914703a7ffbf5d8ac892da |
| SHA256 | c0df69300a81591c9db709eed80478a7de330a0144b0f747ec5d7a7f35b8ccd0 |
| SHA512 | 7638b7fa3a6e0b546b183b6428b6d42a5f6092904eb171a7d5d158c49aea261e7f5b76759cddc98fe20c5fdad360ff332101b6049fef50e13327b7f6b12f6032 |
memory/4988-127-0x0000000000400000-0x0000000000447000-memory.dmp
C:\Windows\SysWOW64\Bpfkpp32.exe
| MD5 | 139526ee29eb41616152cd9fc6ca8e3d |
| SHA1 | 267c9a1ab98b18368f1a30f145f1c024af169cb4 |
| SHA256 | 0a123cd12d82e282782036ac5ee309112969784afeef6ba8946c3fddf9deb407 |
| SHA512 | b56c307a91dde30d85ff4e0d767a1297295ca813cb779c7d03c3dc7cf4d24070232787433b544f6b68dde2073c90517d0d2529f3df8c4dd80805a170b4a52836 |
memory/2212-135-0x0000000000400000-0x0000000000447000-memory.dmp
C:\Windows\SysWOW64\Bahdob32.exe
| MD5 | 6d4d4466ce4a11ad37b49a0354854d40 |
| SHA1 | fbe959a2d3c8f97fbc39063e68dbee0ced747480 |
| SHA256 | ed1f548cceaf1e18500cef7a788ca8d7fd7d535d45630a8aeff0d622241a3fd4 |
| SHA512 | 9f757378e57c22ac29074d612f754afaceea902e3019a4e0b60f3a7b62fa0d3139a10f98fafbb21c4f02a9b6c4f65e1518dca2f8b90c2e8b2abe56b0e7ebb180 |
C:\Windows\SysWOW64\Bahdob32.exe
| MD5 | bc34c5cb6bcb1ab24a391a357a03b728 |
| SHA1 | c4c435c05f7ffd9dfac6e57d262b3e4b6b5adc09 |
| SHA256 | 45484a73e9c36cb4fd4219b317a0b26b8065405ad6444630f54572fad42f655c |
| SHA512 | 3095d6489d29b6b89498d0246587a1530ee8b740fa2d94fa154c8f10ad25b0c25492e24c2a98123f654c51024326c22509d59366eb32ee805c7e80e0db6fd5d6 |
memory/4532-143-0x0000000000400000-0x0000000000447000-memory.dmp
C:\Windows\SysWOW64\Cggimh32.exe
| MD5 | bfa87fe4328bb3503af34634147b347f |
| SHA1 | cb4ceb980599e5da609954f695b692616fcb5758 |
| SHA256 | a784ae62cec6a541ffe142a5035582f0848d79616e0244faa844d1204e21992a |
| SHA512 | d64f1bf26495a7ecd51e31aa0341b413ac011c6babe8e19ceebd08592cf323f1cdfa700f447305996cfa8e51ee0d2aae1b2f7b5f4b3e4b393a3edd0e78fdd7a5 |
memory/2696-151-0x0000000000400000-0x0000000000447000-memory.dmp
C:\Windows\SysWOW64\Caojpaij.exe
| MD5 | a287f4ea9470f552d91a6f710e63fdeb |
| SHA1 | c20173b4036be2b2e9338b69a931ef2f9721332c |
| SHA256 | de62744056ff16ed1b67944b726e446e2bd998d66f823bc39bd4bf03c64fb669 |
| SHA512 | adb2c7929af1c438a5675112604aae5f10da946d1bdedb2a16f1b0f7643039fcd108fb9112c1805e05852aaffef4247166d763739b3f33e484d7d44978503702 |
memory/2104-159-0x0000000000400000-0x0000000000447000-memory.dmp
C:\Windows\SysWOW64\Caageq32.exe
| MD5 | 143873ba484b26a2be2040a671592d75 |
| SHA1 | 15c10aeb1fa94672a203b3ad1510557d6fb0da34 |
| SHA256 | 45f29cd05266e2e1d95a27baf99c2e3a7deaaf1e6a9fe444c9c4bd6f5b06981f |
| SHA512 | 88d06d2ed8a4481d240e2903c1f272ae9cad9c2fd68f6633d454683567ef40319f9f7c11d846a283958ee84b60026c053096a0cd44b8687b1f18b1e913493391 |
memory/4516-168-0x0000000000400000-0x0000000000447000-memory.dmp
C:\Windows\SysWOW64\Cgqlcg32.exe
| MD5 | f98f61fe536bc0460371c30cc9fe005c |
| SHA1 | ec6aab6bd9cb67a848a85a082372efc31abfbdc4 |
| SHA256 | 1a160a855a1d2d76b10722ef0cbeb2f90118caa463f326898758818b40010379 |
| SHA512 | 5c21cbd1f4516320d13229a730392f401852c2e48f7c99928d60566b21b9f21aba8da66557c472a34b851d400fd870314c73afe5b7bf1181b8bb6b2b09eb895d |
memory/680-176-0x0000000000400000-0x0000000000447000-memory.dmp
C:\Windows\SysWOW64\Dhphmj32.exe
| MD5 | fce037cc9b96decd34b0a689e9de9b0c |
| SHA1 | 3a44e103c2cbddc86524ff0914cf870fd0a667fa |
| SHA256 | af2223b2d969f613e141c3c63048b0c9abc3411c75b5b45aca1a10664a8d020e |
| SHA512 | 04c60ac02ec8b6ef062a6c58ce8fb09b152a26735de764768ca03b5e6b645116971e1b2f78443606b0f199243ddc63a2a67bd977dced5256d3283673a9b896b0 |
memory/4800-184-0x0000000000400000-0x0000000000447000-memory.dmp
C:\Windows\SysWOW64\Dhbebj32.exe
| MD5 | e983abc0c39ed3c1d93fa73b95c1b153 |
| SHA1 | a5a73f06ce3767af92f67757eaca1cd2e6874057 |
| SHA256 | 3c05dbef0f13445fb0633d3695c4f010fef19abf5ad825850f58d7a0b403e86b |
| SHA512 | 7596c6bced050e46f06df7db000fae1824de655debeb486c2597d0818518f629a0e69ac34002ce0650eda8435cf53c49c3af06694ea8810388ecd8a1181de907 |
memory/1388-192-0x0000000000400000-0x0000000000447000-memory.dmp
C:\Windows\SysWOW64\Dnajppda.exe
| MD5 | e7e50a5bbc0e75451e9fdeaad35d4716 |
| SHA1 | e51e04a7e2d645a312714097f6dc1d11566ccd57 |
| SHA256 | f8a11cefa0b5e7b75c8e1414b6000eca529a41b7c10cd82083fa1e600222f21b |
| SHA512 | 08d94887fc5eb16f35bb28a10a642e969afa8aa6dca7081cc00a2dc716d114ff1349afe230948a100580f68dc507eb10d63b6b3c53bde72835488789119c697d |
C:\Windows\SysWOW64\Doagjc32.exe
| MD5 | 9fce8e34451b181b6f2ae470bd1babf8 |
| SHA1 | 2b1205c3872dc71750f35eaaace7dffaaebfd05e |
| SHA256 | 7f4f23b9d658fe7992a10a3781c99baaaf59f9e7a7e3d99ce63c1613087a00f6 |
| SHA512 | a8a959679331d61daabc5f2909e919fb2195bca1ae77694cc6097468bb4bd621a3e44a1ac301e58eac453598a9f2677d3fef9c3ff771efe8aaf5e3b601b799b0 |
memory/1476-205-0x0000000000400000-0x0000000000447000-memory.dmp
memory/1884-208-0x0000000000400000-0x0000000000447000-memory.dmp
C:\Windows\SysWOW64\Dkhgod32.exe
| MD5 | 69e6b6d79cefe4c8b279389fe2c374d0 |
| SHA1 | d3654948d1bd1442f1c44eea2ded7b46d4c48e93 |
| SHA256 | 431796f36e41e782846d946690847dfb3f3c5a2c0a74c40af031b1959d15f098 |
| SHA512 | e021bd974ccb22b0c485c820a1fbbbf921c5768c931b92abefb5c0aa3003a46dc04bc9923dada1e10ae6b845563812d4c4979198372e36944d9e86a94d880ce2 |
memory/4380-216-0x0000000000400000-0x0000000000447000-memory.dmp
C:\Windows\SysWOW64\Ebdlangb.exe
| MD5 | 9b7644c8cc4ac34d8948b28825c61408 |
| SHA1 | 73eb77fc0f7c00a33ebc26fadea7f6cd7aef24df |
| SHA256 | 9dd5e08e05221b60f65a2c48580b0b608eaf11725bf7999c8a6aa5ecef1191bf |
| SHA512 | 143f0215aa59fbe5b80ba10b3c1d85aad04c416c22b5ee082f0a5ad5a2be0fade21a87a8814a5f948ab71169f4fb6665331c68d85e1e34c80537e2bd4432eab2 |
memory/1880-224-0x0000000000400000-0x0000000000447000-memory.dmp
C:\Windows\SysWOW64\Ebfign32.exe
| MD5 | 3f0640c165c5ee6f569cfefc78776ad9 |
| SHA1 | 4379c9d2ad5f815a88bfd9fda4ac1da0582d253d |
| SHA256 | 3f039deafcc44f7f8a6e9cf9713560a26bcedfdf2775ab21891b4e7ad52a260e |
| SHA512 | 4cd1aa8ccff7c0c22768c7f34f462f1bf471577560de6a29fa0358a2000bd45d5d5b16a2b7936cf04cc9961c7b9f749dc279e4436299ea12a31b865da2a8c92a |
memory/212-231-0x0000000000400000-0x0000000000447000-memory.dmp
C:\Windows\SysWOW64\Ekajec32.exe
| MD5 | 1c8da5538e69b56a54accded9de6de3a |
| SHA1 | ff340fcb928af42a17eeceecf68eb5a198f657c1 |
| SHA256 | 7ec68f3b5fcd46a6426705454ca7194dbb05935a3566358d1d90633ecfff0c1f |
| SHA512 | cfa539f622e5a5834b22e686c3164454c5106acf44daab514abeb08916809486722a7c66ff287a6419b4e754c9a9ed3ba1239567630feb38b9b55eac0f7c052b |
memory/4928-239-0x0000000000400000-0x0000000000447000-memory.dmp
C:\Windows\SysWOW64\Figgdg32.exe
| MD5 | 3bb15bf1861fa3818696a790271858c5 |
| SHA1 | 995d012c5bd5d5c26cb20913a97e48eef595c9a3 |
| SHA256 | 34465d0c043c54ac6689d0686a3c21c59051d6578ff4523e9943f360e1eee854 |
| SHA512 | d07ca062d78e9912ff884db8994e92917aeb3c17b94244d53cd89534408abce88cd3c4a161347bd861c6013cf4d96300bd5eb22813d72f76ae0c41db1c2dd40f |
memory/3500-247-0x0000000000400000-0x0000000000447000-memory.dmp
C:\Windows\SysWOW64\Fqeioiam.exe
| MD5 | 6c49ca3e1b23b32c7a05dcb9870972ad |
| SHA1 | 1fc9ca072431c6ca2e6e8d84a9636dc74a4b7221 |
| SHA256 | 616dcc21c7d6265fe397bc727a53dffc3f1fb1b56bbefef1e3c2f8427bdd0447 |
| SHA512 | 9bf0f22cbae469c1ca1920952de39ae4e8aa5aa08e619e295f43201f5a2613db3002103bafe88ccd7f91a754db883d6efe7e3d47ee78e85e63520ea1813d8e5c |
memory/1812-255-0x0000000000400000-0x0000000000447000-memory.dmp
memory/2500-262-0x0000000000400000-0x0000000000447000-memory.dmp
memory/3876-272-0x0000000000400000-0x0000000000447000-memory.dmp
memory/4528-274-0x0000000000400000-0x0000000000447000-memory.dmp
C:\Windows\SysWOW64\Gnblnlhl.exe
| MD5 | 2bf566b91f1dc091684c65b790683ac8 |
| SHA1 | f915ed0c015bc343f01f3b3f3a1b360578143d05 |
| SHA256 | c737426f61e6bf9e9da5a8ee5a6a88df8e48fc0fd72bed31471e42d1283290eb |
| SHA512 | 553e0d31744630c45669e49b2f6bd1a2916fd419c29ab91ad2c4b22318478ea977698cb5b8a1378692375404d6efc7345bae3a08a84669bcba355fcec6c5041c |
memory/1532-280-0x0000000000400000-0x0000000000447000-memory.dmp
memory/1760-286-0x0000000000400000-0x0000000000447000-memory.dmp
C:\Windows\SysWOW64\Ghojbq32.exe
| MD5 | 197ea3527c33024b98935a73a21789c9 |
| SHA1 | 001d0fa5278096c1e1a31ef37cf6654e180c4c2c |
| SHA256 | 5478f1a85c771e135c1b248d77d073fa47e8ed2d1d95fc5efea2432dc6231771 |
| SHA512 | e8bab222ff1069b9290ace6a3c360b9a0c4a970cf2e5bcb1ab8550d0705265dda8f67378ce25a82f3be0ad441a4bd3da3d15862c95672f57468d97331c082715 |
memory/3620-292-0x0000000000400000-0x0000000000447000-memory.dmp
memory/4592-298-0x0000000000400000-0x0000000000447000-memory.dmp
memory/3804-304-0x0000000000400000-0x0000000000447000-memory.dmp
memory/1176-310-0x0000000000400000-0x0000000000447000-memory.dmp
memory/5092-316-0x0000000000400000-0x0000000000447000-memory.dmp
C:\Windows\SysWOW64\Ihkjno32.exe
| MD5 | 3d61e4c044ab4dafe82ce089700419e9 |
| SHA1 | de3ff2883d60e6c69b1b157498d3704ded055809 |
| SHA256 | 692c8637d62b15f0838152612347bd10353fbc620cd62d6e2fa4f18c6dafc70f |
| SHA512 | 04789217f5509d087cab65d214b2a4168ad3b746b405592213b8b0f99cefabfdf62d61199325b6742d1b312447c61c0d9c24faabb60d1679ac7b4cebd2d9f41c |
memory/4600-322-0x0000000000400000-0x0000000000447000-memory.dmp
memory/1512-328-0x0000000000400000-0x0000000000447000-memory.dmp
memory/5084-334-0x0000000000400000-0x0000000000447000-memory.dmp
C:\Windows\SysWOW64\Iefphb32.exe
| MD5 | e6d67348afb1c0022bf8563c6cb6a161 |
| SHA1 | d3e05eaf0c0d47f4e98425a009fb6aeb4360fd62 |
| SHA256 | 137162dd1b98d88375e52c64d8eb3208e2144116a1e9681099d2ee2d6e1b20e1 |
| SHA512 | d62d57a5753fea600ad1de9cfe58e367874aec19a4971d28abdc86578d419f306b772c75b5f94153299fb296fb77bec263efab63caf7cdded58eea2adf637630 |
memory/2256-340-0x0000000000400000-0x0000000000447000-memory.dmp
memory/1956-346-0x0000000000400000-0x0000000000447000-memory.dmp
memory/1392-352-0x0000000000400000-0x0000000000447000-memory.dmp
memory/2216-358-0x0000000000400000-0x0000000000447000-memory.dmp
memory/3720-364-0x0000000000400000-0x0000000000447000-memory.dmp
memory/5104-370-0x0000000000400000-0x0000000000447000-memory.dmp
memory/2672-376-0x0000000000400000-0x0000000000447000-memory.dmp
memory/400-382-0x0000000000400000-0x0000000000447000-memory.dmp
memory/3256-388-0x0000000000400000-0x0000000000447000-memory.dmp
C:\Windows\SysWOW64\Kifojnol.exe
| MD5 | 9d34926916d0999200319191176aa37e |
| SHA1 | 823349c71dc09b8b889a2b9d5f0b2f702ed29afd |
| SHA256 | b3439ee3d6153f056e36b02068e7ff99749892355a608256d31109f36934962b |
| SHA512 | c0512ba5821b9846421225d447bf710d97dac643989175b71e8b0e639829656da02dd448932c339c85bc5a85bf2aa0eca32fc592df5859a10bcfaf37eb7df24b |
memory/1136-394-0x0000000000400000-0x0000000000447000-memory.dmp
memory/3996-400-0x0000000000400000-0x0000000000447000-memory.dmp
memory/688-406-0x0000000000400000-0x0000000000447000-memory.dmp
memory/1632-412-0x0000000000400000-0x0000000000447000-memory.dmp
memory/3352-418-0x0000000000400000-0x0000000000447000-memory.dmp
memory/2744-424-0x0000000000400000-0x0000000000447000-memory.dmp
memory/1096-430-0x0000000000400000-0x0000000000447000-memory.dmp
C:\Windows\SysWOW64\Mcdeeq32.exe
| MD5 | 94c6fbb75b33b3c55a4a18cffde4e05b |
| SHA1 | ebd319046f9af5e799449cc809762898ba82878f |
| SHA256 | 87c4be270654f8a68b8b4209de0758693d59eeab68bd3a7196a283d7d5500fd2 |
| SHA512 | 9947dc83fbe9c14fe1dd360ecbf05a0171143c8a63fb1375c9dfd5b46c651eefc6db856edbfec5764a3686a12a4d37cdcd13d64a23c2d7510f6d8e8c162305f0 |
memory/4812-436-0x0000000000400000-0x0000000000447000-memory.dmp
memory/4668-442-0x0000000000400000-0x0000000000447000-memory.dmp
memory/2448-448-0x0000000000400000-0x0000000000447000-memory.dmp
memory/700-454-0x0000000000400000-0x0000000000447000-memory.dmp
memory/64-464-0x0000000000400000-0x0000000000447000-memory.dmp
memory/1480-466-0x0000000000400000-0x0000000000447000-memory.dmp
memory/640-472-0x0000000000400000-0x0000000000447000-memory.dmp
memory/3528-479-0x0000000000400000-0x0000000000447000-memory.dmp
memory/3772-484-0x0000000000400000-0x0000000000447000-memory.dmp
memory/3972-490-0x0000000000400000-0x0000000000447000-memory.dmp
memory/1976-496-0x0000000000400000-0x0000000000447000-memory.dmp
memory/3308-502-0x0000000000400000-0x0000000000447000-memory.dmp
memory/5136-508-0x0000000000400000-0x0000000000447000-memory.dmp
memory/5220-518-0x0000000000400000-0x0000000000447000-memory.dmp
memory/5276-520-0x0000000000400000-0x0000000000447000-memory.dmp
memory/5348-529-0x0000000000400000-0x0000000000447000-memory.dmp
memory/5392-532-0x0000000000400000-0x0000000000447000-memory.dmp
memory/5432-544-0x0000000000400000-0x0000000000447000-memory.dmp
memory/392-542-0x0000000000400000-0x0000000000447000-memory.dmp
memory/5472-545-0x0000000000400000-0x0000000000447000-memory.dmp
memory/5524-552-0x0000000000400000-0x0000000000447000-memory.dmp
memory/1516-551-0x0000000000400000-0x0000000000447000-memory.dmp
memory/5568-559-0x0000000000400000-0x0000000000447000-memory.dmp
memory/2452-558-0x0000000000400000-0x0000000000447000-memory.dmp
memory/5628-566-0x0000000000400000-0x0000000000447000-memory.dmp
memory/3580-565-0x0000000000400000-0x0000000000447000-memory.dmp
memory/1384-572-0x0000000000400000-0x0000000000447000-memory.dmp
memory/5672-573-0x0000000000400000-0x0000000000447000-memory.dmp
memory/5716-580-0x0000000000400000-0x0000000000447000-memory.dmp
memory/4108-579-0x0000000000400000-0x0000000000447000-memory.dmp
memory/5760-587-0x0000000000400000-0x0000000000447000-memory.dmp
memory/1356-586-0x0000000000400000-0x0000000000447000-memory.dmp
C:\Windows\SysWOW64\Ajmladbl.exe
| MD5 | 6b187fd9780248cda23e13b30ce10e38 |
| SHA1 | d31170bf8a8f7749ed188581d288385667c6c32a |
| SHA256 | 190cda316cf82c270d5901572a257c93d4e7ffc6e070d1951df14d6256d354f4 |
| SHA512 | 49b333249111d6f60cb103377225075fd35d81e5fa5ad5507aa46ace04fec81eab44bc73b97b1f5fc488c6c24665d78de1354a3447e0e10a2121caccd5e78929 |
memory/2424-593-0x0000000000400000-0x0000000000447000-memory.dmp
memory/5808-594-0x0000000000400000-0x0000000000447000-memory.dmp
C:\Windows\SysWOW64\Ampaho32.exe
| MD5 | 802a842661b13e086d45bba3e896474f |
| SHA1 | cf241007652cfa711211cbdc7155c5589334fba2 |
| SHA256 | 9bc4838fa5b38dff701d255f44db83c939eb89e97c2b7cba5e692fb3ab829695 |
| SHA512 | fe3f271ace2f797138482abd778b39a902810a4aa291d5ea74cbb2e4f52c25bc582bd3c206696107a8adc3424f4dc96140208825217a412db52c714a6e526126 |
C:\Windows\SysWOW64\Cpogkhnl.exe
| MD5 | 666323a64cfcb6992a1f56f9b007c32d |
| SHA1 | 1db8256426a86334c7a6ac4af9d9826fe9c0530a |
| SHA256 | 28862145a3b2eff06ab4148dfc6f1d43cd55b183d2f20f4c2779ad7ae0659eb6 |
| SHA512 | 78f0fe0b671eb3ddfefbb6124d49741f25ca7d9d9da6745f81840ed2d74fc00b941be7d755b1ebc88881ef19e24cacd807cfecc4f2753873b04d0a6da3cad8f6 |
C:\Windows\SysWOW64\Dnljkk32.exe
| MD5 | 7487e9a355cd0bba029482b0c8a1adeb |
| SHA1 | 3b843737a47980e0832f4a4fbbd7a532acb5c87a |
| SHA256 | dd96ce8bcb20099372a4648ced13dd82c42a07f7f27f2b13ff12e5090ddbf8e8 |
| SHA512 | d257d0df71559bd90cff7348672836b7e3ae36a3db2810398802c5d2ac62be0df5cdb2cc825ccc0e5b2e679ce941bc21598a673388e63f94d7fb0275ba4d9e65 |
C:\Windows\SysWOW64\Eahobg32.exe
| MD5 | d169505f39affbdbab10ab45570497c4 |
| SHA1 | 7ab0c10cb0f8c4b517d35f67e6639204463fe274 |
| SHA256 | 0bf4f862b989aecc1bf6ee536c0bec6f98a3609f3114118b558379d3a459e22d |
| SHA512 | 6e48b432906bbea3b056b821505f7da6bc2c5b5911f80fcb7c68cc7033f9277aad5dfb92538db92614da3b8381557706852103f82b10ac327fb5bdcc24a3d937 |
C:\Windows\SysWOW64\Fdmaoahm.exe
| MD5 | 5629c9bc12c1d1845c77e11824a2e402 |
| SHA1 | c73c6fd9e1f456d8d780752303c0a06c4afa1e47 |
| SHA256 | 5c5dd71894e9b07e9ee95a81a5fb5d77d527e1f6b25754ab015eb635a37c7c46 |
| SHA512 | e8a94e27721d11ee1e18c5ddf7559d59a208402f91e5b92a0917592f4ca1cb3ff822ad9da031837af99d0139f35e699cef9694cc61ed820751205dbc134d7502 |
C:\Windows\SysWOW64\Fgqgfl32.exe
| MD5 | 7e989f59689bd73e3c53915a462957cb |
| SHA1 | fd77e863833667b750c8a565498538ac4273b937 |
| SHA256 | 7bfe2f942b8e0b9d64d72156d57d0a4d7fe75f27cb4466ab9321b34774f4f8e9 |
| SHA512 | 5d33c18b7c38e5f756d396515d76940370894c926e31b67df3851f030af3d470f62de255d704d65f7e52a3d06f6b40d77aceb409f0cd356cbfc33b34918ec71f |
C:\Windows\SysWOW64\Hjaioe32.exe
| MD5 | 673ea0cd987e39c9d7629b0bdb3f4da6 |
| SHA1 | 8c7ebc0b3b5d809f1e006428b2baa5b6f10bd576 |
| SHA256 | f6225b8a418085c8535b8b548ec39936a8f6bed64186e00af2727cc349f4225d |
| SHA512 | b10987319b58ae03f92974500335e06fe43ce61c31c41679743cd01b45b009b78fd4828717857faaa07ea0b2026bc52657bdf5a3e4fa2378cad1420ab0099617 |
C:\Windows\SysWOW64\Jlkafdco.exe
| MD5 | 08bef4c2604048225e5c35297419df89 |
| SHA1 | 846260c619fa87a776673ea640557f7b6ea04f6e |
| SHA256 | bcc8d3b5ee9481d410fd946f51562a5deb03cabeda10027bc952b7e7135baf4f |
| SHA512 | eecaa354de1f7013388c757cae3ef59d07ec0208dd9a38fcafb8436f5a78941dd56efa750cd49c48bd620d04c0e21d3ac7979b453054809dc5c1afb427bebb6c |
C:\Windows\SysWOW64\Klddlckd.exe
| MD5 | c7432410a22ad81734c08bc12660f6f3 |
| SHA1 | 21256caf4192b457d4f3565d9abbdff756336008 |
| SHA256 | 05a226afa660053d52d1620a2c5705d88e9a2da8c50628d37d43c10519dc493f |
| SHA512 | 896e13f74896a457ac036c75f584776f174c81d2c3790d3cbc1c81aaac90ea13ae9a1a6e3081dbb5d3586684ea483ee1116a36240a37c072073a11f7b938ef75 |
C:\Windows\SysWOW64\Leabphmp.exe
| MD5 | a3a43dedeacf483f750bc9f55fdee092 |
| SHA1 | ea605d9217160d84fb4de1987fc566c418e2f565 |
| SHA256 | cba191140cc9ab3efd3622a1d5ab19018aa8ae3e758faac8b0ea8a7651877a2c |
| SHA512 | f0194427561521229d5cd7a2aa0fe27891b9600b16c4c3fd943488628bc621be33d1de41d4706b4b1eadc945da6a0dce6eb1c067d34a0cc24758d9a1a80be649 |
C:\Windows\SysWOW64\Ldikgdpe.exe
| MD5 | ef8481b7e2cfc18275a22fa1f4182df3 |
| SHA1 | bd5e5ff3b7392fee6693df7ee5002f2873699338 |
| SHA256 | 858b3d05abdd99676445317093b408cd72f16c45a09a4b16a15765b89a4171ab |
| SHA512 | e8a2e8b31fd937ff98115bdfce5cb2e0a2f54223d02d34a904ef388e49966d100f03a3a1be69b4074d2b1ade57b21dbc70921585a8b0800ccd40b028e11c7234 |
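Two details of the listing above matter before the hashes are turned into blocklist entries. First, the earlier of the two Apodoq32.exe records carries MD5 d41d8cd98f00b204e9800998ecf8427e and SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, which are the digests of a zero-byte file: the sandbox captured that path while it was still empty, so those values identify nothing and must not be shipped as indicators. Second, several paths (Oakbehfe.exe, Apodoq32.exe, Bahdob32.exe) appear twice with different digests, meaning the content changed between captures, so both digests are valid indicators for the same path. The memory/<pid>-<seq>-<start>-<end>-memory.dmp entries all cover 0x400000-0x447000, the same 0x47000-byte image mapped at the default base in every stage.

The following is an added example, not code from the sandbox report or its vendor: a small parser for this record format that extracts the usable SHA256 indicators, drops the empty-file digests, reports paths recorded with more than one digest, and decodes the memory-dump names. The function names are my own, and the sample input is a constructed excerpt copied from the entries above.

```python
"""Parse a dropped-files / memory-dump listing into IOCs (added example)."""
import re
from collections import defaultdict

# Digests of a zero-byte file. A record carrying these was captured empty.
EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

# Constructed sample in the same shape as the report listing (SHA512 rows omitted).
SAMPLE = r"""C:\Windows\SysWOW64\Oakbehfe.exe
| MD5 | a7787d4cbfd223cce3c917d1ec6970e6 |
| SHA1 | f8fe5a0f7f30e052d09084f7bb8c4b19f4e5efa6 |
| SHA256 | bcd161df27de91c3f6dc810410baa84b690f33cdc985fa94c0f8ba8568d49c24 |
C:\Windows\SysWOW64\Oakbehfe.exe
| MD5 | 3ef25ab577a4c47af84bcd2d5c790c84 |
| SHA256 | ce1ccde3b695a5c9643c280a37c970b9a28d4d19856d8e6113c134ea235cda2f |
memory/1268-63-0x0000000000400000-0x0000000000447000-memory.dmp
C:\Windows\SysWOW64\Apodoq32.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
C:\Windows\SysWOW64\Apodoq32.exe
| MD5 | ccfe1a9ef231e83b684316e7c8dab5a2 |
| SHA256 | c0df69300a81591c9db709eed80478a7de330a0144b0f747ec5d7a7f35b8ccd0 |
memory/4988-127-0x0000000000400000-0x0000000000447000-memory.dmp
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
DUMP_NAME = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_listing(text):
    """Return (files, dumps).

    files: list of {"path": str, "hashes": {algo: digest}} in listing order.
    dumps: list of {"pid", "seq", "start", "end", "size"} decoded from dump names.
    A hash row that follows no file path, or a digest of the wrong length for
    its algorithm, is treated as a corrupt listing and raises ValueError.
    """
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash row before any file path: {line}")
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"bad {algo} length for {current['path']}")
            current["hashes"][algo] = digest
            continue
        m = DUMP_NAME.match(line)
        if m:
            pid, seq, start, end = m.groups()
            lo, hi = int(start, 16), int(end, 16)
            dumps.append({"pid": int(pid), "seq": int(seq),
                          "start": lo, "end": hi, "size": hi - lo})
            current = None  # a dump line closes the previous file record
            continue
        current = {"path": line, "hashes": {}}  # any other line starts a record
        files.append(current)
    return files, dumps


def empty_captures(files):
    """Paths whose record is the digest of a zero-byte file (no usable IOC)."""
    return [f["path"] for f in files
            if f["hashes"].get("MD5") == EMPTY_MD5
            or f["hashes"].get("SHA256") == EMPTY_SHA256]


def multi_digest_paths(files):
    """Paths recorded with more than one non-empty SHA256 (content changed)."""
    seen = defaultdict(set)
    for f in files:
        sha = f["hashes"].get("SHA256")
        if sha and sha != EMPTY_SHA256:
            seen[f["path"]].add(sha)
    return sorted(p for p, digests in seen.items() if len(digests) > 1)


def ioc_sha256(files):
    """Unique SHA256 values worth blocking, with the empty-file digest removed."""
    return sorted({f["hashes"]["SHA256"] for f in files
                   if "SHA256" in f["hashes"]
                   and f["hashes"]["SHA256"] != EMPTY_SHA256})


def region_sizes(dumps):
    """Distinct dumped-region sizes; one value means every stage shares an image size."""
    return sorted({d["size"] for d in dumps})


if __name__ == "__main__":
    files, dumps = parse_listing(SAMPLE)
    print("empty captures:", empty_captures(files))
    print("paths with several digests:", multi_digest_paths(files))
    print("SHA256 IOCs:", ioc_sha256(files))
    print("dump regions:", [hex(s) for s in region_sizes(dumps)])
```

Run it against the full listing by pasting the file-path, hash-row and memory/ lines into SAMPLE; rows for SHA512 are accepted, and the empty-file filter is what keeps d41d8cd9.../e3b0c442... out of any blocklist built from the output.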