Analysis
max time kernel: 142s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-05-2024 23:50
Behavioral task: behavioral1
Sample: 6daeda287d1944f713fafdc0a1ba0c20_NeikiAnalytics.exe
Resource: win7-20240508-en
Behavioral task: behavioral2
Sample: 6daeda287d1944f713fafdc0a1ba0c20_NeikiAnalytics.exe
Resource: win10v2004-20240226-en
General
Target: 6daeda287d1944f713fafdc0a1ba0c20_NeikiAnalytics.exe
Size: 548KB
MD5: 6daeda287d1944f713fafdc0a1ba0c20
SHA1: f21dc6149d00d887d9123903e5d130d375b441a3
SHA256: 8c043dd159d32543b79016c55aa840b87d7255c1e2ba3f2716b7e74608e0af64
SHA512: 5cb9ef3ee41d0ff6016825d4c0c2009b0fee5744b986e5c598c8070e777db043dfc4cbbf5154bdbd902e249da7b5408197be2a83fff34109fad459bc4cf5ac4b
SSDEEP: 12288:jXzVvq6IveDVqvQ6IvBaSHaMaZRBEYyqmaf2qwiHPKgRC4gvGZ+C8lM1:j4q5htaSHFaZRBEYyqmaf2qwiHPKgRCW
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Processes:
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Processes:
Executes dropped EXE (64 IoCs)
Processes:
Drops file in System32 directory (64 IoCs)
Processes:
Program crash (1 IoC)
Processes:
pid 6920, pid_target 6632, process WerFault.exe, target process Eldlhckj.exe
Modifies registry class (64 IoCs)
Processes:
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
6daeda287d1944f713fafdc0a1ba0c20_NeikiAnalytics.exe, Ljclki32.exe, Lqpamb32.exe, Nmgjia32.exe, Nmigoagp.exe, Nnicid32.exe, Oloahhki.exe, Ohhnbhok.exe, Olfghg32.exe, Odalmibl.exe, Pddhbipj.exe, Pefabkej.exe, Bafndi32.exe, Chglab32.exe, Cfnjpfcl.exe, Chnbbqpn.exe, Dbicpfdk.exe, Dnbakghm.exe, Dbbffdlq.exe, Eiokinbk.exe, Eeelnp32.exe, Eejeiocj.exe
description | pid | process | target process
PID 4140 wrote to memory of 4128 | 4140 | 6daeda287d1944f713fafdc0a1ba0c20_NeikiAnalytics.exe | Ljclki32.exe
PID 4140 wrote to memory of 4128 | 4140 | 6daeda287d1944f713fafdc0a1ba0c20_NeikiAnalytics.exe | Ljclki32.exe
PID 4140 wrote to memory of 4128 | 4140 | 6daeda287d1944f713fafdc0a1ba0c20_NeikiAnalytics.exe | Ljclki32.exe
PID 4128 wrote to memory of 460 | 4128 | Ljclki32.exe | Lqpamb32.exe
PID 4128 wrote to memory of 460 | 4128 | Ljclki32.exe | Lqpamb32.exe
PID 4128 wrote to memory of 460 | 4128 | Ljclki32.exe | Lqpamb32.exe
PID 460 wrote to memory of 3768 | 460 | Lqpamb32.exe | Nmgjia32.exe
PID 460 wrote to memory of 3768 | 460 | Lqpamb32.exe | Nmgjia32.exe
PID 460 wrote to memory of 3768 | 460 | Lqpamb32.exe | Nmgjia32.exe
PID 3768 wrote to memory of 3304 | 3768 | Nmgjia32.exe | Nmigoagp.exe
PID 3768 wrote to memory of 3304 | 3768 | Nmgjia32.exe | Nmigoagp.exe
PID 3768 wrote to memory of 3304 | 3768 | Nmgjia32.exe | Nmigoagp.exe
PID 3304 wrote to memory of 4168 | 3304 | Nmigoagp.exe | Nnicid32.exe
PID 3304 wrote to memory of 4168 | 3304 | Nmigoagp.exe | Nnicid32.exe
PID 3304 wrote to memory of 4168 | 3304 | Nmigoagp.exe | Nnicid32.exe
PID 4168 wrote to memory of 3604 | 4168 | Nnicid32.exe | Oloahhki.exe
PID 4168 wrote to memory of 3604 | 4168 | Nnicid32.exe | Oloahhki.exe
PID 4168 wrote to memory of 3604 | 4168 | Nnicid32.exe | Oloahhki.exe
PID 3604 wrote to memory of 5104 | 3604 | Oloahhki.exe | Ohhnbhok.exe
PID 3604 wrote to memory of 5104 | 3604 | Oloahhki.exe | Ohhnbhok.exe
PID 3604 wrote to memory of 5104 | 3604 | Oloahhki.exe | Ohhnbhok.exe
PID 5104 wrote to memory of 2492 | 5104 | Ohhnbhok.exe | Olfghg32.exe
PID 5104 wrote to memory of 2492 | 5104 | Ohhnbhok.exe | Olfghg32.exe
PID 5104 wrote to memory of 2492 | 5104 | Ohhnbhok.exe | Olfghg32.exe
PID 2492 wrote to memory of 2088 | 2492 | Olfghg32.exe | Odalmibl.exe
PID 2492 wrote to memory of 2088 | 2492 | Olfghg32.exe | Odalmibl.exe
PID 2492 wrote to memory of 2088 | 2492 | Olfghg32.exe | Odalmibl.exe
PID 2088 wrote to memory of 2928 | 2088 | Odalmibl.exe | Pddhbipj.exe
PID 2088 wrote to memory of 2928 | 2088 | Odalmibl.exe | Pddhbipj.exe
PID 2088 wrote to memory of 2928 | 2088 | Odalmibl.exe | Pddhbipj.exe
PID 2928 wrote to memory of 3584 | 2928 | Pddhbipj.exe | Pefabkej.exe
PID 2928 wrote to memory of 3584 | 2928 | Pddhbipj.exe | Pefabkej.exe
PID 2928 wrote to memory of 3584 | 2928 | Pddhbipj.exe | Pefabkej.exe
PID 3584 wrote to memory of 3476 | 3584 | Pefabkej.exe | Bafndi32.exe
PID 3584 wrote to memory of 3476 | 3584 | Pefabkej.exe | Bafndi32.exe
PID 3584 wrote to memory of 3476 | 3584 | Pefabkej.exe | Bafndi32.exe
PID 3476 wrote to memory of 4560 | 3476 | Bafndi32.exe | Chglab32.exe
PID 3476 wrote to memory of 4560 | 3476 | Bafndi32.exe | Chglab32.exe
PID 3476 wrote to memory of 4560 | 3476 | Bafndi32.exe | Chglab32.exe
PID 4560 wrote to memory of 536 | 4560 | Chglab32.exe | Cfnjpfcl.exe
PID 4560 wrote to memory of 536 | 4560 | Chglab32.exe | Cfnjpfcl.exe
PID 4560 wrote to memory of 536 | 4560 | Chglab32.exe | Cfnjpfcl.exe
PID 536 wrote to memory of 4192 | 536 | Cfnjpfcl.exe | Chnbbqpn.exe
PID 536 wrote to memory of 4192 | 536 | Cfnjpfcl.exe | Chnbbqpn.exe
PID 536 wrote to memory of 4192 | 536 | Cfnjpfcl.exe | Chnbbqpn.exe
PID 4192 wrote to memory of 2248 | 4192 | Chnbbqpn.exe | Dbicpfdk.exe
PID 4192 wrote to memory of 2248 | 4192 | Chnbbqpn.exe | Dbicpfdk.exe
PID 4192 wrote to memory of 2248 | 4192 | Chnbbqpn.exe | Dbicpfdk.exe
PID 2248 wrote to memory of 64 | 2248 | Dbicpfdk.exe | Dnbakghm.exe
PID 2248 wrote to memory of 64 | 2248 | Dbicpfdk.exe | Dnbakghm.exe
PID 2248 wrote to memory of 64 | 2248 | Dbicpfdk.exe | Dnbakghm.exe
PID 64 wrote to memory of 3904 | 64 | Dnbakghm.exe | Dbbffdlq.exe
PID 64 wrote to memory of 3904 | 64 | Dnbakghm.exe | Dbbffdlq.exe
PID 64 wrote to memory of 3904 | 64 | Dnbakghm.exe | Dbbffdlq.exe
PID 3904 wrote to memory of 1440 | 3904 | Dbbffdlq.exe | Eiokinbk.exe
PID 3904 wrote to memory of 1440 | 3904 | Dbbffdlq.exe | Eiokinbk.exe
PID 3904 wrote to memory of 1440 | 3904 | Dbbffdlq.exe | Eiokinbk.exe
PID 1440 wrote to memory of 4896 | 1440 | Eiokinbk.exe | Eeelnp32.exe
PID 1440 wrote to memory of 4896 | 1440 | Eiokinbk.exe | Eeelnp32.exe
PID 1440 wrote to memory of 4896 | 1440 | Eiokinbk.exe | Eeelnp32.exe
PID 4896 wrote to memory of 3512 | 4896 | Eeelnp32.exe | Eejeiocj.exe
PID 4896 wrote to memory of 3512 | 4896 | Eeelnp32.exe | Eejeiocj.exe
PID 4896 wrote to memory of 3512 | 4896 | Eeelnp32.exe | Eejeiocj.exe
PID 3512 wrote to memory of 1236 | 3512 | Eejeiocj.exe | Fflohaij.exe
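The WriteProcessMemory table lists each writer/target pair three times, once per recorded call, and the 64-entry cap cuts the listing off at the 22nd child even though the process tree below runs far deeper. The Python below is an added example, not part of the sandbox report: it parses rows in the format printed above (ten copied from the table as constructed sample input), counts calls per pair, and collapses the rows into an ordered parent-to-child chain, refusing to do so if the graph branches or has more than one root, since a tree would need a different reading than the single chain seen here. The regular expression and function names are this example's own assumptions.

```python
"""Rebuild the spawn chain from sandbox WriteProcessMemory rows (added example)."""
import re
from collections import Counter, defaultdict

# Constructed sample: the first ten rows of the table (three calls per link, then a single one).
SAMPLE_ROWS = """
PID 4140 wrote to memory of 4128 4140 6daeda287d1944f713fafdc0a1ba0c20_NeikiAnalytics.exe Ljclki32.exe
PID 4140 wrote to memory of 4128 4140 6daeda287d1944f713fafdc0a1ba0c20_NeikiAnalytics.exe Ljclki32.exe
PID 4140 wrote to memory of 4128 4140 6daeda287d1944f713fafdc0a1ba0c20_NeikiAnalytics.exe Ljclki32.exe
PID 4128 wrote to memory of 460 4128 Ljclki32.exe Lqpamb32.exe
PID 4128 wrote to memory of 460 4128 Ljclki32.exe Lqpamb32.exe
PID 4128 wrote to memory of 460 4128 Ljclki32.exe Lqpamb32.exe
PID 460 wrote to memory of 3768 460 Lqpamb32.exe Nmgjia32.exe
PID 460 wrote to memory of 3768 460 Lqpamb32.exe Nmgjia32.exe
PID 460 wrote to memory of 3768 460 Lqpamb32.exe Nmgjia32.exe
PID 3768 wrote to memory of 3304 3768 Nmgjia32.exe Nmigoagp.exe
"""

# Assumed row shape: "PID <src> wrote to memory of <dst> <src again> <src image> <dst image>".
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P<pid>\d+) (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def parse_rows(text):
    """Return [(writer_pid, target_pid, writer_image, target_image), ...], one per row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m is None:
            continue
        # The writer PID is printed twice; a mismatch means the row was mangled.
        if m["src"] != m["pid"]:
            raise ValueError(f"writer PID mismatch in row: {line!r}")
        rows.append((int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"]))
    return rows


def write_counts(rows):
    """Number of recorded WriteProcessMemory calls per (writer, target) pair."""
    return Counter((src, dst) for src, dst, _, _ in rows)


def spawn_chain(rows):
    """Collapse rows into an ordered [(pid, image), ...] chain from root to last child.

    Raises ValueError when the writes do not form one linear chain.
    """
    children = defaultdict(set)
    images = {}
    for src, dst, src_img, dst_img in rows:
        children[src].add(dst)
        images[src] = src_img
        images[dst] = dst_img
    targets = {dst for dsts in children.values() for dst in dsts}
    roots = [pid for pid in children if pid not in targets]
    if len(roots) != 1:
        raise ValueError(f"expected one root writer, found {roots}")
    chain = [roots[0]]
    while chain[-1] in children:          # membership test does not create keys
        nxt = children[chain[-1]]
        if len(nxt) != 1:
            raise ValueError(f"PID {chain[-1]} wrote into several processes: {sorted(nxt)}")
        chain.append(next(iter(nxt)))
    return [(pid, images[pid]) for pid in chain]


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for pid, image in spawn_chain(rows):
        print(f"{pid:>5}  {image}")
    print("calls per link:", dict(write_counts(rows)))
```

The three-calls-per-link pattern is the same for every pair in the table, so a single call count that differs (or a PID that writes into more than one target) is the anomaly worth a closer look rather than the writes themselves.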
Processes
-
level 1: C:\Users\Admin\AppData\Local\Temp\6daeda287d1944f713fafdc0a1ba0c20_NeikiAnalytics.exe | command line: "C:\Users\Admin\AppData\Local\Temp\6daeda287d1944f713fafdc0a1ba0c20_NeikiAnalytics.exe" | PID 4140
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Suspicious use of WriteProcessMemory
level 2: C:\Windows\SysWOW64\Ljclki32.exe | command line: C:\Windows\system32\Ljclki32.exe | PID 4128
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 3: C:\Windows\SysWOW64\Lqpamb32.exe | command line: C:\Windows\system32\Lqpamb32.exe | PID 460
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 4: C:\Windows\SysWOW64\Nmgjia32.exe | command line: C:\Windows\system32\Nmgjia32.exe | PID 3768
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 5: C:\Windows\SysWOW64\Nmigoagp.exe | command line: C:\Windows\system32\Nmigoagp.exe | PID 3304
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 6: C:\Windows\SysWOW64\Nnicid32.exe | command line: C:\Windows\system32\Nnicid32.exe | PID 4168
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 7: C:\Windows\SysWOW64\Oloahhki.exe | command line: C:\Windows\system32\Oloahhki.exe | PID 3604
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 8: C:\Windows\SysWOW64\Ohhnbhok.exe | command line: C:\Windows\system32\Ohhnbhok.exe | PID 5104
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 9: C:\Windows\SysWOW64\Olfghg32.exe | command line: C:\Windows\system32\Olfghg32.exe | PID 2492
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 10: C:\Windows\SysWOW64\Odalmibl.exe | command line: C:\Windows\system32\Odalmibl.exe | PID 2088
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
level 11: C:\Windows\SysWOW64\Pddhbipj.exe | command line: C:\Windows\system32\Pddhbipj.exe | PID 2928
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 12: C:\Windows\SysWOW64\Pefabkej.exe | command line: C:\Windows\system32\Pefabkej.exe | PID 3584
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 13: C:\Windows\SysWOW64\Bafndi32.exe | command line: C:\Windows\system32\Bafndi32.exe | PID 3476
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 14: C:\Windows\SysWOW64\Chglab32.exe | command line: C:\Windows\system32\Chglab32.exe | PID 4560
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 15: C:\Windows\SysWOW64\Cfnjpfcl.exe | command line: C:\Windows\system32\Cfnjpfcl.exe | PID 536
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 16: C:\Windows\SysWOW64\Chnbbqpn.exe | command line: C:\Windows\system32\Chnbbqpn.exe | PID 4192
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 17: C:\Windows\SysWOW64\Dbicpfdk.exe | command line: C:\Windows\system32\Dbicpfdk.exe | PID 2248
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 18: C:\Windows\SysWOW64\Dnbakghm.exe | command line: C:\Windows\system32\Dnbakghm.exe | PID 64
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 19: C:\Windows\SysWOW64\Dbbffdlq.exe | command line: C:\Windows\system32\Dbbffdlq.exe | PID 3904
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 20: C:\Windows\SysWOW64\Eiokinbk.exe | command line: C:\Windows\system32\Eiokinbk.exe | PID 1440
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 21: C:\Windows\SysWOW64\Eeelnp32.exe | command line: C:\Windows\system32\Eeelnp32.exe | PID 4896
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 22: C:\Windows\SysWOW64\Eejeiocj.exe | command line: C:\Windows\system32\Eejeiocj.exe | PID 3512
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 23: C:\Windows\SysWOW64\Fflohaij.exe | command line: C:\Windows\system32\Fflohaij.exe | PID 1236
  - Executes dropped EXE
level 24: C:\Windows\SysWOW64\Ffqhcq32.exe | command line: C:\Windows\system32\Ffqhcq32.exe | PID 3172
  - Executes dropped EXE
level 25: C:\Windows\SysWOW64\Fnnjmbpm.exe | command line: C:\Windows\system32\Fnnjmbpm.exe | PID 4476
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
level 26: C:\Windows\SysWOW64\Gldglf32.exe | command line: C:\Windows\system32\Gldglf32.exe | PID 4656
  - Executes dropped EXE
level 27: C:\Windows\SysWOW64\Glipgf32.exe | command line: C:\Windows\system32\Glipgf32.exe | PID 4584
  - Executes dropped EXE
  - Drops file in System32 directory
level 28: C:\Windows\SysWOW64\Hpiecd32.exe | command line: C:\Windows\system32\Hpiecd32.exe | PID 1364
  - Executes dropped EXE
level 29: C:\Windows\SysWOW64\Hmpcbhji.exe | command line: C:\Windows\system32\Hmpcbhji.exe | PID 4380
  - Executes dropped EXE
level 30: C:\Windows\SysWOW64\Hfjdqmng.exe | command line: C:\Windows\system32\Hfjdqmng.exe | PID 1868
  - Executes dropped EXE
level 31: C:\Windows\SysWOW64\Hlglidlo.exe | command line: C:\Windows\system32\Hlglidlo.exe | PID 3488
  - Executes dropped EXE
  - Modifies registry class
level 32: C:\Windows\SysWOW64\Iebngial.exe | command line: C:\Windows\system32\Iebngial.exe | PID 4064
  - Executes dropped EXE
level 33: C:\Windows\SysWOW64\Impliekg.exe | command line: C:\Windows\system32\Impliekg.exe | PID 4956
  - Executes dropped EXE
level 34: C:\Windows\SysWOW64\Jgkmgk32.exe | command line: C:\Windows\system32\Jgkmgk32.exe | PID 4068
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
level 35: C:\Windows\SysWOW64\Jofalmmp.exe | command line: C:\Windows\system32\Jofalmmp.exe | PID 4400
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
level 36: C:\Windows\SysWOW64\Jcdjbk32.exe | command line: C:\Windows\system32\Jcdjbk32.exe | PID 4760
  - Executes dropped EXE
level 37: C:\Windows\SysWOW64\Jniood32.exe | command line: C:\Windows\system32\Jniood32.exe | PID 4032
  - Executes dropped EXE
level 38: C:\Windows\SysWOW64\Jnlkedai.exe | command line: C:\Windows\system32\Jnlkedai.exe | PID 3136
  - Executes dropped EXE
level 39: C:\Windows\SysWOW64\Koodbl32.exe | command line: C:\Windows\system32\Koodbl32.exe | PID 3336
  - Executes dropped EXE
level 40: C:\Windows\SysWOW64\Kjgeedch.exe | command line: C:\Windows\system32\Kjgeedch.exe | PID 4364
  - Executes dropped EXE
level 41: C:\Windows\SysWOW64\Kgkfnh32.exe | command line: C:\Windows\system32\Kgkfnh32.exe | PID 3752
  - Executes dropped EXE
level 42: C:\Windows\SysWOW64\Lfbped32.exe | command line: C:\Windows\system32\Lfbped32.exe | PID 372
  - Executes dropped EXE
level 43: C:\Windows\SysWOW64\Ljqhkckn.exe | command line: C:\Windows\system32\Ljqhkckn.exe | PID 2716
  - Executes dropped EXE
  - Drops file in System32 directory
level 44: C:\Windows\SysWOW64\Ljceqb32.exe | command line: C:\Windows\system32\Ljceqb32.exe | PID 1048
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
level 45: C:\Windows\SysWOW64\Lfjfecno.exe | command line: C:\Windows\system32\Lfjfecno.exe | PID 2404
  - Executes dropped EXE
level 46: C:\Windows\SysWOW64\Lgibpf32.exe | command line: C:\Windows\system32\Lgibpf32.exe | PID 4420
  - Executes dropped EXE
  - Modifies registry class
level 47: C:\Windows\SysWOW64\Mgloefco.exe | command line: C:\Windows\system32\Mgloefco.exe | PID 1600
  - Executes dropped EXE
  - Modifies registry class
level 48: C:\Windows\SysWOW64\Mogcihaj.exe | command line: C:\Windows\system32\Mogcihaj.exe | PID 2040
  - Executes dropped EXE
  - Drops file in System32 directory
level 49: C:\Windows\SysWOW64\Mqfpckhm.exe | command line: C:\Windows\system32\Mqfpckhm.exe | PID 2076
  - Executes dropped EXE
  - Modifies registry class
level 50: C:\Windows\SysWOW64\Mmmqhl32.exe | command line: C:\Windows\system32\Mmmqhl32.exe | PID 4752
  - Executes dropped EXE
level 51: C:\Windows\SysWOW64\Mcifkf32.exe | command line: C:\Windows\system32\Mcifkf32.exe | PID 2444
  - Executes dropped EXE
level 52: C:\Windows\SysWOW64\Nnojho32.exe | command line: C:\Windows\system32\Nnojho32.exe | PID 5064
  - Executes dropped EXE
level 53: C:\Windows\SysWOW64\Nclbpf32.exe | command line: C:\Windows\system32\Nclbpf32.exe | PID 3920
  - Executes dropped EXE
level 54: C:\Windows\SysWOW64\Ncnofeof.exe | command line: C:\Windows\system32\Ncnofeof.exe | PID 5056
  - Executes dropped EXE
level 55: C:\Windows\SysWOW64\Nfohgqlg.exe | command line: C:\Windows\system32\Nfohgqlg.exe | PID 2344
  - Executes dropped EXE
level 56: C:\Windows\SysWOW64\Ngndaccj.exe | command line: C:\Windows\system32\Ngndaccj.exe | PID 3556
  - Executes dropped EXE
level 57: C:\Windows\SysWOW64\Nceefd32.exe | command line: C:\Windows\system32\Nceefd32.exe | PID 2688
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
level 58: C:\Windows\SysWOW64\Oaifpi32.exe | command line: C:\Windows\system32\Oaifpi32.exe | PID 2488
  - Executes dropped EXE
  - Modifies registry class
level 59: C:\Windows\SysWOW64\Offnhpfo.exe | command line: C:\Windows\system32\Offnhpfo.exe | PID 4384
  - Executes dropped EXE
level 60: C:\Windows\SysWOW64\Ojdgnn32.exe | command line: C:\Windows\system32\Ojdgnn32.exe | PID 32
  - Executes dropped EXE
level 61: C:\Windows\SysWOW64\Ofmdio32.exe | command line: C:\Windows\system32\Ofmdio32.exe | PID 1564
  - Executes dropped EXE
  - Drops file in System32 directory
level 62: C:\Windows\SysWOW64\Pjkmomfn.exe | command line: C:\Windows\system32\Pjkmomfn.exe | PID 2112
  - Executes dropped EXE
  - Modifies registry class
level 63: C:\Windows\SysWOW64\Pjmjdm32.exe | command line: C:\Windows\system32\Pjmjdm32.exe | PID 744
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
level 64: C:\Windows\SysWOW64\Pplobcpp.exe | command line: C:\Windows\system32\Pplobcpp.exe | PID 4100
  - Executes dropped EXE
level 65: C:\Windows\SysWOW64\Pfiddm32.exe | command line: C:\Windows\system32\Pfiddm32.exe | PID 1808
  - Executes dropped EXE
level 66: C:\Windows\SysWOW64\Ppahmb32.exe | command line: C:\Windows\system32\Ppahmb32.exe | PID 988
level 67: C:\Windows\SysWOW64\Qjiipk32.exe | command line: C:\Windows\system32\Qjiipk32.exe | PID 4208
level 68: C:\Windows\SysWOW64\Akkffkhk.exe | command line: C:\Windows\system32\Akkffkhk.exe | PID 3160
level 69: C:\Windows\SysWOW64\Aknbkjfh.exe | command line: C:\Windows\system32\Aknbkjfh.exe | PID 2984
level 70: C:\Windows\SysWOW64\Apjkcadp.exe | command line: C:\Windows\system32\Apjkcadp.exe | PID 316
level 71: C:\Windows\SysWOW64\Ahdpjn32.exe | command line: C:\Windows\system32\Ahdpjn32.exe | PID 3132
level 72: C:\Windows\SysWOW64\Amqhbe32.exe | command line: C:\Windows\system32\Amqhbe32.exe | PID 3632
  - Drops file in System32 directory
level 73: C:\Windows\SysWOW64\Agimkk32.exe | command line: C:\Windows\system32\Agimkk32.exe | PID 2036
level 74: C:\Windows\SysWOW64\Aaoaic32.exe | command line: C:\Windows\system32\Aaoaic32.exe | PID 4344
level 75: C:\Windows\SysWOW64\Bkgeainn.exe | command line: C:\Windows\system32\Bkgeainn.exe | PID 5164
level 76: C:\Windows\SysWOW64\Bdojjo32.exe | command line: C:\Windows\system32\Bdojjo32.exe | PID 5244
level 77: C:\Windows\SysWOW64\Bmhocd32.exe | command line: C:\Windows\system32\Bmhocd32.exe | PID 5288
  - Modifies registry class
level 78: C:\Windows\SysWOW64\Bdagpnbk.exe | command line: C:\Windows\system32\Bdagpnbk.exe | PID 5328
  - Modifies registry class
level 79: C:\Windows\SysWOW64\Bmjkic32.exe | command line: C:\Windows\system32\Bmjkic32.exe | PID 5376
level 80: C:\Windows\SysWOW64\Bnlhncgi.exe | command line: C:\Windows\system32\Bnlhncgi.exe | PID 5420
  - Drops file in System32 directory
level 81: C:\Windows\SysWOW64\Bhblllfo.exe | command line: C:\Windows\system32\Bhblllfo.exe | PID 5468
level 82: C:\Windows\SysWOW64\Cdimqm32.exe | command line: C:\Windows\system32\Cdimqm32.exe | PID 5524
level 83: C:\Windows\SysWOW64\Cammjakm.exe | command line: C:\Windows\system32\Cammjakm.exe | PID 5564
level 84: C:\Windows\SysWOW64\Caojpaij.exe | command line: C:\Windows\system32\Caojpaij.exe | PID 5608
  - Drops file in System32 directory
level 85: C:\Windows\SysWOW64\Cdpcal32.exe | command line: C:\Windows\system32\Cdpcal32.exe | PID 5652
level 86: C:\Windows\SysWOW64\Cdbpgl32.exe | command line: C:\Windows\system32\Cdbpgl32.exe | PID 5692
level 87: C:\Windows\SysWOW64\Dojqjdbl.exe | command line: C:\Windows\system32\Dojqjdbl.exe | PID 5736
level 88: C:\Windows\SysWOW64\Dolmodpi.exe | command line: C:\Windows\system32\Dolmodpi.exe | PID 5780
  - Drops file in System32 directory
level 89: C:\Windows\SysWOW64\Dkcndeen.exe | command line: C:\Windows\system32\Dkcndeen.exe | PID 5828
level 90: C:\Windows\SysWOW64\Dbocfo32.exe | command line: C:\Windows\system32\Dbocfo32.exe | PID 5868
level 91: C:\Windows\SysWOW64\Edplhjhi.exe | command line: C:\Windows\system32\Edplhjhi.exe | PID 5912
level 92: C:\Windows\SysWOW64\Eqgmmk32.exe | command line: C:\Windows\system32\Eqgmmk32.exe | PID 5952
level 93: C:\Windows\SysWOW64\Enkmfolf.exe | command line: C:\Windows\system32\Enkmfolf.exe | PID 5996
level 94: C:\Windows\SysWOW64\Ebifmm32.exe | command line: C:\Windows\system32\Ebifmm32.exe | PID 6040
level 95: C:\Windows\SysWOW64\Edionhpn.exe | command line: C:\Windows\system32\Edionhpn.exe | PID 6080
  - Modifies registry class
level 96: C:\Windows\SysWOW64\Fgjhpcmo.exe | command line: C:\Windows\system32\Fgjhpcmo.exe | PID 6124
level 97: C:\Windows\SysWOW64\Fqbliicp.exe | command line: C:\Windows\system32\Fqbliicp.exe | PID 5160
level 98: C:\Windows\SysWOW64\Fbbicl32.exe | command line: C:\Windows\system32\Fbbicl32.exe | PID 5276
level 99: C:\Windows\SysWOW64\Fkjmlaac.exe | command line: C:\Windows\system32\Fkjmlaac.exe | PID 5372
level 100: C:\Windows\SysWOW64\Finnef32.exe | command line: C:\Windows\system32\Finnef32.exe | PID 5508
level 101: C:\Windows\SysWOW64\Ganldgib.exe | command line: C:\Windows\system32\Ganldgib.exe | PID 5572
level 102: C:\Windows\SysWOW64\Gpaihooo.exe | command line: C:\Windows\system32\Gpaihooo.exe | PID 5648
level 103: C:\Windows\SysWOW64\Glhimp32.exe | command line: C:\Windows\system32\Glhimp32.exe | PID 5716
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
level 104: C:\Windows\SysWOW64\Hlkfbocp.exe | command line: C:\Windows\system32\Hlkfbocp.exe | PID 5772
  - Adds autorun key to be loaded by Explorer.exe on startup
level 105: C:\Windows\SysWOW64\Hnlodjpa.exe | command line: C:\Windows\system32\Hnlodjpa.exe | PID 5844
level 106: C:\Windows\SysWOW64\Hlppno32.exe | command line: C:\Windows\system32\Hlppno32.exe | PID 5904
  - Adds autorun key to be loaded by Explorer.exe on startup
level 107: C:\Windows\SysWOW64\Hhfpbpdo.exe | command line: C:\Windows\system32\Hhfpbpdo.exe | PID 5988
level 108: C:\Windows\SysWOW64\Hnbeeiji.exe | command line: C:\Windows\system32\Hnbeeiji.exe | PID 6048
  - Adds autorun key to be loaded by Explorer.exe on startup
level 109: C:\Windows\SysWOW64\Iacngdgj.exe | command line: C:\Windows\system32\Iacngdgj.exe | PID 6112
level 110: C:\Windows\SysWOW64\Iojkeh32.exe | command line: C:\Windows\system32\Iojkeh32.exe | PID 5280
level 111: C:\Windows\SysWOW64\Iajdgcab.exe | command line: C:\Windows\system32\Iajdgcab.exe | PID 5408
level 112: C:\Windows\SysWOW64\Ibjqaf32.exe | command line: C:\Windows\system32\Ibjqaf32.exe | PID 5556
  - Drops file in System32 directory
level 113: C:\Windows\SysWOW64\Jifecp32.exe | command line: C:\Windows\system32\Jifecp32.exe | PID 5640
level 114: C:\Windows\SysWOW64\Jihbip32.exe | command line: C:\Windows\system32\Jihbip32.exe | PID 5776
level 115: C:\Windows\SysWOW64\Jhnojl32.exe | command line: C:\Windows\system32\Jhnojl32.exe | PID 5852
level 116: C:\Windows\SysWOW64\Jimldogg.exe | command line: C:\Windows\system32\Jimldogg.exe | PID 5936
level 117: C:\Windows\SysWOW64\Kpiqfima.exe | command line: C:\Windows\system32\Kpiqfima.exe | PID 6064
level 118: C:\Windows\SysWOW64\Kheekkjl.exe | command line: C:\Windows\system32\Kheekkjl.exe | PID 5232
  - Drops file in System32 directory
level 119: C:\Windows\SysWOW64\Keifdpif.exe | command line: C:\Windows\system32\Keifdpif.exe | PID 5460
level 120: C:\Windows\SysWOW64\Khiofk32.exe | command line: C:\Windows\system32\Khiofk32.exe | PID 5720
  - Drops file in System32 directory
level 121: C:\Windows\SysWOW64\Khlklj32.exe | command line: C:\Windows\system32\Khlklj32.exe | PID 6024
  - Modifies registry class
level 122: C:\Windows\SysWOW64\Likhem32.exe | command line: C:\Windows\system32\Likhem32.exe | PID 5312
level 123: C:\Windows\SysWOW64\Lindkm32.exe | command line: C:\Windows\system32\Lindkm32.exe | PID 5812
level 124: C:\Windows\SysWOW64\Ledepn32.exe | command line: C:\Windows\system32\Ledepn32.exe | PID 5724
level 125: C:\Windows\SysWOW64\Lchfib32.exe | command line: C:\Windows\system32\Lchfib32.exe | PID 6164
level 126: C:\Windows\SysWOW64\Loofnccf.exe | command line: C:\Windows\system32\Loofnccf.exe | PID 6224
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
level 127: C:\Windows\SysWOW64\Lcmodajm.exe | command line: C:\Windows\system32\Lcmodajm.exe | PID 6268
level 128: C:\Windows\SysWOW64\Modpib32.exe | command line: C:\Windows\system32\Modpib32.exe | PID 6312
level 129: C:\Windows\SysWOW64\Mfpell32.exe | command line: C:\Windows\system32\Mfpell32.exe | PID 6376
level 130: C:\Windows\SysWOW64\Mjnnbk32.exe | command line: C:\Windows\system32\Mjnnbk32.exe | PID 6420
  - Modifies registry class
level 131: C:\Windows\SysWOW64\Nqmojd32.exe | command line: C:\Windows\system32\Nqmojd32.exe | PID 6468
level 132: C:\Windows\SysWOW64\Nmcpoedn.exe | command line: C:\Windows\system32\Nmcpoedn.exe | PID 6516
level 133: C:\Windows\SysWOW64\Nijqcf32.exe | command line: C:\Windows\system32\Nijqcf32.exe | PID 6556
level 134: C:\Windows\SysWOW64\Nfnamjhk.exe | command line: C:\Windows\system32\Nfnamjhk.exe | PID 6608
  - Modifies registry class
level 135: C:\Windows\SysWOW64\Nofefp32.exe | command line: C:\Windows\system32\Nofefp32.exe | PID 6656
level 136: C:\Windows\SysWOW64\Nmjfodne.exe | command line: C:\Windows\system32\Nmjfodne.exe | PID 6720
level 137: C:\Windows\SysWOW64\Oiagde32.exe | command line: C:\Windows\system32\Oiagde32.exe | PID 6764
  - Drops file in System32 directory
level 138: C:\Windows\SysWOW64\Oqklkbbi.exe | command line: C:\Windows\system32\Oqklkbbi.exe | PID 6820
  - Drops file in System32 directory
level 139: C:\Windows\SysWOW64\Omalpc32.exe | command line: C:\Windows\system32\Omalpc32.exe | PID 6868
level 140: C:\Windows\SysWOW64\Ojemig32.exe | command line: C:\Windows\system32\Ojemig32.exe | PID 6916
level 141: C:\Windows\SysWOW64\Ojhiogdd.exe | command line: C:\Windows\system32\Ojhiogdd.exe | PID 6960
level 142: C:\Windows\SysWOW64\Pfojdh32.exe | command line: C:\Windows\system32\Pfojdh32.exe | PID 7008
level 143: C:\Windows\SysWOW64\Ppgomnai.exe | command line: C:\Windows\system32\Ppgomnai.exe | PID 7060
level 144: C:\Windows\SysWOW64\Pcegclgp.exe | command line: C:\Windows\system32\Pcegclgp.exe | PID 7104
level 145: C:\Windows\SysWOW64\Pidlqb32.exe | command line: C:\Windows\system32\Pidlqb32.exe | PID 7160
level 146: C:\Windows\SysWOW64\Pblajhje.exe | command line: C:\Windows\system32\Pblajhje.exe | PID 6216
  - Adds autorun key to be loaded by Explorer.exe on startup
level 147: C:\Windows\SysWOW64\Qclmck32.exe | command line: C:\Windows\system32\Qclmck32.exe | PID 6300
level 148: C:\Windows\SysWOW64\Qiiflaoo.exe | command line: C:\Windows\system32\Qiiflaoo.exe | PID 6348
level 149: C:\Windows\SysWOW64\Qcnjijoe.exe | command line: C:\Windows\system32\Qcnjijoe.exe | PID 6428
level 150: C:\Windows\SysWOW64\Qikbaaml.exe | command line: C:\Windows\system32\Qikbaaml.exe | PID 6500
  - Modifies registry class
level 151: C:\Windows\SysWOW64\Apggckbf.exe | command line: C:\Windows\system32\Apggckbf.exe | PID 6576
level 152: C:\Windows\SysWOW64\Aiplmq32.exe | command line: C:\Windows\system32\Aiplmq32.exe | PID 6620
  - Drops file in System32 directory
level 153: C:\Windows\SysWOW64\Aibibp32.exe | command line: C:\Windows\system32\Aibibp32.exe | PID 6728
level 154: C:\Windows\SysWOW64\Adjjeieh.exe | command line: C:\Windows\system32\Adjjeieh.exe | PID 6792
level 155: C:\Windows\SysWOW64\Bdlfjh32.exe | command line: C:\Windows\system32\Bdlfjh32.exe | PID 6856
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
level 156: C:\Windows\SysWOW64\Bjhkmbho.exe | command line: C:\Windows\system32\Bjhkmbho.exe | PID 6924
level 157: C:\Windows\SysWOW64\Baepolni.exe | command line: C:\Windows\system32\Baepolni.exe | PID 6992
  - Modifies registry class
level 158: C:\Windows\SysWOW64\Bfaigclq.exe | command line: C:\Windows\system32\Bfaigclq.exe | PID 7068
level 159: C:\Windows\SysWOW64\Bmladm32.exe | command line: C:\Windows\system32\Bmladm32.exe | PID 7124
level 160: C:\Windows\SysWOW64\Bbhildae.exe | command line: C:\Windows\system32\Bbhildae.exe | PID 6188
  - Adds autorun key to be loaded by Explorer.exe on startup
level 161: C:\Windows\SysWOW64\Cajjjk32.exe | command line: C:\Windows\system32\Cajjjk32.exe | PID 6304
  - Drops file in System32 directory
level 162: C:\Windows\SysWOW64\Cbkfbcpb.exe | command line: C:\Windows\system32\Cbkfbcpb.exe | PID 6416
  - Drops file in System32 directory
level 163: C:\Windows\SysWOW64\Cmpjoloh.exe | command line: C:\Windows\system32\Cmpjoloh.exe | PID 3284
level 164: C:\Windows\SysWOW64\Ckdkhq32.exe | command line: C:\Windows\system32\Ckdkhq32.exe | PID 3796
level 165: C:\Windows\SysWOW64\Cancekeo.exe | command line: C:\Windows\system32\Cancekeo.exe | PID 6596
level 166: C:\Windows\SysWOW64\Cgklmacf.exe | command line: C:\Windows\system32\Cgklmacf.exe | PID 6756
  - Adds autorun key to be loaded by Explorer.exe on startup
level 167: C:\Windows\SysWOW64\Caqpkjcl.exe | command line: C:\Windows\system32\Caqpkjcl.exe | PID 6832
level 168: C:\Windows\SysWOW64\Cgmhcaac.exe | command line: C:\Windows\system32\Cgmhcaac.exe | PID 6952
level 169: C:\Windows\SysWOW64\Cpfmlghd.exe | command line: C:\Windows\system32\Cpfmlghd.exe | PID 7040
  - Drops file in System32 directory
level 170: C:\Windows\SysWOW64\Dkkaiphj.exe | command line: C:\Windows\system32\Dkkaiphj.exe | PID 7152
level 171: C:\Windows\SysWOW64\Dphiaffa.exe | command line: C:\Windows\system32\Dphiaffa.exe | PID 6260
  - Modifies registry class
level 172: C:\Windows\SysWOW64\Dknnoofg.exe | command line: C:\Windows\system32\Dknnoofg.exe | PID 3616
  - Adds autorun key to be loaded by Explorer.exe on startup
level 173: C:\Windows\SysWOW64\Ddfbgelh.exe | command line: C:\Windows\system32\Ddfbgelh.exe | PID 6548
  - Adds autorun key to be loaded by Explorer.exe on startup
level 174: C:\Windows\SysWOW64\Dnngpj32.exe | command line: C:\Windows\system32\Dnngpj32.exe | PID 6784
  - Adds autorun key to be loaded by Explorer.exe on startup
level 175: C:\Windows\SysWOW64\Dggkipii.exe | command line: C:\Windows\system32\Dggkipii.exe | PID 6852
level 176: C:\Windows\SysWOW64\Dncpkjoc.exe | command line: C:\Windows\system32\Dncpkjoc.exe | PID 7076
  - Modifies registry class
level 177: C:\Windows\SysWOW64\Egkddo32.exe | command line: C:\Windows\system32\Egkddo32.exe | PID 6160
level 178: C:\Windows\SysWOW64\Eaaiahei.exe | command line: C:\Windows\system32\Eaaiahei.exe | PID 4360
level 179: C:\Windows\SysWOW64\Egnajocq.exe | command line: C:\Windows\system32\Egnajocq.exe | PID 6664
  - Adds autorun key to be loaded by Explorer.exe on startup
level 180: C:\Windows\SysWOW64\Edaaccbj.exe | command line: C:\Windows\system32\Edaaccbj.exe | PID 7028
  - Drops file in System32 directory
level 181: C:\Windows\SysWOW64\Eafbmgad.exe | command line: C:\Windows\system32\Eafbmgad.exe | PID 6900
level 182: C:\Windows\SysWOW64\Eahobg32.exe | command line: C:\Windows\system32\Eahobg32.exe | PID 6580
  - Adds autorun key to be loaded by Explorer.exe on startup
level 183: C:\Windows\SysWOW64\Ejccgi32.exe | command line: C:\Windows\system32\Ejccgi32.exe | PID 7020
  - Adds autorun key to be loaded by Explorer.exe on startup
level 184: C:\Windows\SysWOW64\Fkcpql32.exe | command line: C:\Windows\system32\Fkcpql32.exe | PID 4084
  - Modifies registry class
level 185: C:\Windows\SysWOW64\Fgiaemic.exe | command line: C:\Windows\system32\Fgiaemic.exe | PID 1444
level 186: C:\Windows\SysWOW64\Fcpakn32.exe | command line: C:\Windows\system32\Fcpakn32.exe | PID 6704
level 187: C:\Windows\SysWOW64\Fgnjqm32.exe | command line: C:\Windows\system32\Fgnjqm32.exe | PID 4952
level 188: C:\Windows\SysWOW64\Fjocbhbo.exe | command line: C:\Windows\system32\Fjocbhbo.exe | PID 6588
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
level 189: C:\Windows\SysWOW64\Ggccllai.exe | command line: C:\Windows\system32\Ggccllai.exe | PID 6600
level 190: C:\Windows\SysWOW64\Gcjdam32.exe | command line: C:\Windows\system32\Gcjdam32.exe | PID 7200
  - Drops file in System32 directory
level 191: C:\Windows\SysWOW64\Gclafmej.exe | command line: C:\Windows\system32\Gclafmej.exe | PID 7248
  - Modifies registry class
level 192: C:\Windows\SysWOW64\Ggjjlk32.exe | command line: C:\Windows\system32\Ggjjlk32.exe | PID 7292
  - Adds autorun key to be loaded by Explorer.exe on startup
level 193: C:\Windows\SysWOW64\Gbbkocid.exe | command line: C:\Windows\system32\Gbbkocid.exe | PID 7340
level 194: C:\Windows\SysWOW64\Hnhkdd32.exe | command line: C:\Windows\system32\Hnhkdd32.exe | PID 7384
level 195: C:\Windows\SysWOW64\Hnkhjdle.exe | command line: C:\Windows\system32\Hnkhjdle.exe | PID 7432
level 196: C:\Windows\SysWOW64\Hjaioe32.exe | command line: C:\Windows\system32\Hjaioe32.exe | PID 7480
  - Drops file in System32 directory
level 197: C:\Windows\SysWOW64\Hkaeih32.exe | command line: C:\Windows\system32\Hkaeih32.exe | PID 7536
level 198: C:\Windows\SysWOW64\Hjfbjdnd.exe | command line: C:\Windows\system32\Hjfbjdnd.exe | PID 7592
  - Modifies registry class
level 199: C:\Windows\SysWOW64\Ilfodgeg.exe | command line: C:\Windows\system32\Ilfodgeg.exe | PID 7656
  - Drops file in System32 directory
level 200: C:\Windows\SysWOW64\Ibbcfa32.exe | command line: C:\Windows\system32\Ibbcfa32.exe | PID 7708
level 201: C:\Windows\SysWOW64\Ijmhkchl.exe | command line: C:\Windows\system32\Ijmhkchl.exe | PID 7768
level 202: C:\Windows\SysWOW64\Ihaidhgf.exe | command line: C:\Windows\system32\Ihaidhgf.exe | PID 7812
level 203: C:\Windows\SysWOW64\Inkaqb32.exe | command line: C:\Windows\system32\Inkaqb32.exe | PID 7856
level 204: C:\Windows\SysWOW64\Ijbbfc32.exe | command line: C:\Windows\system32\Ijbbfc32.exe | PID 7900
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
level 205: C:\Windows\SysWOW64\Jnpjlajn.exe | command line: C:\Windows\system32\Jnpjlajn.exe | PID 7948
level 206: C:\Windows\SysWOW64\Jdmcdhhe.exe | command line: C:\Windows\system32\Jdmcdhhe.exe | PID 8000
level 207: C:\Windows\SysWOW64\Jhkljfok.exe | command line: C:\Windows\system32\Jhkljfok.exe | PID 8048
level 208: C:\Windows\SysWOW64\Jeolckne.exe | command line: C:\Windows\system32\Jeolckne.exe | PID 8100
level 209: C:\Windows\SysWOW64\Jhoeef32.exe | command line: C:\Windows\system32\Jhoeef32.exe | PID 8144
level 210: C:\Windows\SysWOW64\Keceoj32.exe | command line: C:\Windows\system32\Keceoj32.exe | PID 8188
  - Modifies registry class
level 211: C:\Windows\SysWOW64\Klmnkdal.exe | command line: C:\Windows\system32\Klmnkdal.exe | PID 7232
level 212: C:\Windows\SysWOW64\Kefbdjgm.exe | command line: C:\Windows\system32\Kefbdjgm.exe | PID 7312
  - Drops file in System32 directory
level 213: C:\Windows\SysWOW64\Kdkoef32.exe | command line: C:\Windows\system32\Kdkoef32.exe | PID 7376
  - Modifies registry class
level 214: C:\Windows\SysWOW64\Kblpcndd.exe | command line: C:\Windows\system32\Kblpcndd.exe | PID 7440
level 215: C:\Windows\SysWOW64\Kbnlim32.exe | command line: C:\Windows\system32\Kbnlim32.exe | PID 2572
level 216: C:\Windows\SysWOW64\Leoejh32.exe | command line: C:\Windows\system32\Leoejh32.exe | PID 7584
level 217: C:\Windows\SysWOW64\Laffpi32.exe | command line: C:\Windows\system32\Laffpi32.exe | PID 7636
level 218: C:\Windows\SysWOW64\Lbhool32.exe | command line: C:\Windows\system32\Lbhool32.exe | PID 4936
level 219: C:\Windows\SysWOW64\Lehhqg32.exe | command line: C:\Windows\system32\Lehhqg32.exe | PID 7800
  - Drops file in System32 directory
level 220: C:\Windows\SysWOW64\Mclhjkfa.exe | command line: C:\Windows\system32\Mclhjkfa.exe | PID 7864
level 221: C:\Windows\SysWOW64\Mkgmoncl.exe | command line: C:\Windows\system32\Mkgmoncl.exe | PID 7928
level 222: C:\Windows\SysWOW64\Mdpagc32.exe | command line: C:\Windows\system32\Mdpagc32.exe | PID 8008
level 223: C:\Windows\SysWOW64\Moefdljc.exe | command line: C:\Windows\system32\Moefdljc.exe | PID 8092
level 224: C:\Windows\SysWOW64\Mdbnmbhj.exe | command line: C:\Windows\system32\Mdbnmbhj.exe | PID 8168
  - Drops file in System32 directory
  - Modifies registry class
level 225: C:\Windows\SysWOW64\Mafofggd.exe | command line: C:\Windows\system32\Mafofggd.exe | PID 7216
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  - Modifies registry class
level 226: C:\Windows\SysWOW64\Mllccpfj.exe | command line: C:\Windows\system32\Mllccpfj.exe | PID 7336
level 227: C:\Windows\SysWOW64\Mahklf32.exe | command line: C:\Windows\system32\Mahklf32.exe | PID 7452
  - Adds autorun key to be loaded by Explorer.exe on startup
level 228: C:\Windows\SysWOW64\Ndidna32.exe | command line: C:\Windows\system32\Ndidna32.exe | PID 7580
level 229: C:\Windows\SysWOW64\Namegfql.exe | command line: C:\Windows\system32\Namegfql.exe | PID 7640
level 230: C:\Windows\SysWOW64\Nhgmcp32.exe | command line: C:\Windows\system32\Nhgmcp32.exe | PID 7756
  - Drops file in System32 directory
level 231: C:\Windows\SysWOW64\Noaeqjpe.exe | command line: C:\Windows\system32\Noaeqjpe.exe | PID 7896
level 232: C:\Windows\SysWOW64\Nfknmd32.exe | command line: C:\Windows\system32\Nfknmd32.exe | PID 8032
level 233: C:\Windows\SysWOW64\Nlefjnno.exe | command line: C:\Windows\system32\Nlefjnno.exe | PID 8108
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
level 234: C:\Windows\SysWOW64\Nconfh32.exe | command line: C:\Windows\system32\Nconfh32.exe | PID 7192
level 235: C:\Windows\SysWOW64\Ndpjnq32.exe | command line: C:\Windows\system32\Ndpjnq32.exe | PID 7368
level 236: C:\Windows\SysWOW64\Ncaklhdi.exe | command line: C:\Windows\system32\Ncaklhdi.exe | PID 4024
level 237: C:\Windows\SysWOW64\Ohncdobq.exe | command line: C:\Windows\system32\Ohncdobq.exe | PID 7680
  - Drops file in System32 directory
level 238: C:\Windows\SysWOW64\Oohkai32.exe | command line: C:\Windows\system32\Oohkai32.exe | PID 7876
level 239: C:\Windows\SysWOW64\Ofbdncaj.exe | command line: C:\Windows\system32\Ofbdncaj.exe | PID 1388
level 240: C:\Windows\SysWOW64\Obidcdfo.exe | command line: C:\Windows\system32\Obidcdfo.exe | PID 7228
level 241: C:\Windows\SysWOW64\Oloipmfd.exe | command line: C:\Windows\system32\Oloipmfd.exe | PID 3900
level 242: C:\Windows\SysWOW64\Odjmdocp.exe | command line: C:\Windows\system32\Odjmdocp.exe | PID 7648