Analysis
max time kernel: 122s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-05-2024 13:52

Behavioral tasks
behavioral1: sample ceeb2b3593d400d3bbbd30c8ae00efe0_NeikiAnalytics.exe, resource win7-20240221-en
behavioral2: sample ceeb2b3593d400d3bbbd30c8ae00efe0_NeikiAnalytics.exe, resource win10v2004-20240226-en (the run this report shows)

General
Target: ceeb2b3593d400d3bbbd30c8ae00efe0_NeikiAnalytics.exe
Size: 1.6MB
MD5: ceeb2b3593d400d3bbbd30c8ae00efe0
SHA1: 705da7e8c2c1244f54abb8ad2da646026c832b67
SHA256: 11755b584c3f24787a7e9fb8d47b824d7983fac511d291db66de375df29f4e30
SHA512: f470811593788f6093311c6141763172f615c42017d25096d91d12b7e2cef1d26fa2d6718e2bf2297097f1df4f38e2f7ff843405ed684f7e011bb7ba5fa8bdd2
SSDEEP: 24576:kTTSwwL2vzecI50+YNpsKv2EvZHp3oWB+:uTSwwL2vKcIKLXZ3+
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Every IoC in this group touches one key, HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (SSODL). Explorer.exe instantiates each CLSID listed under SSODL as an in-process shell service object when it starts, so a value here is an autorun entry without anything appearing under the Run keys. The writes land in the WOW6432Node view because the sample and its drops are 32-bit processes on an x64 host (resource tag arch:x86, drops in SysWOW64), so their HKLM\SOFTWARE writes are redirected; when hunting on a host check both the native and the WOW6432Node key. The CLSID itself is registered in the "Modifies registry class" group below.

Set value (str) SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}", written by 33 dropped processes:
  Biljib32.exe, Nhhlog32.exe, Pccahbmn.exe, Mnapnl32.exe, Lbebilli.exe, Alpnde32.exe, Mmlphfed.exe, Kmmedi32.exe,
  Bclppboi.exe, Ikmepj32.exe, Ifpemmdd.exe, Gihpkd32.exe, Ijadljdg.exe, Hkaeih32.exe, Jhdcmf32.exe, Ibdplaho.exe,
  Gonilenb.exe, Cpipkl32.exe, Ecefjckj.exe, Bjfogbjb.exe, Mdnlkl32.exe, Niihlkdm.exe, Imbaobmp.exe, Gheodg32.exe,
  Aeopfl32.exe, Fjnjjlog.exe, Lgmnqmam.exe, Djoohk32.exe, Dpcpei32.exe, Gkhbbi32.exe, Pignccea.exe, Aopmpq32.exe,
  Bjmnho32.exe

Key created SSODL, by 31 dropped processes (Jhdcmf32.exe and Gonilenb.exe appear in both lists):
  Iakajagl.exe, Lechkaga.exe, Njcpok32.exe, Jhdcmf32.exe, Fjlmdmqj.exe, Kpeibdfp.exe, Gonilenb.exe, Klddgfbl.exe,
  Kmegkp32.exe, Bodfkpfg.exe, Dekapfke.exe, Bnppkj32.exe, Fgencf32.exe, Mnpice32.exe, Iojgkbib.exe, Cibkohef.exe,
  Ogajid32.exe, Dfphmp32.exe, Kaihonhl.exe, Fidbgm32.exe, Dhejij32.exe, Eoollocp.exe, Lbmqmi32.exe, Hnddqp32.exe,
  Oianmm32.exe, Fkcibnmd.exe, Ojkepmqp.exe, Amjbbfgo.exe, Hpgkeodo.exe, Mgngih32.exe, Jbieebha.exe
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan that can download and install further malicious software, such as other Trojans, ransomware and cryptominers.
YARA rule family_berbew matched 64 dropped files, all under C:\Windows\SysWOW64\; these are the stages executed one after another in the groups below:
  Nqpcjj32.exe, Ombcji32.exe, Opclldhj.exe, Pccahbmn.exe, Pdmdnadc.exe, Amjbbfgo.exe, Bdmmeo32.exe, Bkphhgfc.exe,
  Cdkifmjq.exe, Dahmfpap.exe, Ddifgk32.exe, Ebfign32.exe, Edgbii32.exe, Gpmomo32.exe, Gihpkd32.exe, Haaaaeim.exe,
  Ilibdmgp.exe, Jemfhacc.exe, Jllhpkfk.exe, Klekfinp.exe, Lpepbgbd.exe, Mhjhmhhd.exe, Mokfja32.exe, Nqoloc32.exe,
  Ocdnln32.exe, Ojemig32.exe, Ppgomnai.exe, Pbjddh32.exe, Qapnmopa.exe, Afockelf.exe, Aibibp32.exe, Bjfogbjb.exe,
  Cdhffg32.exe, Dggkipii.exe, Eaceghcg.exe, Egegjn32.exe, Gcnnllcg.exe, Ibnjkbog.exe, Ieeimlep.exe, Jlfhke32.exe,
  Lbebilli.exe, Mkepineo.exe, Mdbnmbhj.exe, Nofoki32.exe, Ocfdgg32.exe, Pcfmneaa.exe, Aehbmk32.exe, Bcnleb32.exe,
  Bfoegm32.exe, Cibkohef.exe, Dpjompqc.exe, Flfbcndo.exe, Fpfholhc.exe, Gflcnanp.exe, Hnokjm32.exe, Japmcfcc.exe,
  Khcgfo32.exe, Lacbpccn.exe, Ohbfeh32.exe, Qnpgdmjd.exe, Afkipi32.exe, Bnppkj32.exe, Cnebmgjj.exe, Diamko32.exe
Executes dropped EXE (64 IoCs)
pid and image, in the order the stages were started (the first entries are the same order as the spawn chain in the WriteProcessMemory group below):
  4996 Nqpcjj32.exe
  2108 Ombcji32.exe
  2184 Opclldhj.exe
  4428 Pccahbmn.exe
  3000 Pdmdnadc.exe
  2284 Amjbbfgo.exe
  4900 Bdmmeo32.exe
  916 Bkphhgfc.exe
  3660 Cdkifmjq.exe
  2124 Dahmfpap.exe
  368 Ddifgk32.exe
  3452 Ebfign32.exe
  5032 Edgbii32.exe
  948 Gpmomo32.exe
  1464 Gihpkd32.exe
  5044 Haaaaeim.exe
  4484 Ilibdmgp.exe
  4252 Jemfhacc.exe
  1392 Jllhpkfk.exe
  2596 Klekfinp.exe
  2288 Lpepbgbd.exe
  3044 Mhjhmhhd.exe
  1336 Mokfja32.exe
  3992 Nqoloc32.exe
  2280 Ocdnln32.exe
  2308 Ojemig32.exe
  4348 Ppgomnai.exe
  2100 Pbjddh32.exe
  1368 Qapnmopa.exe
  1292 Afockelf.exe
  4568 Aibibp32.exe
  2004 Bjfogbjb.exe
  4516 Cdhffg32.exe
  4656 Cigkdmel.exe
  4988 Ckidcpjl.exe
  1684 Dpjfgf32.exe
  1480 Dnngpj32.exe
  2864 Dggkipii.exe
  2988 Dkedonpo.exe
  3676 Enemaimp.exe
  3580 Eaceghcg.exe
  396 Ephbhd32.exe
  3372 Egegjn32.exe
  2192 Fdkdibjp.exe
  1468 Fqbeoc32.exe
  4324 Fkgillpj.exe
  2992 Fkjfakng.exe
  4660 Fcekfnkb.exe
  1456 Fnjocf32.exe
  2324 Gjaphgpl.exe
  3888 Ggepalof.exe
  2572 Gdiakp32.exe
  1616 Gcnnllcg.exe
  4160 Gkhbbi32.exe
  1492 Hnhkdd32.exe
  1268 Hbfdjc32.exe
  1960 Hnmeodjc.exe
  1176 Hkaeih32.exe
  4240 Ibnjkbog.exe
  1828 Infhebbh.exe
  3764 Ibdplaho.exe
  1976 Ieeimlep.exe
  2740 Jjgkab32.exe
  5096 Jlfhke32.exe
Drops file in System32 directory (64 IoCs)
All paths are under C:\Windows\SysWOW64\ (the System32 a 32-bit process sees on x64). The drops are the next .exe stage plus .dll files named in the same scheme as the InProcServer32 targets in the registry-class group; for example Ebfign32.exe creates Edgbii32.exe and Afockelf.exe creates Aibibp32.exe, which are the stages that follow them in the Executes dropped EXE list.

File created (40), as "dropped file by process":
  Plgpjhnf.exe by Pldcdhpi.exe
  Qjfpkhpm.dll by Fnjocf32.exe
  Fkloka32.dll by Hcgjhega.exe
  Chhciafp.dll by Mjfoja32.exe
  Gmclgghc.exe by Foplnb32.exe
  Ahmlaj32.exe by Abpcicpi.exe
  Edgbii32.exe by Ebfign32.exe
  Ckggbk32.dll by Hecadm32.exe
  Cqochl32.dll by Apdkmn32.exe
  Hcgjhega.exe by Hfcinq32.exe
  Lelmqm32.dll by Ifihdi32.exe
  Mcpkmlpo.dll by Akcjel32.exe
  Bcbgkm32.dll by Dlfhhgpp.exe
  Pdgjaf32.dll by Aeeomegd.exe
  Kbbhka32.exe by Jbpkfa32.exe
  Qkjbfi32.dll by Iajbinaf.exe
  Npqplk32.dll by Oianmm32.exe
  Hpacoj32.dll by Pbbgicnd.exe
  Oknplpbh.dll by Fgncff32.exe
  Nlbkjf32.exe by Miabik32.exe
  Bjiqiemm.dll by Knkcmild.exe
  Gbpnedga.dll by Gcimfg32.exe
  Icakofel.exe by Iabodcnj.exe
  Hmbqdiko.dll by Bjcfeola.exe
  Dmgbgf32.exe by Dmefafql.exe
  Dbfpoddf.dll by Elbhde32.exe
  Pelkha32.dll by Khcgfo32.exe
  Eckfaj32.exe by Egeemiml.exe
  Gfamco32.dll by Bdfilkbb.exe
  Fjinnekj.dll by Fqbeoc32.exe
  Oqakln32.exe by Ocmjcjad.exe
  Ammnclcj.exe by Qcbmegol.exe
  Fgppgi32.exe by Fdpgen32.exe
  Ejabgcdp.exe by Emnbmoef.exe
  Aibibp32.exe by Afockelf.exe
  Anmjmojl.exe by Ammnclcj.exe
  Aapkcn32.dll by Bfpkbfdi.exe
  Bdqhfcem.dll by Hkggfe32.exe
  Mejijcea.exe by Micheb32.exe
  Jpojml32.exe by Jbkjcgaj.exe

File opened for modification (24):
  Iepihf32.exe by Ifoijonj.exe
  Idbonc32.exe by Idpbhc32.exe
  Ekcemmgo.exe by Ekahhn32.exe
  Pccahbmn.exe by Opclldhj.exe
  Bodfkpfg.exe by Aihaifam.exe
  Dffmogji.exe by Dfcqjg32.exe
  Flddoa32.exe by Ficlmf32.exe
  Bgkipl32.exe by Bekmei32.exe
  Pgphggpe.exe by Pgmkbg32.exe
  Ilibdmgp.exe by Haaaaeim.exe
  Cnhell32.exe by Bdpqcg32.exe
  Ahmlaj32.exe by Abpcicpi.exe
  Ggepalof.exe by Gjaphgpl.exe
  Emlgedge.exe by Emikpeig.exe
  Dodjemee.exe by Dnqaheai.exe
  Nfhfbedd.exe by Midfiq32.exe
  Gdmmlf32.exe by Ggfombmd.exe
  Lkmihi32.exe by Kgopbj32.exe
  Egjebn32.exe by Ekcemmgo.exe
  Enllgbcl.exe by Egpgehnb.exe
  Eomfae32.exe by Ecfeldcj.exe
  Kfanen32.exe by Kpeibdfp.exe
  Oehldi32.exe by Obgccn32.exe
  Mhbmin32.exe by Mlkldmjf.exe
Modifies registry class (64 IoCs)
All 64 IoCs are under HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32, the COM server registration for the CLSID that the ShellServiceObjectDelayLoad value above names. The key's default value is the DLL Explorer.exe loads for that CLSID; ThreadingModel = "Apartment" is the ordinary single-threaded-apartment setting for a shell object. The SSODL value, this key and the DLL it points at are the complete persistence mechanism, and all three have to be removed together. Each stage points the default value at a different DLL under C:\Windows\SysWow64, so the path found on a live host depends on which stage ran last.

Key created InProcServer32 (20 processes):
  Bcpdidol.exe, Bnclamqe.exe, Ldqfddml.exe, Npmjij32.exe, Ifleji32.exe, Bicjjncd.exe, Oflmnh32.exe, Fkjfakng.exe,
  Coegih32.exe, Bjokno32.exe, Kflnpild.exe, Ihkpgg32.exe, Chpangnk.exe, Ndnnianm.exe, Gdncfl32.exe, Nqpcjj32.exe,
  Jlfhke32.exe, Cjofambd.exe, Gmclgghc.exe, Nockfgao.exe

Set value (str) InProcServer32\ThreadingModel = "Apartment" (27 processes):
  Qhofjbnl.exe, Nofmndkd.exe, Migcpneb.exe, Agkgceeh.exe, Oeicopoo.exe, Bbifobho.exe, Ephbhd32.exe, Hedhoc32.exe,
  Pfenga32.exe, Dabpgbpm.exe, Hcdfho32.exe, Gbhpajlj.exe, Gflcnanp.exe, Pkonbamc.exe, Bnppkj32.exe, Ifjfhh32.exe,
  Mjkiephp.exe, Khlinedh.exe, Dfcqjg32.exe, Oioahn32.exe, Bcjlld32.exe, Pbddobla.exe, Jbieebha.exe, Hpgkeodo.exe,
  Ilpaei32.exe, Falmabki.exe, Eagahnob.exe

Set value (str) InProcServer32\(Default) = DLL path (17 processes; the raw report shows these paths with escaped backslashes):
  Lmneemaq.exe -> C:\Windows\SysWow64\Fndjec32.dll
  Gpodkdll.exe -> C:\Windows\SysWow64\Bmddajlf.dll
  Bgeadjai.exe -> C:\Windows\SysWow64\Mkbdph32.dll
  Dpjfgf32.exe -> C:\Windows\SysWow64\Eemeqinf.dll
  Klddgfbl.exe -> C:\Windows\SysWow64\Mnpaam32.dll
  Canocm32.exe -> C:\Windows\SysWow64\Abmcod32.dll
  Ihgnfnjl.exe -> C:\Windows\SysWow64\Hkpigk32.dll
  Cqiehnml.exe -> C:\Windows\SysWow64\Mhoaqa32.dll
  Kjqfmn32.exe -> C:\Windows\SysWow64\Kmpcpigl.dll
  Lgfojd32.exe -> C:\Windows\SysWow64\Nceonmdp.dll
  Nqoloc32.exe -> C:\Windows\SysWow64\Jdockf32.dll
  Qhofjbnl.exe -> C:\Windows\SysWow64\Befkma32.dll
  Gpmomo32.exe -> C:\Windows\SysWow64\Hclkag32.dll
  Hbcklkee.exe -> C:\Windows\SysWow64\Odadlpdf.dll
  Npbhqj32.exe -> C:\Windows\SysWow64\Lfkmhe32.dll
  Hedhoc32.exe -> C:\Windows\SysWow64\Hoecdo32.dll
  Bjokno32.exe -> C:\Windows\SysWow64\Plmoaa32.dll
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ceeb2b3593d400d3bbbd30c8ae00efe0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\ceeb2b3593d400d3bbbd30c8ae00efe0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:8 -
C:\Windows\SysWOW64\Nqpcjj32.exeC:\Windows\system32\Nqpcjj32.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4996 -
C:\Windows\SysWOW64\Ombcji32.exeC:\Windows\system32\Ombcji32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\Opclldhj.exeC:\Windows\system32\Opclldhj.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Pccahbmn.exeC:\Windows\system32\Pccahbmn.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4428 -
C:\Windows\SysWOW64\Pdmdnadc.exeC:\Windows\system32\Pdmdnadc.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Amjbbfgo.exeC:\Windows\system32\Amjbbfgo.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\Bdmmeo32.exeC:\Windows\system32\Bdmmeo32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4900 -
C:\Windows\SysWOW64\Bkphhgfc.exeC:\Windows\system32\Bkphhgfc.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:916 -
C:\Windows\SysWOW64\Cdkifmjq.exeC:\Windows\system32\Cdkifmjq.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3660 -
C:\Windows\SysWOW64\Dahmfpap.exeC:\Windows\system32\Dahmfpap.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\Ddifgk32.exeC:\Windows\system32\Ddifgk32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:368 -
C:\Windows\SysWOW64\Ebfign32.exeC:\Windows\system32\Ebfign32.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3452 -
C:\Windows\SysWOW64\Edgbii32.exeC:\Windows\system32\Edgbii32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
C:\Windows\SysWOW64\Gpmomo32.exeC:\Windows\system32\Gpmomo32.exe15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:948 -
C:\Windows\SysWOW64\Gihpkd32.exeC:\Windows\system32\Gihpkd32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1464 -
C:\Windows\SysWOW64\Haaaaeim.exeC:\Windows\system32\Haaaaeim.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5044 -
C:\Windows\SysWOW64\Ilibdmgp.exeC:\Windows\system32\Ilibdmgp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
C:\Windows\SysWOW64\Jemfhacc.exeC:\Windows\system32\Jemfhacc.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4252 -
C:\Windows\SysWOW64\Jllhpkfk.exeC:\Windows\system32\Jllhpkfk.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1392 -
C:\Windows\SysWOW64\Klekfinp.exeC:\Windows\system32\Klekfinp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Lpepbgbd.exeC:\Windows\system32\Lpepbgbd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Mhjhmhhd.exeC:\Windows\system32\Mhjhmhhd.exe23⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Mokfja32.exeC:\Windows\system32\Mokfja32.exe24⤵
- Executes dropped EXE
PID:1336 -
C:\Windows\SysWOW64\Nqoloc32.exeC:\Windows\system32\Nqoloc32.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:3992 -
C:\Windows\SysWOW64\Ocdnln32.exeC:\Windows\system32\Ocdnln32.exe26⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Ojemig32.exeC:\Windows\system32\Ojemig32.exe27⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Oflmnh32.exeC:\Windows\system32\Oflmnh32.exe28⤵
- Modifies registry class
PID:4748 -
C:\Windows\SysWOW64\Ppgomnai.exeC:\Windows\system32\Ppgomnai.exe29⤵
- Executes dropped EXE
PID:4348 -
C:\Windows\SysWOW64\Pbjddh32.exeC:\Windows\system32\Pbjddh32.exe30⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Qapnmopa.exeC:\Windows\system32\Qapnmopa.exe31⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Afockelf.exeC:\Windows\system32\Afockelf.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1292 -
C:\Windows\SysWOW64\Aibibp32.exeC:\Windows\system32\Aibibp32.exe33⤵
- Executes dropped EXE
PID:4568 -
C:\Windows\SysWOW64\Bjfogbjb.exeC:\Windows\system32\Bjfogbjb.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Cdhffg32.exeC:\Windows\system32\Cdhffg32.exe35⤵
- Executes dropped EXE
PID:4516 -
C:\Windows\SysWOW64\Cigkdmel.exeC:\Windows\system32\Cigkdmel.exe36⤵
- Executes dropped EXE
PID:4656 -
C:\Windows\SysWOW64\Ckidcpjl.exeC:\Windows\system32\Ckidcpjl.exe37⤵
- Executes dropped EXE
PID:4988 -
C:\Windows\SysWOW64\Dpjfgf32.exeC:\Windows\system32\Dpjfgf32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:1684 -
C:\Windows\SysWOW64\Dnngpj32.exeC:\Windows\system32\Dnngpj32.exe39⤵
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\Dggkipii.exeC:\Windows\system32\Dggkipii.exe40⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Dkedonpo.exeC:\Windows\system32\Dkedonpo.exe41⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Enemaimp.exeC:\Windows\system32\Enemaimp.exe42⤵
- Executes dropped EXE
PID:3676 -
C:\Windows\SysWOW64\Eaceghcg.exeC:\Windows\system32\Eaceghcg.exe43⤵
- Executes dropped EXE
PID:3580 -
C:\Windows\SysWOW64\Ephbhd32.exeC:\Windows\system32\Ephbhd32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:396 -
C:\Windows\SysWOW64\Egegjn32.exeC:\Windows\system32\Egegjn32.exe45⤵
- Executes dropped EXE
PID:3372 -
C:\Windows\SysWOW64\Fdkdibjp.exeC:\Windows\system32\Fdkdibjp.exe46⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Fqbeoc32.exeC:\Windows\system32\Fqbeoc32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1468 -
C:\Windows\SysWOW64\Fkgillpj.exeC:\Windows\system32\Fkgillpj.exe48⤵
- Executes dropped EXE
PID:4324 -
C:\Windows\SysWOW64\Fkjfakng.exeC:\Windows\system32\Fkjfakng.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:2992 -
C:\Windows\SysWOW64\Fcekfnkb.exeC:\Windows\system32\Fcekfnkb.exe50⤵
- Executes dropped EXE
PID:4660 -
C:\Windows\SysWOW64\Fnjocf32.exeC:\Windows\system32\Fnjocf32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1456 -
C:\Windows\SysWOW64\Gjaphgpl.exeC:\Windows\system32\Gjaphgpl.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2324 -
C:\Windows\SysWOW64\Ggepalof.exeC:\Windows\system32\Ggepalof.exe53⤵
- Executes dropped EXE
PID:3888 -
C:\Windows\SysWOW64\Gdiakp32.exeC:\Windows\system32\Gdiakp32.exe54⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Gcnnllcg.exeC:\Windows\system32\Gcnnllcg.exe55⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Gkhbbi32.exeC:\Windows\system32\Gkhbbi32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4160 -
C:\Windows\SysWOW64\Hnhkdd32.exeC:\Windows\system32\Hnhkdd32.exe57⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Hbfdjc32.exeC:\Windows\system32\Hbfdjc32.exe58⤵
- Executes dropped EXE
PID:1268 -
C:\Windows\SysWOW64\Hnmeodjc.exeC:\Windows\system32\Hnmeodjc.exe59⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Hkaeih32.exeC:\Windows\system32\Hkaeih32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1176 -
C:\Windows\SysWOW64\Ibnjkbog.exeC:\Windows\system32\Ibnjkbog.exe61⤵
- Executes dropped EXE
PID:4240 -
C:\Windows\SysWOW64\Infhebbh.exeC:\Windows\system32\Infhebbh.exe62⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Ibdplaho.exeC:\Windows\system32\Ibdplaho.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3764 -
C:\Windows\SysWOW64\Ieeimlep.exeC:\Windows\system32\Ieeimlep.exe64⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Jjgkab32.exeC:\Windows\system32\Jjgkab32.exe65⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Jlfhke32.exeC:\Windows\system32\Jlfhke32.exe66⤵
- Executes dropped EXE
- Modifies registry class
PID:5096 -
C:\Windows\SysWOW64\Koimbpbc.exeC:\Windows\system32\Koimbpbc.exe67⤵PID:572
-
C:\Windows\SysWOW64\Koljgppp.exeC:\Windows\system32\Koljgppp.exe68⤵PID:2716
-
C:\Windows\SysWOW64\Khdoqefq.exeC:\Windows\system32\Khdoqefq.exe69⤵PID:3640
-
C:\Windows\SysWOW64\Kaopoj32.exeC:\Windows\system32\Kaopoj32.exe70⤵PID:536
-
C:\Windows\SysWOW64\Kocphojh.exeC:\Windows\system32\Kocphojh.exe71⤵PID:5124
-
C:\Windows\SysWOW64\Klgqabib.exeC:\Windows\system32\Klgqabib.exe72⤵PID:5164
-
C:\Windows\SysWOW64\Llimgb32.exeC:\Windows\system32\Llimgb32.exe73⤵PID:5232
-
C:\Windows\SysWOW64\Lbebilli.exeC:\Windows\system32\Lbebilli.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5276 -
C:\Windows\SysWOW64\Llpchaqg.exeC:\Windows\system32\Llpchaqg.exe75⤵PID:5316
-
C:\Windows\SysWOW64\Mkepineo.exeC:\Windows\system32\Mkepineo.exe76⤵PID:5356
-
C:\Windows\SysWOW64\Mdpagc32.exeC:\Windows\system32\Mdpagc32.exe77⤵PID:5396
-
C:\Windows\SysWOW64\Mdbnmbhj.exeC:\Windows\system32\Mdbnmbhj.exe78⤵PID:5436
-
C:\Windows\SysWOW64\Mahklf32.exeC:\Windows\system32\Mahklf32.exe79⤵PID:5476
-
C:\Windows\SysWOW64\Nchhfild.exeC:\Windows\system32\Nchhfild.exe80⤵PID:5520
-
C:\Windows\SysWOW64\Namegfql.exeC:\Windows\system32\Namegfql.exe81⤵PID:5560
-
C:\Windows\SysWOW64\Ndnnianm.exeC:\Windows\system32\Ndnnianm.exe82⤵
- Modifies registry class
PID:5604 -
C:\Windows\SysWOW64\Nofoki32.exeC:\Windows\system32\Nofoki32.exe83⤵PID:5648
-
C:\Windows\SysWOW64\Ocfdgg32.exeC:\Windows\system32\Ocfdgg32.exe84⤵PID:5692
-
C:\Windows\SysWOW64\Obkahddl.exeC:\Windows\system32\Obkahddl.exe85⤵PID:5736
-
C:\Windows\SysWOW64\Ooangh32.exeC:\Windows\system32\Ooangh32.exe86⤵PID:5780
-
C:\Windows\SysWOW64\Pbbgicnd.exeC:\Windows\system32\Pbbgicnd.exe87⤵
- Drops file in System32 directory
PID:5824 -
C:\Windows\SysWOW64\Pbddobla.exeC:\Windows\system32\Pbddobla.exe88⤵
- Modifies registry class
PID:5868 -
C:\Windows\SysWOW64\Piaiqlak.exeC:\Windows\system32\Piaiqlak.exe89⤵PID:5916
-
C:\Windows\SysWOW64\Pcfmneaa.exeC:\Windows\system32\Pcfmneaa.exe90⤵PID:5960
-
C:\Windows\SysWOW64\Pbljoafi.exeC:\Windows\system32\Pbljoafi.exe91⤵PID:6020
-
C:\Windows\SysWOW64\Qckfid32.exeC:\Windows\system32\Qckfid32.exe92⤵PID:6092
-
C:\Windows\SysWOW64\Qmckbjdl.exeC:\Windows\system32\Qmckbjdl.exe93⤵PID:3648
-
C:\Windows\SysWOW64\Aeopfl32.exeC:\Windows\system32\Aeopfl32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5216 -
C:\Windows\SysWOW64\Abcppq32.exeC:\Windows\system32\Abcppq32.exe95⤵PID:5348
-
C:\Windows\SysWOW64\Afqifo32.exeC:\Windows\system32\Afqifo32.exe96⤵PID:5460
-
C:\Windows\SysWOW64\Apimodmh.exeC:\Windows\system32\Apimodmh.exe97⤵PID:5512
-
C:\Windows\SysWOW64\Alpnde32.exeC:\Windows\system32\Alpnde32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5600 -
C:\Windows\SysWOW64\Aehbmk32.exeC:\Windows\system32\Aehbmk32.exe99⤵PID:5668
-
C:\Windows\SysWOW64\Bclppboi.exeC:\Windows\system32\Bclppboi.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5680 -
C:\Windows\SysWOW64\Bcnleb32.exeC:\Windows\system32\Bcnleb32.exe101⤵PID:5832
-
C:\Windows\SysWOW64\Bfoegm32.exeC:\Windows\system32\Bfoegm32.exe102⤵PID:5900
-
C:\Windows\SysWOW64\Cpifeb32.exeC:\Windows\system32\Cpifeb32.exe103⤵PID:5940
-
C:\Windows\SysWOW64\Cibkohef.exeC:\Windows\system32\Cibkohef.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6120 -
C:\Windows\SysWOW64\Cbmlmmjd.exeC:\Windows\system32\Cbmlmmjd.exe105⤵PID:5140
-
C:\Windows\SysWOW64\Cboibm32.exeC:\Windows\system32\Cboibm32.exe106⤵PID:5424
-
C:\Windows\SysWOW64\Clgmkbna.exeC:\Windows\system32\Clgmkbna.exe107⤵PID:5528
-
C:\Windows\SysWOW64\Ciknefmk.exeC:\Windows\system32\Ciknefmk.exe108⤵PID:5724
-
C:\Windows\SysWOW64\Dbcbnlcl.exeC:\Windows\system32\Dbcbnlcl.exe109⤵PID:5800
-
C:\Windows\SysWOW64\Dmifkecb.exeC:\Windows\system32\Dmifkecb.exe110⤵PID:5888
-
C:\Windows\SysWOW64\Dfakcj32.exeC:\Windows\system32\Dfakcj32.exe111⤵PID:6000
-
C:\Windows\SysWOW64\Dpjompqc.exeC:\Windows\system32\Dpjompqc.exe112⤵PID:5224
-
C:\Windows\SysWOW64\Dpllbp32.exeC:\Windows\system32\Dpllbp32.exe113⤵PID:5484
-
C:\Windows\SysWOW64\Dekapfke.exeC:\Windows\system32\Dekapfke.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5896 -
C:\Windows\SysWOW64\Epaemojk.exeC:\Windows\system32\Epaemojk.exe115⤵PID:5816
-
C:\Windows\SysWOW64\Elhfbp32.exeC:\Windows\system32\Elhfbp32.exe116⤵PID:5968
-
C:\Windows\SysWOW64\Egpgehnb.exeC:\Windows\system32\Egpgehnb.exe117⤵
- Drops file in System32 directory
PID:5404 -
C:\Windows\SysWOW64\Enllgbcl.exeC:\Windows\system32\Enllgbcl.exe118⤵PID:5768
-
C:\Windows\SysWOW64\Fnnimbaj.exeC:\Windows\system32\Fnnimbaj.exe119⤵PID:5980
-
C:\Windows\SysWOW64\Feimadoe.exeC:\Windows\system32\Feimadoe.exe120⤵PID:5616
-
C:\Windows\SysWOW64\Fdjnolfd.exeC:\Windows\system32\Fdjnolfd.exe121⤵PID:5880
-
C:\Windows\SysWOW64\Flfbcndo.exeC:\Windows\system32\Flfbcndo.exe122⤵PID:4612
-
C:\Windows\SysWOW64\Fgncff32.exeC:\Windows\system32\Fgncff32.exe123⤵
- Drops file in System32 directory
PID:1628 -
C:\Windows\SysWOW64\Fpfholhc.exeC:\Windows\system32\Fpfholhc.exe124⤵PID:5456
-
C:\Windows\SysWOW64\Gcgqag32.exeC:\Windows\system32\Gcgqag32.exe125⤵PID:3148
-
C:\Windows\SysWOW64\Gcimfg32.exeC:\Windows\system32\Gcimfg32.exe126⤵
- Drops file in System32 directory
PID:5544 -
C:\Windows\SysWOW64\Gckjlf32.exeC:\Windows\system32\Gckjlf32.exe127⤵PID:1680
-
C:\Windows\SysWOW64\Gmdoel32.exeC:\Windows\system32\Gmdoel32.exe128⤵PID:6184
-
C:\Windows\SysWOW64\Gflcnanp.exeC:\Windows\system32\Gflcnanp.exe129⤵
- Modifies registry class
PID:6240 -
C:\Windows\SysWOW64\Hcbpme32.exeC:\Windows\system32\Hcbpme32.exe130⤵PID:6284
-
C:\Windows\SysWOW64\Hfcinq32.exeC:\Windows\system32\Hfcinq32.exe131⤵
- Drops file in System32 directory
PID:6328 -
C:\Windows\SysWOW64\Hcgjhega.exeC:\Windows\system32\Hcgjhega.exe132⤵
- Drops file in System32 directory
PID:6372 -
C:\Windows\SysWOW64\Hnokjm32.exeC:\Windows\system32\Hnokjm32.exe133⤵PID:6416
-
C:\Windows\SysWOW64\Ijhhenhf.exeC:\Windows\system32\Ijhhenhf.exe134⤵PID:6464
-
C:\Windows\SysWOW64\Ifoijonj.exeC:\Windows\system32\Ifoijonj.exe135⤵
- Drops file in System32 directory
PID:6508 -
C:\Windows\SysWOW64\Iepihf32.exeC:\Windows\system32\Iepihf32.exe136⤵PID:6560
-
C:\Windows\SysWOW64\Iqgjmg32.exeC:\Windows\system32\Iqgjmg32.exe137⤵PID:6604
-
C:\Windows\SysWOW64\Icgbob32.exeC:\Windows\system32\Icgbob32.exe138⤵PID:6648
-
C:\Windows\SysWOW64\Jakchf32.exeC:\Windows\system32\Jakchf32.exe139⤵PID:6692
-
C:\Windows\SysWOW64\Jjdgal32.exeC:\Windows\system32\Jjdgal32.exe140⤵PID:6736
-
C:\Windows\SysWOW64\Jclljaei.exeC:\Windows\system32\Jclljaei.exe141⤵PID:6784
-
C:\Windows\SysWOW64\Japmcfcc.exeC:\Windows\system32\Japmcfcc.exe142⤵PID:6824
-
C:\Windows\SysWOW64\Jeneidji.exeC:\Windows\system32\Jeneidji.exe143⤵PID:6868
-
C:\Windows\SysWOW64\Jnfjbj32.exeC:\Windows\system32\Jnfjbj32.exe144⤵PID:6912
-
C:\Windows\SysWOW64\Kjmjgk32.exeC:\Windows\system32\Kjmjgk32.exe145⤵PID:6956
-
C:\Windows\SysWOW64\Knkcmild.exeC:\Windows\system32\Knkcmild.exe146⤵
- Drops file in System32 directory
PID:7000 -
C:\Windows\SysWOW64\Khcgfo32.exeC:\Windows\system32\Khcgfo32.exe147⤵
- Drops file in System32 directory
PID:7044 -
C:\Windows\SysWOW64\Khhaanop.exeC:\Windows\system32\Khhaanop.exe148⤵PID:7088
-
C:\Windows\SysWOW64\Lelajb32.exeC:\Windows\system32\Lelajb32.exe149⤵PID:7132
-
C:\Windows\SysWOW64\Lacbpccn.exeC:\Windows\system32\Lacbpccn.exe150⤵PID:5676
-
C:\Windows\SysWOW64\Lhogamih.exeC:\Windows\system32\Lhogamih.exe151⤵PID:6208
-
C:\Windows\SysWOW64\Lechkaga.exeC:\Windows\system32\Lechkaga.exe152⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6228 -
C:\Windows\SysWOW64\Lkbmih32.exeC:\Windows\system32\Lkbmih32.exe153⤵PID:6296
-
C:\Windows\SysWOW64\Mejnlpai.exeC:\Windows\system32\Mejnlpai.exe154⤵PID:6364
-
C:\Windows\SysWOW64\Mgngih32.exeC:\Windows\system32\Mgngih32.exe155⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6432 -
C:\Windows\SysWOW64\Moglpedd.exeC:\Windows\system32\Moglpedd.exe156⤵PID:6500
-
C:\Windows\SysWOW64\Nolekd32.exeC:\Windows\system32\Nolekd32.exe157⤵PID:2384
-
C:\Windows\SysWOW64\Nhdicjfp.exeC:\Windows\system32\Nhdicjfp.exe158⤵PID:6636
-
C:\Windows\SysWOW64\Nkebee32.exeC:\Windows\system32\Nkebee32.exe159⤵PID:6704
-
C:\Windows\SysWOW64\Nockkcjg.exeC:\Windows\system32\Nockkcjg.exe160⤵PID:6768
-
C:\Windows\SysWOW64\Oklifdmi.exeC:\Windows\system32\Oklifdmi.exe161⤵PID:6852
-
C:\Windows\SysWOW64\Ogcike32.exeC:\Windows\system32\Ogcike32.exe162⤵PID:6908
-
C:\Windows\SysWOW64\Ohbfeh32.exeC:\Windows\system32\Ohbfeh32.exe163⤵PID:6984
-
C:\Windows\SysWOW64\Oggbfdog.exeC:\Windows\system32\Oggbfdog.exe164⤵PID:7056
-
C:\Windows\SysWOW64\Pfkpiled.exeC:\Windows\system32\Pfkpiled.exe165⤵PID:7116
-
C:\Windows\SysWOW64\Phneqf32.exeC:\Windows\system32\Phneqf32.exe166⤵PID:6164
-
C:\Windows\SysWOW64\Pkonbamc.exeC:\Windows\system32\Pkonbamc.exe167⤵
- Modifies registry class
PID:6236 -
C:\Windows\SysWOW64\Qnpgdmjd.exeC:\Windows\system32\Qnpgdmjd.exe168⤵PID:6316
-
C:\Windows\SysWOW64\Afkipi32.exeC:\Windows\system32\Afkipi32.exe169⤵PID:6448
-
C:\Windows\SysWOW64\Afpbkicl.exeC:\Windows\system32\Afpbkicl.exe170⤵PID:6544
-
C:\Windows\SysWOW64\Aeeomegd.exeC:\Windows\system32\Aeeomegd.exe171⤵
- Drops file in System32 directory
PID:6624 -
C:\Windows\SysWOW64\Abipfifn.exeC:\Windows\system32\Abipfifn.exe172⤵PID:6748
-
C:\Windows\SysWOW64\Bnppkj32.exeC:\Windows\system32\Bnppkj32.exe173⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6864 -
C:\Windows\SysWOW64\Bkfmjnii.exeC:\Windows\system32\Bkfmjnii.exe174⤵PID:4832
-
C:\Windows\SysWOW64\Bgmnooom.exeC:\Windows\system32\Bgmnooom.exe175⤵PID:7028
-
C:\Windows\SysWOW64\Biljib32.exeC:\Windows\system32\Biljib32.exe176⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4480 -
C:\Windows\SysWOW64\Bfpkbfdi.exeC:\Windows\system32\Bfpkbfdi.exe177⤵
- Drops file in System32 directory
PID:5076 -
C:\Windows\SysWOW64\Cpipkl32.exeC:\Windows\system32\Cpipkl32.exe178⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7160 -
C:\Windows\SysWOW64\Chddpn32.exeC:\Windows\system32\Chddpn32.exe179⤵PID:6324
-
C:\Windows\SysWOW64\Cicqja32.exeC:\Windows\system32\Cicqja32.exe180⤵PID:6460
-
C:\Windows\SysWOW64\Cfgace32.exeC:\Windows\system32\Cfgace32.exe181⤵PID:6556
-
C:\Windows\SysWOW64\Cfjnhe32.exeC:\Windows\system32\Cfjnhe32.exe182⤵PID:6716
-
C:\Windows\SysWOW64\Cnebmgjj.exeC:\Windows\system32\Cnebmgjj.exe183⤵PID:4956
-
C:\Windows\SysWOW64\Dbckcf32.exeC:\Windows\system32\Dbckcf32.exe184⤵PID:6996
-
C:\Windows\SysWOW64\Decdeama.exeC:\Windows\system32\Decdeama.exe185⤵PID:4012
-
C:\Windows\SysWOW64\Diamko32.exeC:\Windows\system32\Diamko32.exe186⤵PID:3104
-
C:\Windows\SysWOW64\Didjqoae.exeC:\Windows\system32\Didjqoae.exe187⤵PID:3188
-
C:\Windows\SysWOW64\Eoconenj.exeC:\Windows\system32\Eoconenj.exe188⤵PID:6520
-
C:\Windows\SysWOW64\Epehnhbj.exeC:\Windows\system32\Epehnhbj.exe189⤵PID:2160
-
C:\Windows\SysWOW64\Epgdch32.exeC:\Windows\system32\Epgdch32.exe190⤵PID:7032
-
C:\Windows\SysWOW64\Elnehifk.exeC:\Windows\system32\Elnehifk.exe191⤵PID:2152
-
C:\Windows\SysWOW64\Fibfbm32.exeC:\Windows\system32\Fibfbm32.exe192⤵PID:6272
-
C:\Windows\SysWOW64\Fidbgm32.exeC:\Windows\system32\Fidbgm32.exe193⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4732 -
C:\Windows\SysWOW64\Fempbm32.exeC:\Windows\system32\Fempbm32.exe194⤵PID:4216
-
C:\Windows\SysWOW64\Fgmllpng.exeC:\Windows\system32\Fgmllpng.exe195⤵PID:6832
-
C:\Windows\SysWOW64\Gcfjfqah.exeC:\Windows\system32\Gcfjfqah.exe196⤵PID:5908
-
C:\Windows\SysWOW64\Gheodg32.exeC:\Windows\system32\Gheodg32.exe197⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6408 -
C:\Windows\SysWOW64\Gpodkdll.exeC:\Windows\system32\Gpodkdll.exe198⤵
- Modifies registry class
PID:6888 -
C:\Windows\SysWOW64\Hhleefhe.exeC:\Windows\system32\Hhleefhe.exe199⤵PID:4204
-
C:\Windows\SysWOW64\Hcdfho32.exeC:\Windows\system32\Hcdfho32.exe200⤵
- Modifies registry class
PID:2076 -
C:\Windows\SysWOW64\Hfgloiqf.exeC:\Windows\system32\Hfgloiqf.exe201⤵PID:5156
-
C:\Windows\SysWOW64\Ifihdi32.exeC:\Windows\system32\Ifihdi32.exe202⤵
- Drops file in System32 directory
PID:676 -
C:\Windows\SysWOW64\Ifleji32.exeC:\Windows\system32\Ifleji32.exe203⤵
- Modifies registry class
PID:3444 -
C:\Windows\SysWOW64\Ifqoehhl.exeC:\Windows\system32\Ifqoehhl.exe204⤵PID:5088
-
C:\Windows\SysWOW64\Iiaggc32.exeC:\Windows\system32\Iiaggc32.exe205⤵PID:1424
-
C:\Windows\SysWOW64\Jjcqffkm.exeC:\Windows\system32\Jjcqffkm.exe206⤵PID:1464
-
C:\Windows\SysWOW64\Jggapj32.exeC:\Windows\system32\Jggapj32.exe207⤵PID:5044
-
C:\Windows\SysWOW64\Jcnbekok.exeC:\Windows\system32\Jcnbekok.exe208⤵PID:2120
-
C:\Windows\SysWOW64\Kpgoolbl.exeC:\Windows\system32\Kpgoolbl.exe209⤵PID:4232
-
C:\Windows\SysWOW64\Kpilekqj.exeC:\Windows\system32\Kpilekqj.exe210⤵PID:4484
-
C:\Windows\SysWOW64\Kaihonhl.exeC:\Windows\system32\Kaihonhl.exe211⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4420 -
C:\Windows\SysWOW64\Kfhnme32.exeC:\Windows\system32\Kfhnme32.exe212⤵PID:7212
-
C:\Windows\SysWOW64\Lmdbooik.exeC:\Windows\system32\Lmdbooik.exe213⤵PID:7256
-
C:\Windows\SysWOW64\Lmfodn32.exeC:\Windows\system32\Lmfodn32.exe214⤵PID:7300
-
C:\Windows\SysWOW64\Lipmoo32.exeC:\Windows\system32\Lipmoo32.exe215⤵PID:7348
-
C:\Windows\SysWOW64\Lmneemaq.exeC:\Windows\system32\Lmneemaq.exe216⤵
- Modifies registry class
PID:7392 -
C:\Windows\SysWOW64\Migcpneb.exeC:\Windows\system32\Migcpneb.exe217⤵
- Modifies registry class
PID:7436 -
C:\Windows\SysWOW64\Mjfoja32.exeC:\Windows\system32\Mjfoja32.exe218⤵
- Drops file in System32 directory
PID:7480 -
C:\Windows\SysWOW64\Mhjpceko.exeC:\Windows\system32\Mhjpceko.exe219⤵PID:7524
-
C:\Windows\SysWOW64\Mjkiephp.exeC:\Windows\system32\Mjkiephp.exe220⤵
- Modifies registry class
PID:7568 -
C:\Windows\SysWOW64\Mhoind32.exeC:\Windows\system32\Mhoind32.exe221⤵PID:7612
-
C:\Windows\SysWOW64\Ndejcemn.exeC:\Windows\system32\Ndejcemn.exe222⤵PID:7656
-
C:\Windows\SysWOW64\Ndhgie32.exeC:\Windows\system32\Ndhgie32.exe223⤵PID:7704
-
C:\Windows\SysWOW64\Ngipjp32.exeC:\Windows\system32\Ngipjp32.exe224⤵PID:7748
-
C:\Windows\SysWOW64\Niihlkdm.exeC:\Windows\system32\Niihlkdm.exe225⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7792 -
C:\Windows\SysWOW64\Oileakbj.exeC:\Windows\system32\Oileakbj.exe226⤵PID:7836
-
C:\Windows\SysWOW64\Opjgidfa.exeC:\Windows\system32\Opjgidfa.exe227⤵PID:7880
-
C:\Windows\SysWOW64\Ohdlpa32.exeC:\Windows\system32\Ohdlpa32.exe228⤵PID:7924
-
C:\Windows\SysWOW64\Pgihanii.exeC:\Windows\system32\Pgihanii.exe229⤵PID:7968
-
C:\Windows\SysWOW64\Ppdjpcng.exeC:\Windows\system32\Ppdjpcng.exe230⤵PID:8012
-
C:\Windows\SysWOW64\Phmnfp32.exeC:\Windows\system32\Phmnfp32.exe231⤵PID:8056
-
C:\Windows\SysWOW64\Phpklp32.exeC:\Windows\system32\Phpklp32.exe232⤵PID:8112
-
C:\Windows\SysWOW64\Qhbhapha.exeC:\Windows\system32\Qhbhapha.exe233⤵PID:8164
-
C:\Windows\SysWOW64\Qdihfq32.exeC:\Windows\system32\Qdihfq32.exe234⤵PID:4872
-
C:\Windows\SysWOW64\Qnamofdf.exeC:\Windows\system32\Qnamofdf.exe235⤵PID:7244
-
C:\Windows\SysWOW64\Akenij32.exeC:\Windows\system32\Akenij32.exe236⤵PID:7312
-
C:\Windows\SysWOW64\Ahinbo32.exeC:\Windows\system32\Ahinbo32.exe237⤵PID:4744
-
C:\Windows\SysWOW64\Anhcpeon.exeC:\Windows\system32\Anhcpeon.exe238⤵PID:7376
-
C:\Windows\SysWOW64\Ajodef32.exeC:\Windows\system32\Ajodef32.exe239⤵PID:7460
-
C:\Windows\SysWOW64\Agcdnjcl.exeC:\Windows\system32\Agcdnjcl.exe240⤵PID:7512
-
C:\Windows\SysWOW64\Bgeadjai.exeC:\Windows\system32\Bgeadjai.exe241⤵
- Modifies registry class
PID:7580 -
C:\Windows\SysWOW64\Bjfjee32.exeC:\Windows\system32\Bjfjee32.exe242⤵PID:7640