Analysis
-
max time kernel
135s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
30-05-2024 14:14
Behavioral task
behavioral1
Sample
048f294b52f09d67f330488ddedc7de0_NeikiAnalytics.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
048f294b52f09d67f330488ddedc7de0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
048f294b52f09d67f330488ddedc7de0_NeikiAnalytics.exe
-
Size
548KB
-
MD5
048f294b52f09d67f330488ddedc7de0
-
SHA1
d4171065b666d919728e0829d4b4010e30b216be
-
SHA256
e6fd3f028bedd3e57e45634424382b3109bb25c5de4102bfe5643d84e91d5c9b
-
SHA512
ed9d61e1d11e86c435e3bfa0330f384a15891810fc8d66ca31a7b3cb7d62fc45d9d8032e38556276840a616e6de9182120bcfc1b15a8483411fa0d8b02aa0239
-
SSDEEP
12288:BxImcEv46IveDVqvQ6IvBaSHaMaZRBEYyqmaf2qwiHPKgRC4gvGZ+C8lM1:vsDq5htaSHFaZRBEYyqmaf2qwiHPKgRP
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Megljppl.exeAdndoe32.exeDoojec32.exeOjnfihmo.exeOabhfg32.exePfiddm32.exeNhegig32.exeFlpmagqi.exeKakmna32.exeKeifdpif.exeLaiipofp.exePfdjinjo.exeJahqiaeb.exeBlgifbil.exeGojiiafp.exeHoobdp32.exeJoahqn32.exeKpjgaoqm.exeKpoalo32.exeQachgk32.exeCfipef32.exeKflide32.exeNmfcok32.exeFnkfmm32.exeDijbno32.exeEeelnp32.exeNagiji32.exeOhlqcagj.exePmblagmf.exePafkgphl.exeBdpaeehj.exeEmjgim32.exeCocjiehd.exeMnhkbfme.exeBadanigc.exeHpioin32.exeMomcpa32.exeLklbdm32.exeGpelhd32.exeLoighj32.exeNpiiffqe.exePalklf32.exeFoclgq32.exeNmcpoedn.exeKqbdldnq.exePmoiqneg.exeEehicoel.exeOmmceclc.exeObjkmkjj.exeLnangaoa.exeMfnoqc32.exeNjhgbp32.exeFfqhcq32.exeEkcgkb32.exeLindkm32.exeNcpeaoih.exeAmjillkj.exeKabcopmg.exeOnapdl32.exeLcclncbh.exeOeehkn32.exeEejeiocj.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Megljppl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adndoe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doojec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojnfihmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oabhfg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfiddm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhegig32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flpmagqi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kakmna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Keifdpif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Laiipofp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfdjinjo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jahqiaeb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blgifbil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gojiiafp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hoobdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Joahqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpjgaoqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpoalo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qachgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfipef32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kflide32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmfcok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnkfmm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dijbno32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeelnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nagiji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohlqcagj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmblagmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pafkgphl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdpaeehj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emjgim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cocjiehd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnhkbfme.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Badanigc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpioin32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Momcpa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lklbdm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpelhd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loighj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npiiffqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Palklf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Foclgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmcpoedn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqbdldnq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kqbdldnq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmoiqneg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eehicoel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ommceclc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Objkmkjj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnangaoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfnoqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njhgbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffqhcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekcgkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lindkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncpeaoih.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amjillkj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kabcopmg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmoiqneg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onapdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcclncbh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeehkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eejeiocj.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Processes:
resource yara_rule C:\Windows\SysWOW64\Jgbjbp32.exe family_berbew C:\Windows\SysWOW64\Jgeghp32.exe family_berbew C:\Windows\SysWOW64\Kkpbin32.exe family_berbew C:\Windows\SysWOW64\Knalji32.exe family_berbew C:\Windows\SysWOW64\Kcndbp32.exe family_berbew C:\Windows\SysWOW64\Kkeldnpi.exe family_berbew C:\Windows\SysWOW64\Kqbdldnq.exe family_berbew C:\Windows\SysWOW64\Kcbnnpka.exe family_berbew C:\Windows\SysWOW64\Kqfngd32.exe family_berbew C:\Windows\SysWOW64\Lklbdm32.exe family_berbew C:\Windows\SysWOW64\Lqikmc32.exe family_berbew C:\Windows\SysWOW64\Lcjcnoej.exe family_berbew C:\Windows\SysWOW64\Lkalplel.exe family_berbew C:\Windows\SysWOW64\Lnohlgep.exe family_berbew C:\Windows\SysWOW64\Lekmnajj.exe family_berbew C:\Windows\SysWOW64\Lmgabcge.exe family_berbew C:\Windows\SysWOW64\Mjkblhfo.exe family_berbew C:\Windows\SysWOW64\Mepfiq32.exe family_berbew C:\Windows\SysWOW64\Mnhkbfme.exe family_berbew C:\Windows\SysWOW64\Mkmkkjko.exe family_berbew C:\Windows\SysWOW64\Meepdp32.exe family_berbew C:\Windows\SysWOW64\Mchppmij.exe family_berbew C:\Windows\SysWOW64\Megljppl.exe family_berbew C:\Windows\SysWOW64\Mjdebfnd.exe family_berbew C:\Windows\SysWOW64\Nclikl32.exe family_berbew C:\Windows\SysWOW64\Napjdpcn.exe family_berbew C:\Windows\SysWOW64\Nlfnaicd.exe family_berbew C:\Windows\SysWOW64\Nlhkgi32.exe family_berbew C:\Windows\SysWOW64\Nmigoagp.exe family_berbew C:\Windows\SysWOW64\Nlkgmh32.exe family_berbew C:\Windows\SysWOW64\Ndflak32.exe family_berbew C:\Windows\SysWOW64\Nlmdbh32.exe family_berbew C:\Windows\SysWOW64\Omegjomb.exe family_berbew C:\Windows\SysWOW64\Oacoqnci.exe family_berbew C:\Windows\SysWOW64\Peahgl32.exe family_berbew C:\Windows\SysWOW64\Pknqoc32.exe family_berbew C:\Windows\SysWOW64\Qkipkani.exe family_berbew C:\Windows\SysWOW64\Amjillkj.exe family_berbew C:\Windows\SysWOW64\Aednci32.exe family_berbew C:\Windows\SysWOW64\Aolblopj.exe family_berbew C:\Windows\SysWOW64\Aonoao32.exe family_berbew C:\Windows\SysWOW64\Bkjiao32.exe family_berbew C:\Windows\SysWOW64\Bojomm32.exe family_berbew C:\Windows\SysWOW64\Bffcpg32.exe family_berbew C:\Windows\SysWOW64\Cfipef32.exe family_berbew C:\Windows\SysWOW64\Coadnlnb.exe family_berbew C:\Windows\SysWOW64\Ckmonl32.exe family_berbew C:\Windows\SysWOW64\Ddgplado.exe family_berbew C:\Windows\SysWOW64\Dnpdegjp.exe family_berbew C:\Windows\SysWOW64\Dkfadkgf.exe family_berbew C:\Windows\SysWOW64\Dngjff32.exe family_berbew C:\Windows\SysWOW64\Enpmld32.exe family_berbew C:\Windows\SysWOW64\Fpbflg32.exe family_berbew C:\Windows\SysWOW64\Fngcmcfe.exe family_berbew C:\Windows\SysWOW64\Fmhdkknd.exe family_berbew C:\Windows\SysWOW64\Fiodpl32.exe family_berbew C:\Windows\SysWOW64\Fefedmil.exe family_berbew C:\Windows\SysWOW64\Flpmagqi.exe family_berbew C:\Windows\SysWOW64\Gfjkjo32.exe family_berbew C:\Windows\SysWOW64\Goglcahb.exe family_berbew C:\Windows\SysWOW64\Gmimai32.exe family_berbew C:\Windows\SysWOW64\Gojiiafp.exe family_berbew C:\Windows\SysWOW64\Hoobdp32.exe family_berbew C:\Windows\SysWOW64\Hpqldc32.exe family_berbew -
Executes dropped EXE 64 IoCs
Processes:
Jgbjbp32.exeJgeghp32.exeKkpbin32.exeKnalji32.exeKcndbp32.exeKkeldnpi.exeKqbdldnq.exeKcbnnpka.exeKqfngd32.exeLklbdm32.exeLqikmc32.exeLcjcnoej.exeLkalplel.exeLnohlgep.exeLekmnajj.exeLmgabcge.exeMjkblhfo.exeMepfiq32.exeMnhkbfme.exeMkmkkjko.exeMeepdp32.exeMchppmij.exeMegljppl.exeMjdebfnd.exeNclikl32.exeNapjdpcn.exeNlfnaicd.exeNlhkgi32.exeNmigoagp.exeNlkgmh32.exeNdflak32.exeNlmdbh32.exeOeehkn32.exeOjbacd32.exeOnnmdcjm.exeOalipoiq.exeOdjeljhd.exeOlanmgig.exeOnpjichj.exeOejbfmpg.exeOhhnbhok.exeOjgjndno.exeOmegjomb.exeOlfghg32.exeOodcdb32.exeOacoqnci.exeOhmhmh32.exeOkkdic32.exeOmjpeo32.exePeahgl32.exePhodcg32.exePknqoc32.exePahilmoc.exePdfehh32.exePlmmif32.exePmoiqneg.exePefabkej.exePdhbmh32.exePkbjjbda.exePalbgl32.exePdkoch32.exePlbfdekd.exePopbpqjh.exePaoollik.exepid process 3856 Jgbjbp32.exe 432 Jgeghp32.exe 2644 Kkpbin32.exe 1368 Knalji32.exe 4496 Kcndbp32.exe 4064 Kkeldnpi.exe 4608 Kqbdldnq.exe 2656 Kcbnnpka.exe 3540 Kqfngd32.exe 4548 Lklbdm32.exe 2532 Lqikmc32.exe 2364 Lcjcnoej.exe 3220 Lkalplel.exe 2076 Lnohlgep.exe 3548 Lekmnajj.exe 3216 Lmgabcge.exe 2324 Mjkblhfo.exe 1264 Mepfiq32.exe 4680 Mnhkbfme.exe 628 Mkmkkjko.exe 1012 Meepdp32.exe 508 Mchppmij.exe 2780 Megljppl.exe 3268 Mjdebfnd.exe 1304 Nclikl32.exe 4580 Napjdpcn.exe 4124 Nlfnaicd.exe 608 Nlhkgi32.exe 2036 Nmigoagp.exe 4644 Nlkgmh32.exe 4620 Ndflak32.exe 2308 Nlmdbh32.exe 4332 Oeehkn32.exe 3908 Ojbacd32.exe 4120 Onnmdcjm.exe 2116 Oalipoiq.exe 3504 Odjeljhd.exe 1892 Olanmgig.exe 3484 Onpjichj.exe 4592 Oejbfmpg.exe 1452 Ohhnbhok.exe 2372 Ojgjndno.exe 2400 Omegjomb.exe 4344 Olfghg32.exe 3628 Oodcdb32.exe 2516 Oacoqnci.exe 3944 Ohmhmh32.exe 1360 Okkdic32.exe 4224 Omjpeo32.exe 1628 Peahgl32.exe 2560 Phodcg32.exe 2344 Pknqoc32.exe 2492 Pahilmoc.exe 4988 Pdfehh32.exe 2912 Plmmif32.exe 4004 Pmoiqneg.exe 4056 Pefabkej.exe 2480 Pdhbmh32.exe 5132 Pkbjjbda.exe 5172 Palbgl32.exe 5212 Pdkoch32.exe 5248 Plbfdekd.exe 5292 Popbpqjh.exe 5332 Paoollik.exe -
Drops file in System32 directory 64 IoCs
Processes:
Kqbdldnq.exeLlcghg32.exeOjhiogdd.exeQemhbj32.exeEifaim32.exeClgbmp32.exeBpfkpp32.exeNmigoagp.exePeahgl32.exeBafndi32.exeQklmpalf.exeHpfbcn32.exeLindkm32.exePhonha32.exeGndick32.exeJhnojl32.exePkbjjbda.exeIomoenej.exeLnldla32.exeNfjola32.exeMhoahh32.exeNmcpoedn.exeEppjfgcp.exeHajkqfoe.exeHhdcmp32.exeLfiokmkc.exeNagiji32.exeAaohcj32.exePafkgphl.exeFeenjgfq.exeKlahfp32.exeEokqkh32.exeDdkbmj32.exeKamjda32.exeKabcopmg.exeDdgibkpc.exeEkcgkb32.exePefabkej.exeGbalopbn.exeBaannc32.exeCggimh32.exeMlofcf32.exeMcbpjg32.exeBhbcfbjk.exeFefedmil.exeGncchb32.exePmnbfhal.exeFofilp32.exeIpbaol32.exeMfpell32.exeKibeoo32.exeFoapaa32.exeOalipoiq.exeEfjbcakl.exeOnocomdo.exeLmgabcge.exePldcjeia.exeBkphhgfc.exeDafppp32.exeCglbhhga.exeNapjdpcn.exedescription ioc process File created C:\Windows\SysWOW64\Kcbnnpka.exe Kqbdldnq.exe File created C:\Windows\SysWOW64\Jlmmnd32.dll Llcghg32.exe File created C:\Windows\SysWOW64\Hpkdfd32.dll Ojhiogdd.exe File opened for modification C:\Windows\SysWOW64\Qdphngfl.exe Qemhbj32.exe File created C:\Windows\SysWOW64\Emanjldl.exe Eifaim32.exe File opened for modification C:\Windows\SysWOW64\Ckjbhmad.exe Clgbmp32.exe File opened for modification C:\Windows\SysWOW64\Bhmbqm32.exe Bpfkpp32.exe File created C:\Windows\SysWOW64\Nlkgmh32.exe Nmigoagp.exe File opened for modification C:\Windows\SysWOW64\Phodcg32.exe Peahgl32.exe File created C:\Windows\SysWOW64\Bhpfqcln.exe Bafndi32.exe File created C:\Windows\SysWOW64\Amjillkj.exe Qklmpalf.exe File created C:\Windows\SysWOW64\Jpehef32.dll Hpfbcn32.exe File created C:\Windows\SysWOW64\Mjliff32.dll Lindkm32.exe File created C:\Windows\SysWOW64\Lfdqcn32.dll Phonha32.exe File created C:\Windows\SysWOW64\Eibmbgdm.dll Gndick32.exe File created C:\Windows\SysWOW64\Jpegkj32.exe Jhnojl32.exe File created C:\Windows\SysWOW64\Palbgl32.exe Pkbjjbda.exe File opened for modification C:\Windows\SysWOW64\Iibccgep.exe Iomoenej.exe File opened for modification C:\Windows\SysWOW64\Lgdidgjg.exe Lnldla32.exe File opened for modification C:\Windows\SysWOW64\Npbceggm.exe Nfjola32.exe File opened for modification C:\Windows\SysWOW64\Mcdeeq32.exe Mhoahh32.exe File opened for modification C:\Windows\SysWOW64\Nmfmde32.exe Nmcpoedn.exe File opened for modification C:\Windows\SysWOW64\Enbjad32.exe Eppjfgcp.exe File opened for modification C:\Windows\SysWOW64\Hhdcmp32.exe Hajkqfoe.exe File opened for modification C:\Windows\SysWOW64\Hbihjifh.exe Hhdcmp32.exe File opened for modification C:\Windows\SysWOW64\Llcghg32.exe Lfiokmkc.exe File created C:\Windows\SysWOW64\Jchdqkfl.dll Nagiji32.exe File created C:\Windows\SysWOW64\Adndoe32.exe Aaohcj32.exe File created C:\Windows\SysWOW64\Ckjbhmad.exe Clgbmp32.exe File created C:\Windows\SysWOW64\Mdkgabfn.dll Eifaim32.exe File created C:\Windows\SysWOW64\Dblamanm.dll Pafkgphl.exe File opened for modification C:\Windows\SysWOW64\Fkofga32.exe Feenjgfq.exe File created C:\Windows\SysWOW64\Kckqbj32.exe Klahfp32.exe File created C:\Windows\SysWOW64\Nkopekaa.dll Eokqkh32.exe File created C:\Windows\SysWOW64\Kjmejc32.dll Ddkbmj32.exe File opened for modification C:\Windows\SysWOW64\Keifdpif.exe Kamjda32.exe File created C:\Windows\SysWOW64\Bjdjokcd.dll Kabcopmg.exe File opened for modification C:\Windows\SysWOW64\Dgeenfog.exe Ddgibkpc.exe File created C:\Windows\SysWOW64\Ocfgbfdm.dll Ekcgkb32.exe File created C:\Windows\SysWOW64\Cqichhmn.dll Pefabkej.exe File created C:\Windows\SysWOW64\Gflhoo32.exe Gbalopbn.exe File created C:\Windows\SysWOW64\Plikcm32.dll Baannc32.exe File created C:\Windows\SysWOW64\Conanfli.exe Cggimh32.exe File created C:\Windows\SysWOW64\Momcpa32.exe Mlofcf32.exe File created C:\Windows\SysWOW64\Mmkdcm32.exe Mcbpjg32.exe File created C:\Windows\SysWOW64\Bkaobnio.exe Bhbcfbjk.exe File created C:\Windows\SysWOW64\Oclknk32.dll Fefedmil.exe File opened for modification C:\Windows\SysWOW64\Gfjkjo32.exe Gncchb32.exe File created C:\Windows\SysWOW64\Cjceejee.dll Pmnbfhal.exe File created C:\Windows\SysWOW64\Fbdehlip.exe Fofilp32.exe File created C:\Windows\SysWOW64\Iacngdgj.exe Ipbaol32.exe File created C:\Windows\SysWOW64\Glqfgdpo.dll Mfpell32.exe File opened for modification C:\Windows\SysWOW64\Kamjda32.exe Kibeoo32.exe File created C:\Windows\SysWOW64\Fdnhih32.exe Foapaa32.exe File created C:\Windows\SysWOW64\Dgeofeib.dll Oalipoiq.exe File created C:\Windows\SysWOW64\Ohofdmkm.dll Efjbcakl.exe File opened for modification C:\Windows\SysWOW64\Ofkgcobj.exe Onocomdo.exe File opened for modification C:\Windows\SysWOW64\Fgjhpcmo.exe Ekcgkb32.exe File created C:\Windows\SysWOW64\Bdkohe32.dll Lmgabcge.exe File opened for modification C:\Windows\SysWOW64\Qmepam32.exe Pldcjeia.exe File created C:\Windows\SysWOW64\Ciipkkdj.dll Bkphhgfc.exe File opened for modification C:\Windows\SysWOW64\Dhphmj32.exe Dafppp32.exe File created C:\Windows\SysWOW64\Cocjiehd.exe Cglbhhga.exe File opened for modification C:\Windows\SysWOW64\Nlfnaicd.exe Napjdpcn.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 12356 13268 WerFault.exe Pififb32.exe -
Modifies registry class 64 IoCs
Processes:
Dnpdegjp.exeGpnfge32.exeKlndfj32.exeBkphhgfc.exeEgaejeej.exePiapkbeg.exeDijbno32.exeIomoenej.exeLljklo32.exeNgndaccj.exeOlanmgig.exePalbgl32.exeOlfghg32.exeIipfmggc.exeBmhocd32.exeHpnoncim.exePcgdhkem.exeGfjkjo32.exeMhldbh32.exeOjhpimhp.exeKoajmepf.exeBemqih32.exeEbdcld32.exeKckqbj32.exeNfjola32.exeKeifdpif.exeAmnlme32.exeEnmjlojd.exeEifaim32.exeHlnjbedi.exeJoekag32.exeEnbjad32.exeOhlqcagj.exeFoapaa32.exeJahqiaeb.exeFealin32.exeGbalopbn.exeDndgfpbo.exeJofalmmp.exeOnpjichj.exePknqoc32.exeQobhkjdi.exeDoojec32.exeAlpbecod.exeAlbpkc32.exeCfnjpfcl.exeCoadnlnb.exeBaannc32.exeKibeoo32.exeNmigoagp.exePldcjeia.exeHibjli32.exeMcaipa32.exePmhbqbae.exeAknifq32.exeMmkdcm32.exeEhbnigjj.exeBkgeainn.exeNlmdbh32.exeEfjbcakl.exeLcclncbh.exeBhmbqm32.exeEbfign32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnpdegjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cboeco32.dll" Gpnfge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfomc32.dll" Klndfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciipkkdj.dll" Bkphhgfc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egaejeej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Piapkbeg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dijbno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iomoenej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lljklo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckkpjkai.dll" Ngndaccj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmnogj32.dll" Olanmgig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Palbgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olfghg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iipfmggc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmhocd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpnoncim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhlbgmif.dll" Pcgdhkem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfjkjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhldbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojhpimhp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Koajmepf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eglmfnhm.dll" Bemqih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqehjpfj.dll" Ebdcld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kckqbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfjola32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Keifdpif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amnlme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enmjlojd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdkgabfn.dll" Eifaim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlnjbedi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgfnm32.dll" Joekag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enbjad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohlqcagj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Foapaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jahqiaeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhpopokm.dll" Fealin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbalopbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoibcl32.dll" Dndgfpbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifjfmcq.dll" Jofalmmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onpjichj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pknqoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfefigf.dll" Qobhkjdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Doojec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eobkhf32.dll" Alpbecod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Albpkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfnjpfcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Coadnlnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Baannc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kibeoo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmigoagp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pldcjeia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akcoajfm.dll" Hibjli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcaipa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmhbqbae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aknifq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmkdcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehbnigjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkgeainn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehbnigjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlmdbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efjbcakl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcclncbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhmbqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehblpall.dll" Ebfign32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
048f294b52f09d67f330488ddedc7de0_NeikiAnalytics.exeJgbjbp32.exeJgeghp32.exeKkpbin32.exeKnalji32.exeKcndbp32.exeKkeldnpi.exeKqbdldnq.exeKcbnnpka.exeKqfngd32.exeLklbdm32.exeLqikmc32.exeLcjcnoej.exeLkalplel.exeLnohlgep.exeLekmnajj.exeLmgabcge.exeMjkblhfo.exeMepfiq32.exeMnhkbfme.exeMkmkkjko.exeMeepdp32.exedescription pid process target process PID 632 wrote to memory of 3856 632 048f294b52f09d67f330488ddedc7de0_NeikiAnalytics.exe Jgbjbp32.exe PID 632 wrote to memory of 3856 632 048f294b52f09d67f330488ddedc7de0_NeikiAnalytics.exe Jgbjbp32.exe PID 632 wrote to memory of 3856 632 048f294b52f09d67f330488ddedc7de0_NeikiAnalytics.exe Jgbjbp32.exe PID 3856 wrote to memory of 432 3856 Jgbjbp32.exe Jgeghp32.exe PID 3856 wrote to memory of 432 3856 Jgbjbp32.exe Jgeghp32.exe PID 3856 wrote to memory of 432 3856 Jgbjbp32.exe Jgeghp32.exe PID 432 wrote to memory of 2644 432 Jgeghp32.exe Kkpbin32.exe PID 432 wrote to memory of 2644 432 Jgeghp32.exe Kkpbin32.exe PID 432 wrote to memory of 2644 432 Jgeghp32.exe Kkpbin32.exe PID 2644 wrote to memory of 1368 2644 Kkpbin32.exe Knalji32.exe PID 2644 wrote to memory of 1368 2644 Kkpbin32.exe Knalji32.exe PID 2644 wrote to memory of 1368 2644 Kkpbin32.exe Knalji32.exe PID 1368 wrote to memory of 4496 1368 Knalji32.exe Kcndbp32.exe PID 1368 wrote to memory of 4496 1368 Knalji32.exe Kcndbp32.exe PID 1368 wrote to memory of 4496 1368 Knalji32.exe Kcndbp32.exe PID 4496 wrote to memory of 4064 4496 Kcndbp32.exe Kkeldnpi.exe PID 4496 wrote to memory of 4064 4496 Kcndbp32.exe Kkeldnpi.exe PID 4496 wrote to memory of 4064 4496 Kcndbp32.exe Kkeldnpi.exe PID 4064 wrote to memory of 4608 4064 Kkeldnpi.exe Kqbdldnq.exe PID 4064 wrote to memory of 4608 4064 Kkeldnpi.exe Kqbdldnq.exe PID 4064 wrote to memory of 4608 4064 Kkeldnpi.exe Kqbdldnq.exe PID 4608 wrote to memory of 2656 4608 Kqbdldnq.exe Kcbnnpka.exe PID 4608 wrote to memory of 2656 4608 Kqbdldnq.exe Kcbnnpka.exe PID 4608 wrote to memory of 2656 4608 Kqbdldnq.exe Kcbnnpka.exe PID 2656 wrote to memory of 3540 2656 Kcbnnpka.exe Kqfngd32.exe PID 2656 wrote to memory of 3540 2656 Kcbnnpka.exe Kqfngd32.exe PID 2656 wrote to memory of 3540 2656 Kcbnnpka.exe Kqfngd32.exe PID 3540 wrote to memory of 4548 3540 Kqfngd32.exe Lklbdm32.exe PID 3540 wrote to memory of 4548 3540 Kqfngd32.exe Lklbdm32.exe PID 3540 wrote to memory of 4548 3540 Kqfngd32.exe Lklbdm32.exe PID 4548 wrote to memory of 2532 4548 Lklbdm32.exe Lqikmc32.exe PID 4548 wrote to memory of 2532 4548 Lklbdm32.exe Lqikmc32.exe PID 4548 wrote to memory of 2532 4548 Lklbdm32.exe Lqikmc32.exe PID 2532 wrote to memory of 2364 2532 Lqikmc32.exe Lcjcnoej.exe PID 2532 wrote to memory of 2364 2532 Lqikmc32.exe Lcjcnoej.exe PID 2532 wrote to memory of 2364 2532 Lqikmc32.exe Lcjcnoej.exe PID 2364 wrote to memory of 3220 2364 Lcjcnoej.exe Lkalplel.exe PID 2364 wrote to memory of 3220 2364 Lcjcnoej.exe Lkalplel.exe PID 2364 wrote to memory of 3220 2364 Lcjcnoej.exe Lkalplel.exe PID 3220 wrote to memory of 2076 3220 Lkalplel.exe Lnohlgep.exe PID 3220 wrote to memory of 2076 3220 Lkalplel.exe Lnohlgep.exe PID 3220 wrote to memory of 2076 3220 Lkalplel.exe Lnohlgep.exe PID 2076 wrote to memory of 3548 2076 Lnohlgep.exe Lekmnajj.exe PID 2076 wrote to memory of 3548 2076 Lnohlgep.exe Lekmnajj.exe PID 2076 wrote to memory of 3548 2076 Lnohlgep.exe Lekmnajj.exe PID 3548 wrote to memory of 3216 3548 Lekmnajj.exe Lmgabcge.exe PID 3548 wrote to memory of 3216 3548 Lekmnajj.exe Lmgabcge.exe PID 3548 wrote to memory of 3216 3548 Lekmnajj.exe Lmgabcge.exe PID 3216 wrote to memory of 2324 3216 Lmgabcge.exe Mjkblhfo.exe PID 3216 wrote to memory of 2324 3216 Lmgabcge.exe Mjkblhfo.exe PID 3216 wrote to memory of 2324 3216 Lmgabcge.exe Mjkblhfo.exe PID 2324 wrote to memory of 1264 2324 Mjkblhfo.exe Mepfiq32.exe PID 2324 wrote to memory of 1264 2324 Mjkblhfo.exe Mepfiq32.exe PID 2324 wrote to memory of 1264 2324 Mjkblhfo.exe Mepfiq32.exe PID 1264 wrote to memory of 4680 1264 Mepfiq32.exe Mnhkbfme.exe PID 1264 wrote to memory of 4680 1264 Mepfiq32.exe Mnhkbfme.exe PID 1264 wrote to memory of 4680 1264 Mepfiq32.exe Mnhkbfme.exe PID 4680 wrote to memory of 628 4680 Mnhkbfme.exe Mkmkkjko.exe PID 4680 wrote to memory of 628 4680 Mnhkbfme.exe Mkmkkjko.exe PID 4680 wrote to memory of 628 4680 Mnhkbfme.exe Mkmkkjko.exe PID 628 wrote to memory of 1012 628 Mkmkkjko.exe Meepdp32.exe PID 628 wrote to memory of 1012 628 Mkmkkjko.exe Meepdp32.exe PID 628 wrote to memory of 1012 628 Mkmkkjko.exe Meepdp32.exe PID 1012 wrote to memory of 508 1012 Meepdp32.exe Mchppmij.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\048f294b52f09d67f330488ddedc7de0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\048f294b52f09d67f330488ddedc7de0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:632 -
C:\Windows\SysWOW64\Jgbjbp32.exeC:\Windows\system32\Jgbjbp32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3856 -
C:\Windows\SysWOW64\Jgeghp32.exeC:\Windows\system32\Jgeghp32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:432 -
C:\Windows\SysWOW64\Kkpbin32.exeC:\Windows\system32\Kkpbin32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Knalji32.exeC:\Windows\system32\Knalji32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Windows\SysWOW64\Kcndbp32.exeC:\Windows\system32\Kcndbp32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4496 -
C:\Windows\SysWOW64\Kkeldnpi.exeC:\Windows\system32\Kkeldnpi.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4064 -
C:\Windows\SysWOW64\Kqbdldnq.exeC:\Windows\system32\Kqbdldnq.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4608 -
C:\Windows\SysWOW64\Kcbnnpka.exeC:\Windows\system32\Kcbnnpka.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Kqfngd32.exeC:\Windows\system32\Kqfngd32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3540 -
C:\Windows\SysWOW64\Lklbdm32.exeC:\Windows\system32\Lklbdm32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548 -
C:\Windows\SysWOW64\Lqikmc32.exeC:\Windows\system32\Lqikmc32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Lcjcnoej.exeC:\Windows\system32\Lcjcnoej.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Lkalplel.exeC:\Windows\system32\Lkalplel.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3220 -
C:\Windows\SysWOW64\Lnohlgep.exeC:\Windows\system32\Lnohlgep.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\Lekmnajj.exeC:\Windows\system32\Lekmnajj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3548 -
C:\Windows\SysWOW64\Lmgabcge.exeC:\Windows\system32\Lmgabcge.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3216 -
C:\Windows\SysWOW64\Mjkblhfo.exeC:\Windows\system32\Mjkblhfo.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\Mepfiq32.exeC:\Windows\system32\Mepfiq32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Windows\SysWOW64\Mnhkbfme.exeC:\Windows\system32\Mnhkbfme.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4680 -
C:\Windows\SysWOW64\Mkmkkjko.exeC:\Windows\system32\Mkmkkjko.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:628 -
C:\Windows\SysWOW64\Meepdp32.exeC:\Windows\system32\Meepdp32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1012 -
C:\Windows\SysWOW64\Mchppmij.exeC:\Windows\system32\Mchppmij.exe23⤵
- Executes dropped EXE
PID:508 -
C:\Windows\SysWOW64\Megljppl.exeC:\Windows\system32\Megljppl.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Mjdebfnd.exeC:\Windows\system32\Mjdebfnd.exe25⤵
- Executes dropped EXE
PID:3268 -
C:\Windows\SysWOW64\Nclikl32.exeC:\Windows\system32\Nclikl32.exe26⤵
- Executes dropped EXE
PID:1304 -
C:\Windows\SysWOW64\Napjdpcn.exeC:\Windows\system32\Napjdpcn.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4580 -
C:\Windows\SysWOW64\Nlfnaicd.exeC:\Windows\system32\Nlfnaicd.exe28⤵
- Executes dropped EXE
PID:4124 -
C:\Windows\SysWOW64\Nlhkgi32.exeC:\Windows\system32\Nlhkgi32.exe29⤵
- Executes dropped EXE
PID:608 -
C:\Windows\SysWOW64\Nmigoagp.exeC:\Windows\system32\Nmigoagp.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2036 -
C:\Windows\SysWOW64\Nlkgmh32.exeC:\Windows\system32\Nlkgmh32.exe31⤵
- Executes dropped EXE
PID:4644 -
C:\Windows\SysWOW64\Ndflak32.exeC:\Windows\system32\Ndflak32.exe32⤵
- Executes dropped EXE
PID:4620 -
C:\Windows\SysWOW64\Nlmdbh32.exeC:\Windows\system32\Nlmdbh32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2308 -
C:\Windows\SysWOW64\Oeehkn32.exeC:\Windows\system32\Oeehkn32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4332 -
C:\Windows\SysWOW64\Ojbacd32.exeC:\Windows\system32\Ojbacd32.exe35⤵
- Executes dropped EXE
PID:3908 -
C:\Windows\SysWOW64\Onnmdcjm.exeC:\Windows\system32\Onnmdcjm.exe36⤵
- Executes dropped EXE
PID:4120 -
C:\Windows\SysWOW64\Oalipoiq.exeC:\Windows\system32\Oalipoiq.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2116 -
C:\Windows\SysWOW64\Odjeljhd.exeC:\Windows\system32\Odjeljhd.exe38⤵
- Executes dropped EXE
PID:3504 -
C:\Windows\SysWOW64\Olanmgig.exeC:\Windows\system32\Olanmgig.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:1892 -
C:\Windows\SysWOW64\Onpjichj.exeC:\Windows\system32\Onpjichj.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:3484 -
C:\Windows\SysWOW64\Oejbfmpg.exeC:\Windows\system32\Oejbfmpg.exe41⤵
- Executes dropped EXE
PID:4592 -
C:\Windows\SysWOW64\Ohhnbhok.exeC:\Windows\system32\Ohhnbhok.exe42⤵
- Executes dropped EXE
PID:1452 -
C:\Windows\SysWOW64\Ojgjndno.exeC:\Windows\system32\Ojgjndno.exe43⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Omegjomb.exeC:\Windows\system32\Omegjomb.exe44⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Olfghg32.exeC:\Windows\system32\Olfghg32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:4344 -
C:\Windows\SysWOW64\Oodcdb32.exeC:\Windows\system32\Oodcdb32.exe46⤵
- Executes dropped EXE
PID:3628 -
C:\Windows\SysWOW64\Oacoqnci.exeC:\Windows\system32\Oacoqnci.exe47⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Ohmhmh32.exeC:\Windows\system32\Ohmhmh32.exe48⤵
- Executes dropped EXE
PID:3944 -
C:\Windows\SysWOW64\Okkdic32.exeC:\Windows\system32\Okkdic32.exe49⤵
- Executes dropped EXE
PID:1360 -
C:\Windows\SysWOW64\Omjpeo32.exeC:\Windows\system32\Omjpeo32.exe50⤵
- Executes dropped EXE
PID:4224 -
C:\Windows\SysWOW64\Peahgl32.exeC:\Windows\system32\Peahgl32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1628 -
C:\Windows\SysWOW64\Phodcg32.exeC:\Windows\system32\Phodcg32.exe52⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Pknqoc32.exeC:\Windows\system32\Pknqoc32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2344 -
C:\Windows\SysWOW64\Pahilmoc.exeC:\Windows\system32\Pahilmoc.exe54⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Pdfehh32.exeC:\Windows\system32\Pdfehh32.exe55⤵
- Executes dropped EXE
PID:4988 -
C:\Windows\SysWOW64\Plmmif32.exeC:\Windows\system32\Plmmif32.exe56⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Pmoiqneg.exeC:\Windows\system32\Pmoiqneg.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4004 -
C:\Windows\SysWOW64\Pefabkej.exeC:\Windows\system32\Pefabkej.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4056 -
C:\Windows\SysWOW64\Pdhbmh32.exeC:\Windows\system32\Pdhbmh32.exe59⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Pkbjjbda.exeC:\Windows\system32\Pkbjjbda.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5132 -
C:\Windows\SysWOW64\Palbgl32.exeC:\Windows\system32\Palbgl32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:5172 -
C:\Windows\SysWOW64\Pdkoch32.exeC:\Windows\system32\Pdkoch32.exe62⤵
- Executes dropped EXE
PID:5212 -
C:\Windows\SysWOW64\Plbfdekd.exeC:\Windows\system32\Plbfdekd.exe63⤵
- Executes dropped EXE
PID:5248 -
C:\Windows\SysWOW64\Popbpqjh.exeC:\Windows\system32\Popbpqjh.exe64⤵
- Executes dropped EXE
PID:5292 -
C:\Windows\SysWOW64\Paoollik.exeC:\Windows\system32\Paoollik.exe65⤵
- Executes dropped EXE
PID:5332 -
C:\Windows\SysWOW64\Phigif32.exeC:\Windows\system32\Phigif32.exe66⤵PID:5372
-
C:\Windows\SysWOW64\Pldcjeia.exeC:\Windows\system32\Pldcjeia.exe67⤵
- Drops file in System32 directory
- Modifies registry class
PID:5412 -
C:\Windows\SysWOW64\Qmepam32.exeC:\Windows\system32\Qmepam32.exe68⤵PID:5452
-
C:\Windows\SysWOW64\Qemhbj32.exeC:\Windows\system32\Qemhbj32.exe69⤵
- Drops file in System32 directory
PID:5492 -
C:\Windows\SysWOW64\Qdphngfl.exeC:\Windows\system32\Qdphngfl.exe70⤵PID:5528
-
C:\Windows\SysWOW64\Qkipkani.exeC:\Windows\system32\Qkipkani.exe71⤵PID:5576
-
C:\Windows\SysWOW64\Qachgk32.exeC:\Windows\system32\Qachgk32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5612 -
C:\Windows\SysWOW64\Qdbdcg32.exeC:\Windows\system32\Qdbdcg32.exe73⤵PID:5652
-
C:\Windows\SysWOW64\Qklmpalf.exeC:\Windows\system32\Qklmpalf.exe74⤵
- Drops file in System32 directory
PID:5692 -
C:\Windows\SysWOW64\Amjillkj.exeC:\Windows\system32\Amjillkj.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5736 -
C:\Windows\SysWOW64\Ahpmjejp.exeC:\Windows\system32\Ahpmjejp.exe76⤵PID:5776
-
C:\Windows\SysWOW64\Aknifq32.exeC:\Windows\system32\Aknifq32.exe77⤵
- Modifies registry class
PID:5816 -
C:\Windows\SysWOW64\Aojefobm.exeC:\Windows\system32\Aojefobm.exe78⤵PID:5864
-
C:\Windows\SysWOW64\Aednci32.exeC:\Windows\system32\Aednci32.exe79⤵PID:5908
-
C:\Windows\SysWOW64\Aolblopj.exeC:\Windows\system32\Aolblopj.exe80⤵PID:5948
-
C:\Windows\SysWOW64\Adikdfna.exeC:\Windows\system32\Adikdfna.exe81⤵PID:5996
-
C:\Windows\SysWOW64\Alpbecod.exeC:\Windows\system32\Alpbecod.exe82⤵
- Modifies registry class
PID:6036 -
C:\Windows\SysWOW64\Aonoao32.exeC:\Windows\system32\Aonoao32.exe83⤵PID:6084
-
C:\Windows\SysWOW64\Ahgcjddh.exeC:\Windows\system32\Ahgcjddh.exe84⤵PID:6120
-
C:\Windows\SysWOW64\Albpkc32.exeC:\Windows\system32\Albpkc32.exe85⤵
- Modifies registry class
PID:5140 -
C:\Windows\SysWOW64\Aaohcj32.exeC:\Windows\system32\Aaohcj32.exe86⤵
- Drops file in System32 directory
PID:5260 -
C:\Windows\SysWOW64\Adndoe32.exeC:\Windows\system32\Adndoe32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5360 -
C:\Windows\SysWOW64\Alelqb32.exeC:\Windows\system32\Alelqb32.exe88⤵PID:5444
-
C:\Windows\SysWOW64\Bochmn32.exeC:\Windows\system32\Bochmn32.exe89⤵PID:5516
-
C:\Windows\SysWOW64\Baadiiif.exeC:\Windows\system32\Baadiiif.exe90⤵PID:5600
-
C:\Windows\SysWOW64\Bemqih32.exeC:\Windows\system32\Bemqih32.exe91⤵
- Modifies registry class
PID:5676 -
C:\Windows\SysWOW64\Bdpaeehj.exeC:\Windows\system32\Bdpaeehj.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5716 -
C:\Windows\SysWOW64\Blgifbil.exeC:\Windows\system32\Blgifbil.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5828 -
C:\Windows\SysWOW64\Bkjiao32.exeC:\Windows\system32\Bkjiao32.exe94⤵PID:5900
-
C:\Windows\SysWOW64\Badanigc.exeC:\Windows\system32\Badanigc.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5968 -
C:\Windows\SysWOW64\Bdbnjdfg.exeC:\Windows\system32\Bdbnjdfg.exe96⤵PID:6044
-
C:\Windows\SysWOW64\Blielbfi.exeC:\Windows\system32\Blielbfi.exe97⤵PID:6108
-
C:\Windows\SysWOW64\Bafndi32.exeC:\Windows\system32\Bafndi32.exe98⤵
- Drops file in System32 directory
PID:5240 -
C:\Windows\SysWOW64\Bhpfqcln.exeC:\Windows\system32\Bhpfqcln.exe99⤵PID:5404
-
C:\Windows\SysWOW64\Bllbaa32.exeC:\Windows\system32\Bllbaa32.exe100⤵PID:5468
-
C:\Windows\SysWOW64\Bojomm32.exeC:\Windows\system32\Bojomm32.exe101⤵PID:5560
-
C:\Windows\SysWOW64\Bhbcfbjk.exeC:\Windows\system32\Bhbcfbjk.exe102⤵
- Drops file in System32 directory
PID:5720 -
C:\Windows\SysWOW64\Bkaobnio.exeC:\Windows\system32\Bkaobnio.exe103⤵PID:5924
-
C:\Windows\SysWOW64\Bakgoh32.exeC:\Windows\system32\Bakgoh32.exe104⤵PID:5984
-
C:\Windows\SysWOW64\Bffcpg32.exeC:\Windows\system32\Bffcpg32.exe105⤵PID:6072
-
C:\Windows\SysWOW64\Bheplb32.exeC:\Windows\system32\Bheplb32.exe106⤵PID:1268
-
C:\Windows\SysWOW64\Ckclhn32.exeC:\Windows\system32\Ckclhn32.exe107⤵PID:5540
-
C:\Windows\SysWOW64\Cnahdi32.exeC:\Windows\system32\Cnahdi32.exe108⤵PID:5204
-
C:\Windows\SysWOW64\Cfipef32.exeC:\Windows\system32\Cfipef32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5288 -
C:\Windows\SysWOW64\Chglab32.exeC:\Windows\system32\Chglab32.exe110⤵PID:5536
-
C:\Windows\SysWOW64\Ckeimm32.exeC:\Windows\system32\Ckeimm32.exe111⤵PID:6080
-
C:\Windows\SysWOW64\Coadnlnb.exeC:\Windows\system32\Coadnlnb.exe112⤵
- Modifies registry class
PID:5608 -
C:\Windows\SysWOW64\Cfkmkf32.exeC:\Windows\system32\Cfkmkf32.exe113⤵PID:3608
-
C:\Windows\SysWOW64\Cdnmfclj.exeC:\Windows\system32\Cdnmfclj.exe114⤵PID:5420
-
C:\Windows\SysWOW64\Cleegp32.exeC:\Windows\system32\Cleegp32.exe115⤵PID:6192
-
C:\Windows\SysWOW64\Cocacl32.exeC:\Windows\system32\Cocacl32.exe116⤵PID:6232
-
C:\Windows\SysWOW64\Cnfaohbj.exeC:\Windows\system32\Cnfaohbj.exe117⤵PID:6276
-
C:\Windows\SysWOW64\Cfnjpfcl.exeC:\Windows\system32\Cfnjpfcl.exe118⤵
- Modifies registry class
PID:6320 -
C:\Windows\SysWOW64\Clgbmp32.exeC:\Windows\system32\Clgbmp32.exe119⤵
- Drops file in System32 directory
PID:6364 -
C:\Windows\SysWOW64\Ckjbhmad.exeC:\Windows\system32\Ckjbhmad.exe120⤵PID:6404
-
C:\Windows\SysWOW64\Cbdjeg32.exeC:\Windows\system32\Cbdjeg32.exe121⤵PID:6452
-
C:\Windows\SysWOW64\Cdbfab32.exeC:\Windows\system32\Cdbfab32.exe122⤵PID:6492
-
C:\Windows\SysWOW64\Cljobphg.exeC:\Windows\system32\Cljobphg.exe123⤵PID:6540
-
C:\Windows\SysWOW64\Ckmonl32.exeC:\Windows\system32\Ckmonl32.exe124⤵PID:6584
-
C:\Windows\SysWOW64\Cdecgbfa.exeC:\Windows\system32\Cdecgbfa.exe125⤵PID:6640
-
C:\Windows\SysWOW64\Dkokcl32.exeC:\Windows\system32\Dkokcl32.exe126⤵PID:6692
-
C:\Windows\SysWOW64\Dfdpad32.exeC:\Windows\system32\Dfdpad32.exe127⤵PID:6736
-
C:\Windows\SysWOW64\Ddgplado.exeC:\Windows\system32\Ddgplado.exe128⤵PID:6784
-
C:\Windows\SysWOW64\Dkahilkl.exeC:\Windows\system32\Dkahilkl.exe129⤵PID:6828
-
C:\Windows\SysWOW64\Dnpdegjp.exeC:\Windows\system32\Dnpdegjp.exe130⤵
- Modifies registry class
PID:6872 -
C:\Windows\SysWOW64\Ddjmba32.exeC:\Windows\system32\Ddjmba32.exe131⤵PID:6916
-
C:\Windows\SysWOW64\Dmadco32.exeC:\Windows\system32\Dmadco32.exe132⤵PID:6960
-
C:\Windows\SysWOW64\Dooaoj32.exeC:\Windows\system32\Dooaoj32.exe133⤵PID:7016
-
C:\Windows\SysWOW64\Dnbakghm.exeC:\Windows\system32\Dnbakghm.exe134⤵PID:7064
-
C:\Windows\SysWOW64\Dfiildio.exeC:\Windows\system32\Dfiildio.exe135⤵PID:7120
-
C:\Windows\SysWOW64\Digehphc.exeC:\Windows\system32\Digehphc.exe136⤵PID:5500
-
C:\Windows\SysWOW64\Dkfadkgf.exeC:\Windows\system32\Dkfadkgf.exe137⤵PID:6240
-
C:\Windows\SysWOW64\Dflfac32.exeC:\Windows\system32\Dflfac32.exe138⤵PID:6340
-
C:\Windows\SysWOW64\Dijbno32.exeC:\Windows\system32\Dijbno32.exe139⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6392 -
C:\Windows\SysWOW64\Dkhnjk32.exeC:\Windows\system32\Dkhnjk32.exe140⤵PID:6512
-
C:\Windows\SysWOW64\Dngjff32.exeC:\Windows\system32\Dngjff32.exe141⤵PID:6648
-
C:\Windows\SysWOW64\Dbbffdlq.exeC:\Windows\system32\Dbbffdlq.exe142⤵PID:6748
-
C:\Windows\SysWOW64\Eiloco32.exeC:\Windows\system32\Eiloco32.exe143⤵PID:6804
-
C:\Windows\SysWOW64\Ekkkoj32.exeC:\Windows\system32\Ekkkoj32.exe144⤵PID:6864
-
C:\Windows\SysWOW64\Ebdcld32.exeC:\Windows\system32\Ebdcld32.exe145⤵
- Modifies registry class
PID:6952 -
C:\Windows\SysWOW64\Efpomccg.exeC:\Windows\system32\Efpomccg.exe146⤵PID:7056
-
C:\Windows\SysWOW64\Eiokinbk.exeC:\Windows\system32\Eiokinbk.exe147⤵PID:7104
-
C:\Windows\SysWOW64\Emjgim32.exeC:\Windows\system32\Emjgim32.exe148⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6172 -
C:\Windows\SysWOW64\Eoideh32.exeC:\Windows\system32\Eoideh32.exe149⤵PID:6400
-
C:\Windows\SysWOW64\Ebgpad32.exeC:\Windows\system32\Ebgpad32.exe150⤵PID:6548
-
C:\Windows\SysWOW64\Eeelnp32.exeC:\Windows\system32\Eeelnp32.exe151⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6724 -
C:\Windows\SysWOW64\Eokqkh32.exeC:\Windows\system32\Eokqkh32.exe152⤵
- Drops file in System32 directory
PID:6868 -
C:\Windows\SysWOW64\Ebimgcfi.exeC:\Windows\system32\Ebimgcfi.exe153⤵PID:6900
-
C:\Windows\SysWOW64\Eehicoel.exeC:\Windows\system32\Eehicoel.exe154⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7076 -
C:\Windows\SysWOW64\Eicedn32.exeC:\Windows\system32\Eicedn32.exe155⤵PID:6224
-
C:\Windows\SysWOW64\Ekaapi32.exeC:\Windows\system32\Ekaapi32.exe156⤵PID:6484
-
C:\Windows\SysWOW64\Enpmld32.exeC:\Windows\system32\Enpmld32.exe157⤵PID:5764
-
C:\Windows\SysWOW64\Eejeiocj.exeC:\Windows\system32\Eejeiocj.exe158⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6616 -
C:\Windows\SysWOW64\Eifaim32.exeC:\Windows\system32\Eifaim32.exe159⤵
- Drops file in System32 directory
- Modifies registry class
PID:6932 -
C:\Windows\SysWOW64\Emanjldl.exeC:\Windows\system32\Emanjldl.exe160⤵PID:7100
-
C:\Windows\SysWOW64\Eppjfgcp.exeC:\Windows\system32\Eppjfgcp.exe161⤵
- Drops file in System32 directory
PID:6620 -
C:\Windows\SysWOW64\Enbjad32.exeC:\Windows\system32\Enbjad32.exe162⤵
- Modifies registry class
PID:5796 -
C:\Windows\SysWOW64\Efjbcakl.exeC:\Windows\system32\Efjbcakl.exe163⤵
- Drops file in System32 directory
- Modifies registry class
PID:7008 -
C:\Windows\SysWOW64\Fihnomjp.exeC:\Windows\system32\Fihnomjp.exe164⤵PID:5160
-
C:\Windows\SysWOW64\Fmcjpl32.exeC:\Windows\system32\Fmcjpl32.exe165⤵PID:7024
-
C:\Windows\SysWOW64\Fpbflg32.exeC:\Windows\system32\Fpbflg32.exe166⤵PID:7012
-
C:\Windows\SysWOW64\Feoodn32.exeC:\Windows\system32\Feoodn32.exe167⤵PID:6264
-
C:\Windows\SysWOW64\Fmfgek32.exeC:\Windows\system32\Fmfgek32.exe168⤵PID:5568
-
C:\Windows\SysWOW64\Fligqhga.exeC:\Windows\system32\Fligqhga.exe169⤵PID:7176
-
C:\Windows\SysWOW64\Fngcmcfe.exeC:\Windows\system32\Fngcmcfe.exe170⤵PID:7220
-
C:\Windows\SysWOW64\Fealin32.exeC:\Windows\system32\Fealin32.exe171⤵
- Modifies registry class
PID:7264 -
C:\Windows\SysWOW64\Fmhdkknd.exeC:\Windows\system32\Fmhdkknd.exe172⤵PID:7304
-
C:\Windows\SysWOW64\Fnipbc32.exeC:\Windows\system32\Fnipbc32.exe173⤵PID:7348
-
C:\Windows\SysWOW64\Ffqhcq32.exeC:\Windows\system32\Ffqhcq32.exe174⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7388 -
C:\Windows\SysWOW64\Fiodpl32.exeC:\Windows\system32\Fiodpl32.exe175⤵PID:7432
-
C:\Windows\SysWOW64\Fpimlfke.exeC:\Windows\system32\Fpimlfke.exe176⤵PID:7476
-
C:\Windows\SysWOW64\Fefedmil.exeC:\Windows\system32\Fefedmil.exe177⤵
- Drops file in System32 directory
PID:7516 -
C:\Windows\SysWOW64\Flpmagqi.exeC:\Windows\system32\Flpmagqi.exe178⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7560 -
C:\Windows\SysWOW64\Fbjena32.exeC:\Windows\system32\Fbjena32.exe179⤵PID:7600
-
C:\Windows\SysWOW64\Gfeaopqo.exeC:\Windows\system32\Gfeaopqo.exe180⤵PID:7640
-
C:\Windows\SysWOW64\Gidnkkpc.exeC:\Windows\system32\Gidnkkpc.exe181⤵PID:7680
-
C:\Windows\SysWOW64\Glbjggof.exeC:\Windows\system32\Glbjggof.exe182⤵PID:7728
-
C:\Windows\SysWOW64\Gpnfge32.exeC:\Windows\system32\Gpnfge32.exe183⤵
- Modifies registry class
PID:7780 -
C:\Windows\SysWOW64\Gnqfcbnj.exeC:\Windows\system32\Gnqfcbnj.exe184⤵PID:7820
-
C:\Windows\SysWOW64\Gfhndpol.exeC:\Windows\system32\Gfhndpol.exe185⤵PID:7868
-
C:\Windows\SysWOW64\Gejopl32.exeC:\Windows\system32\Gejopl32.exe186⤵PID:7904
-
C:\Windows\SysWOW64\Gmafajfi.exeC:\Windows\system32\Gmafajfi.exe187⤵PID:7952
-
C:\Windows\SysWOW64\Gppcmeem.exeC:\Windows\system32\Gppcmeem.exe188⤵PID:7996
-
C:\Windows\SysWOW64\Gncchb32.exeC:\Windows\system32\Gncchb32.exe189⤵
- Drops file in System32 directory
PID:8040 -
C:\Windows\SysWOW64\Gfjkjo32.exeC:\Windows\system32\Gfjkjo32.exe190⤵
- Modifies registry class
PID:8084 -
C:\Windows\SysWOW64\Glgcbf32.exeC:\Windows\system32\Glgcbf32.exe191⤵PID:8124
-
C:\Windows\SysWOW64\Gpbpbecj.exeC:\Windows\system32\Gpbpbecj.exe192⤵PID:8168
-
C:\Windows\SysWOW64\Gbalopbn.exeC:\Windows\system32\Gbalopbn.exe193⤵
- Drops file in System32 directory
- Modifies registry class
PID:6220 -
C:\Windows\SysWOW64\Gflhoo32.exeC:\Windows\system32\Gflhoo32.exe194⤵PID:7272
-
C:\Windows\SysWOW64\Gikdkj32.exeC:\Windows\system32\Gikdkj32.exe195⤵PID:7312
-
C:\Windows\SysWOW64\Gmfplibd.exeC:\Windows\system32\Gmfplibd.exe196⤵PID:7380
-
C:\Windows\SysWOW64\Gpelhd32.exeC:\Windows\system32\Gpelhd32.exe197⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7456 -
C:\Windows\SysWOW64\Goglcahb.exeC:\Windows\system32\Goglcahb.exe198⤵PID:7508
-
C:\Windows\SysWOW64\Gfodeohd.exeC:\Windows\system32\Gfodeohd.exe199⤵PID:7588
-
C:\Windows\SysWOW64\Gmimai32.exeC:\Windows\system32\Gmimai32.exe200⤵PID:7668
-
C:\Windows\SysWOW64\Gojiiafp.exeC:\Windows\system32\Gojiiafp.exe201⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7756 -
C:\Windows\SysWOW64\Hlnjbedi.exeC:\Windows\system32\Hlnjbedi.exe202⤵
- Modifies registry class
PID:7828 -
C:\Windows\SysWOW64\Hpiecd32.exeC:\Windows\system32\Hpiecd32.exe203⤵PID:7896
-
C:\Windows\SysWOW64\Hibjli32.exeC:\Windows\system32\Hibjli32.exe204⤵
- Modifies registry class
PID:7972 -
C:\Windows\SysWOW64\Hoobdp32.exeC:\Windows\system32\Hoobdp32.exe205⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:8032 -
C:\Windows\SysWOW64\Hmpcbhji.exeC:\Windows\system32\Hmpcbhji.exe206⤵PID:8104
-
C:\Windows\SysWOW64\Hpnoncim.exeC:\Windows\system32\Hpnoncim.exe207⤵
- Modifies registry class
PID:8176 -
C:\Windows\SysWOW64\Hblkjo32.exeC:\Windows\system32\Hblkjo32.exe208⤵PID:7228
-
C:\Windows\SysWOW64\Hekgfj32.exeC:\Windows\system32\Hekgfj32.exe209⤵PID:7344
-
C:\Windows\SysWOW64\Hpqldc32.exeC:\Windows\system32\Hpqldc32.exe210⤵PID:7428
-
C:\Windows\SysWOW64\Hemdlj32.exeC:\Windows\system32\Hemdlj32.exe211⤵PID:7568
-
C:\Windows\SysWOW64\Hlglidlo.exeC:\Windows\system32\Hlglidlo.exe212⤵PID:7664
-
C:\Windows\SysWOW64\Hoeieolb.exeC:\Windows\system32\Hoeieolb.exe213⤵PID:988
-
C:\Windows\SysWOW64\Ifmqfm32.exeC:\Windows\system32\Ifmqfm32.exe214⤵PID:4352
-
C:\Windows\SysWOW64\Iliinc32.exeC:\Windows\system32\Iliinc32.exe215⤵PID:7716
-
C:\Windows\SysWOW64\Ibcaknbi.exeC:\Windows\system32\Ibcaknbi.exe216⤵PID:7844
-
C:\Windows\SysWOW64\Illfdc32.exeC:\Windows\system32\Illfdc32.exe217⤵PID:7876
-
C:\Windows\SysWOW64\Iojbpo32.exeC:\Windows\system32\Iojbpo32.exe218⤵PID:8008
-
C:\Windows\SysWOW64\Iipfmggc.exeC:\Windows\system32\Iipfmggc.exe219⤵
- Modifies registry class
PID:8136 -
C:\Windows\SysWOW64\Ilnbicff.exeC:\Windows\system32\Ilnbicff.exe220⤵PID:7288
-
C:\Windows\SysWOW64\Iomoenej.exeC:\Windows\system32\Iomoenej.exe221⤵
- Drops file in System32 directory
- Modifies registry class
PID:7540 -
C:\Windows\SysWOW64\Iibccgep.exeC:\Windows\system32\Iibccgep.exe222⤵PID:1880
-
C:\Windows\SysWOW64\Ioolkncg.exeC:\Windows\system32\Ioolkncg.exe223⤵PID:6820
-
C:\Windows\SysWOW64\Ieidhh32.exeC:\Windows\system32\Ieidhh32.exe224⤵PID:7736
-
C:\Windows\SysWOW64\Ilcldb32.exeC:\Windows\system32\Ilcldb32.exe225⤵PID:7916
-
C:\Windows\SysWOW64\Joahqn32.exeC:\Windows\system32\Joahqn32.exe226⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:8092 -
C:\Windows\SysWOW64\Jmbhoeid.exeC:\Windows\system32\Jmbhoeid.exe227⤵PID:7440
-
C:\Windows\SysWOW64\Jgkmgk32.exeC:\Windows\system32\Jgkmgk32.exe228⤵PID:7628
-
C:\Windows\SysWOW64\Jpcapp32.exeC:\Windows\system32\Jpcapp32.exe229⤵PID:3900
-
C:\Windows\SysWOW64\Jofalmmp.exeC:\Windows\system32\Jofalmmp.exe230⤵
- Modifies registry class
PID:7960 -
C:\Windows\SysWOW64\Jljbeali.exeC:\Windows\system32\Jljbeali.exe231⤵PID:7356
-
C:\Windows\SysWOW64\Jgpfbjlo.exeC:\Windows\system32\Jgpfbjlo.exe232⤵PID:3112
-
C:\Windows\SysWOW64\Jphkkpbp.exeC:\Windows\system32\Jphkkpbp.exe233⤵PID:8116
-
C:\Windows\SysWOW64\Kpjgaoqm.exeC:\Windows\system32\Kpjgaoqm.exe234⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7596 -
C:\Windows\SysWOW64\Kegpifod.exeC:\Windows\system32\Kegpifod.exe235⤵PID:7592
-
C:\Windows\SysWOW64\Klahfp32.exeC:\Windows\system32\Klahfp32.exe236⤵
- Drops file in System32 directory
PID:7324 -
C:\Windows\SysWOW64\Kckqbj32.exeC:\Windows\system32\Kckqbj32.exe237⤵
- Modifies registry class
PID:7712 -
C:\Windows\SysWOW64\Kpoalo32.exeC:\Windows\system32\Kpoalo32.exe238⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:8212 -
C:\Windows\SysWOW64\Kgiiiidd.exeC:\Windows\system32\Kgiiiidd.exe239⤵PID:8252
-
C:\Windows\SysWOW64\Kflide32.exeC:\Windows\system32\Kflide32.exe240⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:8300 -
C:\Windows\SysWOW64\Kpanan32.exeC:\Windows\system32\Kpanan32.exe241⤵PID:8348
-
C:\Windows\SysWOW64\Kcpjnjii.exeC:\Windows\system32\Kcpjnjii.exe242⤵PID:8392