Analysis
max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-05-2024 15:30
Behavioral task: behavioral1
Sample: 22ba5b7d0429dab421d2cf588bd2bcf0_NeikiAnalytics.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 22ba5b7d0429dab421d2cf588bd2bcf0_NeikiAnalytics.exe
Resource: win10v2004-20240226-en
General
Target: 22ba5b7d0429dab421d2cf588bd2bcf0_NeikiAnalytics.exe
Size: 1.3MB
MD5: 22ba5b7d0429dab421d2cf588bd2bcf0
SHA1: 35cd0f0a318e1593ef4b75851c57b62d98dcd4b4
SHA256: 0513f94f6dd484d6248a5b7723f37b87ff344c5759222de904dff432fd6e4fab
SHA512: aa348a7b81b713efd3856c318c32ddb6df95bd325c8cf5f47b6da0f08fec4ea76aa2e3f9abbd846d1acb53fbfca85d8a5d527f36d77ba717cf63d6cf8f9067db
SSDEEP: 24576:cIXgvr4B9f01ZmQvrb91v92W9C05wkEPSOdKkrzEoxrC9toC9Dq9onk8:cIwkB9f0VP91v92W805IPSOdKgzEoxrS
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Processes:
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan with the capability to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Processes:
Executes dropped EXE (64 IoCs)
Processes:
Drops file in System32 directory (64 IoCs)
Processes:
Modifies registry class (64 IoCs)
Processes:
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\22ba5b7d0429dab421d2cf588bd2bcf0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\22ba5b7d0429dab421d2cf588bd2bcf0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:636 -
C:\Windows\SysWOW64\Jghpbk32.exeC:\Windows\system32\Jghpbk32.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4896 -
C:\Windows\SysWOW64\Klahfp32.exeC:\Windows\system32\Klahfp32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:840 -
C:\Windows\SysWOW64\Kofkbk32.exeC:\Windows\system32\Kofkbk32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Llodgnja.exeC:\Windows\system32\Llodgnja.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3388 -
C:\Windows\SysWOW64\Ocohmc32.exeC:\Windows\system32\Ocohmc32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
C:\Windows\SysWOW64\Akkffkhk.exeC:\Windows\system32\Akkffkhk.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3296 -
C:\Windows\SysWOW64\Amqhbe32.exeC:\Windows\system32\Amqhbe32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1284 -
C:\Windows\SysWOW64\Bhmbqm32.exeC:\Windows\system32\Bhmbqm32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036 -
C:\Windows\SysWOW64\Bkphhgfc.exeC:\Windows\system32\Bkphhgfc.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1364 -
C:\Windows\SysWOW64\Cdpcal32.exeC:\Windows\system32\Cdpcal32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:796 -
C:\Windows\SysWOW64\Dgcihgaj.exeC:\Windows\system32\Dgcihgaj.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1396 -
C:\Windows\SysWOW64\Dqbcbkab.exeC:\Windows\system32\Dqbcbkab.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3656 -
C:\Windows\SysWOW64\Fnbcgn32.exeC:\Windows\system32\Fnbcgn32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3784 -
C:\Windows\SysWOW64\Fgcjfbed.exeC:\Windows\system32\Fgcjfbed.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3804 -
C:\Windows\SysWOW64\Heegad32.exeC:\Windows\system32\Heegad32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4748 -
C:\Windows\SysWOW64\Hemmac32.exeC:\Windows\system32\Hemmac32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
C:\Windows\SysWOW64\Ipdndloi.exeC:\Windows\system32\Ipdndloi.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Iolhkh32.exeC:\Windows\system32\Iolhkh32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4744 -
C:\Windows\SysWOW64\Jeapcq32.exeC:\Windows\system32\Jeapcq32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4388 -
C:\Windows\SysWOW64\Kheekkjl.exeC:\Windows\system32\Kheekkjl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Khiofk32.exeC:\Windows\system32\Khiofk32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Kadpdp32.exeC:\Windows\system32\Kadpdp32.exe23⤵
- Executes dropped EXE
PID:4600 -
C:\Windows\SysWOW64\Lhcali32.exeC:\Windows\system32\Lhcali32.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:4256 -
C:\Windows\SysWOW64\Loacdc32.exeC:\Windows\system32\Loacdc32.exe25⤵
- Executes dropped EXE
PID:3180 -
C:\Windows\SysWOW64\Mjidgkog.exeC:\Windows\system32\Mjidgkog.exe26⤵
- Executes dropped EXE
PID:1260 -
C:\Windows\SysWOW64\Mcfbkpab.exeC:\Windows\system32\Mcfbkpab.exe27⤵
- Executes dropped EXE
PID:5040 -
C:\Windows\SysWOW64\Nmaciefp.exeC:\Windows\system32\Nmaciefp.exe28⤵
- Executes dropped EXE
PID:4936 -
C:\Windows\SysWOW64\Njjmni32.exeC:\Windows\system32\Njjmni32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4928 -
C:\Windows\SysWOW64\Obgohklm.exeC:\Windows\system32\Obgohklm.exe30⤵
- Executes dropped EXE
- Modifies registry class
PID:4232 -
C:\Windows\SysWOW64\Obnehj32.exeC:\Windows\system32\Obnehj32.exe31⤵
- Executes dropped EXE
PID:556 -
C:\Windows\SysWOW64\Omfekbdh.exeC:\Windows\system32\Omfekbdh.exe32⤵
- Executes dropped EXE
PID:3812 -
C:\Windows\SysWOW64\Ppikbm32.exeC:\Windows\system32\Ppikbm32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2912 -
C:\Windows\SysWOW64\Pbjddh32.exeC:\Windows\system32\Pbjddh32.exe34⤵
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\Afockelf.exeC:\Windows\system32\Afockelf.exe35⤵
- Executes dropped EXE
PID:3864 -
C:\Windows\SysWOW64\Amkhmoap.exeC:\Windows\system32\Amkhmoap.exe36⤵
- Executes dropped EXE
PID:4772 -
C:\Windows\SysWOW64\Aibibp32.exeC:\Windows\system32\Aibibp32.exe37⤵
- Executes dropped EXE
PID:3800 -
C:\Windows\SysWOW64\Apnndj32.exeC:\Windows\system32\Apnndj32.exe38⤵
- Executes dropped EXE
PID:3168 -
C:\Windows\SysWOW64\Bboffejp.exeC:\Windows\system32\Bboffejp.exe39⤵
- Executes dropped EXE
PID:3584 -
C:\Windows\SysWOW64\Bkmeha32.exeC:\Windows\system32\Bkmeha32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2668 -
C:\Windows\SysWOW64\Bbhildae.exeC:\Windows\system32\Bbhildae.exe41⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Cdhffg32.exeC:\Windows\system32\Cdhffg32.exe42⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Cdjblf32.exeC:\Windows\system32\Cdjblf32.exe43⤵
- Executes dropped EXE
PID:3488 -
C:\Windows\SysWOW64\Cancekeo.exeC:\Windows\system32\Cancekeo.exe44⤵
- Executes dropped EXE
PID:3120 -
C:\Windows\SysWOW64\Cmedjl32.exeC:\Windows\system32\Cmedjl32.exe45⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Dinael32.exeC:\Windows\system32\Dinael32.exe46⤵
- Executes dropped EXE
PID:3340 -
C:\Windows\SysWOW64\Dgbanq32.exeC:\Windows\system32\Dgbanq32.exe47⤵
- Executes dropped EXE
PID:4872 -
C:\Windows\SysWOW64\Ddfbgelh.exeC:\Windows\system32\Ddfbgelh.exe48⤵PID:1572
-
C:\Windows\SysWOW64\Dickplko.exeC:\Windows\system32\Dickplko.exe49⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Dkbgjo32.exeC:\Windows\system32\Dkbgjo32.exe50⤵
- Executes dropped EXE
PID:4704 -
C:\Windows\SysWOW64\Dgihop32.exeC:\Windows\system32\Dgihop32.exe51⤵
- Executes dropped EXE
PID:5016 -
C:\Windows\SysWOW64\Ekgqennl.exeC:\Windows\system32\Ekgqennl.exe52⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Egnajocq.exeC:\Windows\system32\Egnajocq.exe53⤵
- Executes dropped EXE
PID:748 -
C:\Windows\SysWOW64\Enjfli32.exeC:\Windows\system32\Enjfli32.exe54⤵
- Executes dropped EXE
PID:4476 -
C:\Windows\SysWOW64\Egbken32.exeC:\Windows\system32\Egbken32.exe55⤵
- Executes dropped EXE
PID:3124 -
C:\Windows\SysWOW64\Eqkondfl.exeC:\Windows\system32\Eqkondfl.exe56⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Ejccgi32.exeC:\Windows\system32\Ejccgi32.exe57⤵
- Executes dropped EXE
PID:3580 -
C:\Windows\SysWOW64\Fclhpo32.exeC:\Windows\system32\Fclhpo32.exe58⤵
- Executes dropped EXE
PID:3152 -
C:\Windows\SysWOW64\Fnalmh32.exeC:\Windows\system32\Fnalmh32.exe59⤵
- Executes dropped EXE
PID:4596 -
C:\Windows\SysWOW64\Fgiaemic.exeC:\Windows\system32\Fgiaemic.exe60⤵
- Executes dropped EXE
PID:392 -
C:\Windows\SysWOW64\Fqbeoc32.exeC:\Windows\system32\Fqbeoc32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1484 -
C:\Windows\SysWOW64\Fjjjgh32.exeC:\Windows\system32\Fjjjgh32.exe62⤵
- Executes dropped EXE
PID:228 -
C:\Windows\SysWOW64\Fcbnpnme.exeC:\Windows\system32\Fcbnpnme.exe63⤵
- Executes dropped EXE
PID:912 -
C:\Windows\SysWOW64\Fbdnne32.exeC:\Windows\system32\Fbdnne32.exe64⤵
- Executes dropped EXE
PID:4336 -
C:\Windows\SysWOW64\Fgqgfl32.exeC:\Windows\system32\Fgqgfl32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:640 -
C:\Windows\SysWOW64\Fqikob32.exeC:\Windows\system32\Fqikob32.exe66⤵
- Executes dropped EXE
PID:4560 -
C:\Windows\SysWOW64\Gnmlhf32.exeC:\Windows\system32\Gnmlhf32.exe67⤵PID:4036
-
C:\Windows\SysWOW64\Gcjdam32.exeC:\Windows\system32\Gcjdam32.exe68⤵PID:1112
-
C:\Windows\SysWOW64\Gclafmej.exeC:\Windows\system32\Gclafmej.exe69⤵PID:1440
-
C:\Windows\SysWOW64\Gdknpp32.exeC:\Windows\system32\Gdknpp32.exe70⤵
- Modifies registry class
PID:4952 -
C:\Windows\SysWOW64\Gkhbbi32.exeC:\Windows\system32\Gkhbbi32.exe71⤵PID:2324
-
C:\Windows\SysWOW64\Hepgkohh.exeC:\Windows\system32\Hepgkohh.exe72⤵PID:4824
-
C:\Windows\SysWOW64\Hnhkdd32.exeC:\Windows\system32\Hnhkdd32.exe73⤵
- Drops file in System32 directory
PID:4272 -
C:\Windows\SysWOW64\Hgapmj32.exeC:\Windows\system32\Hgapmj32.exe74⤵PID:5100
-
C:\Windows\SysWOW64\Hgcmbj32.exeC:\Windows\system32\Hgcmbj32.exe75⤵PID:2628
-
C:\Windows\SysWOW64\Hghfnioq.exeC:\Windows\system32\Hghfnioq.exe76⤵PID:1152
-
C:\Windows\SysWOW64\Iabglnco.exeC:\Windows\system32\Iabglnco.exe77⤵PID:2068
-
C:\Windows\SysWOW64\Iaedanal.exeC:\Windows\system32\Iaedanal.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2220 -
C:\Windows\SysWOW64\Ibgmaqfl.exeC:\Windows\system32\Ibgmaqfl.exe79⤵PID:4124
-
C:\Windows\SysWOW64\Jaljbmkd.exeC:\Windows\system32\Jaljbmkd.exe80⤵PID:3084
-
C:\Windows\SysWOW64\Jjdokb32.exeC:\Windows\system32\Jjdokb32.exe81⤵PID:5124
-
C:\Windows\SysWOW64\Jhhodg32.exeC:\Windows\system32\Jhhodg32.exe82⤵PID:5168
-
C:\Windows\SysWOW64\Jeolckne.exeC:\Windows\system32\Jeolckne.exe83⤵PID:5208
-
C:\Windows\SysWOW64\Jhoeef32.exeC:\Windows\system32\Jhoeef32.exe84⤵PID:5252
-
C:\Windows\SysWOW64\Kbgfhnhi.exeC:\Windows\system32\Kbgfhnhi.exe85⤵PID:5304
-
C:\Windows\SysWOW64\Khfkfedn.exeC:\Windows\system32\Khfkfedn.exe86⤵PID:5352
-
C:\Windows\SysWOW64\Kkgdhp32.exeC:\Windows\system32\Kkgdhp32.exe87⤵PID:5424
-
C:\Windows\SysWOW64\Khkdad32.exeC:\Windows\system32\Khkdad32.exe88⤵PID:5484
-
C:\Windows\SysWOW64\Llimgb32.exeC:\Windows\system32\Llimgb32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5524 -
C:\Windows\SysWOW64\Leabphmp.exeC:\Windows\system32\Leabphmp.exe90⤵PID:5568
-
C:\Windows\SysWOW64\Lhdggb32.exeC:\Windows\system32\Lhdggb32.exe91⤵PID:5608
-
C:\Windows\SysWOW64\Mhiabbdi.exeC:\Windows\system32\Mhiabbdi.exe92⤵PID:5672
-
C:\Windows\SysWOW64\Mlifnphl.exeC:\Windows\system32\Mlifnphl.exe93⤵
- Drops file in System32 directory
PID:5716 -
C:\Windows\SysWOW64\Mebkge32.exeC:\Windows\system32\Mebkge32.exe94⤵PID:5784
-
C:\Windows\SysWOW64\Nkapelka.exeC:\Windows\system32\Nkapelka.exe95⤵PID:5828
-
C:\Windows\SysWOW64\Nheqnpjk.exeC:\Windows\system32\Nheqnpjk.exe96⤵PID:5868
-
C:\Windows\SysWOW64\Ndnnianm.exeC:\Windows\system32\Ndnnianm.exe97⤵PID:5912
-
C:\Windows\SysWOW64\Nfnjbdep.exeC:\Windows\system32\Nfnjbdep.exe98⤵PID:5964
-
C:\Windows\SysWOW64\Oljoen32.exeC:\Windows\system32\Oljoen32.exe99⤵PID:6008
-
C:\Windows\SysWOW64\Ofdqcc32.exeC:\Windows\system32\Ofdqcc32.exe100⤵PID:6056
-
C:\Windows\SysWOW64\Oheienli.exeC:\Windows\system32\Oheienli.exe101⤵PID:6124
-
C:\Windows\SysWOW64\Obpkcc32.exeC:\Windows\system32\Obpkcc32.exe102⤵PID:5140
-
C:\Windows\SysWOW64\Pcbdcf32.exeC:\Windows\system32\Pcbdcf32.exe103⤵PID:5216
-
C:\Windows\SysWOW64\Pkmhgh32.exeC:\Windows\system32\Pkmhgh32.exe104⤵PID:5280
-
C:\Windows\SysWOW64\Pkoemhao.exeC:\Windows\system32\Pkoemhao.exe105⤵PID:5320
-
C:\Windows\SysWOW64\Pbljoafi.exeC:\Windows\system32\Pbljoafi.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5452 -
C:\Windows\SysWOW64\Qkdohg32.exeC:\Windows\system32\Qkdohg32.exe107⤵PID:5556
-
C:\Windows\SysWOW64\Qfjcep32.exeC:\Windows\system32\Qfjcep32.exe108⤵PID:5712
-
C:\Windows\SysWOW64\Akihcfid.exeC:\Windows\system32\Akihcfid.exe109⤵PID:5792
-
C:\Windows\SysWOW64\Afnlpohj.exeC:\Windows\system32\Afnlpohj.exe110⤵
- Modifies registry class
PID:5860 -
C:\Windows\SysWOW64\Afceko32.exeC:\Windows\system32\Afceko32.exe111⤵PID:5956
-
C:\Windows\SysWOW64\Amoknh32.exeC:\Windows\system32\Amoknh32.exe112⤵PID:6004
-
C:\Windows\SysWOW64\Bppcpc32.exeC:\Windows\system32\Bppcpc32.exe113⤵PID:6104
-
C:\Windows\SysWOW64\Bbcignbo.exeC:\Windows\system32\Bbcignbo.exe114⤵PID:5204
-
C:\Windows\SysWOW64\Bmimdg32.exeC:\Windows\system32\Bmimdg32.exe115⤵PID:5244
-
C:\Windows\SysWOW64\Bfabmmhe.exeC:\Windows\system32\Bfabmmhe.exe116⤵PID:5476
-
C:\Windows\SysWOW64\Bmkjig32.exeC:\Windows\system32\Bmkjig32.exe117⤵PID:5684
-
C:\Windows\SysWOW64\Cfcoblfb.exeC:\Windows\system32\Cfcoblfb.exe118⤵PID:5896
-
C:\Windows\SysWOW64\Cehlcikj.exeC:\Windows\system32\Cehlcikj.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6052 -
C:\Windows\SysWOW64\Cdjlap32.exeC:\Windows\system32\Cdjlap32.exe120⤵PID:872
-
C:\Windows\SysWOW64\Cdlhgpag.exeC:\Windows\system32\Cdlhgpag.exe121⤵PID:5560
-
C:\Windows\SysWOW64\Debnjgcp.exeC:\Windows\system32\Debnjgcp.exe122⤵PID:5980
-
C:\Windows\SysWOW64\Dgfdojfm.exeC:\Windows\system32\Dgfdojfm.exe123⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3628 -
C:\Windows\SysWOW64\Dpoiho32.exeC:\Windows\system32\Dpoiho32.exe124⤵PID:5804
-
C:\Windows\SysWOW64\Eleimp32.exeC:\Windows\system32\Eleimp32.exe125⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6000 -
C:\Windows\SysWOW64\Eennefib.exeC:\Windows\system32\Eennefib.exe126⤵PID:5620
-
C:\Windows\SysWOW64\Eilfldoi.exeC:\Windows\system32\Eilfldoi.exe127⤵PID:5192
-
C:\Windows\SysWOW64\Egpgehnb.exeC:\Windows\system32\Egpgehnb.exe128⤵PID:4996
-
C:\Windows\SysWOW64\Enllgbcl.exeC:\Windows\system32\Enllgbcl.exe129⤵PID:2704
-
C:\Windows\SysWOW64\Fdhail32.exeC:\Windows\system32\Fdhail32.exe130⤵PID:6168
-
C:\Windows\SysWOW64\Fcmnkh32.exeC:\Windows\system32\Fcmnkh32.exe131⤵PID:6216
-
C:\Windows\SysWOW64\Fgkfqgce.exeC:\Windows\system32\Fgkfqgce.exe132⤵PID:6264
-
C:\Windows\SysWOW64\Fnglcqio.exeC:\Windows\system32\Fnglcqio.exe133⤵PID:6316
-
C:\Windows\SysWOW64\Fgpplf32.exeC:\Windows\system32\Fgpplf32.exe134⤵PID:6360
-
C:\Windows\SysWOW64\Gphddlfp.exeC:\Windows\system32\Gphddlfp.exe135⤵PID:6412
-
C:\Windows\SysWOW64\Gfemmb32.exeC:\Windows\system32\Gfemmb32.exe136⤵PID:6460
-
C:\Windows\SysWOW64\Gqkajk32.exeC:\Windows\system32\Gqkajk32.exe137⤵PID:6504
-
C:\Windows\SysWOW64\Gfjfhbpb.exeC:\Windows\system32\Gfjfhbpb.exe138⤵PID:6552
-
C:\Windows\SysWOW64\Gdmcki32.exeC:\Windows\system32\Gdmcki32.exe139⤵PID:6596
-
C:\Windows\SysWOW64\Hcbpme32.exeC:\Windows\system32\Hcbpme32.exe140⤵PID:6640
-
C:\Windows\SysWOW64\Hdbmfhbi.exeC:\Windows\system32\Hdbmfhbi.exe141⤵PID:6692
-
C:\Windows\SysWOW64\Hmpnqj32.exeC:\Windows\system32\Hmpnqj32.exe142⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6740 -
C:\Windows\SysWOW64\Hgebnc32.exeC:\Windows\system32\Hgebnc32.exe143⤵PID:6812
-
C:\Windows\SysWOW64\Hqmggi32.exeC:\Windows\system32\Hqmggi32.exe144⤵PID:6860
-
C:\Windows\SysWOW64\Ifjoop32.exeC:\Windows\system32\Ifjoop32.exe145⤵PID:6916
-
C:\Windows\SysWOW64\Ijhhenhf.exeC:\Windows\system32\Ijhhenhf.exe146⤵PID:6964
-
C:\Windows\SysWOW64\Infqklol.exeC:\Windows\system32\Infqklol.exe147⤵PID:7008
-
C:\Windows\SysWOW64\Iebfmfdg.exeC:\Windows\system32\Iebfmfdg.exe148⤵
- Drops file in System32 directory
PID:7056 -
C:\Windows\SysWOW64\Iaifbg32.exeC:\Windows\system32\Iaifbg32.exe149⤵PID:7100
-
C:\Windows\SysWOW64\Jmbdmg32.exeC:\Windows\system32\Jmbdmg32.exe150⤵PID:7144
-
C:\Windows\SysWOW64\Jcoioabf.exeC:\Windows\system32\Jcoioabf.exe151⤵
- Modifies registry class
PID:6184 -
C:\Windows\SysWOW64\Jabiie32.exeC:\Windows\system32\Jabiie32.exe152⤵
- Modifies registry class
PID:6252 -
C:\Windows\SysWOW64\Kjmjgk32.exeC:\Windows\system32\Kjmjgk32.exe153⤵PID:6344
-
C:\Windows\SysWOW64\Kanidd32.exeC:\Windows\system32\Kanidd32.exe154⤵PID:6448
-
C:\Windows\SysWOW64\Kaqejcep.exeC:\Windows\system32\Kaqejcep.exe155⤵PID:6516
-
C:\Windows\SysWOW64\Lkbmih32.exeC:\Windows\system32\Lkbmih32.exe156⤵PID:6584
-
C:\Windows\SysWOW64\Mdkabmjf.exeC:\Windows\system32\Mdkabmjf.exe157⤵PID:6704
-
C:\Windows\SysWOW64\Mmebpbod.exeC:\Windows\system32\Mmebpbod.exe158⤵PID:6804
-
C:\Windows\SysWOW64\Moeoje32.exeC:\Windows\system32\Moeoje32.exe159⤵PID:6892
-
C:\Windows\SysWOW64\Mgpcohcb.exeC:\Windows\system32\Mgpcohcb.exe160⤵PID:6292
-
C:\Windows\SysWOW64\Ngifef32.exeC:\Windows\system32\Ngifef32.exe161⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7040 -
C:\Windows\SysWOW64\Naokbokn.exeC:\Windows\system32\Naokbokn.exe162⤵PID:7132
-
C:\Windows\SysWOW64\Nkgoke32.exeC:\Windows\system32\Nkgoke32.exe163⤵PID:6212
-
C:\Windows\SysWOW64\Onhhmpoo.exeC:\Windows\system32\Onhhmpoo.exe164⤵PID:6396
-
C:\Windows\SysWOW64\Ohnljine.exeC:\Windows\system32\Ohnljine.exe165⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6528 -
C:\Windows\SysWOW64\Okneldkf.exeC:\Windows\system32\Okneldkf.exe166⤵PID:4896
-
C:\Windows\SysWOW64\Ohbfeh32.exeC:\Windows\system32\Ohbfeh32.exe167⤵PID:6592
-
C:\Windows\SysWOW64\Oakjnnap.exeC:\Windows\system32\Oakjnnap.exe168⤵PID:6676
-
C:\Windows\SysWOW64\Okcogc32.exeC:\Windows\system32\Okcogc32.exe169⤵PID:6888
-
C:\Windows\SysWOW64\Ogjpld32.exeC:\Windows\system32\Ogjpld32.exe170⤵PID:7016
-
C:\Windows\SysWOW64\Pdpmkhjl.exeC:\Windows\system32\Pdpmkhjl.exe171⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7128 -
C:\Windows\SysWOW64\Poeahaib.exeC:\Windows\system32\Poeahaib.exe172⤵PID:6300
-
C:\Windows\SysWOW64\Pnknim32.exeC:\Windows\system32\Pnknim32.exe173⤵PID:6492
-
C:\Windows\SysWOW64\Pojjcp32.exeC:\Windows\system32\Pojjcp32.exe174⤵PID:6576
-
C:\Windows\SysWOW64\Qomghp32.exeC:\Windows\system32\Qomghp32.exe175⤵PID:6688
-
C:\Windows\SysWOW64\Qoocnpag.exeC:\Windows\system32\Qoocnpag.exe176⤵PID:4400
-
C:\Windows\SysWOW64\Qdllffpo.exeC:\Windows\system32\Qdllffpo.exe177⤵PID:7108
-
C:\Windows\SysWOW64\Adqeaf32.exeC:\Windows\system32\Adqeaf32.exe178⤵PID:6156
-
C:\Windows\SysWOW64\Aecbge32.exeC:\Windows\system32\Aecbge32.exe179⤵PID:6588
-
C:\Windows\SysWOW64\Ankgpk32.exeC:\Windows\system32\Ankgpk32.exe180⤵
- Modifies registry class
PID:6796 -
C:\Windows\SysWOW64\Aiqkmd32.exeC:\Windows\system32\Aiqkmd32.exe181⤵PID:6952
-
C:\Windows\SysWOW64\Bghddp32.exeC:\Windows\system32\Bghddp32.exe182⤵
- Modifies registry class
PID:2336 -
C:\Windows\SysWOW64\Bpaikm32.exeC:\Windows\system32\Bpaikm32.exe183⤵PID:3460
-
C:\Windows\SysWOW64\Bpdfpmoo.exeC:\Windows\system32\Bpdfpmoo.exe184⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6164 -
C:\Windows\SysWOW64\Bnicai32.exeC:\Windows\system32\Bnicai32.exe185⤵PID:6608
-
C:\Windows\SysWOW64\Cgagjo32.exeC:\Windows\system32\Cgagjo32.exe186⤵PID:3296
-
C:\Windows\SysWOW64\Ceehcc32.exeC:\Windows\system32\Ceehcc32.exe187⤵PID:2344
-
C:\Windows\SysWOW64\Clpppmqn.exeC:\Windows\system32\Clpppmqn.exe188⤵PID:7096
-
C:\Windows\SysWOW64\Chfaenfb.exeC:\Windows\system32\Chfaenfb.exe189⤵PID:6856
-
C:\Windows\SysWOW64\Cnbfgh32.exeC:\Windows\system32\Cnbfgh32.exe190⤵PID:3020
-
C:\Windows\SysWOW64\Clffalkf.exeC:\Windows\system32\Clffalkf.exe191⤵PID:1712
-
C:\Windows\SysWOW64\Deokja32.exeC:\Windows\system32\Deokja32.exe192⤵PID:4084
-
C:\Windows\SysWOW64\Dfngcdhi.exeC:\Windows\system32\Dfngcdhi.exe193⤵PID:5368
-
C:\Windows\SysWOW64\Dbgdnelk.exeC:\Windows\system32\Dbgdnelk.exe194⤵PID:6368
-
C:\Windows\SysWOW64\Didjqoae.exeC:\Windows\system32\Didjqoae.exe195⤵PID:1820
-
C:\Windows\SysWOW64\Efhjjcpo.exeC:\Windows\system32\Efhjjcpo.exe196⤵PID:652
-
C:\Windows\SysWOW64\Efjgpc32.exeC:\Windows\system32\Efjgpc32.exe197⤵PID:1556
-
C:\Windows\SysWOW64\Elgohj32.exeC:\Windows\system32\Elgohj32.exe198⤵PID:5384
-
C:\Windows\SysWOW64\Eimlgnij.exeC:\Windows\system32\Eimlgnij.exe199⤵PID:7192
-
C:\Windows\SysWOW64\Efampahd.exeC:\Windows\system32\Efampahd.exe200⤵PID:7236
-
C:\Windows\SysWOW64\Fbjjkble.exeC:\Windows\system32\Fbjjkble.exe201⤵
- Drops file in System32 directory
PID:7280 -
C:\Windows\SysWOW64\Fhgccijm.exeC:\Windows\system32\Fhgccijm.exe202⤵PID:7336
-
C:\Windows\SysWOW64\Fghcqq32.exeC:\Windows\system32\Fghcqq32.exe203⤵PID:7384
-
C:\Windows\SysWOW64\Fochecog.exeC:\Windows\system32\Fochecog.exe204⤵
- Drops file in System32 directory
PID:7428 -
C:\Windows\SysWOW64\Fiilblom.exeC:\Windows\system32\Fiilblom.exe205⤵PID:7468
-
C:\Windows\SysWOW64\Fofdkcmd.exeC:\Windows\system32\Fofdkcmd.exe206⤵PID:7512
-
C:\Windows\SysWOW64\Gohapb32.exeC:\Windows\system32\Gohapb32.exe207⤵PID:7560
-
C:\Windows\SysWOW64\Gllajf32.exeC:\Windows\system32\Gllajf32.exe208⤵PID:7604
-
C:\Windows\SysWOW64\Ggafgo32.exeC:\Windows\system32\Ggafgo32.exe209⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:7660 -
C:\Windows\SysWOW64\Gheodg32.exeC:\Windows\system32\Gheodg32.exe210⤵PID:7700
-
C:\Windows\SysWOW64\Ghgljg32.exeC:\Windows\system32\Ghgljg32.exe211⤵
- Modifies registry class
PID:7748 -
C:\Windows\SysWOW64\Gcmpgpkp.exeC:\Windows\system32\Gcmpgpkp.exe212⤵PID:7792
-
C:\Windows\SysWOW64\Ghjhofjg.exeC:\Windows\system32\Ghjhofjg.exe213⤵PID:7836
-
C:\Windows\SysWOW64\Hfniikha.exeC:\Windows\system32\Hfniikha.exe214⤵PID:7884
-
C:\Windows\SysWOW64\Hjlaoioh.exeC:\Windows\system32\Hjlaoioh.exe215⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7932 -
C:\Windows\SysWOW64\Hgpbhmna.exeC:\Windows\system32\Hgpbhmna.exe216⤵
- Drops file in System32 directory
PID:7972 -
C:\Windows\SysWOW64\Hphfac32.exeC:\Windows\system32\Hphfac32.exe217⤵
- Modifies registry class
PID:8024 -
C:\Windows\SysWOW64\Hfeoijbi.exeC:\Windows\system32\Hfeoijbi.exe218⤵PID:8072
-
C:\Windows\SysWOW64\Iqmplbpl.exeC:\Windows\system32\Iqmplbpl.exe219⤵PID:8132
-
C:\Windows\SysWOW64\Imcqacfq.exeC:\Windows\system32\Imcqacfq.exe220⤵PID:8176
-
C:\Windows\SysWOW64\Ijgakgej.exeC:\Windows\system32\Ijgakgej.exe221⤵PID:7204
-
C:\Windows\SysWOW64\Iodjcnca.exeC:\Windows\system32\Iodjcnca.exe222⤵PID:7288
-
C:\Windows\SysWOW64\Iiokacgp.exeC:\Windows\system32\Iiokacgp.exe223⤵PID:7348
-
C:\Windows\SysWOW64\Igpkok32.exeC:\Windows\system32\Igpkok32.exe224⤵PID:7412
-
C:\Windows\SysWOW64\Jmmcgbnf.exeC:\Windows\system32\Jmmcgbnf.exe225⤵PID:7500
-
C:\Windows\SysWOW64\Jmopmalc.exeC:\Windows\system32\Jmopmalc.exe226⤵PID:7568
-
C:\Windows\SysWOW64\Jckeokan.exeC:\Windows\system32\Jckeokan.exe227⤵PID:7620
-
C:\Windows\SysWOW64\Jqbbno32.exeC:\Windows\system32\Jqbbno32.exe228⤵PID:7692
-
C:\Windows\SysWOW64\Kpgoolbl.exeC:\Windows\system32\Kpgoolbl.exe229⤵PID:7780
-
C:\Windows\SysWOW64\Kpilekqj.exeC:\Windows\system32\Kpilekqj.exe230⤵
- Drops file in System32 directory
PID:2304 -
C:\Windows\SysWOW64\Kjamhd32.exeC:\Windows\system32\Kjamhd32.exe231⤵PID:7940
-
C:\Windows\SysWOW64\Kfhnme32.exeC:\Windows\system32\Kfhnme32.exe232⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7996 -
C:\Windows\SysWOW64\Kclnfi32.exeC:\Windows\system32\Kclnfi32.exe233⤵PID:8060
-
C:\Windows\SysWOW64\Likcdpop.exeC:\Windows\system32\Likcdpop.exe234⤵PID:8120
-
C:\Windows\SysWOW64\Lfodmdni.exeC:\Windows\system32\Lfodmdni.exe235⤵PID:848
-
C:\Windows\SysWOW64\Lfaqcclf.exeC:\Windows\system32\Lfaqcclf.exe236⤵PID:7220
-
C:\Windows\SysWOW64\Lpjelibg.exeC:\Windows\system32\Lpjelibg.exe237⤵PID:7344
-
C:\Windows\SysWOW64\Ljoiibbm.exeC:\Windows\system32\Ljoiibbm.exe238⤵
- Modifies registry class
PID:7424 -
C:\Windows\SysWOW64\Ldgnbg32.exeC:\Windows\system32\Ldgnbg32.exe239⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7524 -
C:\Windows\SysWOW64\Midfjnge.exeC:\Windows\system32\Midfjnge.exe240⤵PID:1940
-
C:\Windows\SysWOW64\Mankaked.exeC:\Windows\system32\Mankaked.exe241⤵PID:7680
-
C:\Windows\SysWOW64\Mfmpob32.exeC:\Windows\system32\Mfmpob32.exe242⤵PID:7816