Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
31-05-2024 02:46
Behavioral task
behavioral1
Sample
73edbe2205beca00bade57fc1c19d700_NeikiAnalytics.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
73edbe2205beca00bade57fc1c19d700_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
73edbe2205beca00bade57fc1c19d700_NeikiAnalytics.exe
-
Size
448KB
-
MD5
73edbe2205beca00bade57fc1c19d700
-
SHA1
0e5418e1d1638dea2bfbfd0fd0070c12590a5257
-
SHA256
0ebd19329fad54956bb161e4af5b66b4b3cf3a37c6e8e951c18f946ef38e5be8
-
SHA512
1996dcfc14462be6ff15fc1a10f68f896af6c20405495a2acdb29d272da71b0acca8fca402f40db90cb172ee2076c115e462dcb16f5056c16fdc711b171ad35c
-
SSDEEP
6144:ts8VDlu6oQjEbG7aOl3BzrUmKyIxLfYeOO9UmKyIxLiajOEjXP3HBsR4/0ePGSzk:ts8ZToa7aOlxzr3cOK3TajRfXFMKNxC
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Oohnonij.exeGbofcghl.exeNjkkbehl.exeMgeakekd.exeOaifpi32.exeLekehdgp.exeHjedffig.exeKiejmi32.exeLbpdblmo.exeAgbkmijg.exeGhklce32.exeAmaqjp32.exeMaggnali.exeAolblopj.exeBffkij32.exeKeqdmihc.exeJnlbojee.exeLhfmdj32.exeJqhafffk.exeBddcenpi.exePlpqil32.exeOepifi32.exeJdedak32.exeAhenokjf.exeDlkbjqgm.exeFijkdmhn.exeLpnlpnih.exeFfceip32.exeOdocigqg.exeQkjgegae.exeJilfifme.exeOlfobjbg.exeJkomneim.exeOkjnnj32.exeMmbanbmg.exeQkipkani.exeMjaabq32.exePfandnla.exeChdialdl.exeJmmjgejj.exeLigqhc32.exeOcgmpccl.exeNjiegl32.exeLqbncb32.exePlpjoe32.exeAdfnofpd.exeKjgeedch.exeGdeqhl32.exeCjinkg32.exeEhjlaaig.exeDihlbf32.exeLkeekk32.exeNfgmjqop.exeEkpmbddq.exeGdfoio32.exeKnenkbio.exeBfhhoi32.exeJqlefl32.exeNdhmhh32.exeJgbchj32.exeHblkjo32.exeElnoopdj.exeFnipbc32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oohnonij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbofcghl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njkkbehl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mgeakekd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oaifpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lekehdgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hjedffig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kiejmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lbpdblmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Agbkmijg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ghklce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Amaqjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Maggnali.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aolblopj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bffkij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Keqdmihc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnlbojee.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhfmdj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqhafffk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bddcenpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Plpqil32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oepifi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdedak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahenokjf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlkbjqgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fijkdmhn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpnlpnih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ffceip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Odocigqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qkjgegae.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jilfifme.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olfobjbg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkomneim.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okjnnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmbanbmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qkipkani.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjaabq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfandnla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Chdialdl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmmjgejj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ligqhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ocgmpccl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njiegl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lqbncb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plpjoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Adfnofpd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjgeedch.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdeqhl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjinkg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehjlaaig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ehjlaaig.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dihlbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lkeekk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfgmjqop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ekpmbddq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gdfoio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knenkbio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bfhhoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jqlefl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ndhmhh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgbchj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hblkjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Elnoopdj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnipbc32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Processes:
resource yara_rule C:\Windows\SysWOW64\Bdhfhe32.exe family_berbew C:\Windows\SysWOW64\Behbag32.exe family_berbew C:\Windows\SysWOW64\Blbknaib.exe family_berbew C:\Windows\SysWOW64\Bobcpmfc.exe family_berbew C:\Windows\SysWOW64\Baaplhef.exe family_berbew C:\Windows\SysWOW64\Cdainc32.exe family_berbew C:\Windows\SysWOW64\Cknnpm32.exe family_berbew C:\Windows\SysWOW64\Cbefaj32.exe family_berbew C:\Windows\SysWOW64\Cbgbgj32.exe family_berbew C:\Windows\SysWOW64\Conclk32.exe family_berbew C:\Windows\SysWOW64\Chghdqbf.exe family_berbew C:\Windows\SysWOW64\Daolnf32.exe family_berbew C:\Windows\SysWOW64\Ddmhja32.exe family_berbew C:\Windows\SysWOW64\Dkjmlk32.exe family_berbew C:\Windows\SysWOW64\Dlijfneg.exe family_berbew C:\Windows\SysWOW64\Dllfkn32.exe family_berbew C:\Windows\SysWOW64\Dedkdcie.exe family_berbew C:\Windows\SysWOW64\Dhbgqohi.exe family_berbew C:\Windows\SysWOW64\Ekcpbj32.exe family_berbew C:\Windows\SysWOW64\Eamhodmf.exe family_berbew C:\Windows\SysWOW64\Eekaebcm.exe family_berbew C:\Windows\SysWOW64\Ecoangbg.exe family_berbew C:\Windows\SysWOW64\Ehljfnpn.exe family_berbew C:\Windows\SysWOW64\Eepjpb32.exe family_berbew C:\Windows\SysWOW64\Fcckif32.exe family_berbew C:\Windows\SysWOW64\Fojlngce.exe family_berbew C:\Windows\SysWOW64\Fchddejl.exe family_berbew C:\Windows\SysWOW64\Fhemmlhc.exe family_berbew C:\Windows\SysWOW64\Fdlnbm32.exe family_berbew C:\Windows\SysWOW64\Fbpnkama.exe family_berbew C:\Windows\SysWOW64\Fhjfhl32.exe family_berbew C:\Windows\SysWOW64\Gdqgmmjb.exe family_berbew C:\Windows\SysWOW64\Gfembo32.exe family_berbew C:\Windows\SysWOW64\Ikpaldog.exe family_berbew C:\Windows\SysWOW64\Ikbnacmd.exe family_berbew C:\Windows\SysWOW64\Jbhfjljd.exe family_berbew C:\Windows\SysWOW64\Jmpgldhg.exe family_berbew C:\Windows\SysWOW64\Kboljk32.exe family_berbew C:\Windows\SysWOW64\Mnebeogl.exe family_berbew C:\Windows\SysWOW64\Ogifjcdp.exe family_berbew C:\Windows\SysWOW64\Ocgmpccl.exe family_berbew C:\Windows\SysWOW64\Pdifoehl.exe family_berbew C:\Windows\SysWOW64\Qmkadgpo.exe family_berbew C:\Windows\SysWOW64\Qfcfml32.exe family_berbew C:\Windows\SysWOW64\Acjclpcf.exe family_berbew C:\Windows\SysWOW64\Accfbokl.exe family_berbew C:\Windows\SysWOW64\Bfhhoi32.exe family_berbew C:\Windows\SysWOW64\Ceqnmpfo.exe family_berbew C:\Windows\SysWOW64\Ddjejl32.exe family_berbew C:\Windows\SysWOW64\Daqbip32.exe family_berbew C:\Windows\SysWOW64\Dkifae32.exe family_berbew C:\Windows\SysWOW64\Eecdjmfi.exe family_berbew C:\Windows\SysWOW64\Emoinpcd.exe family_berbew C:\Windows\SysWOW64\Ekgbccni.exe family_berbew C:\Windows\SysWOW64\Ekiohclf.exe family_berbew C:\Windows\SysWOW64\Foghnabl.exe family_berbew C:\Windows\SysWOW64\Fddqghpd.exe family_berbew C:\Windows\SysWOW64\Fhdfbfdh.exe family_berbew C:\Windows\SysWOW64\Famjkl32.exe family_berbew C:\Windows\SysWOW64\Gaogak32.exe family_berbew C:\Windows\SysWOW64\Gglpibgm.exe family_berbew C:\Windows\SysWOW64\Gdbmhf32.exe family_berbew C:\Windows\SysWOW64\Hheoid32.exe family_berbew C:\Windows\SysWOW64\Idgojc32.exe family_berbew -
Executes dropped EXE 64 IoCs
Processes:
Bdhfhe32.exeBehbag32.exeBlbknaib.exeBobcpmfc.exeBaaplhef.exeCdainc32.exeCknnpm32.exeCbefaj32.exeCbgbgj32.exeConclk32.exeChghdqbf.exeDaolnf32.exeDdmhja32.exeDkjmlk32.exeDlijfneg.exeDllfkn32.exeDedkdcie.exeDhbgqohi.exeEkcpbj32.exeEamhodmf.exeEekaebcm.exeEcoangbg.exeEhljfnpn.exeEepjpb32.exeFcckif32.exeFojlngce.exeFchddejl.exeFhemmlhc.exeFdlnbm32.exeFbpnkama.exeFhjfhl32.exeGdqgmmjb.exeGkkojgao.exeGfpcgpae.exeGhopckpi.exeGohhpe32.exeGbgdlq32.exeGdeqhl32.exeGcfqfc32.exeGfembo32.exeGkaejf32.exeGfgjgo32.exeHopnqdan.exeHfifmnij.exeHmcojh32.exeHbpgbo32.exeHijooifk.exeHodgkc32.exeHfnphn32.exeHmhhehlb.exeHofdacke.exeHfqlnm32.exeHkmefd32.exeHcdmga32.exeIefioj32.exeIkpaldog.exeIehfdi32.exeIkbnacmd.exeIfgbnlmj.exeIldkgc32.exeIckchq32.exeIemppiab.exeImdgqfbd.exeIcnpmp32.exepid process 232 Bdhfhe32.exe 732 Behbag32.exe 1020 Blbknaib.exe 3512 Bobcpmfc.exe 2092 Baaplhef.exe 3984 Cdainc32.exe 4192 Cknnpm32.exe 4520 Cbefaj32.exe 2068 Cbgbgj32.exe 4112 Conclk32.exe 1516 Chghdqbf.exe 2688 Daolnf32.exe 5020 Ddmhja32.exe 552 Dkjmlk32.exe 1060 Dlijfneg.exe 4052 Dllfkn32.exe 1028 Dedkdcie.exe 4872 Dhbgqohi.exe 3916 Ekcpbj32.exe 2060 Eamhodmf.exe 3780 Eekaebcm.exe 4972 Ecoangbg.exe 1704 Ehljfnpn.exe 4908 Eepjpb32.exe 4280 Fcckif32.exe 1348 Fojlngce.exe 4784 Fchddejl.exe 968 Fhemmlhc.exe 4528 Fdlnbm32.exe 4952 Fbpnkama.exe 1560 Fhjfhl32.exe 1124 Gdqgmmjb.exe 2732 Gkkojgao.exe 1324 Gfpcgpae.exe 1612 Ghopckpi.exe 1620 Gohhpe32.exe 3680 Gbgdlq32.exe 2576 Gdeqhl32.exe 1996 Gcfqfc32.exe 5116 Gfembo32.exe 3924 Gkaejf32.exe 3208 Gfgjgo32.exe 4400 Hopnqdan.exe 3376 Hfifmnij.exe 2224 Hmcojh32.exe 1404 Hbpgbo32.exe 3080 Hijooifk.exe 4516 Hodgkc32.exe 5036 Hfnphn32.exe 1928 Hmhhehlb.exe 3212 Hofdacke.exe 4968 Hfqlnm32.exe 1828 Hkmefd32.exe 1268 Hcdmga32.exe 4144 Iefioj32.exe 1164 Ikpaldog.exe 816 Iehfdi32.exe 1812 Ikbnacmd.exe 4752 Ifgbnlmj.exe 1644 Ildkgc32.exe 2212 Ickchq32.exe 3048 Iemppiab.exe 844 Imdgqfbd.exe 4108 Icnpmp32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Ckmonl32.exeGdqgmmjb.exeNeppokal.exeIbfnqmpf.exeNjefqo32.exeBaicac32.exeHpcodihc.exeIloidijb.exeLbmhlihl.exeCcgjopal.exePgihfj32.exeHpdfnolo.exeOdoogi32.exePkgcea32.exeJqhafffk.exeDaekdooc.exeNeafjdkn.exeJnlkedai.exeFddqghpd.exeHheoid32.exeNkqkhk32.exeMqimikfj.exeMchhggno.exeOdocigqg.exeQgcbgo32.exeJbhfjljd.exeBklfgo32.exeDbqqkkbo.exeEfepbi32.exeChlflabp.exeEiloco32.exeCabfga32.exeElnoopdj.exeIjcjmmil.exeQdphngfl.exeKlimip32.exeMiemjaci.exeGdeqhl32.exeHodgkc32.exeModgdicm.exeCimmggfl.exeLbabgh32.exeCagobalc.exeDifpmfna.exeMfcmmp32.exeFnipbc32.exeOfkgcobj.exeMmlpoqpg.exeNndjndbh.exePhfjcf32.exeBggnof32.exeQkmdkgob.exeGpqjglii.exeBeihma32.exeFkqeib32.exeMgfqmfde.exeGncchb32.exeOfmdio32.exeImdgqfbd.exeImiehfao.exeMenjdbgj.exeGmeakf32.exeOpqofe32.exedescription ioc process File opened for modification C:\Windows\SysWOW64\Cnkkjh32.exe Ckmonl32.exe File opened for modification C:\Windows\SysWOW64\Gkkojgao.exe Gdqgmmjb.exe File created C:\Windows\SysWOW64\Kkkahahf.dll Neppokal.exe File created C:\Windows\SysWOW64\Fdahdiml.dll Ibfnqmpf.exe File created C:\Windows\SysWOW64\Olcbmj32.exe Njefqo32.exe File created C:\Windows\SysWOW64\Bchomn32.exe Baicac32.exe File created C:\Windows\SysWOW64\Hildmn32.exe Hpcodihc.exe File opened for modification C:\Windows\SysWOW64\Ijcjmmil.exe Iloidijb.exe File opened for modification C:\Windows\SysWOW64\Lekehdgp.exe Lbmhlihl.exe File created C:\Windows\SysWOW64\Ibodeh32.dll Ccgjopal.exe File created C:\Windows\SysWOW64\Kkbllbmg.dll Pgihfj32.exe File opened for modification C:\Windows\SysWOW64\Hkjjlhle.exe Hpdfnolo.exe File created C:\Windows\SysWOW64\Jhghaf32.dll Odoogi32.exe File created C:\Windows\SysWOW64\Jocgnlha.dll Pkgcea32.exe File opened for modification C:\Windows\SysWOW64\Jgbjbp32.exe Jqhafffk.exe File opened for modification C:\Windows\SysWOW64\Dddhpjof.exe Daekdooc.exe File opened for modification C:\Windows\SysWOW64\Nlkngo32.exe Neafjdkn.exe File created C:\Windows\SysWOW64\Komhll32.exe Jnlkedai.exe File created C:\Windows\SysWOW64\Oebneoob.dll Fddqghpd.exe File created C:\Windows\SysWOW64\Mnnndm32.dll Hheoid32.exe File created C:\Windows\SysWOW64\Najceeoo.exe Nkqkhk32.exe File created C:\Windows\SysWOW64\Akkeajoj.dll Mqimikfj.exe File created C:\Windows\SysWOW64\Megdccmb.exe Mchhggno.exe File created C:\Windows\SysWOW64\Ognpebpj.exe Odocigqg.exe File created C:\Windows\SysWOW64\Ajanck32.exe Qgcbgo32.exe File created C:\Windows\SysWOW64\Dmamoe32.dll Jbhfjljd.exe File created C:\Windows\SysWOW64\Bddjpd32.exe Bklfgo32.exe File created C:\Windows\SysWOW64\Dikihe32.exe Dbqqkkbo.exe File created C:\Windows\SysWOW64\Epndknin.exe Efepbi32.exe File created C:\Windows\SysWOW64\Nbenoa32.dll Chlflabp.exe File opened for modification C:\Windows\SysWOW64\Eofgpikj.exe Eiloco32.exe File opened for modification C:\Windows\SysWOW64\Cenahpha.exe Cabfga32.exe File created C:\Windows\SysWOW64\Fpjqcaao.dll Elnoopdj.exe File created C:\Windows\SysWOW64\Idhnkf32.exe Ijcjmmil.exe File opened for modification C:\Windows\SysWOW64\Qkipkani.exe Qdphngfl.exe File created C:\Windows\SysWOW64\Kebbafoj.exe Klimip32.exe File opened for modification C:\Windows\SysWOW64\Mmpijp32.exe Miemjaci.exe File created C:\Windows\SysWOW64\Gcfqfc32.exe Gdeqhl32.exe File created C:\Windows\SysWOW64\Hfnphn32.exe Hodgkc32.exe File opened for modification C:\Windows\SysWOW64\Mgloefco.exe Modgdicm.exe File created C:\Windows\SysWOW64\Ccbadp32.exe Cimmggfl.exe File opened for modification C:\Windows\SysWOW64\Lepncd32.exe Lbabgh32.exe File opened for modification C:\Windows\SysWOW64\Cdfkolkf.exe Cagobalc.exe File created C:\Windows\SysWOW64\Npbblbdb.dll Difpmfna.exe File created C:\Windows\SysWOW64\Nqomdf32.dll Mfcmmp32.exe File created C:\Windows\SysWOW64\Fbelcblk.exe Fnipbc32.exe File created C:\Windows\SysWOW64\Opclldhj.exe Ofkgcobj.exe File opened for modification C:\Windows\SysWOW64\Mlopkm32.exe Mmlpoqpg.exe File created C:\Windows\SysWOW64\Nenbjo32.exe Nndjndbh.exe File created C:\Windows\SysWOW64\Hffpdd32.dll Phfjcf32.exe File created C:\Windows\SysWOW64\Cqpbglno.exe Bggnof32.exe File opened for modification C:\Windows\SysWOW64\Qaflgago.exe Qkmdkgob.exe File created C:\Windows\SysWOW64\Lejomj32.dll Gpqjglii.exe File opened for modification C:\Windows\SysWOW64\Bhhdil32.exe Beihma32.exe File created C:\Windows\SysWOW64\Ddqhja32.dll Fkqeib32.exe File opened for modification C:\Windows\SysWOW64\Miemjaci.exe Mgfqmfde.exe File created C:\Windows\SysWOW64\Gemkelcd.exe Gncchb32.exe File created C:\Windows\SysWOW64\Opeiadfg.exe Ofmdio32.exe File opened for modification C:\Windows\SysWOW64\Icnpmp32.exe Imdgqfbd.exe File created C:\Windows\SysWOW64\Ibfnqmpf.exe Imiehfao.exe File created C:\Windows\SysWOW64\Lemphdgj.dll Menjdbgj.exe File created C:\Windows\SysWOW64\Bqcmhb32.dll Gmeakf32.exe File created C:\Windows\SysWOW64\Ofkgcobj.exe Opqofe32.exe File created C:\Windows\SysWOW64\Jholncde.dll Mgfqmfde.exe -
Program crash 1 IoCs
Processes:
pid pid_target process target process 9912 9692 -
Modifies registry class 64 IoCs
Processes:
Aodogdmn.exeMnebeogl.exeEgnchd32.exeMibijk32.exeQhngolpo.exeQaflgago.exeIinqbn32.exeAeiofcji.exeBfqkddfd.exeJbkbpoog.exeLhfmdj32.exeFibhpbea.exeCkmonl32.exeNdfqbhia.exeDmcibama.exeFhemmlhc.exeJbjcolha.exeNcdgcf32.exeAmddjegd.exeBohibc32.exeBkafmd32.exeNbefdijg.exeHmnmgnoh.exeKmkbfeab.exeDdakjkqi.exeDfpgffpm.exeIfbbig32.exeEfgemb32.exeDfjpfj32.exeKiejmi32.exePpmcdq32.exeHmcojh32.exeIefioj32.exeOgkcpbam.exeJeekkafl.exeEiloco32.exeGhopckpi.exeAeklkchg.exeMnmdme32.exePagbaglh.exeAccfbokl.exeCfldelik.exeOlcbmj32.exePgefeajb.exeAfoeiklb.exeNnneknob.exeOhnohn32.exeKfpcoefj.exeGgahedjn.exeNggnadib.exeDkjmlk32.exeJmbdbd32.exeMcpnhfhf.exeFkbkdkpp.exeJdnoplhh.exeGfmojenc.exeHjjnae32.exeHfnphn32.exeAmbgef32.exeGglpibgm.exeAkccap32.exeKkjeomld.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aodogdmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idodkeom.dll" Mnebeogl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbkbgfif.dll" Egnchd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mibijk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qhngolpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jendmajn.dll" Qaflgago.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iinqbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll" Aeiofcji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bfqkddfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jbkbpoog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lhfmdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbicmh32.dll" Fibhpbea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ckmonl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ndfqbhia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll" Dmcibama.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fhemmlhc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jbjcolha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfmccd32.dll" Ncdgcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll" Amddjegd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bohibc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bkafmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nbefdijg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hmnmgnoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kmkbfeab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ddakjkqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dfpgffpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ifbbig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Efgemb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dfjpfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kiejmi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ppmcdq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hmcojh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iefioj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ogkcpbam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jeekkafl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eiloco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ghopckpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll" Aeklkchg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mnmdme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pagbaglh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Accfbokl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgllff32.dll" Bohibc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ambahc32.dll" Cfldelik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgmkm32.dll" Olcbmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pgefeajb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Afoeiklb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nnneknob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Palbkhoj.dll" Ohnohn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gemdebha.dll" Kfpcoefj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ggahedjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndqojdee.dll" Nggnadib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dkjmlk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jmbdbd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mcpnhfhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fkbkdkpp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jdnoplhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gfmojenc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpgiggmj.dll" Hjjnae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkcfedla.dll" Hfnphn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ambgef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gglpibgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ginacp32.dll" Akccap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gelfeh32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kkjeomld.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
73edbe2205beca00bade57fc1c19d700_NeikiAnalytics.exeBdhfhe32.exeBehbag32.exeBlbknaib.exeBobcpmfc.exeBaaplhef.exeCdainc32.exeCknnpm32.exeCbefaj32.exeCbgbgj32.exeConclk32.exeChghdqbf.exeDaolnf32.exeDdmhja32.exeDkjmlk32.exeDlijfneg.exeDllfkn32.exeDedkdcie.exeDhbgqohi.exeEkcpbj32.exeEamhodmf.exeEekaebcm.exedescription pid process target process PID 1700 wrote to memory of 232 1700 73edbe2205beca00bade57fc1c19d700_NeikiAnalytics.exe Bdhfhe32.exe PID 1700 wrote to memory of 232 1700 73edbe2205beca00bade57fc1c19d700_NeikiAnalytics.exe Bdhfhe32.exe PID 1700 wrote to memory of 232 1700 73edbe2205beca00bade57fc1c19d700_NeikiAnalytics.exe Bdhfhe32.exe PID 232 wrote to memory of 732 232 Bdhfhe32.exe Behbag32.exe PID 232 wrote to memory of 732 232 Bdhfhe32.exe Behbag32.exe PID 232 wrote to memory of 732 232 Bdhfhe32.exe Behbag32.exe PID 732 wrote to memory of 1020 732 Behbag32.exe Blbknaib.exe PID 732 wrote to memory of 1020 732 Behbag32.exe Blbknaib.exe PID 732 wrote to memory of 1020 732 Behbag32.exe Blbknaib.exe PID 1020 wrote to memory of 3512 1020 Blbknaib.exe Bobcpmfc.exe PID 1020 wrote to memory of 3512 1020 Blbknaib.exe Bobcpmfc.exe PID 1020 wrote to memory of 3512 1020 Blbknaib.exe Bobcpmfc.exe PID 3512 wrote to memory of 2092 3512 Bobcpmfc.exe Baaplhef.exe PID 3512 wrote to memory of 2092 3512 Bobcpmfc.exe Baaplhef.exe PID 3512 wrote to memory of 2092 3512 Bobcpmfc.exe Baaplhef.exe PID 2092 wrote to memory of 3984 2092 Baaplhef.exe Cdainc32.exe PID 2092 wrote to memory of 3984 2092 Baaplhef.exe Cdainc32.exe PID 2092 wrote to memory of 3984 2092 Baaplhef.exe Cdainc32.exe PID 3984 wrote to memory of 4192 3984 Cdainc32.exe Cknnpm32.exe PID 3984 wrote to memory of 4192 3984 Cdainc32.exe Cknnpm32.exe PID 3984 wrote to memory of 4192 3984 Cdainc32.exe Cknnpm32.exe PID 4192 wrote to memory of 4520 4192 Cknnpm32.exe Cbefaj32.exe PID 4192 wrote to memory of 4520 4192 Cknnpm32.exe Cbefaj32.exe PID 4192 wrote to memory of 4520 4192 Cknnpm32.exe Cbefaj32.exe PID 4520 wrote to memory of 2068 4520 Cbefaj32.exe Cbgbgj32.exe PID 4520 wrote to memory of 2068 4520 Cbefaj32.exe Cbgbgj32.exe PID 4520 wrote to memory of 2068 4520 Cbefaj32.exe Cbgbgj32.exe PID 2068 wrote to memory of 4112 2068 Cbgbgj32.exe Conclk32.exe PID 2068 wrote to memory of 4112 2068 Cbgbgj32.exe Conclk32.exe PID 2068 wrote to memory of 4112 2068 Cbgbgj32.exe Conclk32.exe PID 4112 wrote to memory of 1516 4112 Conclk32.exe Chghdqbf.exe PID 4112 wrote to memory of 1516 4112 Conclk32.exe Chghdqbf.exe PID 4112 wrote to memory of 1516 4112 Conclk32.exe Chghdqbf.exe PID 1516 wrote to memory of 2688 1516 Chghdqbf.exe Daolnf32.exe PID 1516 wrote to memory of 2688 1516 Chghdqbf.exe Daolnf32.exe PID 1516 wrote to memory of 2688 1516 Chghdqbf.exe Daolnf32.exe PID 2688 wrote to memory of 5020 2688 Daolnf32.exe Ddmhja32.exe PID 2688 wrote to memory of 5020 2688 Daolnf32.exe Ddmhja32.exe PID 2688 wrote to memory of 5020 2688 Daolnf32.exe Ddmhja32.exe PID 5020 wrote to memory of 552 5020 Ddmhja32.exe Dkjmlk32.exe PID 5020 wrote to memory of 552 5020 Ddmhja32.exe Dkjmlk32.exe PID 5020 wrote to memory of 552 5020 Ddmhja32.exe Dkjmlk32.exe PID 552 wrote to memory of 1060 552 Dkjmlk32.exe Dlijfneg.exe PID 552 wrote to memory of 1060 552 Dkjmlk32.exe Dlijfneg.exe PID 552 wrote to memory of 1060 552 Dkjmlk32.exe Dlijfneg.exe PID 1060 wrote to memory of 4052 1060 Dlijfneg.exe Dllfkn32.exe PID 1060 wrote to memory of 4052 1060 Dlijfneg.exe Dllfkn32.exe PID 1060 wrote to memory of 4052 1060 Dlijfneg.exe Dllfkn32.exe PID 4052 wrote to memory of 1028 4052 Dllfkn32.exe Dedkdcie.exe PID 4052 wrote to memory of 1028 4052 Dllfkn32.exe Dedkdcie.exe PID 4052 wrote to memory of 1028 4052 Dllfkn32.exe Dedkdcie.exe PID 1028 wrote to memory of 4872 1028 Dedkdcie.exe Dhbgqohi.exe PID 1028 wrote to memory of 4872 1028 Dedkdcie.exe Dhbgqohi.exe PID 1028 wrote to memory of 4872 1028 Dedkdcie.exe Dhbgqohi.exe PID 4872 wrote to memory of 3916 4872 Dhbgqohi.exe Ekcpbj32.exe PID 4872 wrote to memory of 3916 4872 Dhbgqohi.exe Ekcpbj32.exe PID 4872 wrote to memory of 3916 4872 Dhbgqohi.exe Ekcpbj32.exe PID 3916 wrote to memory of 2060 3916 Ekcpbj32.exe Eamhodmf.exe PID 3916 wrote to memory of 2060 3916 Ekcpbj32.exe Eamhodmf.exe PID 3916 wrote to memory of 2060 3916 Ekcpbj32.exe Eamhodmf.exe PID 2060 wrote to memory of 3780 2060 Eamhodmf.exe Eekaebcm.exe PID 2060 wrote to memory of 3780 2060 Eamhodmf.exe Eekaebcm.exe PID 2060 wrote to memory of 3780 2060 Eamhodmf.exe Eekaebcm.exe PID 3780 wrote to memory of 4972 3780 Eekaebcm.exe Ecoangbg.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\73edbe2205beca00bade57fc1c19d700_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\73edbe2205beca00bade57fc1c19d700_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\SysWOW64\Bdhfhe32.exeC:\Windows\system32\Bdhfhe32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232 -
C:\Windows\SysWOW64\Behbag32.exeC:\Windows\system32\Behbag32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:732 -
C:\Windows\SysWOW64\Blbknaib.exeC:\Windows\system32\Blbknaib.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1020 -
C:\Windows\SysWOW64\Bobcpmfc.exeC:\Windows\system32\Bobcpmfc.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3512 -
C:\Windows\SysWOW64\Baaplhef.exeC:\Windows\system32\Baaplhef.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Cdainc32.exeC:\Windows\system32\Cdainc32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3984 -
C:\Windows\SysWOW64\Cknnpm32.exeC:\Windows\system32\Cknnpm32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4192 -
C:\Windows\SysWOW64\Cbefaj32.exeC:\Windows\system32\Cbefaj32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4520 -
C:\Windows\SysWOW64\Cbgbgj32.exeC:\Windows\system32\Cbgbgj32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Conclk32.exeC:\Windows\system32\Conclk32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4112 -
C:\Windows\SysWOW64\Chghdqbf.exeC:\Windows\system32\Chghdqbf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\SysWOW64\Daolnf32.exeC:\Windows\system32\Daolnf32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Ddmhja32.exeC:\Windows\system32\Ddmhja32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5020 -
C:\Windows\SysWOW64\Dkjmlk32.exeC:\Windows\system32\Dkjmlk32.exe15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:552 -
C:\Windows\SysWOW64\Dlijfneg.exeC:\Windows\system32\Dlijfneg.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1060 -
C:\Windows\SysWOW64\Dllfkn32.exeC:\Windows\system32\Dllfkn32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4052 -
C:\Windows\SysWOW64\Dedkdcie.exeC:\Windows\system32\Dedkdcie.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1028 -
C:\Windows\SysWOW64\Dhbgqohi.exeC:\Windows\system32\Dhbgqohi.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872 -
C:\Windows\SysWOW64\Ekcpbj32.exeC:\Windows\system32\Ekcpbj32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3916 -
C:\Windows\SysWOW64\Eamhodmf.exeC:\Windows\system32\Eamhodmf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\SysWOW64\Eekaebcm.exeC:\Windows\system32\Eekaebcm.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3780 -
C:\Windows\SysWOW64\Ecoangbg.exeC:\Windows\system32\Ecoangbg.exe23⤵
- Executes dropped EXE
PID:4972 -
C:\Windows\SysWOW64\Ehljfnpn.exeC:\Windows\system32\Ehljfnpn.exe24⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Eepjpb32.exeC:\Windows\system32\Eepjpb32.exe25⤵
- Executes dropped EXE
PID:4908 -
C:\Windows\SysWOW64\Fcckif32.exeC:\Windows\system32\Fcckif32.exe26⤵
- Executes dropped EXE
PID:4280 -
C:\Windows\SysWOW64\Fojlngce.exeC:\Windows\system32\Fojlngce.exe27⤵
- Executes dropped EXE
PID:1348 -
C:\Windows\SysWOW64\Fchddejl.exeC:\Windows\system32\Fchddejl.exe28⤵
- Executes dropped EXE
PID:4784 -
C:\Windows\SysWOW64\Fhemmlhc.exeC:\Windows\system32\Fhemmlhc.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:968 -
C:\Windows\SysWOW64\Fdlnbm32.exeC:\Windows\system32\Fdlnbm32.exe30⤵
- Executes dropped EXE
PID:4528 -
C:\Windows\SysWOW64\Fbpnkama.exeC:\Windows\system32\Fbpnkama.exe31⤵
- Executes dropped EXE
PID:4952 -
C:\Windows\SysWOW64\Fhjfhl32.exeC:\Windows\system32\Fhjfhl32.exe32⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Gdqgmmjb.exeC:\Windows\system32\Gdqgmmjb.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1124 -
C:\Windows\SysWOW64\Gkkojgao.exeC:\Windows\system32\Gkkojgao.exe34⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Gfpcgpae.exeC:\Windows\system32\Gfpcgpae.exe35⤵
- Executes dropped EXE
PID:1324 -
C:\Windows\SysWOW64\Ghopckpi.exeC:\Windows\system32\Ghopckpi.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:1612 -
C:\Windows\SysWOW64\Gohhpe32.exeC:\Windows\system32\Gohhpe32.exe37⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Gbgdlq32.exeC:\Windows\system32\Gbgdlq32.exe38⤵
- Executes dropped EXE
PID:3680 -
C:\Windows\SysWOW64\Gdeqhl32.exeC:\Windows\system32\Gdeqhl32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2576 -
C:\Windows\SysWOW64\Gcfqfc32.exeC:\Windows\system32\Gcfqfc32.exe40⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Gfembo32.exeC:\Windows\system32\Gfembo32.exe41⤵
- Executes dropped EXE
PID:5116 -
C:\Windows\SysWOW64\Gkaejf32.exeC:\Windows\system32\Gkaejf32.exe42⤵
- Executes dropped EXE
PID:3924 -
C:\Windows\SysWOW64\Gfgjgo32.exeC:\Windows\system32\Gfgjgo32.exe43⤵
- Executes dropped EXE
PID:3208 -
C:\Windows\SysWOW64\Hopnqdan.exeC:\Windows\system32\Hopnqdan.exe44⤵
- Executes dropped EXE
PID:4400 -
C:\Windows\SysWOW64\Hfifmnij.exeC:\Windows\system32\Hfifmnij.exe45⤵
- Executes dropped EXE
PID:3376 -
C:\Windows\SysWOW64\Hmcojh32.exeC:\Windows\system32\Hmcojh32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:2224 -
C:\Windows\SysWOW64\Hbpgbo32.exeC:\Windows\system32\Hbpgbo32.exe47⤵
- Executes dropped EXE
PID:1404 -
C:\Windows\SysWOW64\Hijooifk.exeC:\Windows\system32\Hijooifk.exe48⤵
- Executes dropped EXE
PID:3080 -
C:\Windows\SysWOW64\Hodgkc32.exeC:\Windows\system32\Hodgkc32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4516 -
C:\Windows\SysWOW64\Hfnphn32.exeC:\Windows\system32\Hfnphn32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:5036 -
C:\Windows\SysWOW64\Hmhhehlb.exeC:\Windows\system32\Hmhhehlb.exe51⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Hofdacke.exeC:\Windows\system32\Hofdacke.exe52⤵
- Executes dropped EXE
PID:3212 -
C:\Windows\SysWOW64\Hfqlnm32.exeC:\Windows\system32\Hfqlnm32.exe53⤵
- Executes dropped EXE
PID:4968 -
C:\Windows\SysWOW64\Hkmefd32.exeC:\Windows\system32\Hkmefd32.exe54⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Hcdmga32.exeC:\Windows\system32\Hcdmga32.exe55⤵
- Executes dropped EXE
PID:1268 -
C:\Windows\SysWOW64\Iefioj32.exeC:\Windows\system32\Iefioj32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:4144 -
C:\Windows\SysWOW64\Ikpaldog.exeC:\Windows\system32\Ikpaldog.exe57⤵
- Executes dropped EXE
PID:1164 -
C:\Windows\SysWOW64\Iehfdi32.exeC:\Windows\system32\Iehfdi32.exe58⤵
- Executes dropped EXE
PID:816 -
C:\Windows\SysWOW64\Ikbnacmd.exeC:\Windows\system32\Ikbnacmd.exe59⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Ifgbnlmj.exeC:\Windows\system32\Ifgbnlmj.exe60⤵
- Executes dropped EXE
PID:4752 -
C:\Windows\SysWOW64\Ildkgc32.exeC:\Windows\system32\Ildkgc32.exe61⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Ickchq32.exeC:\Windows\system32\Ickchq32.exe62⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Iemppiab.exeC:\Windows\system32\Iemppiab.exe63⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Imdgqfbd.exeC:\Windows\system32\Imdgqfbd.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:844 -
C:\Windows\SysWOW64\Icnpmp32.exeC:\Windows\system32\Icnpmp32.exe65⤵
- Executes dropped EXE
PID:4108 -
C:\Windows\SysWOW64\Ieolehop.exeC:\Windows\system32\Ieolehop.exe66⤵PID:348
-
C:\Windows\SysWOW64\Imfdff32.exeC:\Windows\system32\Imfdff32.exe67⤵PID:3720
-
C:\Windows\SysWOW64\Ibcmom32.exeC:\Windows\system32\Ibcmom32.exe68⤵PID:2724
-
C:\Windows\SysWOW64\Jeaikh32.exeC:\Windows\system32\Jeaikh32.exe69⤵PID:3012
-
C:\Windows\SysWOW64\Jbeidl32.exeC:\Windows\system32\Jbeidl32.exe70⤵PID:2368
-
C:\Windows\SysWOW64\Jioaqfcc.exeC:\Windows\system32\Jioaqfcc.exe71⤵PID:4432
-
C:\Windows\SysWOW64\Jlnnmb32.exeC:\Windows\system32\Jlnnmb32.exe72⤵PID:4512
-
C:\Windows\SysWOW64\Jbhfjljd.exeC:\Windows\system32\Jbhfjljd.exe73⤵
- Drops file in System32 directory
PID:3648 -
C:\Windows\SysWOW64\Jmmjgejj.exeC:\Windows\system32\Jmmjgejj.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1908 -
C:\Windows\SysWOW64\Jbjcolha.exeC:\Windows\system32\Jbjcolha.exe75⤵
- Modifies registry class
PID:2492 -
C:\Windows\SysWOW64\Jmpgldhg.exeC:\Windows\system32\Jmpgldhg.exe76⤵PID:3232
-
C:\Windows\SysWOW64\Jblpek32.exeC:\Windows\system32\Jblpek32.exe77⤵PID:1156
-
C:\Windows\SysWOW64\Jmbdbd32.exeC:\Windows\system32\Jmbdbd32.exe78⤵
- Modifies registry class
PID:1408 -
C:\Windows\SysWOW64\Kboljk32.exeC:\Windows\system32\Kboljk32.exe79⤵PID:4072
-
C:\Windows\SysWOW64\Kiidgeki.exeC:\Windows\system32\Kiidgeki.exe80⤵PID:5132
-
C:\Windows\SysWOW64\Kdnidn32.exeC:\Windows\system32\Kdnidn32.exe81⤵PID:5172
-
C:\Windows\SysWOW64\Kikame32.exeC:\Windows\system32\Kikame32.exe82⤵PID:5216
-
C:\Windows\SysWOW64\Klimip32.exeC:\Windows\system32\Klimip32.exe83⤵
- Drops file in System32 directory
PID:5260 -
C:\Windows\SysWOW64\Kebbafoj.exeC:\Windows\system32\Kebbafoj.exe84⤵PID:5304
-
C:\Windows\SysWOW64\Kbfbkj32.exeC:\Windows\system32\Kbfbkj32.exe85⤵PID:5348
-
C:\Windows\SysWOW64\Kipkhdeq.exeC:\Windows\system32\Kipkhdeq.exe86⤵PID:5396
-
C:\Windows\SysWOW64\Kdeoemeg.exeC:\Windows\system32\Kdeoemeg.exe87⤵PID:5448
-
C:\Windows\SysWOW64\Kibgmdcn.exeC:\Windows\system32\Kibgmdcn.exe88⤵PID:5492
-
C:\Windows\SysWOW64\Lffhfh32.exeC:\Windows\system32\Lffhfh32.exe89⤵PID:5536
-
C:\Windows\SysWOW64\Lmppcbjd.exeC:\Windows\system32\Lmppcbjd.exe90⤵PID:5580
-
C:\Windows\SysWOW64\Lpnlpnih.exeC:\Windows\system32\Lpnlpnih.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5620 -
C:\Windows\SysWOW64\Lbmhlihl.exeC:\Windows\system32\Lbmhlihl.exe92⤵
- Drops file in System32 directory
PID:5664 -
C:\Windows\SysWOW64\Lekehdgp.exeC:\Windows\system32\Lekehdgp.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5708 -
C:\Windows\SysWOW64\Ligqhc32.exeC:\Windows\system32\Ligqhc32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5748 -
C:\Windows\SysWOW64\Llemdo32.exeC:\Windows\system32\Llemdo32.exe95⤵PID:5812
-
C:\Windows\SysWOW64\Lboeaifi.exeC:\Windows\system32\Lboeaifi.exe96⤵PID:5860
-
C:\Windows\SysWOW64\Liimncmf.exeC:\Windows\system32\Liimncmf.exe97⤵PID:5900
-
C:\Windows\SysWOW64\Lpcfkm32.exeC:\Windows\system32\Lpcfkm32.exe98⤵PID:5948
-
C:\Windows\SysWOW64\Lbabgh32.exeC:\Windows\system32\Lbabgh32.exe99⤵
- Drops file in System32 directory
PID:5992 -
C:\Windows\SysWOW64\Lepncd32.exeC:\Windows\system32\Lepncd32.exe100⤵PID:6044
-
C:\Windows\SysWOW64\Lpebpm32.exeC:\Windows\system32\Lpebpm32.exe101⤵PID:6088
-
C:\Windows\SysWOW64\Lgokmgjm.exeC:\Windows\system32\Lgokmgjm.exe102⤵PID:6136
-
C:\Windows\SysWOW64\Lingibiq.exeC:\Windows\system32\Lingibiq.exe103⤵PID:5164
-
C:\Windows\SysWOW64\Lmiciaaj.exeC:\Windows\system32\Lmiciaaj.exe104⤵PID:5252
-
C:\Windows\SysWOW64\Lphoelqn.exeC:\Windows\system32\Lphoelqn.exe105⤵PID:5312
-
C:\Windows\SysWOW64\Mbfkbhpa.exeC:\Windows\system32\Mbfkbhpa.exe106⤵PID:5392
-
C:\Windows\SysWOW64\Medgncoe.exeC:\Windows\system32\Medgncoe.exe107⤵PID:5456
-
C:\Windows\SysWOW64\Mmlpoqpg.exeC:\Windows\system32\Mmlpoqpg.exe108⤵
- Drops file in System32 directory
PID:5524 -
C:\Windows\SysWOW64\Mlopkm32.exeC:\Windows\system32\Mlopkm32.exe109⤵PID:5608
-
C:\Windows\SysWOW64\Mchhggno.exeC:\Windows\system32\Mchhggno.exe110⤵
- Drops file in System32 directory
PID:5644 -
C:\Windows\SysWOW64\Megdccmb.exeC:\Windows\system32\Megdccmb.exe111⤵PID:5732
-
C:\Windows\SysWOW64\Mlampmdo.exeC:\Windows\system32\Mlampmdo.exe112⤵PID:5828
-
C:\Windows\SysWOW64\Mdhdajea.exeC:\Windows\system32\Mdhdajea.exe113⤵PID:5884
-
C:\Windows\SysWOW64\Mgfqmfde.exeC:\Windows\system32\Mgfqmfde.exe114⤵
- Drops file in System32 directory
PID:5956 -
C:\Windows\SysWOW64\Miemjaci.exeC:\Windows\system32\Miemjaci.exe115⤵
- Drops file in System32 directory
PID:6024 -
C:\Windows\SysWOW64\Mmpijp32.exeC:\Windows\system32\Mmpijp32.exe116⤵PID:6076
-
C:\Windows\SysWOW64\Mpoefk32.exeC:\Windows\system32\Mpoefk32.exe117⤵PID:5140
-
C:\Windows\SysWOW64\Mgimcebb.exeC:\Windows\system32\Mgimcebb.exe118⤵PID:6096
-
C:\Windows\SysWOW64\Migjoaaf.exeC:\Windows\system32\Migjoaaf.exe119⤵PID:5388
-
C:\Windows\SysWOW64\Mpablkhc.exeC:\Windows\system32\Mpablkhc.exe120⤵PID:5532
-
C:\Windows\SysWOW64\Mcpnhfhf.exeC:\Windows\system32\Mcpnhfhf.exe121⤵
- Modifies registry class
PID:5648 -
C:\Windows\SysWOW64\Menjdbgj.exeC:\Windows\system32\Menjdbgj.exe122⤵
- Drops file in System32 directory
PID:5792 -
C:\Windows\SysWOW64\Mnebeogl.exeC:\Windows\system32\Mnebeogl.exe123⤵
- Modifies registry class
PID:5944 -
C:\Windows\SysWOW64\Ndokbi32.exeC:\Windows\system32\Ndokbi32.exe124⤵PID:6064
-
C:\Windows\SysWOW64\Ncbknfed.exeC:\Windows\system32\Ncbknfed.exe125⤵PID:5208
-
C:\Windows\SysWOW64\Nilcjp32.exeC:\Windows\system32\Nilcjp32.exe126⤵PID:5368
-
C:\Windows\SysWOW64\Nljofl32.exeC:\Windows\system32\Nljofl32.exe127⤵PID:5676
-
C:\Windows\SysWOW64\Ndaggimg.exeC:\Windows\system32\Ndaggimg.exe128⤵PID:5940
-
C:\Windows\SysWOW64\Ncdgcf32.exeC:\Windows\system32\Ncdgcf32.exe129⤵
- Modifies registry class
PID:5124 -
C:\Windows\SysWOW64\Nebdoa32.exeC:\Windows\system32\Nebdoa32.exe130⤵PID:6244
-
C:\Windows\SysWOW64\Nlmllkja.exeC:\Windows\system32\Nlmllkja.exe131⤵PID:6288
-
C:\Windows\SysWOW64\Nphhmj32.exeC:\Windows\system32\Nphhmj32.exe132⤵PID:6340
-
C:\Windows\SysWOW64\Ncfdie32.exeC:\Windows\system32\Ncfdie32.exe133⤵PID:6388
-
C:\Windows\SysWOW64\Neeqea32.exeC:\Windows\system32\Neeqea32.exe134⤵PID:6428
-
C:\Windows\SysWOW64\Nnlhfn32.exeC:\Windows\system32\Nnlhfn32.exe135⤵PID:6468
-
C:\Windows\SysWOW64\Npjebj32.exeC:\Windows\system32\Npjebj32.exe136⤵PID:6516
-
C:\Windows\SysWOW64\Ndfqbhia.exeC:\Windows\system32\Ndfqbhia.exe137⤵
- Modifies registry class
PID:6564 -
C:\Windows\SysWOW64\Ngdmod32.exeC:\Windows\system32\Ngdmod32.exe138⤵PID:6604
-
C:\Windows\SysWOW64\Nfgmjqop.exeC:\Windows\system32\Nfgmjqop.exe139⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6644 -
C:\Windows\SysWOW64\Nnneknob.exeC:\Windows\system32\Nnneknob.exe140⤵
- Modifies registry class
PID:6688 -
C:\Windows\SysWOW64\Ndhmhh32.exeC:\Windows\system32\Ndhmhh32.exe141⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6728 -
C:\Windows\SysWOW64\Nfjjppmm.exeC:\Windows\system32\Nfjjppmm.exe142⤵PID:6780
-
C:\Windows\SysWOW64\Njefqo32.exeC:\Windows\system32\Njefqo32.exe143⤵
- Drops file in System32 directory
PID:6820 -
C:\Windows\SysWOW64\Olcbmj32.exeC:\Windows\system32\Olcbmj32.exe144⤵
- Modifies registry class
PID:6868 -
C:\Windows\SysWOW64\Odkjng32.exeC:\Windows\system32\Odkjng32.exe145⤵PID:6916
-
C:\Windows\SysWOW64\Ogifjcdp.exeC:\Windows\system32\Ogifjcdp.exe146⤵PID:6964
-
C:\Windows\SysWOW64\Ojgbfocc.exeC:\Windows\system32\Ojgbfocc.exe147⤵PID:7008
-
C:\Windows\SysWOW64\Olfobjbg.exeC:\Windows\system32\Olfobjbg.exe148⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7052 -
C:\Windows\SysWOW64\Odmgcgbi.exeC:\Windows\system32\Odmgcgbi.exe149⤵PID:7100
-
C:\Windows\SysWOW64\Ogkcpbam.exeC:\Windows\system32\Ogkcpbam.exe150⤵
- Modifies registry class
PID:7144 -
C:\Windows\SysWOW64\Oneklm32.exeC:\Windows\system32\Oneklm32.exe151⤵PID:5480
-
C:\Windows\SysWOW64\Odocigqg.exeC:\Windows\system32\Odocigqg.exe152⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6000 -
C:\Windows\SysWOW64\Ognpebpj.exeC:\Windows\system32\Ognpebpj.exe153⤵PID:6156
-
C:\Windows\SysWOW64\Ojllan32.exeC:\Windows\system32\Ojllan32.exe154⤵PID:6224
-
C:\Windows\SysWOW64\Oqfdnhfk.exeC:\Windows\system32\Oqfdnhfk.exe155⤵PID:6212
-
C:\Windows\SysWOW64\Ocdqjceo.exeC:\Windows\system32\Ocdqjceo.exe156⤵PID:6332
-
C:\Windows\SysWOW64\Ogpmjb32.exeC:\Windows\system32\Ogpmjb32.exe157⤵PID:6376
-
C:\Windows\SysWOW64\Onjegled.exeC:\Windows\system32\Onjegled.exe158⤵PID:6456
-
C:\Windows\SysWOW64\Oqhacgdh.exeC:\Windows\system32\Oqhacgdh.exe159⤵PID:6524
-
C:\Windows\SysWOW64\Ocgmpccl.exeC:\Windows\system32\Ocgmpccl.exe160⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6592 -
C:\Windows\SysWOW64\Ojaelm32.exeC:\Windows\system32\Ojaelm32.exe161⤵PID:6676
-
C:\Windows\SysWOW64\Pmoahijl.exeC:\Windows\system32\Pmoahijl.exe162⤵PID:6740
-
C:\Windows\SysWOW64\Pdfjifjo.exeC:\Windows\system32\Pdfjifjo.exe163⤵PID:6804
-
C:\Windows\SysWOW64\Pgefeajb.exeC:\Windows\system32\Pgefeajb.exe164⤵
- Modifies registry class
PID:6896 -
C:\Windows\SysWOW64\Pjcbbmif.exeC:\Windows\system32\Pjcbbmif.exe165⤵PID:6960
-
C:\Windows\SysWOW64\Pmannhhj.exeC:\Windows\system32\Pmannhhj.exe166⤵PID:7032
-
C:\Windows\SysWOW64\Pdifoehl.exeC:\Windows\system32\Pdifoehl.exe167⤵PID:7108
-
C:\Windows\SysWOW64\Pjeoglgc.exeC:\Windows\system32\Pjeoglgc.exe168⤵PID:5344
-
C:\Windows\SysWOW64\Pmdkch32.exeC:\Windows\system32\Pmdkch32.exe169⤵PID:6152
-
C:\Windows\SysWOW64\Pgioqq32.exeC:\Windows\system32\Pgioqq32.exe170⤵PID:6184
-
C:\Windows\SysWOW64\Pjhlml32.exeC:\Windows\system32\Pjhlml32.exe171⤵PID:6216
-
C:\Windows\SysWOW64\Pncgmkmj.exeC:\Windows\system32\Pncgmkmj.exe172⤵PID:6364
-
C:\Windows\SysWOW64\Pqbdjfln.exeC:\Windows\system32\Pqbdjfln.exe173⤵PID:6476
-
C:\Windows\SysWOW64\Pcppfaka.exeC:\Windows\system32\Pcppfaka.exe174⤵PID:6588
-
C:\Windows\SysWOW64\Pjjhbl32.exeC:\Windows\system32\Pjjhbl32.exe175⤵PID:6672
-
C:\Windows\SysWOW64\Pmidog32.exeC:\Windows\system32\Pmidog32.exe176⤵PID:6800
-
C:\Windows\SysWOW64\Pqdqof32.exeC:\Windows\system32\Pqdqof32.exe177⤵PID:6880
-
C:\Windows\SysWOW64\Pcbmka32.exeC:\Windows\system32\Pcbmka32.exe178⤵PID:7016
-
C:\Windows\SysWOW64\Pfaigm32.exeC:\Windows\system32\Pfaigm32.exe179⤵PID:7136
-
C:\Windows\SysWOW64\Qmkadgpo.exeC:\Windows\system32\Qmkadgpo.exe180⤵PID:6084
-
C:\Windows\SysWOW64\Qceiaa32.exeC:\Windows\system32\Qceiaa32.exe181⤵PID:6256
-
C:\Windows\SysWOW64\Qfcfml32.exeC:\Windows\system32\Qfcfml32.exe182⤵PID:6436
-
C:\Windows\SysWOW64\Qnjnnj32.exeC:\Windows\system32\Qnjnnj32.exe183⤵PID:6584
-
C:\Windows\SysWOW64\Qqijje32.exeC:\Windows\system32\Qqijje32.exe184⤵PID:6768
-
C:\Windows\SysWOW64\Qcgffqei.exeC:\Windows\system32\Qcgffqei.exe185⤵PID:6892
-
C:\Windows\SysWOW64\Qgcbgo32.exeC:\Windows\system32\Qgcbgo32.exe186⤵
- Drops file in System32 directory
PID:7092 -
C:\Windows\SysWOW64\Ajanck32.exeC:\Windows\system32\Ajanck32.exe187⤵PID:4944
-
C:\Windows\SysWOW64\Anmjcieo.exeC:\Windows\system32\Anmjcieo.exe188⤵PID:6356
-
C:\Windows\SysWOW64\Aqkgpedc.exeC:\Windows\system32\Aqkgpedc.exe189⤵PID:7128
-
C:\Windows\SysWOW64\Acjclpcf.exeC:\Windows\system32\Acjclpcf.exe190⤵PID:6764
-
C:\Windows\SysWOW64\Ajckij32.exeC:\Windows\system32\Ajckij32.exe191⤵PID:6860
-
C:\Windows\SysWOW64\Ambgef32.exeC:\Windows\system32\Ambgef32.exe192⤵
- Modifies registry class
PID:5880 -
C:\Windows\SysWOW64\Aeiofcji.exeC:\Windows\system32\Aeiofcji.exe193⤵
- Modifies registry class
PID:5556 -
C:\Windows\SysWOW64\Agglboim.exeC:\Windows\system32\Agglboim.exe194⤵PID:6772
-
C:\Windows\SysWOW64\Anadoi32.exeC:\Windows\system32\Anadoi32.exe195⤵PID:5616
-
C:\Windows\SysWOW64\Amddjegd.exeC:\Windows\system32\Amddjegd.exe196⤵
- Modifies registry class
PID:6724 -
C:\Windows\SysWOW64\Aeklkchg.exeC:\Windows\system32\Aeklkchg.exe197⤵
- Modifies registry class
PID:6836 -
C:\Windows\SysWOW64\Agjhgngj.exeC:\Windows\system32\Agjhgngj.exe198⤵PID:6924
-
C:\Windows\SysWOW64\Ajhddjfn.exeC:\Windows\system32\Ajhddjfn.exe199⤵PID:7208
-
C:\Windows\SysWOW64\Amgapeea.exeC:\Windows\system32\Amgapeea.exe200⤵PID:7256
-
C:\Windows\SysWOW64\Aeniabfd.exeC:\Windows\system32\Aeniabfd.exe201⤵PID:7296
-
C:\Windows\SysWOW64\Aglemn32.exeC:\Windows\system32\Aglemn32.exe202⤵PID:7340
-
C:\Windows\SysWOW64\Afoeiklb.exeC:\Windows\system32\Afoeiklb.exe203⤵
- Modifies registry class
PID:7388 -
C:\Windows\SysWOW64\Anfmjhmd.exeC:\Windows\system32\Anfmjhmd.exe204⤵PID:7432
-
C:\Windows\SysWOW64\Aadifclh.exeC:\Windows\system32\Aadifclh.exe205⤵PID:7464
-
C:\Windows\SysWOW64\Accfbokl.exeC:\Windows\system32\Accfbokl.exe206⤵
- Modifies registry class
PID:7512 -
C:\Windows\SysWOW64\Bnhjohkb.exeC:\Windows\system32\Bnhjohkb.exe207⤵PID:7552
-
C:\Windows\SysWOW64\Bagflcje.exeC:\Windows\system32\Bagflcje.exe208⤵PID:7588
-
C:\Windows\SysWOW64\Bcebhoii.exeC:\Windows\system32\Bcebhoii.exe209⤵PID:7628
-
C:\Windows\SysWOW64\Bfdodjhm.exeC:\Windows\system32\Bfdodjhm.exe210⤵PID:7672
-
C:\Windows\SysWOW64\Bnkgeg32.exeC:\Windows\system32\Bnkgeg32.exe211⤵PID:7712
-
C:\Windows\SysWOW64\Baicac32.exeC:\Windows\system32\Baicac32.exe212⤵
- Drops file in System32 directory
PID:7752 -
C:\Windows\SysWOW64\Bchomn32.exeC:\Windows\system32\Bchomn32.exe213⤵PID:7796
-
C:\Windows\SysWOW64\Bffkij32.exeC:\Windows\system32\Bffkij32.exe214⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7836 -
C:\Windows\SysWOW64\Bmpcfdmg.exeC:\Windows\system32\Bmpcfdmg.exe215⤵PID:7904
-
C:\Windows\SysWOW64\Beglgani.exeC:\Windows\system32\Beglgani.exe216⤵PID:7968
-
C:\Windows\SysWOW64\Bfhhoi32.exeC:\Windows\system32\Bfhhoi32.exe217⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:8032 -
C:\Windows\SysWOW64\Bmbplc32.exeC:\Windows\system32\Bmbplc32.exe218⤵PID:8068
-
C:\Windows\SysWOW64\Beihma32.exeC:\Windows\system32\Beihma32.exe219⤵
- Drops file in System32 directory
PID:8124 -
C:\Windows\SysWOW64\Bhhdil32.exeC:\Windows\system32\Bhhdil32.exe220⤵PID:8184
-
C:\Windows\SysWOW64\Bjfaeh32.exeC:\Windows\system32\Bjfaeh32.exe221⤵PID:7204
-
C:\Windows\SysWOW64\Bnbmefbg.exeC:\Windows\system32\Bnbmefbg.exe222⤵PID:6976
-
C:\Windows\SysWOW64\Belebq32.exeC:\Windows\system32\Belebq32.exe223⤵PID:7308
-
C:\Windows\SysWOW64\Chjaol32.exeC:\Windows\system32\Chjaol32.exe224⤵PID:7380
-
C:\Windows\SysWOW64\Cjinkg32.exeC:\Windows\system32\Cjinkg32.exe225⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7456 -
C:\Windows\SysWOW64\Cabfga32.exeC:\Windows\system32\Cabfga32.exe226⤵
- Drops file in System32 directory
PID:7536 -
C:\Windows\SysWOW64\Cenahpha.exeC:\Windows\system32\Cenahpha.exe227⤵PID:7612
-
C:\Windows\SysWOW64\Cfpnph32.exeC:\Windows\system32\Cfpnph32.exe228⤵PID:7680
-
C:\Windows\SysWOW64\Cjkjpgfi.exeC:\Windows\system32\Cjkjpgfi.exe229⤵PID:7740
-
C:\Windows\SysWOW64\Cmiflbel.exeC:\Windows\system32\Cmiflbel.exe230⤵PID:7832
-
C:\Windows\SysWOW64\Ceqnmpfo.exeC:\Windows\system32\Ceqnmpfo.exe231⤵PID:7956
-
C:\Windows\SysWOW64\Cjmgfgdf.exeC:\Windows\system32\Cjmgfgdf.exe232⤵PID:8052
-
C:\Windows\SysWOW64\Cnicfe32.exeC:\Windows\system32\Cnicfe32.exe233⤵PID:8132
-
C:\Windows\SysWOW64\Cagobalc.exeC:\Windows\system32\Cagobalc.exe234⤵
- Drops file in System32 directory
PID:7192 -
C:\Windows\SysWOW64\Cdfkolkf.exeC:\Windows\system32\Cdfkolkf.exe235⤵PID:7288
-
C:\Windows\SysWOW64\Cfdhkhjj.exeC:\Windows\system32\Cfdhkhjj.exe236⤵PID:7416
-
C:\Windows\SysWOW64\Cnkplejl.exeC:\Windows\system32\Cnkplejl.exe237⤵PID:7528
-
C:\Windows\SysWOW64\Cajlhqjp.exeC:\Windows\system32\Cajlhqjp.exe238⤵PID:7664
-
C:\Windows\SysWOW64\Cdhhdlid.exeC:\Windows\system32\Cdhhdlid.exe239⤵PID:7744
-
C:\Windows\SysWOW64\Cffdpghg.exeC:\Windows\system32\Cffdpghg.exe240⤵PID:7824
-
C:\Windows\SysWOW64\Cnnlaehj.exeC:\Windows\system32\Cnnlaehj.exe241⤵PID:8028
-
C:\Windows\SysWOW64\Calhnpgn.exeC:\Windows\system32\Calhnpgn.exe242⤵PID:7096