Analysis
-
max time kernel
94s -
max time network
122s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
31-05-2024 07:13
Behavioral task
behavioral1
Sample
7c59783ab9e2457e9a707b0ae5464200_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
7c59783ab9e2457e9a707b0ae5464200_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
-
Target
7c59783ab9e2457e9a707b0ae5464200_NeikiAnalytics.exe
-
Size
89KB
-
MD5
7c59783ab9e2457e9a707b0ae5464200
-
SHA1
9277c723558592d8850fd3944b7a656dd6bb55f7
-
SHA256
2ff4dd9d4316c6c3ccfd94d66a26fc74864e63adbbd5aeb488f6ca3b327f835b
-
SHA512
330055fabad641c2f43dda9b469b966858847d1e3c95cf407791fc46e24a610cfd2b65fd61f72e6c341543d920522b83e44f97345b2693dccf4236e76ff8e770
-
SSDEEP
1536:TasYUx+jV9g8nhSCGyCanF64c9L26XUE5tvd18AZcjF2ERQKD68a+VMKKTRVGFtl:ToU0fvRFnxsNs3err4MKy3G7UEqMM6
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Mmpijp32.exeLnjjdgee.exeNqmhbpba.exePabkdmpi.exeBecifhfj.exeEcjhcg32.exeFcfhof32.exeFkmchi32.exeFdgdgnbm.exeFhemmlhc.exeFbnafb32.exeGmhfhp32.exeHfcicmqp.exeJpppnp32.exePcijeb32.exeAegikj32.exeDlgmpogj.exeJfhlejnh.exeNepgjaeg.exeEleplc32.exeImpepm32.exeJfkoeppq.exeMnlfigcc.exeNnneknob.exeFobiilai.exeGcpapkgp.exeEleiam32.exePkfblfab.exeAqkgpedc.exePcbmka32.exeCnkplejl.exeIannfk32.exeBaocghgi.exeIpnjab32.exeJfcbjk32.exeHmcojh32.exeHkikkeeo.exeIlghlc32.exeLpnlpnih.exeDobfld32.exePkjlge32.exeChpada32.exeDoeiljfn.exeIfllil32.exeKmlnbi32.exeFdnjgmle.exeGfcgge32.exeNnhfee32.exeDhnnep32.exeMegdccmb.exeAelcfilb.exeJfeopj32.exeOgkcpbam.exeCffdpghg.exeEhhgfdho.exeGfqjafdq.exeLgpagm32.exeMjeddggd.exeEbbidj32.exeBjagjhnc.exeGcekkjcj.exeCehkhecb.exeDpemacql.exedescription ioc process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmpijp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lnjjdgee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nqmhbpba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pabkdmpi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Becifhfj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecjhcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fcfhof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkmchi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fdgdgnbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fhemmlhc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbnafb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gmhfhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hfcicmqp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jpppnp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcijeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aegikj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dlgmpogj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jfhlejnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nepgjaeg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eleplc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Impepm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jfkoeppq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnlfigcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nnneknob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fobiilai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gcpapkgp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmhfhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eleiam32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkfblfab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqkgpedc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pcbmka32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnkplejl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iannfk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baocghgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ipnjab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jfcbjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hmcojh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hkikkeeo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilghlc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpnlpnih.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dobfld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pkjlge32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chpada32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Doeiljfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ifllil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kmlnbi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdnjgmle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gfcgge32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnhfee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dhnnep32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Megdccmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aelcfilb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jfeopj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogkcpbam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cffdpghg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ehhgfdho.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfqjafdq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgpagm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjeddggd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ebbidj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bjagjhnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gcekkjcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cehkhecb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dpemacql.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Processes:
resource yara_rule C:\Windows\SysWOW64\Dpcpkc32.exe family_berbew C:\Windows\SysWOW64\Dcalgo32.exe family_berbew C:\Windows\SysWOW64\Dadlclim.exe family_berbew C:\Windows\SysWOW64\Dhnepfpj.exe family_berbew C:\Windows\SysWOW64\Dpemacql.exe family_berbew C:\Windows\SysWOW64\Dohmlp32.exe family_berbew C:\Windows\SysWOW64\Dagiil32.exe family_berbew C:\Windows\SysWOW64\Debeijoc.exe family_berbew C:\Windows\SysWOW64\Dphifcoi.exe family_berbew C:\Windows\SysWOW64\Dcfebonm.exe family_berbew C:\Windows\SysWOW64\Dfdbojmq.exe family_berbew C:\Windows\SysWOW64\Dpjflb32.exe family_berbew C:\Windows\SysWOW64\Dchbhn32.exe family_berbew C:\Windows\SysWOW64\Efgodj32.exe family_berbew C:\Windows\SysWOW64\Elagacbk.exe family_berbew C:\Windows\SysWOW64\Ebnoikqb.exe family_berbew C:\Windows\SysWOW64\Ehhgfdho.exe family_berbew C:\Windows\SysWOW64\Eoapbo32.exe family_berbew C:\Windows\SysWOW64\Ecmlcmhe.exe family_berbew C:\Windows\SysWOW64\Eflhoigi.exe family_berbew C:\Windows\SysWOW64\Eleplc32.exe family_berbew C:\Windows\SysWOW64\Ebbidj32.exe family_berbew C:\Windows\SysWOW64\Elhmablc.exe family_berbew C:\Windows\SysWOW64\Ejlmkgkl.exe family_berbew C:\Windows\SysWOW64\Emjjgbjp.exe family_berbew C:\Windows\SysWOW64\Eqfeha32.exe family_berbew C:\Windows\SysWOW64\Fmmfmbhn.exe family_berbew C:\Windows\SysWOW64\Fokbim32.exe family_berbew C:\Windows\SysWOW64\Fcgoilpj.exe family_berbew C:\Windows\SysWOW64\Fjqgff32.exe family_berbew C:\Windows\SysWOW64\Fmocba32.exe family_berbew C:\Windows\SysWOW64\Ffggkgmk.exe family_berbew C:\Windows\SysWOW64\Himcoo32.exe family_berbew C:\Windows\SysWOW64\Iannfk32.exe family_berbew C:\Windows\SysWOW64\Ifjfnb32.exe family_berbew C:\Windows\SysWOW64\Imgkql32.exe family_berbew C:\Windows\SysWOW64\Ijkljp32.exe family_berbew C:\Windows\SysWOW64\Jplmmfmi.exe family_berbew C:\Windows\SysWOW64\Kmjqmi32.exe family_berbew C:\Windows\SysWOW64\Kmlnbi32.exe family_berbew C:\Windows\SysWOW64\Lijdhiaa.exe family_berbew C:\Windows\SysWOW64\Lnhmng32.exe family_berbew C:\Windows\SysWOW64\Lgpagm32.exe family_berbew C:\Windows\SysWOW64\Lcgblncm.exe family_berbew C:\Windows\SysWOW64\Mnlfigcc.exe family_berbew C:\Windows\SysWOW64\Mkepnjng.exe family_berbew C:\Windows\SysWOW64\Mcbahlip.exe family_berbew C:\Windows\SysWOW64\Nnhfee32.exe family_berbew C:\Windows\SysWOW64\Ngpjnkpf.exe family_berbew C:\Windows\SysWOW64\Nqiogp32.exe family_berbew C:\Windows\SysWOW64\Nnmopdep.exe family_berbew C:\Windows\SysWOW64\Nggqoj32.exe family_berbew C:\Windows\SysWOW64\Obangb32.exe family_berbew C:\Windows\SysWOW64\Onholckc.exe family_berbew C:\Windows\SysWOW64\Ogaceh32.exe family_berbew C:\Windows\SysWOW64\Odednmpm.exe family_berbew C:\Windows\SysWOW64\Odgqdlnj.exe family_berbew C:\Windows\SysWOW64\Peimil32.exe family_berbew C:\Windows\SysWOW64\Pnfkma32.exe family_berbew C:\Windows\SysWOW64\Qbgqio32.exe family_berbew C:\Windows\SysWOW64\Abkjdnoa.exe family_berbew C:\Windows\SysWOW64\Ajfoiqll.exe family_berbew C:\Windows\SysWOW64\Ajiknpjj.exe family_berbew C:\Windows\SysWOW64\Ajkhdp32.exe family_berbew -
Executes dropped EXE 64 IoCs
Processes:
Dpcpkc32.exeDcalgo32.exeDadlclim.exeDhnepfpj.exeDpemacql.exeDohmlp32.exeDagiil32.exeDebeijoc.exeDphifcoi.exeDcfebonm.exeDfdbojmq.exeDpjflb32.exeDchbhn32.exeEfgodj32.exeElagacbk.exeEbnoikqb.exeEhhgfdho.exeEoapbo32.exeEcmlcmhe.exeEflhoigi.exeEleplc32.exeEbbidj32.exeElhmablc.exeEjlmkgkl.exeEmjjgbjp.exeEqfeha32.exeFmmfmbhn.exeFokbim32.exeFcgoilpj.exeFjqgff32.exeFmocba32.exeFfggkgmk.exeFifdgblo.exeFckhdk32.exeFfjdqg32.exeFihqmb32.exeFobiilai.exeFjhmgeao.exeFmficqpc.exeFqaeco32.exeGcpapkgp.exeGfnnlffc.exeGmhfhp32.exeGqdbiofi.exeGfqjafdq.exeGiofnacd.exeGmkbnp32.exeGcekkjcj.exeGfcgge32.exeHboagf32.exeHjfihc32.exeHapaemll.exeHcnnaikp.exeHjhfnccl.exeHpenfjad.exeHbckbepg.exeHimcoo32.exeHccglh32.exeHmklen32.exeHcedaheh.exeHfcpncdk.exeHjolnb32.exeHmmhjm32.exeHaidklda.exepid process 4928 Dpcpkc32.exe 928 Dcalgo32.exe 3940 Dadlclim.exe 2116 Dhnepfpj.exe 4952 Dpemacql.exe 3724 Dohmlp32.exe 1568 Dagiil32.exe 1968 Debeijoc.exe 1512 Dphifcoi.exe 2076 Dcfebonm.exe 3120 Dfdbojmq.exe 3304 Dpjflb32.exe 808 Dchbhn32.exe 428 Efgodj32.exe 3936 Elagacbk.exe 4964 Ebnoikqb.exe 3128 Ehhgfdho.exe 2408 Eoapbo32.exe 4616 Ecmlcmhe.exe 2476 Eflhoigi.exe 2628 Eleplc32.exe 3548 Ebbidj32.exe 1496 Elhmablc.exe 1500 Ejlmkgkl.exe 228 Emjjgbjp.exe 2352 Eqfeha32.exe 5076 Fmmfmbhn.exe 1688 Fokbim32.exe 3760 Fcgoilpj.exe 3240 Fjqgff32.exe 708 Fmocba32.exe 3176 Ffggkgmk.exe 776 Fifdgblo.exe 2012 Fckhdk32.exe 3896 Ffjdqg32.exe 1776 Fihqmb32.exe 4020 Fobiilai.exe 4556 Fjhmgeao.exe 3388 Fmficqpc.exe 1960 Fqaeco32.exe 3260 Gcpapkgp.exe 760 Gfnnlffc.exe 3708 Gmhfhp32.exe 5028 Gqdbiofi.exe 4044 Gfqjafdq.exe 3780 Giofnacd.exe 4280 Gmkbnp32.exe 1228 Gcekkjcj.exe 2920 Gfcgge32.exe 1468 Hboagf32.exe 4920 Hjfihc32.exe 2560 Hapaemll.exe 2504 Hcnnaikp.exe 1652 Hjhfnccl.exe 4560 Hpenfjad.exe 5056 Hbckbepg.exe 4052 Himcoo32.exe 4420 Hccglh32.exe 4120 Hmklen32.exe 864 Hcedaheh.exe 748 Hfcpncdk.exe 716 Hjolnb32.exe 4380 Hmmhjm32.exe 2468 Haidklda.exe -
Drops file in System32 directory 64 IoCs
Processes:
Dcfebonm.exeLknjmkdo.exeJfhlejnh.exeCnnlaehj.exeHaidklda.exeKmjqmi32.exeBhfonc32.exeFlnlhk32.exeJcefno32.exeDkifae32.exeDagiil32.exeHimcoo32.exeOqgkhnjf.exeCahfmgoo.exeOfqpqo32.exeChmndlge.exeDddhpjof.exeHcedaheh.exeIbmmhdhm.exeNkqpjidj.exeChmeobkq.exeKinemkko.exePcojkhap.exeHbpgbo32.exeAfhohlbj.exeIjdeiaio.exeFafkecel.exeMbfkbhpa.exeOddmdf32.exePjhlml32.exeBelebq32.exeIpckgh32.exeImakkfdg.exeLpebpm32.exeFhjfhl32.exeKlqcioba.exeAabmqd32.exeJjmhppqd.exeGofkje32.exeHfqlnm32.exeJbmfoa32.exePkfblfab.exeAelcfilb.exeKdcbom32.exeMpkbebbf.exeNdghmo32.exeAejfpjne.exeLbmhlihl.exeGmhfhp32.exeGkoiefmj.exeLeihbeib.exeLekehdgp.exeCagobalc.exeCmiflbel.exeFckhdk32.exeMaaepd32.exeDboigi32.exeEdbklofb.exeFfddka32.exeFkffog32.exeKfoafi32.exeKgphpo32.exeEchknh32.exeAqncedbp.exedescription ioc process File created C:\Windows\SysWOW64\Dfdbojmq.exe Dcfebonm.exe File created C:\Windows\SysWOW64\Mnlfigcc.exe Lknjmkdo.exe File created C:\Windows\SysWOW64\Ndqgbjkm.dll Jfhlejnh.exe File created C:\Windows\SysWOW64\Mgcail32.dll Cnnlaehj.exe File created C:\Windows\SysWOW64\Fjkiobic.dll Haidklda.exe File opened for modification C:\Windows\SysWOW64\Kaemnhla.exe Kmjqmi32.exe File created C:\Windows\SysWOW64\Bjdkjo32.exe Bhfonc32.exe File opened for modification C:\Windows\SysWOW64\Fkalchij.exe Flnlhk32.exe File opened for modification C:\Windows\SysWOW64\Jfcbjk32.exe Jcefno32.exe File opened for modification C:\Windows\SysWOW64\Dodbbdbb.exe Dkifae32.exe File created C:\Windows\SysWOW64\Debeijoc.exe Dagiil32.exe File created C:\Windows\SysWOW64\Jkageheh.dll Himcoo32.exe File opened for modification C:\Windows\SysWOW64\Ogaceh32.exe Oqgkhnjf.exe File opened for modification C:\Windows\SysWOW64\Cdfbibnb.exe Cahfmgoo.exe File created C:\Windows\SysWOW64\Onhhamgg.exe Ofqpqo32.exe File created C:\Windows\SysWOW64\Omocan32.dll Chmndlge.exe File created C:\Windows\SysWOW64\Dknpmdfc.exe Dddhpjof.exe File created C:\Windows\SysWOW64\Mlmpolji.dll Hcedaheh.exe File created C:\Windows\SysWOW64\Ijdeiaio.exe Ibmmhdhm.exe File created C:\Windows\SysWOW64\Cknpkhch.dll Nkqpjidj.exe File created C:\Windows\SysWOW64\Cklaknjd.exe Chmeobkq.exe File opened for modification C:\Windows\SysWOW64\Kmjqmi32.exe Kinemkko.exe File created C:\Windows\SysWOW64\Pkfblfab.exe Pcojkhap.exe File created C:\Windows\SysWOW64\Heocnk32.exe Hbpgbo32.exe File opened for modification C:\Windows\SysWOW64\Ambgef32.exe Afhohlbj.exe File created C:\Windows\SysWOW64\Kbmebabl.dll Ijdeiaio.exe File opened for modification C:\Windows\SysWOW64\Febgea32.exe Fafkecel.exe File created C:\Windows\SysWOW64\Medgncoe.exe Mbfkbhpa.exe File created C:\Windows\SysWOW64\Ogbipa32.exe Oddmdf32.exe File created C:\Windows\SysWOW64\Pncgmkmj.exe Pjhlml32.exe File created C:\Windows\SysWOW64\Jfihel32.dll Belebq32.exe File opened for modification C:\Windows\SysWOW64\Ifmcdblq.exe Ipckgh32.exe File created C:\Windows\SysWOW64\Ildkgc32.exe Imakkfdg.exe File created C:\Windows\SysWOW64\Lgokmgjm.exe Lpebpm32.exe File created C:\Windows\SysWOW64\Glebhjlg.exe Fhjfhl32.exe File opened for modification C:\Windows\SysWOW64\Kdgljmcd.exe Klqcioba.exe File opened for modification C:\Windows\SysWOW64\Afoeiklb.exe Aabmqd32.exe File created C:\Windows\SysWOW64\Mjlcankg.dll Jjmhppqd.exe File opened for modification C:\Windows\SysWOW64\Ghopckpi.exe Gofkje32.exe File created C:\Windows\SysWOW64\Fpeohm32.dll Hfqlnm32.exe File created C:\Windows\SysWOW64\Jigollag.exe Jbmfoa32.exe File created C:\Windows\SysWOW64\Pndohaqe.exe Pkfblfab.exe File created C:\Windows\SysWOW64\Phfkqkek.dll Aelcfilb.exe File created C:\Windows\SysWOW64\Kbfbkj32.exe Kdcbom32.exe File opened for modification C:\Windows\SysWOW64\Mciobn32.exe Mpkbebbf.exe File opened for modification C:\Windows\SysWOW64\Nkqpjidj.exe Ndghmo32.exe File created C:\Windows\SysWOW64\Acmflf32.exe Aejfpjne.exe File created C:\Windows\SysWOW64\Lekehdgp.exe Lbmhlihl.exe File created C:\Windows\SysWOW64\Ginahd32.dll Gmhfhp32.exe File created C:\Windows\SysWOW64\Gokdeeec.exe Gkoiefmj.exe File created C:\Windows\SysWOW64\Lpnlpnih.exe Leihbeib.exe File created C:\Windows\SysWOW64\Lmbmibhb.exe Lekehdgp.exe File created C:\Windows\SysWOW64\Eifnachf.dll Cagobalc.exe File created C:\Windows\SysWOW64\Ceqnmpfo.exe Cmiflbel.exe File created C:\Windows\SysWOW64\Hofddb32.dll Fckhdk32.exe File created C:\Windows\SysWOW64\Lelgbkio.dll Maaepd32.exe File opened for modification C:\Windows\SysWOW64\Daaicfgd.exe Dboigi32.exe File created C:\Windows\SysWOW64\Fljcmlfd.exe Edbklofb.exe File created C:\Windows\SysWOW64\Fdgdgnbm.exe Ffddka32.exe File created C:\Windows\SysWOW64\Ohjgdmkj.dll Fkffog32.exe File created C:\Windows\SysWOW64\Pmdfog32.dll Kfoafi32.exe File created C:\Windows\SysWOW64\Bdiihjon.dll Kgphpo32.exe File created C:\Windows\SysWOW64\Eefhjc32.exe Echknh32.exe File created C:\Windows\SysWOW64\Agglboim.exe Aqncedbp.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 13092 13296 WerFault.exe Dmllipeg.exe -
Modifies registry class 64 IoCs
Processes:
Onmhgb32.exeIckchq32.exeMdhdajea.exeDojcgi32.exeFdgdgnbm.exeFkopnh32.exeJimekgff.exePfjcgn32.exeDhmgki32.exeHmklen32.exeDohfbj32.exeElgfgl32.exeIpnjab32.exeMaohkd32.exeFljcmlfd.exeHkmefd32.exeJmknaell.exeOgbipa32.exePncgmkmj.exeAndqdh32.exeIiibkn32.exeEdnaqo32.exeGmoeoidl.exeHbbdholl.exeMkpgck32.exeEabbjc32.exeFdnjgmle.exeKdcbom32.exeDogogcpo.exeAcmflf32.exeDhnnep32.exeElppfmoo.exeQffbbldm.exeImgkql32.exeHfqlnm32.exeJbeidl32.exeLljfpnjg.exeQmmnjfnl.exePgemphmn.exeBecifhfj.exeDdgkpp32.exeFooeif32.exeAmbgef32.exeDagiil32.exeKaemnhla.exeOcckojkm.exeDhidjpqc.exeOfcmfodb.exePagdol32.exeBbnpqk32.exeKmijbcpl.exeEcmlcmhe.exeEbbidj32.exeNcgkcl32.exePnfkma32.exeBjpaooda.exeJifhaenk.exeNggjdc32.exeGcpapkgp.exeHjfihc32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Camjdd32.dll" Onmhgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laapnj32.dll" Ickchq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfelggh.dll" Mdhdajea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpmmhi32.dll" Dojcgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhkephlb.dll" Fdgdgnbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epbahkcp.dll" Fkopnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jimekgff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgfjhqm.dll" Pfjcgn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dhmgki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hionfema.dll" Hmklen32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dohfbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Collmj32.dll" Elgfgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ipnjab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Maohkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fljcmlfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hkmefd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jmknaell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ogbipa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pncgmkmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Andqdh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iiibkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ednaqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gmoeoidl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hbbdholl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mkpgck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmfmfg32.dll" Eabbjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fdnjgmle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kdcbom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dogogcpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Acmflf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcfmgfde.dll" Dhnnep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Elppfmoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enoogcin.dll" Hbbdholl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qffbbldm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kflflhfg.dll" Imgkql32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hfqlnm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jbeidl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lljfpnjg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qmmnjfnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iemkcl32.dll" Pgemphmn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mdhdajea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Becifhfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmjehihl.dll" Dohfbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ddgkpp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fooeif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ambgef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dagiil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kaemnhla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Occkojkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dhidjpqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilkmnni.dll" Ofcmfodb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pagdol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bbnpqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kmijbcpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ampkqqjm.dll" Ecmlcmhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdmaid32.dll" Ebbidj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ncgkcl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pnfkma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bjpaooda.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jifhaenk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nggjdc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gcpapkgp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hjfihc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcjakp32.dll" Acmflf32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
7c59783ab9e2457e9a707b0ae5464200_NeikiAnalytics.exeDpcpkc32.exeDcalgo32.exeDadlclim.exeDhnepfpj.exeDpemacql.exeDohmlp32.exeDagiil32.exeDebeijoc.exeDphifcoi.exeDcfebonm.exeDfdbojmq.exeDpjflb32.exeDchbhn32.exeEfgodj32.exeElagacbk.exeEbnoikqb.exeEhhgfdho.exeEoapbo32.exeEcmlcmhe.exeEflhoigi.exeEleplc32.exedescription pid process target process PID 1664 wrote to memory of 4928 1664 7c59783ab9e2457e9a707b0ae5464200_NeikiAnalytics.exe Dpcpkc32.exe PID 1664 wrote to memory of 4928 1664 7c59783ab9e2457e9a707b0ae5464200_NeikiAnalytics.exe Dpcpkc32.exe PID 1664 wrote to memory of 4928 1664 7c59783ab9e2457e9a707b0ae5464200_NeikiAnalytics.exe Dpcpkc32.exe PID 4928 wrote to memory of 928 4928 Dpcpkc32.exe Dcalgo32.exe PID 4928 wrote to memory of 928 4928 Dpcpkc32.exe Dcalgo32.exe PID 4928 wrote to memory of 928 4928 Dpcpkc32.exe Dcalgo32.exe PID 928 wrote to memory of 3940 928 Dcalgo32.exe Dadlclim.exe PID 928 wrote to memory of 3940 928 Dcalgo32.exe Dadlclim.exe PID 928 wrote to memory of 3940 928 Dcalgo32.exe Dadlclim.exe PID 3940 wrote to memory of 2116 3940 Dadlclim.exe Dhnepfpj.exe PID 3940 wrote to memory of 2116 3940 Dadlclim.exe Dhnepfpj.exe PID 3940 wrote to memory of 2116 3940 Dadlclim.exe Dhnepfpj.exe PID 2116 wrote to memory of 4952 2116 Dhnepfpj.exe Dpemacql.exe PID 2116 wrote to memory of 4952 2116 Dhnepfpj.exe Dpemacql.exe PID 2116 wrote to memory of 4952 2116 Dhnepfpj.exe Dpemacql.exe PID 4952 wrote to memory of 3724 4952 Dpemacql.exe Dohmlp32.exe PID 4952 wrote to memory of 3724 4952 Dpemacql.exe Dohmlp32.exe PID 4952 wrote to memory of 3724 4952 Dpemacql.exe Dohmlp32.exe PID 3724 wrote to memory of 1568 3724 Dohmlp32.exe Dagiil32.exe PID 3724 wrote to memory of 1568 3724 Dohmlp32.exe Dagiil32.exe PID 3724 wrote to memory of 1568 3724 Dohmlp32.exe Dagiil32.exe PID 1568 wrote to memory of 1968 1568 Dagiil32.exe Debeijoc.exe PID 1568 wrote to memory of 1968 1568 Dagiil32.exe Debeijoc.exe PID 1568 wrote to memory of 1968 1568 Dagiil32.exe Debeijoc.exe PID 1968 wrote to memory of 1512 1968 Debeijoc.exe Dphifcoi.exe PID 1968 wrote to memory of 1512 1968 Debeijoc.exe Dphifcoi.exe PID 1968 wrote to memory of 1512 1968 Debeijoc.exe Dphifcoi.exe PID 1512 wrote to memory of 2076 1512 Dphifcoi.exe Dcfebonm.exe PID 1512 wrote to memory of 2076 1512 Dphifcoi.exe Dcfebonm.exe PID 1512 wrote to memory of 2076 1512 Dphifcoi.exe Dcfebonm.exe PID 2076 wrote to memory of 3120 2076 Dcfebonm.exe Dfdbojmq.exe PID 2076 wrote to memory of 3120 2076 Dcfebonm.exe Dfdbojmq.exe PID 2076 wrote to memory of 3120 2076 Dcfebonm.exe Dfdbojmq.exe PID 3120 wrote to memory of 3304 3120 Dfdbojmq.exe Dpjflb32.exe PID 3120 wrote to memory of 3304 3120 Dfdbojmq.exe Dpjflb32.exe PID 3120 wrote to memory of 3304 3120 Dfdbojmq.exe Dpjflb32.exe PID 3304 wrote to memory of 808 3304 Dpjflb32.exe Dchbhn32.exe PID 3304 wrote to memory of 808 3304 Dpjflb32.exe Dchbhn32.exe PID 3304 wrote to memory of 808 3304 Dpjflb32.exe Dchbhn32.exe PID 808 wrote to memory of 428 808 Dchbhn32.exe Efgodj32.exe PID 808 wrote to memory of 428 808 Dchbhn32.exe Efgodj32.exe PID 808 wrote to memory of 428 808 Dchbhn32.exe Efgodj32.exe PID 428 wrote to memory of 3936 428 Efgodj32.exe Elagacbk.exe PID 428 wrote to memory of 3936 428 Efgodj32.exe Elagacbk.exe PID 428 wrote to memory of 3936 428 Efgodj32.exe Elagacbk.exe PID 3936 wrote to memory of 4964 3936 Elagacbk.exe Ebnoikqb.exe PID 3936 wrote to memory of 4964 3936 Elagacbk.exe Ebnoikqb.exe PID 3936 wrote to memory of 4964 3936 Elagacbk.exe Ebnoikqb.exe PID 4964 wrote to memory of 3128 4964 Ebnoikqb.exe Ehhgfdho.exe PID 4964 wrote to memory of 3128 4964 Ebnoikqb.exe Ehhgfdho.exe PID 4964 wrote to memory of 3128 4964 Ebnoikqb.exe Ehhgfdho.exe PID 3128 wrote to memory of 2408 3128 Ehhgfdho.exe Eoapbo32.exe PID 3128 wrote to memory of 2408 3128 Ehhgfdho.exe Eoapbo32.exe PID 3128 wrote to memory of 2408 3128 Ehhgfdho.exe Eoapbo32.exe PID 2408 wrote to memory of 4616 2408 Eoapbo32.exe Ecmlcmhe.exe PID 2408 wrote to memory of 4616 2408 Eoapbo32.exe Ecmlcmhe.exe PID 2408 wrote to memory of 4616 2408 Eoapbo32.exe Ecmlcmhe.exe PID 4616 wrote to memory of 2476 4616 Ecmlcmhe.exe Eflhoigi.exe PID 4616 wrote to memory of 2476 4616 Ecmlcmhe.exe Eflhoigi.exe PID 4616 wrote to memory of 2476 4616 Ecmlcmhe.exe Eflhoigi.exe PID 2476 wrote to memory of 2628 2476 Eflhoigi.exe Eleplc32.exe PID 2476 wrote to memory of 2628 2476 Eflhoigi.exe Eleplc32.exe PID 2476 wrote to memory of 2628 2476 Eflhoigi.exe Eleplc32.exe PID 2628 wrote to memory of 3548 2628 Eleplc32.exe Ebbidj32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\7c59783ab9e2457e9a707b0ae5464200_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\7c59783ab9e2457e9a707b0ae5464200_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\Dpcpkc32.exeC:\Windows\system32\Dpcpkc32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
C:\Windows\SysWOW64\Dcalgo32.exeC:\Windows\system32\Dcalgo32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:928 -
C:\Windows\SysWOW64\Dadlclim.exeC:\Windows\system32\Dadlclim.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3940 -
C:\Windows\SysWOW64\Dhnepfpj.exeC:\Windows\system32\Dhnepfpj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\Dpemacql.exeC:\Windows\system32\Dpemacql.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4952 -
C:\Windows\SysWOW64\Dohmlp32.exeC:\Windows\system32\Dohmlp32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3724 -
C:\Windows\SysWOW64\Dagiil32.exeC:\Windows\system32\Dagiil32.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1568 -
C:\Windows\SysWOW64\Debeijoc.exeC:\Windows\system32\Debeijoc.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\Dphifcoi.exeC:\Windows\system32\Dphifcoi.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512 -
C:\Windows\SysWOW64\Dcfebonm.exeC:\Windows\system32\Dcfebonm.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\Dfdbojmq.exeC:\Windows\system32\Dfdbojmq.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3120 -
C:\Windows\SysWOW64\Dpjflb32.exeC:\Windows\system32\Dpjflb32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3304 -
C:\Windows\SysWOW64\Dchbhn32.exeC:\Windows\system32\Dchbhn32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:808 -
C:\Windows\SysWOW64\Efgodj32.exeC:\Windows\system32\Efgodj32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:428 -
C:\Windows\SysWOW64\Elagacbk.exeC:\Windows\system32\Elagacbk.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
C:\Windows\SysWOW64\Ebnoikqb.exeC:\Windows\system32\Ebnoikqb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4964 -
C:\Windows\SysWOW64\Ehhgfdho.exeC:\Windows\system32\Ehhgfdho.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3128 -
C:\Windows\SysWOW64\Eoapbo32.exeC:\Windows\system32\Eoapbo32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Ecmlcmhe.exeC:\Windows\system32\Ecmlcmhe.exe20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4616 -
C:\Windows\SysWOW64\Eflhoigi.exeC:\Windows\system32\Eflhoigi.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Eleplc32.exeC:\Windows\system32\Eleplc32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Ebbidj32.exeC:\Windows\system32\Ebbidj32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3548 -
C:\Windows\SysWOW64\Elhmablc.exeC:\Windows\system32\Elhmablc.exe24⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Ejlmkgkl.exeC:\Windows\system32\Ejlmkgkl.exe25⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Emjjgbjp.exeC:\Windows\system32\Emjjgbjp.exe26⤵
- Executes dropped EXE
PID:228 -
C:\Windows\SysWOW64\Eqfeha32.exeC:\Windows\system32\Eqfeha32.exe27⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Fmmfmbhn.exeC:\Windows\system32\Fmmfmbhn.exe28⤵
- Executes dropped EXE
PID:5076 -
C:\Windows\SysWOW64\Fokbim32.exeC:\Windows\system32\Fokbim32.exe29⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Fcgoilpj.exeC:\Windows\system32\Fcgoilpj.exe30⤵
- Executes dropped EXE
PID:3760 -
C:\Windows\SysWOW64\Fjqgff32.exeC:\Windows\system32\Fjqgff32.exe31⤵
- Executes dropped EXE
PID:3240 -
C:\Windows\SysWOW64\Fmocba32.exeC:\Windows\system32\Fmocba32.exe32⤵
- Executes dropped EXE
PID:708 -
C:\Windows\SysWOW64\Ffggkgmk.exeC:\Windows\system32\Ffggkgmk.exe33⤵
- Executes dropped EXE
PID:3176 -
C:\Windows\SysWOW64\Fifdgblo.exeC:\Windows\system32\Fifdgblo.exe34⤵
- Executes dropped EXE
PID:776 -
C:\Windows\SysWOW64\Fckhdk32.exeC:\Windows\system32\Fckhdk32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2012 -
C:\Windows\SysWOW64\Ffjdqg32.exeC:\Windows\system32\Ffjdqg32.exe36⤵
- Executes dropped EXE
PID:3896 -
C:\Windows\SysWOW64\Fihqmb32.exeC:\Windows\system32\Fihqmb32.exe37⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Fobiilai.exeC:\Windows\system32\Fobiilai.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4020 -
C:\Windows\SysWOW64\Fjhmgeao.exeC:\Windows\system32\Fjhmgeao.exe39⤵
- Executes dropped EXE
PID:4556 -
C:\Windows\SysWOW64\Fmficqpc.exeC:\Windows\system32\Fmficqpc.exe40⤵
- Executes dropped EXE
PID:3388 -
C:\Windows\SysWOW64\Fqaeco32.exeC:\Windows\system32\Fqaeco32.exe41⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Gcpapkgp.exeC:\Windows\system32\Gcpapkgp.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3260 -
C:\Windows\SysWOW64\Gfnnlffc.exeC:\Windows\system32\Gfnnlffc.exe43⤵
- Executes dropped EXE
PID:760 -
C:\Windows\SysWOW64\Gmhfhp32.exeC:\Windows\system32\Gmhfhp32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3708 -
C:\Windows\SysWOW64\Gqdbiofi.exeC:\Windows\system32\Gqdbiofi.exe45⤵
- Executes dropped EXE
PID:5028 -
C:\Windows\SysWOW64\Gfqjafdq.exeC:\Windows\system32\Gfqjafdq.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4044 -
C:\Windows\SysWOW64\Giofnacd.exeC:\Windows\system32\Giofnacd.exe47⤵
- Executes dropped EXE
PID:3780 -
C:\Windows\SysWOW64\Gmkbnp32.exeC:\Windows\system32\Gmkbnp32.exe48⤵
- Executes dropped EXE
PID:4280 -
C:\Windows\SysWOW64\Gcekkjcj.exeC:\Windows\system32\Gcekkjcj.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Gfcgge32.exeC:\Windows\system32\Gfcgge32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Hboagf32.exeC:\Windows\system32\Hboagf32.exe51⤵
- Executes dropped EXE
PID:1468 -
C:\Windows\SysWOW64\Hjfihc32.exeC:\Windows\system32\Hjfihc32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:4920 -
C:\Windows\SysWOW64\Hapaemll.exeC:\Windows\system32\Hapaemll.exe53⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Hcnnaikp.exeC:\Windows\system32\Hcnnaikp.exe54⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Hjhfnccl.exeC:\Windows\system32\Hjhfnccl.exe55⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Hpenfjad.exeC:\Windows\system32\Hpenfjad.exe56⤵
- Executes dropped EXE
PID:4560 -
C:\Windows\SysWOW64\Hbckbepg.exeC:\Windows\system32\Hbckbepg.exe57⤵
- Executes dropped EXE
PID:5056 -
C:\Windows\SysWOW64\Himcoo32.exeC:\Windows\system32\Himcoo32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4052 -
C:\Windows\SysWOW64\Hccglh32.exeC:\Windows\system32\Hccglh32.exe59⤵
- Executes dropped EXE
PID:4420 -
C:\Windows\SysWOW64\Hmklen32.exeC:\Windows\system32\Hmklen32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:4120 -
C:\Windows\SysWOW64\Hcedaheh.exeC:\Windows\system32\Hcedaheh.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:864 -
C:\Windows\SysWOW64\Hfcpncdk.exeC:\Windows\system32\Hfcpncdk.exe62⤵
- Executes dropped EXE
PID:748 -
C:\Windows\SysWOW64\Hjolnb32.exeC:\Windows\system32\Hjolnb32.exe63⤵
- Executes dropped EXE
PID:716 -
C:\Windows\SysWOW64\Hmmhjm32.exeC:\Windows\system32\Hmmhjm32.exe64⤵
- Executes dropped EXE
PID:4380 -
C:\Windows\SysWOW64\Haidklda.exeC:\Windows\system32\Haidklda.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2468 -
C:\Windows\SysWOW64\Icgqggce.exeC:\Windows\system32\Icgqggce.exe66⤵PID:3900
-
C:\Windows\SysWOW64\Iffmccbi.exeC:\Windows\system32\Iffmccbi.exe67⤵PID:3920
-
C:\Windows\SysWOW64\Impepm32.exeC:\Windows\system32\Impepm32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5024 -
C:\Windows\SysWOW64\Ipnalhii.exeC:\Windows\system32\Ipnalhii.exe69⤵PID:4680
-
C:\Windows\SysWOW64\Ibmmhdhm.exeC:\Windows\system32\Ibmmhdhm.exe70⤵
- Drops file in System32 directory
PID:1048 -
C:\Windows\SysWOW64\Ijdeiaio.exeC:\Windows\system32\Ijdeiaio.exe71⤵
- Drops file in System32 directory
PID:3340 -
C:\Windows\SysWOW64\Iannfk32.exeC:\Windows\system32\Iannfk32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2968 -
C:\Windows\SysWOW64\Ipqnahgf.exeC:\Windows\system32\Ipqnahgf.exe73⤵PID:1524
-
C:\Windows\SysWOW64\Ifjfnb32.exeC:\Windows\system32\Ifjfnb32.exe74⤵PID:4924
-
C:\Windows\SysWOW64\Iiibkn32.exeC:\Windows\system32\Iiibkn32.exe75⤵
- Modifies registry class
PID:3476 -
C:\Windows\SysWOW64\Iapjlk32.exeC:\Windows\system32\Iapjlk32.exe76⤵PID:4384
-
C:\Windows\SysWOW64\Ipckgh32.exeC:\Windows\system32\Ipckgh32.exe77⤵
- Drops file in System32 directory
PID:4332 -
C:\Windows\SysWOW64\Ifmcdblq.exeC:\Windows\system32\Ifmcdblq.exe78⤵PID:3116
-
C:\Windows\SysWOW64\Imgkql32.exeC:\Windows\system32\Imgkql32.exe79⤵
- Modifies registry class
PID:1836 -
C:\Windows\SysWOW64\Ipegmg32.exeC:\Windows\system32\Ipegmg32.exe80⤵PID:2384
-
C:\Windows\SysWOW64\Ijkljp32.exeC:\Windows\system32\Ijkljp32.exe81⤵PID:4940
-
C:\Windows\SysWOW64\Jaedgjjd.exeC:\Windows\system32\Jaedgjjd.exe82⤵PID:4688
-
C:\Windows\SysWOW64\Jdcpcf32.exeC:\Windows\system32\Jdcpcf32.exe83⤵PID:4608
-
C:\Windows\SysWOW64\Jjmhppqd.exeC:\Windows\system32\Jjmhppqd.exe84⤵
- Drops file in System32 directory
PID:3048 -
C:\Windows\SysWOW64\Jdemhe32.exeC:\Windows\system32\Jdemhe32.exe85⤵PID:1152
-
C:\Windows\SysWOW64\Jibeql32.exeC:\Windows\system32\Jibeql32.exe86⤵PID:2572
-
C:\Windows\SysWOW64\Jplmmfmi.exeC:\Windows\system32\Jplmmfmi.exe87⤵PID:4780
-
C:\Windows\SysWOW64\Jbkjjblm.exeC:\Windows\system32\Jbkjjblm.exe88⤵PID:412
-
C:\Windows\SysWOW64\Jmpngk32.exeC:\Windows\system32\Jmpngk32.exe89⤵PID:680
-
C:\Windows\SysWOW64\Jbmfoa32.exeC:\Windows\system32\Jbmfoa32.exe90⤵
- Drops file in System32 directory
PID:2724 -
C:\Windows\SysWOW64\Jigollag.exeC:\Windows\system32\Jigollag.exe91⤵PID:3624
-
C:\Windows\SysWOW64\Jangmibi.exeC:\Windows\system32\Jangmibi.exe92⤵PID:4636
-
C:\Windows\SysWOW64\Jbocea32.exeC:\Windows\system32\Jbocea32.exe93⤵PID:4028
-
C:\Windows\SysWOW64\Jfkoeppq.exeC:\Windows\system32\Jfkoeppq.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4672 -
C:\Windows\SysWOW64\Jiikak32.exeC:\Windows\system32\Jiikak32.exe95⤵PID:3532
-
C:\Windows\SysWOW64\Kpccnefa.exeC:\Windows\system32\Kpccnefa.exe96⤵PID:1788
-
C:\Windows\SysWOW64\Kdopod32.exeC:\Windows\system32\Kdopod32.exe97⤵PID:3676
-
C:\Windows\SysWOW64\Kgmlkp32.exeC:\Windows\system32\Kgmlkp32.exe98⤵PID:4600
-
C:\Windows\SysWOW64\Kkihknfg.exeC:\Windows\system32\Kkihknfg.exe99⤵PID:5152
-
C:\Windows\SysWOW64\Kilhgk32.exeC:\Windows\system32\Kilhgk32.exe100⤵PID:5212
-
C:\Windows\SysWOW64\Kacphh32.exeC:\Windows\system32\Kacphh32.exe101⤵PID:5268
-
C:\Windows\SysWOW64\Kpepcedo.exeC:\Windows\system32\Kpepcedo.exe102⤵PID:5316
-
C:\Windows\SysWOW64\Kbdmpqcb.exeC:\Windows\system32\Kbdmpqcb.exe103⤵PID:5368
-
C:\Windows\SysWOW64\Kgphpo32.exeC:\Windows\system32\Kgphpo32.exe104⤵
- Drops file in System32 directory
PID:5436 -
C:\Windows\SysWOW64\Kinemkko.exeC:\Windows\system32\Kinemkko.exe105⤵
- Drops file in System32 directory
PID:5496 -
C:\Windows\SysWOW64\Kmjqmi32.exeC:\Windows\system32\Kmjqmi32.exe106⤵
- Drops file in System32 directory
PID:5552 -
C:\Windows\SysWOW64\Kaemnhla.exeC:\Windows\system32\Kaemnhla.exe107⤵
- Modifies registry class
PID:5612 -
C:\Windows\SysWOW64\Kdcijcke.exeC:\Windows\system32\Kdcijcke.exe108⤵PID:5656
-
C:\Windows\SysWOW64\Kbfiep32.exeC:\Windows\system32\Kbfiep32.exe109⤵PID:5700
-
C:\Windows\SysWOW64\Kgbefoji.exeC:\Windows\system32\Kgbefoji.exe110⤵PID:5740
-
C:\Windows\SysWOW64\Kipabjil.exeC:\Windows\system32\Kipabjil.exe111⤵PID:5792
-
C:\Windows\SysWOW64\Kmlnbi32.exeC:\Windows\system32\Kmlnbi32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5852 -
C:\Windows\SysWOW64\Kpjjod32.exeC:\Windows\system32\Kpjjod32.exe113⤵PID:5896
-
C:\Windows\SysWOW64\Kcifkp32.exeC:\Windows\system32\Kcifkp32.exe114⤵PID:5940
-
C:\Windows\SysWOW64\Kkpnlm32.exeC:\Windows\system32\Kkpnlm32.exe115⤵PID:5980
-
C:\Windows\SysWOW64\Kajfig32.exeC:\Windows\system32\Kajfig32.exe116⤵PID:6024
-
C:\Windows\SysWOW64\Kckbqpnj.exeC:\Windows\system32\Kckbqpnj.exe117⤵PID:6064
-
C:\Windows\SysWOW64\Lmqgnhmp.exeC:\Windows\system32\Lmqgnhmp.exe118⤵PID:6104
-
C:\Windows\SysWOW64\Lpocjdld.exeC:\Windows\system32\Lpocjdld.exe119⤵PID:5124
-
C:\Windows\SysWOW64\Liggbi32.exeC:\Windows\system32\Liggbi32.exe120⤵PID:5204
-
C:\Windows\SysWOW64\Lcpllo32.exeC:\Windows\system32\Lcpllo32.exe121⤵PID:5288
-
C:\Windows\SysWOW64\Lijdhiaa.exeC:\Windows\system32\Lijdhiaa.exe122⤵PID:5356
-
C:\Windows\SysWOW64\Laalifad.exeC:\Windows\system32\Laalifad.exe123⤵PID:5480
-
C:\Windows\SysWOW64\Lcbiao32.exeC:\Windows\system32\Lcbiao32.exe124⤵PID:5564
-
C:\Windows\SysWOW64\Lgneampk.exeC:\Windows\system32\Lgneampk.exe125⤵PID:5652
-
C:\Windows\SysWOW64\Lkiqbl32.exeC:\Windows\system32\Lkiqbl32.exe126⤵PID:5728
-
C:\Windows\SysWOW64\Lnhmng32.exeC:\Windows\system32\Lnhmng32.exe127⤵PID:5784
-
C:\Windows\SysWOW64\Lpfijcfl.exeC:\Windows\system32\Lpfijcfl.exe128⤵PID:5888
-
C:\Windows\SysWOW64\Lgpagm32.exeC:\Windows\system32\Lgpagm32.exe129⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5932 -
C:\Windows\SysWOW64\Lnjjdgee.exeC:\Windows\system32\Lnjjdgee.exe130⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6012 -
C:\Windows\SysWOW64\Laefdf32.exeC:\Windows\system32\Laefdf32.exe131⤵PID:6088
-
C:\Windows\SysWOW64\Lcgblncm.exeC:\Windows\system32\Lcgblncm.exe132⤵PID:5132
-
C:\Windows\SysWOW64\Lknjmkdo.exeC:\Windows\system32\Lknjmkdo.exe133⤵
- Drops file in System32 directory
PID:5260 -
C:\Windows\SysWOW64\Mnlfigcc.exeC:\Windows\system32\Mnlfigcc.exe134⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5444 -
C:\Windows\SysWOW64\Mpkbebbf.exeC:\Windows\system32\Mpkbebbf.exe135⤵
- Drops file in System32 directory
PID:5608 -
C:\Windows\SysWOW64\Mciobn32.exeC:\Windows\system32\Mciobn32.exe136⤵PID:5588
-
C:\Windows\SysWOW64\Mkpgck32.exeC:\Windows\system32\Mkpgck32.exe137⤵
- Modifies registry class
PID:5844 -
C:\Windows\SysWOW64\Majopeii.exeC:\Windows\system32\Majopeii.exe138⤵PID:5960
-
C:\Windows\SysWOW64\Mdiklqhm.exeC:\Windows\system32\Mdiklqhm.exe139⤵PID:6080
-
C:\Windows\SysWOW64\Mgghhlhq.exeC:\Windows\system32\Mgghhlhq.exe140⤵PID:5192
-
C:\Windows\SysWOW64\Mjeddggd.exeC:\Windows\system32\Mjeddggd.exe141⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5412 -
C:\Windows\SysWOW64\Mamleegg.exeC:\Windows\system32\Mamleegg.exe142⤵PID:5600
-
C:\Windows\SysWOW64\Mdkhapfj.exeC:\Windows\system32\Mdkhapfj.exe143⤵PID:5764
-
C:\Windows\SysWOW64\Mkepnjng.exeC:\Windows\system32\Mkepnjng.exe144⤵PID:5992
-
C:\Windows\SysWOW64\Maohkd32.exeC:\Windows\system32\Maohkd32.exe145⤵
- Modifies registry class
PID:5128 -
C:\Windows\SysWOW64\Maaepd32.exeC:\Windows\system32\Maaepd32.exe146⤵
- Drops file in System32 directory
PID:5548 -
C:\Windows\SysWOW64\Mcbahlip.exeC:\Windows\system32\Mcbahlip.exe147⤵PID:5892
-
C:\Windows\SysWOW64\Nkjjij32.exeC:\Windows\system32\Nkjjij32.exe148⤵PID:3744
-
C:\Windows\SysWOW64\Nnhfee32.exeC:\Windows\system32\Nnhfee32.exe149⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6140 -
C:\Windows\SysWOW64\Ndbnboqb.exeC:\Windows\system32\Ndbnboqb.exe150⤵PID:5692
-
C:\Windows\SysWOW64\Ngpjnkpf.exeC:\Windows\system32\Ngpjnkpf.exe151⤵PID:4552
-
C:\Windows\SysWOW64\Njogjfoj.exeC:\Windows\system32\Njogjfoj.exe152⤵PID:6060
-
C:\Windows\SysWOW64\Nqiogp32.exeC:\Windows\system32\Nqiogp32.exe153⤵PID:724
-
C:\Windows\SysWOW64\Ncgkcl32.exeC:\Windows\system32\Ncgkcl32.exe154⤵
- Modifies registry class
PID:5976 -
C:\Windows\SysWOW64\Njacpf32.exeC:\Windows\system32\Njacpf32.exe155⤵PID:3112
-
C:\Windows\SysWOW64\Nnmopdep.exeC:\Windows\system32\Nnmopdep.exe156⤵PID:5848
-
C:\Windows\SysWOW64\Ndghmo32.exeC:\Windows\system32\Ndghmo32.exe157⤵
- Drops file in System32 directory
PID:6184 -
C:\Windows\SysWOW64\Nkqpjidj.exeC:\Windows\system32\Nkqpjidj.exe158⤵
- Drops file in System32 directory
PID:6228 -
C:\Windows\SysWOW64\Nnolfdcn.exeC:\Windows\system32\Nnolfdcn.exe159⤵PID:6272
-
C:\Windows\SysWOW64\Nqmhbpba.exeC:\Windows\system32\Nqmhbpba.exe160⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6316 -
C:\Windows\SysWOW64\Ncldnkae.exeC:\Windows\system32\Ncldnkae.exe161⤵PID:6352
-
C:\Windows\SysWOW64\Nggqoj32.exeC:\Windows\system32\Nggqoj32.exe162⤵PID:6404
-
C:\Windows\SysWOW64\Nnaikd32.exeC:\Windows\system32\Nnaikd32.exe163⤵PID:6448
-
C:\Windows\SysWOW64\Nqpego32.exeC:\Windows\system32\Nqpego32.exe164⤵PID:6492
-
C:\Windows\SysWOW64\Ogjmdigk.exeC:\Windows\system32\Ogjmdigk.exe165⤵PID:6540
-
C:\Windows\SysWOW64\Ojhiqefo.exeC:\Windows\system32\Ojhiqefo.exe166⤵PID:6580
-
C:\Windows\SysWOW64\Oqbamo32.exeC:\Windows\system32\Oqbamo32.exe167⤵PID:6624
-
C:\Windows\SysWOW64\Ocqnij32.exeC:\Windows\system32\Ocqnij32.exe168⤵PID:6668
-
C:\Windows\SysWOW64\Ogljjiei.exeC:\Windows\system32\Ogljjiei.exe169⤵PID:6712
-
C:\Windows\SysWOW64\Obangb32.exeC:\Windows\system32\Obangb32.exe170⤵PID:6756
-
C:\Windows\SysWOW64\Occkojkm.exeC:\Windows\system32\Occkojkm.exe171⤵
- Modifies registry class
PID:6796 -
C:\Windows\SysWOW64\Okjbpglo.exeC:\Windows\system32\Okjbpglo.exe172⤵PID:6840
-
C:\Windows\SysWOW64\Onholckc.exeC:\Windows\system32\Onholckc.exe173⤵PID:6884
-
C:\Windows\SysWOW64\Oqgkhnjf.exeC:\Windows\system32\Oqgkhnjf.exe174⤵
- Drops file in System32 directory
PID:6928 -
C:\Windows\SysWOW64\Ogaceh32.exeC:\Windows\system32\Ogaceh32.exe175⤵PID:6972
-
C:\Windows\SysWOW64\Onklabip.exeC:\Windows\system32\Onklabip.exe176⤵PID:7016
-
C:\Windows\SysWOW64\Obfhba32.exeC:\Windows\system32\Obfhba32.exe177⤵PID:7060
-
C:\Windows\SysWOW64\Odednmpm.exeC:\Windows\system32\Odednmpm.exe178⤵PID:7104
-
C:\Windows\SysWOW64\Ogcpjhoq.exeC:\Windows\system32\Ogcpjhoq.exe179⤵PID:7148
-
C:\Windows\SysWOW64\Onmhgb32.exeC:\Windows\system32\Onmhgb32.exe180⤵
- Modifies registry class
PID:6180 -
C:\Windows\SysWOW64\Odgqdlnj.exeC:\Windows\system32\Odgqdlnj.exe181⤵PID:6256
-
C:\Windows\SysWOW64\Pgemphmn.exeC:\Windows\system32\Pgemphmn.exe182⤵
- Modifies registry class
PID:6324 -
C:\Windows\SysWOW64\Pjdilcla.exeC:\Windows\system32\Pjdilcla.exe183⤵PID:6412
-
C:\Windows\SysWOW64\Pbkamqmd.exeC:\Windows\system32\Pbkamqmd.exe184⤵PID:6488
-
C:\Windows\SysWOW64\Peimil32.exeC:\Windows\system32\Peimil32.exe185⤵PID:6588
-
C:\Windows\SysWOW64\Pjffbc32.exeC:\Windows\system32\Pjffbc32.exe186⤵PID:6648
-
C:\Windows\SysWOW64\Pbmncp32.exeC:\Windows\system32\Pbmncp32.exe187⤵PID:6728
-
C:\Windows\SysWOW64\Pcojkhap.exeC:\Windows\system32\Pcojkhap.exe188⤵
- Drops file in System32 directory
PID:6792 -
C:\Windows\SysWOW64\Pkfblfab.exeC:\Windows\system32\Pkfblfab.exe189⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6860 -
C:\Windows\SysWOW64\Pndohaqe.exeC:\Windows\system32\Pndohaqe.exe190⤵PID:6920
-
C:\Windows\SysWOW64\Pabkdmpi.exeC:\Windows\system32\Pabkdmpi.exe191⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7000 -
C:\Windows\SysWOW64\Pengdk32.exeC:\Windows\system32\Pengdk32.exe192⤵PID:7068
-
C:\Windows\SysWOW64\Pkhoae32.exeC:\Windows\system32\Pkhoae32.exe193⤵PID:7144
-
C:\Windows\SysWOW64\Pnfkma32.exeC:\Windows\system32\Pnfkma32.exe194⤵
- Modifies registry class
PID:6224 -
C:\Windows\SysWOW64\Pgopffec.exeC:\Windows\system32\Pgopffec.exe195⤵PID:6304
-
C:\Windows\SysWOW64\Pkjlge32.exeC:\Windows\system32\Pkjlge32.exe196⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6440 -
C:\Windows\SysWOW64\Pnihcq32.exeC:\Windows\system32\Pnihcq32.exe197⤵PID:6576
-
C:\Windows\SysWOW64\Pagdol32.exeC:\Windows\system32\Pagdol32.exe198⤵
- Modifies registry class
PID:6696 -
C:\Windows\SysWOW64\Qcepkg32.exeC:\Windows\system32\Qcepkg32.exe199⤵PID:6784
-
C:\Windows\SysWOW64\Qkmhlekj.exeC:\Windows\system32\Qkmhlekj.exe200⤵PID:6872
-
C:\Windows\SysWOW64\Qjpiha32.exeC:\Windows\system32\Qjpiha32.exe201⤵PID:7004
-
C:\Windows\SysWOW64\Qbgqio32.exeC:\Windows\system32\Qbgqio32.exe202⤵PID:7128
-
C:\Windows\SysWOW64\Qeemej32.exeC:\Windows\system32\Qeemej32.exe203⤵PID:3264
-
C:\Windows\SysWOW64\Qgciaf32.exeC:\Windows\system32\Qgciaf32.exe204⤵PID:6424
-
C:\Windows\SysWOW64\Qjbena32.exeC:\Windows\system32\Qjbena32.exe205⤵PID:6632
-
C:\Windows\SysWOW64\Qbimoo32.exeC:\Windows\system32\Qbimoo32.exe206⤵PID:6780
-
C:\Windows\SysWOW64\Aegikj32.exeC:\Windows\system32\Aegikj32.exe207⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6964 -
C:\Windows\SysWOW64\Agffge32.exeC:\Windows\system32\Agffge32.exe208⤵PID:7088
-
C:\Windows\SysWOW64\Alabgd32.exeC:\Windows\system32\Alabgd32.exe209⤵PID:6344
-
C:\Windows\SysWOW64\Abkjdnoa.exeC:\Windows\system32\Abkjdnoa.exe210⤵PID:6656
-
C:\Windows\SysWOW64\Aejfpjne.exeC:\Windows\system32\Aejfpjne.exe211⤵
- Drops file in System32 directory
PID:6892 -
C:\Windows\SysWOW64\Acmflf32.exeC:\Windows\system32\Acmflf32.exe212⤵
- Modifies registry class
PID:7112 -
C:\Windows\SysWOW64\Ajfoiqll.exeC:\Windows\system32\Ajfoiqll.exe213⤵PID:6572
-
C:\Windows\SysWOW64\Anbkio32.exeC:\Windows\system32\Anbkio32.exe214⤵PID:6944
-
C:\Windows\SysWOW64\Aaqgek32.exeC:\Windows\system32\Aaqgek32.exe215⤵PID:6568
-
C:\Windows\SysWOW64\Aelcfilb.exeC:\Windows\system32\Aelcfilb.exe216⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:7052 -
C:\Windows\SysWOW64\Alfkbc32.exeC:\Windows\system32\Alfkbc32.exe217⤵PID:6308
-
C:\Windows\SysWOW64\Ajiknpjj.exeC:\Windows\system32\Ajiknpjj.exe218⤵PID:6376
-
C:\Windows\SysWOW64\Aacckjaf.exeC:\Windows\system32\Aacckjaf.exe219⤵PID:7208
-
C:\Windows\SysWOW64\Adapgfqj.exeC:\Windows\system32\Adapgfqj.exe220⤵PID:7252
-
C:\Windows\SysWOW64\Ahmlgd32.exeC:\Windows\system32\Ahmlgd32.exe221⤵PID:7296
-
C:\Windows\SysWOW64\Ajkhdp32.exeC:\Windows\system32\Ajkhdp32.exe222⤵PID:7336
-
C:\Windows\SysWOW64\Abbpem32.exeC:\Windows\system32\Abbpem32.exe223⤵PID:7380
-
C:\Windows\SysWOW64\Aealah32.exeC:\Windows\system32\Aealah32.exe224⤵PID:7420
-
C:\Windows\SysWOW64\Ahoimd32.exeC:\Windows\system32\Ahoimd32.exe225⤵PID:7464
-
C:\Windows\SysWOW64\Ajneip32.exeC:\Windows\system32\Ajneip32.exe226⤵PID:7504
-
C:\Windows\SysWOW64\Abemjmgg.exeC:\Windows\system32\Abemjmgg.exe227⤵PID:7548
-
C:\Windows\SysWOW64\Becifhfj.exeC:\Windows\system32\Becifhfj.exe228⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:7592 -
C:\Windows\SysWOW64\Bhaebcen.exeC:\Windows\system32\Bhaebcen.exe229⤵PID:7636
-
C:\Windows\SysWOW64\Bjpaooda.exeC:\Windows\system32\Bjpaooda.exe230⤵
- Modifies registry class
PID:7680 -
C:\Windows\SysWOW64\Bbgipldd.exeC:\Windows\system32\Bbgipldd.exe231⤵PID:7724
-
C:\Windows\SysWOW64\Beeflhdh.exeC:\Windows\system32\Beeflhdh.exe232⤵PID:7768
-
C:\Windows\SysWOW64\Bhdbhcck.exeC:\Windows\system32\Bhdbhcck.exe233⤵PID:7812
-
C:\Windows\SysWOW64\Bjbndobo.exeC:\Windows\system32\Bjbndobo.exe234⤵PID:7856
-
C:\Windows\SysWOW64\Bbifelba.exeC:\Windows\system32\Bbifelba.exe235⤵PID:7900
-
C:\Windows\SysWOW64\Behbag32.exeC:\Windows\system32\Behbag32.exe236⤵PID:7944
-
C:\Windows\SysWOW64\Bhfonc32.exeC:\Windows\system32\Bhfonc32.exe237⤵
- Drops file in System32 directory
PID:7988 -
C:\Windows\SysWOW64\Bjdkjo32.exeC:\Windows\system32\Bjdkjo32.exe238⤵PID:8032
-
C:\Windows\SysWOW64\Baocghgi.exeC:\Windows\system32\Baocghgi.exe239⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:8076 -
C:\Windows\SysWOW64\Bdmpcdfm.exeC:\Windows\system32\Bdmpcdfm.exe240⤵PID:8120
-
C:\Windows\SysWOW64\Bhikcb32.exeC:\Windows\system32\Bhikcb32.exe241⤵PID:8164
-
C:\Windows\SysWOW64\Bjghpn32.exeC:\Windows\system32\Bjghpn32.exe242⤵PID:7192