Analysis
max time kernel: 51s
max time network: 161s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-06-2024 22:26
Behavioral task: behavioral1
Sample: 02de46bc365f9d1ab305012dc3edad50_NeikiAnalytics.exe
Resource: win7-20231129-en
Behavioral task: behavioral2
Sample: 02de46bc365f9d1ab305012dc3edad50_NeikiAnalytics.exe
Resource: win10v2004-20240226-en
General
Target: 02de46bc365f9d1ab305012dc3edad50_NeikiAnalytics.exe
Size: 276KB
MD5: 02de46bc365f9d1ab305012dc3edad50
SHA1: 7ac5c0d1306ffa50fcd378a5d77dfb298139d48e
SHA256: a01a77d60f0ea0befdc79c56015eafa768e385d3f2df503737edae07f0591bfa
SHA512: 7b168ea776985d4275335fa83954a0793e79004fa6e56e48a4eb03ccde0b6d5192a5bbe11c4225f7b1e99eb8c7f2fa83a25641f39bb2d0601c2f87299127d98a
SSDEEP: 6144:zH2wXdShrydWZHEFJ7aWN1rtMsQBOSGaF+:z2KS+2HEGWN1RMs1S7
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dmifkecb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hqddqj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jfoaam32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ppamjcpj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ajhndgjj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Memalfcb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Meadlo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qdflaa32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Piceflpi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Npognfpo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bkefphem.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lhenai32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dgdncplk.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Amfhgj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mhoind32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bflagg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lllagh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gegchl32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hgdlcm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nhbmnj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dmbiackg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ndmgnkja.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mapgfk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cebdcmhh.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bkkhbb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fneoma32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hjoeoo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Omgabj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cicjokll.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Icpecm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ocohmc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hhaggp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bpbpecen.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Glmhdm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nonbqd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ckjknfnh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Afkipi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fikihlmj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ciefek32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dbphcpog.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Feenjgfq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Abgjkpll.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Egknji32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pocdba32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pdbiphhi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bkjpkg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hbnaeh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ibgdlg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eepkkefp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Eepkkefp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Knmpbi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Qaqegecm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Infhebbh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jblmgf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Imhjlb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kfidgk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kanidd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dpihbjmg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Epbkhhel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ifleji32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kmlgcf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Oggbfdog.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hokgmpkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ljjpnb32.exe
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource | yara_rule
C:\Windows\SysWOW64\Iefgbh32.exe | family_berbew
C:\Windows\SysWOW64\Jpaekqhh.exe | family_berbew
C:\Windows\SysWOW64\Jepjhg32.exe | family_berbew
C:\Windows\SysWOW64\Jinboekc.exe | family_berbew
C:\Windows\SysWOW64\Komhll32.exe | family_berbew
C:\Windows\SysWOW64\Kjeiodek.exe | family_berbew
C:\Windows\SysWOW64\Kgkfnh32.exe | family_berbew
C:\Windows\SysWOW64\Kngkqbgl.exe | family_berbew
C:\Windows\SysWOW64\Kngkqbgl.exe | family_berbew
C:\Windows\SysWOW64\Lmdnbn32.exe | family_berbew
C:\Windows\SysWOW64\Nceefd32.exe | family_berbew
C:\Windows\SysWOW64\Ocohmc32.exe | family_berbew
C:\Windows\SysWOW64\Ppahmb32.exe | family_berbew
C:\Windows\SysWOW64\Qaqegecm.exe | family_berbew
C:\Windows\SysWOW64\Qacameaj.exe | family_berbew
C:\Windows\SysWOW64\Aknbkjfh.exe | family_berbew
C:\Windows\SysWOW64\Agdcpkll.exe | family_berbew
C:\Windows\SysWOW64\Agdcpkll.exe | family_berbew
C:\Windows\SysWOW64\Aaldccip.exe | family_berbew
C:\Windows\SysWOW64\Aaoaic32.exe | family_berbew
C:\Windows\SysWOW64\Bdojjo32.exe | family_berbew
C:\Windows\SysWOW64\Bhpofl32.exe | family_berbew
C:\Windows\SysWOW64\Bajqda32.exe | family_berbew
C:\Windows\SysWOW64\Bdfpkm32.exe | family_berbew
C:\Windows\SysWOW64\Coqncejg.exe | family_berbew
C:\Windows\SysWOW64\Ckgohf32.exe | family_berbew
C:\Windows\SysWOW64\Ckjknfnh.exe | family_berbew
C:\Windows\SysWOW64\Dhbebj32.exe | family_berbew
C:\Windows\SysWOW64\Cnjdpaki.exe | family_berbew
C:\Windows\SysWOW64\Dggbcf32.exe | family_berbew
C:\Windows\SysWOW64\Doagjc32.exe | family_berbew
C:\Windows\SysWOW64\Dglkoeio.exe | family_berbew
C:\Windows\SysWOW64\Ebdlangb.exe | family_berbew
C:\Windows\SysWOW64\Fganqbgg.exe | family_berbew
C:\Windows\SysWOW64\Hbldphde.exe | family_berbew
C:\Windows\SysWOW64\Ganldgib.exe | family_berbew
C:\Windows\SysWOW64\Fdlkdhnk.exe | family_berbew
C:\Windows\SysWOW64\Ibjqaf32.exe | family_berbew
C:\Windows\SysWOW64\Bdagpnbk.exe | family_berbew
C:\Windows\SysWOW64\Kapfiqoj.exe | family_berbew
C:\Windows\SysWOW64\Kabcopmg.exe | family_berbew
C:\Windows\SysWOW64\Nhhdnf32.exe | family_berbew
C:\Windows\SysWOW64\Pcbkml32.exe | family_berbew
C:\Windows\SysWOW64\Aimogakj.exe | family_berbew
C:\Windows\SysWOW64\Affikdfn.exe | family_berbew
C:\Windows\SysWOW64\Bmbnnn32.exe | family_berbew
C:\Windows\SysWOW64\Bfmolc32.exe | family_berbew
C:\Windows\SysWOW64\Cmbgdl32.exe | family_berbew
C:\Windows\SysWOW64\Dgdncplk.exe | family_berbew
C:\Windows\SysWOW64\Dpopbepi.exe | family_berbew
C:\Windows\SysWOW64\Ddmhhd32.exe | family_berbew
C:\Windows\SysWOW64\Eafbmgad.exe | family_berbew
C:\Windows\SysWOW64\Fjeplijj.exe | family_berbew
C:\Windows\SysWOW64\Fgqgfl32.exe | family_berbew
C:\Windows\SysWOW64\Gqnejaff.exe | family_berbew
C:\Windows\SysWOW64\Gjhfif32.exe | family_berbew
C:\Windows\SysWOW64\Hbdgec32.exe | family_berbew
C:\Windows\SysWOW64\Hjaioe32.exe | family_berbew
C:\Windows\SysWOW64\Hkcbnh32.exe | family_berbew
C:\Windows\SysWOW64\Infhebbh.exe | family_berbew
C:\Windows\SysWOW64\Klbgfc32.exe | family_berbew
C:\Windows\SysWOW64\Kaaldjil.exe | family_berbew
C:\Windows\SysWOW64\Llkjmb32.exe | family_berbew
C:\Windows\SysWOW64\Moalil32.exe | family_berbew
Executes dropped EXE 64 IoCs
pid | process
392 | Iefgbh32.exe
2344 | Jpaekqhh.exe
2880 | Jepjhg32.exe
2324 | Jinboekc.exe
1380 | Komhll32.exe
4556 | Kjeiodek.exe
4144 | Kgkfnh32.exe
4984 | Kngkqbgl.exe
1828 | Lmdnbn32.exe
1640 | Nceefd32.exe
3484 | Ocohmc32.exe
3656 | Ppahmb32.exe
4772 | Qaqegecm.exe
1440 | Qacameaj.exe
4748 | Aknbkjfh.exe
4728 | Agdcpkll.exe
3584 | Aaldccip.exe
1940 | Aaoaic32.exe
3192 | Bdojjo32.exe
3740 | Bdagpnbk.exe
456 | Bhpofl32.exe
4036 | Bdfpkm32.exe
2348 | Bajqda32.exe
4280 | Coqncejg.exe
636 | Ckgohf32.exe
840 | Ckjknfnh.exe
2412 | Cnjdpaki.exe
3304 | Dhbebj32.exe
232 | Dggbcf32.exe
4684 | Doagjc32.exe
1028 | Dglkoeio.exe
844 | Ebdlangb.exe
3628 | Edeeci32.exe
4868 | Ehbnigjj.exe
3624 | Enpfan32.exe
1144 | Fdlkdhnk.exe
4692 | Foapaa32.exe
3400 | Fijdjfdb.exe
4392 | Fnfmbmbi.exe
800 | Fkjmlaac.exe
4300 | Fganqbgg.exe
2612 | Feenjgfq.exe
2160 | Gnnccl32.exe
848 | Ganldgib.exe
3412 | Gkdpbpih.exe
4596 | Geldkfpi.exe
4272 | Gacepg32.exe
1816 | Gngeik32.exe
3600 | Hlkfbocp.exe
1384 | Hhaggp32.exe
5036 | Hbgkei32.exe
2592 | Hhdcmp32.exe
2788 | Hehdfdek.exe
3532 | Hbldphde.exe
3580 | Hbnaeh32.exe
1952 | Ilfennic.exe
3012 | Ibqnkh32.exe
4292 | Ilnlom32.exe
5012 | Ibgdlg32.exe
3368 | Ilphdlqh.exe
4704 | Ibjqaf32.exe
4668 | Jlbejloe.exe
2340 | Jblmgf32.exe
4216 | Jhifomdj.exe
Drops file in System32 directory 64 IoCs
description | ioc | process
File created | C:\Windows\SysWOW64\Qnopjfgi.exe | Qkqdnkge.exe
File created | C:\Windows\SysWOW64\Hkcbnh32.exe | Hkaeih32.exe
File created | C:\Windows\SysWOW64\Dfakcj32.exe | Dmifkecb.exe
File opened for modification | C:\Windows\SysWOW64\Hpcmfchg.exe | Hfniikha.exe
File opened for modification | C:\Windows\SysWOW64\Opmcod32.exe | Ogdofo32.exe
File opened for modification | C:\Windows\SysWOW64\Moglpedd.exe | Meoggpmd.exe
File created | C:\Windows\SysWOW64\Dfebnlgm.dll | Hgdlcm32.exe
File opened for modification | C:\Windows\SysWOW64\Ljjpnb32.exe | Lpelqj32.exe
File created | C:\Windows\SysWOW64\Abgjkpll.exe | Amfhgj32.exe
File opened for modification | C:\Windows\SysWOW64\Eippgckc.exe | Ecdkdj32.exe
File created | C:\Windows\SysWOW64\Gijcdi32.dll | Gjqinamq.exe
File opened for modification | C:\Windows\SysWOW64\Afnefieo.exe | Afkipi32.exe
File opened for modification | C:\Windows\SysWOW64\Bkjpkg32.exe | Bdphnmjk.exe
File created | C:\Windows\SysWOW64\Fkjfakng.exe | Fnffhgon.exe
File created | C:\Windows\SysWOW64\Hjaioe32.exe | Hbfdjc32.exe
File opened for modification | C:\Windows\SysWOW64\Hkaeih32.exe | Hjaioe32.exe
File opened for modification | C:\Windows\SysWOW64\Mlofcf32.exe | Mbibfm32.exe
File opened for modification | C:\Windows\SysWOW64\Gkcigjel.exe | Gqnejaff.exe
File created | C:\Windows\SysWOW64\Gipjam32.dll | Ncaklhdi.exe
File created | C:\Windows\SysWOW64\Cpifeb32.exe | Bipnihgi.exe
File created | C:\Windows\SysWOW64\Bglgdi32.exe | Bbpolb32.exe
File created | C:\Windows\SysWOW64\Hbgkei32.exe | Hhaggp32.exe
File opened for modification | C:\Windows\SysWOW64\Epdime32.exe | Ddmhhd32.exe
File opened for modification | C:\Windows\SysWOW64\Ibdplaho.exe | Iholohii.exe
File created | C:\Windows\SysWOW64\Pbdgkjib.dll | Pocdba32.exe
File created | C:\Windows\SysWOW64\Dhdmfljb.exe | Dpihbjmg.exe
File created | C:\Windows\SysWOW64\Dehnpp32.exe | Dhdmfljb.exe
File created | C:\Windows\SysWOW64\Qjeaog32.exe | Qdihfq32.exe
File opened for modification | C:\Windows\SysWOW64\Hbgkei32.exe | Hhaggp32.exe
File created | C:\Windows\SysWOW64\Ilnlom32.exe | Ibqnkh32.exe
File created | C:\Windows\SysWOW64\Gqkajk32.exe | Gjqinamq.exe
File created | C:\Windows\SysWOW64\Jelhcd32.exe | Jnocakfb.exe
File created | C:\Windows\SysWOW64\Djnhpf32.dll | Gegchl32.exe
File created | C:\Windows\SysWOW64\Jgqfbo32.dll | Mjdbda32.exe
File opened for modification | C:\Windows\SysWOW64\Opopdd32.exe | Oiehhjjp.exe
File opened for modification | C:\Windows\SysWOW64\Pdngpo32.exe | Ooangh32.exe
File created | C:\Windows\SysWOW64\Debaqh32.dll | Ooangh32.exe
File created | C:\Windows\SysWOW64\Ggbmaj32.dll | Fljlom32.exe
File created | C:\Windows\SysWOW64\Didqkeeq.exe | Dpllbp32.exe
File created | C:\Windows\SysWOW64\Dfbjlf32.dll | Gnanioad.exe
File created | C:\Windows\SysWOW64\Ndejcemn.exe | Nipffmmg.exe
File created | C:\Windows\SysWOW64\Jbccge32.exe | Jbagbebm.exe
File opened for modification | C:\Windows\SysWOW64\Jjdokb32.exe | Jehfcl32.exe
File opened for modification | C:\Windows\SysWOW64\Ammnhilb.exe | Abgjkpll.exe
File created | C:\Windows\SysWOW64\Ffdcne32.dll | Fikihlmj.exe
File created | C:\Windows\SysWOW64\Cjaiac32.exe | Ciqmjkno.exe
File created | C:\Windows\SysWOW64\Ocoick32.dll | Gkdpbpih.exe
File created | C:\Windows\SysWOW64\Hehdfdek.exe | Hhdcmp32.exe
File created | C:\Windows\SysWOW64\Eagdjbff.dll | Laglkb32.exe
File opened for modification | C:\Windows\SysWOW64\Defheg32.exe | Dlncla32.exe
File created | C:\Windows\SysWOW64\Hnbkjebd.dll | Bqnemp32.exe
File created | C:\Windows\SysWOW64\Ganldgib.exe | Gnnccl32.exe
File created | C:\Windows\SysWOW64\Hfibla32.dll | Jblmgf32.exe
File created | C:\Windows\SysWOW64\Pkbpfi32.dll | Infhebbh.exe
File created | C:\Windows\SysWOW64\Kgkfnh32.exe | Kjeiodek.exe
File opened for modification | C:\Windows\SysWOW64\Cmpjoloh.exe | Cajjjk32.exe
File created | C:\Windows\SysWOW64\Icembg32.dll | Epdime32.exe
File created | C:\Windows\SysWOW64\Cnaphbnj.dll | Ndejcemn.exe
File opened for modification | C:\Windows\SysWOW64\Aehbmk32.exe | Ammnhilb.exe
File opened for modification | C:\Windows\SysWOW64\Edoncm32.exe | Egknji32.exe
File created | C:\Windows\SysWOW64\Geeloobh.dll | Bbklli32.exe
File opened for modification | C:\Windows\SysWOW64\Gebimmco.exe | Fikihlmj.exe
File created | C:\Windows\SysWOW64\Gpgnjebd.exe | Gebimmco.exe
File opened for modification | C:\Windows\SysWOW64\Bbpolb32.exe | Bkefphem.exe
Program crash 1 IoCs
pid | pid_target | process | target process
8384 | 3032 | WerFault.exe | Okfpid32.exe
Modifies registry class 64 IoCs
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mlhqcgnk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Holhmcgf.dll" | Gjhfif32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Icachjbb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mknlef32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Afnefieo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dbckcf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jqmicpbj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbogaaom.dll" | Mfmpob32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhiddl32.dll" | Mmghklif.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Npognfpo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Aamipe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hbfdjc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfhegp32.dll" | Ohncdobq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Aehbmk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ndmgnkja.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Qoocnpag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geijac32.dll" | Cfedmfqd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lmkipncc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Niglfl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edkakncg.dll" | Namegfql.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bpbpecen.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbqpa32.dll" | Ndpcdjho.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkejc32.dll" | Cgagjo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jfjakgpa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kgcqlh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Aamipe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fijdjfdb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fkjmlaac.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ildolk32.dll" | Njgqhicg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghpkld32.dll" | Aimogakj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cehlcikj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hfnpca32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngnaa32.dll" | Ehbihj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmjaeema.dll" | Obidcdfo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egheil32.dll" | Bgeadjai.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcjdilmf.dll" | Cmpjoloh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Midbjmkg.dll" | Cpifeb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cdnelpod.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mjkiephp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpenlneh.dll" | Nhhdnf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Oqhoeb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fflnkhef.dll" | Pfncia32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Defheg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Didqkeeq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mkicjgnn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hpcmfchg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oondonie.dll" | Ebdlangb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ncbafoge.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gfgjbb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kncpqlhj.dll" | Oggbfdog.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Kmkpipaf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Klddlckd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Domkqq32.dll" | Hdbmfhbi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Qjeaog32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ababkdij.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Iloajfml.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cakofc32.dll" | Pgpobmca.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Agdcpkll.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Edeeci32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgbfjmkq.dll" | Mbibfm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Moalil32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hdbmfhbi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opfqgkgc.dll" | Hpcmfchg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqfnqg32.dll" | Klddlckd.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
Each entry lists the process tree depth, the image path, the command line as executed, the PID, and the signatures that process triggered.
- 1: C:\Users\Admin\AppData\Local\Temp\02de46bc365f9d1ab305012dc3edad50_NeikiAnalytics.exe (command line "C:\Users\Admin\AppData\Local\Temp\02de46bc365f9d1ab305012dc3edad50_NeikiAnalytics.exe"), PID 4888. Suspicious use of WriteProcessMemory
- 2: C:\Windows\SysWOW64\Iefgbh32.exe (command line C:\Windows\system32\Iefgbh32.exe), PID 392. Executes dropped EXE; Suspicious use of WriteProcessMemory
- 3: C:\Windows\SysWOW64\Jpaekqhh.exe (command line C:\Windows\system32\Jpaekqhh.exe), PID 2344. Executes dropped EXE; Suspicious use of WriteProcessMemory
- 4: C:\Windows\SysWOW64\Jepjhg32.exe (command line C:\Windows\system32\Jepjhg32.exe), PID 2880. Executes dropped EXE; Suspicious use of WriteProcessMemory
- 5: C:\Windows\SysWOW64\Jinboekc.exe (command line C:\Windows\system32\Jinboekc.exe), PID 2324. Executes dropped EXE; Suspicious use of WriteProcessMemory
- 6: C:\Windows\SysWOW64\Komhll32.exe (command line C:\Windows\system32\Komhll32.exe), PID 1380. Executes dropped EXE; Suspicious use of WriteProcessMemory
- 7: C:\Windows\SysWOW64\Kjeiodek.exe (command line C:\Windows\system32\Kjeiodek.exe), PID 4556. Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
- 8: C:\Windows\SysWOW64\Kgkfnh32.exe (command line C:\Windows\system32\Kgkfnh32.exe), PID 4144. Executes dropped EXE; Suspicious use of WriteProcessMemory
- 9: C:\Windows\SysWOW64\Kngkqbgl.exe (command line C:\Windows\system32\Kngkqbgl.exe), PID 4984. Executes dropped EXE; Suspicious use of WriteProcessMemory
- 10: C:\Windows\SysWOW64\Lmdnbn32.exe (command line C:\Windows\system32\Lmdnbn32.exe), PID 1828. Executes dropped EXE; Suspicious use of WriteProcessMemory
- 11: C:\Windows\SysWOW64\Nceefd32.exe (command line C:\Windows\system32\Nceefd32.exe), PID 1640. Executes dropped EXE; Suspicious use of WriteProcessMemory
- 12: C:\Windows\SysWOW64\Ocohmc32.exe (command line C:\Windows\system32\Ocohmc32.exe), PID 3484. Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
- 13: C:\Windows\SysWOW64\Ppahmb32.exe (command line C:\Windows\system32\Ppahmb32.exe), PID 3656. Executes dropped EXE; Suspicious use of WriteProcessMemory
- 14: C:\Windows\SysWOW64\Qaqegecm.exe (command line C:\Windows\system32\Qaqegecm.exe), PID 4772. Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
- 15: C:\Windows\SysWOW64\Qacameaj.exe (command line C:\Windows\system32\Qacameaj.exe), PID 1440. Executes dropped EXE; Suspicious use of WriteProcessMemory
- 16: C:\Windows\SysWOW64\Aknbkjfh.exe (command line C:\Windows\system32\Aknbkjfh.exe), PID 4748. Executes dropped EXE; Suspicious use of WriteProcessMemory
- 17: C:\Windows\SysWOW64\Agdcpkll.exe (command line C:\Windows\system32\Agdcpkll.exe), PID 4728. Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
- 18: C:\Windows\SysWOW64\Aaldccip.exe (command line C:\Windows\system32\Aaldccip.exe), PID 3584. Executes dropped EXE; Suspicious use of WriteProcessMemory
- 19: C:\Windows\SysWOW64\Aaoaic32.exe (command line C:\Windows\system32\Aaoaic32.exe), PID 1940. Executes dropped EXE; Suspicious use of WriteProcessMemory
- 20: C:\Windows\SysWOW64\Bdojjo32.exe (command line C:\Windows\system32\Bdojjo32.exe), PID 3192. Executes dropped EXE; Suspicious use of WriteProcessMemory
- 21: C:\Windows\SysWOW64\Bdagpnbk.exe (command line C:\Windows\system32\Bdagpnbk.exe), PID 3740. Executes dropped EXE; Suspicious use of WriteProcessMemory
- 22: C:\Windows\SysWOW64\Bhpofl32.exe (command line C:\Windows\system32\Bhpofl32.exe), PID 456. Executes dropped EXE; Suspicious use of WriteProcessMemory
- 23: C:\Windows\SysWOW64\Bdfpkm32.exe (command line C:\Windows\system32\Bdfpkm32.exe), PID 4036. Executes dropped EXE
- 24: C:\Windows\SysWOW64\Bajqda32.exe (command line C:\Windows\system32\Bajqda32.exe), PID 2348. Executes dropped EXE
- 25: C:\Windows\SysWOW64\Coqncejg.exe (command line C:\Windows\system32\Coqncejg.exe), PID 4280. Executes dropped EXE
- 26: C:\Windows\SysWOW64\Ckgohf32.exe (command line C:\Windows\system32\Ckgohf32.exe), PID 636. Executes dropped EXE
- 27: C:\Windows\SysWOW64\Ckjknfnh.exe (command line C:\Windows\system32\Ckjknfnh.exe), PID 840. Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- 28: C:\Windows\SysWOW64\Cnjdpaki.exe (command line C:\Windows\system32\Cnjdpaki.exe), PID 2412. Executes dropped EXE
- 29: C:\Windows\SysWOW64\Dhbebj32.exe (command line C:\Windows\system32\Dhbebj32.exe), PID 3304. Executes dropped EXE
- 30: C:\Windows\SysWOW64\Dggbcf32.exe (command line C:\Windows\system32\Dggbcf32.exe), PID 232. Executes dropped EXE
- 31: C:\Windows\SysWOW64\Doagjc32.exe (command line C:\Windows\system32\Doagjc32.exe), PID 4684. Executes dropped EXE
- 32: C:\Windows\SysWOW64\Dglkoeio.exe (command line C:\Windows\system32\Dglkoeio.exe), PID 1028. Executes dropped EXE
- 33: C:\Windows\SysWOW64\Ebdlangb.exe (command line C:\Windows\system32\Ebdlangb.exe), PID 844. Executes dropped EXE; Modifies registry class
- 34: C:\Windows\SysWOW64\Edeeci32.exe (command line C:\Windows\system32\Edeeci32.exe), PID 3628. Executes dropped EXE; Modifies registry class
- 35: C:\Windows\SysWOW64\Ehbnigjj.exe (command line C:\Windows\system32\Ehbnigjj.exe), PID 4868. Executes dropped EXE
- 36: C:\Windows\SysWOW64\Enpfan32.exe (command line C:\Windows\system32\Enpfan32.exe), PID 3624. Executes dropped EXE
- 37: C:\Windows\SysWOW64\Fdlkdhnk.exe (command line C:\Windows\system32\Fdlkdhnk.exe), PID 1144. Executes dropped EXE
- 38: C:\Windows\SysWOW64\Foapaa32.exe (command line C:\Windows\system32\Foapaa32.exe), PID 4692. Executes dropped EXE
- 39: C:\Windows\SysWOW64\Fijdjfdb.exe (command line C:\Windows\system32\Fijdjfdb.exe), PID 3400. Executes dropped EXE; Modifies registry class
- 40: C:\Windows\SysWOW64\Fnfmbmbi.exe (command line C:\Windows\system32\Fnfmbmbi.exe), PID 4392. Executes dropped EXE
- 41: C:\Windows\SysWOW64\Fkjmlaac.exe (command line C:\Windows\system32\Fkjmlaac.exe), PID 800. Executes dropped EXE; Modifies registry class
- 42: C:\Windows\SysWOW64\Fganqbgg.exe (command line C:\Windows\system32\Fganqbgg.exe), PID 4300. Executes dropped EXE
- 43: C:\Windows\SysWOW64\Feenjgfq.exe (command line C:\Windows\system32\Feenjgfq.exe), PID 2612. Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- 44: C:\Windows\SysWOW64\Gnnccl32.exe (command line C:\Windows\system32\Gnnccl32.exe), PID 2160. Executes dropped EXE; Drops file in System32 directory
- 45: C:\Windows\SysWOW64\Ganldgib.exe (command line C:\Windows\system32\Ganldgib.exe), PID 848. Executes dropped EXE
- 46: C:\Windows\SysWOW64\Gkdpbpih.exe (command line C:\Windows\system32\Gkdpbpih.exe), PID 3412. Executes dropped EXE; Drops file in System32 directory
- 47: C:\Windows\SysWOW64\Geldkfpi.exe (command line C:\Windows\system32\Geldkfpi.exe), PID 4596. Executes dropped EXE
- 48: C:\Windows\SysWOW64\Gacepg32.exe (command line C:\Windows\system32\Gacepg32.exe), PID 4272. Executes dropped EXE
- 49: C:\Windows\SysWOW64\Gngeik32.exe (command line C:\Windows\system32\Gngeik32.exe), PID 1816. Executes dropped EXE
- 50: C:\Windows\SysWOW64\Hlkfbocp.exe (command line C:\Windows\system32\Hlkfbocp.exe), PID 3600. Executes dropped EXE
- 51: C:\Windows\SysWOW64\Hhaggp32.exe (command line C:\Windows\system32\Hhaggp32.exe), PID 1384. Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
- 52: C:\Windows\SysWOW64\Hbgkei32.exe (command line C:\Windows\system32\Hbgkei32.exe), PID 5036. Executes dropped EXE
- 53: C:\Windows\SysWOW64\Hhdcmp32.exe (command line C:\Windows\system32\Hhdcmp32.exe), PID 2592. Executes dropped EXE; Drops file in System32 directory
- 54: C:\Windows\SysWOW64\Hehdfdek.exe (command line C:\Windows\system32\Hehdfdek.exe), PID 2788. Executes dropped EXE
- 55: C:\Windows\SysWOW64\Hbldphde.exe (command line C:\Windows\system32\Hbldphde.exe), PID 3532. Executes dropped EXE
- 56: C:\Windows\SysWOW64\Hbnaeh32.exe (command line C:\Windows\system32\Hbnaeh32.exe), PID 3580. Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- 57: C:\Windows\SysWOW64\Ilfennic.exe (command line C:\Windows\system32\Ilfennic.exe), PID 1952. Executes dropped EXE
- 58: C:\Windows\SysWOW64\Ibqnkh32.exe (command line C:\Windows\system32\Ibqnkh32.exe), PID 3012. Executes dropped EXE; Drops file in System32 directory
- 59: C:\Windows\SysWOW64\Ilnlom32.exe (command line C:\Windows\system32\Ilnlom32.exe), PID 4292. Executes dropped EXE
- 60: C:\Windows\SysWOW64\Ibgdlg32.exe (command line C:\Windows\system32\Ibgdlg32.exe), PID 5012. Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- 61: C:\Windows\SysWOW64\Ilphdlqh.exe (command line C:\Windows\system32\Ilphdlqh.exe), PID 3368. Executes dropped EXE
- 62: C:\Windows\SysWOW64\Ibjqaf32.exe (command line C:\Windows\system32\Ibjqaf32.exe), PID 4704. Executes dropped EXE
- 63: C:\Windows\SysWOW64\Jlbejloe.exe (command line C:\Windows\system32\Jlbejloe.exe), PID 4668. Executes dropped EXE
- 64: C:\Windows\SysWOW64\Jblmgf32.exe (command line C:\Windows\system32\Jblmgf32.exe), PID 2340. Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
- 65: C:\Windows\SysWOW64\Jhifomdj.exe (command line C:\Windows\system32\Jhifomdj.exe), PID 4216. Executes dropped EXE
- 66: C:\Windows\SysWOW64\Jaajhb32.exe (command line C:\Windows\system32\Jaajhb32.exe), PID 1916.
- 67: C:\Windows\SysWOW64\Jhkbdmbg.exe (command line C:\Windows\system32\Jhkbdmbg.exe), PID 1452.
- 68: C:\Windows\SysWOW64\Jbagbebm.exe (command line C:\Windows\system32\Jbagbebm.exe), PID 224. Drops file in System32 directory
- 69: C:\Windows\SysWOW64\Jbccge32.exe (command line C:\Windows\system32\Jbccge32.exe), PID 2208.
- 70: C:\Windows\SysWOW64\Jojdlfeo.exe (command line C:\Windows\system32\Jojdlfeo.exe), PID 3188.
- 71: C:\Windows\SysWOW64\Kolabf32.exe (command line C:\Windows\system32\Kolabf32.exe), PID 4540.
- 72: C:\Windows\SysWOW64\Kibeoo32.exe (command line C:\Windows\system32\Kibeoo32.exe), PID 1544.
- 73: C:\Windows\SysWOW64\Khgbqkhj.exe (command line C:\Windows\system32\Khgbqkhj.exe), PID 1264.
- 74: C:\Windows\SysWOW64\Kapfiqoj.exe (command line C:\Windows\system32\Kapfiqoj.exe), PID 312.
- 75: C:\Windows\SysWOW64\Kabcopmg.exe (command line C:\Windows\system32\Kabcopmg.exe), PID 4400.
- 76: C:\Windows\SysWOW64\Likhem32.exe (command line C:\Windows\system32\Likhem32.exe), PID 4448.
- 77: C:\Windows\SysWOW64\Lllagh32.exe (command line C:\Windows\system32\Lllagh32.exe), PID 2428. Adds autorun key to be loaded by Explorer.exe on startup
- 78: C:\Windows\SysWOW64\Lomjicei.exe (command line C:\Windows\system32\Lomjicei.exe), PID 5160.
- 79: C:\Windows\SysWOW64\Lhenai32.exe (command line C:\Windows\system32\Lhenai32.exe), PID 5208. Adds autorun key to be loaded by Explorer.exe on startup
- 80: C:\Windows\SysWOW64\Mablfnne.exe (command line C:\Windows\system32\Mablfnne.exe), PID 5268.
- 81: C:\Windows\SysWOW64\Mlhqcgnk.exe (command line C:\Windows\system32\Mlhqcgnk.exe), PID 5312. Modifies registry class
- 82: C:\Windows\SysWOW64\Mohidbkl.exe (command line C:\Windows\system32\Mohidbkl.exe), PID 5356.
- 83: C:\Windows\SysWOW64\Mlljnf32.exe (command line C:\Windows\system32\Mlljnf32.exe), PID 5416.
- 84: C:\Windows\SysWOW64\Mbibfm32.exe (command line C:\Windows\system32\Mbibfm32.exe), PID 5476. Drops file in System32 directory; Modifies registry class
- 85: C:\Windows\SysWOW64\Mlofcf32.exe (command line C:\Windows\system32\Mlofcf32.exe), PID 5532.
- 86: C:\Windows\SysWOW64\Nhegig32.exe (command line C:\Windows\system32\Nhegig32.exe), PID 5576.
- 87: C:\Windows\SysWOW64\Nhhdnf32.exe (command line C:\Windows\system32\Nhhdnf32.exe), PID 5620. Modifies registry class
- 88: C:\Windows\SysWOW64\Njgqhicg.exe (command line C:\Windows\system32\Njgqhicg.exe), PID 5668. Modifies registry class
- 89: C:\Windows\SysWOW64\Nodiqp32.exe (command line C:\Windows\system32\Nodiqp32.exe), PID 5732.
- 90: C:\Windows\SysWOW64\Njjmni32.exe (command line C:\Windows\system32\Njjmni32.exe), PID 5784.
- 91: C:\Windows\SysWOW64\Ncbafoge.exe (command line C:\Windows\system32\Ncbafoge.exe), PID 5868. Modifies registry class
- 92: C:\Windows\SysWOW64\Ooibkpmi.exe (command line C:\Windows\system32\Ooibkpmi.exe), PID 5920.
- 93: C:\Windows\SysWOW64\Oqhoeb32.exe (command line C:\Windows\system32\Oqhoeb32.exe), PID 5972. Modifies registry class
- 94: C:\Windows\SysWOW64\Objkmkjj.exe (command line C:\Windows\system32\Objkmkjj.exe), PID 6016.
- 95: C:\Windows\SysWOW64\Oqklkbbi.exe (command line C:\Windows\system32\Oqklkbbi.exe), PID 6064.
- 96: C:\Windows\SysWOW64\Ofgdcipq.exe (command line C:\Windows\system32\Ofgdcipq.exe), PID 6112.
- 97: C:\Windows\SysWOW64\Omalpc32.exe (command line C:\Windows\system32\Omalpc32.exe), PID 5144.
- 98: C:\Windows\SysWOW64\Ojemig32.exe (command line C:\Windows\system32\Ojemig32.exe), PID 5256.
- 99: C:\Windows\SysWOW64\Oflmnh32.exe (command line C:\Windows\system32\Oflmnh32.exe), PID 5324.
- 100: C:\Windows\SysWOW64\Pcbkml32.exe (command line C:\Windows\system32\Pcbkml32.exe), PID 5408.
- 101: C:\Windows\SysWOW64\Pafkgphl.exe (command line C:\Windows\system32\Pafkgphl.exe), PID 5508.
- 102: C:\Windows\SysWOW64\Pplhhm32.exe (command line C:\Windows\system32\Pplhhm32.exe), PID 5584.
- 103: C:\Windows\SysWOW64\Qfmfefni.exe (command line C:\Windows\system32\Qfmfefni.exe), PID 5652.
- 104: C:\Windows\SysWOW64\Aimogakj.exe (command line C:\Windows\system32\Aimogakj.exe), PID 5740. Modifies registry class
- 105: C:\Windows\SysWOW64\Aagdnn32.exe (command line C:\Windows\system32\Aagdnn32.exe), PID 1948.
- 106: C:\Windows\SysWOW64\Affikdfn.exe (command line C:\Windows\system32\Affikdfn.exe), PID 5904.
- 107: C:\Windows\SysWOW64\Bmbnnn32.exe (command line C:\Windows\system32\Bmbnnn32.exe), PID 5984.
- 108: C:\Windows\SysWOW64\Bapgdm32.exe (command line C:\Windows\system32\Bapgdm32.exe), PID 6072.
- 109: C:\Windows\SysWOW64\Bfmolc32.exe (command line C:\Windows\system32\Bfmolc32.exe), PID 5140.
- 110: C:\Windows\SysWOW64\Bkkhbb32.exe (command line C:\Windows\system32\Bkkhbb32.exe), PID 5320. Adds autorun key to be loaded by Explorer.exe on startup
- 111: C:\Windows\SysWOW64\Bbfmgd32.exe (command line C:\Windows\system32\Bbfmgd32.exe), PID 5488.
- 112: C:\Windows\SysWOW64\Bdeiqgkj.exe (command line C:\Windows\system32\Bdeiqgkj.exe), PID 5592.
- 113: C:\Windows\SysWOW64\Cajjjk32.exe (command line C:\Windows\system32\Cajjjk32.exe), PID 5724. Drops file in System32 directory
- 114: C:\Windows\SysWOW64\Cmpjoloh.exe (command line C:\Windows\system32\Cmpjoloh.exe), PID 5824. Modifies registry class
- 115: C:\Windows\SysWOW64\Cmbgdl32.exe (command line C:\Windows\system32\Cmbgdl32.exe), PID 5964.
- 116: C:\Windows\SysWOW64\Cgmhcaac.exe (command line C:\Windows\system32\Cgmhcaac.exe), PID 6100.
- 117: C:\Windows\SysWOW64\Ccdihbgg.exe (command line C:\Windows\system32\Ccdihbgg.exe), PID 5216.
- 118: C:\Windows\SysWOW64\Dmjmekgn.exe (command line C:\Windows\system32\Dmjmekgn.exe), PID 640.
- 119: C:\Windows\SysWOW64\Dknnoofg.exe (command line C:\Windows\system32\Dknnoofg.exe), PID 5720.
- 120: C:\Windows\SysWOW64\Dgdncplk.exe (command line C:\Windows\system32\Dgdncplk.exe), PID 5884. Adds autorun key to be loaded by Explorer.exe on startup
- 121: C:\Windows\SysWOW64\Dckoia32.exe (command line C:\Windows\system32\Dckoia32.exe), PID 6128.
- 122: C:\Windows\SysWOW64\Dpopbepi.exe (command line C:\Windows\system32\Dpopbepi.exe), PID 2004.
- 123: C:\Windows\SysWOW64\Ddmhhd32.exe (command line C:\Windows\system32\Ddmhhd32.exe), PID 5888. Drops file in System32 directory
- 124: C:\Windows\SysWOW64\Epdime32.exe (command line C:\Windows\system32\Epdime32.exe), PID 5124. Drops file in System32 directory
- 125: C:\Windows\SysWOW64\Enhifi32.exe (command line C:\Windows\system32\Enhifi32.exe), PID 5768.
- 126: C:\Windows\SysWOW64\Eafbmgad.exe (command line C:\Windows\system32\Eafbmgad.exe), PID 4276.
- 127: C:\Windows\SysWOW64\Ekqckmfb.exe (command line C:\Windows\system32\Ekqckmfb.exe), PID 5156.
- 128: C:\Windows\SysWOW64\Fjeplijj.exe (command line C:\Windows\system32\Fjeplijj.exe), PID 1092.
- 129: C:\Windows\SysWOW64\Fboecfii.exe (command line C:\Windows\system32\Fboecfii.exe), PID 6160.
- 130: C:\Windows\SysWOW64\Fnffhgon.exe (command line C:\Windows\system32\Fnffhgon.exe), PID 6208. Drops file in System32 directory
- 131: C:\Windows\SysWOW64\Fkjfakng.exe (command line C:\Windows\system32\Fkjfakng.exe), PID 6252.
- 132: C:\Windows\SysWOW64\Fgqgfl32.exe (command line C:\Windows\system32\Fgqgfl32.exe), PID 6296.
- 133: C:\Windows\SysWOW64\Ggccllai.exe (command line C:\Windows\system32\Ggccllai.exe), PID 6340.
- 134: C:\Windows\SysWOW64\Gdgdeppb.exe (command line C:\Windows\system32\Gdgdeppb.exe), PID 6384.
- 135: C:\Windows\SysWOW64\Gqnejaff.exe (command line C:\Windows\system32\Gqnejaff.exe), PID 6428. Drops file in System32 directory
- 136: C:\Windows\SysWOW64\Gkcigjel.exe (command line C:\Windows\system32\Gkcigjel.exe), PID 6472.
- 137: C:\Windows\SysWOW64\Gjhfif32.exe (command line C:\Windows\system32\Gjhfif32.exe), PID 6536. Modifies registry class
- 138: C:\Windows\SysWOW64\Hqdkkp32.exe (command line C:\Windows\system32\Hqdkkp32.exe), PID 6588.
- 139: C:\Windows\SysWOW64\Hgocgjgk.exe (command line C:\Windows\system32\Hgocgjgk.exe), PID 6644.
- 140: C:\Windows\SysWOW64\Hbdgec32.exe (command line C:\Windows\system32\Hbdgec32.exe), PID 6700.
- 141: C:\Windows\SysWOW64\Hbfdjc32.exe (command line C:\Windows\system32\Hbfdjc32.exe), PID 6744. Drops file in System32 directory; Modifies registry class
- 142: C:\Windows\SysWOW64\Hjaioe32.exe (command line C:\Windows\system32\Hjaioe32.exe), PID 6788. Drops file in System32 directory
- 143: C:\Windows\SysWOW64\Hkaeih32.exe (command line C:\Windows\system32\Hkaeih32.exe), PID 6848. Drops file in System32 directory
- 144: C:\Windows\SysWOW64\Hkcbnh32.exe (command line C:\Windows\system32\Hkcbnh32.exe), PID 6892.
- 145: C:\Windows\SysWOW64\Icachjbb.exe (command line C:\Windows\system32\Icachjbb.exe), PID 6940. Modifies registry class
- 146: C:\Windows\SysWOW64\Infhebbh.exe (command line C:\Windows\system32\Infhebbh.exe), PID 6992. Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
- 147: C:\Windows\SysWOW64\Iholohii.exe (command line C:\Windows\system32\Iholohii.exe), PID 7064. Drops file in System32 directory
- 148: C:\Windows\SysWOW64\Ibdplaho.exe (command line C:\Windows\system32\Ibdplaho.exe), PID 7120.
- 149: C:\Windows\SysWOW64\Ihaidhgf.exe (command line C:\Windows\system32\Ihaidhgf.exe), PID 7164.
- 150: C:\Windows\SysWOW64\Ibgmaqfl.exe (command line C:\Windows\system32\Ibgmaqfl.exe), PID 6188.
- 151: C:\Windows\SysWOW64\Iloajfml.exe (command line C:\Windows\system32\Iloajfml.exe), PID 6260. Modifies registry class
- 152: C:\Windows\SysWOW64\Jehfcl32.exe (command line C:\Windows\system32\Jehfcl32.exe), PID 6356. Drops file in System32 directory
- 153: C:\Windows\SysWOW64\Jjdokb32.exe (command line C:\Windows\system32\Jjdokb32.exe), PID 6436.
- 154: C:\Windows\SysWOW64\Jejbhk32.exe (command line C:\Windows\system32\Jejbhk32.exe), PID 6528.
- 155: C:\Windows\SysWOW64\Jbncbpqd.exe (command line C:\Windows\system32\Jbncbpqd.exe), PID 6604.
- 156: C:\Windows\SysWOW64\Jjihfbno.exe (command line C:\Windows\system32\Jjihfbno.exe), PID 6688.
- 157: C:\Windows\SysWOW64\Jjkdlall.exe (command line C:\Windows\system32\Jjkdlall.exe), PID 6760.
- 158: C:\Windows\SysWOW64\Koimbpbc.exe (command line C:\Windows\system32\Koimbpbc.exe), PID 6840.
- 159: C:\Windows\SysWOW64\Khabke32.exe (command line C:\Windows\system32\Khabke32.exe), PID 6876.
- 160: C:\Windows\SysWOW64\Kefbdjgm.exe (command line C:\Windows\system32\Kefbdjgm.exe), PID 6980.
- 161: C:\Windows\SysWOW64\Kbjbnnfg.exe (command line C:\Windows\system32\Kbjbnnfg.exe), PID 7076.
- 162: C:\Windows\SysWOW64\Klbgfc32.exe (command line C:\Windows\system32\Klbgfc32.exe), PID 7156.
- 163: C:\Windows\SysWOW64\Klddlckd.exe (command line C:\Windows\system32\Klddlckd.exe), PID 6236. Modifies registry class
- 164: C:\Windows\SysWOW64\Kaaldjil.exe (command line C:\Windows\system32\Kaaldjil.exe), PID 6372.
- 165: C:\Windows\SysWOW64\Lbqinm32.exe (command line C:\Windows\system32\Lbqinm32.exe), PID 6412.
- 166: C:\Windows\SysWOW64\Llkjmb32.exe (command line C:\Windows\system32\Llkjmb32.exe), PID 6620.
- 167: C:\Windows\SysWOW64\Lkqgno32.exe (command line C:\Windows\system32\Lkqgno32.exe), PID 6752.
- 168: C:\Windows\SysWOW64\Llpchaqg.exe (command line C:\Windows\system32\Llpchaqg.exe), PID 6880.
- 169: C:\Windows\SysWOW64\Moalil32.exe (command line C:\Windows\system32\Moalil32.exe), PID 7012. Modifies registry class
- 170: C:\Windows\SysWOW64\Memalfcb.exe (command line C:\Windows\system32\Memalfcb.exe), PID 7148. Adds autorun key to be loaded by Explorer.exe on startup
- 171: C:\Windows\SysWOW64\Mklfjm32.exe (command line C:\Windows\system32\Mklfjm32.exe), PID 6268.
- 172: C:\Windows\SysWOW64\Medglemj.exe (command line C:\Windows\system32\Medglemj.exe), PID 6460.
- 173: C:\Windows\SysWOW64\Nkapelka.exe (command line C:\Windows\system32\Nkapelka.exe), PID 6652.
- 174: C:\Windows\SysWOW64\Nefdbekh.exe (command line C:\Windows\system32\Nefdbekh.exe), PID 6856.
- 175: C:\Windows\SysWOW64\Namegfql.exe (command line C:\Windows\system32\Namegfql.exe), PID 7060. Modifies registry class
- 176: C:\Windows\SysWOW64\Nlcidopb.exe (command line C:\Windows\system32\Nlcidopb.exe), PID 6248.
- 177: C:\Windows\SysWOW64\Ndnnianm.exe (command line C:\Windows\system32\Ndnnianm.exe), PID 6628.
- 178: C:\Windows\SysWOW64\Nocbfjmc.exe (command line C:\Windows\system32\Nocbfjmc.exe), PID 6900.
- 179: C:\Windows\SysWOW64\Nfnjbdep.exe (command line C:\Windows\system32\Nfnjbdep.exe), PID 6196.
- 180: C:\Windows\SysWOW64\Ncaklhdi.exe (command line C:\Windows\system32\Ncaklhdi.exe), PID 6712. Drops file in System32 directory
- 181: C:\Windows\SysWOW64\Ohncdobq.exe (command line C:\Windows\system32\Ohncdobq.exe), PID 1752. Modifies registry class
- 182: C:\Windows\SysWOW64\Odedipge.exe (command line C:\Windows\system32\Odedipge.exe), PID 7052.
- 183: C:\Windows\SysWOW64\Obidcdfo.exe (command line C:\Windows\system32\Obidcdfo.exe), PID 6684. Modifies registry class
- 184: C:\Windows\SysWOW64\Ohcmpn32.exe (command line C:\Windows\system32\Ohcmpn32.exe), PID 1560.
- 185: C:\Windows\SysWOW64\Odjmdocp.exe (command line C:\Windows\system32\Odjmdocp.exe), PID 5220.
- 186: C:\Windows\SysWOW64\Ofijnbkb.exe (command line C:\Windows\system32\Ofijnbkb.exe), PID 4204.
- 187: C:\Windows\SysWOW64\Ooangh32.exe (command line C:\Windows\system32\Ooangh32.exe), PID 4932. Drops file in System32 directory
- 188: C:\Windows\SysWOW64\Pdngpo32.exe (command line C:\Windows\system32\Pdngpo32.exe), PID 7116.
- 189: C:\Windows\SysWOW64\Pfncia32.exe (command line C:\Windows\system32\Pfncia32.exe), PID 7192. Modifies registry class
- 190: C:\Windows\SysWOW64\Pkklbh32.exe (command line C:\Windows\system32\Pkklbh32.exe), PID 7236.
- 191: C:\Windows\SysWOW64\Pbddobla.exe (command line C:\Windows\system32\Pbddobla.exe), PID 7280.
- 192: C:\Windows\SysWOW64\Poidhg32.exe (command line C:\Windows\system32\Poidhg32.exe), PID 7324.
- 193: C:\Windows\SysWOW64\Piaiqlak.exe (command line C:\Windows\system32\Piaiqlak.exe), PID 7368.
- 194: C:\Windows\SysWOW64\Pokanf32.exe (command line C:\Windows\system32\Pokanf32.exe), PID 7412.
- 195: C:\Windows\SysWOW64\Piceflpi.exe (command line C:\Windows\system32\Piceflpi.exe), PID 7464. Adds autorun key to be loaded by Explorer.exe on startup
- 196: C:\Windows\SysWOW64\Aflpkpjm.exe (command line C:\Windows\system32\Aflpkpjm.exe), PID 7508.
- 197: C:\Windows\SysWOW64\Amfhgj32.exe (command line C:\Windows\system32\Amfhgj32.exe), PID 7552. Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
- 198: C:\Windows\SysWOW64\Abgjkpll.exe (command line C:\Windows\system32\Abgjkpll.exe), PID 7596. Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
- 199: C:\Windows\SysWOW64\Ammnhilb.exe (command line C:\Windows\system32\Ammnhilb.exe), PID 7640. Drops file in System32 directory
- 200: C:\Windows\SysWOW64\Aehbmk32.exe (command line C:\Windows\system32\Aehbmk32.exe), PID 7680. Modifies registry class
- 201: C:\Windows\SysWOW64\Albkieqj.exe (command line C:\Windows\system32\Albkieqj.exe), PID 7728.
- 202: C:\Windows\SysWOW64\Bldgoeog.exe (command line C:\Windows\system32\Bldgoeog.exe), PID 7772.
- 203: C:\Windows\SysWOW64\Bpbpecen.exe (command line C:\Windows\system32\Bpbpecen.exe), PID 7816. Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
- 204: C:\Windows\SysWOW64\Bcpika32.exe (command line C:\Windows\system32\Bcpika32.exe), PID 7864.
- 205: C:\Windows\SysWOW64\Blknpdho.exe (command line C:\Windows\system32\Blknpdho.exe), PID 7924.
- 206: C:\Windows\SysWOW64\Bipnihgi.exe (command line C:\Windows\system32\Bipnihgi.exe), PID 7968. Drops file in System32 directory
- 207: C:\Windows\SysWOW64\Cpifeb32.exe (command line C:\Windows\system32\Cpifeb32.exe), PID 8016. Modifies registry class
- 208: C:\Windows\SysWOW64\Cibkohef.exe (command line C:\Windows\system32\Cibkohef.exe), PID 8072.
- 209: C:\Windows\SysWOW64\Cehlcikj.exe (command line C:\Windows\system32\Cehlcikj.exe), PID 8128. Modifies registry class
- 210: C:\Windows\SysWOW64\Cfhhml32.exe (command line C:\Windows\system32\Cfhhml32.exe), PID 8176.
- 211: C:\Windows\SysWOW64\Cpqlfa32.exe (command line C:\Windows\system32\Cpqlfa32.exe), PID 7220.
- 212: C:\Windows\SysWOW64\Ciiaogon.exe (command line C:\Windows\system32\Ciiaogon.exe), PID 7288.
- 213: C:\Windows\SysWOW64\Cdnelpod.exe (command line C:\Windows\system32\Cdnelpod.exe), PID 7364. Modifies registry class
- 214: C:\Windows\SysWOW64\Cmgjee32.exe (command line C:\Windows\system32\Cmgjee32.exe), PID 7428.
- 215: C:\Windows\SysWOW64\Dfonnk32.exe (command line C:\Windows\system32\Dfonnk32.exe), PID 7492.
- 216: C:\Windows\SysWOW64\Dmifkecb.exe (command line C:\Windows\system32\Dmifkecb.exe), PID 7568. Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
- 217: C:\Windows\SysWOW64\Dfakcj32.exe (command line C:\Windows\system32\Dfakcj32.exe), PID 7624.
- 218: C:\Windows\SysWOW64\Dlncla32.exe (command line C:\Windows\system32\Dlncla32.exe), PID 7700. Drops file in System32 directory
- 219: C:\Windows\SysWOW64\Defheg32.exe (command line C:\Windows\system32\Defheg32.exe), PID 7764. Modifies registry class
- 220: C:\Windows\SysWOW64\Dpllbp32.exe (command line C:\Windows\system32\Dpllbp32.exe), PID 7832. Drops file in System32 directory
- 221: C:\Windows\SysWOW64\Didqkeeq.exe (command line C:\Windows\system32\Didqkeeq.exe), PID 7916. Modifies registry class
- 222: C:\Windows\SysWOW64\Ddjehneg.exe (command line C:\Windows\system32\Ddjehneg.exe), PID 7984.
- 223: C:\Windows\SysWOW64\Dmbiackg.exe (command line C:\Windows\system32\Dmbiackg.exe), PID 2228. Adds autorun key to be loaded by Explorer.exe on startup
- 224: C:\Windows\SysWOW64\Egknji32.exe (command line C:\Windows\system32\Egknji32.exe), PID 8124. Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
- 225: C:\Windows\SysWOW64\Edoncm32.exe (command line C:\Windows\system32\Edoncm32.exe), PID 8188.
- 226: C:\Windows\SysWOW64\Eepkkefp.exe (command line C:\Windows\system32\Eepkkefp.exe), PID 7268. Adds autorun key to be loaded by Explorer.exe on startup
- 227: C:\Windows\SysWOW64\Ecdkdj32.exe (command line C:\Windows\system32\Ecdkdj32.exe), PID 7404. Drops file in System32 directory
- 228: C:\Windows\SysWOW64\Eippgckc.exe (command line C:\Windows\system32\Eippgckc.exe), PID 7496.
- 229: C:\Windows\SysWOW64\Flaiho32.exe (command line C:\Windows\system32\Flaiho32.exe), PID 7608.
- 230: C:\Windows\SysWOW64\Flcfnn32.exe (command line C:\Windows\system32\Flcfnn32.exe), PID 5700.
- 231: C:\Windows\SysWOW64\Fncbha32.exe (command line C:\Windows\system32\Fncbha32.exe), PID 7908.
- 232: C:\Windows\SysWOW64\Fneoma32.exe (command line C:\Windows\system32\Fneoma32.exe), PID 3972. Adds autorun key to be loaded by Explorer.exe on startup
- 233: C:\Windows\SysWOW64\Fljlom32.exe (command line C:\Windows\system32\Fljlom32.exe), PID 8136. Drops file in System32 directory
- 234: C:\Windows\SysWOW64\Glmhdm32.exe (command line C:\Windows\system32\Glmhdm32.exe), PID 7264. Adds autorun key to be loaded by Explorer.exe on startup
- 235: C:\Windows\SysWOW64\Gjqinamq.exe (command line C:\Windows\system32\Gjqinamq.exe), PID 7408. Drops file in System32 directory
- 236: C:\Windows\SysWOW64\Gqkajk32.exe (command line C:\Windows\system32\Gqkajk32.exe), PID 7544.
- 237: C:\Windows\SysWOW64\Gfgjbb32.exe (command line C:\Windows\system32\Gfgjbb32.exe), PID 7740. Modifies registry class
- 238: C:\Windows\SysWOW64\Gdhjpjjd.exe (command line C:\Windows\system32\Gdhjpjjd.exe), PID 8024.
- 239: C:\Windows\SysWOW64\Gnanioad.exe (command line C:\Windows\system32\Gnanioad.exe), PID 7208. Drops file in System32 directory
- 240: C:\Windows\SysWOW64\Gnckooob.exe (command line C:\Windows\system32\Gnckooob.exe), PID 7352.
- 241: C:\Windows\SysWOW64\Hfnpca32.exe (command line C:\Windows\system32\Hfnpca32.exe), PID 7676. Modifies registry class
- 242: C:\Windows\SysWOW64\Hqddqj32.exe (command line C:\Windows\system32\Hqddqj32.exe), PID 2704. Adds autorun key to be loaded by Explorer.exe on startup