Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
02-06-2024 00:47
Behavioral task
behavioral1
Sample
163102364ede906230dcc915f9a2a320_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
163102364ede906230dcc915f9a2a320_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
-
Target
163102364ede906230dcc915f9a2a320_NeikiAnalytics.exe
-
Size
565KB
-
MD5
163102364ede906230dcc915f9a2a320
-
SHA1
e4eb91ad52993a5dbff6f7e58ce1996337db5c23
-
SHA256
decfb0f3e04afd480d68d483d2bfdc450cabde7b8e2ce15044519cbd03ad0c6e
-
SHA512
47b15ad3a18025506afb5b4caf85004a3a1772be1538eac0ca28ef0ce7e76ab46c8107acaa2e17cb5e3f7fb4f88b9b4a41856f9927e38c99d2c622520f099176
-
SSDEEP
12288:ikWA55HtntuFjAh//+zrWAIAqWim/+zrWAI5KF8OX:i7E51tuFjAh/mvFimm09OX
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Qchmagie.exeFojlngce.exeKboljk32.exeMipcob32.exeBcoenmao.exeHbeghene.exeOkhfjh32.exeOdpjcm32.exeCeehho32.exeDelnin32.exeHfljmdjc.exeMpdelajl.exeNkjjij32.exeLlcpoo32.exeNpfkgjdn.exePcppfaka.exeBhhdil32.exeCkcgkldl.exeDlncan32.exeGhaliknf.exeOcbddc32.exePdifoehl.exeKphmie32.exeAngddopp.exeBjpaooda.exeEeidoc32.exeFllpbldb.exeLdoaklml.exeJfaloa32.exeAegikj32.exeAbpcon32.exeIefioj32.exeKpeiioac.exePcijeb32.exeEepjpb32.exeCknnpm32.exeDhhnpjmh.exeJjbako32.exeMnlfigcc.exeMajopeii.exeOfeilobp.exeAglemn32.exeHjolnb32.exeGmoeoidl.exeCdfbibnb.exeIlidbbgl.exeKibgmdcn.exeIfopiajn.exeKmnjhioc.exeMgnnhk32.exeLgpagm32.exeGkhbdg32.exeIehfdi32.exeIpckgh32.exeJigollag.exeAnmjcieo.exeCeqnmpfo.exeNcgkcl32.exeMckemg32.exeOflgep32.exeLenamdem.exeGcpapkgp.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qchmagie.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fojlngce.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kboljk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mipcob32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcoenmao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbeghene.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Okhfjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Odpjcm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceehho32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Delnin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hfljmdjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mpdelajl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nkjjij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Llcpoo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npfkgjdn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcppfaka.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhhdil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckcgkldl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlncan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ghaliknf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocbddc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pdifoehl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kphmie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Angddopp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bjpaooda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eeidoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fllpbldb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ldoaklml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jfaloa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aegikj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Abpcon32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iefioj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kpeiioac.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcijeb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eepjpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cknnpm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhhnpjmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjbako32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mnlfigcc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Majopeii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ofeilobp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aglemn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjolnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmoeoidl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpeiioac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdfbibnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ilidbbgl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kibgmdcn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifopiajn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmnjhioc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgnnhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lgpagm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gkhbdg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iehfdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ipckgh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jigollag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Anmjcieo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceqnmpfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ncgkcl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mckemg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oflgep32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lenamdem.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcpapkgp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cknnpm32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Processes:
resource yara_rule behavioral2/memory/1700-0-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Gcpapkgp.exe family_berbew behavioral2/memory/4552-8-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Gfnnlffc.exe family_berbew behavioral2/memory/2408-15-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Gjlfbd32.exe family_berbew behavioral2/memory/4796-24-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Giofnacd.exe family_berbew behavioral2/memory/4180-36-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Gqfooodg.exe family_berbew behavioral2/memory/988-39-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Gfcgge32.exe family_berbew behavioral2/memory/4440-52-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Gpklpkio.exe family_berbew behavioral2/memory/32-57-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Gpnhekgl.exe family_berbew behavioral2/memory/4592-64-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Gifmnpnl.exe family_berbew behavioral2/memory/4472-76-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Gameonno.exe family_berbew behavioral2/memory/3532-82-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Hboagf32.exe family_berbew behavioral2/memory/3232-90-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Hcnnaikp.exe family_berbew C:\Windows\SysWOW64\Hfljmdjc.exe family_berbew behavioral2/memory/2188-100-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/memory/3956-104-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Hfofbd32.exe family_berbew behavioral2/memory/2652-112-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Hmioonpn.exe family_berbew C:\Windows\SysWOW64\Hpgkkioa.exe family_berbew behavioral2/memory/1980-132-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Hbeghene.exe family_berbew behavioral2/memory/440-136-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/memory/1984-120-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Hjmoibog.exe family_berbew behavioral2/memory/1460-144-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Hjolnb32.exe family_berbew behavioral2/memory/3876-152-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Haidklda.exe family_berbew behavioral2/memory/2884-160-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Iakaql32.exe family_berbew behavioral2/memory/1600-168-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Ifhiib32.exe family_berbew behavioral2/memory/5040-176-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Iiffen32.exe family_berbew C:\Windows\SysWOW64\Iiffen32.exe family_berbew behavioral2/memory/868-184-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Ijfboafl.exe family_berbew behavioral2/memory/2940-196-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Ipckgh32.exe family_berbew behavioral2/memory/3848-200-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Ibagcc32.exe family_berbew behavioral2/memory/3108-208-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Iikopmkd.exe family_berbew behavioral2/memory/4520-216-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Ifopiajn.exe family_berbew behavioral2/memory/5028-224-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Iinlemia.exe family_berbew behavioral2/memory/3152-232-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Jpgdbg32.exe family_berbew behavioral2/memory/1112-240-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew C:\Windows\SysWOW64\Jfaloa32.exe family_berbew behavioral2/memory/624-247-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew -
Executes dropped EXE 64 IoCs
Processes:
Gcpapkgp.exeGfnnlffc.exeGjlfbd32.exeGiofnacd.exeGqfooodg.exeGfcgge32.exeGpklpkio.exeGpnhekgl.exeGifmnpnl.exeGameonno.exeHboagf32.exeHcnnaikp.exeHfljmdjc.exeHfofbd32.exeHmioonpn.exeHpgkkioa.exeHbeghene.exeHjmoibog.exeHjolnb32.exeHaidklda.exeIakaql32.exeIfhiib32.exeIiffen32.exeIjfboafl.exeIpckgh32.exeIbagcc32.exeIikopmkd.exeIfopiajn.exeIinlemia.exeJpgdbg32.exeJfaloa32.exeJdemhe32.exeJjpeepnb.exeJmnaakne.exeJplmmfmi.exeJjbako32.exeJmpngk32.exeJaljgidl.exeJbmfoa32.exeJigollag.exeJangmibi.exeJdmcidam.exeJfkoeppq.exeJkfkfohj.exeKaqcbi32.exeKpccnefa.exeKbapjafe.exeKkihknfg.exeKmgdgjek.exeKpepcedo.exeKgphpo32.exeKaemnhla.exeKphmie32.exeKgbefoji.exeKmlnbi32.exeKcifkp32.exeKkpnlm32.exeKmnjhioc.exeKpmfddnf.exeKckbqpnj.exeKkbkamnl.exeLalcng32.exeLdkojb32.exeLcmofolg.exepid process 4552 Gcpapkgp.exe 2408 Gfnnlffc.exe 4796 Gjlfbd32.exe 4180 Giofnacd.exe 988 Gqfooodg.exe 4440 Gfcgge32.exe 32 Gpklpkio.exe 4592 Gpnhekgl.exe 4472 Gifmnpnl.exe 3532 Gameonno.exe 3232 Hboagf32.exe 2188 Hcnnaikp.exe 3956 Hfljmdjc.exe 2652 Hfofbd32.exe 1984 Hmioonpn.exe 1980 Hpgkkioa.exe 440 Hbeghene.exe 1460 Hjmoibog.exe 3876 Hjolnb32.exe 2884 Haidklda.exe 1600 Iakaql32.exe 5040 Ifhiib32.exe 868 Iiffen32.exe 2940 Ijfboafl.exe 3848 Ipckgh32.exe 3108 Ibagcc32.exe 4520 Iikopmkd.exe 5028 Ifopiajn.exe 3152 Iinlemia.exe 1112 Jpgdbg32.exe 624 Jfaloa32.exe 4112 Jdemhe32.exe 2908 Jjpeepnb.exe 2516 Jmnaakne.exe 3068 Jplmmfmi.exe 1960 Jjbako32.exe 64 Jmpngk32.exe 3680 Jaljgidl.exe 3708 Jbmfoa32.exe 2276 Jigollag.exe 2192 Jangmibi.exe 400 Jdmcidam.exe 784 Jfkoeppq.exe 2152 Jkfkfohj.exe 2980 Kaqcbi32.exe 4616 Kpccnefa.exe 560 Kbapjafe.exe 2288 Kkihknfg.exe 4052 Kmgdgjek.exe 4116 Kpepcedo.exe 3216 Kgphpo32.exe 1824 Kaemnhla.exe 692 Kphmie32.exe 432 Kgbefoji.exe 3664 Kmlnbi32.exe 720 Kcifkp32.exe 3368 Kkpnlm32.exe 4528 Kmnjhioc.exe 5092 Kpmfddnf.exe 2748 Kckbqpnj.exe 3052 Kkbkamnl.exe 4364 Lalcng32.exe 1576 Ldkojb32.exe 2568 Lcmofolg.exe -
Drops file in System32 directory 64 IoCs
Processes:
Chpada32.exeDccbbhld.exeIckchq32.exeOnhhamgg.exePcijeb32.exeBanllbdn.exeHfljmdjc.exeQjbena32.exeNnolfdcn.exeIpnjab32.exeHaidklda.exeNcgkcl32.exeDjdmffnn.exeIjfboafl.exePncgmkmj.exeLkdggmlj.exeNcfdie32.exeBjghpn32.exeNgdmod32.exeAglemn32.exeMaaepd32.exePjhbgb32.exeAgoabn32.exeKpmfddnf.exeKepelfam.exeEdnaqo32.exeHeapdjlp.exeJianff32.exeOlmeci32.exeChcddk32.exeJmnaakne.exeOkhfjh32.exeMamleegg.exeAlkdnboj.exeHfqlnm32.exeLdoaklml.exeOcbddc32.exePgioqq32.exeGfnnlffc.exeGqfooodg.exeBhhdil32.exeLbmhlihl.exeBaicac32.exeCdfkolkf.exeQajadlja.exeHioiji32.exeEeidoc32.exeHihbijhn.exePnonbk32.exeCeehho32.exeDkifae32.exeOgogoi32.exePkceffcd.exeAbpcon32.exeFhgjblfq.exeIcgjmapi.exeCmiflbel.exeCnicfe32.exeDmjocp32.exeMgnnhk32.exeGkhbdg32.exeLgbnmm32.exedescription ioc process File opened for modification C:\Windows\SysWOW64\Cknnpm32.exe Chpada32.exe File created C:\Windows\SysWOW64\Nnambi32.dll Dccbbhld.exe File created C:\Windows\SysWOW64\Laapnj32.dll Ickchq32.exe File opened for modification C:\Windows\SysWOW64\Odapnf32.exe Onhhamgg.exe File created C:\Windows\SysWOW64\Igjnojdk.dll Pcijeb32.exe File opened for modification C:\Windows\SysWOW64\Bhhdil32.exe Banllbdn.exe File created C:\Windows\SysWOW64\Dnplgc32.dll Hfljmdjc.exe File created C:\Windows\SysWOW64\Aegikj32.exe Qjbena32.exe File created C:\Windows\SysWOW64\Bghhihab.dll Nnolfdcn.exe File opened for modification C:\Windows\SysWOW64\Ifgbnlmj.exe Ipnjab32.exe File created C:\Windows\SysWOW64\Iakaql32.exe Haidklda.exe File created C:\Windows\SysWOW64\Lmbnpm32.dll Ncgkcl32.exe File opened for modification C:\Windows\SysWOW64\Dejacond.exe Djdmffnn.exe File opened for modification C:\Windows\SysWOW64\Ipckgh32.exe Ijfboafl.exe File opened for modification C:\Windows\SysWOW64\Pqbdjfln.exe Pncgmkmj.exe File opened for modification C:\Windows\SysWOW64\Lmccchkn.exe Lkdggmlj.exe File created C:\Windows\SysWOW64\Neeqea32.exe Ncfdie32.exe File created C:\Windows\SysWOW64\Jdencjac.dll Bjghpn32.exe File created C:\Windows\SysWOW64\Nnneknob.exe Ngdmod32.exe File created C:\Windows\SysWOW64\Oahicipe.dll Aglemn32.exe File opened for modification C:\Windows\SysWOW64\Mpdelajl.exe Maaepd32.exe File opened for modification C:\Windows\SysWOW64\Pcagphom.exe Pjhbgb32.exe File created C:\Windows\SysWOW64\Empblm32.dll Ngdmod32.exe File created C:\Windows\SysWOW64\Bjmnoi32.exe Agoabn32.exe File created C:\Windows\SysWOW64\Kckbqpnj.exe Kpmfddnf.exe File created C:\Windows\SysWOW64\Aceghl32.dll Kepelfam.exe File created C:\Windows\SysWOW64\Aainof32.dll Ednaqo32.exe File created C:\Windows\SysWOW64\Hkkhqd32.exe Heapdjlp.exe File created C:\Windows\SysWOW64\Jlpkba32.exe Jianff32.exe File opened for modification C:\Windows\SysWOW64\Ocgmpccl.exe Olmeci32.exe File opened for modification C:\Windows\SysWOW64\Cnnlaehj.exe Chcddk32.exe File opened for modification C:\Windows\SysWOW64\Jplmmfmi.exe Jmnaakne.exe File opened for modification C:\Windows\SysWOW64\Obangb32.exe Okhfjh32.exe File opened for modification C:\Windows\SysWOW64\Mpolqa32.exe Mamleegg.exe File created C:\Windows\SysWOW64\Ejmcmk32.dll Alkdnboj.exe File created C:\Windows\SysWOW64\Hioiji32.exe Hfqlnm32.exe File created C:\Windows\SysWOW64\Likjcbkc.exe Ldoaklml.exe File created C:\Windows\SysWOW64\Ofqpqo32.exe Ocbddc32.exe File opened for modification C:\Windows\SysWOW64\Pncgmkmj.exe Pgioqq32.exe File created C:\Windows\SysWOW64\Fojjgcdm.dll Gfnnlffc.exe File created C:\Windows\SysWOW64\Oeahce32.dll Gqfooodg.exe File created C:\Windows\SysWOW64\Ndhkdnkh.dll Bhhdil32.exe File opened for modification C:\Windows\SysWOW64\Lekehdgp.exe Lbmhlihl.exe File opened for modification C:\Windows\SysWOW64\Bchomn32.exe Baicac32.exe File created C:\Windows\SysWOW64\Cfdhkhjj.exe Cdfkolkf.exe File created C:\Windows\SysWOW64\Panjjlqo.dll Qajadlja.exe File created C:\Windows\SysWOW64\Hkmefd32.exe Hioiji32.exe File created C:\Windows\SysWOW64\Olgkhn32.dll Eeidoc32.exe File created C:\Windows\SysWOW64\Hkfoeega.exe Hihbijhn.exe File created C:\Windows\SysWOW64\Kkbljp32.dll Pnonbk32.exe File created C:\Windows\SysWOW64\Chcddk32.exe Ceehho32.exe File created C:\Windows\SysWOW64\Dmgbnq32.exe Dkifae32.exe File opened for modification C:\Windows\SysWOW64\Obdkma32.exe Ogogoi32.exe File opened for modification C:\Windows\SysWOW64\Pqpnombl.exe Pkceffcd.exe File opened for modification C:\Windows\SysWOW64\Adapgfqj.exe Abpcon32.exe File created C:\Windows\SysWOW64\Fkffog32.exe Fhgjblfq.exe File created C:\Windows\SysWOW64\Iehfdi32.exe Icgjmapi.exe File opened for modification C:\Windows\SysWOW64\Ceqnmpfo.exe Cmiflbel.exe File opened for modification C:\Windows\SysWOW64\Cagobalc.exe Cnicfe32.exe File opened for modification C:\Windows\SysWOW64\Dddhpjof.exe Dmjocp32.exe File created C:\Windows\SysWOW64\Ikjmhmfd.dll Ijfboafl.exe File created C:\Windows\SysWOW64\Egqcbapl.dll Mgnnhk32.exe File opened for modification C:\Windows\SysWOW64\Gcojed32.exe Gkhbdg32.exe File created C:\Windows\SysWOW64\Bidjkmlh.dll Lgbnmm32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 11180 11100 WerFault.exe Dmllipeg.exe -
Modifies registry class 64 IoCs
Processes:
Ocnjidkf.exeOgkcpbam.exeLalcng32.exeLdohebqh.exeOkhfjh32.exeAlkdnboj.exeEdnaqo32.exeJpgdbg32.exeHijooifk.exeLiimncmf.exeNnqbanmo.exeMdmegp32.exeDkoggkjo.exeHcbpab32.exeIlidbbgl.exeAepefb32.exeBeeflhdh.exeLbmhlihl.exeMnlfigcc.exeNacbfdao.exeIehfdi32.exeIkbnacmd.exeKpeiioac.exeKdcbom32.exeOponmilc.exePqbdjfln.exeJplmmfmi.exeDhkapp32.exeDccbbhld.exeFhgjblfq.exePjhbgb32.exeMdehlk32.exeOfeilobp.exeAcnlgp32.exeKplpjn32.exeOlmeci32.exeCdfkolkf.exeDknpmdfc.exeHmioonpn.exeKbapjafe.exeGfembo32.exeJfeopj32.exeNloiakho.exeMgddhf32.exePncgmkmj.exeBjokdipf.exeHcnnaikp.exeIbagcc32.exeMdfofakp.exeEeidoc32.exeLingibiq.exeKboljk32.exeNebdoa32.exeNkjjij32.exeQjpiha32.exeBjghpn32.exeCkcgkldl.exeHfifmnij.exeKaemnhla.exeOjoign32.exeNcnadk32.exeAlabgd32.exeFbnafb32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdjlic32.dll" Ocnjidkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ogkcpbam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lalcng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ldohebqh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Okhfjh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Alkdnboj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ednaqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aajjaf32.dll" Jpgdbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hijooifk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amhpcomb.dll" Liimncmf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nnqbanmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mdmegp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dkoggkjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkbbae32.dll" Hcbpab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ilidbbgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aepefb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Beeflhdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiecmmbf.dll" Lbmhlihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll" Mnlfigcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll" Nacbfdao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iehfdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgpmhl32.dll" Ikbnacmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kpeiioac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kdcbom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oponmilc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pqbdjfln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jplmmfmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll" Mdmegp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogqnnn32.dll" Dhkapp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dccbbhld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmjfkopm.dll" Fhgjblfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pjhbgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebinhj32.dll" Mdehlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ofeilobp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Acnlgp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kplpjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpbkoql.dll" Olmeci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll" Cdfkolkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll" Dknpmdfc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hmioonpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kbapjafe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gfembo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jfeopj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nloiakho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mgddhf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pncgmkmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bjokdipf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmjdia32.dll" Hcnnaikp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ibagcc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mdfofakp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eeidoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lingibiq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kboljk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nebdoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll" Nkjjij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qjpiha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bjghpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ckcgkldl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pglcddpd.dll" Hfifmnij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kaemnhla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilkmnni.dll" Ojoign32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ncnadk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Alabgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oijgnaaa.dll" Fbnafb32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
163102364ede906230dcc915f9a2a320_NeikiAnalytics.exeGcpapkgp.exeGfnnlffc.exeGjlfbd32.exeGiofnacd.exeGqfooodg.exeGfcgge32.exeGpklpkio.exeGpnhekgl.exeGifmnpnl.exeGameonno.exeHboagf32.exeHcnnaikp.exeHfljmdjc.exeHfofbd32.exeHmioonpn.exeHpgkkioa.exeHbeghene.exeHjmoibog.exeHjolnb32.exeHaidklda.exeIakaql32.exedescription pid process target process PID 1700 wrote to memory of 4552 1700 163102364ede906230dcc915f9a2a320_NeikiAnalytics.exe Gcpapkgp.exe PID 1700 wrote to memory of 4552 1700 163102364ede906230dcc915f9a2a320_NeikiAnalytics.exe Gcpapkgp.exe PID 1700 wrote to memory of 4552 1700 163102364ede906230dcc915f9a2a320_NeikiAnalytics.exe Gcpapkgp.exe PID 4552 wrote to memory of 2408 4552 Gcpapkgp.exe Gfnnlffc.exe PID 4552 wrote to memory of 2408 4552 Gcpapkgp.exe Gfnnlffc.exe PID 4552 wrote to memory of 2408 4552 Gcpapkgp.exe Gfnnlffc.exe PID 2408 wrote to memory of 4796 2408 Gfnnlffc.exe Gjlfbd32.exe PID 2408 wrote to memory of 4796 2408 Gfnnlffc.exe Gjlfbd32.exe PID 2408 wrote to memory of 4796 2408 Gfnnlffc.exe Gjlfbd32.exe PID 4796 wrote to memory of 4180 4796 Gjlfbd32.exe Giofnacd.exe PID 4796 wrote to memory of 4180 4796 Gjlfbd32.exe Giofnacd.exe PID 4796 wrote to memory of 4180 4796 Gjlfbd32.exe Giofnacd.exe PID 4180 wrote to memory of 988 4180 Giofnacd.exe Gqfooodg.exe PID 4180 wrote to memory of 988 4180 Giofnacd.exe Gqfooodg.exe PID 4180 wrote to memory of 988 4180 Giofnacd.exe Gqfooodg.exe PID 988 wrote to memory of 4440 988 Gqfooodg.exe Gfcgge32.exe PID 988 wrote to memory of 4440 988 Gqfooodg.exe Gfcgge32.exe PID 988 wrote to memory of 4440 988 Gqfooodg.exe Gfcgge32.exe PID 4440 wrote to memory of 32 4440 Gfcgge32.exe Gpklpkio.exe PID 4440 wrote to memory of 32 4440 Gfcgge32.exe Gpklpkio.exe PID 4440 wrote to memory of 32 4440 Gfcgge32.exe Gpklpkio.exe PID 32 wrote to memory of 4592 32 Gpklpkio.exe Gpnhekgl.exe PID 32 wrote to memory of 4592 32 Gpklpkio.exe Gpnhekgl.exe PID 32 wrote to memory of 4592 32 Gpklpkio.exe Gpnhekgl.exe PID 4592 wrote to memory of 4472 4592 Gpnhekgl.exe Gifmnpnl.exe PID 4592 wrote to memory of 4472 4592 Gpnhekgl.exe Gifmnpnl.exe PID 4592 wrote to memory of 4472 4592 Gpnhekgl.exe Gifmnpnl.exe PID 4472 wrote to memory of 3532 4472 Gifmnpnl.exe Gameonno.exe PID 4472 wrote to memory of 3532 4472 Gifmnpnl.exe Gameonno.exe PID 4472 wrote to memory of 3532 4472 Gifmnpnl.exe Gameonno.exe PID 3532 wrote to memory of 3232 3532 Gameonno.exe Hboagf32.exe PID 3532 wrote to memory of 3232 3532 Gameonno.exe Hboagf32.exe PID 3532 wrote to memory of 3232 3532 Gameonno.exe Hboagf32.exe PID 3232 wrote to memory of 2188 3232 Hboagf32.exe Hcnnaikp.exe PID 3232 wrote to memory of 2188 3232 Hboagf32.exe Hcnnaikp.exe PID 3232 wrote to memory of 2188 3232 Hboagf32.exe Hcnnaikp.exe PID 2188 wrote to memory of 3956 2188 Hcnnaikp.exe Hfljmdjc.exe PID 2188 wrote to memory of 3956 2188 Hcnnaikp.exe Hfljmdjc.exe PID 2188 wrote to memory of 3956 2188 Hcnnaikp.exe Hfljmdjc.exe PID 3956 wrote to memory of 2652 3956 Hfljmdjc.exe Hfofbd32.exe PID 3956 wrote to memory of 2652 3956 Hfljmdjc.exe Hfofbd32.exe PID 3956 wrote to memory of 2652 3956 Hfljmdjc.exe Hfofbd32.exe PID 2652 wrote to memory of 1984 2652 Hfofbd32.exe Hmioonpn.exe PID 2652 wrote to memory of 1984 2652 Hfofbd32.exe Hmioonpn.exe PID 2652 wrote to memory of 1984 2652 Hfofbd32.exe Hmioonpn.exe PID 1984 wrote to memory of 1980 1984 Hmioonpn.exe Hpgkkioa.exe PID 1984 wrote to memory of 1980 1984 Hmioonpn.exe Hpgkkioa.exe PID 1984 wrote to memory of 1980 1984 Hmioonpn.exe Hpgkkioa.exe PID 1980 wrote to memory of 440 1980 Hpgkkioa.exe Hbeghene.exe PID 1980 wrote to memory of 440 1980 Hpgkkioa.exe Hbeghene.exe PID 1980 wrote to memory of 440 1980 Hpgkkioa.exe Hbeghene.exe PID 440 wrote to memory of 1460 440 Hbeghene.exe Hjmoibog.exe PID 440 wrote to memory of 1460 440 Hbeghene.exe Hjmoibog.exe PID 440 wrote to memory of 1460 440 Hbeghene.exe Hjmoibog.exe PID 1460 wrote to memory of 3876 1460 Hjmoibog.exe Hjolnb32.exe PID 1460 wrote to memory of 3876 1460 Hjmoibog.exe Hjolnb32.exe PID 1460 wrote to memory of 3876 1460 Hjmoibog.exe Hjolnb32.exe PID 3876 wrote to memory of 2884 3876 Hjolnb32.exe Haidklda.exe PID 3876 wrote to memory of 2884 3876 Hjolnb32.exe Haidklda.exe PID 3876 wrote to memory of 2884 3876 Hjolnb32.exe Haidklda.exe PID 2884 wrote to memory of 1600 2884 Haidklda.exe Iakaql32.exe PID 2884 wrote to memory of 1600 2884 Haidklda.exe Iakaql32.exe PID 2884 wrote to memory of 1600 2884 Haidklda.exe Iakaql32.exe PID 1600 wrote to memory of 5040 1600 Iakaql32.exe Ifhiib32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\163102364ede906230dcc915f9a2a320_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\163102364ede906230dcc915f9a2a320_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\SysWOW64\Gcpapkgp.exeC:\Windows\system32\Gcpapkgp.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4552 -
C:\Windows\SysWOW64\Gfnnlffc.exeC:\Windows\system32\Gfnnlffc.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Gjlfbd32.exeC:\Windows\system32\Gjlfbd32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4796 -
C:\Windows\SysWOW64\Giofnacd.exeC:\Windows\system32\Giofnacd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4180 -
C:\Windows\SysWOW64\Gqfooodg.exeC:\Windows\system32\Gqfooodg.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:988 -
C:\Windows\SysWOW64\Gfcgge32.exeC:\Windows\system32\Gfcgge32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4440 -
C:\Windows\SysWOW64\Gpklpkio.exeC:\Windows\system32\Gpklpkio.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:32 -
C:\Windows\SysWOW64\Gpnhekgl.exeC:\Windows\system32\Gpnhekgl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4592 -
C:\Windows\SysWOW64\Gifmnpnl.exeC:\Windows\system32\Gifmnpnl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4472 -
C:\Windows\SysWOW64\Gameonno.exeC:\Windows\system32\Gameonno.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3532 -
C:\Windows\SysWOW64\Hboagf32.exeC:\Windows\system32\Hboagf32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3232 -
C:\Windows\SysWOW64\Hcnnaikp.exeC:\Windows\system32\Hcnnaikp.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Hfljmdjc.exeC:\Windows\system32\Hfljmdjc.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3956 -
C:\Windows\SysWOW64\Hfofbd32.exeC:\Windows\system32\Hfofbd32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Hmioonpn.exeC:\Windows\system32\Hmioonpn.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\Hpgkkioa.exeC:\Windows\system32\Hpgkkioa.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Hbeghene.exeC:\Windows\system32\Hbeghene.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:440 -
C:\Windows\SysWOW64\Hjmoibog.exeC:\Windows\system32\Hjmoibog.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Windows\SysWOW64\Hjolnb32.exeC:\Windows\system32\Hjolnb32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3876 -
C:\Windows\SysWOW64\Haidklda.exeC:\Windows\system32\Haidklda.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Iakaql32.exeC:\Windows\system32\Iakaql32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Windows\SysWOW64\Ifhiib32.exeC:\Windows\system32\Ifhiib32.exe23⤵
- Executes dropped EXE
PID:5040 -
C:\Windows\SysWOW64\Iiffen32.exeC:\Windows\system32\Iiffen32.exe24⤵
- Executes dropped EXE
PID:868 -
C:\Windows\SysWOW64\Ijfboafl.exeC:\Windows\system32\Ijfboafl.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2940 -
C:\Windows\SysWOW64\Ipckgh32.exeC:\Windows\system32\Ipckgh32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3848 -
C:\Windows\SysWOW64\Ibagcc32.exeC:\Windows\system32\Ibagcc32.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:3108 -
C:\Windows\SysWOW64\Iikopmkd.exeC:\Windows\system32\Iikopmkd.exe28⤵
- Executes dropped EXE
PID:4520 -
C:\Windows\SysWOW64\Ifopiajn.exeC:\Windows\system32\Ifopiajn.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5028 -
C:\Windows\SysWOW64\Iinlemia.exeC:\Windows\system32\Iinlemia.exe30⤵
- Executes dropped EXE
PID:3152 -
C:\Windows\SysWOW64\Jpgdbg32.exeC:\Windows\system32\Jpgdbg32.exe31⤵
- Executes dropped EXE
- Modifies registry class
PID:1112 -
C:\Windows\SysWOW64\Jfaloa32.exeC:\Windows\system32\Jfaloa32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:624 -
C:\Windows\SysWOW64\Jiphkm32.exeC:\Windows\system32\Jiphkm32.exe33⤵PID:4476
-
C:\Windows\SysWOW64\Jdemhe32.exeC:\Windows\system32\Jdemhe32.exe34⤵
- Executes dropped EXE
PID:4112 -
C:\Windows\SysWOW64\Jjpeepnb.exeC:\Windows\system32\Jjpeepnb.exe35⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Jmnaakne.exeC:\Windows\system32\Jmnaakne.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2516 -
C:\Windows\SysWOW64\Jplmmfmi.exeC:\Windows\system32\Jplmmfmi.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:3068 -
C:\Windows\SysWOW64\Jjbako32.exeC:\Windows\system32\Jjbako32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Jmpngk32.exeC:\Windows\system32\Jmpngk32.exe39⤵
- Executes dropped EXE
PID:64 -
C:\Windows\SysWOW64\Jaljgidl.exeC:\Windows\system32\Jaljgidl.exe40⤵
- Executes dropped EXE
PID:3680 -
C:\Windows\SysWOW64\Jbmfoa32.exeC:\Windows\system32\Jbmfoa32.exe41⤵
- Executes dropped EXE
PID:3708 -
C:\Windows\SysWOW64\Jigollag.exeC:\Windows\system32\Jigollag.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Jangmibi.exeC:\Windows\system32\Jangmibi.exe43⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Jdmcidam.exeC:\Windows\system32\Jdmcidam.exe44⤵
- Executes dropped EXE
PID:400 -
C:\Windows\SysWOW64\Jfkoeppq.exeC:\Windows\system32\Jfkoeppq.exe45⤵
- Executes dropped EXE
PID:784 -
C:\Windows\SysWOW64\Jkfkfohj.exeC:\Windows\system32\Jkfkfohj.exe46⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Kaqcbi32.exeC:\Windows\system32\Kaqcbi32.exe47⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Kpccnefa.exeC:\Windows\system32\Kpccnefa.exe48⤵
- Executes dropped EXE
PID:4616 -
C:\Windows\SysWOW64\Kbapjafe.exeC:\Windows\system32\Kbapjafe.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:560 -
C:\Windows\SysWOW64\Kkihknfg.exeC:\Windows\system32\Kkihknfg.exe50⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Kmgdgjek.exeC:\Windows\system32\Kmgdgjek.exe51⤵
- Executes dropped EXE
PID:4052 -
C:\Windows\SysWOW64\Kpepcedo.exeC:\Windows\system32\Kpepcedo.exe52⤵
- Executes dropped EXE
PID:4116 -
C:\Windows\SysWOW64\Kgphpo32.exeC:\Windows\system32\Kgphpo32.exe53⤵
- Executes dropped EXE
PID:3216 -
C:\Windows\SysWOW64\Kaemnhla.exeC:\Windows\system32\Kaemnhla.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:1824 -
C:\Windows\SysWOW64\Kphmie32.exeC:\Windows\system32\Kphmie32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:692 -
C:\Windows\SysWOW64\Kgbefoji.exeC:\Windows\system32\Kgbefoji.exe56⤵
- Executes dropped EXE
PID:432 -
C:\Windows\SysWOW64\Kmlnbi32.exeC:\Windows\system32\Kmlnbi32.exe57⤵
- Executes dropped EXE
PID:3664 -
C:\Windows\SysWOW64\Kcifkp32.exeC:\Windows\system32\Kcifkp32.exe58⤵
- Executes dropped EXE
PID:720 -
C:\Windows\SysWOW64\Kkpnlm32.exeC:\Windows\system32\Kkpnlm32.exe59⤵
- Executes dropped EXE
PID:3368 -
C:\Windows\SysWOW64\Kmnjhioc.exeC:\Windows\system32\Kmnjhioc.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4528 -
C:\Windows\SysWOW64\Kpmfddnf.exeC:\Windows\system32\Kpmfddnf.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5092 -
C:\Windows\SysWOW64\Kckbqpnj.exeC:\Windows\system32\Kckbqpnj.exe62⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Kkbkamnl.exeC:\Windows\system32\Kkbkamnl.exe63⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Lalcng32.exeC:\Windows\system32\Lalcng32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:4364 -
C:\Windows\SysWOW64\Ldkojb32.exeC:\Windows\system32\Ldkojb32.exe65⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Lcmofolg.exeC:\Windows\system32\Lcmofolg.exe66⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Lkdggmlj.exeC:\Windows\system32\Lkdggmlj.exe67⤵
- Drops file in System32 directory
PID:4876 -
C:\Windows\SysWOW64\Lmccchkn.exeC:\Windows\system32\Lmccchkn.exe68⤵PID:5096
-
C:\Windows\SysWOW64\Ldmlpbbj.exeC:\Windows\system32\Ldmlpbbj.exe69⤵PID:3376
-
C:\Windows\SysWOW64\Lkgdml32.exeC:\Windows\system32\Lkgdml32.exe70⤵PID:1272
-
C:\Windows\SysWOW64\Lijdhiaa.exeC:\Windows\system32\Lijdhiaa.exe71⤵PID:1880
-
C:\Windows\SysWOW64\Laalifad.exeC:\Windows\system32\Laalifad.exe72⤵PID:1268
-
C:\Windows\SysWOW64\Ldohebqh.exeC:\Windows\system32\Ldohebqh.exe73⤵
- Modifies registry class
PID:5084 -
C:\Windows\SysWOW64\Lgneampk.exeC:\Windows\system32\Lgneampk.exe74⤵PID:4936
-
C:\Windows\SysWOW64\Lilanioo.exeC:\Windows\system32\Lilanioo.exe75⤵PID:3988
-
C:\Windows\SysWOW64\Lpfijcfl.exeC:\Windows\system32\Lpfijcfl.exe76⤵PID:3488
-
C:\Windows\SysWOW64\Lcdegnep.exeC:\Windows\system32\Lcdegnep.exe77⤵PID:3328
-
C:\Windows\SysWOW64\Lgpagm32.exeC:\Windows\system32\Lgpagm32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2864 -
C:\Windows\SysWOW64\Lnjjdgee.exeC:\Windows\system32\Lnjjdgee.exe79⤵PID:4376
-
C:\Windows\SysWOW64\Lphfpbdi.exeC:\Windows\system32\Lphfpbdi.exe80⤵PID:1040
-
C:\Windows\SysWOW64\Lgbnmm32.exeC:\Windows\system32\Lgbnmm32.exe81⤵
- Drops file in System32 directory
PID:1292 -
C:\Windows\SysWOW64\Mnlfigcc.exeC:\Windows\system32\Mnlfigcc.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5056 -
C:\Windows\SysWOW64\Mdfofakp.exeC:\Windows\system32\Mdfofakp.exe83⤵
- Modifies registry class
PID:3088 -
C:\Windows\SysWOW64\Mkpgck32.exeC:\Windows\system32\Mkpgck32.exe84⤵PID:3048
-
C:\Windows\SysWOW64\Mnocof32.exeC:\Windows\system32\Mnocof32.exe85⤵PID:2208
-
C:\Windows\SysWOW64\Majopeii.exeC:\Windows\system32\Majopeii.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3964 -
C:\Windows\SysWOW64\Mdiklqhm.exeC:\Windows\system32\Mdiklqhm.exe87⤵PID:4984
-
C:\Windows\SysWOW64\Mjeddggd.exeC:\Windows\system32\Mjeddggd.exe88⤵PID:3140
-
C:\Windows\SysWOW64\Mamleegg.exeC:\Windows\system32\Mamleegg.exe89⤵
- Drops file in System32 directory
PID:3984 -
C:\Windows\SysWOW64\Mpolqa32.exeC:\Windows\system32\Mpolqa32.exe90⤵PID:4368
-
C:\Windows\SysWOW64\Mcnhmm32.exeC:\Windows\system32\Mcnhmm32.exe91⤵PID:1204
-
C:\Windows\SysWOW64\Mjhqjg32.exeC:\Windows\system32\Mjhqjg32.exe92⤵PID:412
-
C:\Windows\SysWOW64\Maohkd32.exeC:\Windows\system32\Maohkd32.exe93⤵PID:1520
-
C:\Windows\SysWOW64\Mdmegp32.exeC:\Windows\system32\Mdmegp32.exe94⤵
- Modifies registry class
PID:1108 -
C:\Windows\SysWOW64\Mcpebmkb.exeC:\Windows\system32\Mcpebmkb.exe95⤵PID:3468
-
C:\Windows\SysWOW64\Mjjmog32.exeC:\Windows\system32\Mjjmog32.exe96⤵PID:1220
-
C:\Windows\SysWOW64\Maaepd32.exeC:\Windows\system32\Maaepd32.exe97⤵
- Drops file in System32 directory
PID:2764 -
C:\Windows\SysWOW64\Mpdelajl.exeC:\Windows\system32\Mpdelajl.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1452 -
C:\Windows\SysWOW64\Mcbahlip.exeC:\Windows\system32\Mcbahlip.exe99⤵PID:5068
-
C:\Windows\SysWOW64\Mgnnhk32.exeC:\Windows\system32\Mgnnhk32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4488 -
C:\Windows\SysWOW64\Nkjjij32.exeC:\Windows\system32\Nkjjij32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3400 -
C:\Windows\SysWOW64\Nacbfdao.exeC:\Windows\system32\Nacbfdao.exe102⤵
- Modifies registry class
PID:5124 -
C:\Windows\SysWOW64\Nceonl32.exeC:\Windows\system32\Nceonl32.exe103⤵PID:5168
-
C:\Windows\SysWOW64\Njogjfoj.exeC:\Windows\system32\Njogjfoj.exe104⤵PID:5216
-
C:\Windows\SysWOW64\Nqiogp32.exeC:\Windows\system32\Nqiogp32.exe105⤵PID:5260
-
C:\Windows\SysWOW64\Ncgkcl32.exeC:\Windows\system32\Ncgkcl32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5304 -
C:\Windows\SysWOW64\Njacpf32.exeC:\Windows\system32\Njacpf32.exe107⤵PID:5348
-
C:\Windows\SysWOW64\Nbhkac32.exeC:\Windows\system32\Nbhkac32.exe108⤵PID:5388
-
C:\Windows\SysWOW64\Ndghmo32.exeC:\Windows\system32\Ndghmo32.exe109⤵PID:5436
-
C:\Windows\SysWOW64\Njcpee32.exeC:\Windows\system32\Njcpee32.exe110⤵PID:5480
-
C:\Windows\SysWOW64\Nnolfdcn.exeC:\Windows\system32\Nnolfdcn.exe111⤵
- Drops file in System32 directory
PID:5524 -
C:\Windows\SysWOW64\Nqmhbpba.exeC:\Windows\system32\Nqmhbpba.exe112⤵PID:5564
-
C:\Windows\SysWOW64\Ncldnkae.exeC:\Windows\system32\Ncldnkae.exe113⤵PID:5612
-
C:\Windows\SysWOW64\Nqpego32.exeC:\Windows\system32\Nqpego32.exe114⤵PID:5652
-
C:\Windows\SysWOW64\Ncnadk32.exeC:\Windows\system32\Ncnadk32.exe115⤵
- Modifies registry class
PID:5696 -
C:\Windows\SysWOW64\Okeieh32.exeC:\Windows\system32\Okeieh32.exe116⤵PID:5740
-
C:\Windows\SysWOW64\Ondeac32.exeC:\Windows\system32\Ondeac32.exe117⤵PID:5784
-
C:\Windows\SysWOW64\Oqbamo32.exeC:\Windows\system32\Oqbamo32.exe118⤵PID:5828
-
C:\Windows\SysWOW64\Ocqnij32.exeC:\Windows\system32\Ocqnij32.exe119⤵PID:5868
-
C:\Windows\SysWOW64\Okhfjh32.exeC:\Windows\system32\Okhfjh32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5912 -
C:\Windows\SysWOW64\Obangb32.exeC:\Windows\system32\Obangb32.exe121⤵PID:5952
-
C:\Windows\SysWOW64\Odpjcm32.exeC:\Windows\system32\Odpjcm32.exe122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5996 -
C:\Windows\SysWOW64\Ogogoi32.exeC:\Windows\system32\Ogogoi32.exe123⤵
- Drops file in System32 directory
PID:6040 -
C:\Windows\SysWOW64\Obdkma32.exeC:\Windows\system32\Obdkma32.exe124⤵PID:6084
-
C:\Windows\SysWOW64\Ocegdjij.exeC:\Windows\system32\Ocegdjij.exe125⤵PID:6120
-
C:\Windows\SysWOW64\Obfhba32.exeC:\Windows\system32\Obfhba32.exe126⤵PID:5156
-
C:\Windows\SysWOW64\Okolkg32.exeC:\Windows\system32\Okolkg32.exe127⤵PID:5224
-
C:\Windows\SysWOW64\Pgemphmn.exeC:\Windows\system32\Pgemphmn.exe128⤵PID:5296
-
C:\Windows\SysWOW64\Pjdilcla.exeC:\Windows\system32\Pjdilcla.exe129⤵PID:5368
-
C:\Windows\SysWOW64\Pqnaim32.exeC:\Windows\system32\Pqnaim32.exe130⤵PID:5428
-
C:\Windows\SysWOW64\Pclneicb.exeC:\Windows\system32\Pclneicb.exe131⤵PID:5488
-
C:\Windows\SysWOW64\Pkceffcd.exeC:\Windows\system32\Pkceffcd.exe132⤵
- Drops file in System32 directory
PID:5548 -
C:\Windows\SysWOW64\Pqpnombl.exeC:\Windows\system32\Pqpnombl.exe133⤵PID:5648
-
C:\Windows\SysWOW64\Pjhbgb32.exeC:\Windows\system32\Pjhbgb32.exe134⤵
- Drops file in System32 directory
- Modifies registry class
PID:3020 -
C:\Windows\SysWOW64\Pcagphom.exeC:\Windows\system32\Pcagphom.exe135⤵PID:5732
-
C:\Windows\SysWOW64\Pjkombfj.exeC:\Windows\system32\Pjkombfj.exe136⤵PID:5760
-
C:\Windows\SysWOW64\Peqcjkfp.exeC:\Windows\system32\Peqcjkfp.exe137⤵PID:5844
-
C:\Windows\SysWOW64\Pnihcq32.exeC:\Windows\system32\Pnihcq32.exe138⤵PID:5900
-
C:\Windows\SysWOW64\Qjpiha32.exeC:\Windows\system32\Qjpiha32.exe139⤵
- Modifies registry class
PID:5984 -
C:\Windows\SysWOW64\Qajadlja.exeC:\Windows\system32\Qajadlja.exe140⤵
- Drops file in System32 directory
PID:6036 -
C:\Windows\SysWOW64\Qchmagie.exeC:\Windows\system32\Qchmagie.exe141⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6140 -
C:\Windows\SysWOW64\Qjbena32.exeC:\Windows\system32\Qjbena32.exe142⤵
- Drops file in System32 directory
PID:5176 -
C:\Windows\SysWOW64\Aegikj32.exeC:\Windows\system32\Aegikj32.exe143⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5256 -
C:\Windows\SysWOW64\Alabgd32.exeC:\Windows\system32\Alabgd32.exe144⤵
- Modifies registry class
PID:5384 -
C:\Windows\SysWOW64\Aejfpjne.exeC:\Windows\system32\Aejfpjne.exe145⤵PID:5420
-
C:\Windows\SysWOW64\Abngjnmo.exeC:\Windows\system32\Abngjnmo.exe146⤵PID:5596
-
C:\Windows\SysWOW64\Alfkbc32.exeC:\Windows\system32\Alfkbc32.exe147⤵PID:5708
-
C:\Windows\SysWOW64\Abpcon32.exeC:\Windows\system32\Abpcon32.exe148⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3032 -
C:\Windows\SysWOW64\Adapgfqj.exeC:\Windows\system32\Adapgfqj.exe149⤵PID:5812
-
C:\Windows\SysWOW64\Angddopp.exeC:\Windows\system32\Angddopp.exe150⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5960 -
C:\Windows\SysWOW64\Aealah32.exeC:\Windows\system32\Aealah32.exe151⤵PID:5944
-
C:\Windows\SysWOW64\Alkdnboj.exeC:\Windows\system32\Alkdnboj.exe152⤵
- Drops file in System32 directory
- Modifies registry class
PID:5148 -
C:\Windows\SysWOW64\Abemjmgg.exeC:\Windows\system32\Abemjmgg.exe153⤵PID:5344
-
C:\Windows\SysWOW64\Bdfibe32.exeC:\Windows\system32\Bdfibe32.exe154⤵PID:1596
-
C:\Windows\SysWOW64\Bjpaooda.exeC:\Windows\system32\Bjpaooda.exe155⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5636 -
C:\Windows\SysWOW64\Beeflhdh.exeC:\Windows\system32\Beeflhdh.exe156⤵
- Modifies registry class
PID:5728 -
C:\Windows\SysWOW64\Bnnjen32.exeC:\Windows\system32\Bnnjen32.exe157⤵PID:5920
-
C:\Windows\SysWOW64\Bhfonc32.exeC:\Windows\system32\Bhfonc32.exe158⤵PID:6060
-
C:\Windows\SysWOW64\Bjdkjo32.exeC:\Windows\system32\Bjdkjo32.exe159⤵PID:5252
-
C:\Windows\SysWOW64\Baocghgi.exeC:\Windows\system32\Baocghgi.exe160⤵PID:5544
-
C:\Windows\SysWOW64\Bdmpcdfm.exeC:\Windows\system32\Bdmpcdfm.exe161⤵PID:1888
-
C:\Windows\SysWOW64\Bjghpn32.exeC:\Windows\system32\Bjghpn32.exe162⤵
- Drops file in System32 directory
- Modifies registry class
PID:6020 -
C:\Windows\SysWOW64\Bbnpqk32.exeC:\Windows\system32\Bbnpqk32.exe163⤵PID:6116
-
C:\Windows\SysWOW64\Blfdia32.exeC:\Windows\system32\Blfdia32.exe164⤵PID:5680
-
C:\Windows\SysWOW64\Boepel32.exeC:\Windows\system32\Boepel32.exe165⤵PID:2200
-
C:\Windows\SysWOW64\Ceoibflm.exeC:\Windows\system32\Ceoibflm.exe166⤵PID:5164
-
C:\Windows\SysWOW64\Chmeobkq.exeC:\Windows\system32\Chmeobkq.exe167⤵PID:5972
-
C:\Windows\SysWOW64\Cklaknjd.exeC:\Windows\system32\Cklaknjd.exe168⤵PID:5836
-
C:\Windows\SysWOW64\Chpada32.exeC:\Windows\system32\Chpada32.exe169⤵
- Drops file in System32 directory
PID:6152 -
C:\Windows\SysWOW64\Cknnpm32.exeC:\Windows\system32\Cknnpm32.exe170⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6192 -
C:\Windows\SysWOW64\Cdfbibnb.exeC:\Windows\system32\Cdfbibnb.exe171⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6228 -
C:\Windows\SysWOW64\Ckpjfm32.exeC:\Windows\system32\Ckpjfm32.exe172⤵PID:6280
-
C:\Windows\SysWOW64\Cajcbgml.exeC:\Windows\system32\Cajcbgml.exe173⤵PID:6316
-
C:\Windows\SysWOW64\Cdiooblp.exeC:\Windows\system32\Cdiooblp.exe174⤵PID:6364
-
C:\Windows\SysWOW64\Ckcgkldl.exeC:\Windows\system32\Ckcgkldl.exe175⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6396 -
C:\Windows\SysWOW64\Camphf32.exeC:\Windows\system32\Camphf32.exe176⤵PID:6448
-
C:\Windows\SysWOW64\Ckedalaj.exeC:\Windows\system32\Ckedalaj.exe177⤵PID:6492
-
C:\Windows\SysWOW64\Dekhneap.exeC:\Windows\system32\Dekhneap.exe178⤵PID:6524
-
C:\Windows\SysWOW64\Dhidjpqc.exeC:\Windows\system32\Dhidjpqc.exe179⤵PID:6576
-
C:\Windows\SysWOW64\Docmgjhp.exeC:\Windows\system32\Docmgjhp.exe180⤵PID:6616
-
C:\Windows\SysWOW64\Daaicfgd.exeC:\Windows\system32\Daaicfgd.exe181⤵PID:6652
-
C:\Windows\SysWOW64\Dhkapp32.exeC:\Windows\system32\Dhkapp32.exe182⤵
- Modifies registry class
PID:6696 -
C:\Windows\SysWOW64\Dkjmlk32.exeC:\Windows\system32\Dkjmlk32.exe183⤵PID:6744
-
C:\Windows\SysWOW64\Doeiljfn.exeC:\Windows\system32\Doeiljfn.exe184⤵PID:6780
-
C:\Windows\SysWOW64\Dadeieea.exeC:\Windows\system32\Dadeieea.exe185⤵PID:6832
-
C:\Windows\SysWOW64\Ddbbeade.exeC:\Windows\system32\Ddbbeade.exe186⤵PID:6876
-
C:\Windows\SysWOW64\Dlijfneg.exeC:\Windows\system32\Dlijfneg.exe187⤵PID:6920
-
C:\Windows\SysWOW64\Dccbbhld.exeC:\Windows\system32\Dccbbhld.exe188⤵
- Drops file in System32 directory
- Modifies registry class
PID:6956 -
C:\Windows\SysWOW64\Deanodkh.exeC:\Windows\system32\Deanodkh.exe189⤵PID:7000
-
C:\Windows\SysWOW64\Dhpjkojk.exeC:\Windows\system32\Dhpjkojk.exe190⤵PID:7044
-
C:\Windows\SysWOW64\Dkoggkjo.exeC:\Windows\system32\Dkoggkjo.exe191⤵
- Modifies registry class
PID:7092 -
C:\Windows\SysWOW64\Dahode32.exeC:\Windows\system32\Dahode32.exe192⤵PID:7132
-
C:\Windows\SysWOW64\Dlncan32.exeC:\Windows\system32\Dlncan32.exe193⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5932 -
C:\Windows\SysWOW64\Echknh32.exeC:\Windows\system32\Echknh32.exe194⤵PID:6212
-
C:\Windows\SysWOW64\Ekcpbj32.exeC:\Windows\system32\Ekcpbj32.exe195⤵PID:860
-
C:\Windows\SysWOW64\Eeidoc32.exeC:\Windows\system32\Eeidoc32.exe196⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:6360 -
C:\Windows\SysWOW64\Ehgqln32.exeC:\Windows\system32\Ehgqln32.exe197⤵PID:6416
-
C:\Windows\SysWOW64\Ekemhj32.exeC:\Windows\system32\Ekemhj32.exe198⤵PID:6480
-
C:\Windows\SysWOW64\Eoaihhlp.exeC:\Windows\system32\Eoaihhlp.exe199⤵PID:6568
-
C:\Windows\SysWOW64\Eapedd32.exeC:\Windows\system32\Eapedd32.exe200⤵PID:6640
-
C:\Windows\SysWOW64\Ednaqo32.exeC:\Windows\system32\Ednaqo32.exe201⤵
- Drops file in System32 directory
- Modifies registry class
PID:6740 -
C:\Windows\SysWOW64\Eocenh32.exeC:\Windows\system32\Eocenh32.exe202⤵PID:6792
-
C:\Windows\SysWOW64\Edpnfo32.exeC:\Windows\system32\Edpnfo32.exe203⤵PID:6872
-
C:\Windows\SysWOW64\Eepjpb32.exeC:\Windows\system32\Eepjpb32.exe204⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6928 -
C:\Windows\SysWOW64\Fohoigfh.exeC:\Windows\system32\Fohoigfh.exe205⤵PID:6992
-
C:\Windows\SysWOW64\Fdegandp.exeC:\Windows\system32\Fdegandp.exe206⤵PID:7060
-
C:\Windows\SysWOW64\Fllpbldb.exeC:\Windows\system32\Fllpbldb.exe207⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7120 -
C:\Windows\SysWOW64\Fojlngce.exeC:\Windows\system32\Fojlngce.exe208⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6200 -
C:\Windows\SysWOW64\Faihkbci.exeC:\Windows\system32\Faihkbci.exe209⤵PID:6304
-
C:\Windows\SysWOW64\Flnlhk32.exeC:\Windows\system32\Flnlhk32.exe210⤵PID:6404
-
C:\Windows\SysWOW64\Fakdpb32.exeC:\Windows\system32\Fakdpb32.exe211⤵PID:6476
-
C:\Windows\SysWOW64\Fhemmlhc.exeC:\Windows\system32\Fhemmlhc.exe212⤵PID:6632
-
C:\Windows\SysWOW64\Fkciihgg.exeC:\Windows\system32\Fkciihgg.exe213⤵PID:6716
-
C:\Windows\SysWOW64\Fbnafb32.exeC:\Windows\system32\Fbnafb32.exe214⤵
- Modifies registry class
PID:6840 -
C:\Windows\SysWOW64\Fhgjblfq.exeC:\Windows\system32\Fhgjblfq.exe215⤵
- Drops file in System32 directory
- Modifies registry class
PID:6968 -
C:\Windows\SysWOW64\Fkffog32.exeC:\Windows\system32\Fkffog32.exe216⤵PID:7084
-
C:\Windows\SysWOW64\Fbpnkama.exeC:\Windows\system32\Fbpnkama.exe217⤵PID:6160
-
C:\Windows\SysWOW64\Fhjfhl32.exeC:\Windows\system32\Fhjfhl32.exe218⤵PID:6296
-
C:\Windows\SysWOW64\Glebhjlg.exeC:\Windows\system32\Glebhjlg.exe219⤵PID:6536
-
C:\Windows\SysWOW64\Gkhbdg32.exeC:\Windows\system32\Gkhbdg32.exe220⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6608 -
C:\Windows\SysWOW64\Gcojed32.exeC:\Windows\system32\Gcojed32.exe221⤵PID:6868
-
C:\Windows\SysWOW64\Ghlcnk32.exeC:\Windows\system32\Ghlcnk32.exe222⤵PID:7040
-
C:\Windows\SysWOW64\Gofkje32.exeC:\Windows\system32\Gofkje32.exe223⤵PID:6256
-
C:\Windows\SysWOW64\Gbdgfa32.exeC:\Windows\system32\Gbdgfa32.exe224⤵PID:6488
-
C:\Windows\SysWOW64\Gmjlcj32.exeC:\Windows\system32\Gmjlcj32.exe225⤵PID:6820
-
C:\Windows\SysWOW64\Gbgdlq32.exeC:\Windows\system32\Gbgdlq32.exe226⤵PID:7032
-
C:\Windows\SysWOW64\Ghaliknf.exeC:\Windows\system32\Ghaliknf.exe227⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6520 -
C:\Windows\SysWOW64\Gcfqfc32.exeC:\Windows\system32\Gcfqfc32.exe228⤵PID:6828
-
C:\Windows\SysWOW64\Gfembo32.exeC:\Windows\system32\Gfembo32.exe229⤵
- Modifies registry class
PID:6352 -
C:\Windows\SysWOW64\Gmoeoidl.exeC:\Windows\system32\Gmoeoidl.exe230⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6912 -
C:\Windows\SysWOW64\Gfgjgo32.exeC:\Windows\system32\Gfgjgo32.exe231⤵PID:6704
-
C:\Windows\SysWOW64\Hmabdibj.exeC:\Windows\system32\Hmabdibj.exe232⤵PID:7172
-
C:\Windows\SysWOW64\Hckjacjg.exeC:\Windows\system32\Hckjacjg.exe233⤵PID:7220
-
C:\Windows\SysWOW64\Hfifmnij.exeC:\Windows\system32\Hfifmnij.exe234⤵
- Modifies registry class
PID:7268 -
C:\Windows\SysWOW64\Hihbijhn.exeC:\Windows\system32\Hihbijhn.exe235⤵
- Drops file in System32 directory
PID:7312 -
C:\Windows\SysWOW64\Hkfoeega.exeC:\Windows\system32\Hkfoeega.exe236⤵PID:7356
-
C:\Windows\SysWOW64\Hbpgbo32.exeC:\Windows\system32\Hbpgbo32.exe237⤵PID:7400
-
C:\Windows\SysWOW64\Hijooifk.exeC:\Windows\system32\Hijooifk.exe238⤵
- Modifies registry class
PID:7440 -
C:\Windows\SysWOW64\Hkikkeeo.exeC:\Windows\system32\Hkikkeeo.exe239⤵PID:7480
-
C:\Windows\SysWOW64\Hcpclbfa.exeC:\Windows\system32\Hcpclbfa.exe240⤵PID:7516
-
C:\Windows\SysWOW64\Heapdjlp.exeC:\Windows\system32\Heapdjlp.exe241⤵
- Drops file in System32 directory
PID:7568 -
C:\Windows\SysWOW64\Hkkhqd32.exeC:\Windows\system32\Hkkhqd32.exe242⤵PID:7612