Analysis
- max time kernel: 133s
- max time network: 106s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-06-2024 00:25
Behavioral task behavioral1
- Sample: 13322faa972aaec35250efccb6e35420_NeikiAnalytics.exe
- Resource: win7-20240221-en
Behavioral task behavioral2
- Sample: 13322faa972aaec35250efccb6e35420_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: 13322faa972aaec35250efccb6e35420_NeikiAnalytics.exe
- Size: 378KB
- MD5: 13322faa972aaec35250efccb6e35420
- SHA1: d5779e1bc5e71025bd914b64006f9763ee7265aa
- SHA256: a077cd9185fa98c5bced725719c0f699eb192685488ed03a585cc01ecea2b33f
- SHA512: ee0bcde16f28a9d8676c9f12997c1428bc9df85d4e9e7c95f3481c0b2e0477340b70006314d10f916c843439a7419b173944b5349cff201f85846b5a59baa1d1
- SSDEEP: 6144:PdB6O+KgXiwEPeYr75lHzpaF2e6UK+42GTQMJSZO5f7M0rx7/hP66qve6UK+42Gp:PX1+O1PeYr75lTefkY660fIaDZkY6605
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
- Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
- Executes dropped EXE (64 IoCs)
- Drops file in System32 directory (64 IoCs)
- Program crash (1 IoC)
  Process: WerFault.exe (pid 9928); target process: Dmllipeg.exe (pid 9776)
- Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 13322faa972aaec35250efccb6e35420_NeikiAnalytics.exe, Nnjbke32.exe, Nddkgonp.exe, Nqklmpdd.exe, Ncihikcg.exe, Nkqpjidj.exe, Nnolfdcn.exe, Nqmhbpba.exe, Nggqoj32.exe, Onfbfc32.exe, Oqdoboli.exe, Ogogoi32.exe, Obdkma32.exe, Ojopad32.exe, Odednmpm.exe, Ojalgcnd.exe, Odgqdlnj.exe, Pbkamqmd.exe, Pghieg32.exe, Pnbbbabh.exe, Pgjfkg32.exe, Pbpjhp32.exe
description | pid | process | target process
PID 1804 wrote to memory of 3892 | 1804 | 13322faa972aaec35250efccb6e35420_NeikiAnalytics.exe | Nnjbke32.exe
PID 1804 wrote to memory of 3892 | 1804 | 13322faa972aaec35250efccb6e35420_NeikiAnalytics.exe | Nnjbke32.exe
PID 1804 wrote to memory of 3892 | 1804 | 13322faa972aaec35250efccb6e35420_NeikiAnalytics.exe | Nnjbke32.exe
PID 3892 wrote to memory of 2920 | 3892 | Nnjbke32.exe | Nddkgonp.exe
PID 3892 wrote to memory of 2920 | 3892 | Nnjbke32.exe | Nddkgonp.exe
PID 3892 wrote to memory of 2920 | 3892 | Nnjbke32.exe | Nddkgonp.exe
PID 2920 wrote to memory of 1252 | 2920 | Nddkgonp.exe | Nqklmpdd.exe
PID 2920 wrote to memory of 1252 | 2920 | Nddkgonp.exe | Nqklmpdd.exe
PID 2920 wrote to memory of 1252 | 2920 | Nddkgonp.exe | Nqklmpdd.exe
PID 1252 wrote to memory of 2172 | 1252 | Nqklmpdd.exe | Ncihikcg.exe
PID 1252 wrote to memory of 2172 | 1252 | Nqklmpdd.exe | Ncihikcg.exe
PID 1252 wrote to memory of 2172 | 1252 | Nqklmpdd.exe | Ncihikcg.exe
PID 2172 wrote to memory of 2896 | 2172 | Ncihikcg.exe | Nkqpjidj.exe
PID 2172 wrote to memory of 2896 | 2172 | Ncihikcg.exe | Nkqpjidj.exe
PID 2172 wrote to memory of 2896 | 2172 | Ncihikcg.exe | Nkqpjidj.exe
PID 2896 wrote to memory of 3948 | 2896 | Nkqpjidj.exe | Nnolfdcn.exe
PID 2896 wrote to memory of 3948 | 2896 | Nkqpjidj.exe | Nnolfdcn.exe
PID 2896 wrote to memory of 3948 | 2896 | Nkqpjidj.exe | Nnolfdcn.exe
PID 3948 wrote to memory of 4576 | 3948 | Nnolfdcn.exe | Nqmhbpba.exe
PID 3948 wrote to memory of 4576 | 3948 | Nnolfdcn.exe | Nqmhbpba.exe
PID 3948 wrote to memory of 4576 | 3948 | Nnolfdcn.exe | Nqmhbpba.exe
PID 4576 wrote to memory of 3408 | 4576 | Nqmhbpba.exe | Nggqoj32.exe
PID 4576 wrote to memory of 3408 | 4576 | Nqmhbpba.exe | Nggqoj32.exe
PID 4576 wrote to memory of 3408 | 4576 | Nqmhbpba.exe | Nggqoj32.exe
PID 3408 wrote to memory of 1816 | 3408 | Nggqoj32.exe | Onfbfc32.exe
PID 3408 wrote to memory of 1816 | 3408 | Nggqoj32.exe | Onfbfc32.exe
PID 3408 wrote to memory of 1816 | 3408 | Nggqoj32.exe | Onfbfc32.exe
PID 1816 wrote to memory of 2760 | 1816 | Onfbfc32.exe | Oqdoboli.exe
PID 1816 wrote to memory of 2760 | 1816 | Onfbfc32.exe | Oqdoboli.exe
PID 1816 wrote to memory of 2760 | 1816 | Onfbfc32.exe | Oqdoboli.exe
PID 2760 wrote to memory of 916 | 2760 | Oqdoboli.exe | Ogogoi32.exe
PID 2760 wrote to memory of 916 | 2760 | Oqdoboli.exe | Ogogoi32.exe
PID 2760 wrote to memory of 916 | 2760 | Oqdoboli.exe | Ogogoi32.exe
PID 916 wrote to memory of 4344 | 916 | Ogogoi32.exe | Obdkma32.exe
PID 916 wrote to memory of 4344 | 916 | Ogogoi32.exe | Obdkma32.exe
PID 916 wrote to memory of 4344 | 916 | Ogogoi32.exe | Obdkma32.exe
PID 4344 wrote to memory of 4844 | 4344 | Obdkma32.exe | Ojopad32.exe
PID 4344 wrote to memory of 4844 | 4344 | Obdkma32.exe | Ojopad32.exe
PID 4344 wrote to memory of 4844 | 4344 | Obdkma32.exe | Ojopad32.exe
PID 4844 wrote to memory of 1260 | 4844 | Ojopad32.exe | Odednmpm.exe
PID 4844 wrote to memory of 1260 | 4844 | Ojopad32.exe | Odednmpm.exe
PID 4844 wrote to memory of 1260 | 4844 | Ojopad32.exe | Odednmpm.exe
PID 1260 wrote to memory of 4724 | 1260 | Odednmpm.exe | Ojalgcnd.exe
PID 1260 wrote to memory of 4724 | 1260 | Odednmpm.exe | Ojalgcnd.exe
PID 1260 wrote to memory of 4724 | 1260 | Odednmpm.exe | Ojalgcnd.exe
PID 4724 wrote to memory of 640 | 4724 | Ojalgcnd.exe | Odgqdlnj.exe
PID 4724 wrote to memory of 640 | 4724 | Ojalgcnd.exe | Odgqdlnj.exe
PID 4724 wrote to memory of 640 | 4724 | Ojalgcnd.exe | Odgqdlnj.exe
PID 640 wrote to memory of 3720 | 640 | Odgqdlnj.exe | Pbkamqmd.exe
PID 640 wrote to memory of 3720 | 640 | Odgqdlnj.exe | Pbkamqmd.exe
PID 640 wrote to memory of 3720 | 640 | Odgqdlnj.exe | Pbkamqmd.exe
PID 3720 wrote to memory of 4788 | 3720 | Pbkamqmd.exe | Pghieg32.exe
PID 3720 wrote to memory of 4788 | 3720 | Pbkamqmd.exe | Pghieg32.exe
PID 3720 wrote to memory of 4788 | 3720 | Pbkamqmd.exe | Pghieg32.exe
PID 4788 wrote to memory of 4452 | 4788 | Pghieg32.exe | Pnbbbabh.exe
PID 4788 wrote to memory of 4452 | 4788 | Pghieg32.exe | Pnbbbabh.exe
PID 4788 wrote to memory of 4452 | 4788 | Pghieg32.exe | Pnbbbabh.exe
PID 4452 wrote to memory of 1492 | 4452 | Pnbbbabh.exe | Pgjfkg32.exe
PID 4452 wrote to memory of 1492 | 4452 | Pnbbbabh.exe | Pgjfkg32.exe
PID 4452 wrote to memory of 1492 | 4452 | Pnbbbabh.exe | Pgjfkg32.exe
PID 1492 wrote to memory of 376 | 1492 | Pgjfkg32.exe | Pbpjhp32.exe
PID 1492 wrote to memory of 376 | 1492 | Pgjfkg32.exe | Pbpjhp32.exe
PID 1492 wrote to memory of 376 | 1492 | Pgjfkg32.exe | Pbpjhp32.exe
PID 376 wrote to memory of 5064 | 376 | Pbpjhp32.exe | Pcagphom.exe
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\13322faa972aaec35250efccb6e35420_NeikiAnalytics.exe (cmdline: "C:\Users\Admin\AppData\Local\Temp\13322faa972aaec35250efccb6e35420_NeikiAnalytics.exe") PID:1804
  - Suspicious use of WriteProcessMemory
[2] C:\Windows\SysWOW64\Nnjbke32.exe (cmdline: C:\Windows\system32\Nnjbke32.exe) PID:3892
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
[3] C:\Windows\SysWOW64\Nddkgonp.exe (cmdline: C:\Windows\system32\Nddkgonp.exe) PID:2920
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
[4] C:\Windows\SysWOW64\Nqklmpdd.exe (cmdline: C:\Windows\system32\Nqklmpdd.exe) PID:1252
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[5] C:\Windows\SysWOW64\Ncihikcg.exe (cmdline: C:\Windows\system32\Ncihikcg.exe) PID:2172
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
[6] C:\Windows\SysWOW64\Nkqpjidj.exe (cmdline: C:\Windows\system32\Nkqpjidj.exe) PID:2896
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[7] C:\Windows\SysWOW64\Nnolfdcn.exe (cmdline: C:\Windows\system32\Nnolfdcn.exe) PID:3948
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[8] C:\Windows\SysWOW64\Nqmhbpba.exe (cmdline: C:\Windows\system32\Nqmhbpba.exe) PID:4576
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[9] C:\Windows\SysWOW64\Nggqoj32.exe (cmdline: C:\Windows\system32\Nggqoj32.exe) PID:3408
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[10] C:\Windows\SysWOW64\Onfbfc32.exe (cmdline: C:\Windows\system32\Onfbfc32.exe) PID:1816
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[11] C:\Windows\SysWOW64\Oqdoboli.exe (cmdline: C:\Windows\system32\Oqdoboli.exe) PID:2760
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[12] C:\Windows\SysWOW64\Ogogoi32.exe (cmdline: C:\Windows\system32\Ogogoi32.exe) PID:916
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[13] C:\Windows\SysWOW64\Obdkma32.exe (cmdline: C:\Windows\system32\Obdkma32.exe) PID:4344
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[14] C:\Windows\SysWOW64\Ojopad32.exe (cmdline: C:\Windows\system32\Ojopad32.exe) PID:4844
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[15] C:\Windows\SysWOW64\Odednmpm.exe (cmdline: C:\Windows\system32\Odednmpm.exe) PID:1260
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[16] C:\Windows\SysWOW64\Ojalgcnd.exe (cmdline: C:\Windows\system32\Ojalgcnd.exe) PID:4724
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[17] C:\Windows\SysWOW64\Odgqdlnj.exe (cmdline: C:\Windows\system32\Odgqdlnj.exe) PID:640
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
[18] C:\Windows\SysWOW64\Pbkamqmd.exe (cmdline: C:\Windows\system32\Pbkamqmd.exe) PID:3720
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[19] C:\Windows\SysWOW64\Pghieg32.exe (cmdline: C:\Windows\system32\Pghieg32.exe) PID:4788
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[20] C:\Windows\SysWOW64\Pnbbbabh.exe (cmdline: C:\Windows\system32\Pnbbbabh.exe) PID:4452
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[21] C:\Windows\SysWOW64\Pgjfkg32.exe (cmdline: C:\Windows\system32\Pgjfkg32.exe) PID:1492
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[22] C:\Windows\SysWOW64\Pbpjhp32.exe (cmdline: C:\Windows\system32\Pbpjhp32.exe) PID:376
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[23] C:\Windows\SysWOW64\Pcagphom.exe (cmdline: C:\Windows\system32\Pcagphom.exe) PID:5064
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
[24] C:\Windows\SysWOW64\Pjkombfj.exe (cmdline: C:\Windows\system32\Pjkombfj.exe) PID:4324
  - Executes dropped EXE
  - Drops file in System32 directory
[25] C:\Windows\SysWOW64\Pbbgnpgl.exe (cmdline: C:\Windows\system32\Pbbgnpgl.exe) PID:3460
  - Executes dropped EXE
[26] C:\Windows\SysWOW64\Pcccfh32.exe (cmdline: C:\Windows\system32\Pcccfh32.exe) PID:1616
  - Executes dropped EXE
[27] C:\Windows\SysWOW64\Pgopffec.exe (cmdline: C:\Windows\system32\Pgopffec.exe) PID:824
  - Executes dropped EXE
[28] C:\Windows\SysWOW64\Qchmagie.exe (cmdline: C:\Windows\system32\Qchmagie.exe) PID:1944
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
[29] C:\Windows\SysWOW64\Agffge32.exe (cmdline: C:\Windows\system32\Agffge32.exe) PID:3600
  - Executes dropped EXE
[30] C:\Windows\SysWOW64\Abkjdnoa.exe (cmdline: C:\Windows\system32\Abkjdnoa.exe) PID:3128
  - Executes dropped EXE
  - Drops file in System32 directory
[31] C:\Windows\SysWOW64\Ahhblemi.exe (cmdline: C:\Windows\system32\Ahhblemi.exe) PID:4308
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
[32] C:\Windows\SysWOW64\Aelcfilb.exe (cmdline: C:\Windows\system32\Aelcfilb.exe) PID:1964
  - Executes dropped EXE
[33] C:\Windows\SysWOW64\Andgoobc.exe (cmdline: C:\Windows\system32\Andgoobc.exe) PID:1420
  - Executes dropped EXE
  - Modifies registry class
[34] C:\Windows\SysWOW64\Ahmlgd32.exe (cmdline: C:\Windows\system32\Ahmlgd32.exe) PID:2512
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
[35] C:\Windows\SysWOW64\Abbpem32.exe (cmdline: C:\Windows\system32\Abbpem32.exe) PID:2332
  - Executes dropped EXE
  - Drops file in System32 directory
[36] C:\Windows\SysWOW64\Aealah32.exe (cmdline: C:\Windows\system32\Aealah32.exe) PID:1960
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
[37] C:\Windows\SysWOW64\Ahoimd32.exe (cmdline: C:\Windows\system32\Ahoimd32.exe) PID:2728
  - Executes dropped EXE
[38] C:\Windows\SysWOW64\Ajneip32.exe (cmdline: C:\Windows\system32\Ajneip32.exe) PID:3156
  - Executes dropped EXE
[39] C:\Windows\SysWOW64\Bahmfj32.exe (cmdline: C:\Windows\system32\Bahmfj32.exe) PID:3952
  - Executes dropped EXE
[40] C:\Windows\SysWOW64\Bdfibe32.exe (cmdline: C:\Windows\system32\Bdfibe32.exe) PID:3620
  - Executes dropped EXE
[41] C:\Windows\SysWOW64\Blmacb32.exe (cmdline: C:\Windows\system32\Blmacb32.exe) PID:4600
  - Executes dropped EXE
[42] C:\Windows\SysWOW64\Bajjli32.exe (cmdline: C:\Windows\system32\Bajjli32.exe) PID:1768
  - Executes dropped EXE
[43] C:\Windows\SysWOW64\Beeflhdh.exe (cmdline: C:\Windows\system32\Beeflhdh.exe) PID:3960
  - Executes dropped EXE
[44] C:\Windows\SysWOW64\Blpnib32.exe (cmdline: C:\Windows\system32\Blpnib32.exe) PID:2828
  - Executes dropped EXE
[45] C:\Windows\SysWOW64\Bnnjen32.exe (cmdline: C:\Windows\system32\Bnnjen32.exe) PID:1004
  - Executes dropped EXE
[46] C:\Windows\SysWOW64\Behbag32.exe (cmdline: C:\Windows\system32\Behbag32.exe) PID:5060
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
[47] C:\Windows\SysWOW64\Bdkcmdhp.exe (cmdline: C:\Windows\system32\Bdkcmdhp.exe) PID:3632
  - Executes dropped EXE
  - Modifies registry class
[48] C:\Windows\SysWOW64\Blbknaib.exe (cmdline: C:\Windows\system32\Blbknaib.exe) PID:1352
  - Executes dropped EXE
  - Modifies registry class
[49] C:\Windows\SysWOW64\Bblckl32.exe (cmdline: C:\Windows\system32\Bblckl32.exe) PID:2480
  - Executes dropped EXE
[50] C:\Windows\SysWOW64\Bejogg32.exe (cmdline: C:\Windows\system32\Bejogg32.exe) PID:1288
  - Executes dropped EXE
[51] C:\Windows\SysWOW64\Bjghpn32.exe (cmdline: C:\Windows\system32\Bjghpn32.exe) PID:4100
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
[52] C:\Windows\SysWOW64\Bbnpqk32.exe (cmdline: C:\Windows\system32\Bbnpqk32.exe) PID:2764
  - Executes dropped EXE
[53] C:\Windows\SysWOW64\Bdolhc32.exe (cmdline: C:\Windows\system32\Bdolhc32.exe) PID:1848
  - Executes dropped EXE
  - Modifies registry class
[54] C:\Windows\SysWOW64\Blfdia32.exe (cmdline: C:\Windows\system32\Blfdia32.exe) PID:3212
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
[55] C:\Windows\SysWOW64\Cbqlfkmi.exe (cmdline: C:\Windows\system32\Cbqlfkmi.exe) PID:1996
  - Executes dropped EXE
[56] C:\Windows\SysWOW64\Chmeobkq.exe (cmdline: C:\Windows\system32\Chmeobkq.exe) PID:4380
  - Executes dropped EXE
  - Drops file in System32 directory
[57] C:\Windows\SysWOW64\Ceaehfjj.exe (cmdline: C:\Windows\system32\Ceaehfjj.exe) PID:1580
  - Executes dropped EXE
[58] C:\Windows\SysWOW64\Clkndpag.exe (cmdline: C:\Windows\system32\Clkndpag.exe) PID:3688
  - Executes dropped EXE
[59] C:\Windows\SysWOW64\Cahfmgoo.exe (cmdline: C:\Windows\system32\Cahfmgoo.exe) PID:3288
  - Executes dropped EXE
[60] C:\Windows\SysWOW64\Chbnia32.exe (cmdline: C:\Windows\system32\Chbnia32.exe) PID:1028
  - Executes dropped EXE
[61] C:\Windows\SysWOW64\Clnjjpod.exe (cmdline: C:\Windows\system32\Clnjjpod.exe) PID:2808
  - Executes dropped EXE
[62] C:\Windows\SysWOW64\Colffknh.exe (cmdline: C:\Windows\system32\Colffknh.exe) PID:2968
  - Executes dropped EXE
  - Modifies registry class
[63] C:\Windows\SysWOW64\Cefoce32.exe (cmdline: C:\Windows\system32\Cefoce32.exe) PID:4456
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
[64] C:\Windows\SysWOW64\Ckcgkldl.exe (cmdline: C:\Windows\system32\Ckcgkldl.exe) PID:3392
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
[65] C:\Windows\SysWOW64\Cbjoljdo.exe (cmdline: C:\Windows\system32\Cbjoljdo.exe) PID:3436
  - Executes dropped EXE
[66] C:\Windows\SysWOW64\Chghdqbf.exe (cmdline: C:\Windows\system32\Chghdqbf.exe) PID:4996
[67] C:\Windows\SysWOW64\Doqpak32.exe (cmdline: C:\Windows\system32\Doqpak32.exe) PID:3000
  - Adds autorun key to be loaded by Explorer.exe on startup
[68] C:\Windows\SysWOW64\Daolnf32.exe (cmdline: C:\Windows\system32\Daolnf32.exe) PID:4292
  - Drops file in System32 directory
[69] C:\Windows\SysWOW64\Dhidjpqc.exe (cmdline: C:\Windows\system32\Dhidjpqc.exe) PID:3320
[70] C:\Windows\SysWOW64\Dkgqfl32.exe (cmdline: C:\Windows\system32\Dkgqfl32.exe) PID:1184
  - Modifies registry class
[71] C:\Windows\SysWOW64\Daaicfgd.exe (cmdline: C:\Windows\system32\Daaicfgd.exe) PID:2684
[72] C:\Windows\SysWOW64\Dhkapp32.exe (cmdline: C:\Windows\system32\Dhkapp32.exe) PID:656
[73] C:\Windows\SysWOW64\Dlgmpogj.exe (cmdline: C:\Windows\system32\Dlgmpogj.exe) PID:464
  - Modifies registry class
[74] C:\Windows\SysWOW64\Doeiljfn.exe (cmdline: C:\Windows\system32\Doeiljfn.exe) PID:5108
  - Adds autorun key to be loaded by Explorer.exe on startup
[75] C:\Windows\SysWOW64\Dadeieea.exe (cmdline: C:\Windows\system32\Dadeieea.exe) PID:3592
  - Drops file in System32 directory
[76] C:\Windows\SysWOW64\Ddbbeade.exe (cmdline: C:\Windows\system32\Ddbbeade.exe) PID:1884
  - Adds autorun key to be loaded by Explorer.exe on startup
[77] C:\Windows\SysWOW64\Dkljak32.exe (cmdline: C:\Windows\system32\Dkljak32.exe) PID:2072
  - Adds autorun key to be loaded by Explorer.exe on startup
[78] C:\Windows\SysWOW64\Dccbbhld.exe (cmdline: C:\Windows\system32\Dccbbhld.exe) PID:2564
[79] C:\Windows\SysWOW64\Dddojq32.exe (cmdline: C:\Windows\system32\Dddojq32.exe) PID:3984
  - Adds autorun key to be loaded by Explorer.exe on startup
[80] C:\Windows\SysWOW64\Dllfkn32.exe (cmdline: C:\Windows\system32\Dllfkn32.exe) PID:1068
[81] C:\Windows\SysWOW64\Dojcgi32.exe (cmdline: C:\Windows\system32\Dojcgi32.exe) PID:1988
[82] C:\Windows\SysWOW64\Dedkdcie.exe (cmdline: C:\Windows\system32\Dedkdcie.exe) PID:1448
[83] C:\Windows\SysWOW64\Dhbgqohi.exe (cmdline: C:\Windows\system32\Dhbgqohi.exe) PID:2100
  - Drops file in System32 directory
[84] C:\Windows\SysWOW64\Ekacmjgl.exe (cmdline: C:\Windows\system32\Ekacmjgl.exe) PID:1208
[85] C:\Windows\SysWOW64\Echknh32.exe (cmdline: C:\Windows\system32\Echknh32.exe) PID:1588
  - Drops file in System32 directory
[86] C:\Windows\SysWOW64\Ehedfo32.exe (cmdline: C:\Windows\system32\Ehedfo32.exe) PID:3896
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
[87] C:\Windows\SysWOW64\Eoolbinc.exe (cmdline: C:\Windows\system32\Eoolbinc.exe) PID:5124
  - Drops file in System32 directory
  - Modifies registry class
[88] C:\Windows\SysWOW64\Eeidoc32.exe (cmdline: C:\Windows\system32\Eeidoc32.exe) PID:5180
  - Drops file in System32 directory
[89] C:\Windows\SysWOW64\Elbmlmml.exe (cmdline: C:\Windows\system32\Elbmlmml.exe) PID:5244
[90] C:\Windows\SysWOW64\Eapedd32.exe (cmdline: C:\Windows\system32\Eapedd32.exe) PID:5320
  - Modifies registry class
[91] C:\Windows\SysWOW64\Ednaqo32.exe (cmdline: C:\Windows\system32\Ednaqo32.exe) PID:5364
[92] C:\Windows\SysWOW64\Eleiam32.exe (cmdline: C:\Windows\system32\Eleiam32.exe) PID:5424
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
[93] C:\Windows\SysWOW64\Ecoangbg.exe (cmdline: C:\Windows\system32\Ecoangbg.exe) PID:5488
[94] C:\Windows\SysWOW64\Eemnjbaj.exe (cmdline: C:\Windows\system32\Eemnjbaj.exe) PID:5552
[95] C:\Windows\SysWOW64\Edpnfo32.exe (cmdline: C:\Windows\system32\Edpnfo32.exe) PID:5608
[96] C:\Windows\SysWOW64\Elgfgl32.exe (cmdline: C:\Windows\system32\Elgfgl32.exe) PID:5660
  - Drops file in System32 directory
  - Modifies registry class
[97] C:\Windows\SysWOW64\Eadopc32.exe (cmdline: C:\Windows\system32\Eadopc32.exe) PID:5704
[98] C:\Windows\SysWOW64\Eepjpb32.exe (cmdline: C:\Windows\system32\Eepjpb32.exe) PID:5744
[99] C:\Windows\SysWOW64\Ehnglm32.exe (cmdline: C:\Windows\system32\Ehnglm32.exe) PID:5796
[100] C:\Windows\SysWOW64\Fkmchi32.exe (cmdline: C:\Windows\system32\Fkmchi32.exe) PID:5836
[101] C:\Windows\SysWOW64\Fohoigfh.exe (cmdline: C:\Windows\system32\Fohoigfh.exe) PID:5880
[102] C:\Windows\SysWOW64\Fafkecel.exe (cmdline: C:\Windows\system32\Fafkecel.exe) PID:5924
[103] C:\Windows\SysWOW64\Fdegandp.exe (cmdline: C:\Windows\system32\Fdegandp.exe) PID:5980
  - Drops file in System32 directory
[104] C:\Windows\SysWOW64\Fhqcam32.exe (cmdline: C:\Windows\system32\Fhqcam32.exe) PID:6032
[105] C:\Windows\SysWOW64\Fkopnh32.exe (cmdline: C:\Windows\system32\Fkopnh32.exe) PID:6068
[106] C:\Windows\SysWOW64\Fojlngce.exe (cmdline: C:\Windows\system32\Fojlngce.exe) PID:6120
[107] C:\Windows\SysWOW64\Faihkbci.exe (cmdline: C:\Windows\system32\Faihkbci.exe) PID:1280
[108] C:\Windows\SysWOW64\Fdgdgnbm.exe (cmdline: C:\Windows\system32\Fdgdgnbm.exe) PID:5232
  - Modifies registry class
[109] C:\Windows\SysWOW64\Flnlhk32.exe (cmdline: C:\Windows\system32\Flnlhk32.exe) PID:5256
  - Modifies registry class
[110] C:\Windows\SysWOW64\Fkalchij.exe (cmdline: C:\Windows\system32\Fkalchij.exe) PID:5416
[111] C:\Windows\SysWOW64\Fchddejl.exe (cmdline: C:\Windows\system32\Fchddejl.exe) PID:5496
[112] C:\Windows\SysWOW64\Fhemmlhc.exe (cmdline: C:\Windows\system32\Fhemmlhc.exe) PID:5596
[113] C:\Windows\SysWOW64\Fkciihgg.exe (cmdline: C:\Windows\system32\Fkciihgg.exe) PID:5676
  - Modifies registry class
[114] C:\Windows\SysWOW64\Fckajehi.exe (cmdline: C:\Windows\system32\Fckajehi.exe) PID:5752
[115] C:\Windows\SysWOW64\Flceckoj.exe (cmdline: C:\Windows\system32\Flceckoj.exe) PID:5816
[116] C:\Windows\SysWOW64\Fkffog32.exe (cmdline: C:\Windows\system32\Fkffog32.exe) PID:5872
  - Modifies registry class
[117] C:\Windows\SysWOW64\Fcmnpe32.exe (cmdline: C:\Windows\system32\Fcmnpe32.exe) PID:5940
[118] C:\Windows\SysWOW64\Ffkjlp32.exe (cmdline: C:\Windows\system32\Ffkjlp32.exe) PID:6016
[119] C:\Windows\SysWOW64\Fhjfhl32.exe (cmdline: C:\Windows\system32\Fhjfhl32.exe) PID:6104
[120] C:\Windows\SysWOW64\Glebhjlg.exe (cmdline: C:\Windows\system32\Glebhjlg.exe) PID:2200
[121] C:\Windows\SysWOW64\Gododflk.exe (cmdline: C:\Windows\system32\Gododflk.exe) PID:5260
[122] C:\Windows\SysWOW64\Gbbkaako.exe (cmdline: C:\Windows\system32\Gbbkaako.exe) PID:5476
[123] C:\Windows\SysWOW64\Gfngap32.exe (cmdline: C:\Windows\system32\Gfngap32.exe) PID:5616
[124] C:\Windows\SysWOW64\Glhonj32.exe (cmdline: C:\Windows\system32\Glhonj32.exe) PID:5760
  - Drops file in System32 directory
[125] C:\Windows\SysWOW64\Gofkje32.exe (cmdline: C:\Windows\system32\Gofkje32.exe) PID:5868
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
[126] C:\Windows\SysWOW64\Gbdgfa32.exe (cmdline: C:\Windows\system32\Gbdgfa32.exe) PID:5988
  - Modifies registry class
[127] C:\Windows\SysWOW64\Gdcdbl32.exe (cmdline: C:\Windows\system32\Gdcdbl32.exe) PID:6112
[128] C:\Windows\SysWOW64\Gmjlcj32.exe (cmdline: C:\Windows\system32\Gmjlcj32.exe) PID:5308
[129] C:\Windows\SysWOW64\Gohhpe32.exe (cmdline: C:\Windows\system32\Gohhpe32.exe) PID:5568
  - Drops file in System32 directory
[130] C:\Windows\SysWOW64\Ghaliknf.exe (cmdline: C:\Windows\system32\Ghaliknf.exe) PID:5804
[131] C:\Windows\SysWOW64\Gcfqfc32.exe (cmdline: C:\Windows\system32\Gcfqfc32.exe) PID:5948
  - Modifies registry class
[132] C:\Windows\SysWOW64\Gfembo32.exe (cmdline: C:\Windows\system32\Gfembo32.exe) PID:5228
  - Adds autorun key to be loaded by Explorer.exe on startup
[133] C:\Windows\SysWOW64\Gmoeoidl.exe (cmdline: C:\Windows\system32\Gmoeoidl.exe) PID:5540
[134] C:\Windows\SysWOW64\Gomakdcp.exe (cmdline: C:\Windows\system32\Gomakdcp.exe) PID:5892
  - Drops file in System32 directory
[135] C:\Windows\SysWOW64\Gblngpbd.exe (cmdline: C:\Windows\system32\Gblngpbd.exe) PID:5160
  - Modifies registry class
[136] C:\Windows\SysWOW64\Gdjjckag.exe (cmdline: C:\Windows\system32\Gdjjckag.exe) PID:1408
  - Modifies registry class
[137] C:\Windows\SysWOW64\Hiefcj32.exe (cmdline: C:\Windows\system32\Hiefcj32.exe) PID:5432
[138] C:\Windows\SysWOW64\Hmabdibj.exe (cmdline: C:\Windows\system32\Hmabdibj.exe) PID:6100
  - Drops file in System32 directory
[139] C:\Windows\SysWOW64\Hopnqdan.exe (cmdline: C:\Windows\system32\Hopnqdan.exe) PID:5252
  - Adds autorun key to be loaded by Explorer.exe on startup
[140] C:\Windows\SysWOW64\Hbnjmp32.exe (cmdline: C:\Windows\system32\Hbnjmp32.exe) PID:6168
[141] C:\Windows\SysWOW64\Hfifmnij.exe (cmdline: C:\Windows\system32\Hfifmnij.exe) PID:6208
[142] C:\Windows\SysWOW64\Hihbijhn.exe (cmdline: C:\Windows\system32\Hihbijhn.exe) PID:6248
[143] C:\Windows\SysWOW64\Hkfoeega.exe (cmdline: C:\Windows\system32\Hkfoeega.exe) PID:6288
[144] C:\Windows\SysWOW64\Hcmgfbhd.exe (cmdline: C:\Windows\system32\Hcmgfbhd.exe) PID:6332
  - Drops file in System32 directory
[145] C:\Windows\SysWOW64\Hbpgbo32.exe (cmdline: C:\Windows\system32\Hbpgbo32.exe) PID:6368
  - Adds autorun key to be loaded by Explorer.exe on startup
[146] C:\Windows\SysWOW64\Heocnk32.exe (cmdline: C:\Windows\system32\Heocnk32.exe) PID:6416
[147] C:\Windows\SysWOW64\Hmfkoh32.exe (cmdline: C:\Windows\system32\Hmfkoh32.exe) PID:6456
  - Drops file in System32 directory
[148] C:\Windows\SysWOW64\Hodgkc32.exe (cmdline: C:\Windows\system32\Hodgkc32.exe) PID:6500
[149] C:\Windows\SysWOW64\Hbbdholl.exe (cmdline: C:\Windows\system32\Hbbdholl.exe) PID:6548
  - Modifies registry class
[150] C:\Windows\SysWOW64\Himldi32.exe (cmdline: C:\Windows\system32\Himldi32.exe) PID:6592
  - Adds autorun key to be loaded by Explorer.exe on startup
[151] C:\Windows\SysWOW64\Hkkhqd32.exe (cmdline: C:\Windows\system32\Hkkhqd32.exe) PID:6632
  - Drops file in System32 directory
[152] C:\Windows\SysWOW64\Hfqlnm32.exe (cmdline: C:\Windows\system32\Hfqlnm32.exe) PID:6676
[153] C:\Windows\SysWOW64\Hioiji32.exe (cmdline: C:\Windows\system32\Hioiji32.exe) PID:6716
  - Drops file in System32 directory
[154] C:\Windows\SysWOW64\Hkmefd32.exe (cmdline: C:\Windows\system32\Hkmefd32.exe) PID:6760
[155] C:\Windows\SysWOW64\Hcdmga32.exe (cmdline: C:\Windows\system32\Hcdmga32.exe) PID:6804
  - Adds autorun key to be loaded by Explorer.exe on startup
[156] C:\Windows\SysWOW64\Iefioj32.exe (cmdline: C:\Windows\system32\Iefioj32.exe) PID:6844
[157] C:\Windows\SysWOW64\Immapg32.exe (cmdline: C:\Windows\system32\Immapg32.exe) PID:6884
[158] C:\Windows\SysWOW64\Ipknlb32.exe (cmdline: C:\Windows\system32\Ipknlb32.exe) PID:6924
  - Modifies registry class
[159] C:\Windows\SysWOW64\Ibjjhn32.exe (cmdline: C:\Windows\system32\Ibjjhn32.exe) PID:6968
  - Drops file in System32 directory
[160] C:\Windows\SysWOW64\Iicbehnq.exe (cmdline: C:\Windows\system32\Iicbehnq.exe) PID:7012
  - Modifies registry class
[161] C:\Windows\SysWOW64\Ikbnacmd.exe (cmdline: C:\Windows\system32\Ikbnacmd.exe) PID:7052
  - Drops file in System32 directory
[162] C:\Windows\SysWOW64\Icifbang.exe (cmdline: C:\Windows\system32\Icifbang.exe) PID:7096
[163] C:\Windows\SysWOW64\Ifgbnlmj.exe (cmdline: C:\Windows\system32\Ifgbnlmj.exe) PID:7140
  - Adds autorun key to be loaded by Explorer.exe on startup
[164] C:\Windows\SysWOW64\Iifokh32.exe (cmdline: C:\Windows\system32\Iifokh32.exe) PID:6164
  - Modifies registry class
[165] C:\Windows\SysWOW64\Imakkfdg.exe (cmdline: C:\Windows\system32\Imakkfdg.exe) PID:6224
  - Adds autorun key to be loaded by Explorer.exe on startup
[166] C:\Windows\SysWOW64\Ippggbck.exe (cmdline: C:\Windows\system32\Ippggbck.exe) PID:6316
[167] C:\Windows\SysWOW64\Ibnccmbo.exe (cmdline: C:\Windows\system32\Ibnccmbo.exe) PID:6392
[168] C:\Windows\SysWOW64\Iemppiab.exe (cmdline: C:\Windows\system32\Iemppiab.exe) PID:6464
  - Adds autorun key to be loaded by Explorer.exe on startup
[169] C:\Windows\SysWOW64\Ilghlc32.exe (cmdline: C:\Windows\system32\Ilghlc32.exe) PID:6536
[170] C:\Windows\SysWOW64\Icnpmp32.exe (cmdline: C:\Windows\system32\Icnpmp32.exe) PID:6620
[171] C:\Windows\SysWOW64\Iikhfg32.exe (cmdline: C:\Windows\system32\Iikhfg32.exe) PID:6672
[172] C:\Windows\SysWOW64\Imfdff32.exe (cmdline: C:\Windows\system32\Imfdff32.exe) PID:6748
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
[173] C:\Windows\SysWOW64\Ipdqba32.exe (cmdline: C:\Windows\system32\Ipdqba32.exe) PID:6792
[174] C:\Windows\SysWOW64\Ibcmom32.exe (cmdline: C:\Windows\system32\Ibcmom32.exe) PID:6880
[175] C:\Windows\SysWOW64\Jimekgff.exe (cmdline: C:\Windows\system32\Jimekgff.exe) PID:6948
[176] C:\Windows\SysWOW64\Jlkagbej.exe (cmdline: C:\Windows\system32\Jlkagbej.exe) PID:7008
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
[177] C:\Windows\SysWOW64\Jpgmha32.exe (cmdline: C:\Windows\system32\Jpgmha32.exe) PID:7084
  - Adds autorun key to be loaded by Explorer.exe on startup
[178] C:\Windows\SysWOW64\Jbeidl32.exe (cmdline: C:\Windows\system32\Jbeidl32.exe) PID:7132
[179] C:\Windows\SysWOW64\Jfaedkdp.exe (cmdline: C:\Windows\system32\Jfaedkdp.exe) PID:6192
[180] C:\Windows\SysWOW64\Jioaqfcc.exe (cmdline: C:\Windows\system32\Jioaqfcc.exe) PID:6384
  - Modifies registry class
[181] C:\Windows\SysWOW64\Jlnnmb32.exe (cmdline: C:\Windows\system32\Jlnnmb32.exe) PID:6492
[182] C:\Windows\SysWOW64\Jcefno32.exe (cmdline: C:\Windows\system32\Jcefno32.exe) PID:6660
[183] C:\Windows\SysWOW64\Jfcbjk32.exe (cmdline: C:\Windows\system32\Jfcbjk32.exe) PID:6780
[184] C:\Windows\SysWOW64\Jianff32.exe (cmdline: C:\Windows\system32\Jianff32.exe) PID:6892
[185] C:\Windows\SysWOW64\Jlpkba32.exe (cmdline: C:\Windows\system32\Jlpkba32.exe) PID:6996
[186] C:\Windows\SysWOW64\Jcgbco32.exe (cmdline: C:\Windows\system32\Jcgbco32.exe) PID:7092
[187] C:\Windows\SysWOW64\Jehokgge.exe (cmdline: C:\Windows\system32\Jehokgge.exe) PID:6196
  - Modifies registry class
[188] C:\Windows\SysWOW64\Jmpgldhg.exe (cmdline: C:\Windows\system32\Jmpgldhg.exe) PID:6508
[189] C:\Windows\SysWOW64\Jpnchp32.exe (cmdline: C:\Windows\system32\Jpnchp32.exe) PID:6664
  - Drops file in System32 directory
  - Modifies registry class
[190] C:\Windows\SysWOW64\Jcioiood.exe (cmdline: C:\Windows\system32\Jcioiood.exe) PID:6868
[191] C:\Windows\SysWOW64\Jfhlejnh.exe (cmdline: C:\Windows\system32\Jfhlejnh.exe) PID:7048
  - Drops file in System32 directory
[192] C:\Windows\SysWOW64\Jeklag32.exe (cmdline: C:\Windows\system32\Jeklag32.exe) PID:6304
[193] C:\Windows\SysWOW64\Jmbdbd32.exe (cmdline: C:\Windows\system32\Jmbdbd32.exe) PID:6612
  - Drops file in System32 directory
[194] C:\Windows\SysWOW64\Jpppnp32.exe (cmdline: C:\Windows\system32\Jpppnp32.exe) PID:6976
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
[195] C:\Windows\SysWOW64\Kboljk32.exe (cmdline: C:\Windows\system32\Kboljk32.exe) PID:6184
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
[196] C:\Windows\SysWOW64\Kfjhkjle.exe (cmdline: C:\Windows\system32\Kfjhkjle.exe) PID:6860
[197] C:\Windows\SysWOW64\Kiidgeki.exe (cmdline: C:\Windows\system32\Kiidgeki.exe) PID:6200
[198] C:\Windows\SysWOW64\Kpbmco32.exe (cmdline: C:\Windows\system32\Kpbmco32.exe) PID:7004
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
[199] C:\Windows\SysWOW64\Kbaipkbi.exe (cmdline: C:\Windows\system32\Kbaipkbi.exe) PID:7172
  - Modifies registry class
[200] C:\Windows\SysWOW64\Kepelfam.exe (cmdline: C:\Windows\system32\Kepelfam.exe) PID:7212
  - Drops file in System32 directory
[201] C:\Windows\SysWOW64\Kikame32.exe (cmdline: C:\Windows\system32\Kikame32.exe) PID:7248
  - Drops file in System32 directory
[202] C:\Windows\SysWOW64\Klimip32.exe (cmdline: C:\Windows\system32\Klimip32.exe) PID:7296
  - Drops file in System32 directory
  - Modifies registry class
[203] C:\Windows\SysWOW64\Kdqejn32.exe (cmdline: C:\Windows\system32\Kdqejn32.exe) PID:7336
[204] C:\Windows\SysWOW64\Kfoafi32.exe (cmdline: C:\Windows\system32\Kfoafi32.exe) PID:7380
  - Adds autorun key to be loaded by Explorer.exe on startup
[205] C:\Windows\SysWOW64\Kimnbd32.exe (cmdline: C:\Windows\system32\Kimnbd32.exe) PID:7424
[206] C:\Windows\SysWOW64\Klljnp32.exe (cmdline: C:\Windows\system32\Klljnp32.exe) PID:7468
[207] C:\Windows\SysWOW64\Kbfbkj32.exe (cmdline: C:\Windows\system32\Kbfbkj32.exe) PID:7508
[208] C:\Windows\SysWOW64\Kedoge32.exe (cmdline: C:\Windows\system32\Kedoge32.exe) PID:7552
[209] C:\Windows\SysWOW64\Kmkfhc32.exe (cmdline: C:\Windows\system32\Kmkfhc32.exe) PID:7596
[210] C:\Windows\SysWOW64\Kdeoemeg.exe (cmdline: C:\Windows\system32\Kdeoemeg.exe) PID:7640
[211] C:\Windows\SysWOW64\Kfckahdj.exe (cmdline: C:\Windows\system32\Kfckahdj.exe) PID:7684
  - Drops file in System32 directory
[212] C:\Windows\SysWOW64\Kibgmdcn.exe (cmdline: C:\Windows\system32\Kibgmdcn.exe) PID:7728
  - Modifies registry class
[213] C:\Windows\SysWOW64\Kplpjn32.exe (cmdline: C:\Windows\system32\Kplpjn32.exe) PID:7772
  - Modifies registry class
[214] C:\Windows\SysWOW64\Lbjlfi32.exe (cmdline: C:\Windows\system32\Lbjlfi32.exe) PID:7816
[215] C:\Windows\SysWOW64\Lffhfh32.exe (cmdline: C:\Windows\system32\Lffhfh32.exe) PID:7860
[216] C:\Windows\SysWOW64\Liddbc32.exe (cmdline: C:\Windows\system32\Liddbc32.exe) PID:7908
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
[217] C:\Windows\SysWOW64\Lmppcbjd.exe (cmdline: C:\Windows\system32\Lmppcbjd.exe) PID:7944
[218] C:\Windows\SysWOW64\Lbmhlihl.exe (cmdline: C:\Windows\system32\Lbmhlihl.exe) PID:7988
  - Modifies registry class
[219] C:\Windows\SysWOW64\Lfhdlh32.exe (cmdline: C:\Windows\system32\Lfhdlh32.exe) PID:8032
  - Drops file in System32 directory
[220] C:\Windows\SysWOW64\Llemdo32.exe (cmdline: C:\Windows\system32\Llemdo32.exe) PID:8076
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
[221] C:\Windows\SysWOW64\Ldleel32.exe (cmdline: C:\Windows\system32\Ldleel32.exe) PID:8120
[222] C:\Windows\SysWOW64\Lfkaag32.exe (cmdline: C:\Windows\system32\Lfkaag32.exe) PID:8160
  - Adds autorun key to be loaded by Explorer.exe on startup
[223] C:\Windows\SysWOW64\Liimncmf.exe (cmdline: C:\Windows\system32\Liimncmf.exe) PID:6156
[224] C:\Windows\SysWOW64\Llgjjnlj.exe (cmdline: C:\Windows\system32\Llgjjnlj.exe) PID:7240
[225] C:\Windows\SysWOW64\Lbabgh32.exe (cmdline: C:\Windows\system32\Lbabgh32.exe) PID:7304
[226] C:\Windows\SysWOW64\Lgmngglp.exe (cmdline: C:\Windows\system32\Lgmngglp.exe) PID:7376
  - Modifies registry class
[227] C:\Windows\SysWOW64\Likjcbkc.exe (cmdline: C:\Windows\system32\Likjcbkc.exe) PID:7452
  - Drops file in System32 directory
[228] C:\Windows\SysWOW64\Ldanqkki.exe (cmdline: C:\Windows\system32\Ldanqkki.exe) PID:7528
[229] C:\Windows\SysWOW64\Lebkhc32.exe (cmdline: C:\Windows\system32\Lebkhc32.exe) PID:7588
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
[230] C:\Windows\SysWOW64\Lmiciaaj.exe (cmdline: C:\Windows\system32\Lmiciaaj.exe) PID:7652
[231] C:\Windows\SysWOW64\Lphoelqn.exe (cmdline: C:\Windows\system32\Lphoelqn.exe) PID:7716
[232] C:\Windows\SysWOW64\Mbfkbhpa.exe (cmdline: C:\Windows\system32\Mbfkbhpa.exe) PID:7812
[233] C:\Windows\SysWOW64\Mipcob32.exe (cmdline: C:\Windows\system32\Mipcob32.exe) PID:7868
  - Modifies registry class
[234] C:\Windows\SysWOW64\Mlopkm32.exe (cmdline: C:\Windows\system32\Mlopkm32.exe) PID:7916
  - Drops file in System32 directory
[235] C:\Windows\SysWOW64\Mdehlk32.exe (cmdline: C:\Windows\system32\Mdehlk32.exe) PID:7996
  - Adds autorun key to be loaded by Explorer.exe on startup
[236] C:\Windows\SysWOW64\Mgddhf32.exe (cmdline: C:\Windows\system32\Mgddhf32.exe) PID:8068
[237] C:\Windows\SysWOW64\Megdccmb.exe (cmdline: C:\Windows\system32\Megdccmb.exe) PID:8144
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
[238] C:\Windows\SysWOW64\Mlampmdo.exe (cmdline: C:\Windows\system32\Mlampmdo.exe) PID:7196
[239] C:\Windows\SysWOW64\Mckemg32.exe (cmdline: C:\Windows\system32\Mckemg32.exe) PID:7320
  - Adds autorun key to be loaded by Explorer.exe on startup
[240] C:\Windows\SysWOW64\Meiaib32.exe (cmdline: C:\Windows\system32\Meiaib32.exe) PID:7432
[241] C:\Windows\SysWOW64\Mmpijp32.exe (cmdline: C:\Windows\system32\Mmpijp32.exe) PID:7540
  - Adds autorun key to be loaded by Explorer.exe on startup
[242] C:\Windows\SysWOW64\Mpoefk32.exe (cmdline: C:\Windows\system32\Mpoefk32.exe) PID:7636