Analysis
max time kernel: 143s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-06-2024 00:59
Behavioral tasks
behavioral1: sample 182d94d45477565a03a17ed94880cd30_NeikiAnalytics.exe, resource win7-20240221-en
behavioral2: sample 182d94d45477565a03a17ed94880cd30_NeikiAnalytics.exe, resource win10v2004-20240508-en
The signatures on this page come from the win10v2004 run (behavioral2), matching the platform and resource listed above.
General
Target: 182d94d45477565a03a17ed94880cd30_NeikiAnalytics.exe
Size: 128KB
MD5: 182d94d45477565a03a17ed94880cd30
SHA1: b6f595406407e5db928f423c2fa75a9f5e602269
SHA256: fade3b3ef580767338761151ee4dbf0282765506332257aaa9deed229294de44
SHA512: 137ed7c9103f11e5bff25721ef0504e4ade8b1843897bc88e51911047c6a3dd2f1d38c6426a9c640b264ca7c2bf49bd22782350e2df526a1c486301bca8a7293
SSDEEP: 1536:559pstdETpOYPvrqdoq8KIOXgB+enPA6pCyc9yWuPlFEhXGoZcWiqgF72S7f/Quv:5592mTNOd/Y+qAoWuKX5mW2wS7IrHrYj
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
The sample registers a ShellServiceObjectDelayLoad (SSODL) entry. Explorer.exe instantiates every CLSID listed as a value under that key at logon, so the COM server the GUID resolves to (see "Modifies registry class" below) is loaded into explorer.exe without any Run key, scheduled task or service. All 64 writes target the same value under the WOW6432Node view of the key, i.e. the 32-bit registry view that the SysWOW64 stages see.
Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  by: Bdolhc32.exe, Camphf32.exe, Ndhmhh32.exe, Aqkgpedc.exe, Odkjng32.exe, Bgehcmmm.exe, Hofdacke.exe, Liddbc32.exe, Ocbddc32.exe, Cnnlaehj.exe, Cogmkl32.exe, Iihkpg32.exe, Pnonbk32.exe, Pjeoglgc.exe, Fljcmlfd.exe, Okjbpglo.exe, Abpcon32.exe, Jcllonma.exe, Gfpcgpae.exe, Fhqcam32.exe, Nggjdc32.exe, Qgqeappe.exe, Obangb32.exe, Docmgjhp.exe, Beeoaapl.exe, Pghieg32.exe, Chbnia32.exe, Ogkcpbam.exe, Odapnf32.exe, Obfhba32.exe, Olhlhjpd.exe, Kbceejpf.exe, Kefkme32.exe (33 writes)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"
  by: Ffgqqaip.exe, Qgcbgo32.exe, Abbpem32.exe, Ajneip32.exe, Eolpmi32.exe, Iehfdi32.exe, Obangb32.exe, Eefhjc32.exe, Ehljfnpn.exe, Hbnjmp32.exe, Ckpjfm32.exe, Cdiooblp.exe, Gbbkaako.exe, Mplhql32.exe, Ofcmfodb.exe, Hbpgbo32.exe, Mgddhf32.exe, Nlaegk32.exe, Chokikeb.exe, Cknnpm32.exe, Ngmgne32.exe, Njqmepik.exe, Ndhmhh32.exe, Dllfkn32.exe, Fdlnbm32.exe, Mmpijp32.exe, Accfbokl.exe, Gkoiefmj.exe, Beglgani.exe, Cajlhqjp.exe, Odpjcm32.exe (31 writes)
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan with the capability to download and install a range of additional malicious software, such as other Trojans, ransomware and cryptominers.
YARA rule family_berbew matched the following dropped files, all under C:\Windows\SysWOW64\:
Okhfjh32.exe, Obangb32.exe, Odpjcm32.exe, Okjbpglo.exe, Obdkma32.exe, Odbgim32.exe, Ojopad32.exe, Obfhba32.exe, Ogcpjhoq.exe, Ojalgcnd.exe, Odgqdlnj.exe, Pgemphmn.exe, Pjdilcla.exe, Pqnaim32.exe, Pghieg32.exe, Pjffbc32.exe, Pqpnombl.exe, Pgjfkg32.exe, Pndohaqe.exe, Pengdk32.exe, Pjkombfj.exe, Pbbgnpgl.exe, Pgopffec.exe, Pnihcq32.exe, Qecppkdm.exe, Qkmhlekj.exe, Qnkdhpjn.exe, Qchmagie.exe, Qloebdig.exe, Aegikj32.exe, Alabgd32.exe, Abkjdnoa.exe, Aejfpjne.exe, Becifhfj.exe, Blmacb32.exe, Eefhjc32.exe, Ekjfcipa.exe, Edbklofb.exe, Hiefcj32.exe, Hihbijhn.exe, Heocnk32.exe, Hbbdholl.exe, Ibjjhn32.exe, Ibqpimpl.exe, Jioaqfcc.exe, Jmmjgejj.exe, Jcllonma.exe, Kbceejpf.exe, Liddbc32.exe, Lfhdlh32.exe, Lepncd32.exe, Mbfkbhpa.exe, Mckemg32.exe, Migjoaaf.exe, Ngpccdlj.exe, Ncfdie32.exe, Ncianepl.exe, Ogkcpbam.exe, Pnonbk32.exe, Qnhahj32.exe, Qnjnnj32.exe, Anadoi32.exe, Bagflcje.exe, Bfdodjhm.exe
Executes dropped EXE (64 IoCs)
Each stage is written to C:\Windows\SysWOW64 by its predecessor (see "Drops file in System32") and launched by it (see "Suspicious use of WriteProcessMemory"); the pid order below is the spawn order.
pid   process
3492  Okhfjh32.exe
2732  Obangb32.exe
5072  Odpjcm32.exe
1336  Okjbpglo.exe
4784  Obdkma32.exe
2984  Odbgim32.exe
3864  Ojopad32.exe
876   Obfhba32.exe
2688  Ogcpjhoq.exe
4220  Ojalgcnd.exe
3100  Odgqdlnj.exe
2684  Pgemphmn.exe
4036  Pjdilcla.exe
560   Pqnaim32.exe
4576  Pghieg32.exe
1532  Pjffbc32.exe
2872  Pqpnombl.exe
1328  Pgjfkg32.exe
4516  Pndohaqe.exe
3476  Pengdk32.exe
3432  Pjkombfj.exe
4716  Pbbgnpgl.exe
1800  Pgopffec.exe
4704  Pnihcq32.exe
5096  Qecppkdm.exe
4116  Qkmhlekj.exe
4856  Qnkdhpjn.exe
2596  Qchmagie.exe
2176  Qloebdig.exe
4852  Aegikj32.exe
232   Alabgd32.exe
1992  Abkjdnoa.exe
3372  Aejfpjne.exe
1472  Ajfoiqll.exe
3532  Abngjnmo.exe
2256  Aelcfilb.exe
4136  Acocaf32.exe
1220  Ajiknpjj.exe
3136  Abpcon32.exe
4672  Aeopki32.exe
460   Ahmlgd32.exe
3760  Ajkhdp32.exe
3064  Abbpem32.exe
4552  Aealah32.exe
3036  Ahoimd32.exe
2136  Ajneip32.exe
3900  Abemjmgg.exe
4260  Becifhfj.exe
3652  Blmacb32.exe
2708  Bnlnon32.exe
3460  Bajjli32.exe
4324  Bdhfhe32.exe
2764  Blpnib32.exe
1704  Bbifelba.exe
3316  Behbag32.exe
3972  Bhfonc32.exe
2940  Bjdkjo32.exe
3116  Baocghgi.exe
4464  Bdmpcdfm.exe
2592  Bldgdago.exe
2672  Bbnpqk32.exe
3840  Bdolhc32.exe
628   Bkidenlg.exe
4964  Cbqlfkmi.exe
Drops file in System32 (64 IoCs)
The visible rows show each stage writing the next stage's .exe into C:\Windows\SysWOW64 (for example Pqpnombl.exe creates Pgjfkg32.exe, the process that follows it in the pid table above) together with .dll files that use the same 8-letter naming scheme as the InProcServer32 targets in "Modifies registry class". "File created" is the dropped artifact; "File opened for modification" is the write handle the parent takes on the next-stage binary. Both lists are capped at 64 rows, so the exact .dll-to-CLSID pairing is not shown here.
File opened for modification  C:\Windows\SysWOW64\Qnkdhpjn.exe  by Qkmhlekj.exe
File created  C:\Windows\SysWOW64\Eckgieoo.dll  by Dkoggkjo.exe
File created  C:\Windows\SysWOW64\Ncfdie32.exe  by Nnjlpo32.exe
File opened for modification  C:\Windows\SysWOW64\Ogkcpbam.exe  by Odmgcgbi.exe
File created  C:\Windows\SysWOW64\Pgjfkg32.exe  by Pqpnombl.exe
File created  C:\Windows\SysWOW64\Gfpcgpae.exe  by Gcagkdba.exe
File opened for modification  C:\Windows\SysWOW64\Ghopckpi.exe  by Gfpcgpae.exe
File created  C:\Windows\SysWOW64\Bkomqm32.dll  by Gbgdlq32.exe
File created  C:\Windows\SysWOW64\Elikfp32.dll  by Gkoiefmj.exe
File opened for modification  C:\Windows\SysWOW64\Oqhacgdh.exe  by Onjegled.exe
File created  C:\Windows\SysWOW64\Hjlena32.dll  by Amgapeea.exe
File created  C:\Windows\SysWOW64\Cliaoq32.exe  by Ceoibflm.exe
File opened for modification  C:\Windows\SysWOW64\Hfcicmqp.exe  by Hcdmga32.exe
File created  C:\Windows\SysWOW64\Kjqkei32.dll  by Ipnjab32.exe
File created  C:\Windows\SysWOW64\Gijlad32.dll  by Megdccmb.exe
File created  C:\Windows\SysWOW64\Dammlf32.dll  by Heocnk32.exe
File created  C:\Windows\SysWOW64\Dhidjpqc.exe  by Dekhneap.exe
File created  C:\Windows\SysWOW64\Pkbbae32.dll  by Hbeqmoji.exe
File created  C:\Windows\SysWOW64\Ogcpjhoq.exe  by Obfhba32.exe
File created  C:\Windows\SysWOW64\Gaiann32.dll  by Miemjaci.exe
File created  C:\Windows\SysWOW64\Pnonbk32.exe  by Pcijeb32.exe
File created  C:\Windows\SysWOW64\Pflplnlg.exe  by Pgioqq32.exe
File created  C:\Windows\SysWOW64\Cjinkg32.exe  by Cfmajipb.exe
File created  C:\Windows\SysWOW64\Efhaoapj.dll  by Llemdo32.exe
File created  C:\Windows\SysWOW64\Kplcdidf.dll  by Eefhjc32.exe
File created  C:\Windows\SysWOW64\Gomakdcp.exe  by Gkaejf32.exe
File opened for modification  C:\Windows\SysWOW64\Mcpnhfhf.exe  by Migjoaaf.exe
File created  C:\Windows\SysWOW64\Bjagjhnc.exe  by Bgcknmop.exe
File opened for modification  C:\Windows\SysWOW64\Camphf32.exe  by Conclk32.exe
File created  C:\Windows\SysWOW64\Dhbbhk32.dll  by Kikame32.exe
File created  C:\Windows\SysWOW64\Pjeoglgc.exe  by Pggbkagp.exe
File opened for modification  C:\Windows\SysWOW64\Jeaikh32.exe  by Ibcmom32.exe
File created  C:\Windows\SysWOW64\Igoedk32.dll  by Ekcpbj32.exe
File opened for modification  C:\Windows\SysWOW64\Bdolhc32.exe  by Bbnpqk32.exe
File created  C:\Windows\SysWOW64\Oddmdf32.exe  by Oqhacgdh.exe
File opened for modification  C:\Windows\SysWOW64\Qgqeappe.exe  by Qdbiedpa.exe
File created  C:\Windows\SysWOW64\Gmdlbjng.dll  by Afmhck32.exe
File created  C:\Windows\SysWOW64\Ecjhcg32.exe  by Ekcpbj32.exe
File created  C:\Windows\SysWOW64\Kfankifm.exe  by Kmijbcpl.exe
File opened for modification  C:\Windows\SysWOW64\Cjinkg32.exe  by Cfmajipb.exe
File created  C:\Windows\SysWOW64\Conclk32.exe  by Clpgpp32.exe
File created  C:\Windows\SysWOW64\Gfembo32.exe  by Gcfqfc32.exe
File created  C:\Windows\SysWOW64\Nloiakho.exe  by Njqmepik.exe
File created  C:\Windows\SysWOW64\Bmfpfmmm.dll  by Ojjolnaq.exe
File created  C:\Windows\SysWOW64\Docmgjhp.exe  by Dhidjpqc.exe
File opened for modification  C:\Windows\SysWOW64\Olcbmj32.exe  by Nggjdc32.exe
File created  C:\Windows\SysWOW64\Ghekgcil.dll  by Ageolo32.exe
File created  C:\Windows\SysWOW64\Dbfmkjoa.dll  by Gdjjckag.exe
File created  C:\Windows\SysWOW64\Deeiam32.dll  by Pflplnlg.exe
File created  C:\Windows\SysWOW64\Cabfga32.exe  by Cjinkg32.exe
File created  C:\Windows\SysWOW64\Iiaephpc.exe  by Hfcicmqp.exe
File created  C:\Windows\SysWOW64\Ciglpe32.dll  by Hkfoeega.exe
File created  C:\Windows\SysWOW64\Hfgefhai.dll  by Hcmgfbhd.exe
File opened for modification  C:\Windows\SysWOW64\Hcdmga32.exe  by Hkmefd32.exe
File opened for modification  C:\Windows\SysWOW64\Ibcmom32.exe  by Ilidbbgl.exe
File created  C:\Windows\SysWOW64\Kikame32.exe  by Kfmepi32.exe
File created  C:\Windows\SysWOW64\Bfdodjhm.exe  by Bcebhoii.exe
File created  C:\Windows\SysWOW64\Geplnioe.dll  by Fkalchij.exe
File created  C:\Windows\SysWOW64\Llgjjnlj.exe  by Lenamdem.exe
File created  C:\Windows\SysWOW64\Baacma32.dll  by Aqkgpedc.exe
File created  C:\Windows\SysWOW64\Dmefhako.exe  by Dfknkg32.exe
File created  C:\Windows\SysWOW64\Hhhbcf32.dll  by Fbpnkama.exe
File opened for modification  C:\Windows\SysWOW64\Ahoimd32.exe  by Aealah32.exe
File created  C:\Windows\SysWOW64\Chpada32.exe  by Ceaehfjj.exe
Program crash (1 IoC)
pid   pid_target  process       target process
6804  1444        WerFault.exe  Dmllipeg.exe
One dropped stage (Dmllipeg.exe, pid 1444) crashed and was handled by WerFault.exe; it does not appear in the 64 "Executes dropped EXE" rows shown above.
Modifies registry class (64 IoCs)
All 64 writes register the in-process COM server for CLSID {79FAA099-1BAE-816E-D711-115290CEE717}, the GUID placed in ShellServiceObjectDelayLoad above, under the 32-bit view HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{...}\InProcServer32. The (Default) value names the DLL explorer.exe loads for that CLSID; each writer points it at a different DLL under C:\Windows\SysWow64, so the last writer determines which DLL is actually loaded at the next logon. ThreadingModel = "Apartment" is the ordinary STA registration a shell extension needs.
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32
  by: Chagok32.exe, Conclk32.exe, Odbgim32.exe, Lmgfda32.exe, Hihbijhn.exe, Ddmaok32.exe, Ekcpbj32.exe, Ehimanbq.exe, Cliaoq32.exe, Aealah32.exe, Bbifelba.exe, Ekacmjgl.exe, Kbceejpf.exe, Lfhdlh32.exe, Fafkecel.exe, Fbpnkama.exe (16 writes)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"
  by: Ajiknpjj.exe, Gkaejf32.exe, Cfmajipb.exe, Accfbokl.exe, Ehedfo32.exe, Eekaebcm.exe, Heocnk32.exe, Olkhmi32.exe, Eabbjc32.exe, Ogcpjhoq.exe, Blmacb32.exe, Ceaehfjj.exe, Ibcmom32.exe, Ngmgne32.exe, Olcbmj32.exe, Hbbdholl.exe, Bhhdil32.exe, Fcfhof32.exe, Clpgpp32.exe, Mdehlk32.exe, Llgjjnlj.exe, Bfabnjjp.exe, Bmngqdpj.exe, Liddbc32.exe, Gdqgmmjb.exe, Beeoaapl.exe (26 writes)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ (Default), in report order (22 writes; backslashes doubled as in the report):
  "C:\\Windows\\SysWow64\\Fjbnapki.dll"  by Pcijeb32.exe
  "C:\\Windows\\SysWow64\\Ingfla32.dll"  by Chcddk32.exe
  "C:\\Windows\\SysWow64\\Fjegoh32.dll"  by Nlaegk32.exe
  "C:\\Windows\\SysWow64\\Hfmbha32.dll"  by Ibcmom32.exe
  "C:\\Windows\\SysWow64\\Bhoilahe.dll"  by Jmbdbd32.exe
  "C:\\Windows\\SysWow64\\Dmbcpkhj.dll"  by Bbifelba.exe
  "C:\\Windows\\SysWow64\\Mgbpghdn.dll"  by Aadifclh.exe
  "C:\\Windows\\SysWow64\\Mkoqfnpl.dll"  by Jifhaenk.exe
  "C:\\Windows\\SysWow64\\Hmmblqfc.dll"  by Pqbdjfln.exe
  "C:\\Windows\\SysWow64\\Dajbcgdm.dll"  by Baocghgi.exe
  "C:\\Windows\\SysWow64\\Dhcbhjlp.dll"  by Dhidjpqc.exe
  "C:\\Windows\\SysWow64\\Akichh32.dll"  by Beeoaapl.exe
  "C:\\Windows\\SysWow64\\Nqbjqh32.dll"  by Ceaehfjj.exe
  "C:\\Windows\\SysWow64\\Pkmlea32.dll"  by Qgcbgo32.exe
  "C:\\Windows\\SysWow64\\Fcneih32.dll"  by Gfpcgpae.exe
  "C:\\Windows\\SysWow64\\Dmamoe32.dll"  by Jbhfjljd.exe
  "C:\\Windows\\SysWow64\\Cihmlb32.dll"  by Nnjlpo32.exe
  "C:\\Windows\\SysWow64\\Llmglb32.dll"  by Opdghh32.exe
  "C:\\Windows\\SysWow64\\Djoeni32.dll"  by Ocnjidkf.exe
  "C:\\Windows\\SysWow64\\Ohjdgn32.dll"  by Ogkcpbam.exe
  "C:\\Windows\\SysWow64\\Lommhphi.dll"  by Bfabnjjp.exe
  "C:\\Windows\\SysWow64\\Eodpoobg.dll"  by Becifhfj.exe
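The "Adds autorun key" and "Modifies registry class" signatures above are two halves of one persistence chain: SSODL value name -> CLSID -> InProcServer32 DLL. The following Python is an added example, not part of the sandbox report and not Berbew or sandbox code. It parses rows in the report's own "Set value (str) <key> = "<data>" <process>" layout, resolves each SSODL value to the DLL its CLSID points at, and keeps the full write history so the last writer (the DLL explorer.exe would load at the next logon) is visible rather than the first. The sample rows are a constructed subset copied from the tables above; nothing is read from a live registry, and any report dump or reg-export converted to this shape can be fed in instead.

```python
import re
from collections import OrderedDict

# Constructed sample: seven rows copied from the report's "Adds autorun key" and
# "Modifies registry class" tables, in the report's own layout. The 'Key created'
# row is included to show that rows without data are skipped.
SAMPLE_ROWS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ffgqqaip.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbnapki.dll" Pcijeb32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ajiknpjj.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdolhc32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll" Chcddk32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qgcbgo32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eodpoobg.dll" Becifhfj.exe
'''

# One report row: "Set value (str) <key path> = "<data>" <writing process>".
ROW_RE = re.compile(r'^Set value \(str\) (?P<key>.+?) = "(?P<data>.*?)" (?P<proc>\S+)$')
# SSODL value name is the last path component; its data is the CLSID to load.
SSODL_RE = re.compile(r'\\ShellServiceObjectDelayLoad\\(?P<name>[^\\]+)$', re.I)
# InProcServer32 values: "" is the (Default) value holding the DLL path.
CLSID_RE = re.compile(r'\\CLSID\\(?P<guid>\{[0-9A-F-]+\})\\InProcServer32\\(?P<value>[^\\]*)$', re.I)


def parse_rows(text):
    """Keep only the 'Set value (str)' rows; 'Key created' rows carry no data."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def resolve_ssodl(rows):
    """Resolve every SSODL value to its CLSID and the InProcServer32 DLL history.

    Returns one dict per SSODL value name, in first-seen order. 'dll_history'
    keeps every (dll, writer) pair in report order because each stage rewrites
    the same (Default) value; only the last write is what explorer.exe loads.
    """
    clsid_dlls = {}          # guid -> [(dll path, writing process), ...]
    ssodl = OrderedDict()    # value name -> {"clsid": guid, "writers": [...]}
    for r in rows:
        m = CLSID_RE.search(r["key"])
        if m:
            if m.group("value") == "":                      # (Default) = DLL path
                dll = r["data"].replace("\\\\", "\\")       # undo the report's escaping
                clsid_dlls.setdefault(m.group("guid").upper(), []).append((dll, r["proc"]))
            continue                                        # ThreadingModel etc. carry no DLL
        m = SSODL_RE.search(r["key"])
        if m:
            entry = ssodl.setdefault(m.group("name"),
                                     {"clsid": r["data"].upper(), "writers": []})
            entry["writers"].append(r["proc"])
    chains = []
    for name, entry in ssodl.items():
        history = clsid_dlls.get(entry["clsid"], [])
        chains.append({
            "ssodl_name": name,
            "clsid": entry["clsid"],
            "ssodl_writers": entry["writers"],
            "dll_history": history,
            "effective_dll": history[-1][0] if history else None,   # last writer wins
            "unresolved": not history,    # SSODL names a CLSID nobody registered
        })
    return chains


if __name__ == "__main__":
    for c in resolve_ssodl(parse_rows(SAMPLE_ROWS)):
        print(f'{c["ssodl_name"]} -> {c["clsid"]} -> {c["effective_dll"]} '
              f'({len(c["dll_history"])} rewrites; SSODL set by {", ".join(c["ssodl_writers"])})')
```

The same two-step resolution is what to apply on a live host: enumerate the values under both the native and the WOW6432Node ShellServiceObjectDelayLoad keys, then look up each GUID's InProcServer32 in the matching Classes view. An SSODL entry whose CLSID resolves to nothing ("unresolved" above) is worth as much attention as one that resolves to a fresh DLL, since it means the registration was removed or is staged for a later write.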
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
182d94d45477565a03a17ed94880cd30_NeikiAnalytics.exe, Okhfjh32.exe, Obangb32.exe, Odpjcm32.exe, Okjbpglo.exe, Obdkma32.exe, Odbgim32.exe, Ojopad32.exe, Obfhba32.exe, Ogcpjhoq.exe, Ojalgcnd.exe, Odgqdlnj.exe, Pgemphmn.exe, Pjdilcla.exe, Pqnaim32.exe, Pghieg32.exe, Pjffbc32.exe, Pqpnombl.exe, Pgjfkg32.exe, Pndohaqe.exe, Pengdk32.exe, Pjkombfj.exe
description pid process target process
PID 1776 wrote to memory of 3492 1776 182d94d45477565a03a17ed94880cd30_NeikiAnalytics.exe Okhfjh32.exe
PID 1776 wrote to memory of 3492 1776 182d94d45477565a03a17ed94880cd30_NeikiAnalytics.exe Okhfjh32.exe
PID 1776 wrote to memory of 3492 1776 182d94d45477565a03a17ed94880cd30_NeikiAnalytics.exe Okhfjh32.exe
PID 3492 wrote to memory of 2732 3492 Okhfjh32.exe Obangb32.exe
PID 3492 wrote to memory of 2732 3492 Okhfjh32.exe Obangb32.exe
PID 3492 wrote to memory of 2732 3492 Okhfjh32.exe Obangb32.exe
PID 2732 wrote to memory of 5072 2732 Obangb32.exe Odpjcm32.exe
PID 2732 wrote to memory of 5072 2732 Obangb32.exe Odpjcm32.exe
PID 2732 wrote to memory of 5072 2732 Obangb32.exe Odpjcm32.exe
PID 5072 wrote to memory of 1336 5072 Odpjcm32.exe Okjbpglo.exe
PID 5072 wrote to memory of 1336 5072 Odpjcm32.exe Okjbpglo.exe
PID 5072 wrote to memory of 1336 5072 Odpjcm32.exe Okjbpglo.exe
PID 1336 wrote to memory of 4784 1336 Okjbpglo.exe Obdkma32.exe
PID 1336 wrote to memory of 4784 1336 Okjbpglo.exe Obdkma32.exe
PID 1336 wrote to memory of 4784 1336 Okjbpglo.exe Obdkma32.exe
PID 4784 wrote to memory of 2984 4784 Obdkma32.exe Odbgim32.exe
PID 4784 wrote to memory of 2984 4784 Obdkma32.exe Odbgim32.exe
PID 4784 wrote to memory of 2984 4784 Obdkma32.exe Odbgim32.exe
PID 2984 wrote to memory of 3864 2984 Odbgim32.exe Ojopad32.exe
PID 2984 wrote to memory of 3864 2984 Odbgim32.exe Ojopad32.exe
PID 2984 wrote to memory of 3864 2984 Odbgim32.exe Ojopad32.exe
PID 3864 wrote to memory of 876 3864 Ojopad32.exe Obfhba32.exe
PID 3864 wrote to memory of 876 3864 Ojopad32.exe Obfhba32.exe
PID 3864 wrote to memory of 876 3864 Ojopad32.exe Obfhba32.exe
PID 876 wrote to memory of 2688 876 Obfhba32.exe Ogcpjhoq.exe
PID 876 wrote to memory of 2688 876 Obfhba32.exe Ogcpjhoq.exe
PID 876 wrote to memory of 2688 876 Obfhba32.exe Ogcpjhoq.exe
PID 2688 wrote to memory of 4220 2688 Ogcpjhoq.exe Ojalgcnd.exe
PID 2688 wrote to memory of 4220 2688 Ogcpjhoq.exe Ojalgcnd.exe
PID 2688 wrote to memory of 4220 2688 Ogcpjhoq.exe Ojalgcnd.exe
PID 4220 wrote to memory of 3100 4220 Ojalgcnd.exe Odgqdlnj.exe
PID 4220 wrote to memory of 3100 4220 Ojalgcnd.exe Odgqdlnj.exe
PID 4220 wrote to memory of 3100 4220 Ojalgcnd.exe Odgqdlnj.exe
PID 3100 wrote to memory of 2684 3100 Odgqdlnj.exe Pgemphmn.exe
PID 3100 wrote to memory of 2684 3100 Odgqdlnj.exe Pgemphmn.exe
PID 3100 wrote to memory of 2684 3100 Odgqdlnj.exe Pgemphmn.exe
PID 2684 wrote to memory of 4036 2684 Pgemphmn.exe Pjdilcla.exe
PID 2684 wrote to memory of 4036 2684 Pgemphmn.exe Pjdilcla.exe
PID 2684 wrote to memory of 4036 2684 Pgemphmn.exe Pjdilcla.exe
PID 4036 wrote to memory of 560 4036 Pjdilcla.exe Pqnaim32.exe
PID 4036 wrote to memory of 560 4036 Pjdilcla.exe Pqnaim32.exe
PID 4036 wrote to memory of 560 4036 Pjdilcla.exe Pqnaim32.exe
PID 560 wrote to memory of 4576 560 Pqnaim32.exe Pghieg32.exe
PID 560 wrote to memory of 4576 560 Pqnaim32.exe Pghieg32.exe
PID 560 wrote to memory of 4576 560 Pqnaim32.exe Pghieg32.exe
PID 4576 wrote to memory of 1532 4576 Pghieg32.exe Pjffbc32.exe
PID 4576 wrote to memory of 1532 4576 Pghieg32.exe Pjffbc32.exe
PID 4576 wrote to memory of 1532 4576 Pghieg32.exe Pjffbc32.exe
PID 1532 wrote to memory of 2872 1532 Pjffbc32.exe Pqpnombl.exe
PID 1532 wrote to memory of 2872 1532 Pjffbc32.exe Pqpnombl.exe
PID 1532 wrote to memory of 2872 1532 Pjffbc32.exe Pqpnombl.exe
PID 2872 wrote to memory of 1328 2872 Pqpnombl.exe Pgjfkg32.exe
PID 2872 wrote to memory of 1328 2872 Pqpnombl.exe Pgjfkg32.exe
PID 2872 wrote to memory of 1328 2872 Pqpnombl.exe Pgjfkg32.exe
PID 1328 wrote to memory of 4516 1328 Pgjfkg32.exe Pndohaqe.exe
PID 1328 wrote to memory of 4516 1328 Pgjfkg32.exe Pndohaqe.exe
PID 1328 wrote to memory of 4516 1328 Pgjfkg32.exe Pndohaqe.exe
PID 4516 wrote to memory of 3476 4516 Pndohaqe.exe Pengdk32.exe
PID 4516 wrote to memory of 3476 4516 Pndohaqe.exe Pengdk32.exe
PID 4516 wrote to memory of 3476 4516 Pndohaqe.exe Pengdk32.exe
PID 3476 wrote to memory of 3432 3476 Pengdk32.exe Pjkombfj.exe
PID 3476 wrote to memory of 3432 3476 Pengdk32.exe Pjkombfj.exe
PID 3476 wrote to memory of 3432 3476 Pengdk32.exe Pjkombfj.exe
PID 3432 wrote to memory of 4716 3432 Pjkombfj.exe Pbbgnpgl.exe
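The 64 records of this signature describe one linear chain: the submitted sample writes into the memory of Okhfjh32.exe, Okhfjh32.exe writes into Obangb32.exe, and so on, each process writing into exactly the one process it spawns (three records per pair, one for the last pair the run captured). The Python below is an added example, not code from the report: it pulls the records out of the run-together text with a regular expression, rebuilds the writer-to-target graph, finds the root, and walks the chain, stopping if any process has written into more than one target. The embedded input is a constructed excerpt of the first ten records above, joined on one line the way the extracted report presents them; the function names are this example's own.

```python
import re
from collections import Counter

# One record of the "Suspicious use of WriteProcessMemory" signature:
#   PID <src> wrote to memory of <dst> <src> <src image> <dst image>
RECORD_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<src_image>\S+) (?P<dst_image>\S+)"
)

# Constructed excerpt: the first ten records of the signature, run together on
# one line exactly as the extracted report presents them.
SAMPLE_BLOB = (
    "PID 1776 wrote to memory of 3492 1776 182d94d45477565a03a17ed94880cd30_NeikiAnalytics.exe Okhfjh32.exe "
    "PID 1776 wrote to memory of 3492 1776 182d94d45477565a03a17ed94880cd30_NeikiAnalytics.exe Okhfjh32.exe "
    "PID 1776 wrote to memory of 3492 1776 182d94d45477565a03a17ed94880cd30_NeikiAnalytics.exe Okhfjh32.exe "
    "PID 3492 wrote to memory of 2732 3492 Okhfjh32.exe Obangb32.exe "
    "PID 3492 wrote to memory of 2732 3492 Okhfjh32.exe Obangb32.exe "
    "PID 3492 wrote to memory of 2732 3492 Okhfjh32.exe Obangb32.exe "
    "PID 2732 wrote to memory of 5072 2732 Obangb32.exe Odpjcm32.exe "
    "PID 2732 wrote to memory of 5072 2732 Obangb32.exe Odpjcm32.exe "
    "PID 2732 wrote to memory of 5072 2732 Obangb32.exe Odpjcm32.exe "
    "PID 5072 wrote to memory of 1336 5072 Odpjcm32.exe Okjbpglo.exe"
)


def parse_writes(blob):
    """Return (src_pid, dst_pid, src_image, dst_image) per record, in order."""
    return [(int(m["src"]), int(m["dst"]), m["src_image"], m["dst_image"])
            for m in RECORD_RE.finditer(blob)]


def build_graph(writes):
    """Writer PID -> set of target PIDs, plus PID -> image name."""
    edges, images = {}, {}
    for src, dst, src_img, dst_img in writes:
        edges.setdefault(src, set()).add(dst)
        images[src], images[dst] = src_img, dst_img
    return edges, images


def find_roots(edges):
    """Writers that nobody wrote into: the start of each chain."""
    targets = {d for ds in edges.values() for d in ds}
    return sorted(p for p in edges if p not in targets)


def is_linear_chain(edges):
    """True when there is one root and every writer has exactly one target."""
    return len(find_roots(edges)) == 1 and all(len(c) == 1 for c in edges.values())


def walk_chain(edges, images, root):
    """Follow the writes from root as (pid, image) pairs; stops at a process
    that wrote into zero or several targets, or if the walk would loop."""
    chain, seen, pid = [], set(), root
    while pid is not None and pid not in seen:
        seen.add(pid)
        chain.append((pid, images[pid]))
        children = edges.get(pid, set())
        pid = next(iter(children)) if len(children) == 1 else None
    return chain


def edge_multiplicity(writes):
    """How many write records the report logged for each (src, dst) pair."""
    return Counter((s, d) for s, d, _, _ in writes)


if __name__ == "__main__":
    w = parse_writes(SAMPLE_BLOB)
    e, img = build_graph(w)
    for pid, image in walk_chain(e, img, find_roots(e)[0]):
        print(pid, image)
```

Run against all 64 records the walk yields 23 processes ending at Pbbgnpgl.exe, which is exactly the spine of the process tree below. Note that the tree lists every image under C:\Windows\SysWOW64 while each command line names C:\Windows\system32: that is WoW64 file-system redirection for a 32-bit process, consistent with the WOW6432Node registry paths in the signatures above, so detection content keyed on the path should match both spellings.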
Processes
-
C:\Users\Admin\AppData\Local\Temp\182d94d45477565a03a17ed94880cd30_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\182d94d45477565a03a17ed94880cd30_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1776 -
C:\Windows\SysWOW64\Okhfjh32.exeC:\Windows\system32\Okhfjh32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3492 -
C:\Windows\SysWOW64\Obangb32.exeC:\Windows\system32\Obangb32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Odpjcm32.exeC:\Windows\system32\Odpjcm32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5072 -
C:\Windows\SysWOW64\Okjbpglo.exeC:\Windows\system32\Okjbpglo.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1336 -
C:\Windows\SysWOW64\Obdkma32.exeC:\Windows\system32\Obdkma32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4784 -
C:\Windows\SysWOW64\Odbgim32.exeC:\Windows\system32\Odbgim32.exe7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Ojopad32.exeC:\Windows\system32\Ojopad32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3864 -
C:\Windows\SysWOW64\Obfhba32.exeC:\Windows\system32\Obfhba32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:876 -
C:\Windows\SysWOW64\Ogcpjhoq.exeC:\Windows\system32\Ogcpjhoq.exe10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Ojalgcnd.exeC:\Windows\system32\Ojalgcnd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4220 -
C:\Windows\SysWOW64\Odgqdlnj.exeC:\Windows\system32\Odgqdlnj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3100 -
C:\Windows\SysWOW64\Pgemphmn.exeC:\Windows\system32\Pgemphmn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Pjdilcla.exeC:\Windows\system32\Pjdilcla.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4036 -
C:\Windows\SysWOW64\Pqnaim32.exeC:\Windows\system32\Pqnaim32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:560 -
C:\Windows\SysWOW64\Pghieg32.exeC:\Windows\system32\Pghieg32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4576 -
C:\Windows\SysWOW64\Pjffbc32.exeC:\Windows\system32\Pjffbc32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\SysWOW64\Pqpnombl.exeC:\Windows\system32\Pqpnombl.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Pgjfkg32.exeC:\Windows\system32\Pgjfkg32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1328 -
C:\Windows\SysWOW64\Pndohaqe.exeC:\Windows\system32\Pndohaqe.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
C:\Windows\SysWOW64\Pengdk32.exeC:\Windows\system32\Pengdk32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3476 -
C:\Windows\SysWOW64\Pjkombfj.exeC:\Windows\system32\Pjkombfj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3432 -
C:\Windows\SysWOW64\Pbbgnpgl.exeC:\Windows\system32\Pbbgnpgl.exe23⤵
- Executes dropped EXE
PID:4716 -
C:\Windows\SysWOW64\Pgopffec.exeC:\Windows\system32\Pgopffec.exe24⤵
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Pnihcq32.exeC:\Windows\system32\Pnihcq32.exe25⤵
- Executes dropped EXE
PID:4704 -
C:\Windows\SysWOW64\Qecppkdm.exeC:\Windows\system32\Qecppkdm.exe26⤵
- Executes dropped EXE
PID:5096 -
C:\Windows\SysWOW64\Qkmhlekj.exeC:\Windows\system32\Qkmhlekj.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4116 -
C:\Windows\SysWOW64\Qnkdhpjn.exeC:\Windows\system32\Qnkdhpjn.exe28⤵
- Executes dropped EXE
PID:4856 -
C:\Windows\SysWOW64\Qchmagie.exeC:\Windows\system32\Qchmagie.exe29⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Qloebdig.exeC:\Windows\system32\Qloebdig.exe30⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Qnnanphk.exeC:\Windows\system32\Qnnanphk.exe31⤵PID:4296
-
C:\Windows\SysWOW64\Aegikj32.exeC:\Windows\system32\Aegikj32.exe32⤵
- Executes dropped EXE
PID:4852 -
C:\Windows\SysWOW64\Alabgd32.exeC:\Windows\system32\Alabgd32.exe33⤵
- Executes dropped EXE
PID:232 -
C:\Windows\SysWOW64\Abkjdnoa.exeC:\Windows\system32\Abkjdnoa.exe34⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Aejfpjne.exeC:\Windows\system32\Aejfpjne.exe35⤵
- Executes dropped EXE
PID:3372 -
C:\Windows\SysWOW64\Ajfoiqll.exeC:\Windows\system32\Ajfoiqll.exe36⤵
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Abngjnmo.exeC:\Windows\system32\Abngjnmo.exe37⤵
- Executes dropped EXE
PID:3532 -
C:\Windows\SysWOW64\Aelcfilb.exeC:\Windows\system32\Aelcfilb.exe38⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Acocaf32.exeC:\Windows\system32\Acocaf32.exe39⤵
- Executes dropped EXE
PID:4136 -
C:\Windows\SysWOW64\Ajiknpjj.exeC:\Windows\system32\Ajiknpjj.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:1220 -
C:\Windows\SysWOW64\Abpcon32.exeC:\Windows\system32\Abpcon32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3136 -
C:\Windows\SysWOW64\Aeopki32.exeC:\Windows\system32\Aeopki32.exe42⤵
- Executes dropped EXE
PID:4672 -
C:\Windows\SysWOW64\Ahmlgd32.exeC:\Windows\system32\Ahmlgd32.exe43⤵
- Executes dropped EXE
PID:460 -
C:\Windows\SysWOW64\Ajkhdp32.exeC:\Windows\system32\Ajkhdp32.exe44⤵
- Executes dropped EXE
PID:3760 -
C:\Windows\SysWOW64\Abbpem32.exeC:\Windows\system32\Abbpem32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Aealah32.exeC:\Windows\system32\Aealah32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4552 -
C:\Windows\SysWOW64\Ahoimd32.exeC:\Windows\system32\Ahoimd32.exe47⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Ajneip32.exeC:\Windows\system32\Ajneip32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Abemjmgg.exeC:\Windows\system32\Abemjmgg.exe49⤵
- Executes dropped EXE
PID:3900 -
C:\Windows\SysWOW64\Becifhfj.exeC:\Windows\system32\Becifhfj.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:4260 -
C:\Windows\SysWOW64\Blmacb32.exeC:\Windows\system32\Blmacb32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:3652 -
C:\Windows\SysWOW64\Bnlnon32.exeC:\Windows\system32\Bnlnon32.exe52⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Bajjli32.exeC:\Windows\system32\Bajjli32.exe53⤵
- Executes dropped EXE
PID:3460 -
C:\Windows\SysWOW64\Bdhfhe32.exeC:\Windows\system32\Bdhfhe32.exe54⤵
- Executes dropped EXE
PID:4324 -
C:\Windows\SysWOW64\Blpnib32.exeC:\Windows\system32\Blpnib32.exe55⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Bbifelba.exeC:\Windows\system32\Bbifelba.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:1704 -
C:\Windows\SysWOW64\Behbag32.exeC:\Windows\system32\Behbag32.exe57⤵
- Executes dropped EXE
PID:3316 -
C:\Windows\SysWOW64\Bhfonc32.exeC:\Windows\system32\Bhfonc32.exe58⤵
- Executes dropped EXE
PID:3972 -
C:\Windows\SysWOW64\Bjdkjo32.exeC:\Windows\system32\Bjdkjo32.exe59⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Baocghgi.exeC:\Windows\system32\Baocghgi.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:3116 -
C:\Windows\SysWOW64\Bdmpcdfm.exeC:\Windows\system32\Bdmpcdfm.exe61⤵
- Executes dropped EXE
PID:4464 -
C:\Windows\SysWOW64\Bldgdago.exeC:\Windows\system32\Bldgdago.exe62⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Bbnpqk32.exeC:\Windows\system32\Bbnpqk32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2672 -
C:\Windows\SysWOW64\Bdolhc32.exeC:\Windows\system32\Bdolhc32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3840 -
C:\Windows\SysWOW64\Bkidenlg.exeC:\Windows\system32\Bkidenlg.exe65⤵
- Executes dropped EXE
PID:628 -
C:\Windows\SysWOW64\Cbqlfkmi.exeC:\Windows\system32\Cbqlfkmi.exe66⤵
- Executes dropped EXE
PID:4964 -
C:\Windows\SysWOW64\Ceoibflm.exeC:\Windows\system32\Ceoibflm.exe67⤵
- Drops file in System32 directory
PID:3856 -
C:\Windows\SysWOW64\Cliaoq32.exeC:\Windows\system32\Cliaoq32.exe68⤵
- Modifies registry class
PID:5020 -
C:\Windows\SysWOW64\Cogmkl32.exeC:\Windows\system32\Cogmkl32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4580 -
C:\Windows\SysWOW64\Ceaehfjj.exeC:\Windows\system32\Ceaehfjj.exe70⤵
- Drops file in System32 directory
- Modifies registry class
PID:2224 -
C:\Windows\SysWOW64\Chpada32.exeC:\Windows\system32\Chpada32.exe71⤵PID:3416
-
C:\Windows\SysWOW64\Cknnpm32.exeC:\Windows\system32\Cknnpm32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3124 -
C:\Windows\SysWOW64\Cahfmgoo.exeC:\Windows\system32\Cahfmgoo.exe73⤵PID:2064
-
C:\Windows\SysWOW64\Chbnia32.exeC:\Windows\system32\Chbnia32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3340 -
C:\Windows\SysWOW64\Ckpjfm32.exeC:\Windows\system32\Ckpjfm32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3980 -
C:\Windows\SysWOW64\Cajcbgml.exeC:\Windows\system32\Cajcbgml.exe76⤵PID:1632
-
C:\Windows\SysWOW64\Cdiooblp.exeC:\Windows\system32\Cdiooblp.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3060 -
C:\Windows\SysWOW64\Clpgpp32.exeC:\Windows\system32\Clpgpp32.exe78⤵
- Drops file in System32 directory
- Modifies registry class
PID:3200 -
C:\Windows\SysWOW64\Conclk32.exeC:\Windows\system32\Conclk32.exe79⤵
- Drops file in System32 directory
- Modifies registry class
PID:4040 -
C:\Windows\SysWOW64\Camphf32.exeC:\Windows\system32\Camphf32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2056 -
C:\Windows\SysWOW64\Chghdqbf.exeC:\Windows\system32\Chghdqbf.exe81⤵PID:3108
-
C:\Windows\SysWOW64\Ckedalaj.exeC:\Windows\system32\Ckedalaj.exe82⤵PID:1600
-
C:\Windows\SysWOW64\Dekhneap.exeC:\Windows\system32\Dekhneap.exe83⤵
- Drops file in System32 directory
PID:436 -
C:\Windows\SysWOW64\Dhidjpqc.exeC:\Windows\system32\Dhidjpqc.exe84⤵
- Drops file in System32 directory
- Modifies registry class
PID:4736 -
C:\Windows\SysWOW64\Docmgjhp.exeC:\Windows\system32\Docmgjhp.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:184 -
C:\Windows\SysWOW64\Dlgmpogj.exeC:\Windows\system32\Dlgmpogj.exe86⤵PID:1740
-
C:\Windows\SysWOW64\Dkjmlk32.exeC:\Windows\system32\Dkjmlk32.exe87⤵PID:656
-
C:\Windows\SysWOW64\Dadeieea.exeC:\Windows\system32\Dadeieea.exe88⤵PID:4184
-
C:\Windows\SysWOW64\Ddbbeade.exeC:\Windows\system32\Ddbbeade.exe89⤵PID:5164
-
C:\Windows\SysWOW64\Dkljak32.exeC:\Windows\system32\Dkljak32.exe90⤵PID:5208
-
C:\Windows\SysWOW64\Dccbbhld.exeC:\Windows\system32\Dccbbhld.exe91⤵PID:5252
-
C:\Windows\SysWOW64\Deanodkh.exeC:\Windows\system32\Deanodkh.exe92⤵PID:5292
-
C:\Windows\SysWOW64\Dllfkn32.exeC:\Windows\system32\Dllfkn32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5340 -
C:\Windows\SysWOW64\Dkoggkjo.exeC:\Windows\system32\Dkoggkjo.exe94⤵
- Drops file in System32 directory
PID:5384 -
C:\Windows\SysWOW64\Dceohhja.exeC:\Windows\system32\Dceohhja.exe95⤵PID:5432
-
C:\Windows\SysWOW64\Ekacmjgl.exeC:\Windows\system32\Ekacmjgl.exe96⤵
- Modifies registry class
PID:5480 -
C:\Windows\SysWOW64\Eolpmi32.exeC:\Windows\system32\Eolpmi32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5524 -
C:\Windows\SysWOW64\Eefhjc32.exeC:\Windows\system32\Eefhjc32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5580 -
C:\Windows\SysWOW64\Ehedfo32.exeC:\Windows\system32\Ehedfo32.exe99⤵
- Modifies registry class
PID:5624 -
C:\Windows\SysWOW64\Ekcpbj32.exeC:\Windows\system32\Ekcpbj32.exe100⤵
- Drops file in System32 directory
- Modifies registry class
PID:5668 -
C:\Windows\SysWOW64\Ecjhcg32.exeC:\Windows\system32\Ecjhcg32.exe101⤵PID:5712
-
C:\Windows\SysWOW64\Eeidoc32.exeC:\Windows\system32\Eeidoc32.exe102⤵PID:5756
-
C:\Windows\SysWOW64\Edkdkplj.exeC:\Windows\system32\Edkdkplj.exe103⤵PID:5800
-
C:\Windows\SysWOW64\Elbmlmml.exeC:\Windows\system32\Elbmlmml.exe104⤵PID:5852
-
C:\Windows\SysWOW64\Eoaihhlp.exeC:\Windows\system32\Eoaihhlp.exe105⤵PID:5908
-
C:\Windows\SysWOW64\Ecmeig32.exeC:\Windows\system32\Ecmeig32.exe106⤵PID:5964
-
C:\Windows\SysWOW64\Eekaebcm.exeC:\Windows\system32\Eekaebcm.exe107⤵
- Modifies registry class
PID:6004 -
C:\Windows\SysWOW64\Ehimanbq.exeC:\Windows\system32\Ehimanbq.exe108⤵
- Modifies registry class
PID:6048 -
C:\Windows\SysWOW64\Eleiam32.exeC:\Windows\system32\Eleiam32.exe109⤵PID:6092
-
C:\Windows\SysWOW64\Eocenh32.exeC:\Windows\system32\Eocenh32.exe110⤵PID:6136
-
C:\Windows\SysWOW64\Eabbjc32.exeC:\Windows\system32\Eabbjc32.exe111⤵
- Modifies registry class
PID:5152 -
C:\Windows\SysWOW64\Edpnfo32.exeC:\Windows\system32\Edpnfo32.exe112⤵PID:5228
-
C:\Windows\SysWOW64\Ehljfnpn.exeC:\Windows\system32\Ehljfnpn.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5272 -
C:\Windows\SysWOW64\Ekjfcipa.exeC:\Windows\system32\Ekjfcipa.exe114⤵PID:5380
-
C:\Windows\SysWOW64\Eadopc32.exeC:\Windows\system32\Eadopc32.exe115⤵PID:5460
-
C:\Windows\SysWOW64\Edbklofb.exeC:\Windows\system32\Edbklofb.exe116⤵PID:5512
-
C:\Windows\SysWOW64\Fljcmlfd.exeC:\Windows\system32\Fljcmlfd.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5592 -
C:\Windows\SysWOW64\Fohoigfh.exeC:\Windows\system32\Fohoigfh.exe118⤵PID:5652
-
C:\Windows\SysWOW64\Fafkecel.exeC:\Windows\system32\Fafkecel.exe119⤵
- Modifies registry class
PID:5740 -
C:\Windows\SysWOW64\Fdegandp.exeC:\Windows\system32\Fdegandp.exe120⤵PID:5792
-
C:\Windows\SysWOW64\Fhqcam32.exeC:\Windows\system32\Fhqcam32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5892 -
C:\Windows\SysWOW64\Fkopnh32.exeC:\Windows\system32\Fkopnh32.exe122⤵PID:5988
-
C:\Windows\SysWOW64\Fcfhof32.exeC:\Windows\system32\Fcfhof32.exe123⤵
- Modifies registry class
PID:6032 -
C:\Windows\SysWOW64\Ffddka32.exeC:\Windows\system32\Ffddka32.exe124⤵PID:6132
-
C:\Windows\SysWOW64\Fhcpgmjf.exeC:\Windows\system32\Fhcpgmjf.exe125⤵PID:5128
-
C:\Windows\SysWOW64\Fkalchij.exeC:\Windows\system32\Fkalchij.exe126⤵
- Drops file in System32 directory
PID:5284 -
C:\Windows\SysWOW64\Fchddejl.exeC:\Windows\system32\Fchddejl.exe127⤵PID:5372
-
C:\Windows\SysWOW64\Ffgqqaip.exeC:\Windows\system32\Ffgqqaip.exe128⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5520 -
C:\Windows\SysWOW64\Fhemmlhc.exeC:\Windows\system32\Fhemmlhc.exe129⤵PID:5608
-
C:\Windows\SysWOW64\Flqimk32.exeC:\Windows\system32\Flqimk32.exe130⤵PID:5692
-
C:\Windows\SysWOW64\Fckajehi.exeC:\Windows\system32\Fckajehi.exe131⤵PID:5880
-
C:\Windows\SysWOW64\Fbnafb32.exeC:\Windows\system32\Fbnafb32.exe132⤵PID:5996
-
C:\Windows\SysWOW64\Fdlnbm32.exeC:\Windows\system32\Fdlnbm32.exe133⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6100 -
C:\Windows\SysWOW64\Flceckoj.exeC:\Windows\system32\Flceckoj.exe134⤵PID:5248
-
C:\Windows\SysWOW64\Fbpnkama.exeC:\Windows\system32\Fbpnkama.exe135⤵
- Drops file in System32 directory
- Modifies registry class
PID:5420 -
C:\Windows\SysWOW64\Fdnjgmle.exeC:\Windows\system32\Fdnjgmle.exe136⤵PID:5576
-
C:\Windows\SysWOW64\Fhjfhl32.exeC:\Windows\system32\Fhjfhl32.exe137⤵PID:5752
-
C:\Windows\SysWOW64\Gkhbdg32.exeC:\Windows\system32\Gkhbdg32.exe138⤵PID:5924
-
C:\Windows\SysWOW64\Gcojed32.exeC:\Windows\system32\Gcojed32.exe139⤵PID:4224
-
C:\Windows\SysWOW64\Gbbkaako.exeC:\Windows\system32\Gbbkaako.exe140⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5308 -
C:\Windows\SysWOW64\Gdqgmmjb.exeC:\Windows\system32\Gdqgmmjb.exe141⤵
- Modifies registry class
PID:5660 -
C:\Windows\SysWOW64\Gkkojgao.exeC:\Windows\system32\Gkkojgao.exe142⤵PID:5984
-
C:\Windows\SysWOW64\Gcagkdba.exeC:\Windows\system32\Gcagkdba.exe143⤵
- Drops file in System32 directory
PID:5324 -
C:\Windows\SysWOW64\Gfpcgpae.exeC:\Windows\system32\Gfpcgpae.exe144⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5636 -
C:\Windows\SysWOW64\Ghopckpi.exeC:\Windows\system32\Ghopckpi.exe145⤵PID:6088
-
C:\Windows\SysWOW64\Gkmlofol.exeC:\Windows\system32\Gkmlofol.exe146⤵PID:6080
-
C:\Windows\SysWOW64\Gohhpe32.exeC:\Windows\system32\Gohhpe32.exe147⤵PID:5900
-
C:\Windows\SysWOW64\Gbgdlq32.exeC:\Windows\system32\Gbgdlq32.exe148⤵
- Drops file in System32 directory
PID:6160 -
C:\Windows\SysWOW64\Gfbploob.exeC:\Windows\system32\Gfbploob.exe149⤵PID:6204
-
C:\Windows\SysWOW64\Ghaliknf.exeC:\Windows\system32\Ghaliknf.exe150⤵PID:6252
-
C:\Windows\SysWOW64\Gkoiefmj.exeC:\Windows\system32\Gkoiefmj.exe151⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6288 -
C:\Windows\SysWOW64\Gcfqfc32.exeC:\Windows\system32\Gcfqfc32.exe152⤵
- Drops file in System32 directory
PID:6340 -
C:\Windows\SysWOW64\Gfembo32.exeC:\Windows\system32\Gfembo32.exe153⤵PID:6376
-
C:\Windows\SysWOW64\Gicinj32.exeC:\Windows\system32\Gicinj32.exe154⤵PID:6424
-
C:\Windows\SysWOW64\Gkaejf32.exeC:\Windows\system32\Gkaejf32.exe155⤵
- Drops file in System32 directory
- Modifies registry class
PID:6460 -
C:\Windows\SysWOW64\Gomakdcp.exeC:\Windows\system32\Gomakdcp.exe156⤵PID:6508
-
C:\Windows\SysWOW64\Gblngpbd.exeC:\Windows\system32\Gblngpbd.exe157⤵PID:6548
-
C:\Windows\SysWOW64\Gdjjckag.exeC:\Windows\system32\Gdjjckag.exe158⤵
- Drops file in System32 directory
PID:6588 -
C:\Windows\SysWOW64\Hiefcj32.exeC:\Windows\system32\Hiefcj32.exe159⤵PID:6632
-
C:\Windows\SysWOW64\Hopnqdan.exeC:\Windows\system32\Hopnqdan.exe160⤵PID:6676
-
C:\Windows\SysWOW64\Hbnjmp32.exeC:\Windows\system32\Hbnjmp32.exe161⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6716 -
C:\Windows\SysWOW64\Hihbijhn.exeC:\Windows\system32\Hihbijhn.exe162⤵
- Modifies registry class
PID:6760 -
C:\Windows\SysWOW64\Hkfoeega.exeC:\Windows\system32\Hkfoeega.exe163⤵
- Drops file in System32 directory
PID:6808 -
C:\Windows\SysWOW64\Hcmgfbhd.exeC:\Windows\system32\Hcmgfbhd.exe164⤵
- Drops file in System32 directory
PID:6848 -
C:\Windows\SysWOW64\Hbpgbo32.exeC:\Windows\system32\Hbpgbo32.exe165⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6892 -
C:\Windows\SysWOW64\Heocnk32.exeC:\Windows\system32\Heocnk32.exe166⤵
- Drops file in System32 directory
- Modifies registry class
PID:6940 -
C:\Windows\SysWOW64\Hkikkeeo.exeC:\Windows\system32\Hkikkeeo.exe167⤵PID:6980
-
C:\Windows\SysWOW64\Hcpclbfa.exeC:\Windows\system32\Hcpclbfa.exe168⤵PID:7016
-
C:\Windows\SysWOW64\Hbbdholl.exeC:\Windows\system32\Hbbdholl.exe169⤵
- Modifies registry class
PID:7060 -
C:\Windows\SysWOW64\Hofdacke.exeC:\Windows\system32\Hofdacke.exe170⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7104 -
C:\Windows\SysWOW64\Hbeqmoji.exeC:\Windows\system32\Hbeqmoji.exe171⤵
- Drops file in System32 directory
PID:7144 -
C:\Windows\SysWOW64\Hfqlnm32.exeC:\Windows\system32\Hfqlnm32.exe172⤵PID:6148
-
C:\Windows\SysWOW64\Hioiji32.exeC:\Windows\system32\Hioiji32.exe173⤵PID:6248
-
C:\Windows\SysWOW64\Hkmefd32.exeC:\Windows\system32\Hkmefd32.exe174⤵
- Drops file in System32 directory
PID:6296 -
C:\Windows\SysWOW64\Hcdmga32.exeC:\Windows\system32\Hcdmga32.exe175⤵
- Drops file in System32 directory
PID:6372 -
C:\Windows\SysWOW64\Hfcicmqp.exeC:\Windows\system32\Hfcicmqp.exe176⤵
- Drops file in System32 directory
PID:6444 -
C:\Windows\SysWOW64\Iiaephpc.exeC:\Windows\system32\Iiaephpc.exe177⤵PID:6496
-
C:\Windows\SysWOW64\Ikpaldog.exeC:\Windows\system32\Ikpaldog.exe178⤵PID:6576
-
C:\Windows\SysWOW64\Ibjjhn32.exeC:\Windows\system32\Ibjjhn32.exe179⤵PID:6644
-
C:\Windows\SysWOW64\Iehfdi32.exeC:\Windows\system32\Iehfdi32.exe180⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6700 -
C:\Windows\SysWOW64\Imoneg32.exeC:\Windows\system32\Imoneg32.exe181⤵PID:6784
-
C:\Windows\SysWOW64\Ipnjab32.exeC:\Windows\system32\Ipnjab32.exe182⤵
- Drops file in System32 directory
PID:6840 -
C:\Windows\SysWOW64\Iblfnn32.exeC:\Windows\system32\Iblfnn32.exe183⤵PID:6916
-
C:\Windows\SysWOW64\Iifokh32.exeC:\Windows\system32\Iifokh32.exe184⤵PID:6976
-
C:\Windows\SysWOW64\Ildkgc32.exeC:\Windows\system32\Ildkgc32.exe185⤵PID:7052
-
C:\Windows\SysWOW64\Ickchq32.exeC:\Windows\system32\Ickchq32.exe186⤵PID:7136
-
C:\Windows\SysWOW64\Iihkpg32.exeC:\Windows\system32\Iihkpg32.exe187⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6156 -
C:\Windows\SysWOW64\Ibqpimpl.exeC:\Windows\system32\Ibqpimpl.exe188⤵PID:6272
-
C:\Windows\SysWOW64\Ilidbbgl.exeC:\Windows\system32\Ilidbbgl.exe189⤵
- Drops file in System32 directory
PID:6368 -
C:\Windows\SysWOW64\Ibcmom32.exeC:\Windows\system32\Ibcmom32.exe190⤵
- Drops file in System32 directory
- Modifies registry class
PID:6476 -
C:\Windows\SysWOW64\Jeaikh32.exeC:\Windows\system32\Jeaikh32.exe191⤵PID:6600
-
C:\Windows\SysWOW64\Jlkagbej.exeC:\Windows\system32\Jlkagbej.exe192⤵PID:6696
-
C:\Windows\SysWOW64\Jioaqfcc.exeC:\Windows\system32\Jioaqfcc.exe193⤵PID:5960
-
C:\Windows\SysWOW64\Jpijnqkp.exeC:\Windows\system32\Jpijnqkp.exe194⤵PID:6912
-
C:\Windows\SysWOW64\Jbhfjljd.exeC:\Windows\system32\Jbhfjljd.exe195⤵
- Modifies registry class
PID:7040 -
C:\Windows\SysWOW64\Jmmjgejj.exeC:\Windows\system32\Jmmjgejj.exe196⤵PID:5552
-
C:\Windows\SysWOW64\Jbjcolha.exeC:\Windows\system32\Jbjcolha.exe197⤵PID:6280
-
C:\Windows\SysWOW64\Jidklf32.exeC:\Windows\system32\Jidklf32.exe198⤵PID:6408
-
C:\Windows\SysWOW64\Jpnchp32.exeC:\Windows\system32\Jpnchp32.exe199⤵PID:6492
-
C:\Windows\SysWOW64\Jifhaenk.exeC:\Windows\system32\Jifhaenk.exe200⤵
- Modifies registry class
PID:6748 -
C:\Windows\SysWOW64\Jmbdbd32.exeC:\Windows\system32\Jmbdbd32.exe201⤵
- Modifies registry class
PID:6964 -
C:\Windows\SysWOW64\Jlednamo.exeC:\Windows\system32\Jlednamo.exe202⤵PID:7132
-
C:\Windows\SysWOW64\Jcllonma.exeC:\Windows\system32\Jcllonma.exe203⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6332 -
C:\Windows\SysWOW64\Kmdqgd32.exeC:\Windows\system32\Kmdqgd32.exe204⤵PID:6728
-
C:\Windows\SysWOW64\Kpbmco32.exeC:\Windows\system32\Kpbmco32.exe205⤵PID:6880
-
C:\Windows\SysWOW64\Kfmepi32.exeC:\Windows\system32\Kfmepi32.exe206⤵
- Drops file in System32 directory
PID:6360 -
C:\Windows\SysWOW64\Kikame32.exeC:\Windows\system32\Kikame32.exe207⤵
- Drops file in System32 directory
PID:6972 -
C:\Windows\SysWOW64\Kbceejpf.exeC:\Windows\system32\Kbceejpf.exe208⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6244 -
C:\Windows\SysWOW64\Kebbafoj.exeC:\Windows\system32\Kebbafoj.exe209⤵PID:7012
-
C:\Windows\SysWOW64\Kmijbcpl.exeC:\Windows\system32\Kmijbcpl.exe210⤵
- Drops file in System32 directory
PID:6888 -
C:\Windows\SysWOW64\Kfankifm.exeC:\Windows\system32\Kfankifm.exe211⤵PID:7176
-
C:\Windows\SysWOW64\Klngdpdd.exeC:\Windows\system32\Klngdpdd.exe212⤵PID:7220
-
C:\Windows\SysWOW64\Kbhoqj32.exeC:\Windows\system32\Kbhoqj32.exe213⤵PID:7264
-
C:\Windows\SysWOW64\Kefkme32.exeC:\Windows\system32\Kefkme32.exe214⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7308 -
C:\Windows\SysWOW64\Kmncnb32.exeC:\Windows\system32\Kmncnb32.exe215⤵PID:7344
-
C:\Windows\SysWOW64\Liddbc32.exeC:\Windows\system32\Liddbc32.exe216⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:7392 -
C:\Windows\SysWOW64\Llcpoo32.exeC:\Windows\system32\Llcpoo32.exe217⤵PID:7432
-
C:\Windows\SysWOW64\Lfhdlh32.exeC:\Windows\system32\Lfhdlh32.exe218⤵
- Modifies registry class
PID:7472 -
C:\Windows\SysWOW64\Lekehdgp.exeC:\Windows\system32\Lekehdgp.exe219⤵PID:7512
-
C:\Windows\SysWOW64\Lmbmibhb.exeC:\Windows\system32\Lmbmibhb.exe220⤵PID:7560
-
C:\Windows\SysWOW64\Llemdo32.exeC:\Windows\system32\Llemdo32.exe221⤵
- Drops file in System32 directory
PID:7592 -
C:\Windows\SysWOW64\Ldleel32.exeC:\Windows\system32\Ldleel32.exe222⤵PID:7644
-
C:\Windows\SysWOW64\Lenamdem.exeC:\Windows\system32\Lenamdem.exe223⤵
- Drops file in System32 directory
PID:7688 -
C:\Windows\SysWOW64\Llgjjnlj.exeC:\Windows\system32\Llgjjnlj.exe224⤵
- Modifies registry class
PID:7736 -
C:\Windows\SysWOW64\Lpcfkm32.exeC:\Windows\system32\Lpcfkm32.exe225⤵PID:7772
-
C:\Windows\SysWOW64\Lepncd32.exeC:\Windows\system32\Lepncd32.exe226⤵PID:7820
-
C:\Windows\SysWOW64\Lmgfda32.exeC:\Windows\system32\Lmgfda32.exe227⤵
- Modifies registry class
PID:7860 -
C:\Windows\SysWOW64\Ldanqkki.exeC:\Windows\system32\Ldanqkki.exe228⤵PID:7900
-
C:\Windows\SysWOW64\Lgokmgjm.exeC:\Windows\system32\Lgokmgjm.exe229⤵PID:7948
-
C:\Windows\SysWOW64\Lllcen32.exeC:\Windows\system32\Lllcen32.exe230⤵PID:7988
-
C:\Windows\SysWOW64\Lphoelqn.exeC:\Windows\system32\Lphoelqn.exe231⤵PID:8032
-
C:\Windows\SysWOW64\Mbfkbhpa.exeC:\Windows\system32\Mbfkbhpa.exe232⤵PID:8076
-
C:\Windows\SysWOW64\Mmlpoqpg.exeC:\Windows\system32\Mmlpoqpg.exe233⤵PID:8116
-
C:\Windows\SysWOW64\Mdehlk32.exeC:\Windows\system32\Mdehlk32.exe234⤵
- Modifies registry class
PID:8156 -
C:\Windows\SysWOW64\Mgddhf32.exeC:\Windows\system32\Mgddhf32.exe235⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6188 -
C:\Windows\SysWOW64\Megdccmb.exeC:\Windows\system32\Megdccmb.exe236⤵
- Drops file in System32 directory
PID:7232 -
C:\Windows\SysWOW64\Mlampmdo.exeC:\Windows\system32\Mlampmdo.exe237⤵PID:7320
-
C:\Windows\SysWOW64\Mplhql32.exeC:\Windows\system32\Mplhql32.exe238⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7384 -
C:\Windows\SysWOW64\Mckemg32.exeC:\Windows\system32\Mckemg32.exe239⤵PID:7500
-
C:\Windows\SysWOW64\Miemjaci.exeC:\Windows\system32\Miemjaci.exe240⤵
- Drops file in System32 directory
PID:7548 -
C:\Windows\SysWOW64\Mmpijp32.exeC:\Windows\system32\Mmpijp32.exe241⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7632 -
C:\Windows\SysWOW64\Migjoaaf.exeC:\Windows\system32\Migjoaaf.exe242⤵
- Drops file in System32 directory
PID:7696