Analysis
max time kernel: 137s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-05-2024 02:01

Behavioral task behavioral1
Sample: 729125b4c194b3a4d9321618e17d7260_NeikiAnalytics.exe
Resource: win7-20240221-en

Behavioral task behavioral2
Sample: 729125b4c194b3a4d9321618e17d7260_NeikiAnalytics.exe
Resource: win10v2004-20240508-en

General
Target: 729125b4c194b3a4d9321618e17d7260_NeikiAnalytics.exe
Size: 109KB
MD5: 729125b4c194b3a4d9321618e17d7260
SHA1: 128cb4b054b368bb8d59da2cef866380592947ec
SHA256: 7c6b9c0d817b5510181980ea05168f4779f3c077141cfbffeadb5398b72cd300
SHA512: e16240a4bc22240ed631c9984591dbe62447a93062c56fd64916b94cb1a26aa5fc1ccab38fc71ca80f2f6f76c0b44e6ffc4c49b9d090b21d869f28b4ccc683a4
SSDEEP: 3072:T/yUjLHGF9NB6zPnqx87hKoJ9ALCqwzBu1DjHLMVDqqkSp:bJjLW9MPnqx87hKoJ9gwtu1DjrFqh
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
The key is ShellServiceObjectDelayLoad (SSODL). At logon Explorer instantiates every CLSID listed under it as an in-process COM server, so the value name ("Web Event Logger") is cosmetic and the DLL that actually runs is the one registered under that CLSID's InProcServer32 key (recorded under "Modifies registry class" below); detection should key on the CLSID and the InProcServer32 path, not on the value name. Note that the sample is 32-bit, so every write in this run was redirected into the WOW6432Node view of the registry and the registered DLLs sit in SysWOW64; the 64-bit Explorer.exe on this image reads the native view and cannot load a 32-bit in-process server, so this report alone does not show the entry being loaded on x64. When hunting, check both views of SSODL and of CLSID\{...}\InProcServer32.
Processes:
Every row is under the same key, abbreviated below as SSODL:
SSODL = \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Every "Set value (str)" row writes SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}".

description      ioc                      process
Key created      SSODL                    Fqppci32.exe
Set value (str)  SSODL\Web Event Logger   Eqmlccdi.exe
Set value (str)  SSODL\Web Event Logger   Dhikci32.exe
Set value (str)  SSODL\Web Event Logger   Bipecnkd.exe
Key created      SSODL                    Qhkdof32.exe
Key created      SSODL                    Nfohgqlg.exe
Key created      SSODL                    Oclkgccf.exe
Set value (str)  SSODL\Web Event Logger   Aaldccip.exe
Set value (str)  SSODL\Web Event Logger   Kngkqbgl.exe
Set value (str)  SSODL\Web Event Logger   Ngndaccj.exe
Key created      SSODL                    Qaqegecm.exe
Set value (str)  SSODL\Web Event Logger   Hifmmb32.exe
Set value (str)  SSODL\Web Event Logger   Lfjfecno.exe
Key created      SSODL                    Cdnmfclj.exe
Set value (str)  SSODL\Web Event Logger   Digehphc.exe
Key created      SSODL                    Dfnbgc32.exe
Key created      SSODL                    Jljbeali.exe
Key created      SSODL                    Jafdcbge.exe
Set value (str)  SSODL\Web Event Logger   Cdlqqcnl.exe
Key created      SSODL                    Eokqkh32.exe
Key created      SSODL                    Hfcnpn32.exe
Key created      SSODL                    Pdmdnadc.exe
Set value (str)  SSODL\Web Event Logger   Bedgjgkg.exe
Key created      SSODL                    Mnjqmpgg.exe
Key created      SSODL                    Hahokfag.exe
Set value (str)  SSODL\Web Event Logger   Iiopca32.exe
Set value (str)  SSODL\Web Event Logger   Lhenai32.exe
Set value (str)  SSODL\Web Event Logger   Cmgqpkip.exe
Set value (str)  SSODL\Web Event Logger   Fechomko.exe
Key created      SSODL                    Iibccgep.exe
Key created      SSODL                    Jgbchj32.exe
Set value (str)  SSODL\Web Event Logger   Pjpfjl32.exe
Set value (str)  SSODL\Web Event Logger   Mapppn32.exe
Set value (str)  SSODL\Web Event Logger   Bapgdm32.exe
Set value (str)  SSODL\Web Event Logger   Aekddhcb.exe
Key created      SSODL                    Coohhlpe.exe
Set value (str)  SSODL\Web Event Logger   Dheibpje.exe
Set value (str)  SSODL\Web Event Logger   Mgeakekd.exe
Key created      SSODL                    Klggli32.exe
Set value (str)  SSODL\Web Event Logger   Bgdemb32.exe
Key created      SSODL                    Ejccgi32.exe
Set value (str)  SSODL\Web Event Logger   Bddjpd32.exe
Key created      SSODL                    Gppcmeem.exe
Set value (str)  SSODL\Web Event Logger   Iebngial.exe
Key created      SSODL                    Qmeigg32.exe
Key created      SSODL                    Loighj32.exe
Key created      SSODL                    Mfqlfb32.exe
Key created      SSODL                    Njmqnobn.exe
Key created      SSODL                    Bmhocd32.exe
Key created      SSODL                    Phdnngdn.exe
Key created      SSODL                    Conanfli.exe
Set value (str)  SSODL\Web Event Logger   Aibibp32.exe
Key created      SSODL                    Badanigc.exe
Set value (str)  SSODL\Web Event Logger   Cohkokgj.exe
Set value (str)  SSODL\Web Event Logger   Knqepc32.exe
Set value (str)  SSODL\Web Event Logger   Bmhocd32.exe
Key created      SSODL                    Omgmeigd.exe
Key created      SSODL                    Aagkhd32.exe
Key created      SSODL                    Gpmomo32.exe
Key created      SSODL                    Objkmkjj.exe
Key created      SSODL                    Cndeii32.exe
Set value (str)  SSODL\Web Event Logger   Cdnmfclj.exe
Set value (str)  SSODL\Web Event Logger   Hlbcnd32.exe
Key created      SSODL                    Ilqoobdd.exe
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Processes:
All 64 matches are for the rule family_berbew; every memory dump covers the same image range 0x400000-0x444000.

resource
behavioral2/memory/1620-4-0x0000000000400000-0x0000000000444000-memory.dmp
C:\Windows\SysWOW64\Nnicid32.exe
behavioral2/memory/3704-12-0x0000000000400000-0x0000000000444000-memory.dmp
C:\Windows\SysWOW64\Neclenfo.exe
behavioral2/memory/4304-19-0x0000000000400000-0x0000000000444000-memory.dmp
C:\Windows\SysWOW64\Nmnqjp32.exe
behavioral2/memory/3152-24-0x0000000000400000-0x0000000000444000-memory.dmp
C:\Windows\SysWOW64\Nmnqjp32.exe
behavioral2/memory/4836-32-0x0000000000400000-0x0000000000444000-memory.dmp
C:\Windows\SysWOW64\Nhahaiec.exe
C:\Windows\SysWOW64\Odhifjkg.exe
behavioral2/memory/5060-40-0x0000000000400000-0x0000000000444000-memory.dmp
C:\Windows\SysWOW64\Ojbacd32.exe
behavioral2/memory/3680-52-0x0000000000400000-0x0000000000444000-memory.dmp
C:\Windows\SysWOW64\Omqmop32.exe
behavioral2/memory/3784-55-0x0000000000400000-0x0000000000444000-memory.dmp
C:\Windows\SysWOW64\Ohfami32.exe
behavioral2/memory/4752-63-0x0000000000400000-0x0000000000444000-memory.dmp
C:\Windows\SysWOW64\Ojdnid32.exe
behavioral2/memory/396-71-0x0000000000400000-0x0000000000444000-memory.dmp
C:\Windows\SysWOW64\Oanfen32.exe
behavioral2/memory/3468-80-0x0000000000400000-0x0000000000444000-memory.dmp
C:\Windows\SysWOW64\Oldjcg32.exe
behavioral2/memory/4828-88-0x0000000000400000-0x0000000000444000-memory.dmp
C:\Windows\SysWOW64\Omegjomb.exe
behavioral2/memory/552-96-0x0000000000400000-0x0000000000444000-memory.dmp
C:\Windows\SysWOW64\Oelolmnd.exe
behavioral2/memory/1016-104-0x0000000000400000-0x0000000000444000-memory.dmp
C:\Windows\SysWOW64\Olfghg32.exe
behavioral2/memory/4656-111-0x0000000000400000-0x0000000000444000-memory.dmp
C:\Windows\SysWOW64\Omgcpokp.exe
behavioral2/memory/1728-120-0x0000000000400000-0x0000000000444000-memory.dmp
C:\Windows\SysWOW64\Oeokal32.exe
behavioral2/memory/1992-128-0x0000000000400000-0x0000000000444000-memory.dmp
C:\Windows\SysWOW64\Olicnfco.exe
behavioral2/memory/3480-140-0x0000000000400000-0x0000000000444000-memory.dmp
C:\Windows\SysWOW64\Paelfmaf.exe
behavioral2/memory/4288-143-0x0000000000400000-0x0000000000444000-memory.dmp
behavioral2/memory/1428-152-0x0000000000400000-0x0000000000444000-memory.dmp
C:\Windows\SysWOW64\Phodcg32.exe
C:\Windows\SysWOW64\Poimpapp.exe
behavioral2/memory/4996-160-0x0000000000400000-0x0000000000444000-memory.dmp
C:\Windows\SysWOW64\Pecellgl.exe
behavioral2/memory/2640-168-0x0000000000400000-0x0000000000444000-memory.dmp
C:\Windows\SysWOW64\Pkpmdbfd.exe
behavioral2/memory/5072-176-0x0000000000400000-0x0000000000444000-memory.dmp
C:\Windows\SysWOW64\Pmoiqneg.exe
behavioral2/memory/4284-183-0x0000000000400000-0x0000000000444000-memory.dmp
C:\Windows\SysWOW64\Phdnngdn.exe
behavioral2/memory/3544-191-0x0000000000400000-0x0000000000444000-memory.dmp
C:\Windows\SysWOW64\Ponfka32.exe
behavioral2/memory/3508-200-0x0000000000400000-0x0000000000444000-memory.dmp
C:\Windows\SysWOW64\Palbgl32.exe
behavioral2/memory/4416-213-0x0000000000400000-0x0000000000444000-memory.dmp
behavioral2/memory/2604-215-0x0000000000400000-0x0000000000444000-memory.dmp
C:\Windows\SysWOW64\Phfjcf32.exe
C:\Windows\SysWOW64\Phigif32.exe
C:\Windows\SysWOW64\Pkgcea32.exe
behavioral2/memory/3428-228-0x0000000000400000-0x0000000000444000-memory.dmp
behavioral2/memory/4520-232-0x0000000000400000-0x0000000000444000-memory.dmp
C:\Windows\SysWOW64\Qemhbj32.exe
behavioral2/memory/3956-244-0x0000000000400000-0x0000000000444000-memory.dmp
C:\Windows\SysWOW64\Qhkdof32.exe
behavioral2/memory/2072-248-0x0000000000400000-0x0000000000444000-memory.dmp
Executes dropped EXE 64 IoCs
Processes:
pid   process
3704  Nnicid32.exe
4304  Neclenfo.exe
3152  Nhahaiec.exe
4836  Nmnqjp32.exe
5060  Odhifjkg.exe
3680  Ojbacd32.exe
3784  Omqmop32.exe
4752  Ohfami32.exe
396   Ojdnid32.exe
3468  Oanfen32.exe
4828  Oldjcg32.exe
552   Omegjomb.exe
1016  Oelolmnd.exe
4656  Olfghg32.exe
1728  Omgcpokp.exe
1992  Oeokal32.exe
3480  Olicnfco.exe
4288  Paelfmaf.exe
1428  Phodcg32.exe
4996  Poimpapp.exe
2640  Pecellgl.exe
5072  Pkpmdbfd.exe
4284  Pmoiqneg.exe
3544  Phdnngdn.exe
3508  Ponfka32.exe
4416  Palbgl32.exe
2604  Phfjcf32.exe
3428  Phigif32.exe
4520  Pkgcea32.exe
3956  Qemhbj32.exe
2072  Qhkdof32.exe
448   Qoelkp32.exe
3472  Qhmqdemc.exe
1780  Aogiap32.exe
4772  Aeaanjkl.exe
1912  Alkijdci.exe
1408  Aojefobm.exe
4460  Aahbbkaq.exe
3356  Adfnofpd.exe
2884  Alnfpcag.exe
2036  Anobgl32.exe
676   Aajohjon.exe
3108  Ahdged32.exe
4832  Alpbecod.exe
1384  Anaomkdb.exe
1984  Adkgje32.exe
464   Akepfpcl.exe
1260  Anclbkbp.exe
1060  Aekddhcb.exe
1696  Akglloai.exe
2172  Bemqih32.exe
3340  Bhkmec32.exe
4784  Bnhenj32.exe
3992  Badanigc.exe
2612  Blielbfi.exe
1832  Bafndi32.exe
3332  Bddjpd32.exe
3104  Bllbaa32.exe
3444  Bedgjgkg.exe
756   Blnoga32.exe
2656  Bnoknihb.exe
1872  Bffcpg32.exe
1548  Blqllqqa.exe
4992  Coohhlpe.exe
Drops file in System32 directory 64 IoCs
Processes:
description                 ioc                                 process
File created                C:\Windows\SysWOW64\Pfabjq32.dll    Gfjkjo32.exe
File opened for modification C:\Windows\SysWOW64\Kcidmkpq.exe   Jnlkedai.exe
File created                C:\Windows\SysWOW64\Adfgdpmi.exe    Aagkhd32.exe
File created                C:\Windows\SysWOW64\Bgelgi32.exe    Bdfpkm32.exe
File created                C:\Windows\SysWOW64\Oiikeffm.dll    Dkcndeen.exe
File created                C:\Windows\SysWOW64\Falmlm32.dll    Jpbjfjci.exe
File created                C:\Windows\SysWOW64\Ambfbo32.dll    Fbjena32.exe
File opened for modification C:\Windows\SysWOW64\Jljbeali.exe   Jilfifme.exe
File created                C:\Windows\SysWOW64\Godcje32.dll    Qdoacabq.exe
File opened for modification C:\Windows\SysWOW64\Fnjocf32.exe   Fcekfnkb.exe
File created                C:\Windows\SysWOW64\Fenhjedb.dll    Hpiecd32.exe
File opened for modification C:\Windows\SysWOW64\Mlljnf32.exe   Mbgeqmjp.exe
File created                C:\Windows\SysWOW64\Oflmnh32.exe    Ockdmmoj.exe
File opened for modification C:\Windows\SysWOW64\Fflohaij.exe   Fbpchb32.exe
File created                C:\Windows\SysWOW64\Lnjgfb32.exe    Lfbped32.exe
File created                C:\Windows\SysWOW64\Cldaec32.dll    Abcgjg32.exe
File created                C:\Windows\SysWOW64\Ghbjikdh.dll    Omegjomb.exe
File created                C:\Windows\SysWOW64\Pknjieep.dll    Bgdemb32.exe
File created                C:\Windows\SysWOW64\Fbplml32.exe    Fkfcqb32.exe
File created                C:\Windows\SysWOW64\Fkjmlaac.exe    Fgoakc32.exe
File created                C:\Windows\SysWOW64\Cnnnfkal.dll    Fgcjfbed.exe
File created                C:\Windows\SysWOW64\Eadhip32.dll    Cleegp32.exe
File created                C:\Windows\SysWOW64\Cohkokgj.exe    Cljobphg.exe
File opened for modification C:\Windows\SysWOW64\Oakbehfe.exe   Onmfimga.exe
File created                C:\Windows\SysWOW64\Dojqjdbl.exe    Dgcihgaj.exe
File created                C:\Windows\SysWOW64\Dmjmekgn.exe    Cpfmlghd.exe
File created                C:\Windows\SysWOW64\Dfjehbcf.dll    Imgicgca.exe
File created                C:\Windows\SysWOW64\Bphqji32.exe    Bbdpad32.exe
File created                C:\Windows\SysWOW64\Jhkbjd32.dll    Eofgpikj.exe
File created                C:\Windows\SysWOW64\Mgqaip32.dll    Cpfmlghd.exe
File created                C:\Windows\SysWOW64\Akkeajoj.dll    Mqimikfj.exe
File opened for modification C:\Windows\SysWOW64\Nclbpf32.exe   Nqmfdj32.exe
File opened for modification C:\Windows\SysWOW64\Fdpnda32.exe   Fbaahf32.exe
File created                C:\Windows\SysWOW64\Kldjcoje.dll    Fooclapd.exe
File created                C:\Windows\SysWOW64\Cmgqpkip.exe    Ccblbb32.exe
File created                C:\Windows\SysWOW64\Bjqlnnkp.dll    Emhkdmlg.exe
File opened for modification C:\Windows\SysWOW64\Pmnbfhal.exe   Pjpfjl32.exe
File opened for modification C:\Windows\SysWOW64\Apaadpng.exe   Aaoaic32.exe
File created                C:\Windows\SysWOW64\Adcjop32.exe    Amjbbfgo.exe
File created                C:\Windows\SysWOW64\Gpkehj32.dll    Aplaoj32.exe
File created                C:\Windows\SysWOW64\Ghjnkpdc.dll    Gnepna32.exe
File created                C:\Windows\SysWOW64\Gmhgag32.dll    Hfjdqmng.exe
File opened for modification C:\Windows\SysWOW64\Ejojljqa.exe   Ecdbop32.exe
File created                C:\Windows\SysWOW64\Opclldhj.exe    Onapdl32.exe
File opened for modification C:\Windows\SysWOW64\Fcpakn32.exe   Fboecfii.exe
File created                C:\Windows\SysWOW64\Ekamnhne.dll    Kcbfcigf.exe
File created                C:\Windows\SysWOW64\Gpolbo32.exe    Gnpphljo.exe
File created                C:\Windows\SysWOW64\Hlglnp32.dll    Jaajhb32.exe
File opened for modification C:\Windows\SysWOW64\Mfpell32.exe   Mlhqcgnk.exe
File created                C:\Windows\SysWOW64\Fcpakn32.exe    Fboecfii.exe
File created                C:\Windows\SysWOW64\Iogkekkb.dll    Cfnjpfcl.exe
File created                C:\Windows\SysWOW64\Knenkbio.exe    Kgkfnh32.exe
File created                C:\Windows\SysWOW64\Apaadpng.exe    Aaoaic32.exe
File opened for modification C:\Windows\SysWOW64\Npepkf32.exe   Nmfcok32.exe
File created                C:\Windows\SysWOW64\Ginacp32.dll    Alpbecod.exe
File created                C:\Windows\SysWOW64\Neiqnh32.dll    Bafndi32.exe
File created                C:\Windows\SysWOW64\Jleiba32.dll    Jllokajf.exe
File created                C:\Windows\SysWOW64\Fechok32.dll    Oeokal32.exe
File created                C:\Windows\SysWOW64\Jokkgl32.exe    Jllokajf.exe
File opened for modification C:\Windows\SysWOW64\Cgnomg32.exe   Cpdgqmnb.exe
File opened for modification C:\Windows\SysWOW64\Iepaaico.exe   Ibaeen32.exe
File created                C:\Windows\SysWOW64\Cgifbhid.exe    Cponen32.exe
File opened for modification C:\Windows\SysWOW64\Gnepna32.exe   Glgcbf32.exe
File opened for modification C:\Windows\SysWOW64\Qbajeg32.exe   Qiiflaoo.exe
Program crash 1 IoCs
Processes:
pid    pid_target  process       target process
13468  13336       WerFault.exe  Gddgpqbe.exe
Modifies registry class 64 IoCs
Processes:
Every row is under the same key, abbreviated below as INPROC; the report writes the (Default) value as a trailing backslash, and backslashes inside quoted data are shown escaped as the report prints them:
INPROC = \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32

description      ioc                                                        process
Key created      INPROC                                                     Jiiicf32.exe
Set value (str)  INPROC\(Default) = "C:\\Windows\\SysWow64\\Kpkbnj32.dll"   Mnegbp32.exe
Set value (str)  INPROC\ThreadingModel = "Apartment"                        Mqfpckhm.exe
Key created      INPROC                                                     Dahmfpap.exe
Key created      INPROC                                                     Pfhmjf32.exe
Set value (str)  INPROC\(Default) = "C:\\Windows\\SysWow64\\Jcggmk32.dll"   Fnjocf32.exe
Key created      INPROC                                                     Lfgipd32.exe
Set value (str)  INPROC\ThreadingModel = "Apartment"                        Nggnadib.exe
Set value (str)  INPROC\ThreadingModel = "Apartment"                        Ocihgnam.exe
Key created      INPROC                                                     Pmnbfhal.exe
Set value (str)  INPROC\ThreadingModel = "Apartment"                        Fgoakc32.exe
Set value (str)  INPROC\ThreadingModel = "Apartment"                        Fecadghc.exe
Set value (str)  INPROC\ThreadingModel = "Apartment"                        Abcgjg32.exe
Key created      INPROC                                                     Mfeeabda.exe
Key created      INPROC                                                     Amnlme32.exe
Set value (str)  INPROC\ThreadingModel = "Apartment"                        Coqncejg.exe
Key created      INPROC                                                     Dkekjdck.exe
Set value (str)  INPROC\ThreadingModel = "Apartment"                        Cleegp32.exe
Key created      INPROC                                                     Ffceip32.exe
Key created      INPROC                                                     Jgkmgk32.exe
Set value (str)  INPROC\ThreadingModel = "Apartment"                        Panhbfep.exe
Set value (str)  INPROC\ThreadingModel = "Apartment"                        Aidehpea.exe
Set value (str)  INPROC\(Default) = "C:\\Windows\\SysWow64\\Nhfjcpfb.dll"   Fpkibf32.exe
Set value (str)  INPROC\ThreadingModel = "Apartment"                        Pfandnla.exe
Key created      INPROC                                                     Qoelkp32.exe
Key created      INPROC                                                     Epmmqheb.exe
Key created      INPROC                                                     Hlpfhe32.exe
Key created      INPROC                                                     Jghpbk32.exe
Set value (str)  INPROC\(Default) = "C:\\Windows\\SysWow64\\Egdagc32.dll"   Jcanll32.exe
Set value (str)  INPROC\ThreadingModel = "Apartment"                        Ilkoim32.exe
Set value (str)  INPROC\(Default) = "C:\\Windows\\SysWow64\\Qffkpn32.dll"   Bnoknihb.exe
Key created      INPROC                                                     Gfjkjo32.exe
Key created      INPROC                                                     Mapppn32.exe
Set value (str)  INPROC\(Default) = "C:\\Windows\\SysWow64\\Ojimfh32.dll"   Ejccgi32.exe
Set value (str)  INPROC\ThreadingModel = "Apartment"                        Pkgcea32.exe
Key created      INPROC                                                     Eiekog32.exe
Set value (str)  INPROC\ThreadingModel = "Apartment"                        Jpbjfjci.exe
Set value (str)  INPROC\ThreadingModel = "Apartment"                        Egaejeej.exe
Set value (str)  INPROC\ThreadingModel = "Apartment"                        Jblmgf32.exe
Set value (str)  INPROC\(Default) = "C:\\Windows\\SysWow64\\Acbldmmh.dll"   Khbiello.exe
Set value (str)  INPROC\(Default) = "C:\\Windows\\SysWow64\\Cnaqob32.dll"   Nqmojd32.exe
Set value (str)  INPROC\(Default) = "C:\\Windows\\SysWow64\\Eaecci32.dll"   Ecdbop32.exe
Set value (str)  INPROC\ThreadingModel = "Apartment"                        Ocaebc32.exe
Set value (str)  INPROC\ThreadingModel = "Apartment"                        Pfiddm32.exe
Set value (str)  INPROC\ThreadingModel = "Apartment"                        Ogjdmbil.exe
Key created      INPROC                                                     Pnplfj32.exe
Set value (str)  INPROC\(Default) = "C:\\Windows\\SysWow64\\Gofdmmgd.dll"   Bllbaa32.exe
Set value (str)  INPROC\ThreadingModel = "Apartment"                        Gpgind32.exe
Set value (str)  INPROC\(Default) = "C:\\Windows\\SysWow64\\Dahcld32.dll"   Iefgbh32.exe
Set value (str)  INPROC\(Default) = "C:\\Windows\\SysWow64\\Nbgqin32.dll"   Nmdgikhi.exe
Set value (str)  INPROC\(Default) = "C:\\Windows\\SysWow64\\Gcgplk32.dll"   Ahaceo32.exe
Key created      INPROC                                                     Jblmgf32.exe
Set value (str)  INPROC\ThreadingModel = "Apartment"                        Ddnfmqng.exe
Set value (str)  INPROC\(Default) = "C:\\Windows\\SysWow64\\Cmpdihki.dll"   Fmkqpkla.exe
Set value (str)  INPROC\(Default) = "C:\\Windows\\SysWow64\\Qgnnai32.dll"   Mgphpe32.exe
Key created      INPROC                                                     Pfoann32.exe
Set value (str)  INPROC\(Default) = "C:\\Windows\\SysWow64\\Kjamidgd.dll"   Adcjop32.exe
Key created      INPROC                                                     Fijdjfdb.exe
Key created      INPROC                                                     Cbkfbcpb.exe
Key created      INPROC                                                     Phfjcf32.exe
Set value (str)  INPROC\(Default) = "C:\\Windows\\SysWow64\\Emhgcipb.dll"   Phfjcf32.exe
Set value (str)  INPROC\(Default) = "C:\\Windows\\SysWow64\\Pqknpl32.dll"   Hfcnpn32.exe
Set value (str)  INPROC\ThreadingModel = "Apartment"                        Dpiplm32.exe
Key created      INPROC                                                     Fbbicl32.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
729125b4c194b3a4d9321618e17d7260_NeikiAnalytics.exe, Nnicid32.exe, Neclenfo.exe, Nhahaiec.exe, Nmnqjp32.exe, Odhifjkg.exe, Ojbacd32.exe, Omqmop32.exe, Ohfami32.exe, Ojdnid32.exe, Oanfen32.exe, Oldjcg32.exe, Omegjomb.exe, Oelolmnd.exe, Olfghg32.exe, Omgcpokp.exe, Oeokal32.exe, Olicnfco.exe, Paelfmaf.exe, Phodcg32.exe, Poimpapp.exe, Pecellgl.exe
description | pid | process | target process
PID 1620 wrote to memory of 3704 | 1620 | 729125b4c194b3a4d9321618e17d7260_NeikiAnalytics.exe | Nnicid32.exe
PID 1620 wrote to memory of 3704 | 1620 | 729125b4c194b3a4d9321618e17d7260_NeikiAnalytics.exe | Nnicid32.exe
PID 1620 wrote to memory of 3704 | 1620 | 729125b4c194b3a4d9321618e17d7260_NeikiAnalytics.exe | Nnicid32.exe
PID 3704 wrote to memory of 4304 | 3704 | Nnicid32.exe | Neclenfo.exe
PID 3704 wrote to memory of 4304 | 3704 | Nnicid32.exe | Neclenfo.exe
PID 3704 wrote to memory of 4304 | 3704 | Nnicid32.exe | Neclenfo.exe
PID 4304 wrote to memory of 3152 | 4304 | Neclenfo.exe | Nhahaiec.exe
PID 4304 wrote to memory of 3152 | 4304 | Neclenfo.exe | Nhahaiec.exe
PID 4304 wrote to memory of 3152 | 4304 | Neclenfo.exe | Nhahaiec.exe
PID 3152 wrote to memory of 4836 | 3152 | Nhahaiec.exe | Nmnqjp32.exe
PID 3152 wrote to memory of 4836 | 3152 | Nhahaiec.exe | Nmnqjp32.exe
PID 3152 wrote to memory of 4836 | 3152 | Nhahaiec.exe | Nmnqjp32.exe
PID 4836 wrote to memory of 5060 | 4836 | Nmnqjp32.exe | Odhifjkg.exe
PID 4836 wrote to memory of 5060 | 4836 | Nmnqjp32.exe | Odhifjkg.exe
PID 4836 wrote to memory of 5060 | 4836 | Nmnqjp32.exe | Odhifjkg.exe
PID 5060 wrote to memory of 3680 | 5060 | Odhifjkg.exe | Ojbacd32.exe
PID 5060 wrote to memory of 3680 | 5060 | Odhifjkg.exe | Ojbacd32.exe
PID 5060 wrote to memory of 3680 | 5060 | Odhifjkg.exe | Ojbacd32.exe
PID 3680 wrote to memory of 3784 | 3680 | Ojbacd32.exe | Omqmop32.exe
PID 3680 wrote to memory of 3784 | 3680 | Ojbacd32.exe | Omqmop32.exe
PID 3680 wrote to memory of 3784 | 3680 | Ojbacd32.exe | Omqmop32.exe
PID 3784 wrote to memory of 4752 | 3784 | Omqmop32.exe | Ohfami32.exe
PID 3784 wrote to memory of 4752 | 3784 | Omqmop32.exe | Ohfami32.exe
PID 3784 wrote to memory of 4752 | 3784 | Omqmop32.exe | Ohfami32.exe
PID 4752 wrote to memory of 396 | 4752 | Ohfami32.exe | Ojdnid32.exe
PID 4752 wrote to memory of 396 | 4752 | Ohfami32.exe | Ojdnid32.exe
PID 4752 wrote to memory of 396 | 4752 | Ohfami32.exe | Ojdnid32.exe
PID 396 wrote to memory of 3468 | 396 | Ojdnid32.exe | Oanfen32.exe
PID 396 wrote to memory of 3468 | 396 | Ojdnid32.exe | Oanfen32.exe
PID 396 wrote to memory of 3468 | 396 | Ojdnid32.exe | Oanfen32.exe
PID 3468 wrote to memory of 4828 | 3468 | Oanfen32.exe | Oldjcg32.exe
PID 3468 wrote to memory of 4828 | 3468 | Oanfen32.exe | Oldjcg32.exe
PID 3468 wrote to memory of 4828 | 3468 | Oanfen32.exe | Oldjcg32.exe
PID 4828 wrote to memory of 552 | 4828 | Oldjcg32.exe | Omegjomb.exe
PID 4828 wrote to memory of 552 | 4828 | Oldjcg32.exe | Omegjomb.exe
PID 4828 wrote to memory of 552 | 4828 | Oldjcg32.exe | Omegjomb.exe
PID 552 wrote to memory of 1016 | 552 | Omegjomb.exe | Oelolmnd.exe
PID 552 wrote to memory of 1016 | 552 | Omegjomb.exe | Oelolmnd.exe
PID 552 wrote to memory of 1016 | 552 | Omegjomb.exe | Oelolmnd.exe
PID 1016 wrote to memory of 4656 | 1016 | Oelolmnd.exe | Olfghg32.exe
PID 1016 wrote to memory of 4656 | 1016 | Oelolmnd.exe | Olfghg32.exe
PID 1016 wrote to memory of 4656 | 1016 | Oelolmnd.exe | Olfghg32.exe
PID 4656 wrote to memory of 1728 | 4656 | Olfghg32.exe | Omgcpokp.exe
PID 4656 wrote to memory of 1728 | 4656 | Olfghg32.exe | Omgcpokp.exe
PID 4656 wrote to memory of 1728 | 4656 | Olfghg32.exe | Omgcpokp.exe
PID 1728 wrote to memory of 1992 | 1728 | Omgcpokp.exe | Oeokal32.exe
PID 1728 wrote to memory of 1992 | 1728 | Omgcpokp.exe | Oeokal32.exe
PID 1728 wrote to memory of 1992 | 1728 | Omgcpokp.exe | Oeokal32.exe
PID 1992 wrote to memory of 3480 | 1992 | Oeokal32.exe | Olicnfco.exe
PID 1992 wrote to memory of 3480 | 1992 | Oeokal32.exe | Olicnfco.exe
PID 1992 wrote to memory of 3480 | 1992 | Oeokal32.exe | Olicnfco.exe
PID 3480 wrote to memory of 4288 | 3480 | Olicnfco.exe | Paelfmaf.exe
PID 3480 wrote to memory of 4288 | 3480 | Olicnfco.exe | Paelfmaf.exe
PID 3480 wrote to memory of 4288 | 3480 | Olicnfco.exe | Paelfmaf.exe
PID 4288 wrote to memory of 1428 | 4288 | Paelfmaf.exe | Phodcg32.exe
PID 4288 wrote to memory of 1428 | 4288 | Paelfmaf.exe | Phodcg32.exe
PID 4288 wrote to memory of 1428 | 4288 | Paelfmaf.exe | Phodcg32.exe
PID 1428 wrote to memory of 4996 | 1428 | Phodcg32.exe | Poimpapp.exe
PID 1428 wrote to memory of 4996 | 1428 | Phodcg32.exe | Poimpapp.exe
PID 1428 wrote to memory of 4996 | 1428 | Phodcg32.exe | Poimpapp.exe
PID 4996 wrote to memory of 2640 | 4996 | Poimpapp.exe | Pecellgl.exe
PID 4996 wrote to memory of 2640 | 4996 | Poimpapp.exe | Pecellgl.exe
PID 4996 wrote to memory of 2640 | 4996 | Poimpapp.exe | Pecellgl.exe
PID 2640 wrote to memory of 5072 | 2640 | Pecellgl.exe | Pkpmdbfd.exe
Processes
-
Process tree. Each entry gives the process's depth in the tree, its image path, its command line, its PID and the signatures that fired on it.
1. C:\Users\Admin\AppData\Local\Temp\729125b4c194b3a4d9321618e17d7260_NeikiAnalytics.exe (command line: "C:\Users\Admin\AppData\Local\Temp\729125b4c194b3a4d9321618e17d7260_NeikiAnalytics.exe"; PID 1620): Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Nnicid32.exe (command line: C:\Windows\system32\Nnicid32.exe; PID 3704): Executes dropped EXE; Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Neclenfo.exe (command line: C:\Windows\system32\Neclenfo.exe; PID 4304): Executes dropped EXE; Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Nhahaiec.exe (command line: C:\Windows\system32\Nhahaiec.exe; PID 3152): Executes dropped EXE; Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Nmnqjp32.exe (command line: C:\Windows\system32\Nmnqjp32.exe; PID 4836): Executes dropped EXE; Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Odhifjkg.exe (command line: C:\Windows\system32\Odhifjkg.exe; PID 5060): Executes dropped EXE; Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Ojbacd32.exe (command line: C:\Windows\system32\Ojbacd32.exe; PID 3680): Executes dropped EXE; Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Omqmop32.exe (command line: C:\Windows\system32\Omqmop32.exe; PID 3784): Executes dropped EXE; Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Ohfami32.exe (command line: C:\Windows\system32\Ohfami32.exe; PID 4752): Executes dropped EXE; Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Ojdnid32.exe (command line: C:\Windows\system32\Ojdnid32.exe; PID 396): Executes dropped EXE; Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Oanfen32.exe (command line: C:\Windows\system32\Oanfen32.exe; PID 3468): Executes dropped EXE; Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Oldjcg32.exe (command line: C:\Windows\system32\Oldjcg32.exe; PID 4828): Executes dropped EXE; Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Omegjomb.exe (command line: C:\Windows\system32\Omegjomb.exe; PID 552): Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Oelolmnd.exe (command line: C:\Windows\system32\Oelolmnd.exe; PID 1016): Executes dropped EXE; Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Olfghg32.exe (command line: C:\Windows\system32\Olfghg32.exe; PID 4656): Executes dropped EXE; Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Omgcpokp.exe (command line: C:\Windows\system32\Omgcpokp.exe; PID 1728): Executes dropped EXE; Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Oeokal32.exe (command line: C:\Windows\system32\Oeokal32.exe; PID 1992): Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Olicnfco.exe (command line: C:\Windows\system32\Olicnfco.exe; PID 3480): Executes dropped EXE; Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Paelfmaf.exe (command line: C:\Windows\system32\Paelfmaf.exe; PID 4288): Executes dropped EXE; Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Phodcg32.exe (command line: C:\Windows\system32\Phodcg32.exe; PID 1428): Executes dropped EXE; Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Poimpapp.exe (command line: C:\Windows\system32\Poimpapp.exe; PID 4996): Executes dropped EXE; Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Pecellgl.exe (command line: C:\Windows\system32\Pecellgl.exe; PID 2640): Executes dropped EXE; Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Pkpmdbfd.exe (command line: C:\Windows\system32\Pkpmdbfd.exe; PID 5072): Executes dropped EXE
24. C:\Windows\SysWOW64\Pmoiqneg.exe (command line: C:\Windows\system32\Pmoiqneg.exe; PID 4284): Executes dropped EXE
25. C:\Windows\SysWOW64\Phdnngdn.exe (command line: C:\Windows\system32\Phdnngdn.exe; PID 3544): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
26. C:\Windows\SysWOW64\Ponfka32.exe (command line: C:\Windows\system32\Ponfka32.exe; PID 3508): Executes dropped EXE
27. C:\Windows\SysWOW64\Palbgl32.exe (command line: C:\Windows\system32\Palbgl32.exe; PID 4416): Executes dropped EXE
28. C:\Windows\SysWOW64\Phfjcf32.exe (command line: C:\Windows\system32\Phfjcf32.exe; PID 2604): Executes dropped EXE; Modifies registry class
29. C:\Windows\SysWOW64\Phigif32.exe (command line: C:\Windows\system32\Phigif32.exe; PID 3428): Executes dropped EXE
30. C:\Windows\SysWOW64\Pkgcea32.exe (command line: C:\Windows\system32\Pkgcea32.exe; PID 4520): Executes dropped EXE; Modifies registry class
31. C:\Windows\SysWOW64\Qemhbj32.exe (command line: C:\Windows\system32\Qemhbj32.exe; PID 3956): Executes dropped EXE
32. C:\Windows\SysWOW64\Qhkdof32.exe (command line: C:\Windows\system32\Qhkdof32.exe; PID 2072): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
33. C:\Windows\SysWOW64\Qoelkp32.exe (command line: C:\Windows\system32\Qoelkp32.exe; PID 448): Executes dropped EXE; Modifies registry class
34. C:\Windows\SysWOW64\Qhmqdemc.exe (command line: C:\Windows\system32\Qhmqdemc.exe; PID 3472): Executes dropped EXE
35. C:\Windows\SysWOW64\Aogiap32.exe (command line: C:\Windows\system32\Aogiap32.exe; PID 1780): Executes dropped EXE
36. C:\Windows\SysWOW64\Aeaanjkl.exe (command line: C:\Windows\system32\Aeaanjkl.exe; PID 4772): Executes dropped EXE
37. C:\Windows\SysWOW64\Alkijdci.exe (command line: C:\Windows\system32\Alkijdci.exe; PID 1912): Executes dropped EXE
38. C:\Windows\SysWOW64\Aojefobm.exe (command line: C:\Windows\system32\Aojefobm.exe; PID 1408): Executes dropped EXE
39. C:\Windows\SysWOW64\Aahbbkaq.exe (command line: C:\Windows\system32\Aahbbkaq.exe; PID 4460): Executes dropped EXE
40. C:\Windows\SysWOW64\Adfnofpd.exe (command line: C:\Windows\system32\Adfnofpd.exe; PID 3356): Executes dropped EXE
41. C:\Windows\SysWOW64\Alnfpcag.exe (command line: C:\Windows\system32\Alnfpcag.exe; PID 2884): Executes dropped EXE
42. C:\Windows\SysWOW64\Anobgl32.exe (command line: C:\Windows\system32\Anobgl32.exe; PID 2036): Executes dropped EXE
43. C:\Windows\SysWOW64\Aajohjon.exe (command line: C:\Windows\system32\Aajohjon.exe; PID 676): Executes dropped EXE
44. C:\Windows\SysWOW64\Ahdged32.exe (command line: C:\Windows\system32\Ahdged32.exe; PID 3108): Executes dropped EXE
45. C:\Windows\SysWOW64\Alpbecod.exe (command line: C:\Windows\system32\Alpbecod.exe; PID 4832): Executes dropped EXE; Drops file in System32 directory
46. C:\Windows\SysWOW64\Anaomkdb.exe (command line: C:\Windows\system32\Anaomkdb.exe; PID 1384): Executes dropped EXE
47. C:\Windows\SysWOW64\Adkgje32.exe (command line: C:\Windows\system32\Adkgje32.exe; PID 1984): Executes dropped EXE
48. C:\Windows\SysWOW64\Akepfpcl.exe (command line: C:\Windows\system32\Akepfpcl.exe; PID 464): Executes dropped EXE
49. C:\Windows\SysWOW64\Anclbkbp.exe (command line: C:\Windows\system32\Anclbkbp.exe; PID 1260): Executes dropped EXE
50. C:\Windows\SysWOW64\Aekddhcb.exe (command line: C:\Windows\system32\Aekddhcb.exe; PID 1060): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
51. C:\Windows\SysWOW64\Akglloai.exe (command line: C:\Windows\system32\Akglloai.exe; PID 1696): Executes dropped EXE
52. C:\Windows\SysWOW64\Bnfihkqm.exe (command line: C:\Windows\system32\Bnfihkqm.exe; PID 3540)
53. C:\Windows\SysWOW64\Bemqih32.exe (command line: C:\Windows\system32\Bemqih32.exe; PID 2172): Executes dropped EXE
54. C:\Windows\SysWOW64\Bhkmec32.exe (command line: C:\Windows\system32\Bhkmec32.exe; PID 3340): Executes dropped EXE
55. C:\Windows\SysWOW64\Bnhenj32.exe (command line: C:\Windows\system32\Bnhenj32.exe; PID 4784): Executes dropped EXE
56. C:\Windows\SysWOW64\Badanigc.exe (command line: C:\Windows\system32\Badanigc.exe; PID 3992): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
57. C:\Windows\SysWOW64\Blielbfi.exe (command line: C:\Windows\system32\Blielbfi.exe; PID 2612): Executes dropped EXE
58. C:\Windows\SysWOW64\Bafndi32.exe (command line: C:\Windows\system32\Bafndi32.exe; PID 1832): Executes dropped EXE; Drops file in System32 directory
59. C:\Windows\SysWOW64\Bddjpd32.exe (command line: C:\Windows\system32\Bddjpd32.exe; PID 3332): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
60. C:\Windows\SysWOW64\Bllbaa32.exe (command line: C:\Windows\system32\Bllbaa32.exe; PID 3104): Executes dropped EXE; Modifies registry class
61. C:\Windows\SysWOW64\Bedgjgkg.exe (command line: C:\Windows\system32\Bedgjgkg.exe; PID 3444): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
62. C:\Windows\SysWOW64\Blnoga32.exe (command line: C:\Windows\system32\Blnoga32.exe; PID 756): Executes dropped EXE
63. C:\Windows\SysWOW64\Bnoknihb.exe (command line: C:\Windows\system32\Bnoknihb.exe; PID 2656): Executes dropped EXE; Modifies registry class
64. C:\Windows\SysWOW64\Bffcpg32.exe (command line: C:\Windows\system32\Bffcpg32.exe; PID 1872): Executes dropped EXE
65. C:\Windows\SysWOW64\Blqllqqa.exe (command line: C:\Windows\system32\Blqllqqa.exe; PID 1548): Executes dropped EXE
66. C:\Windows\SysWOW64\Coohhlpe.exe (command line: C:\Windows\system32\Coohhlpe.exe; PID 4992): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
67. C:\Windows\SysWOW64\Cdlqqcnl.exe (command line: C:\Windows\system32\Cdlqqcnl.exe; PID 5128): Adds autorun key to be loaded by Explorer.exe on startup
68. C:\Windows\SysWOW64\Clchbqoo.exe (command line: C:\Windows\system32\Clchbqoo.exe; PID 5168)
69. C:\Windows\SysWOW64\Cndeii32.exe (command line: C:\Windows\system32\Cndeii32.exe; PID 5212): Adds autorun key to be loaded by Explorer.exe on startup
70. C:\Windows\SysWOW64\Cdnmfclj.exe (command line: C:\Windows\system32\Cdnmfclj.exe; PID 5252): Adds autorun key to be loaded by Explorer.exe on startup
71. C:\Windows\SysWOW64\Cleegp32.exe (command line: C:\Windows\system32\Cleegp32.exe; PID 5292): Drops file in System32 directory; Modifies registry class
72. C:\Windows\SysWOW64\Cnfaohbj.exe (command line: C:\Windows\system32\Cnfaohbj.exe; PID 5336)
73. C:\Windows\SysWOW64\Cfnjpfcl.exe (command line: C:\Windows\system32\Cfnjpfcl.exe; PID 5380): Drops file in System32 directory
74. C:\Windows\SysWOW64\Chlflabp.exe (command line: C:\Windows\system32\Chlflabp.exe; PID 5420)
75. C:\Windows\SysWOW64\Cnindhpg.exe (command line: C:\Windows\system32\Cnindhpg.exe; PID 5460)
76. C:\Windows\SysWOW64\Cbdjeg32.exe (command line: C:\Windows\system32\Cbdjeg32.exe; PID 5500)
77. C:\Windows\SysWOW64\Chnbbqpn.exe (command line: C:\Windows\system32\Chnbbqpn.exe; PID 5540)
78. C:\Windows\SysWOW64\Cljobphg.exe (command line: C:\Windows\system32\Cljobphg.exe; PID 5576): Drops file in System32 directory
79. C:\Windows\SysWOW64\Cohkokgj.exe (command line: C:\Windows\system32\Cohkokgj.exe; PID 5620): Adds autorun key to be loaded by Explorer.exe on startup
80. C:\Windows\SysWOW64\Cfbcke32.exe (command line: C:\Windows\system32\Cfbcke32.exe; PID 5660)
81. C:\Windows\SysWOW64\Dmlkhofd.exe (command line: C:\Windows\system32\Dmlkhofd.exe; PID 5700)
82. C:\Windows\SysWOW64\Dokgdkeh.exe (command line: C:\Windows\system32\Dokgdkeh.exe; PID 5744)
83. C:\Windows\SysWOW64\Ddgplado.exe (command line: C:\Windows\system32\Ddgplado.exe; PID 5792)
84. C:\Windows\SysWOW64\Dkahilkl.exe (command line: C:\Windows\system32\Dkahilkl.exe; PID 5832)
85. C:\Windows\SysWOW64\Dheibpje.exe (command line: C:\Windows\system32\Dheibpje.exe; PID 5888): Adds autorun key to be loaded by Explorer.exe on startup
86. C:\Windows\SysWOW64\Dkceokii.exe (command line: C:\Windows\system32\Dkceokii.exe; PID 5928)
87. C:\Windows\SysWOW64\Dbnmke32.exe (command line: C:\Windows\system32\Dbnmke32.exe; PID 5984)
88. C:\Windows\SysWOW64\Digehphc.exe (command line: C:\Windows\system32\Digehphc.exe; PID 6028): Adds autorun key to be loaded by Explorer.exe on startup
89. C:\Windows\SysWOW64\Doaneiop.exe (command line: C:\Windows\system32\Doaneiop.exe; PID 6072)
90. C:\Windows\SysWOW64\Dbpjaeoc.exe (command line: C:\Windows\system32\Dbpjaeoc.exe; PID 6112)
91. C:\Windows\SysWOW64\Ddnfmqng.exe (command line: C:\Windows\system32\Ddnfmqng.exe; PID 5136): Modifies registry class
92. C:\Windows\SysWOW64\Dodjjimm.exe (command line: C:\Windows\system32\Dodjjimm.exe; PID 5188)
93. C:\Windows\SysWOW64\Dngjff32.exe (command line: C:\Windows\system32\Dngjff32.exe; PID 5300)
94. C:\Windows\SysWOW64\Dfnbgc32.exe (command line: C:\Windows\system32\Dfnbgc32.exe; PID 5368): Adds autorun key to be loaded by Explorer.exe on startup
95. C:\Windows\SysWOW64\Eiloco32.exe (command line: C:\Windows\system32\Eiloco32.exe; PID 5468)
96. C:\Windows\SysWOW64\Emhkdmlg.exe (command line: C:\Windows\system32\Emhkdmlg.exe; PID 5548): Drops file in System32 directory
97. C:\Windows\SysWOW64\Eofgpikj.exe (command line: C:\Windows\system32\Eofgpikj.exe; PID 5608): Drops file in System32 directory
98. C:\Windows\SysWOW64\Ebdcld32.exe (command line: C:\Windows\system32\Ebdcld32.exe; PID 5688)
99. C:\Windows\SysWOW64\Eiokinbk.exe (command line: C:\Windows\system32\Eiokinbk.exe; PID 5768)
100. C:\Windows\SysWOW64\Ekmhejao.exe (command line: C:\Windows\system32\Ekmhejao.exe; PID 5844)
101. C:\Windows\SysWOW64\Emmdom32.exe (command line: C:\Windows\system32\Emmdom32.exe; PID 5912)
102. C:\Windows\SysWOW64\Eokqkh32.exe (command line: C:\Windows\system32\Eokqkh32.exe; PID 5976): Adds autorun key to be loaded by Explorer.exe on startup
103. C:\Windows\SysWOW64\Ebimgcfi.exe (command line: C:\Windows\system32\Ebimgcfi.exe; PID 6068)
104. C:\Windows\SysWOW64\Eehicoel.exe (command line: C:\Windows\system32\Eehicoel.exe; PID 6132)
105. C:\Windows\SysWOW64\Ekaapi32.exe (command line: C:\Windows\system32\Ekaapi32.exe; PID 5200)
106. C:\Windows\SysWOW64\Epmmqheb.exe (command line: C:\Windows\system32\Epmmqheb.exe; PID 5376): Modifies registry class
107. C:\Windows\SysWOW64\Eblimcdf.exe (command line: C:\Windows\system32\Eblimcdf.exe; PID 5456)
108. C:\Windows\SysWOW64\Eejeiocj.exe (command line: C:\Windows\system32\Eejeiocj.exe; PID 3836)
109. C:\Windows\SysWOW64\Emanjldl.exe (command line: C:\Windows\system32\Emanjldl.exe; PID 5668)
110. C:\Windows\SysWOW64\Enbjad32.exe (command line: C:\Windows\system32\Enbjad32.exe; PID 5804)
111. C:\Windows\SysWOW64\Felbnn32.exe (command line: C:\Windows\system32\Felbnn32.exe; PID 5896)
112. C:\Windows\SysWOW64\Fmcjpl32.exe (command line: C:\Windows\system32\Fmcjpl32.exe; PID 6040)
113. C:\Windows\SysWOW64\Fpbflg32.exe (command line: C:\Windows\system32\Fpbflg32.exe; PID 5208)
114. C:\Windows\SysWOW64\Fbpchb32.exe (command line: C:\Windows\system32\Fbpchb32.exe; PID 5508): Drops file in System32 directory
115. C:\Windows\SysWOW64\Fflohaij.exe (command line: C:\Windows\system32\Fflohaij.exe; PID 5696)
116. C:\Windows\SysWOW64\Fijkdmhn.exe (command line: C:\Windows\system32\Fijkdmhn.exe; PID 5852)
117. C:\Windows\SysWOW64\Fligqhga.exe (command line: C:\Windows\system32\Fligqhga.exe; PID 6000)
118. C:\Windows\SysWOW64\Fngcmcfe.exe (command line: C:\Windows\system32\Fngcmcfe.exe; PID 5412)
119. C:\Windows\SysWOW64\Fbbpmb32.exe (command line: C:\Windows\system32\Fbbpmb32.exe; PID 5676)
120. C:\Windows\SysWOW64\Fealin32.exe (command line: C:\Windows\system32\Fealin32.exe; PID 6008)
121. C:\Windows\SysWOW64\Fbelcblk.exe (command line: C:\Windows\system32\Fbelcblk.exe; PID 5528)
122. C:\Windows\SysWOW64\Fechomko.exe (command line: C:\Windows\system32\Fechomko.exe; PID 5920): Adds autorun key to be loaded by Explorer.exe on startup
123. C:\Windows\SysWOW64\Fmkqpkla.exe (command line: C:\Windows\system32\Fmkqpkla.exe; PID 6168): Modifies registry class
124. C:\Windows\SysWOW64\Fpimlfke.exe (command line: C:\Windows\system32\Fpimlfke.exe; PID 6212)
125. C:\Windows\SysWOW64\Fbgihaji.exe (command line: C:\Windows\system32\Fbgihaji.exe; PID 6248)
126. C:\Windows\SysWOW64\Ffceip32.exe (command line: C:\Windows\system32\Ffceip32.exe; PID 6288): Modifies registry class
127. C:\Windows\SysWOW64\Fmmmfj32.exe (command line: C:\Windows\system32\Fmmmfj32.exe; PID 6344)
128. C:\Windows\SysWOW64\Fpkibf32.exe (command line: C:\Windows\system32\Fpkibf32.exe; PID 6384): Modifies registry class
129. C:\Windows\SysWOW64\Fbjena32.exe (command line: C:\Windows\system32\Fbjena32.exe; PID 6436): Drops file in System32 directory
130. C:\Windows\SysWOW64\Gehbjm32.exe (command line: C:\Windows\system32\Gehbjm32.exe; PID 6476)
131. C:\Windows\SysWOW64\Gmojkj32.exe (command line: C:\Windows\system32\Gmojkj32.exe; PID 6520)
132. C:\Windows\SysWOW64\Glbjggof.exe (command line: C:\Windows\system32\Glbjggof.exe; PID 6564)
133. C:\Windows\SysWOW64\Gnqfcbnj.exe (command line: C:\Windows\system32\Gnqfcbnj.exe; PID 6604)
134. C:\Windows\SysWOW64\Gfhndpol.exe (command line: C:\Windows\system32\Gfhndpol.exe; PID 6648)
135. C:\Windows\SysWOW64\Gifkpknp.exe (command line: C:\Windows\system32\Gifkpknp.exe; PID 6696)
136. C:\Windows\SysWOW64\Gppcmeem.exe (command line: C:\Windows\system32\Gppcmeem.exe; PID 6740): Adds autorun key to be loaded by Explorer.exe on startup
137. C:\Windows\SysWOW64\Gncchb32.exe (command line: C:\Windows\system32\Gncchb32.exe; PID 6780)
138. C:\Windows\SysWOW64\Gfjkjo32.exe (command line: C:\Windows\system32\Gfjkjo32.exe; PID 6820): Drops file in System32 directory; Modifies registry class
139. C:\Windows\SysWOW64\Gihgfk32.exe (command line: C:\Windows\system32\Gihgfk32.exe; PID 6864)
140. C:\Windows\SysWOW64\Glgcbf32.exe (command line: C:\Windows\system32\Glgcbf32.exe; PID 6908): Drops file in System32 directory
141. C:\Windows\SysWOW64\Gnepna32.exe (command line: C:\Windows\system32\Gnepna32.exe; PID 6948): Drops file in System32 directory
142. C:\Windows\SysWOW64\Gflhoo32.exe (command line: C:\Windows\system32\Gflhoo32.exe; PID 6992)
143. C:\Windows\SysWOW64\Gikdkj32.exe (command line: C:\Windows\system32\Gikdkj32.exe; PID 7052)
144. C:\Windows\SysWOW64\Gpelhd32.exe (command line: C:\Windows\system32\Gpelhd32.exe; PID 7092)
145. C:\Windows\SysWOW64\Goglcahb.exe (command line: C:\Windows\system32\Goglcahb.exe; PID 7128)
146. C:\Windows\SysWOW64\Gfodeohd.exe (command line: C:\Windows\system32\Gfodeohd.exe; PID 6152)
147. C:\Windows\SysWOW64\Geaepk32.exe (command line: C:\Windows\system32\Geaepk32.exe; PID 6260)
148. C:\Windows\SysWOW64\Gmimai32.exe (command line: C:\Windows\system32\Gmimai32.exe; PID 6352)
149. C:\Windows\SysWOW64\Gpgind32.exe (command line: C:\Windows\system32\Gpgind32.exe; PID 6444): Modifies registry class
150. C:\Windows\SysWOW64\Gbeejp32.exe (command line: C:\Windows\system32\Gbeejp32.exe; PID 6516)
151. C:\Windows\SysWOW64\Hedafk32.exe (command line: C:\Windows\system32\Hedafk32.exe; PID 6596)
152. C:\Windows\SysWOW64\Hmkigh32.exe (command line: C:\Windows\system32\Hmkigh32.exe; PID 6688)
153. C:\Windows\SysWOW64\Hpiecd32.exe (command line: C:\Windows\system32\Hpiecd32.exe; PID 6772): Drops file in System32 directory
154. C:\Windows\SysWOW64\Holfoqcm.exe (command line: C:\Windows\system32\Holfoqcm.exe; PID 6836)
155. C:\Windows\SysWOW64\Hfcnpn32.exe (command line: C:\Windows\system32\Hfcnpn32.exe; PID 6956): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
156. C:\Windows\SysWOW64\Hibjli32.exe (command line: C:\Windows\system32\Hibjli32.exe; PID 7072)
157. C:\Windows\SysWOW64\Hlpfhe32.exe (command line: C:\Windows\system32\Hlpfhe32.exe; PID 6156): Modifies registry class
158. C:\Windows\SysWOW64\Hplbickp.exe (command line: C:\Windows\system32\Hplbickp.exe; PID 6232)
159. C:\Windows\SysWOW64\Hbjoeojc.exe (command line: C:\Windows\system32\Hbjoeojc.exe; PID 6428)
160. C:\Windows\SysWOW64\Hehkajig.exe (command line: C:\Windows\system32\Hehkajig.exe; PID 6548)
161. C:\Windows\SysWOW64\Hlbcnd32.exe (command line: C:\Windows\system32\Hlbcnd32.exe; PID 6704): Adds autorun key to be loaded by Explorer.exe on startup
162. C:\Windows\SysWOW64\Hoaojp32.exe (command line: C:\Windows\system32\Hoaojp32.exe; PID 6876)
163. C:\Windows\SysWOW64\Hfhgkmpj.exe (command line: C:\Windows\system32\Hfhgkmpj.exe; PID 7024)
164. C:\Windows\SysWOW64\Hifcgion.exe (command line: C:\Windows\system32\Hifcgion.exe; PID 7120)
165. C:\Windows\SysWOW64\Hlepcdoa.exe (command line: C:\Windows\system32\Hlepcdoa.exe; PID 6416)
166. C:\Windows\SysWOW64\Hoclopne.exe (command line: C:\Windows\system32\Hoclopne.exe; PID 6584)
167. C:\Windows\SysWOW64\Hfjdqmng.exe (command line: C:\Windows\system32\Hfjdqmng.exe; PID 6812): Drops file in System32 directory
168. C:\Windows\SysWOW64\Hmdlmg32.exe (command line: C:\Windows\system32\Hmdlmg32.exe; PID 7068)
169. C:\Windows\SysWOW64\Hpchib32.exe (command line: C:\Windows\system32\Hpchib32.exe; PID 6556)
170. C:\Windows\SysWOW64\Ibaeen32.exe (command line: C:\Windows\system32\Ibaeen32.exe; PID 6788): Drops file in System32 directory
171. C:\Windows\SysWOW64\Iepaaico.exe (command line: C:\Windows\system32\Iepaaico.exe; PID 6332)
172. C:\Windows\SysWOW64\Imgicgca.exe (command line: C:\Windows\system32\Imgicgca.exe; PID 6944): Drops file in System32 directory
173. C:\Windows\SysWOW64\Ipeeobbe.exe (command line: C:\Windows\system32\Ipeeobbe.exe; PID 6976)
174. C:\Windows\SysWOW64\Ibcaknbi.exe (command line: C:\Windows\system32\Ibcaknbi.exe; PID 6340)
175. C:\Windows\SysWOW64\Iebngial.exe (command line: C:\Windows\system32\Iebngial.exe; PID 7208): Adds autorun key to be loaded by Explorer.exe on startup
176. C:\Windows\SysWOW64\Iinjhh32.exe (command line: C:\Windows\system32\Iinjhh32.exe; PID 7248)
177. C:\Windows\SysWOW64\Illfdc32.exe (command line: C:\Windows\system32\Illfdc32.exe; PID 7296)
178. C:\Windows\SysWOW64\Iojbpo32.exe (command line: C:\Windows\system32\Iojbpo32.exe; PID 7336)
179. C:\Windows\SysWOW64\Igajal32.exe (command line: C:\Windows\system32\Igajal32.exe; PID 7384)
180. C:\Windows\SysWOW64\Iipfmggc.exe (command line: C:\Windows\system32\Iipfmggc.exe; PID 7416)
181. C:\Windows\SysWOW64\Ilnbicff.exe (command line: C:\Windows\system32\Ilnbicff.exe; PID 7460)
182. C:\Windows\SysWOW64\Ipjoja32.exe (command line: C:\Windows\system32\Ipjoja32.exe; PID 7504)
183. C:\Windows\SysWOW64\Ibhkfm32.exe (command line: C:\Windows\system32\Ibhkfm32.exe; PID 7552)
184. C:\Windows\SysWOW64\Iefgbh32.exe (command line: C:\Windows\system32\Iefgbh32.exe; PID 7608): Modifies registry class
185. C:\Windows\SysWOW64\Iibccgep.exe (command line: C:\Windows\system32\Iibccgep.exe; PID 7648): Adds autorun key to be loaded by Explorer.exe on startup
186. C:\Windows\SysWOW64\Ilqoobdd.exe (command line: C:\Windows\system32\Ilqoobdd.exe; PID 7704): Adds autorun key to be loaded by Explorer.exe on startup
187. C:\Windows\SysWOW64\Iplkpa32.exe (command line: C:\Windows\system32\Iplkpa32.exe; PID 7756)
188. C:\Windows\SysWOW64\Ickglm32.exe (command line: C:\Windows\system32\Ickglm32.exe; PID 7804)
189. C:\Windows\SysWOW64\Ieidhh32.exe (command line: C:\Windows\system32\Ieidhh32.exe; PID 7856)
190. C:\Windows\SysWOW64\Iidphgcn.exe (command line: C:\Windows\system32\Iidphgcn.exe; PID 7900)
191. C:\Windows\SysWOW64\Ilcldb32.exe (command line: C:\Windows\system32\Ilcldb32.exe; PID 7952)
192. C:\Windows\SysWOW64\Joahqn32.exe (command line: C:\Windows\system32\Joahqn32.exe; PID 7992)
193. C:\Windows\SysWOW64\Jghpbk32.exe (command line: C:\Windows\system32\Jghpbk32.exe; PID 8036): Modifies registry class
194. C:\Windows\SysWOW64\Jiglnf32.exe (command line: C:\Windows\system32\Jiglnf32.exe; PID 8080)
195. C:\Windows\SysWOW64\Jmbhoeid.exe (command line: C:\Windows\system32\Jmbhoeid.exe; PID 8120)
196. C:\Windows\SysWOW64\Jpaekqhh.exe (command line: C:\Windows\system32\Jpaekqhh.exe; PID 8172)
197. C:\Windows\SysWOW64\Jocefm32.exe (command line: C:\Windows\system32\Jocefm32.exe; PID 7188)
198. C:\Windows\SysWOW64\Jgkmgk32.exe (command line: C:\Windows\system32\Jgkmgk32.exe; PID 7228): Modifies registry class
199. C:\Windows\SysWOW64\Jenmcggo.exe (command line: C:\Windows\system32\Jenmcggo.exe; PID 7316)
200. C:\Windows\SysWOW64\Jiiicf32.exe (command line: C:\Windows\system32\Jiiicf32.exe; PID 7372): Modifies registry class
201. C:\Windows\SysWOW64\Jlgepanl.exe (command line: C:\Windows\system32\Jlgepanl.exe; PID 7444)
202. C:\Windows\SysWOW64\Jpcapp32.exe (command line: C:\Windows\system32\Jpcapp32.exe; PID 7516)
203. C:\Windows\SysWOW64\Jofalmmp.exe (command line: C:\Windows\system32\Jofalmmp.exe; PID 7592)
204. C:\Windows\SysWOW64\Jcanll32.exe (command line: C:\Windows\system32\Jcanll32.exe; PID 7636): Modifies registry class
205. C:\Windows\SysWOW64\Jepjhg32.exe (command line: C:\Windows\system32\Jepjhg32.exe; PID 7724)
206. C:\Windows\SysWOW64\Jilfifme.exe (command line: C:\Windows\system32\Jilfifme.exe; PID 7780): Drops file in System32 directory
207. C:\Windows\SysWOW64\Jljbeali.exe (command line: C:\Windows\system32\Jljbeali.exe; PID 7844): Adds autorun key to be loaded by Explorer.exe on startup
208. C:\Windows\SysWOW64\Jpenfp32.exe (command line: C:\Windows\system32\Jpenfp32.exe; PID 7936)
209. C:\Windows\SysWOW64\Jcdjbk32.exe (command line: C:\Windows\system32\Jcdjbk32.exe; PID 8028)
210. C:\Windows\SysWOW64\Jgpfbjlo.exe (command line: C:\Windows\system32\Jgpfbjlo.exe; PID 8064)
211. C:\Windows\SysWOW64\Jebfng32.exe (command line: C:\Windows\system32\Jebfng32.exe; PID 8136)
212. C:\Windows\SysWOW64\Jniood32.exe (command line: C:\Windows\system32\Jniood32.exe; PID 7216)
213. C:\Windows\SysWOW64\Jllokajf.exe (command line: C:\Windows\system32\Jllokajf.exe; PID 7284): Drops file in System32 directory
214. C:\Windows\SysWOW64\Jokkgl32.exe (command line: C:\Windows\system32\Jokkgl32.exe; PID 7400)
215. C:\Windows\SysWOW64\Jgbchj32.exe (command line: C:\Windows\system32\Jgbchj32.exe; PID 7532): Adds autorun key to be loaded by Explorer.exe on startup
216. C:\Windows\SysWOW64\Jnlkedai.exe (command line: C:\Windows\system32\Jnlkedai.exe; PID 7712): Drops file in System32 directory
217. C:\Windows\SysWOW64\Kcidmkpq.exe (command line: C:\Windows\system32\Kcidmkpq.exe; PID 7772)
218. C:\Windows\SysWOW64\Kegpifod.exe (command line: C:\Windows\system32\Kegpifod.exe; PID 7944)
219. C:\Windows\SysWOW64\Klahfp32.exe (command line: C:\Windows\system32\Klahfp32.exe; PID 8020)
220. C:\Windows\SysWOW64\Koodbl32.exe (command line: C:\Windows\system32\Koodbl32.exe; PID 8112)
221. C:\Windows\SysWOW64\Kckqbj32.exe (command line: C:\Windows\system32\Kckqbj32.exe; PID 7280)
222. C:\Windows\SysWOW64\Keimof32.exe (command line: C:\Windows\system32\Keimof32.exe; PID 7500)
223. C:\Windows\SysWOW64\Knqepc32.exe (command line: C:\Windows\system32\Knqepc32.exe; PID 7632): Adds autorun key to be loaded by Explorer.exe on startup
224. C:\Windows\SysWOW64\Kcmmhj32.exe (command line: C:\Windows\system32\Kcmmhj32.exe; PID 7884)
225. C:\Windows\SysWOW64\Kflide32.exe (command line: C:\Windows\system32\Kflide32.exe; PID 8072)
226. C:\Windows\SysWOW64\Kpanan32.exe (command line: C:\Windows\system32\Kpanan32.exe; PID 7196)
227. C:\Windows\SysWOW64\Kgkfnh32.exe (command line: C:\Windows\system32\Kgkfnh32.exe; PID 7476): Drops file in System32 directory
228. C:\Windows\SysWOW64\Knenkbio.exe (command line: C:\Windows\system32\Knenkbio.exe; PID 7684)
229. C:\Windows\SysWOW64\Kpcjgnhb.exe (command line: C:\Windows\system32\Kpcjgnhb.exe; PID 8000)
230. C:\Windows\SysWOW64\Kcbfcigf.exe (command line: C:\Windows\system32\Kcbfcigf.exe; PID 7456): Drops file in System32 directory
231. C:\Windows\SysWOW64\Kgnbdh32.exe (command line: C:\Windows\system32\Kgnbdh32.exe; PID 7908)
232. C:\Windows\SysWOW64\Kjlopc32.exe (command line: C:\Windows\system32\Kjlopc32.exe; PID 7404)
233. C:\Windows\SysWOW64\Kngkqbgl.exe (command line: C:\Windows\system32\Kngkqbgl.exe; PID 7424): Adds autorun key to be loaded by Explorer.exe on startup
234. C:\Windows\SysWOW64\Loighj32.exe (command line: C:\Windows\system32\Loighj32.exe; PID 8208): Adds autorun key to be loaded by Explorer.exe on startup
235. C:\Windows\SysWOW64\Lgpoihnl.exe (command line: C:\Windows\system32\Lgpoihnl.exe; PID 8244)
236. C:\Windows\SysWOW64\Lfbped32.exe (command line: C:\Windows\system32\Lfbped32.exe; PID 8284): Drops file in System32 directory
237. C:\Windows\SysWOW64\Lnjgfb32.exe (command line: C:\Windows\system32\Lnjgfb32.exe; PID 8328)
238. C:\Windows\SysWOW64\Llmhaold.exe (command line: C:\Windows\system32\Llmhaold.exe; PID 8364)
239. C:\Windows\SysWOW64\Lokdnjkg.exe (command line: C:\Windows\system32\Lokdnjkg.exe; PID 8404)
240. C:\Windows\SysWOW64\Lfeljd32.exe (command line: C:\Windows\system32\Lfeljd32.exe; PID 8444)
241. C:\Windows\SysWOW64\Ljqhkckn.exe (command line: C:\Windows\system32\Ljqhkckn.exe; PID 8488)
242. C:\Windows\SysWOW64\Llodgnja.exe (command line: C:\Windows\system32\Llodgnja.exe; PID 8528)