Analysis

max time kernel: 141s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-06-2024 23:07
Behavioral tasks

behavioral1
Sample: 0820ef123cc5c35ea59c6ea27321ed20_NeikiAnalytics.exe
Resource: win7-20240221-en

behavioral2
Sample: 0820ef123cc5c35ea59c6ea27321ed20_NeikiAnalytics.exe
Resource: win10v2004-20240508-en

The signatures below come from the behavioral2 run (platform windows10-2004_x64, resource win10v2004-20240508-en), which is why every registry path is under WOW6432Node and every dropped file lands in SysWOW64: the sample is a 32-bit executable running on a 64-bit VM.
General

Target: 0820ef123cc5c35ea59c6ea27321ed20_NeikiAnalytics.exe
Size: 6.7MB
MD5: 0820ef123cc5c35ea59c6ea27321ed20
SHA1: b729abd959fcd1ac6157f7d68ef2e7b1d3fbd333
SHA256: 0d9b70e0f8a386afa3d42e80c35e3260c33315f3d1cb39f6922fd865b9990fed
SHA512: 46b3d31b517be1bd5057aa2cf82cf878badbda36ec9c1f935db8476d0a8ec5e158b492c010671f9ae92d99127ab4126e588e985b049e1ca226a519e4a5896bec
SSDEEP: 196608:eaSHFaZRBEYyqmS2DiHPKQgwUgUjvho4wzlF65i6YxE+a3:eaSHFaZRBEYyqmS2DiHPKQg3jvZwNVO3
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

ShellServiceObjectDelayLoad (SSODL) values name CLSIDs that explorer.exe instantiates when the shell starts; the code that actually runs is the InProcServer32 DLL registered for that CLSID (see "Modifies registry class" below). Every entry in this section targets the same value name, "Web Event Logger", and the same CLSID, {79FEACFF-FFCE-815E-A900-316290B5B738}. Caveat for this x64 run: the writes land in the WOW6432Node (32-bit) view and the registered server is a 32-bit DLL in SysWow64, which the 64-bit explorer.exe cannot load in-process, so the persistence as recorded here would only take effect where explorer.exe itself is 32-bit.

Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  by (35): Fpdcag32.exe, Cgifbhid.exe, Ieojgc32.exe, 0820ef123cc5c35ea59c6ea27321ed20_NeikiAnalytics.exe, Koonge32.exe, Qepkbpak.exe, Mepfiq32.exe, Ckmonl32.exe, Gbeejp32.exe, Gbbajjlp.exe, Cefoce32.exe, Hnbeeiji.exe, Cnahdi32.exe, Gfjkjo32.exe, Kpanan32.exe, Npepkf32.exe, Bkmeha32.exe, Fjmfmh32.exe, Nndjndbh.exe, Legben32.exe, Milidebi.exe, Pmaffnce.exe, Ekodjiol.exe, Pjaleemj.exe, Jgogbgei.exe, Bckkca32.exe, Phaahggp.exe, Lhnhajba.exe, Ebdcld32.exe, Pmpolgoi.exe, Poimpapp.exe, Blielbfi.exe, Okchnk32.exe, Ddgplado.exe, Fbpchb32.exe

Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
  by (29): Pcjiff32.exe, Omjpeo32.exe, Phigif32.exe, Aahbbkaq.exe, Bbdhiojo.exe, Fiodpl32.exe, Acokhc32.exe, Dkokcl32.exe, Khlklj32.exe, Aanjpk32.exe, Gkoplk32.exe, Dakikoom.exe, Jemfhacc.exe, Kidben32.exe, Bdlfjh32.exe, Gkmdecbg.exe, Mfhbga32.exe, Dcnlnaom.exe, Bckkca32.exe, Eblpgjha.exe, Gkaclqkk.exe, Kbhmbdle.exe, Llflea32.exe, Cmedjl32.exe, Momcpa32.exe, Bohibc32.exe, Jpcapp32.exe, Phaahggp.exe, Qemhbj32.exe
Malware Dropper & Backdoor - Berbew (64 IoCs)

Berbew is a backdoor Trojan that can download and install further malware, including other Trojans, ransomware and cryptominers.

yara_rule family_berbew matched the following dropped resources, all under C:\Windows\SysWOW64\ (64 hits; Jicdap32.exe is listed twice in the source):
Nnmopdep.exe, Odpjcm32.exe, Pgjfkg32.exe, Pjkombfj.exe, Qgallfcq.exe, Qgciaf32.exe, Aegikj32.exe, Aanjpk32.exe, Cefoce32.exe, Conclk32.exe, Jpgmha32.exe, Jmpgldhg.exe, Jmbdbd32.exe, Nloiakho.exe, Ognpebpj.exe, Qqijje32.exe, Andqdh32.exe, Cfpnph32.exe, Danecp32.exe, Emcbio32.exe, Gekcaj32.exe, Ifihif32.exe, Indmnh32.exe, Jbbfdfkn.exe, Jecofa32.exe, Jicdap32.exe, Jicdap32.exe, Amfjeobf.exe, Cmipblaq.exe, Dcogje32.exe, Ehhpla32.exe, Fkpool32.exe, Jgadgf32.exe, Nemmoe32.exe, Ohghgodi.exe, Ooejohhq.exe, Pcjiff32.exe, Acfhad32.exe, Bohibc32.exe, Bckkca32.exe, Cbphdn32.exe, Dfefkkqp.exe, Dbcmakpl.exe, Eppqqn32.exe, Fikbocki.exe, Fdglmkeg.exe, Gikkfqmf.exe, Hibafp32.exe, Hkdjfb32.exe, Idcepgmg.exe, Idkkpf32.exe, Jlkipgpe.exe, Kjccdkki.exe, Lmpkadnm.exe, Lqbncb32.exe, Mjahlgpf.exe, Aahbbkaq.exe, Bhpfqcln.exe, Fiodpl32.exe, Gfhndpol.exe, Hlglidlo.exe, Ieidhh32.exe, Jokkgl32.exe, Kpanan32.exe
Executes dropped EXE (64 IoCs)

pid   process
528   Nnmopdep.exe
4340  Odpjcm32.exe
3340  Pgjfkg32.exe
1648  Pjkombfj.exe
3116  Qgallfcq.exe
1948  Qgciaf32.exe
1180  Aegikj32.exe
4184  Aanjpk32.exe
2836  Cefoce32.exe
1716  Conclk32.exe
1620  Jpgmha32.exe
4144  Jmpgldhg.exe
4980  Jmbdbd32.exe
3492  Nloiakho.exe
436   Ognpebpj.exe
2688  Qqijje32.exe
4412  Andqdh32.exe
4452  Cfpnph32.exe
1524  Danecp32.exe
3264  Emcbio32.exe
3400  Gekcaj32.exe
3804  Ifihif32.exe
3676  Indmnh32.exe
1928  Jbbfdfkn.exe
2760  Jecofa32.exe
3100  Jgdhgmep.exe
632   Jicdap32.exe
684   Amfjeobf.exe
3660  Cmipblaq.exe
1668  Dcogje32.exe
3564  Ehhpla32.exe
4900  Fkpool32.exe
3572  Hdilnojp.exe
5112  Hhfedm32.exe
3172  Inomhbeq.exe
4280  Indfca32.exe
2172  Jjjghcfp.exe
4544  Jgogbgei.exe
2952  Jgadgf32.exe
5064  Jibmgi32.exe
1568  Kghjhemo.exe
3864  Kiggbhda.exe
3468  Kqbkfkal.exe
1816  Keqdmihc.exe
1160  Kbddfmgl.exe
736   Kjpijpdg.exe
2388  Lkofdbkj.exe
2876  Licfngjd.exe
3552  Lbkkgl32.exe
2464  Lbngllob.exe
2596  Llflea32.exe
3472  Llhikacp.exe
2592  Milidebi.exe
1464  Mbenmk32.exe
3476  Mnlnbl32.exe
3288  Mnnkgl32.exe
3392  Mjellmbp.exe
4904  Mhilfa32.exe
2748  Nemmoe32.exe
1664  Nojjcj32.exe
1428  Nkqkhk32.exe
3140  Okchnk32.exe
4668  Ohghgodi.exe
2228  Ooejohhq.exe
Drops file in System32 directory (64 IoCs)

Two kinds of drop appear. The .exe rows are each stage writing the next stage of the chain (e.g. Conclk32.exe writes Jpgmha32.exe and Nemmoe32.exe writes Nojjcj32.exe, matching the launch order in "Executes dropped EXE"). The .dll rows are the in-process COM servers that the same stages register under the CLSID in "Modifies registry class" (e.g. Mnlnbl32.exe creates Fjqjajoe.dll and then points the InProcServer32 default value at it).

description | ioc | process
File opened for modification | C:\Windows\SysWOW64\Nemmoe32.exe | Mhilfa32.exe
File created | C:\Windows\SysWOW64\Jpcapp32.exe | Ieidhh32.exe
File opened for modification | C:\Windows\SysWOW64\Bhmbqm32.exe | Baannc32.exe
File opened for modification | C:\Windows\SysWOW64\Ihkjno32.exe | Hnbeeiji.exe
File created | C:\Windows\SysWOW64\Cgmhcaac.exe | Cmedjl32.exe
File created | C:\Windows\SysWOW64\Iibjhgbi.dll | Bhpfqcln.exe
File created | C:\Windows\SysWOW64\Bdeiqgkj.exe | Bkmeha32.exe
File created | C:\Windows\SysWOW64\Algheg32.dll | Jibmgi32.exe
File opened for modification | C:\Windows\SysWOW64\Nojjcj32.exe | Nemmoe32.exe
File created | C:\Windows\SysWOW64\Pnplfj32.exe | Pmpolgoi.exe
File created | C:\Windows\SysWOW64\Jcoong32.dll | Eidlnd32.exe
File created | C:\Windows\SysWOW64\Iqjpdi32.dll | Pgjfkg32.exe
File opened for modification | C:\Windows\SysWOW64\Fihnomjp.exe | Ekdnei32.exe
File created | C:\Windows\SysWOW64\Fkjmlaac.exe | Fbbicl32.exe
File created | C:\Windows\SysWOW64\Kidben32.exe | Koonge32.exe
File opened for modification | C:\Windows\SysWOW64\Fecadghc.exe | Fkjmlaac.exe
File created | C:\Windows\SysWOW64\Ojcpdg32.exe | Oiccje32.exe
File opened for modification | C:\Windows\SysWOW64\Qppaclio.exe | Pblajhje.exe
File created | C:\Windows\SysWOW64\Fjqjajoe.dll | Mnlnbl32.exe
File created | C:\Windows\SysWOW64\Emcbio32.exe | Danecp32.exe
File opened for modification | C:\Windows\SysWOW64\Jibmgi32.exe | Jgadgf32.exe
File created | C:\Windows\SysWOW64\Bckkca32.exe | Bmofagfp.exe
File opened for modification | C:\Windows\SysWOW64\Blgifbil.exe | Alelqb32.exe
File created | C:\Windows\SysWOW64\Flkdfh32.exe | Fpdcag32.exe
File created | C:\Windows\SysWOW64\Qhjmdp32.exe | Qmeigg32.exe
File opened for modification | C:\Windows\SysWOW64\Ognpebpj.exe | Nloiakho.exe
File created | C:\Windows\SysWOW64\Cpfcfmlp.exe | Cgnomg32.exe
File created | C:\Windows\SysWOW64\Glgokg32.dll | Llhikacp.exe
File created | C:\Windows\SysWOW64\Kamhmbej.dll | Dmdhcddh.exe
File created | C:\Windows\SysWOW64\Pefabkej.exe | Phaahggp.exe
File created | C:\Windows\SysWOW64\Fomnhddq.dll | Cgnomg32.exe
File opened for modification | C:\Windows\SysWOW64\Dddllkbf.exe | Cpfcfmlp.exe
File created | C:\Windows\SysWOW64\Nggmhj32.dll | Dcogje32.exe
File opened for modification | C:\Windows\SysWOW64\Qaflgago.exe | Qepkbpak.exe
File created | C:\Windows\SysWOW64\Ihejacdm.dll | Lqbncb32.exe
File created | C:\Windows\SysWOW64\Ekdnei32.exe | Eicedn32.exe
File created | C:\Windows\SysWOW64\Cpbjkn32.exe | Cgifbhid.exe
File created | C:\Windows\SysWOW64\Kdflmg32.dll | Omjpeo32.exe
File created | C:\Windows\SysWOW64\Fiboaq32.dll | Dbkqfe32.exe
File opened for modification | C:\Windows\SysWOW64\Jgpfbjlo.exe | Jilfifme.exe
File created | C:\Windows\SysWOW64\Pkpbai32.dll | Haodle32.exe
File created | C:\Windows\SysWOW64\Lpkman32.dll | Odpjcm32.exe
File created | C:\Windows\SysWOW64\Fphppfgi.dll | Kiggbhda.exe
File opened for modification | C:\Windows\SysWOW64\Piphgq32.exe | Oafcqcea.exe
File opened for modification | C:\Windows\SysWOW64\Phaahggp.exe | Poimpapp.exe
File created | C:\Windows\SysWOW64\Imnocf32.exe | Ilnbicff.exe
File created | C:\Windows\SysWOW64\Dmkalh32.dll | Fbpchb32.exe
File created | C:\Windows\SysWOW64\Ofhknodl.exe | Oplfkeob.exe
File created | C:\Windows\SysWOW64\Nhmkghpm.dll | Pjkombfj.exe
File created | C:\Windows\SysWOW64\Ghkmacoj.dll | Jpgmha32.exe
File opened for modification | C:\Windows\SysWOW64\Jpgmha32.exe | Conclk32.exe
File opened for modification | C:\Windows\SysWOW64\Mhilfa32.exe | Mjellmbp.exe
File opened for modification | C:\Windows\SysWOW64\Fikbocki.exe | Eppqqn32.exe
File created | C:\Windows\SysWOW64\Pfejnf32.dll | Idcepgmg.exe
File opened for modification | C:\Windows\SysWOW64\Pmpolgoi.exe | Pmnbfhal.exe
File created | C:\Windows\SysWOW64\Lngqkhda.dll | Pmnbfhal.exe
File created | C:\Windows\SysWOW64\Bfllfd32.dll | Kjhloj32.exe
File created | C:\Windows\SysWOW64\Lhnhajba.exe | Khlklj32.exe
File created | C:\Windows\SysWOW64\Idfplbal.dll | Indmnh32.exe
File created | C:\Windows\SysWOW64\Capqggce.dll | Bbdhiojo.exe
File opened for modification | C:\Windows\SysWOW64\Lgqfdnah.exe | Kjmfjj32.exe
File opened for modification | C:\Windows\SysWOW64\Nlhkgi32.exe | Nndjndbh.exe
File created | C:\Windows\SysWOW64\Fpkefnho.dll | Nccokk32.exe
File created | C:\Windows\SysWOW64\Mpiedk32.dll | Pjaleemj.exe
Program crash (1 IoC)

pid | pid_target | process | target process
5092 | 1144 | WerFault.exe | Gbmadd32.exe
Modifies registry class (64 IoCs)

All 64 entries are under \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32, the CLSID referenced by the ShellServiceObjectDelayLoad value above. The CLSID never changes, but the InProcServer32 default value does: each stage points it at a freshly dropped DLL in SysWow64 (Mnlnbl32.exe, for example, is shown in "Drops file in System32 directory" creating Fjqjajoe.dll and here registering it). ThreadingModel = "Apartment" is the value a shell-loaded in-proc server needs; on its own it is not suspicious.

Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
  by (17): Bhmbqm32.exe, Pjkombfj.exe, Fkpool32.exe, Jpcapp32.exe, Gfjkjo32.exe, Dqbcbkab.exe, Nloiakho.exe, Oabhfg32.exe, Nlhkgi32.exe, Kpqggh32.exe, Dkokcl32.exe, Nkqkhk32.exe, Qaflgago.exe, Cbphdn32.exe, 0820ef123cc5c35ea59c6ea27321ed20_NeikiAnalytics.exe, Qjffpe32.exe, Ekodjiol.exe

Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
  by (25): Npepkf32.exe, Mbenmk32.exe, Mnegbp32.exe, Danecp32.exe, Hlepcdoa.exe, Koonge32.exe, Modpib32.exe, Pafkgphl.exe, Gkmdecbg.exe, Flkdfh32.exe, Hnbeeiji.exe, Pgjfkg32.exe, Fkpool32.exe, Ddgplado.exe, Dkcndeen.exe, Fkjmlaac.exe, Qqijje32.exe, Aahbbkaq.exe, Pkegpb32.exe, Ecgodpgb.exe, Acfhad32.exe, Dijbno32.exe, Cnfkdb32.exe, Kpqggh32.exe, Oafcqcea.exe

Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ (default value) = DLL path, 22 entries (process -> value):
  Mnlnbl32.exe -> "C:\\Windows\\SysWow64\\Fjqjajoe.dll"
  Ojcpdg32.exe -> "C:\\Windows\\SysWow64\\Bfmpaf32.dll"
  Cdaile32.exe -> "C:\\Windows\\SysWow64\\Mgqaip32.dll"
  Bdgged32.exe -> "C:\\Windows\\SysWow64\\Qffkpn32.dll"
  Fdglmkeg.exe -> "C:\\Windows\\SysWow64\\Cjkoqgjn.dll"
  Edbiniff.exe -> "C:\\Windows\\SysWow64\\Ekellcop.dll"
  Pkegpb32.exe -> "C:\\Windows\\SysWow64\\Emhgcipb.dll"
  Hibafp32.exe -> "C:\\Windows\\SysWow64\\Dnbokg32.dll"
  Poimpapp.exe -> "C:\\Windows\\SysWow64\\Ngbjmd32.dll"
  Nloiakho.exe -> "C:\\Windows\\SysWow64\\Beapme32.dll"
  Cnaaib32.exe -> "C:\\Windows\\SysWow64\\Okhbek32.dll"
  Ekjded32.exe -> "C:\\Windows\\SysWow64\\Jfhmgagf.dll"
  Jicdap32.exe -> "C:\\Windows\\SysWow64\\Eoefilfc.dll"
  Jknfcofa.exe -> "C:\\Windows\\SysWow64\\Eonklp32.dll"
  Milidebi.exe -> "C:\\Windows\\SysWow64\\Nbbond32.dll"
  Mjahlgpf.exe -> "C:\\Windows\\SysWow64\\Cjibekmc.dll"
  Andqdh32.exe -> "C:\\Windows\\SysWow64\\Flgehc32.dll"
  Lkofdbkj.exe -> "C:\\Windows\\SysWow64\\Fplbgk32.dll"
  Ikpjbq32.exe -> "C:\\Windows\\SysWow64\\Dcnfjkma.dll"
  Pblajhje.exe -> "C:\\Windows\\SysWow64\\Gohlkq32.dll"
  Ccbadp32.exe -> "C:\\Windows\\SysWow64\\Jkakadbk.dll"
  Ojemig32.exe -> "C:\\Windows\\SysWow64\\Ljgmjm32.dll"
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Processes

Each entry gives the nesting depth in brackets, the process name, its PID and the signatures that process triggered. The submitted sample runs from C:\Users\Admin\AppData\Local\Temp\; every later process is a dropped copy whose image path is C:\Windows\SysWOW64\<name> and whose command line is C:\Windows\system32\<name>.

[1] 0820ef123cc5c35ea59c6ea27321ed20_NeikiAnalytics.exe (PID 1476; command line: "C:\Users\Admin\AppData\Local\Temp\0820ef123cc5c35ea59c6ea27321ed20_NeikiAnalytics.exe"): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class; Suspicious use of WriteProcessMemory
[2] Nnmopdep.exe (PID 528): Executes dropped EXE; Suspicious use of WriteProcessMemory
[3] Odpjcm32.exe (PID 4340): Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
[4] Pgjfkg32.exe (PID 3340): Executes dropped EXE; Drops file in System32 directory; Modifies registry class; Suspicious use of WriteProcessMemory
[5] Pjkombfj.exe (PID 1648): Executes dropped EXE; Drops file in System32 directory; Modifies registry class; Suspicious use of WriteProcessMemory
[6] Qgallfcq.exe (PID 3116): Executes dropped EXE; Suspicious use of WriteProcessMemory
[7] Qgciaf32.exe (PID 1948): Executes dropped EXE; Suspicious use of WriteProcessMemory
[8] Aegikj32.exe (PID 1180): Executes dropped EXE; Suspicious use of WriteProcessMemory
[9] Aanjpk32.exe (PID 4184): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
[10] Cefoce32.exe (PID 2836): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
[11] Conclk32.exe (PID 1716): Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
[12] Jpgmha32.exe (PID 1620): Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
[13] Jmpgldhg.exe (PID 4144): Executes dropped EXE; Suspicious use of WriteProcessMemory
[14] Jmbdbd32.exe (PID 4980): Executes dropped EXE; Suspicious use of WriteProcessMemory
[15] Nloiakho.exe (PID 3492): Executes dropped EXE; Drops file in System32 directory; Modifies registry class; Suspicious use of WriteProcessMemory
[16] Ognpebpj.exe (PID 436): Executes dropped EXE; Suspicious use of WriteProcessMemory
[17] Qqijje32.exe (PID 2688): Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
[18] Andqdh32.exe (PID 4412): Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
[19] Cfpnph32.exe (PID 4452): Executes dropped EXE; Suspicious use of WriteProcessMemory
[20] Danecp32.exe (PID 1524): Executes dropped EXE; Drops file in System32 directory; Modifies registry class; Suspicious use of WriteProcessMemory
[21] Emcbio32.exe (PID 3264): Executes dropped EXE; Suspicious use of WriteProcessMemory
[22] Gekcaj32.exe (PID 3400): Executes dropped EXE; Suspicious use of WriteProcessMemory
[23] Ifihif32.exe (PID 3804): Executes dropped EXE
[24] Indmnh32.exe (PID 3676): Executes dropped EXE; Drops file in System32 directory
[25] Jbbfdfkn.exe (PID 1928): Executes dropped EXE
[26] Jecofa32.exe (PID 2760): Executes dropped EXE
[27] Jgdhgmep.exe (PID 3100): Executes dropped EXE
[28] Jicdap32.exe (PID 632): Executes dropped EXE; Modifies registry class
[29] Amfjeobf.exe (PID 684): Executes dropped EXE
[30] Cmipblaq.exe (PID 3660): Executes dropped EXE
[31] Dcogje32.exe (PID 1668): Executes dropped EXE; Drops file in System32 directory
[32] Ehhpla32.exe (PID 3564): Executes dropped EXE
[33] Fkpool32.exe (PID 4900): Executes dropped EXE; Modifies registry class
[34] Hdilnojp.exe (PID 3572): Executes dropped EXE
[35] Hhfedm32.exe (PID 5112): Executes dropped EXE
[36] Inomhbeq.exe (PID 3172): Executes dropped EXE
[37] Indfca32.exe (PID 4280): Executes dropped EXE
[38] Jjjghcfp.exe (PID 2172): Executes dropped EXE
[39] Jgogbgei.exe (PID 4544): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
[40] Jgadgf32.exe (PID 2952): Executes dropped EXE; Drops file in System32 directory
[41] Jibmgi32.exe (PID 5064): Executes dropped EXE; Drops file in System32 directory
[42] Kghjhemo.exe (PID 1568): Executes dropped EXE
[43] Kiggbhda.exe (PID 3864): Executes dropped EXE; Drops file in System32 directory
[44] Kqbkfkal.exe (PID 3468): Executes dropped EXE
[45] Keqdmihc.exe (PID 1816): Executes dropped EXE
[46] Kbddfmgl.exe (PID 1160): Executes dropped EXE
[47] Kjpijpdg.exe (PID 736): Executes dropped EXE
[48] Lkofdbkj.exe (PID 2388): Executes dropped EXE; Modifies registry class
[49] Licfngjd.exe (PID 2876): Executes dropped EXE
[50] Lbkkgl32.exe (PID 3552): Executes dropped EXE
[51] Lbngllob.exe (PID 2464): Executes dropped EXE
[52] Llflea32.exe (PID 2596): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
[53] Llhikacp.exe (PID 3472): Executes dropped EXE; Drops file in System32 directory
[54] Milidebi.exe (PID 2592): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class
[55] Mbenmk32.exe (PID 1464): Executes dropped EXE; Modifies registry class
[56] Mnlnbl32.exe (PID 3476): Executes dropped EXE; Drops file in System32 directory; Modifies registry class
[57] Mnnkgl32.exe (PID 3288): Executes dropped EXE
[58] Mjellmbp.exe (PID 3392): Executes dropped EXE; Drops file in System32 directory
[59] Mhilfa32.exe (PID 4904): Executes dropped EXE; Drops file in System32 directory
[60] Nemmoe32.exe (PID 2748): Executes dropped EXE; Drops file in System32 directory
[61] Nojjcj32.exe (PID 1664): Executes dropped EXE
[62] Nkqkhk32.exe (PID 1428): Executes dropped EXE; Modifies registry class
[63] Okchnk32.exe (PID 3140): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
[64] Ohghgodi.exe (PID 4668): Executes dropped EXE
[65] Ooejohhq.exe (PID 2228): Executes dropped EXE
[66] Oafcqcea.exe (PID 728): Drops file in System32 directory; Modifies registry class
[67] Piphgq32.exe (PID 4848)
[68] Pakllc32.exe (PID 3008)
[69] Pcjiff32.exe (PID 1656): Adds autorun key to be loaded by Explorer.exe on startup
[70] Pcmeke32.exe (PID 180)
[71] Plejdkmm.exe (PID 2680)
[72] Qepkbpak.exe (PID 3460): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
[73] Qaflgago.exe (PID 4612): Modifies registry class
[74] Acfhad32.exe (PID 3056): Modifies registry class
[75] Ahgjejhd.exe (PID 4340)
[76] Abponp32.exe (PID 528)
[77] Acokhc32.exe (PID 1528): Adds autorun key to be loaded by Explorer.exe on startup
[78] Bbdhiojo.exe (PID 4552): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
[79] Bohibc32.exe (PID 4820): Adds autorun key to be loaded by Explorer.exe on startup
[80] Bmofagfp.exe (PID 5000): Drops file in System32 directory
[81] Bckkca32.exe (PID 3388): Adds autorun key to be loaded by Explorer.exe on startup
[82] Cbphdn32.exe (PID 4824): Modifies registry class
[83] Ccbadp32.exe (PID 2008): Modifies registry class
[84] Dfefkkqp.exe (PID 1192)
[85] Dfgcakon.exe (PID 4608)
[86] Dmdhcddh.exe (PID 5176): Drops file in System32 directory
[87] Dbcmakpl.exe (PID 5216)
[88] Elpkep32.exe (PID 5256)
[89] Eidlnd32.exe (PID 5300): Drops file in System32 directory
[90] Eblpgjha.exe (PID 5344): Adds autorun key to be loaded by Explorer.exe on startup
[91] Eppqqn32.exe (PID 5384): Drops file in System32 directory
[92] Fikbocki.exe (PID 5428)
[93] Flngfn32.exe (PID 5472)
[94] Fdglmkeg.exe (PID 5516): Modifies registry class
[95] Gmbmkpie.exe (PID 5564)
[96] Gikkfqmf.exe (PID 5604)
[97] Gkmdecbg.exe (PID 5644): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
[98] Hibafp32.exe (PID 5684): Modifies registry class
[99] Hkdjfb32.exe (PID 5732)
[100] Hkicaahi.exe (PID 5776)
[101] Idcepgmg.exe (PID 5816): Drops file in System32 directory
[102] Ikpjbq32.exe (PID 5856): Modifies registry class
[103] Idkkpf32.exe (PID 5908)
[104] Jjjpnlbd.exe (PID 5964)
[105] Jlkipgpe.exe (PID 6016)
[106] Jknfcofa.exe (PID 6072): Modifies registry class
[107] Kjccdkki.exe (PID 6116)
[108] Kjhloj32.exe (PID 4468): Drops file in System32 directory
[109] Kmieae32.exe (PID 4184)
[110] Kjmfjj32.exe (PID 5168): Drops file in System32 directory
[111] Lgqfdnah.exe (PID 5240)
[112] Lddgmbpb.exe (PID 5292)
[113] Lmpkadnm.exe (PID 5372)
[114] Ljfhqh32.exe (PID 5444)
[115] Lqbncb32.exe (PID 5508): Drops file in System32 directory
[116] Mepfiq32.exe (PID 5580): Adds autorun key to be loaded by Explorer.exe on startup
[117] Mmnhcb32.exe (PID 5652)
[118] Mjahlgpf.exe (PID 5728): Modifies registry class
[119] Nmenca32.exe (PID 5784)
[120] Nndjndbh.exe (PID 5840): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
[121] Nlhkgi32.exe (PID 5924): Modifies registry class
[122] Nccokk32.exe (PID 5980): Drops file in System32 directory
[123] Ndflak32.exe (PID 6028)
[124] Najmjokc.exe (PID 6080)
[125] Onnmdcjm.exe (PID 6140)
[126] Olanmgig.exe (PID 2176)
[127] Oldjcg32.exe (PID 5160)
[128] Odoogi32.exe (PID 5268)
[129] Oacoqnci.exe (PID 5380)
[130] Omjpeo32.exe (PID 5468): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
[131] Poimpapp.exe (PID 5500): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory; Modifies registry class
[132] Phaahggp.exe (PID 5692): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
[133] Pefabkej.exe (PID 5404)
[134] Pmaffnce.exe (PID 5940): Adds autorun key to be loaded by Explorer.exe on startup
[135] Pkegpb32.exe (PID 6048): Modifies registry class
[136] Phigif32.exe (PID 3892): Adds autorun key to be loaded by Explorer.exe on startup
[137] Qemhbj32.exe (PID 2884): Adds autorun key to be loaded by Explorer.exe on startup
[138] Qmhlgmmm.exe (PID 3128)
[139] Qklmpalf.exe (PID 5368)
[140] Addaif32.exe (PID 5560)
[141] Aahbbkaq.exe (PID 5672): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
[142] Alpbecod.exe (PID 988)
[143] Albpkc32.exe (PID 4732)
[144] Alelqb32.exe (PID 3060): Drops file in System32 directory
[145] Blgifbil.exe (PID 5424)
[146] Blielbfi.exe (PID 5484): Adds autorun key to be loaded by Explorer.exe on startup
[147] Bhpfqcln.exe (PID 5900): Drops file in System32 directory
[148] Bdgged32.exe (PID 4476): Modifies registry class
[149] Bffcpg32.exe (PID 5336)
[150] Cnahdi32.exe (PID 1012): Adds autorun key to be loaded by Explorer.exe on startup
[151] Coadnlnb.exe (PID 4352)
[152] Cbbnpg32.exe (PID 5824)
[153] Cofnik32.exe (PID 4376)
[154] Ckmonl32.exe (PID 1136): Adds autorun key to be loaded by Explorer.exe on startup
[155] Dkokcl32.exe (PID 5620): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
[156] Ddgplado.exe (PID 4684): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
[157] Dbkqfe32.exe (PID 5640): Drops file in System32 directory
[158] Dnbakghm.exe (PID 2128)
[159] Dmcain32.exe (PID 800)
[160] Dijbno32.exe (PID 6092): Modifies registry class
[161] Deqcbpld.exe (PID 5812)
[162] Ebdcld32.exe (PID 1092): Adds autorun key to be loaded by Explorer.exe on startup
[163] Eoideh32.exe (PID 2236)
[164] Ekodjiol.exe (PID 2688): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
[165] Eicedn32.exe (PID 6180): Drops file in System32 directory
[166] Ekdnei32.exe (PID 6224): Drops file in System32 directory
[167] Fihnomjp.exe (PID 6272)
[168] Fbpchb32.exe (PID 6320): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
[169] Fpdcag32.exe (PID 6372): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
[170] Flkdfh32.exe (PID 6416): Modifies registry class
[171] Fiodpl32.exe (PID 6464): Adds autorun key to be loaded by Explorer.exe on startup
[172] Fpkibf32.exe (PID 6512)
[173] Gfhndpol.exe (PID 6560)
[174] Gfjkjo32.exe (PID 6604): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
[175] Gnepna32.exe (PID 6648)
[176] Gmfplibd.exe (PID 6700)
[177] Geaepk32.exe (PID 6748)
[178] Gbeejp32.exe (PID 6796): Adds autorun key to be loaded by Explorer.exe on startup
[179] Hibjli32.exe (PID 6844)
[180] Hehkajig.exe (PID 6892)
[181] Hblkjo32.exe (PID 6940)
[182] Hlepcdoa.exe (PID 6984): Modifies registry class
[183] Hlglidlo.exe (PID 7028)
[184] Imgicgca.exe (PID 7072)
[185] Ilnbicff.exe (PID 7116): Drops file in System32 directory
[186] Imnocf32.exe (PID 6148)
[187] Ieidhh32.exe (PID 6212): Drops file in System32 directory
[188] Jpcapp32.exe (PID 2840): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
[189] Jilfifme.exe (PID 6360): Drops file in System32 directory
[190] Jgpfbjlo.exe (PID 6460)
[191] Jokkgl32.exe (PID 6524)
[192] Kgflcifg.exe (PID 6632)
[193] Kcmmhj32.exe (PID 6708)
[194] Kpanan32.exe (PID 6756): Adds autorun key to be loaded by Explorer.exe on startup
[195] Lcdciiec.exe (PID 6820)
[196] Llmhaold.exe (PID 6900)
[197] Ljqhkckn.exe (PID 6972)
[198] Lcimdh32.exe (PID 7012)
[199] Lgibpf32.exe (PID 7124)
[200] Mnegbp32.exe (PID 6856): Modifies registry class
[201] Mfqlfb32.exe (PID 6192)
[202] Moipoh32.exe (PID 3088)
[203] Mfhbga32.exe (PID 6396): Adds autorun key to be loaded by Explorer.exe on startup
[204] Njfkmphe.exe (PID 6496)
[205] Ngjkfd32.exe (PID 6552)
[206] Npepkf32.exe (PID 6624): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
[207] Npgmpf32.exe (PID 6664)
[208] Nnhmnn32.exe (PID 6744)
[209] Nfcabp32.exe (PID 6828)
[210] Oplfkeob.exe (PID 6968): Drops file in System32 directory
[211] Ofhknodl.exe (PID 7044)
[212] Ofkgcobj.exe (PID 7036)
[213] Opclldhj.exe (PID 6168)
[214] Oabhfg32.exe (PID 6284): Modifies registry class
[215] Pmnbfhal.exe (PID 6392): Drops file in System32 directory
[216] Pmpolgoi.exe (PID 6448): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
[217] Pnplfj32.exe (PID 6612)
[218] Qmeigg32.exe (PID 6720): Drops file in System32 directory
[219] Qhjmdp32.exe (PID 6792)
[220] Aogbfi32.exe (PID 7024)
[221] Aagkhd32.exe (PID 6160)
[222] Aajhndkb.exe (PID 7108)
[223] Akdilipp.exe (PID 6424)
[224] Baannc32.exe (PID 6600): Drops file in System32 directory
[225] Bhmbqm32.exe (PID 6860): Modifies registry class
[226] Baegibae.exe (PID 4512)
[227] Bknlbhhe.exe (PID 3260)
[228] Cnaaib32.exe (PID 1928): Modifies registry class
[229] Cgifbhid.exe (PID 6656): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
[230] Cpbjkn32.exe (PID 7080)
[231] Cnfkdb32.exe (PID 6488): Modifies registry class
[232] Cgnomg32.exe (PID 6772): Drops file in System32 directory
[233] Cpfcfmlp.exe (PID 7140): Drops file in System32 directory
[234] Dddllkbf.exe (PID 6804)
[235] Dhbebj32.exe (PID 7112)
[236] Dakikoom.exe (PID 7048): Adds autorun key to be loaded by Explorer.exe on startup
[237] Dkcndeen.exe (PID 6244): Modifies registry class
[238] Dqbcbkab.exe (PID 6280): Modifies registry class
[239] Ekjded32.exe (PID 7192): Modifies registry class
[240] Edbiniff.exe (PID 7236): Modifies registry class
[241] Enkmfolf.exe (PID 7280)
[242] Ekonpckp.exe (PID 7328)