Analysis
max time kernel: 144s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-06-2024 00:58

Behavioral task: behavioral1
Sample: 18089e6523289161cdf87f3abb854a70_NeikiAnalytics.exe
Resource: win7-20240508-en

Behavioral task: behavioral2
Sample: 18089e6523289161cdf87f3abb854a70_NeikiAnalytics.exe
Resource: win10v2004-20240226-en

General
Target: 18089e6523289161cdf87f3abb854a70_NeikiAnalytics.exe
Size: 224KB
MD5: 18089e6523289161cdf87f3abb854a70
SHA1: b2bca637d54837f07cae4cd83664beb495038a07
SHA256: beec77e98e3804abb01b0abce66988f949b299ce75d164645e8f5ab66ba5d1cc
SHA512: 305dd5501e5c4b1dfb652bb6b0fdbfee902a50a710e731734fb2c05878fb0c2c8d61ef01f9cdc160a2940c6003f26ef52196ed2d2b18546954646b9f87471ee1
SSDEEP: 3072:UL6bxYC9fk7h+4eyppwoTRBmDRGGurhUXvBj2QE2HegPelTeIdI7jFH8:Uf7UzPm7U5j2QE2+g24Id2jFH8

Malware Config

Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mfpell32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Nimmifgo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cibain32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nnabladg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pbjddh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Abgcqjhp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ngipjp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Odbpij32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ekcgkb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dcphdqmj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jdjfohjg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Pcbdcf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dpefaq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Poeahaib.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Chiblk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Odjmdocp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hqddqj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Onmahojj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Poeahaib.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Leabphmp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ndlacapp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ldkhlcnb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ncmaai32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Lmgfod32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jcpojk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gcnnllcg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ldbefe32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cblebgfh.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oeamcmmo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dpihbjmg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Elnehifk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Illfdc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Lchfib32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Libido32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gifkpknp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ihpcinld.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fkcpql32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cleqfb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bichcc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Fneggdhg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mjpjgj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aidomjaf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Iglhob32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kjpgmj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ofbdncaj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bjcmpepm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Cibain32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ajjjjghg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Efampahd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Icbbimih.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ahkkhnpg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ijbbfc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Kdpiqehp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Cblebgfh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Inidkb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lojfin32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Gjhonp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Eikpan32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Gpbpbecj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Adfgdpmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Keimof32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aalmimfd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Icefib32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Pgaelcgm.exe
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource | yara_rule
C:\Windows\SysWOW64\Oacoqnci.exe | family_berbew
C:\Windows\SysWOW64\Poimpapp.exe | family_berbew
C:\Windows\SysWOW64\Poliea32.exe | family_berbew
C:\Windows\SysWOW64\Ponfka32.exe | family_berbew
C:\Windows\SysWOW64\Phfjcf32.exe | family_berbew
C:\Windows\SysWOW64\Pkgcea32.exe | family_berbew
C:\Windows\SysWOW64\Qoelkp32.exe | family_berbew
C:\Windows\SysWOW64\Amjillkj.exe | family_berbew
C:\Windows\SysWOW64\Anmfbl32.exe | family_berbew
C:\Windows\SysWOW64\Aefjii32.exe | family_berbew
C:\Windows\SysWOW64\Albpkc32.exe | family_berbew
C:\Windows\SysWOW64\Bemqih32.exe | family_berbew
C:\Windows\SysWOW64\Bklfgo32.exe | family_berbew
C:\Windows\SysWOW64\Bahkih32.exe | family_berbew
C:\Windows\SysWOW64\Bdickcpo.exe | family_berbew
C:\Windows\SysWOW64\Ckeimm32.exe | family_berbew
C:\Windows\SysWOW64\Cdpjlb32.exe | family_berbew
C:\Windows\SysWOW64\Fneggdhg.exe | family_berbew
C:\Windows\SysWOW64\Fimhjl32.exe | family_berbew
C:\Windows\SysWOW64\Fpimlfke.exe | family_berbew
C:\Windows\SysWOW64\Fpkibf32.exe | family_berbew
C:\Windows\SysWOW64\Gifkpknp.exe | family_berbew
C:\Windows\SysWOW64\Gpbpbecj.exe | family_berbew
C:\Windows\SysWOW64\Gimqajgh.exe | family_berbew
C:\Windows\SysWOW64\Hbhboolf.exe | family_berbew
C:\Windows\SysWOW64\Hmpcbhji.exe | family_berbew
C:\Windows\SysWOW64\Hfjdqmng.exe | family_berbew
C:\Windows\SysWOW64\Imgicgca.exe | family_berbew
C:\Windows\SysWOW64\Illfdc32.exe | family_berbew
C:\Windows\SysWOW64\Ilnbicff.exe | family_berbew
C:\Windows\SysWOW64\Iplkpa32.exe | family_berbew
C:\Windows\SysWOW64\Joahqn32.exe | family_berbew
C:\Windows\SysWOW64\Qhhpop32.exe | family_berbew
C:\Windows\SysWOW64\Qfmmplad.exe | family_berbew
C:\Windows\SysWOW64\Adfgdpmi.exe | family_berbew
C:\Windows\SysWOW64\Amcehdod.exe | family_berbew
C:\Windows\SysWOW64\Cdkifmjq.exe | family_berbew
C:\Windows\SysWOW64\Dafppp32.exe | family_berbew
C:\Windows\SysWOW64\Ekcgkb32.exe | family_berbew
C:\Windows\SysWOW64\Fqgedh32.exe | family_berbew
C:\Windows\SysWOW64\Gejhef32.exe | family_berbew
C:\Windows\SysWOW64\Gngeik32.exe | family_berbew
C:\Windows\SysWOW64\Ihmfco32.exe | family_berbew
C:\Windows\SysWOW64\Iolhkh32.exe | family_berbew
C:\Windows\SysWOW64\Jahqiaeb.exe | family_berbew
C:\Windows\SysWOW64\Lchfib32.exe | family_berbew
C:\Windows\SysWOW64\Mfbaalbi.exe | family_berbew
C:\Windows\SysWOW64\Omalpc32.exe | family_berbew
C:\Windows\SysWOW64\Pakdbp32.exe | family_berbew
C:\Windows\SysWOW64\Qjhbfd32.exe | family_berbew
C:\Windows\SysWOW64\Aiplmq32.exe | family_berbew
C:\Windows\SysWOW64\Bmbnnn32.exe | family_berbew
C:\Windows\SysWOW64\Bphqji32.exe | family_berbew
C:\Windows\SysWOW64\Cibain32.exe | family_berbew
C:\Windows\SysWOW64\Dpjfgf32.exe | family_berbew
C:\Windows\SysWOW64\Eqkondfl.exe | family_berbew
C:\Windows\SysWOW64\Fboecfii.exe | family_berbew
C:\Windows\SysWOW64\Ggepalof.exe | family_berbew
C:\Windows\SysWOW64\Hbfdjc32.exe | family_berbew
C:\Windows\SysWOW64\Hcjmhk32.exe | family_berbew
C:\Windows\SysWOW64\Iabglnco.exe | family_berbew
C:\Windows\SysWOW64\Kejloi32.exe | family_berbew
C:\Windows\SysWOW64\Lkqgno32.exe | family_berbew
C:\Windows\SysWOW64\Ncaklhdi.exe | family_berbew
Executes dropped EXE (64 IoCs)
pid | process
3600 | Oacoqnci.exe
3464 | Poimpapp.exe
2180 | Poliea32.exe
1208 | Ponfka32.exe
1692 | Phfjcf32.exe
1436 | Pkgcea32.exe
980 | Qoelkp32.exe
3868 | Amjillkj.exe
1212 | Anmfbl32.exe
4492 | Aefjii32.exe
380 | Albpkc32.exe
1804 | Bemqih32.exe
2176 | Bklfgo32.exe
2816 | Bahkih32.exe
5004 | Bdickcpo.exe
4552 | Ckeimm32.exe
1624 | Cdpjlb32.exe
4560 | Fneggdhg.exe
1560 | Fimhjl32.exe
3100 | Fpimlfke.exe
2364 | Fpkibf32.exe
1556 | Gifkpknp.exe
1728 | Gpbpbecj.exe
4376 | Gimqajgh.exe
2244 | Hbhboolf.exe
4336 | Hmpcbhji.exe
3608 | Hfjdqmng.exe
572 | Imgicgca.exe
3692 | Illfdc32.exe
4996 | Ilnbicff.exe
2316 | Iplkpa32.exe
684 | Joahqn32.exe
4268 | Jpaekqhh.exe
5080 | Jlgepanl.exe
3712 | Jepjhg32.exe
2788 | Jcdjbk32.exe
1184 | Keimof32.exe
3900 | Kpanan32.exe
1912 | Knenkbio.exe
3080 | Kgnbdh32.exe
1256 | Lfbped32.exe
2356 | Lqkqhm32.exe
3192 | Lckiihok.exe
4696 | Ljhnlb32.exe
2032 | Mmhgmmbf.exe
2972 | Moipoh32.exe
2292 | Mnmmboed.exe
1900 | Nnojho32.exe
788 | Nflkbanj.exe
4168 | Nmipdk32.exe
3744 | Onkidm32.exe
3968 | Ocjoadei.exe
3284 | Onapdl32.exe
4820 | Omgmeigd.exe
1272 | Pnfiplog.exe
2416 | Pnifekmd.exe
4512 | Ppjbmc32.exe
2072 | Pplobcpp.exe
4468 | Pfiddm32.exe
4860 | Qhhpop32.exe
2340 | Qfmmplad.exe
3628 | Aogbfi32.exe
1536 | Ahofoogd.exe
1548 | Adfgdpmi.exe
Drops file in System32 directory (64 IoCs)
description | ioc | process
File created | C:\Windows\SysWOW64\Alcolgqi.dll | Eihcln32.exe
File created | C:\Windows\SysWOW64\Nhhdnf32.exe | Nckkfp32.exe
File opened for modification | C:\Windows\SysWOW64\Inidkb32.exe | Ibbcfa32.exe
File created | C:\Windows\SysWOW64\Ndlacapp.exe | Nkcmjlio.exe
File created | C:\Windows\SysWOW64\Painhneh.dll | Gnoacp32.exe
File created | C:\Windows\SysWOW64\Klgnnd32.dll | Bejhhd32.exe
File created | C:\Windows\SysWOW64\Ihpcinld.exe | Ihmfco32.exe
File created | C:\Windows\SysWOW64\Jkmmde32.dll | Bmjkic32.exe
File opened for modification | C:\Windows\SysWOW64\Gejhef32.exe | Gicgpelg.exe
File created | C:\Windows\SysWOW64\Hfibjl32.dll | Gngeik32.exe
File created | C:\Windows\SysWOW64\Nodiqp32.exe | Nfldgk32.exe
File created | C:\Windows\SysWOW64\Kjbdbjbi.exe | Kjpgmj32.exe
File created | C:\Windows\SysWOW64\Iblhpckf.dll | Lfbped32.exe
File opened for modification | C:\Windows\SysWOW64\Moipoh32.exe | Mmhgmmbf.exe
File created | C:\Windows\SysWOW64\Hhdcmp32.exe | Hpioin32.exe
File created | C:\Windows\SysWOW64\Dcmlbk32.dll | Ldkhlcnb.exe
File created | C:\Windows\SysWOW64\Mcoepkdo.exe | Mclhjkfa.exe
File opened for modification | C:\Windows\SysWOW64\Apgqie32.exe | Abpcja32.exe
File created | C:\Windows\SysWOW64\Ngllodpm.dll | Cffkhl32.exe
File created | C:\Windows\SysWOW64\Hpqkcc32.dll | Pgaelcgm.exe
File created | C:\Windows\SysWOW64\Anmfbl32.exe | Amjillkj.exe
File created | C:\Windows\SysWOW64\Dhhmleng.dll | Onapdl32.exe
File created | C:\Windows\SysWOW64\Jbccge32.exe | Jadgnb32.exe
File created | C:\Windows\SysWOW64\Nckkfp32.exe | Njbgmjgl.exe
File created | C:\Windows\SysWOW64\Eddnic32.exe | Enhifi32.exe
File created | C:\Windows\SysWOW64\Nhjjip32.exe | Ncmaai32.exe
File created | C:\Windows\SysWOW64\Adokoq32.dll | Icefib32.exe
File opened for modification | C:\Windows\SysWOW64\Pdpmkhjl.exe | Philfgdh.exe
File created | C:\Windows\SysWOW64\Pkgcea32.exe | Phfjcf32.exe
File created | C:\Windows\SysWOW64\Nlccpl32.dll | Gipbck32.exe
File created | C:\Windows\SysWOW64\Fifomlap.exe | Flboch32.exe
File created | C:\Windows\SysWOW64\Lkqgno32.exe | Ldfoad32.exe
File opened for modification | C:\Windows\SysWOW64\Bipnihgi.exe | Bcbeqaia.exe
File opened for modification | C:\Windows\SysWOW64\Egbdjhlp.exe | Eebgqe32.exe
File created | C:\Windows\SysWOW64\Qfiale32.dll | Jmdjha32.exe
File created | C:\Windows\SysWOW64\Dblamanm.dll | Padnaq32.exe
File created | C:\Windows\SysWOW64\Ekpidqbi.dll | Nhffijdm.exe
File opened for modification | C:\Windows\SysWOW64\Beobcdoi.exe | Bejhhd32.exe
File created | C:\Windows\SysWOW64\Cfjnhe32.exe | Cldjkl32.exe
File opened for modification | C:\Windows\SysWOW64\Kqdodo32.exe | Jcpojk32.exe
File opened for modification | C:\Windows\SysWOW64\Cleqfb32.exe | Clbdpc32.exe
File opened for modification | C:\Windows\SysWOW64\Pbjddh32.exe | Pbhgoh32.exe
File opened for modification | C:\Windows\SysWOW64\Cfjnhe32.exe | Cldjkl32.exe
File opened for modification | C:\Windows\SysWOW64\Fgffka32.exe | Elnehifk.exe
File opened for modification | C:\Windows\SysWOW64\Iiokacgp.exe | Icbbimih.exe
File created | C:\Windows\SysWOW64\Jokpcmmj.exe | Igpkok32.exe
File opened for modification | C:\Windows\SysWOW64\Jokpcmmj.exe | Igpkok32.exe
File created | C:\Windows\SysWOW64\Momael32.dll | Diafqi32.exe
File created | C:\Windows\SysWOW64\Joahqn32.exe | Iplkpa32.exe
File created | C:\Windows\SysWOW64\Famkjfqd.dll | Lqkqhm32.exe
File opened for modification | C:\Windows\SysWOW64\Chiblk32.exe | Cdkifmjq.exe
File created | C:\Windows\SysWOW64\Iolhkh32.exe | Iiopca32.exe
File created | C:\Windows\SysWOW64\Kefjdppe.dll | Mdbnmbhj.exe
File opened for modification | C:\Windows\SysWOW64\Fnqebaog.exe | Flaiho32.exe
File opened for modification | C:\Windows\SysWOW64\Dfngcdhi.exe | Dlicflic.exe
File opened for modification | C:\Windows\SysWOW64\Gjghdj32.exe | Glchjedc.exe
File opened for modification | C:\Windows\SysWOW64\Imgicgca.exe | Hfjdqmng.exe
File created | C:\Windows\SysWOW64\Bpncbp32.dll | Lmkipncc.exe
File opened for modification | C:\Windows\SysWOW64\Nhafcd32.exe | Nfaijand.exe
File created | C:\Windows\SysWOW64\Eldlhckj.exe | Dhfcae32.exe
File opened for modification | C:\Windows\SysWOW64\Hcipcnac.exe | Hfeoijbi.exe
File created | C:\Windows\SysWOW64\Albpkc32.exe | Aefjii32.exe
File created | C:\Windows\SysWOW64\Ilnbicff.exe | Illfdc32.exe
File opened for modification | C:\Windows\SysWOW64\Amcehdod.exe | Aonhghjl.exe
Program crash (1 IoC)
pid | pid_target | process | target process
6168 | 5516 | WerFault.exe | Eldlhckj.exe
Modifies registry class (64 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhkkfnao.dll" | Ijbbfc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afdmjk32.dll" | Kcgekjgp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ckmmpg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Klpakj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Kpnjah32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Pakdbp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Dbphcpog.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Dbphcpog.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckbcpc32.dll" | Pfiddm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Mdjjgggk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ogbbqo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Famnbgil.dll" | Apimodmh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Cldjkl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Efampahd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Kgnbdh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Mfbaalbi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Odjmdocp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Cpcila32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Hphfac32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Pnfiplog.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdnoeb32.dll" | Qjhbfd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbhkkpon.dll" | Bipnihgi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Mklpof32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bihhkm32.dll" | Nnabladg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Pojjcp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Mjafoapj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Pbhgoh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Pokanf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Jgjeppkp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngcdji32.dll" | Eppobi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkcboj32.dll" | Fgjpfqpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ljffccjh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Kalcik32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qagfppeh.dll" | Ldbefe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiinbn32.dll" | Dedkogqm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Kpanan32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Bjhkmbho.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anbgamkp.dll" | Bipecnkd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcmlbk32.dll" | Ldkhlcnb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofacao32.dll" | Aijeme32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eleqaiga.dll" | Mnmmboed.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipamlopb.dll" | Ljpaqmgb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Modpib32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Iiopca32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Oflmnh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Qjhbfd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdqaqhbj.dll" | Bphqji32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Dcphdqmj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Joahqn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Moipoh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Egohdegl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eobdnbdn.dll" | Odjmdocp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Abpcja32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ngemjg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Noehac32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fofobm32.dll" | Fboecfii.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Lkqgno32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Mcoepkdo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppbeie32.dll" | Bihhhi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Hfnpca32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Doqbifpl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcolgqi.dll" | Eihcln32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Chiblk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flpoofmk.dll" | Feenjgfq.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
Process chain (depth. image path (PID): signatures triggered). Each entry is the child of the one above it. Entry 1 was run as "C:\Users\Admin\AppData\Local\Temp\18089e6523289161cdf87f3abb854a70_NeikiAnalytics.exe"; every later entry was started with the command line C:\Windows\system32\<image name> and loaded from C:\Windows\SysWOW64.
1. C:\Users\Admin\AppData\Local\Temp\18089e6523289161cdf87f3abb854a70_NeikiAnalytics.exe (PID 3076): Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Oacoqnci.exe (PID 3600): Executes dropped EXE; Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Poimpapp.exe (PID 3464): Executes dropped EXE; Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Poliea32.exe (PID 2180): Executes dropped EXE; Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Ponfka32.exe (PID 1208): Executes dropped EXE; Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Phfjcf32.exe (PID 1692): Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Pkgcea32.exe (PID 1436): Executes dropped EXE; Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Qoelkp32.exe (PID 980): Executes dropped EXE; Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Amjillkj.exe (PID 3868): Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Anmfbl32.exe (PID 1212): Executes dropped EXE; Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Aefjii32.exe (PID 4492): Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Albpkc32.exe (PID 380): Executes dropped EXE; Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Bemqih32.exe (PID 1804): Executes dropped EXE; Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Bklfgo32.exe (PID 2176): Executes dropped EXE; Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Bahkih32.exe (PID 2816): Executes dropped EXE; Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Bdickcpo.exe (PID 5004): Executes dropped EXE; Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Ckeimm32.exe (PID 4552): Executes dropped EXE; Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Cdpjlb32.exe (PID 1624): Executes dropped EXE; Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Fneggdhg.exe (PID 4560): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Fimhjl32.exe (PID 1560): Executes dropped EXE; Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Fpimlfke.exe (PID 3100): Executes dropped EXE; Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Fpkibf32.exe (PID 2364): Executes dropped EXE; Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Gifkpknp.exe (PID 1556): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
24. C:\Windows\SysWOW64\Gpbpbecj.exe (PID 1728): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
25. C:\Windows\SysWOW64\Gimqajgh.exe (PID 4376): Executes dropped EXE
26. C:\Windows\SysWOW64\Hbhboolf.exe (PID 2244): Executes dropped EXE
27. C:\Windows\SysWOW64\Hmpcbhji.exe (PID 4336): Executes dropped EXE
28. C:\Windows\SysWOW64\Hfjdqmng.exe (PID 3608): Executes dropped EXE; Drops file in System32 directory
29. C:\Windows\SysWOW64\Imgicgca.exe (PID 572): Executes dropped EXE
30. C:\Windows\SysWOW64\Illfdc32.exe (PID 3692): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
31. C:\Windows\SysWOW64\Ilnbicff.exe (PID 4996): Executes dropped EXE
32. C:\Windows\SysWOW64\Iplkpa32.exe (PID 2316): Executes dropped EXE; Drops file in System32 directory
33. C:\Windows\SysWOW64\Joahqn32.exe (PID 684): Executes dropped EXE; Modifies registry class
34. C:\Windows\SysWOW64\Jpaekqhh.exe (PID 4268): Executes dropped EXE
35. C:\Windows\SysWOW64\Jlgepanl.exe (PID 5080): Executes dropped EXE
36. C:\Windows\SysWOW64\Jepjhg32.exe (PID 3712): Executes dropped EXE
37. C:\Windows\SysWOW64\Jcdjbk32.exe (PID 2788): Executes dropped EXE
38. C:\Windows\SysWOW64\Keimof32.exe (PID 1184): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
39. C:\Windows\SysWOW64\Kpanan32.exe (PID 3900): Executes dropped EXE; Modifies registry class
40. C:\Windows\SysWOW64\Knenkbio.exe (PID 1912): Executes dropped EXE
41. C:\Windows\SysWOW64\Kgnbdh32.exe (PID 3080): Executes dropped EXE; Modifies registry class
42. C:\Windows\SysWOW64\Lfbped32.exe (PID 1256): Executes dropped EXE; Drops file in System32 directory
43. C:\Windows\SysWOW64\Lqkqhm32.exe (PID 2356): Executes dropped EXE; Drops file in System32 directory
44. C:\Windows\SysWOW64\Lckiihok.exe (PID 3192): Executes dropped EXE
45. C:\Windows\SysWOW64\Ljhnlb32.exe (PID 4696): Executes dropped EXE
46. C:\Windows\SysWOW64\Mmhgmmbf.exe (PID 2032): Executes dropped EXE; Drops file in System32 directory
47. C:\Windows\SysWOW64\Moipoh32.exe (PID 2972): Executes dropped EXE; Modifies registry class
48. C:\Windows\SysWOW64\Mnmmboed.exe (PID 2292): Executes dropped EXE; Modifies registry class
49. C:\Windows\SysWOW64\Nnojho32.exe (PID 1900): Executes dropped EXE
50. C:\Windows\SysWOW64\Nflkbanj.exe (PID 788): Executes dropped EXE
51. C:\Windows\SysWOW64\Nmipdk32.exe (PID 4168): Executes dropped EXE
52. C:\Windows\SysWOW64\Onkidm32.exe (PID 3744): Executes dropped EXE
53. C:\Windows\SysWOW64\Ocjoadei.exe (PID 3968): Executes dropped EXE
54. C:\Windows\SysWOW64\Onapdl32.exe (PID 3284): Executes dropped EXE; Drops file in System32 directory
55. C:\Windows\SysWOW64\Omgmeigd.exe (PID 4820): Executes dropped EXE
56. C:\Windows\SysWOW64\Pnfiplog.exe (PID 1272): Executes dropped EXE; Modifies registry class
57. C:\Windows\SysWOW64\Pnifekmd.exe (PID 2416): Executes dropped EXE
58. C:\Windows\SysWOW64\Ppjbmc32.exe (PID 4512): Executes dropped EXE
59. C:\Windows\SysWOW64\Pplobcpp.exe (PID 2072): Executes dropped EXE
60. C:\Windows\SysWOW64\Pfiddm32.exe (PID 4468): Executes dropped EXE; Modifies registry class
61. C:\Windows\SysWOW64\Qhhpop32.exe (PID 4860): Executes dropped EXE
62. C:\Windows\SysWOW64\Qfmmplad.exe (PID 2340): Executes dropped EXE
63. C:\Windows\SysWOW64\Aogbfi32.exe (PID 3628): Executes dropped EXE
64. C:\Windows\SysWOW64\Ahofoogd.exe (PID 1536): Executes dropped EXE
65. C:\Windows\SysWOW64\Adfgdpmi.exe (PID 1548): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
66. C:\Windows\SysWOW64\Aonhghjl.exe (PID 2428): Drops file in System32 directory
67. C:\Windows\SysWOW64\Amcehdod.exe (PID 2828)
68. C:\Windows\SysWOW64\Bgnffj32.exe (PID 3864)
69. C:\Windows\SysWOW64\Bmjkic32.exe (PID 4132): Drops file in System32 directory
70. C:\Windows\SysWOW64\Bpkdjofm.exe (PID 4592)
71. C:\Windows\SysWOW64\Chdialdl.exe (PID 1060)
72. C:\Windows\SysWOW64\Cdkifmjq.exe (PID 1188): Drops file in System32 directory
73. C:\Windows\SysWOW64\Chiblk32.exe (PID 3024): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
74. C:\Windows\SysWOW64\Dafppp32.exe (PID 4596)
75. C:\Windows\SysWOW64\Egohdegl.exe (PID 3016): Modifies registry class
76. C:\Windows\SysWOW64\Eklajcmc.exe (PID 444)
77. C:\Windows\SysWOW64\Egcaod32.exe (PID 5128)
78. C:\Windows\SysWOW64\Enpfan32.exe (PID 5172)
79. C:\Windows\SysWOW64\Ekcgkb32.exe (PID 5216): Adds autorun key to be loaded by Explorer.exe on startup
80. C:\Windows\SysWOW64\Foapaa32.exe (PID 5264)
81. C:\Windows\SysWOW64\Fqgedh32.exe (PID 5308)
82. C:\Windows\SysWOW64\Feenjgfq.exe (PID 5352): Modifies registry class
83. C:\Windows\SysWOW64\Gicgpelg.exe (PID 5396): Drops file in System32 directory
84. C:\Windows\SysWOW64\Gejhef32.exe (PID 5440)
85. C:\Windows\SysWOW64\Geldkfpi.exe (PID 5492)
86. C:\Windows\SysWOW64\Gacepg32.exe (PID 5536)
87. C:\Windows\SysWOW64\Gngeik32.exe (PID 5580): Drops file in System32 directory
88. C:\Windows\SysWOW64\Hpfbcn32.exe (PID 5624)
89. C:\Windows\SysWOW64\Hpioin32.exe (PID 5668): Drops file in System32 directory
90. C:\Windows\SysWOW64\Hhdcmp32.exe (PID 5712)
91. C:\Windows\SysWOW64\Hehdfdek.exe (PID 5756)
92. C:\Windows\SysWOW64\Hejqldci.exe (PID 5800)
93. C:\Windows\SysWOW64\Hbnaeh32.exe (PID 5844)
94. C:\Windows\SysWOW64\Ipbaol32.exe (PID 5888)
95. C:\Windows\SysWOW64\Ihmfco32.exe (PID 5932): Drops file in System32 directory
96. C:\Windows\SysWOW64\Ihpcinld.exe (PID 5976): Adds autorun key to be loaded by Explorer.exe on startup
97. C:\Windows\SysWOW64\Iiopca32.exe (PID 6024): Drops file in System32 directory; Modifies registry class
98. C:\Windows\SysWOW64\Iolhkh32.exe (PID 6068)
99. C:\Windows\SysWOW64\Ipkdek32.exe (PID 6112)
100. C:\Windows\SysWOW64\Jpnakk32.exe (PID 1932)
101. C:\Windows\SysWOW64\Jhkbdmbg.exe (PID 5204)
102. C:\Windows\SysWOW64\Jadgnb32.exe (PID 5284): Drops file in System32 directory
103. C:\Windows\SysWOW64\Jbccge32.exe (PID 5344)
104. C:\Windows\SysWOW64\Jahqiaeb.exe (PID 5412)
105. C:\Windows\SysWOW64\Kbhmbdle.exe (PID 5516)
106. C:\Windows\SysWOW64\Klpakj32.exe (PID 5620): Modifies registry class
107. C:\Windows\SysWOW64\Kpnjah32.exe (PID 5700): Modifies registry class
108. C:\Windows\SysWOW64\Kpqggh32.exe (PID 5768)
109. C:\Windows\SysWOW64\Klggli32.exe (PID 5840)
110. C:\Windows\SysWOW64\Lafmjp32.exe (PID 5908)
111. C:\Windows\SysWOW64\Ljpaqmgb.exe (PID 5972): Modifies registry class
112. C:\Windows\SysWOW64\Lchfib32.exe (PID 6056): Adds autorun key to be loaded by Explorer.exe on startup
113. C:\Windows\SysWOW64\Lancko32.exe (PID 6104)
114. C:\Windows\SysWOW64\Llcghg32.exe (PID 6140)
115. C:\Windows\SysWOW64\Mfkkqmiq.exe (PID 880)
116. C:\Windows\SysWOW64\Modpib32.exe (PID 5252): Modifies registry class
117. C:\Windows\SysWOW64\Mhldbh32.exe (PID 5384)
118. C:\Windows\SysWOW64\Mfpell32.exe (PID 5488): Adds autorun key to be loaded by Explorer.exe on startup
119. C:\Windows\SysWOW64\Mfbaalbi.exe (PID 5688): Modifies registry class
120. C:\Windows\SysWOW64\Mjpjgj32.exe (PID 5784): Adds autorun key to be loaded by Explorer.exe on startup
121. C:\Windows\SysWOW64\Momcpa32.exe (PID 5968)
122. C:\Windows\SysWOW64\Njbgmjgl.exe (PID 6108): Drops file in System32 directory
123. C:\Windows\SysWOW64\Nckkfp32.exe (PID 1836): Drops file in System32 directory
124. C:\Windows\SysWOW64\Nhhdnf32.exe (PID 5228)
125. C:\Windows\SysWOW64\Nfldgk32.exe (PID 5576): Drops file in System32 directory
126. C:\Windows\SysWOW64\Nodiqp32.exe (PID 5812)
127. C:\Windows\SysWOW64\Nimmifgo.exe (PID 6096): Adds autorun key to be loaded by Explorer.exe on startup
128. C:\Windows\SysWOW64\Nofefp32.exe (PID 5484)
129. C:\Windows\SysWOW64\Nmjfodne.exe (PID 5928)
130. C:\Windows\SysWOW64\Obgohklm.exe (PID 5500)
131. C:\Windows\SysWOW64\Ommceclc.exe (PID 5956)
132. C:\Windows\SysWOW64\Ofegni32.exe (PID 5720)
133. C:\Windows\SysWOW64\Oonlfo32.exe (PID 6164)
134. C:\Windows\SysWOW64\Omalpc32.exe (PID 6228)
135. C:\Windows\SysWOW64\Oflmnh32.exe (PID 6272): Modifies registry class
136. C:\Windows\SysWOW64\Padnaq32.exe (PID 6316): Drops file in System32 directory
137. C:\Windows\SysWOW64\Pbhgoh32.exe (PID 6360): Drops file in System32 directory; Modifies registry class
138. C:\Windows\SysWOW64\Pbjddh32.exe (PID 6404): Adds autorun key to be loaded by Explorer.exe on startup
139. C:\Windows\SysWOW64\Pakdbp32.exe (PID 6448): Modifies registry class
140. C:\Windows\SysWOW64\Pmbegqjk.exe (PID 6492)
141. C:\Windows\SysWOW64\Qjffpe32.exe (PID 6536)
142. C:\Windows\SysWOW64\Qjhbfd32.exe (PID 6580): Modifies registry class
143. C:\Windows\SysWOW64\Afockelf.exe (PID 6624)
144. C:\Windows\SysWOW64\Amikgpcc.exe (PID 6684)
145. C:\Windows\SysWOW64\Aiplmq32.exe (PID 6728)
146. C:\Windows\SysWOW64\Aaiqcnhg.exe (PID 6772)
147. C:\Windows\SysWOW64\Aalmimfd.exe (PID 6816): Adds autorun key to be loaded by Explorer.exe on startup
148. C:\Windows\SysWOW64\Bmbnnn32.exe (PID 6860)
149. C:\Windows\SysWOW64\Bmdkcnie.exe (PID 6908)
150. C:\Windows\SysWOW64\Bjhkmbho.exe (PID 6952): Modifies registry class
151. C:\Windows\SysWOW64\Bfolacnc.exe (PID 7004)
152. C:\Windows\SysWOW64\Bphqji32.exe (PID 7052): Modifies registry class
153. C:\Windows\SysWOW64\Bipecnkd.exe (PID 7120): Modifies registry class
154. C:\Windows\SysWOW64\Cibain32.exe (PID 5368): Adds autorun key to be loaded by Explorer.exe on startup
155. C:\Windows\SysWOW64\Cgiohbfi.exe (PID 6236)
156. C:\Windows\SysWOW64\Cmedjl32.exe (PID 6308)
157. C:\Windows\SysWOW64\Dgpeha32.exe (PID 6380)
158. C:\Windows\SysWOW64\Dpjfgf32.exe (PID 6456)
159. C:\Windows\SysWOW64\Dalofi32.exe (PID 6528)
160. C:\Windows\SysWOW64\Dcphdqmj.exe (PID 6588): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
161. C:\Windows\SysWOW64\Enhifi32.exe (PID 6676): Drops file in System32 directory
162. C:\Windows\SysWOW64\Eddnic32.exe (PID 6748)
163. C:\Windows\SysWOW64\Eqkondfl.exe (PID 6812)
164. C:\Windows\SysWOW64\Fkcpql32.exe (PID 6892): Adds autorun key to be loaded by Explorer.exe on startup
165. C:\Windows\SysWOW64\Fboecfii.exe (PID 6976): Modifies registry class
166. C:\Windows\SysWOW64\Fkjfakng.exe (PID 7044)
167. C:\Windows\SysWOW64\Fklcgk32.exe (PID 7136)
168. C:\Windows\SysWOW64\Gjaphgpl.exe (PID 6224)
169. C:\Windows\SysWOW64\Ggepalof.exe (PID 6344)
170. C:\Windows\SysWOW64\Gkcigjel.exe (PID 6420)
171. C:\Windows\SysWOW64\Gcnnllcg.exe (PID 6568): Adds autorun key to be loaded by Explorer.exe on startup
172. C:\Windows\SysWOW64\Gdnjfojj.exe (PID 6712)
173. C:\Windows\SysWOW64\Gnfooe32.exe (PID 6844)
174. C:\Windows\SysWOW64\Hgocgjgk.exe (PID 7064)
175. C:\Windows\SysWOW64\Hbfdjc32.exe (PID 6148)
176. C:\Windows\SysWOW64\Hkohchko.exe (PID 6292)
177. C:\Windows\SysWOW64\Hcjmhk32.exe (PID 6532)
178. C:\Windows\SysWOW64\Iapjgo32.exe (PID 6804)
179. C:\Windows\SysWOW64\Iabglnco.exe (PID 6996)
180. C:\Windows\SysWOW64\Ibbcfa32.exe (PID 6348): Drops file in System32 directory
181. C:\Windows\SysWOW64\Inidkb32.exe (PID 6760): Adds autorun key to be loaded by Explorer.exe on startup
182. C:\Windows\SysWOW64\Icfmci32.exe (PID 6396)
183. C:\Windows\SysWOW64\Inkaqb32.exe (PID 6176)
184. C:\Windows\SysWOW64\Ijbbfc32.exe (PID 7176): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
185. C:\Windows\SysWOW64\Jdjfohjg.exe (PID 7228): Adds autorun key to be loaded by Explorer.exe on startup
186. C:\Windows\SysWOW64\Jdalog32.exe (PID 7272)
187. C:\Windows\SysWOW64\Jhoeef32.exe (PID 7316)
188. C:\Windows\SysWOW64\Klmnkdal.exe (PID 7360)
189. C:\Windows\SysWOW64\Klpjad32.exe (PID 7404)
190. C:\Windows\SysWOW64\Kalcik32.exe (PID 7448): Modifies registry class
191. C:\Windows\SysWOW64\Kejloi32.exe (PID 7500)
192. C:\Windows\SysWOW64\Kdpiqehp.exe (PID 7544): Adds autorun key to be loaded by Explorer.exe on startup
193. C:\Windows\SysWOW64\Lbqinm32.exe (PID 7604)
194. C:\Windows\SysWOW64\Ldbefe32.exe (PID 7648): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
195. C:\Windows\SysWOW64\Leabphmp.exe (PID 7700): Adds autorun key to be loaded by Explorer.exe on startup
196. C:\Windows\SysWOW64\Lojfin32.exe (PID 7752): Adds autorun key to be loaded by Explorer.exe on startup
197. C:\Windows\SysWOW64\Ldfoad32.exe (PID 7796): Drops file in System32 directory
198. C:\Windows\SysWOW64\Lkqgno32.exe (PID 7840): Modifies registry class
199. C:\Windows\SysWOW64\Lefkkg32.exe (PID 7888)
200. C:\Windows\SysWOW64\Ldkhlcnb.exe (PID 7932): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory; Modifies registry class
201. C:\Windows\SysWOW64\Mclhjkfa.exe (PID 7976): Drops file in System32 directory
202. C:\Windows\SysWOW64\Mcoepkdo.exe (PID 8020): Modifies registry class
203. C:\Windows\SysWOW64\Mkjjdmaj.exe (PID 8068)
204. C:\Windows\SysWOW64\Mdbnmbhj.exe (PID 8108): Drops file in System32 directory
205. C:\Windows\SysWOW64\Mafofggd.exe (PID 8152)
206. C:\Windows\SysWOW64\Mcfkpjng.exe (PID 6160)
207. C:\Windows\SysWOW64\Nomlek32.exe (PID 7256)
208. C:\Windows\SysWOW64\Nkcmjlio.exe (PID 7328): Drops file in System32 directory
209. C:\Windows\SysWOW64\Ndlacapp.exe (PID 7392): Adds autorun key to be loaded by Explorer.exe on startup
210. C:\Windows\SysWOW64\Ncmaai32.exe (PID 7480): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
211. C:\Windows\SysWOW64\Nhjjip32.exe (PID 7556)
212. C:\Windows\SysWOW64\Nhlfoodc.exe (PID 7584)
213. C:\Windows\SysWOW64\Ncaklhdi.exe (PID 7672)
214. C:\Windows\SysWOW64\Ofbdncaj.exe (PID 7768): Adds autorun key to be loaded by Explorer.exe on startup
215. C:\Windows\SysWOW64\Ohcmpn32.exe (PID 7836)
216. C:\Windows\SysWOW64\Odjmdocp.exe (PID 7916): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
217. C:\Windows\SysWOW64\Ocmjhfjl.exe (PID 7968)
218. C:\Windows\SysWOW64\Pfncia32.exe (PID 8040)
219. C:\Windows\SysWOW64\Pcbdcf32.exe (PID 8100): Adds autorun key to be loaded by Explorer.exe on startup
220. C:\Windows\SysWOW64\Pmjhlklg.exe (PID 6988)
221. C:\Windows\SysWOW64\Pcdqhecd.exe (PID 7280)
222. C:\Windows\SysWOW64\Pokanf32.exe (PID 7400): Modifies registry class
223. C:\Windows\SysWOW64\Abpcja32.exe (PID 4896): Drops file in System32 directory; Modifies registry class
224. C:\Windows\SysWOW64\Apgqie32.exe (PID 7536)
225. C:\Windows\SysWOW64\Aecialmb.exe (PID 4956)
226. C:\Windows\SysWOW64\Apimodmh.exe (PID 7656): Modifies registry class
227. C:\Windows\SysWOW64\Aeffgkkp.exe (PID 7808)
228. C:\Windows\SysWOW64\Aidomjaf.exe (PID 7928): Adds autorun key to be loaded by Explorer.exe on startup
229. C:\Windows\SysWOW64\Bifkcioc.exe (PID 8028)
230. C:\Windows\SysWOW64\Bihhhi32.exe (PID 8116): Modifies registry class
231. C:\Windows\SysWOW64\Bpbpecen.exe (PID 7208)
232. C:\Windows\SysWOW64\Bbcignbo.exe (PID 7396)
233. C:\Windows\SysWOW64\Bcbeqaia.exe (PID 5392): Drops file in System32 directory
234. C:\Windows\SysWOW64\Bipnihgi.exe (PID 564): Modifies registry class
235. C:\Windows\SysWOW64\Cmmgof32.exe (PID 2568)
236. C:\Windows\SysWOW64\Cffkhl32.exe (PID 7568): Drops file in System32 directory
237. C:\Windows\SysWOW64\Clbdpc32.exe (PID 7640): Drops file in System32 directory
238. C:\Windows\SysWOW64\Cleqfb32.exe (PID 980): Adds autorun key to be loaded by Explorer.exe on startup
239. C:\Windows\SysWOW64\Cfjeckpj.exe (PID 3916)
240. C:\Windows\SysWOW64\Cpcila32.exe (PID 7988): Modifies registry class
241. C:\Windows\SysWOW64\Cepadh32.exe (PID 8092)
242. C:\Windows\SysWOW64\Dpefaq32.exe (PID 1016): Adds autorun key to be loaded by Explorer.exe on startup