Analysis
max time kernel: 120s
max time network: 125s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 21-05-2024 13:11

Behavioral task: behavioral1
Sample: 525353e79a90fcf415e5f47e7b2c35e8644f490472c27cb958c2a7e8d18771db_NeikiAnalytics.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 525353e79a90fcf415e5f47e7b2c35e8644f490472c27cb958c2a7e8d18771db_NeikiAnalytics.exe
Resource: win10v2004-20240508-en

General
Target: 525353e79a90fcf415e5f47e7b2c35e8644f490472c27cb958c2a7e8d18771db_NeikiAnalytics.exe
Size: 256KB
MD5: 34deb99939b9d8882fded7cfac2b71b0
SHA1: a1c1679243140b0349fe0c0e447959359780be8f
SHA256: 525353e79a90fcf415e5f47e7b2c35e8644f490472c27cb958c2a7e8d18771db
SHA512: 53acc452456eab2e34aad8ec3ca1af26ec7cdda307997ae7cbf641e7dcb95515922a17f63d935ff830f2472284beb7f1c6aadc8b9a6075dd8fc19f7c70aa54f9
SSDEEP: 6144:3xKxWIjlpmmxieQbWGRdA6sQc/Yp7TVX3J/1awbWGRdA6sQc/YRU:hKUOlpJxifbWGRdA6sQhPbWGRdA6sQxU
Malware Config

Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan with the capability to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 3592, pid_target: 3556, Process: WerFault.exe, procid_target: 242
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\525353e79a90fcf415e5f47e7b2c35e8644f490472c27cb958c2a7e8d18771db_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\525353e79a90fcf415e5f47e7b2c35e8644f490472c27cb958c2a7e8d18771db_NeikiAnalytics.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Windows\SysWOW64\Lahmbo32.exeC:\Windows\system32\Lahmbo32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Mhgoji32.exeC:\Windows\system32\Mhgoji32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Mhilph32.exeC:\Windows\system32\Mhilph32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Nhdocl32.exeC:\Windows\system32\Nhdocl32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Namclbil.exeC:\Windows\system32\Namclbil.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Noemqe32.exeC:\Windows\system32\Noemqe32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Ogqaehak.exeC:\Windows\system32\Ogqaehak.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1012 -
C:\Windows\SysWOW64\Opnpimdf.exeC:\Windows\system32\Opnpimdf.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Windows\SysWOW64\Poeipifl.exeC:\Windows\system32\Poeipifl.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:904 -
C:\Windows\SysWOW64\Pkofjijm.exeC:\Windows\system32\Pkofjijm.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Pdldnomh.exeC:\Windows\system32\Pdldnomh.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\SysWOW64\Qmgibqjc.exeC:\Windows\system32\Qmgibqjc.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\SysWOW64\Aojojl32.exeC:\Windows\system32\Aojojl32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1180 -
C:\Windows\SysWOW64\Acqnnndl.exeC:\Windows\system32\Acqnnndl.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\Bjmbqhif.exeC:\Windows\system32\Bjmbqhif.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1196 -
C:\Windows\SysWOW64\Bjallg32.exeC:\Windows\system32\Bjallg32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:324 -
C:\Windows\SysWOW64\Bncaekhp.exeC:\Windows\system32\Bncaekhp.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:548 -
C:\Windows\SysWOW64\Cikbhc32.exeC:\Windows\system32\Cikbhc32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:912 -
C:\Windows\SysWOW64\Cdecha32.exeC:\Windows\system32\Cdecha32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1848 -
C:\Windows\SysWOW64\Comdkipe.exeC:\Windows\system32\Comdkipe.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1812 -
C:\Windows\SysWOW64\Debplg32.exeC:\Windows\system32\Debplg32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2972 -
C:\Windows\SysWOW64\Dhbhmb32.exeC:\Windows\system32\Dhbhmb32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1620 -
C:\Windows\SysWOW64\Eoompl32.exeC:\Windows\system32\Eoompl32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1516 -
C:\Windows\SysWOW64\Eoajel32.exeC:\Windows\system32\Eoajel32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2028 -
C:\Windows\SysWOW64\Eabcggll.exeC:\Windows\system32\Eabcggll.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2036 -
C:\Windows\SysWOW64\Eniclh32.exeC:\Windows\system32\Eniclh32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1872 -
C:\Windows\SysWOW64\Flqmbd32.exeC:\Windows\system32\Flqmbd32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3004 -
C:\Windows\SysWOW64\Fbmfkkbm.exeC:\Windows\system32\Fbmfkkbm.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2248 -
C:\Windows\SysWOW64\Ffkoai32.exeC:\Windows\system32\Ffkoai32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2540 -
C:\Windows\SysWOW64\Fbdlkj32.exeC:\Windows\system32\Fbdlkj32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2656 -
C:\Windows\SysWOW64\Fgadda32.exeC:\Windows\system32\Fgadda32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2756 -
C:\Windows\SysWOW64\Gmpjagfa.exeC:\Windows\system32\Gmpjagfa.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2392 -
C:\Windows\SysWOW64\Gqnbhf32.exeC:\Windows\system32\Gqnbhf32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2460 -
C:\Windows\SysWOW64\Gljpncgc.exeC:\Windows\system32\Gljpncgc.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1484 -
C:\Windows\SysWOW64\Hfpdkl32.exeC:\Windows\system32\Hfpdkl32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2348 -
C:\Windows\SysWOW64\Hipmmg32.exeC:\Windows\system32\Hipmmg32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1272 -
C:\Windows\SysWOW64\Hhejnc32.exeC:\Windows\system32\Hhejnc32.exe38⤵
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Hdlkcdog.exeC:\Windows\system32\Hdlkcdog.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:292 -
C:\Windows\SysWOW64\Helgmg32.exeC:\Windows\system32\Helgmg32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Ifoqjo32.exeC:\Windows\system32\Ifoqjo32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:2312 -
C:\Windows\SysWOW64\Ifampo32.exeC:\Windows\system32\Ifampo32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:824 -
C:\Windows\SysWOW64\Idfnicfl.exeC:\Windows\system32\Idfnicfl.exe43⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Imnbbi32.exeC:\Windows\system32\Imnbbi32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2284 -
C:\Windows\SysWOW64\Ifffkncm.exeC:\Windows\system32\Ifffkncm.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:672 -
C:\Windows\SysWOW64\Iapgkl32.exeC:\Windows\system32\Iapgkl32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:2060 -
C:\Windows\SysWOW64\Jkhldafl.exeC:\Windows\system32\Jkhldafl.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3056 -
C:\Windows\SysWOW64\Jlhhndno.exeC:\Windows\system32\Jlhhndno.exe48⤵
- Executes dropped EXE
PID:800 -
C:\Windows\SysWOW64\Jniefm32.exeC:\Windows\system32\Jniefm32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:976 -
C:\Windows\SysWOW64\Joiappkp.exeC:\Windows\system32\Joiappkp.exe50⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Jpjngh32.exeC:\Windows\system32\Jpjngh32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:896 -
C:\Windows\SysWOW64\Jjbbpmgo.exeC:\Windows\system32\Jjbbpmgo.exe52⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Jdhgnf32.exeC:\Windows\system32\Jdhgnf32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Jnpkflne.exeC:\Windows\system32\Jnpkflne.exe54⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Kghpoa32.exeC:\Windows\system32\Kghpoa32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Kpadhg32.exeC:\Windows\system32\Kpadhg32.exe56⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Klhemhpk.exeC:\Windows\system32\Klhemhpk.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2660 -
C:\Windows\SysWOW64\Kljabgnh.exeC:\Windows\system32\Kljabgnh.exe58⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Kkoncdcp.exeC:\Windows\system32\Kkoncdcp.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2640 -
C:\Windows\SysWOW64\Khcomhbi.exeC:\Windows\system32\Khcomhbi.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Lhelbh32.exeC:\Windows\system32\Lhelbh32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2376 -
C:\Windows\SysWOW64\Lcomce32.exeC:\Windows\system32\Lcomce32.exe62⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Ldoimh32.exeC:\Windows\system32\Ldoimh32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1092 -
C:\Windows\SysWOW64\Lmjnak32.exeC:\Windows\system32\Lmjnak32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2572 -
C:\Windows\SysWOW64\Lfbbjpgd.exeC:\Windows\system32\Lfbbjpgd.exe65⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Nhakcfab.exeC:\Windows\system32\Nhakcfab.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1656 -
C:\Windows\SysWOW64\Ndhlhg32.exeC:\Windows\system32\Ndhlhg32.exe67⤵
- Drops file in System32 directory
PID:2728 -
C:\Windows\SysWOW64\Nlfmbibo.exeC:\Windows\system32\Nlfmbibo.exe68⤵
- Drops file in System32 directory
PID:2996 -
C:\Windows\SysWOW64\Ndmecgba.exeC:\Windows\system32\Ndmecgba.exe69⤵
- Modifies registry class
PID:3060 -
C:\Windows\SysWOW64\Nmejllia.exeC:\Windows\system32\Nmejllia.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1564 -
C:\Windows\SysWOW64\Npdfhhhe.exeC:\Windows\system32\Npdfhhhe.exe71⤵PID:2136
-
C:\Windows\SysWOW64\Opfbngfb.exeC:\Windows\system32\Opfbngfb.exe72⤵PID:320
-
C:\Windows\SysWOW64\Oeckfndj.exeC:\Windows\system32\Oeckfndj.exe73⤵PID:2892
-
C:\Windows\SysWOW64\Ookpodkj.exeC:\Windows\system32\Ookpodkj.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2812 -
C:\Windows\SysWOW64\Omqlpp32.exeC:\Windows\system32\Omqlpp32.exe75⤵PID:2084
-
C:\Windows\SysWOW64\Ohfqmi32.exeC:\Windows\system32\Ohfqmi32.exe76⤵
- Drops file in System32 directory
PID:2888 -
C:\Windows\SysWOW64\Oanefo32.exeC:\Windows\system32\Oanefo32.exe77⤵PID:2608
-
C:\Windows\SysWOW64\Okgjodmi.exeC:\Windows\system32\Okgjodmi.exe78⤵PID:2732
-
C:\Windows\SysWOW64\Pdonhj32.exeC:\Windows\system32\Pdonhj32.exe79⤵
- Modifies registry class
PID:2396 -
C:\Windows\SysWOW64\Pecgea32.exeC:\Windows\system32\Pecgea32.exe80⤵
- Drops file in System32 directory
PID:1476 -
C:\Windows\SysWOW64\Pcghof32.exeC:\Windows\system32\Pcghof32.exe81⤵PID:2224
-
C:\Windows\SysWOW64\Plolgk32.exeC:\Windows\system32\Plolgk32.exe82⤵
- Drops file in System32 directory
PID:1080 -
C:\Windows\SysWOW64\Plaimk32.exeC:\Windows\system32\Plaimk32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2700 -
C:\Windows\SysWOW64\Qobbofgn.exeC:\Windows\system32\Qobbofgn.exe84⤵PID:1904
-
C:\Windows\SysWOW64\Qkibcg32.exeC:\Windows\system32\Qkibcg32.exe85⤵
- Modifies registry class
PID:2220 -
C:\Windows\SysWOW64\Qhmcmk32.exeC:\Windows\system32\Qhmcmk32.exe86⤵PID:2780
-
C:\Windows\SysWOW64\Akkoig32.exeC:\Windows\system32\Akkoig32.exe87⤵
- Drops file in System32 directory
PID:1940 -
C:\Windows\SysWOW64\Agbpnh32.exeC:\Windows\system32\Agbpnh32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2020 -
C:\Windows\SysWOW64\Aqjdgmgd.exeC:\Windows\system32\Aqjdgmgd.exe89⤵PID:2332
-
C:\Windows\SysWOW64\Agdmdg32.exeC:\Windows\system32\Agdmdg32.exe90⤵PID:1968
-
C:\Windows\SysWOW64\Aqmamm32.exeC:\Windows\system32\Aqmamm32.exe91⤵PID:2808
-
C:\Windows\SysWOW64\Afjjed32.exeC:\Windows\system32\Afjjed32.exe92⤵PID:1960
-
C:\Windows\SysWOW64\Aobnniji.exeC:\Windows\system32\Aobnniji.exe93⤵
- Modifies registry class
PID:2864 -
C:\Windows\SysWOW64\Ajgbkbjp.exeC:\Windows\system32\Ajgbkbjp.exe94⤵PID:1584
-
C:\Windows\SysWOW64\Bcpgdhpp.exeC:\Windows\system32\Bcpgdhpp.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2616 -
C:\Windows\SysWOW64\Bkklhjnk.exeC:\Windows\system32\Bkklhjnk.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2588 -
C:\Windows\SysWOW64\Bbeded32.exeC:\Windows\system32\Bbeded32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2664 -
C:\Windows\SysWOW64\Bkmhnjlh.exeC:\Windows\system32\Bkmhnjlh.exe98⤵PID:2844
-
C:\Windows\SysWOW64\Bajqfq32.exeC:\Windows\system32\Bajqfq32.exe99⤵
- Drops file in System32 directory
PID:2292 -
C:\Windows\SysWOW64\Bnnaoe32.exeC:\Windows\system32\Bnnaoe32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2008 -
C:\Windows\SysWOW64\Bgffhkoj.exeC:\Windows\system32\Bgffhkoj.exe101⤵PID:1756
-
C:\Windows\SysWOW64\Bnqned32.exeC:\Windows\system32\Bnqned32.exe102⤵
- Drops file in System32 directory
PID:1296 -
C:\Windows\SysWOW64\Bcmfmlen.exeC:\Windows\system32\Bcmfmlen.exe103⤵
- Modifies registry class
PID:1636 -
C:\Windows\SysWOW64\Caaggpdh.exeC:\Windows\system32\Caaggpdh.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2976 -
C:\Windows\SysWOW64\Cjjkpe32.exeC:\Windows\system32\Cjjkpe32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:596 -
C:\Windows\SysWOW64\Ccbphk32.exeC:\Windows\system32\Ccbphk32.exe106⤵PID:2328
-
C:\Windows\SysWOW64\Cpiqmlfm.exeC:\Windows\system32\Cpiqmlfm.exe107⤵
- Modifies registry class
PID:2068 -
C:\Windows\SysWOW64\Cmmagpef.exeC:\Windows\system32\Cmmagpef.exe108⤵
- Drops file in System32 directory
PID:2000 -
C:\Windows\SysWOW64\Cfeepelg.exeC:\Windows\system32\Cfeepelg.exe109⤵PID:1952
-
C:\Windows\SysWOW64\Chfbgn32.exeC:\Windows\system32\Chfbgn32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1600 -
C:\Windows\SysWOW64\Daofpchf.exeC:\Windows\system32\Daofpchf.exe111⤵PID:2576
-
C:\Windows\SysWOW64\Dhiomn32.exeC:\Windows\system32\Dhiomn32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2432 -
C:\Windows\SysWOW64\Dkigoimd.exeC:\Windows\system32\Dkigoimd.exe113⤵PID:2876
-
C:\Windows\SysWOW64\Dfphcj32.exeC:\Windows\system32\Dfphcj32.exe114⤵PID:840
-
C:\Windows\SysWOW64\Dogpdg32.exeC:\Windows\system32\Dogpdg32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2496 -
C:\Windows\SysWOW64\Dphmloih.exeC:\Windows\system32\Dphmloih.exe116⤵
- Drops file in System32 directory
PID:2716 -
C:\Windows\SysWOW64\Dknajh32.exeC:\Windows\system32\Dknajh32.exe117⤵
- Modifies registry class
PID:1308 -
C:\Windows\SysWOW64\Dpkibo32.exeC:\Windows\system32\Dpkibo32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2260 -
C:\Windows\SysWOW64\Dicnkdnf.exeC:\Windows\system32\Dicnkdnf.exe119⤵PID:400
-
C:\Windows\SysWOW64\Edibhmml.exeC:\Windows\system32\Edibhmml.exe120⤵
- Modifies registry class
PID:1380 -
C:\Windows\SysWOW64\Eppcmncq.exeC:\Windows\system32\Eppcmncq.exe121⤵PID:608
-
C:\Windows\SysWOW64\Eelkeeah.exeC:\Windows\system32\Eelkeeah.exe122⤵PID:2548