Analysis
-
max time kernel
106s -
max time network
132s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
30-05-2024 23:31
Behavioral task
behavioral1
Sample
6d082380b6dde79eabeb5a66b1ff6910_NeikiAnalytics.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
6d082380b6dde79eabeb5a66b1ff6910_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
6d082380b6dde79eabeb5a66b1ff6910_NeikiAnalytics.exe
-
Size
4.0MB
-
MD5
6d082380b6dde79eabeb5a66b1ff6910
-
SHA1
ddbbe0fda0790dda5796ecad00a5b12772acb174
-
SHA256
3ffa589c61079a1054abe1b180573730924d1af6213cbe5800f62d452858dfe0
-
SHA512
b68cdc657351c8d2d14bb6b7f68b7550b25d859c19778a87ca75ce5a64282c7944bde1904ba99b2bffdb65695bd38c768fb8337d31255ce353e293f61aabcebd
-
SSDEEP
98304:+6Gn9646r6HaSHFaZRBEYyqmS2DiHPKQgmZ0V:saSHFaZRBEYyqmS2DiHPKQg/
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Mepfiq32.exeDpalgenf.exeIjkled32.exeJdalog32.exeIlmedf32.exeQihoak32.exeAjanck32.exeDinmhkke.exeMiaboe32.exePhbhcmjl.exeLmmolepp.exeOmfekbdh.exeOdkjng32.exeNmdgikhi.exeIhdldn32.exeCmedjl32.exeHnpaec32.exeGphgbafl.exeDkbocbog.exePpgomnai.exeIagqgn32.exePbbgicnd.exeAmddjegd.exeJlfpdh32.exeJpcapp32.exeKcidmkpq.exeFohfbpgi.exeMjnnbk32.exeKbbhqn32.exeOhnohn32.exeCjecpkcg.exeEhlhih32.exeIbfnqmpf.exeQodeajbg.exePjjhbl32.exeLhfmdj32.exeAhfdjanb.exeEagaoh32.exePifnhpmi.exeEifhdd32.exeOcfdgg32.exePmjhlklg.exeQckfid32.exeDgejpd32.exeIknmla32.exeKiikpnmj.exeFdpnda32.exeKkbkmqed.exeJhhodg32.exeIlidbbgl.exeQgnbaj32.exeAfnnnd32.exeCbbdjm32.exePpjbmc32.exeOcbddc32.exeApeknk32.exeBkkhbb32.exeCajjjk32.exeNnlhfn32.exeElpkep32.exeMfhbga32.exeIahgad32.exeModpib32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mepfiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpalgenf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijkled32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdalog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilmedf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qihoak32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajanck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dinmhkke.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Miaboe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phbhcmjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmmolepp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omfekbdh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odkjng32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmdgikhi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihdldn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmedjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnpaec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gphgbafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkbocbog.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppgomnai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iagqgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbbgicnd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amddjegd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlfpdh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpcapp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcidmkpq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fohfbpgi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjnnbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbbhqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohnohn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjecpkcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehlhih32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibfnqmpf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qodeajbg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjjhbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhfmdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahfdjanb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eagaoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pifnhpmi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eifhdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocfdgg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmjhlklg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qckfid32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgejpd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iknmla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kiikpnmj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdpnda32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkbkmqed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhhodg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilidbbgl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgnbaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afnnnd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbbdjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibfnqmpf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppjbmc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocbddc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apeknk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkkhbb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cajjjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnlhfn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elpkep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfhbga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iahgad32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Modpib32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Processes:
resource yara_rule C:\Windows\SysWOW64\Hmioonpn.exe family_berbew C:\Windows\SysWOW64\Iffmccbi.exe family_berbew C:\Windows\SysWOW64\Ifmcdblq.exe family_berbew C:\Windows\SysWOW64\Jbocea32.exe family_berbew C:\Windows\SysWOW64\Kkihknfg.exe family_berbew C:\Windows\SysWOW64\Kpjjod32.exe family_berbew C:\Windows\SysWOW64\Ldaeka32.exe family_berbew C:\Windows\SysWOW64\Mdmegp32.exe family_berbew C:\Windows\SysWOW64\Ngedij32.exe family_berbew C:\Windows\SysWOW64\Okloegjl.exe family_berbew C:\Windows\SysWOW64\Pkaiqf32.exe family_berbew C:\Windows\SysWOW64\Qgallfcq.exe family_berbew C:\Windows\SysWOW64\Abngjnmo.exe family_berbew C:\Windows\SysWOW64\Bhdbhcck.exe family_berbew C:\Windows\SysWOW64\Bdolhc32.exe family_berbew C:\Windows\SysWOW64\Cbcilkjg.exe family_berbew C:\Windows\SysWOW64\Cbgbgj32.exe family_berbew C:\Windows\SysWOW64\Dafbne32.exe family_berbew C:\Windows\SysWOW64\Eoolbinc.exe family_berbew C:\Windows\SysWOW64\Ekemhj32.exe family_berbew C:\Windows\SysWOW64\Fhqcam32.exe family_berbew C:\Windows\SysWOW64\Fhjfhl32.exe family_berbew C:\Windows\SysWOW64\Ghaliknf.exe family_berbew C:\Windows\SysWOW64\Hcpclbfa.exe family_berbew C:\Windows\SysWOW64\Hkkhqd32.exe family_berbew C:\Windows\SysWOW64\Ilidbbgl.exe family_berbew C:\Windows\SysWOW64\Jbeidl32.exe family_berbew C:\Windows\SysWOW64\Jbjcolha.exe family_berbew C:\Windows\SysWOW64\Kpjcdn32.exe family_berbew C:\Windows\SysWOW64\Lfkaag32.exe family_berbew C:\Windows\SysWOW64\Lpcfkm32.exe family_berbew C:\Windows\SysWOW64\Mpoefk32.exe family_berbew C:\Windows\SysWOW64\Nnneknob.exe family_berbew C:\Windows\SysWOW64\Oncofm32.exe family_berbew C:\Windows\SysWOW64\Onjegled.exe family_berbew C:\Windows\SysWOW64\Pmdkch32.exe family_berbew C:\Windows\SysWOW64\Ajanck32.exe family_berbew C:\Windows\SysWOW64\Agoabn32.exe family_berbew C:\Windows\SysWOW64\Bnmcjg32.exe family_berbew C:\Windows\SysWOW64\Edknqiho.exe family_berbew C:\Windows\SysWOW64\Fddqghpd.exe family_berbew C:\Windows\SysWOW64\Folaiqng.exe family_berbew C:\Windows\SysWOW64\Gnfhfl32.exe family_berbew C:\Windows\SysWOW64\Ghpendjj.exe family_berbew C:\Windows\SysWOW64\Hakgmjoh.exe family_berbew C:\Windows\SysWOW64\Hbpphi32.exe family_berbew C:\Windows\SysWOW64\Hgoeep32.exe family_berbew C:\Windows\SysWOW64\Iigdfa32.exe family_berbew C:\Windows\SysWOW64\Jkodhk32.exe family_berbew C:\Windows\SysWOW64\Kppici32.exe family_berbew C:\Windows\SysWOW64\Klifnj32.exe family_berbew C:\Windows\SysWOW64\Knlleepl.exe family_berbew C:\Windows\SysWOW64\Lhfmdj32.exe family_berbew C:\Windows\SysWOW64\Lihfcm32.exe family_berbew C:\Windows\SysWOW64\Mlnipg32.exe family_berbew C:\Windows\SysWOW64\Mhicpg32.exe family_berbew C:\Windows\SysWOW64\Neppokal.exe family_berbew C:\Windows\SysWOW64\Nipekiep.exe family_berbew C:\Windows\SysWOW64\Ncjginjn.exe family_berbew C:\Windows\SysWOW64\Oenlqi32.exe family_berbew C:\Windows\SysWOW64\Ocdjpmac.exe family_berbew C:\Windows\SysWOW64\Qgnbaj32.exe family_berbew C:\Windows\SysWOW64\Bfqkddfd.exe family_berbew C:\Windows\SysWOW64\Cmklglpn.exe family_berbew -
Executes dropped EXE 64 IoCs
Processes:
Hmioonpn.exeIffmccbi.exeIfmcdblq.exeJbocea32.exeKkihknfg.exeKpjjod32.exeLdaeka32.exeMdmegp32.exeNgedij32.exeOkloegjl.exePkaiqf32.exeQgallfcq.exeAbngjnmo.exeBhdbhcck.exeBdolhc32.exeCbcilkjg.exeCbgbgj32.exeDafbne32.exeEoolbinc.exeEkemhj32.exeFhqcam32.exeFhjfhl32.exeGhaliknf.exeHcpclbfa.exeHkkhqd32.exeIlidbbgl.exeJbeidl32.exeJbjcolha.exeKpjcdn32.exeLfkaag32.exeLpcfkm32.exeMpoefk32.exeMdmnlj32.exeNcbknfed.exeNdaggimg.exeNnlhfn32.exeNdfqbhia.exeNnneknob.exeOdkjng32.exeOncofm32.exeOcbddc32.exeOnhhamgg.exeOcdqjceo.exeOnjegled.exeOfeilobp.exePnonbk32.exePmdkch32.exePflplnlg.exePjjhbl32.exeQmkadgpo.exeQgqeappe.exeQqijje32.exeAjanck32.exeAclpap32.exeAmddjegd.exeAfmhck32.exeAglemn32.exeAnfmjhmd.exeAgoabn32.exeBaicac32.exeBnmcjg32.exeBeihma32.exeBapiabak.exeChjaol32.exepid process 1692 Hmioonpn.exe 1036 Iffmccbi.exe 4584 Ifmcdblq.exe 3344 Jbocea32.exe 2336 Kkihknfg.exe 1904 Kpjjod32.exe 1940 Ldaeka32.exe 3084 Mdmegp32.exe 3376 Ngedij32.exe 4968 Okloegjl.exe 3408 Pkaiqf32.exe 3260 Qgallfcq.exe 924 Abngjnmo.exe 1284 Bhdbhcck.exe 1860 Bdolhc32.exe 3904 Cbcilkjg.exe 808 Cbgbgj32.exe 2876 Dafbne32.exe 3024 Eoolbinc.exe 3596 Ekemhj32.exe 5088 Fhqcam32.exe 3936 Fhjfhl32.exe 5044 Ghaliknf.exe 3400 Hcpclbfa.exe 4588 Hkkhqd32.exe 4384 Ilidbbgl.exe 5036 Jbeidl32.exe 4404 Jbjcolha.exe 1200 Kpjcdn32.exe 3888 Lfkaag32.exe 1424 Lpcfkm32.exe 3868 Mpoefk32.exe 3800 Mdmnlj32.exe 4788 Ncbknfed.exe 2296 Ndaggimg.exe 2920 Nnlhfn32.exe 1524 Ndfqbhia.exe 4768 Nnneknob.exe 2640 Odkjng32.exe 1584 Oncofm32.exe 3060 Ocbddc32.exe 3448 Onhhamgg.exe 4608 Ocdqjceo.exe 4992 Onjegled.exe 1592 Ofeilobp.exe 4652 Pnonbk32.exe 4148 Pmdkch32.exe 232 Pflplnlg.exe 2816 Pjjhbl32.exe 3432 Qmkadgpo.exe 4496 Qgqeappe.exe 2792 Qqijje32.exe 400 Ajanck32.exe 3900 Aclpap32.exe 936 Amddjegd.exe 2564 Afmhck32.exe 3040 Aglemn32.exe 4696 Anfmjhmd.exe 3064 Agoabn32.exe 3460 Baicac32.exe 3004 Bnmcjg32.exe 60 Beihma32.exe 2684 Bapiabak.exe 3820 Chjaol32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Knchpiom.exeIelfgmnj.exeNfcabp32.exeGgfglb32.exeDnqcfjae.exePkholi32.exeOcdqjceo.exePhlacbfm.exeBihjfnmm.exeIefgbh32.exeEiekog32.exeJpnakk32.exeAbjmkf32.exePkabbgol.exeAhjgjj32.exeIjegcm32.exeKjjiej32.exeLkeekk32.exeGcghkm32.exeAcokhc32.exeBkmeha32.exeFdpnda32.exeKpjcdn32.exeJedccfqg.exeIdgojc32.exeNenbjo32.exeKgkfnh32.exeBacjdbch.exeHgjljpkm.exeJleijb32.exeAbcppq32.exeBapiabak.exeCpbbch32.exeCimcan32.exePnfiplog.exeIiehpahb.exeFbcfhibj.exeHpfcdojl.exeNolgijpk.exeFnalmh32.exeJibmgi32.exeNlqloo32.exeNhgmcp32.exeHgoeep32.exeQadoba32.exeHolfoqcm.exeEjojljqa.exeMlnipg32.exePoodpmca.exeNakhaf32.exeHekgfj32.exePjlcjf32.exeFedmqk32.exeDhomfc32.exePkenjh32.exeHdmoohbo.exeCcchof32.exePmbegqjk.exeDafbne32.exeJehhaaci.exedescription ioc process File created C:\Windows\SysWOW64\Kcpahpmd.exe Knchpiom.exe File created C:\Windows\SysWOW64\Dbmoak32.dll Ielfgmnj.exe File created C:\Windows\SysWOW64\Offnhpfo.exe Nfcabp32.exe File opened for modification C:\Windows\SysWOW64\Gpolbo32.exe Ggfglb32.exe File created C:\Windows\SysWOW64\Kcpcgc32.dll Dnqcfjae.exe File opened for modification C:\Windows\SysWOW64\Pbbgicnd.exe Pkholi32.exe File opened for modification C:\Windows\SysWOW64\Onjegled.exe Ocdqjceo.exe File created C:\Windows\SysWOW64\Dkibhn32.dll Phlacbfm.exe File opened for modification C:\Windows\SysWOW64\Cpbbch32.exe Bihjfnmm.exe File created C:\Windows\SysWOW64\Hkdoio32.dll Iefgbh32.exe File opened for modification C:\Windows\SysWOW64\Fqppci32.exe Eiekog32.exe File created C:\Windows\SysWOW64\Jaonbc32.exe Jpnakk32.exe File opened for modification C:\Windows\SysWOW64\Ampaho32.exe Abjmkf32.exe File created C:\Windows\SysWOW64\Qckfid32.exe Pkabbgol.exe File opened for modification C:\Windows\SysWOW64\Acokhc32.exe Ahjgjj32.exe File opened for modification C:\Windows\SysWOW64\Jlfpdh32.exe Ijegcm32.exe File created C:\Windows\SysWOW64\Ohpfbb32.dll Kjjiej32.exe File created C:\Windows\SysWOW64\Bdkohe32.dll Lkeekk32.exe File created C:\Windows\SysWOW64\Gqkhda32.exe Gcghkm32.exe File created C:\Windows\SysWOW64\Bhldpj32.exe Acokhc32.exe File created C:\Windows\SysWOW64\Aaopkj32.dll Acokhc32.exe File created C:\Windows\SysWOW64\Gfchag32.dll Bkmeha32.exe File created C:\Windows\SysWOW64\Fhgmqghl.dll Fdpnda32.exe File created C:\Windows\SysWOW64\Ljodkeij.dll Kpjcdn32.exe File opened for modification C:\Windows\SysWOW64\Kcidmkpq.exe Jedccfqg.exe File created C:\Windows\SysWOW64\Iomcgl32.exe Idgojc32.exe File opened for modification C:\Windows\SysWOW64\Nccokk32.exe Nenbjo32.exe File opened for modification C:\Windows\SysWOW64\Klhnfo32.exe Kgkfnh32.exe File created C:\Windows\SysWOW64\Bgpcliao.exe Bacjdbch.exe File created C:\Windows\SysWOW64\Cpagaq32.dll Hgjljpkm.exe File created C:\Windows\SysWOW64\Pmcckk32.dll Jleijb32.exe File opened for modification C:\Windows\SysWOW64\Fbdnne32.exe Fdpnda32.exe File opened for modification C:\Windows\SysWOW64\Amhdmi32.exe Abcppq32.exe File created C:\Windows\SysWOW64\Chjaol32.exe Bapiabak.exe File created C:\Windows\SysWOW64\Cikglnkj.exe Cpbbch32.exe File created C:\Windows\SysWOW64\Ccchof32.exe Cimcan32.exe File created C:\Windows\SysWOW64\Pccahbmn.exe Pnfiplog.exe File opened for modification C:\Windows\SysWOW64\Inbqhhfj.exe Iiehpahb.exe File created C:\Windows\SysWOW64\Fmikeaap.exe Fbcfhibj.exe File opened for modification C:\Windows\SysWOW64\Qgnbaj32.exe Phlacbfm.exe File created C:\Windows\SysWOW64\Ecjfni32.dll Hpfcdojl.exe File created C:\Windows\SysWOW64\Objpoh32.exe Nolgijpk.exe File created C:\Windows\SysWOW64\Ajgqdaoi.dll Fnalmh32.exe File created C:\Windows\SysWOW64\Jbkbpoog.exe Jibmgi32.exe File opened for modification C:\Windows\SysWOW64\Namegfql.exe Nlqloo32.exe File created C:\Windows\SysWOW64\Naapmhbn.dll Nhgmcp32.exe File opened for modification C:\Windows\SysWOW64\Hkmnln32.exe Hgoeep32.exe File created C:\Windows\SysWOW64\Ccphhl32.dll Qadoba32.exe File created C:\Windows\SysWOW64\Pjmdlh32.dll Holfoqcm.exe File created C:\Windows\SysWOW64\Kojkgebl.dll Ejojljqa.exe File opened for modification C:\Windows\SysWOW64\Moobbb32.exe Mlnipg32.exe File created C:\Windows\SysWOW64\Pjehmfch.exe Poodpmca.exe File opened for modification C:\Windows\SysWOW64\Nlqloo32.exe Nakhaf32.exe File created C:\Windows\SysWOW64\Hpqldc32.exe Hekgfj32.exe File created C:\Windows\SysWOW64\Piapkbeg.exe Pjlcjf32.exe File opened for modification C:\Windows\SysWOW64\Folaiqng.exe Fedmqk32.exe File created C:\Windows\SysWOW64\Gdbnag32.dll Dhomfc32.exe File created C:\Windows\SysWOW64\Ockbnedp.dll Pkenjh32.exe File created C:\Windows\SysWOW64\Dpcpem32.dll Hdmoohbo.exe File created C:\Windows\SysWOW64\Cmklglpn.exe Ccchof32.exe File created C:\Windows\SysWOW64\Nccokk32.exe Nenbjo32.exe File opened for modification C:\Windows\SysWOW64\Qclmck32.exe Pmbegqjk.exe File opened for modification C:\Windows\SysWOW64\Eoolbinc.exe Dafbne32.exe File created C:\Windows\SysWOW64\Fbjabghp.dll Jehhaaci.exe -
Modifies registry class 64 IoCs
Processes:
Bebjdgmj.exeCcblbb32.exeHdkidohn.exeEifhdd32.exeHdehni32.exeNapjdpcn.exeJlhljhbg.exeHjfbjdnd.exeMoobbb32.exePhlacbfm.exeFdhcgaic.exeBjbfklei.exeEdmclccp.exeGiqkkf32.exeCijpahho.exeHehkajig.exeBdolhc32.exeGhaliknf.exePflplnlg.exeBppfmigl.exeOcfdgg32.exeLlmhaold.exeCammjakm.exeCaojpaij.exeHcljmj32.exeFnnjmbpm.exeQjnkcekm.exeDhhfedil.exeMbbagk32.exeIknmla32.exeFolaiqng.exeNncccnol.exeNeccpd32.exeNmdgikhi.exeGgfglb32.exePjlcjf32.exePahpfc32.exeKcbnnpka.exeBepmoh32.exeNqaiecjd.exeAkkffkhk.exeHnpaec32.exe6d082380b6dde79eabeb5a66b1ff6910_NeikiAnalytics.exeEkgbccni.exeMhoipb32.exeIipfmggc.exeClchbqoo.exeDfglfdkb.exeKolabf32.exeJejefqaf.exeNeppokal.exeOhiemobf.exeAojlaeei.exeGcnnllcg.exePkabbgol.exePoodpmca.exeFbcfhibj.exeFlfkkhid.exeMljmhflh.exeLljklo32.exeNnfpinmi.exeOckdmmoj.exeOnpjichj.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bebjdgmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccblbb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdkidohn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eifhdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdehni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Napjdpcn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlhljhbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjfbjdnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Moobbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkibhn32.dll" Phlacbfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdhcgaic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ioenpjfm.dll" Bjbfklei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edmclccp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Giqkkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fppcajgd.dll" Cijpahho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hehkajig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gohibf32.dll" Bdolhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghaliknf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pflplnlg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bppfmigl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocfdgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llmhaold.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cammjakm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqjpajgi.dll" Caojpaij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcljmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ambfbo32.dll" Fnnjmbpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qjnkcekm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhhfedil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbbagk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iknmla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Folaiqng.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nncccnol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpopgneq.dll" Neccpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpolbbim.dll" Nmdgikhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmbdpnaj.dll" Ggfglb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjlcjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnoigi32.dll" Pahpfc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcbnnpka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bepmoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqaiecjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akkffkhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpaifo32.dll" Hnpaec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 6d082380b6dde79eabeb5a66b1ff6910_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekgbccni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhoipb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iipfmggc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Clchbqoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfglfdkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kolabf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccblbb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jejefqaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Neppokal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohiemobf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aojlaeei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gcnnllcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkabbgol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Poodpmca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbcfhibj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flfkkhid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilnjmilq.dll" Mljmhflh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lljklo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnfpinmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ockdmmoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onpjichj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
6d082380b6dde79eabeb5a66b1ff6910_NeikiAnalytics.exeHmioonpn.exeIffmccbi.exeIfmcdblq.exeJbocea32.exeKkihknfg.exeKpjjod32.exeLdaeka32.exeMdmegp32.exeNgedij32.exeOkloegjl.exePkaiqf32.exeQgallfcq.exeAbngjnmo.exeBhdbhcck.exeBdolhc32.exeCbcilkjg.exeCbgbgj32.exeDafbne32.exeEoolbinc.exeEkemhj32.exeFhqcam32.exedescription pid process target process PID 3588 wrote to memory of 1692 3588 6d082380b6dde79eabeb5a66b1ff6910_NeikiAnalytics.exe Hmioonpn.exe PID 3588 wrote to memory of 1692 3588 6d082380b6dde79eabeb5a66b1ff6910_NeikiAnalytics.exe Hmioonpn.exe PID 3588 wrote to memory of 1692 3588 6d082380b6dde79eabeb5a66b1ff6910_NeikiAnalytics.exe Hmioonpn.exe PID 1692 wrote to memory of 1036 1692 Hmioonpn.exe Iffmccbi.exe PID 1692 wrote to memory of 1036 1692 Hmioonpn.exe Iffmccbi.exe PID 1692 wrote to memory of 1036 1692 Hmioonpn.exe Iffmccbi.exe PID 1036 wrote to memory of 4584 1036 Iffmccbi.exe Ifmcdblq.exe PID 1036 wrote to memory of 4584 1036 Iffmccbi.exe Ifmcdblq.exe PID 1036 wrote to memory of 4584 1036 Iffmccbi.exe Ifmcdblq.exe PID 4584 wrote to memory of 3344 4584 Ifmcdblq.exe Jbocea32.exe PID 4584 wrote to memory of 3344 4584 Ifmcdblq.exe Jbocea32.exe PID 4584 wrote to memory of 3344 4584 Ifmcdblq.exe Jbocea32.exe PID 3344 wrote to memory of 2336 3344 Jbocea32.exe Kkihknfg.exe PID 3344 wrote to memory of 2336 3344 Jbocea32.exe Kkihknfg.exe PID 3344 wrote to memory of 2336 3344 Jbocea32.exe Kkihknfg.exe PID 2336 wrote to memory of 1904 2336 Kkihknfg.exe Kpjjod32.exe PID 2336 wrote to memory of 1904 2336 Kkihknfg.exe Kpjjod32.exe PID 2336 wrote to memory of 1904 2336 Kkihknfg.exe Kpjjod32.exe PID 1904 wrote to memory of 1940 1904 Kpjjod32.exe Ldaeka32.exe PID 1904 wrote to memory of 1940 1904 Kpjjod32.exe Ldaeka32.exe PID 1904 wrote to memory of 1940 1904 Kpjjod32.exe Ldaeka32.exe PID 1940 wrote to memory of 3084 1940 Ldaeka32.exe Mdmegp32.exe PID 1940 wrote to memory of 3084 1940 Ldaeka32.exe Mdmegp32.exe PID 1940 wrote to memory of 3084 1940 Ldaeka32.exe Mdmegp32.exe PID 3084 wrote to memory of 3376 3084 Mdmegp32.exe Ngedij32.exe PID 3084 wrote to memory of 3376 3084 Mdmegp32.exe Ngedij32.exe PID 3084 wrote to memory of 3376 3084 Mdmegp32.exe Ngedij32.exe PID 3376 wrote to memory of 4968 3376 Ngedij32.exe Okloegjl.exe PID 3376 wrote to memory of 4968 3376 Ngedij32.exe Okloegjl.exe PID 3376 wrote to memory of 4968 3376 Ngedij32.exe Okloegjl.exe PID 4968 wrote to memory of 3408 4968 Okloegjl.exe Pkaiqf32.exe PID 4968 wrote to memory of 3408 4968 Okloegjl.exe Pkaiqf32.exe PID 4968 wrote to memory of 3408 4968 Okloegjl.exe Pkaiqf32.exe PID 3408 wrote to memory of 3260 3408 Pkaiqf32.exe Qgallfcq.exe PID 3408 wrote to memory of 3260 3408 Pkaiqf32.exe Qgallfcq.exe PID 3408 wrote to memory of 3260 3408 Pkaiqf32.exe Qgallfcq.exe PID 3260 wrote to memory of 924 3260 Qgallfcq.exe Abngjnmo.exe PID 3260 wrote to memory of 924 3260 Qgallfcq.exe Abngjnmo.exe PID 3260 wrote to memory of 924 3260 Qgallfcq.exe Abngjnmo.exe PID 924 wrote to memory of 1284 924 Abngjnmo.exe Bhdbhcck.exe PID 924 wrote to memory of 1284 924 Abngjnmo.exe Bhdbhcck.exe PID 924 wrote to memory of 1284 924 Abngjnmo.exe Bhdbhcck.exe PID 1284 wrote to memory of 1860 1284 Bhdbhcck.exe Bdolhc32.exe PID 1284 wrote to memory of 1860 1284 Bhdbhcck.exe Bdolhc32.exe PID 1284 wrote to memory of 1860 1284 Bhdbhcck.exe Bdolhc32.exe PID 1860 wrote to memory of 3904 1860 Bdolhc32.exe Cbcilkjg.exe PID 1860 wrote to memory of 3904 1860 Bdolhc32.exe Cbcilkjg.exe PID 1860 wrote to memory of 3904 1860 Bdolhc32.exe Cbcilkjg.exe PID 3904 wrote to memory of 808 3904 Cbcilkjg.exe Cbgbgj32.exe PID 3904 wrote to memory of 808 3904 Cbcilkjg.exe Cbgbgj32.exe PID 3904 wrote to memory of 808 3904 Cbcilkjg.exe Cbgbgj32.exe PID 808 wrote to memory of 2876 808 Cbgbgj32.exe Dafbne32.exe PID 808 wrote to memory of 2876 808 Cbgbgj32.exe Dafbne32.exe PID 808 wrote to memory of 2876 808 Cbgbgj32.exe Dafbne32.exe PID 2876 wrote to memory of 3024 2876 Dafbne32.exe Eoolbinc.exe PID 2876 wrote to memory of 3024 2876 Dafbne32.exe Eoolbinc.exe PID 2876 wrote to memory of 3024 2876 Dafbne32.exe Eoolbinc.exe PID 3024 wrote to memory of 3596 3024 Eoolbinc.exe Ekemhj32.exe PID 3024 wrote to memory of 3596 3024 Eoolbinc.exe Ekemhj32.exe PID 3024 wrote to memory of 3596 3024 Eoolbinc.exe Ekemhj32.exe PID 3596 wrote to memory of 5088 3596 Ekemhj32.exe Fhqcam32.exe PID 3596 wrote to memory of 5088 3596 Ekemhj32.exe Fhqcam32.exe PID 3596 wrote to memory of 5088 3596 Ekemhj32.exe Fhqcam32.exe PID 5088 wrote to memory of 3936 5088 Fhqcam32.exe Fhjfhl32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6d082380b6dde79eabeb5a66b1ff6910_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\6d082380b6dde79eabeb5a66b1ff6910_NeikiAnalytics.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3588 -
C:\Windows\SysWOW64\Hmioonpn.exeC:\Windows\system32\Hmioonpn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\Iffmccbi.exeC:\Windows\system32\Iffmccbi.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1036 -
C:\Windows\SysWOW64\Ifmcdblq.exeC:\Windows\system32\Ifmcdblq.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4584 -
C:\Windows\SysWOW64\Jbocea32.exeC:\Windows\system32\Jbocea32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3344 -
C:\Windows\SysWOW64\Kkihknfg.exeC:\Windows\system32\Kkihknfg.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Kpjjod32.exeC:\Windows\system32\Kpjjod32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1904 -
C:\Windows\SysWOW64\Ldaeka32.exeC:\Windows\system32\Ldaeka32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\SysWOW64\Mdmegp32.exeC:\Windows\system32\Mdmegp32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3084 -
C:\Windows\SysWOW64\Ngedij32.exeC:\Windows\system32\Ngedij32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3376 -
C:\Windows\SysWOW64\Okloegjl.exeC:\Windows\system32\Okloegjl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
C:\Windows\SysWOW64\Pkaiqf32.exeC:\Windows\system32\Pkaiqf32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3408 -
C:\Windows\SysWOW64\Qgallfcq.exeC:\Windows\system32\Qgallfcq.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3260 -
C:\Windows\SysWOW64\Abngjnmo.exeC:\Windows\system32\Abngjnmo.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:924 -
C:\Windows\SysWOW64\Bhdbhcck.exeC:\Windows\system32\Bhdbhcck.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1284 -
C:\Windows\SysWOW64\Bdolhc32.exeC:\Windows\system32\Bdolhc32.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Windows\SysWOW64\Cbcilkjg.exeC:\Windows\system32\Cbcilkjg.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3904 -
C:\Windows\SysWOW64\Cbgbgj32.exeC:\Windows\system32\Cbgbgj32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:808 -
C:\Windows\SysWOW64\Dafbne32.exeC:\Windows\system32\Dafbne32.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Eoolbinc.exeC:\Windows\system32\Eoolbinc.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\Ekemhj32.exeC:\Windows\system32\Ekemhj32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3596 -
C:\Windows\SysWOW64\Fhqcam32.exeC:\Windows\system32\Fhqcam32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5088 -
C:\Windows\SysWOW64\Fhjfhl32.exeC:\Windows\system32\Fhjfhl32.exe23⤵
- Executes dropped EXE
PID:3936 -
C:\Windows\SysWOW64\Ghaliknf.exeC:\Windows\system32\Ghaliknf.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:5044 -
C:\Windows\SysWOW64\Hcpclbfa.exeC:\Windows\system32\Hcpclbfa.exe25⤵
- Executes dropped EXE
PID:3400 -
C:\Windows\SysWOW64\Hkkhqd32.exeC:\Windows\system32\Hkkhqd32.exe26⤵
- Executes dropped EXE
PID:4588 -
C:\Windows\SysWOW64\Ilidbbgl.exeC:\Windows\system32\Ilidbbgl.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4384 -
C:\Windows\SysWOW64\Jbeidl32.exeC:\Windows\system32\Jbeidl32.exe28⤵
- Executes dropped EXE
PID:5036 -
C:\Windows\SysWOW64\Jbjcolha.exeC:\Windows\system32\Jbjcolha.exe29⤵
- Executes dropped EXE
PID:4404 -
C:\Windows\SysWOW64\Kpjcdn32.exeC:\Windows\system32\Kpjcdn32.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1200 -
C:\Windows\SysWOW64\Lfkaag32.exeC:\Windows\system32\Lfkaag32.exe31⤵
- Executes dropped EXE
PID:3888 -
C:\Windows\SysWOW64\Lpcfkm32.exeC:\Windows\system32\Lpcfkm32.exe32⤵
- Executes dropped EXE
PID:1424 -
C:\Windows\SysWOW64\Mpoefk32.exeC:\Windows\system32\Mpoefk32.exe33⤵
- Executes dropped EXE
PID:3868 -
C:\Windows\SysWOW64\Mdmnlj32.exeC:\Windows\system32\Mdmnlj32.exe34⤵
- Executes dropped EXE
PID:3800 -
C:\Windows\SysWOW64\Ncbknfed.exeC:\Windows\system32\Ncbknfed.exe35⤵
- Executes dropped EXE
PID:4788 -
C:\Windows\SysWOW64\Ndaggimg.exeC:\Windows\system32\Ndaggimg.exe36⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Nnlhfn32.exeC:\Windows\system32\Nnlhfn32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Ndfqbhia.exeC:\Windows\system32\Ndfqbhia.exe38⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Nnneknob.exeC:\Windows\system32\Nnneknob.exe39⤵
- Executes dropped EXE
PID:4768 -
C:\Windows\SysWOW64\Odkjng32.exeC:\Windows\system32\Odkjng32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Oncofm32.exeC:\Windows\system32\Oncofm32.exe41⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Ocbddc32.exeC:\Windows\system32\Ocbddc32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Onhhamgg.exeC:\Windows\system32\Onhhamgg.exe43⤵
- Executes dropped EXE
PID:3448 -
C:\Windows\SysWOW64\Ocdqjceo.exeC:\Windows\system32\Ocdqjceo.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4608 -
C:\Windows\SysWOW64\Onjegled.exeC:\Windows\system32\Onjegled.exe45⤵
- Executes dropped EXE
PID:4992 -
C:\Windows\SysWOW64\Ofeilobp.exeC:\Windows\system32\Ofeilobp.exe46⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Pnonbk32.exeC:\Windows\system32\Pnonbk32.exe47⤵
- Executes dropped EXE
PID:4652 -
C:\Windows\SysWOW64\Pmdkch32.exeC:\Windows\system32\Pmdkch32.exe48⤵
- Executes dropped EXE
PID:4148 -
C:\Windows\SysWOW64\Pflplnlg.exeC:\Windows\system32\Pflplnlg.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:232 -
C:\Windows\SysWOW64\Pjjhbl32.exeC:\Windows\system32\Pjjhbl32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Qmkadgpo.exeC:\Windows\system32\Qmkadgpo.exe51⤵
- Executes dropped EXE
PID:3432 -
C:\Windows\SysWOW64\Qgqeappe.exeC:\Windows\system32\Qgqeappe.exe52⤵
- Executes dropped EXE
PID:4496 -
C:\Windows\SysWOW64\Qqijje32.exeC:\Windows\system32\Qqijje32.exe53⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Ajanck32.exeC:\Windows\system32\Ajanck32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:400 -
C:\Windows\SysWOW64\Aclpap32.exeC:\Windows\system32\Aclpap32.exe55⤵
- Executes dropped EXE
PID:3900 -
C:\Windows\SysWOW64\Amddjegd.exeC:\Windows\system32\Amddjegd.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:936 -
C:\Windows\SysWOW64\Afmhck32.exeC:\Windows\system32\Afmhck32.exe57⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Aglemn32.exeC:\Windows\system32\Aglemn32.exe58⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Anfmjhmd.exeC:\Windows\system32\Anfmjhmd.exe59⤵
- Executes dropped EXE
PID:4696 -
C:\Windows\SysWOW64\Agoabn32.exeC:\Windows\system32\Agoabn32.exe60⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Baicac32.exeC:\Windows\system32\Baicac32.exe61⤵
- Executes dropped EXE
PID:3460 -
C:\Windows\SysWOW64\Bnmcjg32.exeC:\Windows\system32\Bnmcjg32.exe62⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Beihma32.exeC:\Windows\system32\Beihma32.exe63⤵
- Executes dropped EXE
PID:60 -
C:\Windows\SysWOW64\Bapiabak.exeC:\Windows\system32\Bapiabak.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2684 -
C:\Windows\SysWOW64\Chjaol32.exeC:\Windows\system32\Chjaol32.exe65⤵
- Executes dropped EXE
PID:3820 -
C:\Windows\SysWOW64\Cdabcm32.exeC:\Windows\system32\Cdabcm32.exe66⤵PID:4796
-
C:\Windows\SysWOW64\Cnffqf32.exeC:\Windows\system32\Cnffqf32.exe67⤵PID:1388
-
C:\Windows\SysWOW64\Chokikeb.exeC:\Windows\system32\Chokikeb.exe68⤵PID:3528
-
C:\Windows\SysWOW64\Cagobalc.exeC:\Windows\system32\Cagobalc.exe69⤵PID:4504
-
C:\Windows\SysWOW64\Cnkplejl.exeC:\Windows\system32\Cnkplejl.exe70⤵PID:852
-
C:\Windows\SysWOW64\Cdhhdlid.exeC:\Windows\system32\Cdhhdlid.exe71⤵PID:4132
-
C:\Windows\SysWOW64\Calhnpgn.exeC:\Windows\system32\Calhnpgn.exe72⤵PID:2240
-
C:\Windows\SysWOW64\Dhfajjoj.exeC:\Windows\system32\Dhfajjoj.exe73⤵PID:3544
-
C:\Windows\SysWOW64\Ddmaok32.exeC:\Windows\system32\Ddmaok32.exe74⤵PID:3032
-
C:\Windows\SysWOW64\Dmefhako.exeC:\Windows\system32\Dmefhako.exe75⤵PID:3988
-
C:\Windows\SysWOW64\Dkifae32.exeC:\Windows\system32\Dkifae32.exe76⤵PID:5020
-
C:\Windows\SysWOW64\Deokon32.exeC:\Windows\system32\Deokon32.exe77⤵PID:408
-
C:\Windows\SysWOW64\Dmjocp32.exeC:\Windows\system32\Dmjocp32.exe78⤵PID:3316
-
C:\Windows\SysWOW64\Dhocqigp.exeC:\Windows\system32\Dhocqigp.exe79⤵PID:3000
-
C:\Windows\SysWOW64\Ehapfiem.exeC:\Windows\system32\Ehapfiem.exe80⤵PID:4760
-
C:\Windows\SysWOW64\Eajeon32.exeC:\Windows\system32\Eajeon32.exe81⤵PID:4044
-
C:\Windows\SysWOW64\Ekbihd32.exeC:\Windows\system32\Ekbihd32.exe82⤵PID:1868
-
C:\Windows\SysWOW64\Edknqiho.exeC:\Windows\system32\Edknqiho.exe83⤵PID:428
-
C:\Windows\SysWOW64\Ekgbccni.exeC:\Windows\system32\Ekgbccni.exe84⤵
- Modifies registry class
PID:1980 -
C:\Windows\SysWOW64\Ekiohclf.exeC:\Windows\system32\Ekiohclf.exe85⤵PID:2844
-
C:\Windows\SysWOW64\Fdbdah32.exeC:\Windows\system32\Fdbdah32.exe86⤵PID:3508
-
C:\Windows\SysWOW64\Foghnabl.exeC:\Windows\system32\Foghnabl.exe87⤵PID:460
-
C:\Windows\SysWOW64\Fddqghpd.exeC:\Windows\system32\Fddqghpd.exe88⤵PID:384
-
C:\Windows\SysWOW64\Fedmqk32.exeC:\Windows\system32\Fedmqk32.exe89⤵
- Drops file in System32 directory
PID:3736 -
C:\Windows\SysWOW64\Folaiqng.exeC:\Windows\system32\Folaiqng.exe90⤵
- Modifies registry class
PID:688 -
C:\Windows\SysWOW64\Fnckpmql.exeC:\Windows\system32\Fnckpmql.exe91⤵PID:5116
-
C:\Windows\SysWOW64\Ghipne32.exeC:\Windows\system32\Ghipne32.exe92⤵PID:1696
-
C:\Windows\SysWOW64\Gnfhfl32.exeC:\Windows\system32\Gnfhfl32.exe93⤵PID:3684
-
C:\Windows\SysWOW64\Gepmlimi.exeC:\Windows\system32\Gepmlimi.exe94⤵PID:1396
-
C:\Windows\SysWOW64\Gohaeo32.exeC:\Windows\system32\Gohaeo32.exe95⤵PID:5156
-
C:\Windows\SysWOW64\Ghpendjj.exeC:\Windows\system32\Ghpendjj.exe96⤵PID:5204
-
C:\Windows\SysWOW64\Gahjgj32.exeC:\Windows\system32\Gahjgj32.exe97⤵PID:5260
-
C:\Windows\SysWOW64\Hakgmjoh.exeC:\Windows\system32\Hakgmjoh.exe98⤵PID:5312
-
C:\Windows\SysWOW64\Hgjljpkm.exeC:\Windows\system32\Hgjljpkm.exe99⤵
- Drops file in System32 directory
PID:5356 -
C:\Windows\SysWOW64\Hbpphi32.exeC:\Windows\system32\Hbpphi32.exe100⤵PID:5404
-
C:\Windows\SysWOW64\Hgoeep32.exeC:\Windows\system32\Hgoeep32.exe101⤵
- Drops file in System32 directory
PID:5448 -
C:\Windows\SysWOW64\Hkmnln32.exeC:\Windows\system32\Hkmnln32.exe102⤵PID:5492
-
C:\Windows\SysWOW64\Idebdcdo.exeC:\Windows\system32\Idebdcdo.exe103⤵PID:5536
-
C:\Windows\SysWOW64\Iokgal32.exeC:\Windows\system32\Iokgal32.exe104⤵PID:5580
-
C:\Windows\SysWOW64\Idgojc32.exeC:\Windows\system32\Idgojc32.exe105⤵
- Drops file in System32 directory
PID:5624 -
C:\Windows\SysWOW64\Iomcgl32.exeC:\Windows\system32\Iomcgl32.exe106⤵PID:5668
-
C:\Windows\SysWOW64\Iiehpahb.exeC:\Windows\system32\Iiehpahb.exe107⤵
- Drops file in System32 directory
PID:5712 -
C:\Windows\SysWOW64\Inbqhhfj.exeC:\Windows\system32\Inbqhhfj.exe108⤵PID:5752
-
C:\Windows\SysWOW64\Iigdfa32.exeC:\Windows\system32\Iigdfa32.exe109⤵PID:5800
-
C:\Windows\SysWOW64\Jodjhkkj.exeC:\Windows\system32\Jodjhkkj.exe110⤵PID:5844
-
C:\Windows\SysWOW64\Jilnqqbj.exeC:\Windows\system32\Jilnqqbj.exe111⤵PID:5888
-
C:\Windows\SysWOW64\Joffnk32.exeC:\Windows\system32\Joffnk32.exe112⤵PID:5932
-
C:\Windows\SysWOW64\Jecofa32.exeC:\Windows\system32\Jecofa32.exe113⤵PID:5976
-
C:\Windows\SysWOW64\Joiccj32.exeC:\Windows\system32\Joiccj32.exe114⤵PID:6024
-
C:\Windows\SysWOW64\Jfbkpd32.exeC:\Windows\system32\Jfbkpd32.exe115⤵PID:6068
-
C:\Windows\SysWOW64\Jkodhk32.exeC:\Windows\system32\Jkodhk32.exe116⤵PID:6112
-
C:\Windows\SysWOW64\Jehhaaci.exeC:\Windows\system32\Jehhaaci.exe117⤵
- Drops file in System32 directory
PID:3428 -
C:\Windows\SysWOW64\Jejefqaf.exeC:\Windows\system32\Jejefqaf.exe118⤵
- Modifies registry class
PID:5180 -
C:\Windows\SysWOW64\Kppici32.exeC:\Windows\system32\Kppici32.exe119⤵PID:5240
-
C:\Windows\SysWOW64\Kbpbed32.exeC:\Windows\system32\Kbpbed32.exe120⤵PID:5320
-
C:\Windows\SysWOW64\Klifnj32.exeC:\Windows\system32\Klifnj32.exe121⤵PID:5380
-
C:\Windows\SysWOW64\Knippe32.exeC:\Windows\system32\Knippe32.exe122⤵PID:4904
-
C:\Windows\SysWOW64\Kechmoil.exeC:\Windows\system32\Kechmoil.exe123⤵PID:116
-
C:\Windows\SysWOW64\Knlleepl.exeC:\Windows\system32\Knlleepl.exe124⤵PID:5508
-
C:\Windows\SysWOW64\Lpkiph32.exeC:\Windows\system32\Lpkiph32.exe125⤵PID:5572
-
C:\Windows\SysWOW64\Lhfmdj32.exeC:\Windows\system32\Lhfmdj32.exe126⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5644 -
C:\Windows\SysWOW64\Lifjnm32.exeC:\Windows\system32\Lifjnm32.exe127⤵PID:4616
-
C:\Windows\SysWOW64\Lihfcm32.exeC:\Windows\system32\Lihfcm32.exe128⤵PID:5788
-
C:\Windows\SysWOW64\Lhncdi32.exeC:\Windows\system32\Lhncdi32.exe129⤵PID:5836
-
C:\Windows\SysWOW64\Lbchba32.exeC:\Windows\system32\Lbchba32.exe130⤵PID:5916
-
C:\Windows\SysWOW64\Mhppji32.exeC:\Windows\system32\Mhppji32.exe131⤵PID:5972
-
C:\Windows\SysWOW64\Mfaqhp32.exeC:\Windows\system32\Mfaqhp32.exe132⤵PID:6052
-
C:\Windows\SysWOW64\Mlnipg32.exeC:\Windows\system32\Mlnipg32.exe133⤵
- Drops file in System32 directory
PID:6104 -
C:\Windows\SysWOW64\Moobbb32.exeC:\Windows\system32\Moobbb32.exe134⤵
- Modifies registry class
PID:6096 -
C:\Windows\SysWOW64\Midfokpm.exeC:\Windows\system32\Midfokpm.exe135⤵PID:5248
-
C:\Windows\SysWOW64\Mblkhq32.exeC:\Windows\system32\Mblkhq32.exe136⤵PID:5296
-
C:\Windows\SysWOW64\Mhicpg32.exeC:\Windows\system32\Mhicpg32.exe137⤵PID:5416
-
C:\Windows\SysWOW64\Npchgdcd.exeC:\Windows\system32\Npchgdcd.exe138⤵PID:264
-
C:\Windows\SysWOW64\Neppokal.exeC:\Windows\system32\Neppokal.exe139⤵
- Modifies registry class
PID:5568 -
C:\Windows\SysWOW64\Nhpiafnm.exeC:\Windows\system32\Nhpiafnm.exe140⤵PID:5676
-
C:\Windows\SysWOW64\Nojanpej.exeC:\Windows\system32\Nojanpej.exe141⤵PID:5744
-
C:\Windows\SysWOW64\Nipekiep.exeC:\Windows\system32\Nipekiep.exe142⤵PID:5876
-
C:\Windows\SysWOW64\Ngdfdmdi.exeC:\Windows\system32\Ngdfdmdi.exe143⤵PID:5964
-
C:\Windows\SysWOW64\Ncjginjn.exeC:\Windows\system32\Ncjginjn.exe144⤵PID:1672
-
C:\Windows\SysWOW64\Oigllh32.exeC:\Windows\system32\Oigllh32.exe145⤵PID:3100
-
C:\Windows\SysWOW64\Oocddono.exeC:\Windows\system32\Oocddono.exe146⤵PID:5328
-
C:\Windows\SysWOW64\Oenlqi32.exeC:\Windows\system32\Oenlqi32.exe147⤵PID:5432
-
C:\Windows\SysWOW64\Ohnebd32.exeC:\Windows\system32\Ohnebd32.exe148⤵PID:5524
-
C:\Windows\SysWOW64\Ocdjpmac.exeC:\Windows\system32\Ocdjpmac.exe149⤵PID:5700
-
C:\Windows\SysWOW64\Ookjdn32.exeC:\Windows\system32\Ookjdn32.exe150⤵PID:5860
-
C:\Windows\SysWOW64\Ploknb32.exeC:\Windows\system32\Ploknb32.exe151⤵PID:6004
-
C:\Windows\SysWOW64\Pjbkgfej.exeC:\Windows\system32\Pjbkgfej.exe152⤵PID:2056
-
C:\Windows\SysWOW64\Poodpmca.exeC:\Windows\system32\Poodpmca.exe153⤵
- Drops file in System32 directory
- Modifies registry class
PID:1484 -
C:\Windows\SysWOW64\Pjehmfch.exeC:\Windows\system32\Pjehmfch.exe154⤵PID:5996
-
C:\Windows\SysWOW64\Pcmlfl32.exeC:\Windows\system32\Pcmlfl32.exe155⤵PID:5760
-
C:\Windows\SysWOW64\Pleaoa32.exeC:\Windows\system32\Pleaoa32.exe156⤵PID:6016
-
C:\Windows\SysWOW64\Pcpikkge.exeC:\Windows\system32\Pcpikkge.exe157⤵PID:5212
-
C:\Windows\SysWOW64\Phlacbfm.exeC:\Windows\system32\Phlacbfm.exe158⤵
- Drops file in System32 directory
- Modifies registry class
PID:5616 -
C:\Windows\SysWOW64\Qgnbaj32.exeC:\Windows\system32\Qgnbaj32.exe159⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4352 -
C:\Windows\SysWOW64\Qjnkcekm.exeC:\Windows\system32\Qjnkcekm.exe160⤵
- Modifies registry class
PID:5412 -
C:\Windows\SysWOW64\Aokcklid.exeC:\Windows\system32\Aokcklid.exe161⤵PID:4564
-
C:\Windows\SysWOW64\Ahchda32.exeC:\Windows\system32\Ahchda32.exe162⤵PID:5792
-
C:\Windows\SysWOW64\Acilajpk.exeC:\Windows\system32\Acilajpk.exe163⤵PID:5908
-
C:\Windows\SysWOW64\Ahfdjanb.exeC:\Windows\system32\Ahfdjanb.exe164⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3264 -
C:\Windows\SysWOW64\Ackigjmh.exeC:\Windows\system32\Ackigjmh.exe165⤵PID:6176
-
C:\Windows\SysWOW64\Aihaoqlp.exeC:\Windows\system32\Aihaoqlp.exe166⤵PID:6220
-
C:\Windows\SysWOW64\Acnemi32.exeC:\Windows\system32\Acnemi32.exe167⤵PID:6264
-
C:\Windows\SysWOW64\Aijnep32.exeC:\Windows\system32\Aijnep32.exe168⤵PID:6308
-
C:\Windows\SysWOW64\Afnnnd32.exeC:\Windows\system32\Afnnnd32.exe169⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6348 -
C:\Windows\SysWOW64\Bqdblmhl.exeC:\Windows\system32\Bqdblmhl.exe170⤵PID:6392
-
C:\Windows\SysWOW64\Bfqkddfd.exeC:\Windows\system32\Bfqkddfd.exe171⤵PID:6440
-
C:\Windows\SysWOW64\Bmmpfn32.exeC:\Windows\system32\Bmmpfn32.exe172⤵PID:6480
-
C:\Windows\SysWOW64\Bgbdcgld.exeC:\Windows\system32\Bgbdcgld.exe173⤵PID:6528
-
C:\Windows\SysWOW64\Bqkill32.exeC:\Windows\system32\Bqkill32.exe174⤵PID:6572
-
C:\Windows\SysWOW64\Bjcmebie.exeC:\Windows\system32\Bjcmebie.exe175⤵PID:6612
-
C:\Windows\SysWOW64\Bppfmigl.exeC:\Windows\system32\Bppfmigl.exe176⤵
- Modifies registry class
PID:6656 -
C:\Windows\SysWOW64\Bihjfnmm.exeC:\Windows\system32\Bihjfnmm.exe177⤵
- Drops file in System32 directory
PID:6696 -
C:\Windows\SysWOW64\Cpbbch32.exeC:\Windows\system32\Cpbbch32.exe178⤵
- Drops file in System32 directory
PID:6740 -
C:\Windows\SysWOW64\Cikglnkj.exeC:\Windows\system32\Cikglnkj.exe179⤵PID:6784
-
C:\Windows\SysWOW64\Cpeohh32.exeC:\Windows\system32\Cpeohh32.exe180⤵PID:6828
-
C:\Windows\SysWOW64\Cimcan32.exeC:\Windows\system32\Cimcan32.exe181⤵
- Drops file in System32 directory
PID:6872 -
C:\Windows\SysWOW64\Ccchof32.exeC:\Windows\system32\Ccchof32.exe182⤵
- Drops file in System32 directory
PID:6916 -
C:\Windows\SysWOW64\Cmklglpn.exeC:\Windows\system32\Cmklglpn.exe183⤵PID:6960
-
C:\Windows\SysWOW64\Cpleig32.exeC:\Windows\system32\Cpleig32.exe184⤵PID:7004
-
C:\Windows\SysWOW64\Cjaifp32.exeC:\Windows\system32\Cjaifp32.exe185⤵PID:7048
-
C:\Windows\SysWOW64\Dgejpd32.exeC:\Windows\system32\Dgejpd32.exe186⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7092 -
C:\Windows\SysWOW64\Dmbbhkjf.exeC:\Windows\system32\Dmbbhkjf.exe187⤵PID:7140
-
C:\Windows\SysWOW64\Dhhfedil.exeC:\Windows\system32\Dhhfedil.exe188⤵
- Modifies registry class
PID:6160 -
C:\Windows\SysWOW64\Dmdonkgc.exeC:\Windows\system32\Dmdonkgc.exe189⤵PID:6240
-
C:\Windows\SysWOW64\Dhlpqc32.exeC:\Windows\system32\Dhlpqc32.exe190⤵PID:6296
-
C:\Windows\SysWOW64\Dinmhkke.exeC:\Windows\system32\Dinmhkke.exe191⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6384 -
C:\Windows\SysWOW64\Dhomfc32.exeC:\Windows\system32\Dhomfc32.exe192⤵
- Drops file in System32 directory
PID:6436 -
C:\Windows\SysWOW64\Eagaoh32.exeC:\Windows\system32\Eagaoh32.exe193⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6516 -
C:\Windows\SysWOW64\Efdjgo32.exeC:\Windows\system32\Efdjgo32.exe194⤵PID:6580
-
C:\Windows\SysWOW64\Edhjqc32.exeC:\Windows\system32\Edhjqc32.exe195⤵PID:6648
-
C:\Windows\SysWOW64\Ejbbmnnb.exeC:\Windows\system32\Ejbbmnnb.exe196⤵PID:6724
-
C:\Windows\SysWOW64\Edjgfcec.exeC:\Windows\system32\Edjgfcec.exe197⤵PID:6792
-
C:\Windows\SysWOW64\Eigonjcj.exeC:\Windows\system32\Eigonjcj.exe198⤵PID:6860
-
C:\Windows\SysWOW64\Edmclccp.exeC:\Windows\system32\Edmclccp.exe199⤵
- Modifies registry class
PID:6928 -
C:\Windows\SysWOW64\Fkihnmhj.exeC:\Windows\system32\Fkihnmhj.exe200⤵PID:7000
-
C:\Windows\SysWOW64\Fhmigagd.exeC:\Windows\system32\Fhmigagd.exe201⤵PID:7060
-
C:\Windows\SysWOW64\Fhofmq32.exeC:\Windows\system32\Fhofmq32.exe202⤵PID:7136
-
C:\Windows\SysWOW64\Fkpool32.exeC:\Windows\system32\Fkpool32.exe203⤵PID:6228
-
C:\Windows\SysWOW64\Fdhcgaic.exeC:\Windows\system32\Fdhcgaic.exe204⤵
- Modifies registry class
PID:6304 -
C:\Windows\SysWOW64\Fmqgpgoc.exeC:\Windows\system32\Fmqgpgoc.exe205⤵PID:6428
-
C:\Windows\SysWOW64\Gdmmbq32.exeC:\Windows\system32\Gdmmbq32.exe206⤵PID:6552
-
C:\Windows\SysWOW64\Gmeakf32.exeC:\Windows\system32\Gmeakf32.exe207⤵PID:6644
-
C:\Windows\SysWOW64\Ghkeio32.exeC:\Windows\system32\Ghkeio32.exe208⤵PID:6768
-
C:\Windows\SysWOW64\Gacjadad.exeC:\Windows\system32\Gacjadad.exe209⤵PID:6868
-
C:\Windows\SysWOW64\Gklnjj32.exeC:\Windows\system32\Gklnjj32.exe210⤵PID:6972
-
C:\Windows\SysWOW64\Gphgbafl.exeC:\Windows\system32\Gphgbafl.exe211⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7080 -
C:\Windows\SysWOW64\Giqkkf32.exeC:\Windows\system32\Giqkkf32.exe212⤵
- Modifies registry class
PID:6288 -
C:\Windows\SysWOW64\Gdfoio32.exeC:\Windows\system32\Gdfoio32.exe213⤵PID:6504
-
C:\Windows\SysWOW64\Hhdhon32.exeC:\Windows\system32\Hhdhon32.exe214⤵PID:6760
-
C:\Windows\SysWOW64\Hdkidohn.exeC:\Windows\system32\Hdkidohn.exe215⤵
- Modifies registry class
PID:6904 -
C:\Windows\SysWOW64\Hkgnfhnh.exeC:\Windows\system32\Hkgnfhnh.exe216⤵PID:6976
-
C:\Windows\SysWOW64\Hkjjlhle.exeC:\Windows\system32\Hkjjlhle.exe217⤵PID:3748
-
C:\Windows\SysWOW64\Hpfcdojl.exeC:\Windows\system32\Hpfcdojl.exe218⤵
- Drops file in System32 directory
PID:6604 -
C:\Windows\SysWOW64\Iklgah32.exeC:\Windows\system32\Iklgah32.exe219⤵PID:6848
-
C:\Windows\SysWOW64\Iqipio32.exeC:\Windows\system32\Iqipio32.exe220⤵PID:7056
-
C:\Windows\SysWOW64\Iahlcaol.exeC:\Windows\system32\Iahlcaol.exe221⤵PID:6400
-
C:\Windows\SysWOW64\Inomhbeq.exeC:\Windows\system32\Inomhbeq.exe222⤵PID:6924
-
C:\Windows\SysWOW64\Ihdafkdg.exeC:\Windows\system32\Ihdafkdg.exe223⤵PID:3588
-
C:\Windows\SysWOW64\Ibmeoq32.exeC:\Windows\system32\Ibmeoq32.exe224⤵PID:6820
-
C:\Windows\SysWOW64\Iqbbpm32.exeC:\Windows\system32\Iqbbpm32.exe225⤵PID:6420
-
C:\Windows\SysWOW64\Jnfcia32.exeC:\Windows\system32\Jnfcia32.exe226⤵PID:4428
-
C:\Windows\SysWOW64\Jbdlop32.exeC:\Windows\system32\Jbdlop32.exe227⤵PID:6196
-
C:\Windows\SysWOW64\Jgadgf32.exeC:\Windows\system32\Jgadgf32.exe228⤵PID:1692
-
C:\Windows\SysWOW64\Jnmijq32.exeC:\Windows\system32\Jnmijq32.exe229⤵PID:7196
-
C:\Windows\SysWOW64\Jibmgi32.exeC:\Windows\system32\Jibmgi32.exe230⤵
- Drops file in System32 directory
PID:7240 -
C:\Windows\SysWOW64\Jbkbpoog.exeC:\Windows\system32\Jbkbpoog.exe231⤵PID:7284
-
C:\Windows\SysWOW64\Knbbep32.exeC:\Windows\system32\Knbbep32.exe232⤵PID:7328
-
C:\Windows\SysWOW64\Kjhcjq32.exeC:\Windows\system32\Kjhcjq32.exe233⤵PID:7372
-
C:\Windows\SysWOW64\Kqbkfkal.exeC:\Windows\system32\Kqbkfkal.exe234⤵PID:7416
-
C:\Windows\SysWOW64\Kbbhqn32.exeC:\Windows\system32\Kbbhqn32.exe235⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7460 -
C:\Windows\SysWOW64\Kkmioc32.exeC:\Windows\system32\Kkmioc32.exe236⤵PID:7504
-
C:\Windows\SysWOW64\Lajagj32.exeC:\Windows\system32\Lajagj32.exe237⤵PID:7548
-
C:\Windows\SysWOW64\Lkofdbkj.exeC:\Windows\system32\Lkofdbkj.exe238⤵PID:7588
-
C:\Windows\SysWOW64\Lbinam32.exeC:\Windows\system32\Lbinam32.exe239⤵PID:7636
-
C:\Windows\SysWOW64\Lieccf32.exeC:\Windows\system32\Lieccf32.exe240⤵PID:7680
-
C:\Windows\SysWOW64\Llflea32.exeC:\Windows\system32\Llflea32.exe241⤵PID:7724
-
C:\Windows\SysWOW64\Leopnglc.exeC:\Windows\system32\Leopnglc.exe242⤵PID:7768