Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 30-05-2024 13:56
Behavioral task: behavioral1
Sample: dab29f121ae4729d1808cc0a51036f60_NeikiAnalytics.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: dab29f121ae4729d1808cc0a51036f60_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: dab29f121ae4729d1808cc0a51036f60_NeikiAnalytics.exe
Size: 448KB
MD5: dab29f121ae4729d1808cc0a51036f60
SHA1: 77bb32a50aa2741a08dfcbf8e6f9bca32ea5e380
SHA256: 6f3a239c96a075c0e67125a1dfe4d42d3a436498065b0fd39ef5c4af57ef2d3c
SHA512: 6fd6b33564c075f71f5564a88fd59cdfb60bc9a66a73a1529e200de6b62d924359a91a1abe84a185ab1a4fbec28e3dd954a842d66e36dfbd5c0d7f300421ab44
SSDEEP: 6144:CcWCt08Zfbz2u7aOl3BzrUmKyIxLfYeOO9UmKyIxLiajOEjXP3HBsR4/0ePGSzxC:oRKl7aOlxzr3cOK3TajRfXFMKNxC
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Processes:
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan capable of downloading and installing a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Processes:
Executes dropped EXE (64 IoCs)
Processes:
Loads dropped DLL (64 IoCs)
Processes:
Drops file in System32 directory (64 IoCs)
Processes:
Program crash (1 IoC)
Processes:
pid   pid_target
6096  5740
Modifies registry class (64 IoCs)
Processes:
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
dab29f121ae4729d1808cc0a51036f60_NeikiAnalytics.exe, Jfcnngnd.exe, Jkbcln32.exe, Kaaijdgn.exe, Kkijmm32.exe, Kpkofpgq.exe, Kfgdhjmk.exe, Lpbefoai.exe, Lhmjkaoc.exe, Lajhofao.exe, Mgimmm32.exe, Mlibjc32.exe, Moiklogi.exe, Nefpnhlc.exe, Nhfipcid.exe, Nhkbkc32.exe
description pid process target process
PID 2684 wrote to memory of 2848 2684 dab29f121ae4729d1808cc0a51036f60_NeikiAnalytics.exe Jfcnngnd.exe
PID 2684 wrote to memory of 2848 2684 dab29f121ae4729d1808cc0a51036f60_NeikiAnalytics.exe Jfcnngnd.exe
PID 2684 wrote to memory of 2848 2684 dab29f121ae4729d1808cc0a51036f60_NeikiAnalytics.exe Jfcnngnd.exe
PID 2684 wrote to memory of 2848 2684 dab29f121ae4729d1808cc0a51036f60_NeikiAnalytics.exe Jfcnngnd.exe
PID 2848 wrote to memory of 1564 2848 Jfcnngnd.exe Jkbcln32.exe
PID 2848 wrote to memory of 1564 2848 Jfcnngnd.exe Jkbcln32.exe
PID 2848 wrote to memory of 1564 2848 Jfcnngnd.exe Jkbcln32.exe
PID 2848 wrote to memory of 1564 2848 Jfcnngnd.exe Jkbcln32.exe
PID 1564 wrote to memory of 2640 1564 Jkbcln32.exe Kaaijdgn.exe
PID 1564 wrote to memory of 2640 1564 Jkbcln32.exe Kaaijdgn.exe
PID 1564 wrote to memory of 2640 1564 Jkbcln32.exe Kaaijdgn.exe
PID 1564 wrote to memory of 2640 1564 Jkbcln32.exe Kaaijdgn.exe
PID 2640 wrote to memory of 2656 2640 Kaaijdgn.exe Kkijmm32.exe
PID 2640 wrote to memory of 2656 2640 Kaaijdgn.exe Kkijmm32.exe
PID 2640 wrote to memory of 2656 2640 Kaaijdgn.exe Kkijmm32.exe
PID 2640 wrote to memory of 2656 2640 Kaaijdgn.exe Kkijmm32.exe
PID 2656 wrote to memory of 2980 2656 Kkijmm32.exe Kpkofpgq.exe
PID 2656 wrote to memory of 2980 2656 Kkijmm32.exe Kpkofpgq.exe
PID 2656 wrote to memory of 2980 2656 Kkijmm32.exe Kpkofpgq.exe
PID 2656 wrote to memory of 2980 2656 Kkijmm32.exe Kpkofpgq.exe
PID 2980 wrote to memory of 2408 2980 Kpkofpgq.exe Kfgdhjmk.exe
PID 2980 wrote to memory of 2408 2980 Kpkofpgq.exe Kfgdhjmk.exe
PID 2980 wrote to memory of 2408 2980 Kpkofpgq.exe Kfgdhjmk.exe
PID 2980 wrote to memory of 2408 2980 Kpkofpgq.exe Kfgdhjmk.exe
PID 2408 wrote to memory of 2680 2408 Kfgdhjmk.exe Lpbefoai.exe
PID 2408 wrote to memory of 2680 2408 Kfgdhjmk.exe Lpbefoai.exe
PID 2408 wrote to memory of 2680 2408 Kfgdhjmk.exe Lpbefoai.exe
PID 2408 wrote to memory of 2680 2408 Kfgdhjmk.exe Lpbefoai.exe
PID 2680 wrote to memory of 2708 2680 Lpbefoai.exe Lhmjkaoc.exe
PID 2680 wrote to memory of 2708 2680 Lpbefoai.exe Lhmjkaoc.exe
PID 2680 wrote to memory of 2708 2680 Lpbefoai.exe Lhmjkaoc.exe
PID 2680 wrote to memory of 2708 2680 Lpbefoai.exe Lhmjkaoc.exe
PID 2708 wrote to memory of 1808 2708 Lhmjkaoc.exe Lajhofao.exe
PID 2708 wrote to memory of 1808 2708 Lhmjkaoc.exe Lajhofao.exe
PID 2708 wrote to memory of 1808 2708 Lhmjkaoc.exe Lajhofao.exe
PID 2708 wrote to memory of 1808 2708 Lhmjkaoc.exe Lajhofao.exe
PID 1808 wrote to memory of 1096 1808 Lajhofao.exe Mgimmm32.exe
PID 1808 wrote to memory of 1096 1808 Lajhofao.exe Mgimmm32.exe
PID 1808 wrote to memory of 1096 1808 Lajhofao.exe Mgimmm32.exe
PID 1808 wrote to memory of 1096 1808 Lajhofao.exe Mgimmm32.exe
PID 1096 wrote to memory of 804 1096 Mgimmm32.exe Mlibjc32.exe
PID 1096 wrote to memory of 804 1096 Mgimmm32.exe Mlibjc32.exe
PID 1096 wrote to memory of 804 1096 Mgimmm32.exe Mlibjc32.exe
PID 1096 wrote to memory of 804 1096 Mgimmm32.exe Mlibjc32.exe
PID 804 wrote to memory of 1092 804 Mlibjc32.exe Moiklogi.exe
PID 804 wrote to memory of 1092 804 Mlibjc32.exe Moiklogi.exe
PID 804 wrote to memory of 1092 804 Mlibjc32.exe Moiklogi.exe
PID 804 wrote to memory of 1092 804 Mlibjc32.exe Moiklogi.exe
PID 1092 wrote to memory of 2344 1092 Moiklogi.exe Nefpnhlc.exe
PID 1092 wrote to memory of 2344 1092 Moiklogi.exe Nefpnhlc.exe
PID 1092 wrote to memory of 2344 1092 Moiklogi.exe Nefpnhlc.exe
PID 1092 wrote to memory of 2344 1092 Moiklogi.exe Nefpnhlc.exe
PID 2344 wrote to memory of 1612 2344 Nefpnhlc.exe Nhfipcid.exe
PID 2344 wrote to memory of 1612 2344 Nefpnhlc.exe Nhfipcid.exe
PID 2344 wrote to memory of 1612 2344 Nefpnhlc.exe Nhfipcid.exe
PID 2344 wrote to memory of 1612 2344 Nefpnhlc.exe Nhfipcid.exe
PID 1612 wrote to memory of 2104 1612 Nhfipcid.exe Nhkbkc32.exe
PID 1612 wrote to memory of 2104 1612 Nhfipcid.exe Nhkbkc32.exe
PID 1612 wrote to memory of 2104 1612 Nhfipcid.exe Nhkbkc32.exe
PID 1612 wrote to memory of 2104 1612 Nhfipcid.exe Nhkbkc32.exe
PID 2104 wrote to memory of 2828 2104 Nhkbkc32.exe Ndbcpd32.exe
PID 2104 wrote to memory of 2828 2104 Nhkbkc32.exe Ndbcpd32.exe
PID 2104 wrote to memory of 2828 2104 Nhkbkc32.exe Ndbcpd32.exe
PID 2104 wrote to memory of 2828 2104 Nhkbkc32.exe Ndbcpd32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\dab29f121ae4729d1808cc0a51036f60_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\dab29f121ae4729d1808cc0a51036f60_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Jfcnngnd.exeC:\Windows\system32\Jfcnngnd.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Jkbcln32.exeC:\Windows\system32\Jkbcln32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Windows\SysWOW64\Kaaijdgn.exeC:\Windows\system32\Kaaijdgn.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Kkijmm32.exeC:\Windows\system32\Kkijmm32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Kpkofpgq.exeC:\Windows\system32\Kpkofpgq.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Kfgdhjmk.exeC:\Windows\system32\Kfgdhjmk.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Lpbefoai.exeC:\Windows\system32\Lpbefoai.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Lhmjkaoc.exeC:\Windows\system32\Lhmjkaoc.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Lajhofao.exeC:\Windows\system32\Lajhofao.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1808 -
C:\Windows\SysWOW64\Mgimmm32.exeC:\Windows\system32\Mgimmm32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Windows\SysWOW64\Mlibjc32.exeC:\Windows\system32\Mlibjc32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:804 -
C:\Windows\SysWOW64\Moiklogi.exeC:\Windows\system32\Moiklogi.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1092 -
C:\Windows\SysWOW64\Nefpnhlc.exeC:\Windows\system32\Nefpnhlc.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Nhfipcid.exeC:\Windows\system32\Nhfipcid.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Windows\SysWOW64\Nhkbkc32.exeC:\Windows\system32\Nhkbkc32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Ndbcpd32.exeC:\Windows\system32\Ndbcpd32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2828 -
C:\Windows\SysWOW64\Ogeigofa.exeC:\Windows\system32\Ogeigofa.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1904 -
C:\Windows\SysWOW64\Ombapedi.exeC:\Windows\system32\Ombapedi.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1780 -
C:\Windows\SysWOW64\Omdneebf.exeC:\Windows\system32\Omdneebf.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2868 -
C:\Windows\SysWOW64\Ocnfbo32.exeC:\Windows\system32\Ocnfbo32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1540 -
C:\Windows\SysWOW64\Pfoocjfd.exeC:\Windows\system32\Pfoocjfd.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1956 -
C:\Windows\SysWOW64\Pklhlael.exeC:\Windows\system32\Pklhlael.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:912 -
C:\Windows\SysWOW64\Pkndaa32.exeC:\Windows\system32\Pkndaa32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2188 -
C:\Windows\SysWOW64\Pjadmnic.exeC:\Windows\system32\Pjadmnic.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1388 -
C:\Windows\SysWOW64\Pnomcl32.exeC:\Windows\system32\Pnomcl32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1736 -
C:\Windows\SysWOW64\Pggbla32.exeC:\Windows\system32\Pggbla32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2832 -
C:\Windows\SysWOW64\Pikkiijf.exeC:\Windows\system32\Pikkiijf.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2836 -
C:\Windows\SysWOW64\Qabcjgkh.exeC:\Windows\system32\Qabcjgkh.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3056 -
C:\Windows\SysWOW64\Qbelgood.exeC:\Windows\system32\Qbelgood.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2620 -
C:\Windows\SysWOW64\Alnqqd32.exeC:\Windows\system32\Alnqqd32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1876 -
C:\Windows\SysWOW64\Aefeijle.exeC:\Windows\system32\Aefeijle.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2512 -
C:\Windows\SysWOW64\Alpmfdcb.exeC:\Windows\system32\Alpmfdcb.exe33⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Anafhopc.exeC:\Windows\system32\Anafhopc.exe34⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Aekodi32.exeC:\Windows\system32\Aekodi32.exe35⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Afohaa32.exeC:\Windows\system32\Afohaa32.exe36⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Aoepcn32.exeC:\Windows\system32\Aoepcn32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Bfadgq32.exeC:\Windows\system32\Bfadgq32.exe38⤵
- Executes dropped EXE
PID:800 -
C:\Windows\SysWOW64\Bdeeqehb.exeC:\Windows\system32\Bdeeqehb.exe39⤵
- Executes dropped EXE
PID:772 -
C:\Windows\SysWOW64\Bbjbaa32.exeC:\Windows\system32\Bbjbaa32.exe40⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Bidjnkdg.exeC:\Windows\system32\Bidjnkdg.exe41⤵
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Blbfjg32.exeC:\Windows\system32\Blbfjg32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Bhigphio.exeC:\Windows\system32\Bhigphio.exe43⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Baakhm32.exeC:\Windows\system32\Baakhm32.exe44⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Bhkdeggl.exeC:\Windows\system32\Bhkdeggl.exe45⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Ckjpacfp.exeC:\Windows\system32\Ckjpacfp.exe46⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Ceodnl32.exeC:\Windows\system32\Ceodnl32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:832 -
C:\Windows\SysWOW64\Chnqkg32.exeC:\Windows\system32\Chnqkg32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1288 -
C:\Windows\SysWOW64\Ceaadk32.exeC:\Windows\system32\Ceaadk32.exe49⤵
- Executes dropped EXE
PID:932 -
C:\Windows\SysWOW64\Cddaphkn.exeC:\Windows\system32\Cddaphkn.exe50⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Ckoilb32.exeC:\Windows\system32\Ckoilb32.exe51⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Cnmehnan.exeC:\Windows\system32\Cnmehnan.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2356 -
C:\Windows\SysWOW64\Chbjffad.exeC:\Windows\system32\Chbjffad.exe53⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Cdikkg32.exeC:\Windows\system32\Cdikkg32.exe54⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Ckccgane.exeC:\Windows\system32\Ckccgane.exe55⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Cdlgpgef.exeC:\Windows\system32\Cdlgpgef.exe56⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Dgjclbdi.exeC:\Windows\system32\Dgjclbdi.exe57⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Dlgldibq.exeC:\Windows\system32\Dlgldibq.exe58⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Dcadac32.exeC:\Windows\system32\Dcadac32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2768 -
C:\Windows\SysWOW64\Dfoqmo32.exeC:\Windows\system32\Dfoqmo32.exe60⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Dpeekh32.exeC:\Windows\system32\Dpeekh32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Dccagcgk.exeC:\Windows\system32\Dccagcgk.exe62⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Dhpiojfb.exeC:\Windows\system32\Dhpiojfb.exe63⤵
- Executes dropped EXE
PID:760 -
C:\Windows\SysWOW64\Dfdjhndl.exeC:\Windows\system32\Dfdjhndl.exe64⤵
- Executes dropped EXE
PID:544 -
C:\Windows\SysWOW64\Dhbfdjdp.exeC:\Windows\system32\Dhbfdjdp.exe65⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Dkqbaecc.exeC:\Windows\system32\Dkqbaecc.exe66⤵PID:1996
-
C:\Windows\SysWOW64\Dnoomqbg.exeC:\Windows\system32\Dnoomqbg.exe67⤵
- Drops file in System32 directory
PID:1720 -
C:\Windows\SysWOW64\Dkcofe32.exeC:\Windows\system32\Dkcofe32.exe68⤵PID:828
-
C:\Windows\SysWOW64\Eqpgol32.exeC:\Windows\system32\Eqpgol32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1040 -
C:\Windows\SysWOW64\Egjpkffe.exeC:\Windows\system32\Egjpkffe.exe70⤵PID:1912
-
C:\Windows\SysWOW64\Ecqqpgli.exeC:\Windows\system32\Ecqqpgli.exe71⤵PID:2260
-
C:\Windows\SysWOW64\Ekhhadmk.exeC:\Windows\system32\Ekhhadmk.exe72⤵PID:1536
-
C:\Windows\SysWOW64\Eqdajkkb.exeC:\Windows\system32\Eqdajkkb.exe73⤵PID:988
-
C:\Windows\SysWOW64\Edpmjj32.exeC:\Windows\system32\Edpmjj32.exe74⤵PID:1556
-
C:\Windows\SysWOW64\Efaibbij.exeC:\Windows\system32\Efaibbij.exe75⤵PID:3008
-
C:\Windows\SysWOW64\Emkaol32.exeC:\Windows\system32\Emkaol32.exe76⤵PID:2536
-
C:\Windows\SysWOW64\Efcfga32.exeC:\Windows\system32\Efcfga32.exe77⤵PID:2216
-
C:\Windows\SysWOW64\Eibbcm32.exeC:\Windows\system32\Eibbcm32.exe78⤵PID:2716
-
C:\Windows\SysWOW64\Eplkpgnh.exeC:\Windows\system32\Eplkpgnh.exe79⤵PID:2464
-
C:\Windows\SysWOW64\Fjaonpnn.exeC:\Windows\system32\Fjaonpnn.exe80⤵PID:2876
-
C:\Windows\SysWOW64\Fpngfgle.exeC:\Windows\system32\Fpngfgle.exe81⤵PID:1636
-
C:\Windows\SysWOW64\Fbmcbbki.exeC:\Windows\system32\Fbmcbbki.exe82⤵PID:580
-
C:\Windows\SysWOW64\Fbopgb32.exeC:\Windows\system32\Fbopgb32.exe83⤵PID:1688
-
C:\Windows\SysWOW64\Fiihdlpc.exeC:\Windows\system32\Fiihdlpc.exe84⤵PID:1668
-
C:\Windows\SysWOW64\Flgeqgog.exeC:\Windows\system32\Flgeqgog.exe85⤵PID:2292
-
C:\Windows\SysWOW64\Fnfamcoj.exeC:\Windows\system32\Fnfamcoj.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1604 -
C:\Windows\SysWOW64\Fikejl32.exeC:\Windows\system32\Fikejl32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1944 -
C:\Windows\SysWOW64\Fljafg32.exeC:\Windows\system32\Fljafg32.exe88⤵PID:1144
-
C:\Windows\SysWOW64\Fnhnbb32.exeC:\Windows\system32\Fnhnbb32.exe89⤵PID:2792
-
C:\Windows\SysWOW64\Fagjnn32.exeC:\Windows\system32\Fagjnn32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2360 -
C:\Windows\SysWOW64\Fnkjhb32.exeC:\Windows\system32\Fnkjhb32.exe91⤵PID:1880
-
C:\Windows\SysWOW64\Faigdn32.exeC:\Windows\system32\Faigdn32.exe92⤵PID:3052
-
C:\Windows\SysWOW64\Ghcoqh32.exeC:\Windows\system32\Ghcoqh32.exe93⤵PID:2528
-
C:\Windows\SysWOW64\Gnmgmbhb.exeC:\Windows\system32\Gnmgmbhb.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2460 -
C:\Windows\SysWOW64\Gpncej32.exeC:\Windows\system32\Gpncej32.exe95⤵PID:1980
-
C:\Windows\SysWOW64\Ghelfg32.exeC:\Windows\system32\Ghelfg32.exe96⤵PID:2744
-
C:\Windows\SysWOW64\Ganpomec.exeC:\Windows\system32\Ganpomec.exe97⤵PID:700
-
C:\Windows\SysWOW64\Gpqpjj32.exeC:\Windows\system32\Gpqpjj32.exe98⤵
- Drops file in System32 directory
PID:892 -
C:\Windows\SysWOW64\Gbomfe32.exeC:\Windows\system32\Gbomfe32.exe99⤵PID:660
-
C:\Windows\SysWOW64\Gjfdhbld.exeC:\Windows\system32\Gjfdhbld.exe100⤵PID:2236
-
C:\Windows\SysWOW64\Gpcmpijk.exeC:\Windows\system32\Gpcmpijk.exe101⤵PID:1972
-
C:\Windows\SysWOW64\Gbaileio.exeC:\Windows\system32\Gbaileio.exe102⤵
- Modifies registry class
PID:1600 -
C:\Windows\SysWOW64\Gpejeihi.exeC:\Windows\system32\Gpejeihi.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1684 -
C:\Windows\SysWOW64\Gfobbc32.exeC:\Windows\system32\Gfobbc32.exe104⤵
- Drops file in System32 directory
PID:1948 -
C:\Windows\SysWOW64\Hbfbgd32.exeC:\Windows\system32\Hbfbgd32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2324 -
C:\Windows\SysWOW64\Hedocp32.exeC:\Windows\system32\Hedocp32.exe106⤵PID:2316
-
C:\Windows\SysWOW64\Hhckpk32.exeC:\Windows\system32\Hhckpk32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2520 -
C:\Windows\SysWOW64\Heglio32.exeC:\Windows\system32\Heglio32.exe108⤵PID:2584
-
C:\Windows\SysWOW64\Hlqdei32.exeC:\Windows\system32\Hlqdei32.exe109⤵PID:2320
-
C:\Windows\SysWOW64\Heihnoph.exeC:\Windows\system32\Heihnoph.exe110⤵
- Drops file in System32 directory
- Modifies registry class
PID:1028 -
C:\Windows\SysWOW64\Hoamgd32.exeC:\Windows\system32\Hoamgd32.exe111⤵PID:1532
-
C:\Windows\SysWOW64\Hpbiommg.exeC:\Windows\system32\Hpbiommg.exe112⤵PID:1872
-
C:\Windows\SysWOW64\Hkhnle32.exeC:\Windows\system32\Hkhnle32.exe113⤵PID:296
-
C:\Windows\SysWOW64\Hiknhbcg.exeC:\Windows\system32\Hiknhbcg.exe114⤵PID:2452
-
C:\Windows\SysWOW64\Hdqbekcm.exeC:\Windows\system32\Hdqbekcm.exe115⤵PID:1136
-
C:\Windows\SysWOW64\Iimjmbae.exeC:\Windows\system32\Iimjmbae.exe116⤵PID:2132
-
C:\Windows\SysWOW64\Ipgbjl32.exeC:\Windows\system32\Ipgbjl32.exe117⤵PID:308
-
C:\Windows\SysWOW64\Icfofg32.exeC:\Windows\system32\Icfofg32.exe118⤵PID:836
-
C:\Windows\SysWOW64\Iipgcaob.exeC:\Windows\system32\Iipgcaob.exe119⤵PID:2800
-
C:\Windows\SysWOW64\Ipjoplgo.exeC:\Windows\system32\Ipjoplgo.exe120⤵PID:1176
-
C:\Windows\SysWOW64\Ijbdha32.exeC:\Windows\system32\Ijbdha32.exe121⤵PID:2484
-
C:\Windows\SysWOW64\Ioolqh32.exeC:\Windows\system32\Ioolqh32.exe122⤵PID:2752
-
C:\Windows\SysWOW64\Ihgainbg.exeC:\Windows\system32\Ihgainbg.exe123⤵PID:1960
-
C:\Windows\SysWOW64\Idnaoohk.exeC:\Windows\system32\Idnaoohk.exe124⤵PID:2376
-
C:\Windows\SysWOW64\Ikhjki32.exeC:\Windows\system32\Ikhjki32.exe125⤵PID:3036
-
C:\Windows\SysWOW64\Jfnnha32.exeC:\Windows\system32\Jfnnha32.exe126⤵PID:1272
-
C:\Windows\SysWOW64\Jkjfah32.exeC:\Windows\system32\Jkjfah32.exe127⤵PID:1496
-
C:\Windows\SysWOW64\Jhngjmlo.exeC:\Windows\system32\Jhngjmlo.exe128⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2112 -
C:\Windows\SysWOW64\Jjpcbe32.exeC:\Windows\system32\Jjpcbe32.exe129⤵PID:2616
-
C:\Windows\SysWOW64\Jdehon32.exeC:\Windows\system32\Jdehon32.exe130⤵PID:2636
-
C:\Windows\SysWOW64\Jjbpgd32.exeC:\Windows\system32\Jjbpgd32.exe131⤵PID:2628
-
C:\Windows\SysWOW64\Jcjdpj32.exeC:\Windows\system32\Jcjdpj32.exe132⤵
- Drops file in System32 directory
PID:2728 -
C:\Windows\SysWOW64\Joaeeklp.exeC:\Windows\system32\Joaeeklp.exe133⤵PID:1596
-
C:\Windows\SysWOW64\Jghmfhmb.exeC:\Windows\system32\Jghmfhmb.exe134⤵PID:1712
-
C:\Windows\SysWOW64\Kjfjbdle.exeC:\Windows\system32\Kjfjbdle.exe135⤵PID:2220
-
C:\Windows\SysWOW64\Kconkibf.exeC:\Windows\system32\Kconkibf.exe136⤵PID:2400
-
C:\Windows\SysWOW64\Kfmjgeaj.exeC:\Windows\system32\Kfmjgeaj.exe137⤵PID:1752
-
C:\Windows\SysWOW64\Kmgbdo32.exeC:\Windows\system32\Kmgbdo32.exe138⤵PID:1376
-
C:\Windows\SysWOW64\Kcakaipc.exeC:\Windows\system32\Kcakaipc.exe139⤵PID:412
-
C:\Windows\SysWOW64\Kincipnk.exeC:\Windows\system32\Kincipnk.exe140⤵PID:916
-
C:\Windows\SysWOW64\Kklpekno.exeC:\Windows\system32\Kklpekno.exe141⤵PID:612
-
C:\Windows\SysWOW64\Keednado.exeC:\Windows\system32\Keednado.exe142⤵PID:2504
-
C:\Windows\SysWOW64\Knmhgf32.exeC:\Windows\system32\Knmhgf32.exe143⤵
- Modifies registry class
PID:2568 -
C:\Windows\SysWOW64\Kaldcb32.exeC:\Windows\system32\Kaldcb32.exe144⤵PID:2488
-
C:\Windows\SysWOW64\Kjdilgpc.exeC:\Windows\system32\Kjdilgpc.exe145⤵PID:2476
-
C:\Windows\SysWOW64\Lclnemgd.exeC:\Windows\system32\Lclnemgd.exe146⤵PID:2456
-
C:\Windows\SysWOW64\Ljffag32.exeC:\Windows\system32\Ljffag32.exe147⤵PID:320
-
C:\Windows\SysWOW64\Lfmffhde.exeC:\Windows\system32\Lfmffhde.exe148⤵PID:2944
-
C:\Windows\SysWOW64\Lgmcqkkh.exeC:\Windows\system32\Lgmcqkkh.exe149⤵PID:2300
-
C:\Windows\SysWOW64\Laegiq32.exeC:\Windows\system32\Laegiq32.exe150⤵PID:2312
-
C:\Windows\SysWOW64\Liplnc32.exeC:\Windows\system32\Liplnc32.exe151⤵PID:1740
-
C:\Windows\SysWOW64\Lcfqkl32.exeC:\Windows\system32\Lcfqkl32.exe152⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2212 -
C:\Windows\SysWOW64\Lfdmggnm.exeC:\Windows\system32\Lfdmggnm.exe153⤵PID:1940
-
C:\Windows\SysWOW64\Mmneda32.exeC:\Windows\system32\Mmneda32.exe154⤵PID:2548
-
C:\Windows\SysWOW64\Mbkmlh32.exeC:\Windows\system32\Mbkmlh32.exe155⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2604 -
C:\Windows\SysWOW64\Mieeibkn.exeC:\Windows\system32\Mieeibkn.exe156⤵PID:2736
-
C:\Windows\SysWOW64\Mhjbjopf.exeC:\Windows\system32\Mhjbjopf.exe157⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:876 -
C:\Windows\SysWOW64\Modkfi32.exeC:\Windows\system32\Modkfi32.exe158⤵PID:556
-
C:\Windows\SysWOW64\Mabgcd32.exeC:\Windows\system32\Mabgcd32.exe159⤵PID:1900
-
C:\Windows\SysWOW64\Mencccop.exeC:\Windows\system32\Mencccop.exe160⤵PID:1708
-
C:\Windows\SysWOW64\Mofglh32.exeC:\Windows\system32\Mofglh32.exe161⤵PID:2192
-
C:\Windows\SysWOW64\Mgalqkbk.exeC:\Windows\system32\Mgalqkbk.exe162⤵
- Modifies registry class
PID:2420 -
C:\Windows\SysWOW64\Magqncba.exeC:\Windows\system32\Magqncba.exe163⤵PID:952
-
C:\Windows\SysWOW64\Nhaikn32.exeC:\Windows\system32\Nhaikn32.exe164⤵PID:312
-
C:\Windows\SysWOW64\Nkpegi32.exeC:\Windows\system32\Nkpegi32.exe165⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:864 -
C:\Windows\SysWOW64\Ndhipoob.exeC:\Windows\system32\Ndhipoob.exe166⤵PID:2444
-
C:\Windows\SysWOW64\Ndjfeo32.exeC:\Windows\system32\Ndjfeo32.exe167⤵PID:2884
-
C:\Windows\SysWOW64\Nigome32.exeC:\Windows\system32\Nigome32.exe168⤵PID:904
-
C:\Windows\SysWOW64\Nlekia32.exeC:\Windows\system32\Nlekia32.exe169⤵PID:2184
-
C:\Windows\SysWOW64\Ncpcfkbg.exeC:\Windows\system32\Ncpcfkbg.exe170⤵PID:2748
-
C:\Windows\SysWOW64\Niikceid.exeC:\Windows\system32\Niikceid.exe171⤵PID:628
-
C:\Windows\SysWOW64\Neplhf32.exeC:\Windows\system32\Neplhf32.exe172⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2472 -
C:\Windows\SysWOW64\Nkmdpm32.exeC:\Windows\system32\Nkmdpm32.exe173⤵PID:1672
-
C:\Windows\SysWOW64\Odeiibdq.exeC:\Windows\system32\Odeiibdq.exe174⤵PID:1368
-
C:\Windows\SysWOW64\Ollajp32.exeC:\Windows\system32\Ollajp32.exe175⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2788 -
C:\Windows\SysWOW64\Ohcaoajg.exeC:\Windows\system32\Ohcaoajg.exe176⤵PID:2016
-
C:\Windows\SysWOW64\Onpjghhn.exeC:\Windows\system32\Onpjghhn.exe177⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2000 -
C:\Windows\SysWOW64\Oghopm32.exeC:\Windows\system32\Oghopm32.exe178⤵PID:2924
-
C:\Windows\SysWOW64\Onbgmg32.exeC:\Windows\system32\Onbgmg32.exe179⤵PID:1916
-
C:\Windows\SysWOW64\Ohhkjp32.exeC:\Windows\system32\Ohhkjp32.exe180⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1696 -
C:\Windows\SysWOW64\Ogkkfmml.exeC:\Windows\system32\Ogkkfmml.exe181⤵PID:2720
-
C:\Windows\SysWOW64\Oqcpob32.exeC:\Windows\system32\Oqcpob32.exe182⤵PID:2124
-
C:\Windows\SysWOW64\Ocalkn32.exeC:\Windows\system32\Ocalkn32.exe183⤵
- Modifies registry class
PID:2380 -
C:\Windows\SysWOW64\Pmjqcc32.exeC:\Windows\system32\Pmjqcc32.exe184⤵PID:2712
-
C:\Windows\SysWOW64\Pgpeal32.exeC:\Windows\system32\Pgpeal32.exe185⤵PID:2724
-
C:\Windows\SysWOW64\Pmlmic32.exeC:\Windows\system32\Pmlmic32.exe186⤵PID:2808
-
C:\Windows\SysWOW64\Pokieo32.exeC:\Windows\system32\Pokieo32.exe187⤵PID:2364
-
C:\Windows\SysWOW64\Pjpnbg32.exeC:\Windows\system32\Pjpnbg32.exe188⤵PID:2296
-
C:\Windows\SysWOW64\Pqjfoa32.exeC:\Windows\system32\Pqjfoa32.exe189⤵PID:2664
-
C:\Windows\SysWOW64\Pfgngh32.exeC:\Windows\system32\Pfgngh32.exe190⤵PID:1632
-
C:\Windows\SysWOW64\Pkdgpo32.exeC:\Windows\system32\Pkdgpo32.exe191⤵PID:2072
-
C:\Windows\SysWOW64\Pbnoliap.exeC:\Windows\system32\Pbnoliap.exe192⤵PID:1220
-
C:\Windows\SysWOW64\Pdlkiepd.exeC:\Windows\system32\Pdlkiepd.exe193⤵PID:2804
-
C:\Windows\SysWOW64\Poapfn32.exeC:\Windows\system32\Poapfn32.exe194⤵PID:2872
-
C:\Windows\SysWOW64\Pndpajgd.exeC:\Windows\system32\Pndpajgd.exe195⤵PID:2308
-
C:\Windows\SysWOW64\Qijdocfj.exeC:\Windows\system32\Qijdocfj.exe196⤵PID:452
-
C:\Windows\SysWOW64\Qodlkm32.exeC:\Windows\system32\Qodlkm32.exe197⤵PID:3088
-
C:\Windows\SysWOW64\Qiladcdh.exeC:\Windows\system32\Qiladcdh.exe198⤵PID:3128
-
C:\Windows\SysWOW64\Qjnmlk32.exeC:\Windows\system32\Qjnmlk32.exe199⤵PID:3168
-
C:\Windows\SysWOW64\Acfaeq32.exeC:\Windows\system32\Acfaeq32.exe200⤵PID:3208
-
C:\Windows\SysWOW64\Akmjfn32.exeC:\Windows\system32\Akmjfn32.exe201⤵PID:3248
-
C:\Windows\SysWOW64\Aeenochi.exeC:\Windows\system32\Aeenochi.exe202⤵PID:3288
-
C:\Windows\SysWOW64\Afgkfl32.exeC:\Windows\system32\Afgkfl32.exe203⤵PID:3332
-
C:\Windows\SysWOW64\Annbhi32.exeC:\Windows\system32\Annbhi32.exe204⤵PID:3372
-
C:\Windows\SysWOW64\Ajecmj32.exeC:\Windows\system32\Ajecmj32.exe205⤵PID:3412
-
C:\Windows\SysWOW64\Aaolidlk.exeC:\Windows\system32\Aaolidlk.exe206⤵PID:3452
-
C:\Windows\SysWOW64\Acmhepko.exeC:\Windows\system32\Acmhepko.exe207⤵PID:3492
-
C:\Windows\SysWOW64\Amelne32.exeC:\Windows\system32\Amelne32.exe208⤵PID:3532
-
C:\Windows\SysWOW64\Apdhjq32.exeC:\Windows\system32\Apdhjq32.exe209⤵PID:3572
-
C:\Windows\SysWOW64\Bmhideol.exeC:\Windows\system32\Bmhideol.exe210⤵PID:3612
-
C:\Windows\SysWOW64\Bbdallnd.exeC:\Windows\system32\Bbdallnd.exe211⤵PID:3652
-
C:\Windows\SysWOW64\Blmfea32.exeC:\Windows\system32\Blmfea32.exe212⤵PID:3692
-
C:\Windows\SysWOW64\Bajomhbl.exeC:\Windows\system32\Bajomhbl.exe213⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3732 -
C:\Windows\SysWOW64\Blobjaba.exeC:\Windows\system32\Blobjaba.exe214⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3772 -
C:\Windows\SysWOW64\Bjbcfn32.exeC:\Windows\system32\Bjbcfn32.exe215⤵PID:3812
-
C:\Windows\SysWOW64\Bdkgocpm.exeC:\Windows\system32\Bdkgocpm.exe216⤵PID:3852
-
C:\Windows\SysWOW64\Bjdplm32.exeC:\Windows\system32\Bjdplm32.exe217⤵PID:3892
-
C:\Windows\SysWOW64\Bdmddc32.exeC:\Windows\system32\Bdmddc32.exe218⤵PID:3932
-
C:\Windows\SysWOW64\Bhhpeafc.exeC:\Windows\system32\Bhhpeafc.exe219⤵PID:3972
-
C:\Windows\SysWOW64\Baadng32.exeC:\Windows\system32\Baadng32.exe220⤵
- Drops file in System32 directory
PID:4012 -
C:\Windows\SysWOW64\Cdoajb32.exeC:\Windows\system32\Cdoajb32.exe221⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4052 -
C:\Windows\SysWOW64\Cilibi32.exeC:\Windows\system32\Cilibi32.exe222⤵
- Drops file in System32 directory
PID:4092 -
C:\Windows\SysWOW64\Cpfaocal.exeC:\Windows\system32\Cpfaocal.exe223⤵PID:1012
-
C:\Windows\SysWOW64\Cklfll32.exeC:\Windows\system32\Cklfll32.exe224⤵PID:3152
-
C:\Windows\SysWOW64\Cmjbhh32.exeC:\Windows\system32\Cmjbhh32.exe225⤵PID:3200
-
C:\Windows\SysWOW64\Cgbfamff.exeC:\Windows\system32\Cgbfamff.exe226⤵PID:3264
-
C:\Windows\SysWOW64\Clooiddm.exeC:\Windows\system32\Clooiddm.exe227⤵PID:3308
-
C:\Windows\SysWOW64\Ccigfn32.exeC:\Windows\system32\Ccigfn32.exe228⤵PID:3360
-
C:\Windows\SysWOW64\Cicpch32.exeC:\Windows\system32\Cicpch32.exe229⤵PID:3420
-
C:\Windows\SysWOW64\Cckdlnjg.exeC:\Windows\system32\Cckdlnjg.exe230⤵PID:3424
-
C:\Windows\SysWOW64\Cejphiik.exeC:\Windows\system32\Cejphiik.exe231⤵PID:3508
-
C:\Windows\SysWOW64\Dobdqo32.exeC:\Windows\system32\Dobdqo32.exe232⤵PID:3568
-
C:\Windows\SysWOW64\Dcnqanhd.exeC:\Windows\system32\Dcnqanhd.exe233⤵PID:3604
-
C:\Windows\SysWOW64\Dlfejcoe.exeC:\Windows\system32\Dlfejcoe.exe234⤵PID:3648
-
C:\Windows\SysWOW64\Dngabk32.exeC:\Windows\system32\Dngabk32.exe235⤵PID:3704
-
C:\Windows\SysWOW64\Dgpfkakd.exeC:\Windows\system32\Dgpfkakd.exe236⤵PID:3756
-
C:\Windows\SysWOW64\Dkkbkp32.exeC:\Windows\system32\Dkkbkp32.exe237⤵PID:3804
-
C:\Windows\SysWOW64\Dddfdejn.exeC:\Windows\system32\Dddfdejn.exe238⤵PID:3848
-
C:\Windows\SysWOW64\Dhobddbf.exeC:\Windows\system32\Dhobddbf.exe239⤵PID:3912
-
C:\Windows\SysWOW64\Djqoll32.exeC:\Windows\system32\Djqoll32.exe240⤵PID:3300
-
C:\Windows\SysWOW64\Dahgni32.exeC:\Windows\system32\Dahgni32.exe241⤵PID:3996
-
C:\Windows\SysWOW64\Djclbl32.exeC:\Windows\system32\Djclbl32.exe242⤵PID:4048