Analysis
max time kernel: 150s
max time network: 127s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 30-05-2024 14:14
Behavioral task: behavioral1
Sample: 048f294b52f09d67f330488ddedc7de0_NeikiAnalytics.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 048f294b52f09d67f330488ddedc7de0_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: 048f294b52f09d67f330488ddedc7de0_NeikiAnalytics.exe
Size: 548KB
MD5: 048f294b52f09d67f330488ddedc7de0
SHA1: d4171065b666d919728e0829d4b4010e30b216be
SHA256: e6fd3f028bedd3e57e45634424382b3109bb25c5de4102bfe5643d84e91d5c9b
SHA512: ed9d61e1d11e86c435e3bfa0330f384a15891810fc8d66ca31a7b3cb7d62fc45d9d8032e38556276840a616e6de9182120bcfc1b15a8483411fa0d8b02aa0239
SSDEEP: 12288:BxImcEv46IveDVqvQ6IvBaSHaMaZRBEYyqmaf2qwiHPKgRC4gvGZ+C8lM1:vsDq5htaSHFaZRBEYyqmaf2qwiHPKgRP
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Processes: Cfmhdpnc.exe, Lgfjggll.exe, Okkfmmqj.exe, Celbik32.exe, Npdfhhhe.exe, Hbidne32.exe, Obecld32.exe, Ghgjflof.exe, Mnffnd32.exe, Ajlabc32.exe, Ejkkfjkj.exe, Agilkijf.exe, Kfpifm32.exe, Fapeic32.exe, Mbjfcnkg.exe, Bckjhl32.exe, Nmabjfek.exe, Djjeedhp.exe, Enngdgim.exe, Pcgkcccn.exe, Ajmhljip.exe, Mmakmp32.exe, Igqhpj32.exe, Olkjaflh.exe, Eoomai32.exe, Lchclmla.exe, Kpicle32.exe, Nlpkdkkd.exe, Nibqqh32.exe, Cjljnn32.exe, Kjpceebh.exe, Mokdja32.exe, Ododdlcd.exe, Jcgapdeb.exe, Ohojmjep.exe, Dmgmpnhl.exe, Phcleoho.exe, Afgnkilf.exe, Nidmhd32.exe, Lfhfab32.exe, Gjpddigo.exe, Cikbjpqd.exe, Cmikpngk.exe, Mgnkfjho.exe, Okolfkjg.exe, Fpmpnmck.exe, Nlnpgd32.exe, Ldokfakl.exe, Kfdfdf32.exe, Ogbgbn32.exe, Cldnqe32.exe, Anfggicl.exe, Mbgela32.exe, Bnofaf32.exe, Gpoibp32.exe, Fdekigip.exe, Pkjphcff.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cfmhdpnc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lgfjggll.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Okkfmmqj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Celbik32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Npdfhhhe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hbidne32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Obecld32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ghgjflof.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mnffnd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ajlabc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ejkkfjkj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Agilkijf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kfpifm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fapeic32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mbjfcnkg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bckjhl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nmabjfek.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Djjeedhp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Enngdgim.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pcgkcccn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ajmhljip.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mmakmp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Igqhpj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Olkjaflh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eoomai32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lchclmla.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kpicle32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nlpkdkkd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nibqqh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cjljnn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kjpceebh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mokdja32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ododdlcd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jcgapdeb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ohojmjep.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dmgmpnhl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Phcleoho.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Afgnkilf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nidmhd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lfhfab32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gjpddigo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cikbjpqd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cmikpngk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mgnkfjho.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Okolfkjg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fpmpnmck.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nlnpgd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ldokfakl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kfdfdf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ogbgbn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cldnqe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Anfggicl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mbgela32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jcgapdeb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bnofaf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gpoibp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fdekigip.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pkjphcff.exe
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource | yara_rule
\Windows\SysWOW64\Qqeicede.exe | family_berbew
\Windows\SysWOW64\Ajbggjfq.exe | family_berbew
\Windows\SysWOW64\Afiglkle.exe | family_berbew
C:\Windows\SysWOW64\Bfpnmj32.exe | family_berbew
\Windows\SysWOW64\Bjbcfn32.exe | family_berbew
\Windows\SysWOW64\Clmbddgp.exe | family_berbew
C:\Windows\SysWOW64\Cpkkjc32.exe | family_berbew
\Windows\SysWOW64\Dhmfod32.exe | family_berbew
\Windows\SysWOW64\Dpmdofno.exe | family_berbew
\Windows\SysWOW64\Ecpjfq32.exe | family_berbew
\Windows\SysWOW64\Fkbdkb32.exe | family_berbew
\Windows\SysWOW64\Fcbbjcif.exe | family_berbew
\Windows\SysWOW64\Gnpmfqap.exe | family_berbew
C:\Windows\SysWOW64\Geoonjeg.exe | family_berbew
C:\Windows\SysWOW64\Hpmiig32.exe | family_berbew
\Windows\SysWOW64\Iaelanmg.exe | family_berbew
C:\Windows\SysWOW64\Ioliqbjn.exe | family_berbew
C:\Windows\SysWOW64\Jliohkak.exe | family_berbew
C:\Windows\SysWOW64\Jjmpbopd.exe | family_berbew
C:\Windows\SysWOW64\Jcgapdeb.exe | family_berbew
C:\Windows\SysWOW64\Jkbfdfbm.exe | family_berbew
C:\Windows\SysWOW64\Kglcogeo.exe | family_berbew
C:\Windows\SysWOW64\Knhhaaki.exe | family_berbew
C:\Windows\SysWOW64\Kmobhmnn.exe | family_berbew
behavioral1/memory/2988-302-0x0000000000220000-0x0000000000253000-memory.dmp | family_berbew
behavioral1/memory/1468-310-0x0000000000260000-0x0000000000293000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Lfhfab32.exe | family_berbew
C:\Windows\SysWOW64\Leopgo32.exe | family_berbew
C:\Windows\SysWOW64\Lnhdqdnd.exe | family_berbew
behavioral1/memory/1728-329-0x0000000000220000-0x0000000000253000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Mcifdj32.exe | family_berbew
behavioral1/memory/2780-346-0x0000000000220000-0x0000000000253000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Mmakmp32.exe | family_berbew
behavioral1/memory/2492-357-0x00000000002A0000-0x00000000002D3000-memory.dmp | family_berbew
behavioral1/memory/2492-356-0x00000000002A0000-0x00000000002D3000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Mnaggcej.exe | family_berbew
behavioral1/memory/2636-368-0x0000000000440000-0x0000000000473000-memory.dmp | family_berbew
behavioral1/memory/2636-367-0x0000000000440000-0x0000000000473000-memory.dmp | family_berbew
behavioral1/memory/2612-378-0x00000000002A0000-0x00000000002D3000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Mdpldi32.exe | family_berbew
C:\Windows\SysWOW64\Nmkncofl.exe | family_berbew
C:\Windows\SysWOW64\Nbhfke32.exe | family_berbew
behavioral1/memory/2896-406-0x00000000001B0000-0x00000000001E3000-memory.dmp | family_berbew
behavioral1/memory/2896-405-0x00000000001B0000-0x00000000001E3000-memory.dmp | family_berbew
behavioral1/memory/2644-398-0x00000000002C0000-0x00000000002F3000-memory.dmp | family_berbew
behavioral1/memory/2476-412-0x0000000000250000-0x0000000000283000-memory.dmp | family_berbew
behavioral1/memory/2476-411-0x0000000000250000-0x0000000000283000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Nlpkdkkd.exe | family_berbew
C:\Windows\SysWOW64\Nhiholof.exe | family_berbew
C:\Windows\SysWOW64\Odbeilbg.exe | family_berbew
C:\Windows\SysWOW64\Odebolpe.exe | family_berbew
C:\Windows\SysWOW64\Oghhfg32.exe | family_berbew
C:\Windows\SysWOW64\Ooclji32.exe | family_berbew
C:\Windows\SysWOW64\Poeipifl.exe | family_berbew
behavioral1/memory/744-491-0x0000000000220000-0x0000000000253000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Peanbblf.exe | family_berbew
C:\Windows\SysWOW64\Pahogc32.exe | family_berbew
C:\Windows\SysWOW64\Pggdejno.exe | family_berbew
C:\Windows\SysWOW64\Qjhmfekp.exe | family_berbew
C:\Windows\SysWOW64\Qcqaok32.exe | family_berbew
C:\Windows\SysWOW64\Anolkh32.exe | family_berbew
C:\Windows\SysWOW64\Aigmnqgm.exe | family_berbew
C:\Windows\SysWOW64\Aboaff32.exe | family_berbew
C:\Windows\SysWOW64\Bnfblgca.exe | family_berbew
Executes dropped EXE (64 IoCs)
Processes: Qqeicede.exe, Ajbggjfq.exe, Afiglkle.exe, Bfpnmj32.exe, Bjbcfn32.exe, Clmbddgp.exe, Cpkkjc32.exe, Dhmfod32.exe, Dpmdofno.exe, Ecpjfq32.exe, Fkbdkb32.exe, Fcbbjcif.exe, Gnpmfqap.exe, Geoonjeg.exe, Hpmiig32.exe, Iaelanmg.exe, Ioliqbjn.exe, Jliohkak.exe, Jjmpbopd.exe, Jcgapdeb.exe, Jkbfdfbm.exe, Kglcogeo.exe, Knhhaaki.exe, Kmobhmnn.exe, Lfhfab32.exe, Leopgo32.exe, Lnhdqdnd.exe, Mcifdj32.exe, Mmakmp32.exe, Mnaggcej.exe, Mdpldi32.exe, Nmkncofl.exe, Nbhfke32.exe, Nlpkdkkd.exe, Nhiholof.exe, Odbeilbg.exe, Odebolpe.exe, Oghhfg32.exe, Ooclji32.exe, Poeipifl.exe, Peanbblf.exe, Pahogc32.exe, Pggdejno.exe, Qjhmfekp.exe, Qcqaok32.exe, Anolkh32.exe, Aigmnqgm.exe, Aboaff32.exe, Bnfblgca.exe, Bgnfdm32.exe, Bcegin32.exe, Bmnlbcfg.exe, Bcgdom32.exe, Bbmapj32.exe, Bbonei32.exe, Ciifbchf.exe, Cofnjj32.exe, Chnbcpmn.exe, Cojhejbh.exe, Ckahkk32.exe, Ckcepj32.exe, Ddliip32.exe, Diibag32.exe, Dpegcq32.exe
pid | process
1384 | Qqeicede.exe
2544 | Ajbggjfq.exe
2524 | Afiglkle.exe
2424 | Bfpnmj32.exe
2404 | Bjbcfn32.exe
2452 | Clmbddgp.exe
268 | Cpkkjc32.exe
1500 | Dhmfod32.exe
2488 | Dpmdofno.exe
2144 | Ecpjfq32.exe
1648 | Fkbdkb32.exe
480 | Fcbbjcif.exe
1448 | Gnpmfqap.exe
1572 | Geoonjeg.exe
2240 | Hpmiig32.exe
1312 | Iaelanmg.exe
1032 | Ioliqbjn.exe
1304 | Jliohkak.exe
1364 | Jjmpbopd.exe
1780 | Jcgapdeb.exe
1856 | Jkbfdfbm.exe
1772 | Kglcogeo.exe
2988 | Knhhaaki.exe
1468 | Kmobhmnn.exe
1728 | Lfhfab32.exe
1992 | Leopgo32.exe
2780 | Lnhdqdnd.exe
2492 | Mcifdj32.exe
2636 | Mmakmp32.exe
2612 | Mnaggcej.exe
2644 | Mdpldi32.exe
2896 | Nmkncofl.exe
2476 | Nbhfke32.exe
2036 | Nlpkdkkd.exe
792 | Nhiholof.exe
2660 | Odbeilbg.exe
2736 | Odebolpe.exe
1952 | Oghhfg32.exe
1228 | Ooclji32.exe
744 | Poeipifl.exe
1796 | Peanbblf.exe
1664 | Pahogc32.exe
340 | Pggdejno.exe
2268 | Qjhmfekp.exe
1248 | Qcqaok32.exe
2292 | Anolkh32.exe
1832 | Aigmnqgm.exe
964 | Aboaff32.exe
3012 | Bnfblgca.exe
396 | Bgnfdm32.exe
2252 | Bcegin32.exe
536 | Bmnlbcfg.exe
1280 | Bcgdom32.exe
2632 | Bbmapj32.exe
1784 | Bbonei32.exe
2944 | Ciifbchf.exe
2876 | Cofnjj32.exe
1688 | Chnbcpmn.exe
2224 | Cojhejbh.exe
2764 | Ckahkk32.exe
1968 | Ckcepj32.exe
2884 | Ddliip32.exe
940 | Diibag32.exe
2652 | Dpegcq32.exe
Loads dropped DLL (64 IoCs)
Processes: 048f294b52f09d67f330488ddedc7de0_NeikiAnalytics.exe, Qqeicede.exe, Ajbggjfq.exe, Afiglkle.exe, Bfpnmj32.exe, Bjbcfn32.exe, Clmbddgp.exe, Cpkkjc32.exe, Dhmfod32.exe, Dpmdofno.exe, Ecpjfq32.exe, Fkbdkb32.exe, Fcbbjcif.exe, Gnpmfqap.exe, Geoonjeg.exe, Hpmiig32.exe, Iaelanmg.exe, Ioliqbjn.exe, Jliohkak.exe, Jjmpbopd.exe, Jcgapdeb.exe, Jkbfdfbm.exe, Kglcogeo.exe, Knhhaaki.exe, Kmobhmnn.exe, Lfhfab32.exe, Leopgo32.exe, Lnhdqdnd.exe, Mcifdj32.exe, Mmakmp32.exe, Mnaggcej.exe, Mdpldi32.exe
pid | process
2020 | 048f294b52f09d67f330488ddedc7de0_NeikiAnalytics.exe
2020 | 048f294b52f09d67f330488ddedc7de0_NeikiAnalytics.exe
1384 | Qqeicede.exe
1384 | Qqeicede.exe
2544 | Ajbggjfq.exe
2544 | Ajbggjfq.exe
2524 | Afiglkle.exe
2524 | Afiglkle.exe
2424 | Bfpnmj32.exe
2424 | Bfpnmj32.exe
2404 | Bjbcfn32.exe
2404 | Bjbcfn32.exe
2452 | Clmbddgp.exe
2452 | Clmbddgp.exe
268 | Cpkkjc32.exe
268 | Cpkkjc32.exe
1500 | Dhmfod32.exe
1500 | Dhmfod32.exe
2488 | Dpmdofno.exe
2488 | Dpmdofno.exe
2144 | Ecpjfq32.exe
2144 | Ecpjfq32.exe
1648 | Fkbdkb32.exe
1648 | Fkbdkb32.exe
480 | Fcbbjcif.exe
480 | Fcbbjcif.exe
1448 | Gnpmfqap.exe
1448 | Gnpmfqap.exe
1572 | Geoonjeg.exe
1572 | Geoonjeg.exe
2240 | Hpmiig32.exe
2240 | Hpmiig32.exe
1312 | Iaelanmg.exe
1312 | Iaelanmg.exe
1032 | Ioliqbjn.exe
1032 | Ioliqbjn.exe
1304 | Jliohkak.exe
1304 | Jliohkak.exe
1364 | Jjmpbopd.exe
1364 | Jjmpbopd.exe
1780 | Jcgapdeb.exe
1780 | Jcgapdeb.exe
1856 | Jkbfdfbm.exe
1856 | Jkbfdfbm.exe
1772 | Kglcogeo.exe
1772 | Kglcogeo.exe
2988 | Knhhaaki.exe
2988 | Knhhaaki.exe
1468 | Kmobhmnn.exe
1468 | Kmobhmnn.exe
1728 | Lfhfab32.exe
1728 | Lfhfab32.exe
1992 | Leopgo32.exe
1992 | Leopgo32.exe
2780 | Lnhdqdnd.exe
2780 | Lnhdqdnd.exe
2492 | Mcifdj32.exe
2492 | Mcifdj32.exe
2636 | Mmakmp32.exe
2636 | Mmakmp32.exe
2612 | Mnaggcej.exe
2612 | Mnaggcej.exe
2644 | Mdpldi32.exe
2644 | Mdpldi32.exe
Drops file in System32 directory (64 IoCs)
Processes: Biceoj32.exe, Nfglfdeb.exe, Omfnnnhj.exe, Lmbabj32.exe, Limhpihl.exe, Afliclij.exe, Dppigchi.exe, Hmefad32.exe, Jbpfpd32.exe, Fkkfgi32.exe, Peefcjlg.exe, Ghlfjq32.exe, Pkjphcff.exe, Bmpkqklh.exe, Dcbjni32.exe, Hpmiig32.exe, Jmlfmn32.exe, Cagjqbam.exe, Moccnoni.exe, Kfdfdf32.exe, Ieqbbl32.exe, Ehpalp32.exe, Dqaode32.exe, Pknakhig.exe, Qamjmh32.exe, Hcblqb32.exe, Dlhdjh32.exe, Edenjc32.exe, Hhkopj32.exe, Efhqmadd.exe, Phcleoho.exe, Hlhddh32.exe, Efhenccl.exe, Fgcgebhd.exe, Fchkbg32.exe, Knbgnhfd.exe, Dkhpfo32.exe, Dadehh32.exe, Hclhjpjc.exe, Nkbcgnie.exe, Iilceh32.exe, Pgamgken.exe, Gfogneop.exe, Ikjhki32.exe, Nllbdp32.exe, Jgkphj32.exe, Qjbehfbo.exe, Jieaofmp.exe, Npdkdjhp.exe, Ofnpnkgf.exe, Jmhnkfpa.exe, Anhpkg32.exe, Jqfhqe32.exe, Bcpgdhpp.exe, Mijamjnm.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\Gdbchd32.exe |
File opened for modification | C:\Windows\SysWOW64\Cldnqe32.exe | Biceoj32.exe
File created | C:\Windows\SysWOW64\Biheek32.dll | Nfglfdeb.exe
File created | C:\Windows\SysWOW64\Ooggpiek.exe | Omfnnnhj.exe
File created | C:\Windows\SysWOW64\Cbjhhiqm.dll | Lmbabj32.exe
File opened for modification | C:\Windows\SysWOW64\Mioeeifi.exe | Limhpihl.exe
File created | C:\Windows\SysWOW64\Ijmdql32.exe |
File created | C:\Windows\SysWOW64\Boemlbpk.exe | Afliclij.exe
File created | C:\Windows\SysWOW64\Dihmpinj.exe | Dppigchi.exe
File created | C:\Windows\SysWOW64\Hhogaamj.exe | Hmefad32.exe
File created | C:\Windows\SysWOW64\Lpeeon32.dll | Jbpfpd32.exe
File created | C:\Windows\SysWOW64\Dncodq32.dll |
File opened for modification | C:\Windows\SysWOW64\Ggagmjbq.exe | Fkkfgi32.exe
File created | C:\Windows\SysWOW64\Okmjae32.dll | Peefcjlg.exe
File opened for modification | C:\Windows\SysWOW64\Hfpfdeon.exe | Ghlfjq32.exe
File opened for modification | C:\Windows\SysWOW64\Pljlbf32.exe | Pkjphcff.exe
File created | C:\Windows\SysWOW64\Bigkel32.exe | Bmpkqklh.exe
File created | C:\Windows\SysWOW64\Dcdfdi32.exe | Dcbjni32.exe
File created | C:\Windows\SysWOW64\Iaelanmg.exe | Hpmiig32.exe
File created | C:\Windows\SysWOW64\Jnenhj32.dll | Jmlfmn32.exe
File created | C:\Windows\SysWOW64\Dajgfboj.exe | Cagjqbam.exe
File created | C:\Windows\SysWOW64\Koqdolib.dll | Moccnoni.exe
File opened for modification | C:\Windows\SysWOW64\Kbkgig32.exe | Kfdfdf32.exe
File opened for modification | C:\Windows\SysWOW64\Ihooog32.exe | Ieqbbl32.exe
File created | C:\Windows\SysWOW64\Njhhcj32.dll |
File opened for modification | C:\Windows\SysWOW64\Deimaa32.exe |
File created | C:\Windows\SysWOW64\Fgdnnl32.exe | Ehpalp32.exe
File created | C:\Windows\SysWOW64\Qgnonqai.dll | Dqaode32.exe
File created | C:\Windows\SysWOW64\Pdffcn32.exe | Pknakhig.exe
File opened for modification | C:\Windows\SysWOW64\Adncoc32.exe | Qamjmh32.exe
File opened for modification | C:\Windows\SysWOW64\Hagianlf.exe | Hcblqb32.exe
File opened for modification | C:\Windows\SysWOW64\Eagiho32.exe | Dlhdjh32.exe
File opened for modification | C:\Windows\SysWOW64\Edhkpcdb.exe | Edenjc32.exe
File opened for modification | C:\Windows\SysWOW64\Jaaoakmc.exe |
File created | C:\Windows\SysWOW64\Gfbaonni.dll | Hhkopj32.exe
File created | C:\Windows\SysWOW64\Iodcmd32.dll | Efhqmadd.exe
File opened for modification | C:\Windows\SysWOW64\Aepbmhpl.exe | Phcleoho.exe
File created | C:\Windows\SysWOW64\Lpefmn32.dll | Hlhddh32.exe
File created | C:\Windows\SysWOW64\Ckkika32.dll | Efhenccl.exe
File created | C:\Windows\SysWOW64\Phnkdd32.dll | Fgcgebhd.exe
File created | C:\Windows\SysWOW64\Foahmh32.exe | Fchkbg32.exe
File opened for modification | C:\Windows\SysWOW64\Kdlpkb32.exe | Knbgnhfd.exe
File created | C:\Windows\SysWOW64\Dgoakpjn.exe | Dkhpfo32.exe
File created | C:\Windows\SysWOW64\Ilgjmckn.dll | Dadehh32.exe
File created | C:\Windows\SysWOW64\Kfnhec32.dll | Hclhjpjc.exe
File created | C:\Windows\SysWOW64\Gdbcbcgp.dll | Nkbcgnie.exe
File opened for modification | C:\Windows\SysWOW64\Iecdji32.exe | Iilceh32.exe
File created | C:\Windows\SysWOW64\Klhmnf32.dll | Pgamgken.exe
File opened for modification | C:\Windows\SysWOW64\Gmipko32.exe | Gfogneop.exe
File opened for modification | C:\Windows\SysWOW64\Ifolhann.exe | Ikjhki32.exe
File created | C:\Windows\SysWOW64\Ncfjajma.exe | Nllbdp32.exe
File opened for modification | C:\Windows\SysWOW64\Jpcdqpqj.exe | Jgkphj32.exe
File created | C:\Windows\SysWOW64\Qamjmh32.exe | Qjbehfbo.exe
File created | C:\Windows\SysWOW64\Qomcdf32.exe |
File created | C:\Windows\SysWOW64\Hnjblg32.dll | Jieaofmp.exe
File created | C:\Windows\SysWOW64\Nfppfcmj.exe | Npdkdjhp.exe
File created | C:\Windows\SysWOW64\Lddagi32.exe |
File created | C:\Windows\SysWOW64\Gilhpe32.exe |
File created | C:\Windows\SysWOW64\Olmela32.exe | Ofnpnkgf.exe
File created | C:\Windows\SysWOW64\Cpgkadij.dll | Jmhnkfpa.exe
File opened for modification | C:\Windows\SysWOW64\Afcdpi32.exe | Anhpkg32.exe
File created | C:\Windows\SysWOW64\Jqhdfe32.exe | Jqfhqe32.exe
File created | C:\Windows\SysWOW64\Baleem32.dll | Bcpgdhpp.exe
File created | C:\Windows\SysWOW64\Llpenogi.dll | Mijamjnm.exe
Program crash (1 IoCs)
pid | pid_target | process | target process
1736 | 4544 | |
Modifies registry class 64 IoCs
Processes:
Giipab32.exeIhdpbq32.exePgopak32.exeCofnjj32.exeMcqombic.exeMjfphf32.exeKmficl32.exeLonlkcho.exeCcgnelll.exeHajhpgag.exePcqebd32.exeLbfcbdce.exeCjakccop.exeHqiqjlga.exePcbncfjd.exeNllbdp32.exeKcajceke.exeKjmoeo32.exePdcgeejf.exeJnemfa32.exeNklopg32.exeBimphc32.exeQiioon32.exeNdhlhg32.exeNibqqh32.exeBmpkqklh.exeFpbihl32.exeKmdofebo.exeBckjhl32.exeLgkhdddo.exeGgagmjbq.exeEfhqmadd.exeDckcnj32.exeBbjmpcab.exeLkggmldl.exeDnefhpma.exeLemdncoa.exePfeeff32.exeFhbbcail.exeBfcnfh32.exeHboddk32.exeKhkbbc32.exeHcfceeff.exeQjhmfekp.exeKmiolk32.exeBdfooh32.exeObecld32.exeHbekojlp.exeMpngmb32.exeIljifm32.exeEgmabg32.exeBlniinac.exeLngpac32.exePljlbf32.exeMjdcbf32.exeLmhbgpia.exeGeddoa32.exeFclkldqe.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkfmcc32.dll" Giipab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgfklg32.dll" Ihdpbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgopak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgnein32.dll" Cofnjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pohbak32.dll" Mcqombic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjfphf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmficl32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfdeopaj.dll" Lonlkcho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccgnelll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jejffpah.dll" Hajhpgag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmbbhd32.dll" Pcqebd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbfcbdce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnkbglmp.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edbminqj.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oapldp32.dll" Cjakccop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hqiqjlga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efpdbdcc.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcbncfjd.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpmkm32.dll" Nllbdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcajceke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjmoeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpijenld.dll" Pdcgeejf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnemfa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nklopg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akpcdopi.dll" Bimphc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpqmndme.dll" Qiioon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdcgeejf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndhlhg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nibqqh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmpkqklh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpbihl32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmdofebo.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bckjhl32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbfnoac.dll" Lgkhdddo.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggagmjbq.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efhqmadd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dckcnj32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbjmpcab.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbiooq32.dll" Lkggmldl.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnefhpma.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lemdncoa.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfeeff32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhbbcail.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgglmgeb.dll" Bfcnfh32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phbeeddm.dll" Hboddk32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khkbbc32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcfceeff.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flacnl32.dll" Qjhmfekp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmiolk32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdfooh32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmflbo32.dll" Obecld32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbekojlp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfdiko32.dll" Mpngmb32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iljifm32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egmabg32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmmlmc32.dll" Blniinac.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lngpac32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qqmfpqmc.dll" Pljlbf32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjdcbf32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doebph32.dll" Lmhbgpia.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Geddoa32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghaompll.dll" Fclkldqe.exe -
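Added worked example, not part of the sandbox report. The "Adds autorun key" rows register a ShellServiceObjectDelayLoad value named Web Event Logger whose data is a CLSID, and the "Modifies registry class" rows above give that same CLSID an InProcServer32 default value naming a DLL dropped into SysWow64. Explorer instantiates SSODL objects at logon, so the DLL named by InProcServer32 is the component that actually persists, and an analyst wants the two key sets joined rather than read separately. The Python below parses rows in the report's own flattened format and performs that join. The sample rows are copied from this page; the parser, its record layout and the function names are assumptions of this example.

```python
"""Join ShellServiceObjectDelayLoad -> CLSID -> InProcServer32 rows from a sandbox
report into one persistence chain.  Added example: the sample rows are copied from
the report on this page, the parser and its output layout are not the report's own."""
import re

# Constructed input: a handful of the report's own registry rows, one per line.
SAMPLE_ROWS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgfjggll.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfmhdpnc.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dckcnj32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bckjhl32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbfnoac.dll" Lgkhdddo.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbiooq32.dll" Lkggmldl.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghaompll.dll" Fclkldqe.exe
'''

# One report row: <action> <path>[ = "<data>"][ <process>.exe]
# The path is matched lazily so value names containing spaces ("Web Event Logger") survive.
ROW_RE = re.compile(
    r'^(?P<action>Key created|Set value \((?P<vtype>\w+)\))\s+'
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?:\s=\s"(?P<data>.*)")?'
    r'(?:\s(?P<process>\S+\.exe))?\s*$'
)
GUID_RE = re.compile(r'\{[0-9A-F-]{36}\}', re.I)


def parse_row(line):
    """Return a dict(action, key, value_name, data, process) or None for a non-row line."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    path = m.group('path')
    if m.group('action') == 'Key created':
        key, value_name = path, None            # a key row carries no value name
    else:
        key, _, value_name = path.rpartition('\\')  # trailing '\' means the default value ('')
    data = m.group('data')
    if data is not None:
        data = data.replace('\\\\', '\\')       # the report escapes backslashes in string data
    return {'action': m.group('action'), 'key': key, 'value_name': value_name,
            'data': data, 'process': m.group('process')}


def persistence_chain(records):
    """Map each SSODL entry name to its CLSID, the InProcServer32 DLL(s) registered for
    it, the threading model, and every process that touched either key."""
    chain = {}
    for r in records:
        if r['value_name'] is None or not r['data']:
            continue
        if r['key'].lower().endswith('\\shellserviceobjectdelayload') and GUID_RE.fullmatch(r['data']):
            chain[r['value_name']] = {'clsid': r['data'].upper(), 'dlls': set(),
                                      'threading_model': None,
                                      'processes': {r['process']} if r['process'] else set()}
    for info in chain.values():
        marker = ('\\clsid\\' + info['clsid'] + '\\inprocserver32').lower()
        for r in records:
            if not r['key'].lower().endswith(marker):
                continue
            if r['process']:
                info['processes'].add(r['process'])
            if r['value_name'] == '' and r['data']:          # default value = DLL to load
                info['dlls'].add(r['data'])
            elif r['value_name'] and r['value_name'].lower() == 'threadingmodel':
                info['threading_model'] = r['data']
    return chain


def analyze(text):
    """Parse report text and return the SSODL -> InProcServer32 chain."""
    return persistence_chain([r for r in map(parse_row, text.splitlines()) if r])


if __name__ == '__main__':
    for name, info in analyze(SAMPLE_ROWS).items():
        print(f'{name} -> {info["clsid"]} ({info["threading_model"]})')
        for dll in sorted(info['dlls']):
            print('   loads', dll)
        print('   written by', ', '.join(sorted(info['processes'])))
```

On a live host the same join is the triage step: read every SSODL value under both the native and Wow6432Node views, resolve each CLSID's InProcServer32 default value, and treat any DLL that is unsigned or not an inventoried Windows component as the artefact to collect; the run here yields three SysWow64 DLL names for the single Web Event Logger entry because the report captures several of the dropped processes re-registering the same CLSID.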
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
048f294b52f09d67f330488ddedc7de0_NeikiAnalytics.exe, Qqeicede.exe, Ajbggjfq.exe, Afiglkle.exe, Bfpnmj32.exe, Bjbcfn32.exe, Clmbddgp.exe, Cpkkjc32.exe, Dhmfod32.exe, Dpmdofno.exe, Ecpjfq32.exe, Fkbdkb32.exe, Fcbbjcif.exe, Gnpmfqap.exe, Geoonjeg.exe, Hpmiig32.exe
description, pid, process, target process (each of the 16 rows below is recorded 4 times in the report, 64 IoCs in total):
PID 2020 wrote to memory of 1384: 048f294b52f09d67f330488ddedc7de0_NeikiAnalytics.exe (2020) -> Qqeicede.exe (1384)
PID 1384 wrote to memory of 2544: Qqeicede.exe (1384) -> Ajbggjfq.exe (2544)
PID 2544 wrote to memory of 2524: Ajbggjfq.exe (2544) -> Afiglkle.exe (2524)
PID 2524 wrote to memory of 2424: Afiglkle.exe (2524) -> Bfpnmj32.exe (2424)
PID 2424 wrote to memory of 2404: Bfpnmj32.exe (2424) -> Bjbcfn32.exe (2404)
PID 2404 wrote to memory of 2452: Bjbcfn32.exe (2404) -> Clmbddgp.exe (2452)
PID 2452 wrote to memory of 268: Clmbddgp.exe (2452) -> Cpkkjc32.exe (268)
PID 268 wrote to memory of 1500: Cpkkjc32.exe (268) -> Dhmfod32.exe (1500)
PID 1500 wrote to memory of 2488: Dhmfod32.exe (1500) -> Dpmdofno.exe (2488)
PID 2488 wrote to memory of 2144: Dpmdofno.exe (2488) -> Ecpjfq32.exe (2144)
PID 2144 wrote to memory of 1648: Ecpjfq32.exe (2144) -> Fkbdkb32.exe (1648)
PID 1648 wrote to memory of 480: Fkbdkb32.exe (1648) -> Fcbbjcif.exe (480)
PID 480 wrote to memory of 1448: Fcbbjcif.exe (480) -> Gnpmfqap.exe (1448)
PID 1448 wrote to memory of 1572: Gnpmfqap.exe (1448) -> Geoonjeg.exe (1572)
PID 1572 wrote to memory of 2240: Geoonjeg.exe (1572) -> Hpmiig32.exe (2240)
PID 2240 wrote to memory of 1312: Hpmiig32.exe (2240) -> Iaelanmg.exe (1312)
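Added worked example, not part of the sandbox report. The WriteProcessMemory rows above encode the execution order of the dropped binaries: every process writes only into the one child it spawns, and each child in turn becomes the next writer, which is exactly the depth order of the process tree that follows. Rebuilding that chain from the raw rows, and checking that it really is a single linear chain rather than a fan-out or injection into an unrelated process, is a useful sanity check before reading a 240-entry tree. The Python below does this on text in the report's flattened form. The sample text is copied from the first three pairs on this page; the parser, the chain check and the function names are assumptions of this example.

```python
"""Rebuild the parent -> child execution chain from 'Suspicious use of
WriteProcessMemory' rows of a sandbox report.  Added example: the sample text is
copied from the report on this page; the parser and chain check are not the report's."""
import re
from collections import Counter, defaultdict

# Constructed input: the report's first three parent/child pairs, flattened exactly as the
# page shows them.  The report lists every pair four times, which the "* 4" reproduces.
SAMPLE_TEXT = (
    "PID 2020 wrote to memory of 1384 2020 048f294b52f09d67f330488ddedc7de0_NeikiAnalytics.exe Qqeicede.exe " * 4
    + "PID 1384 wrote to memory of 2544 1384 Qqeicede.exe Ajbggjfq.exe " * 4
    + "PID 2544 wrote to memory of 2524 2544 Ajbggjfq.exe Afiglkle.exe " * 4
)

# One row: "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
ROW_RE = re.compile(r'PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)')


def parse_events(text):
    """Return [(src_pid, src_image, dst_pid, dst_image)] for every row in the text."""
    events = []
    for src, dst, src_again, src_name, dst_name in ROW_RE.findall(text):
        if src != src_again:          # the pid column must repeat the description's source pid
            raise ValueError(f'malformed row: pid column {src_again} does not match {src}')
        events.append((int(src), src_name, int(dst), dst_name))
    return events


def build_chain(events):
    """Return ([(pid, image)] in execution order, Counter of writes per (src, dst) pair).

    Raises ValueError if the write graph is not one linear chain: a process writing into
    two children (fan-out), a child written by two parents (fan-in), a cycle, or an
    unreachable process would all mean the report shows more than drop-and-run."""
    writes = Counter((s, d) for s, _, d, _ in events)
    names, children, parents = {}, defaultdict(set), defaultdict(set)
    for s, sn, d, dn in events:
        names[s], names[d] = sn, dn
        children[s].add(d)
        parents[d].add(s)

    roots = [p for p in names if p not in parents]   # a writer nobody wrote into
    if len(roots) != 1:
        raise ValueError(f'expected one root process, found {roots}')
    chain, seen = [roots[0]], {roots[0]}
    while children.get(chain[-1]):
        kids = children[chain[-1]]
        if len(kids) != 1:
            raise ValueError(f'fan-out: pid {chain[-1]} wrote into {sorted(kids)}')
        nxt = next(iter(kids))
        if len(parents[nxt]) != 1:
            raise ValueError(f'fan-in: pid {nxt} written by {sorted(parents[nxt])}')
        if nxt in seen:
            raise ValueError(f'cycle through pid {nxt}')
        seen.add(nxt)
        chain.append(nxt)
    if len(chain) != len(names):
        raise ValueError('some processes are not reachable from the root')
    return [(p, names[p]) for p in chain], writes


if __name__ == '__main__':
    chain, writes = build_chain(parse_events(SAMPLE_TEXT))
    for depth, (pid, image) in enumerate(chain, 1):
        print(f'{depth:3d}  {image} (PID {pid})')
    print('writes per pair:', dict(writes))
```

Fed the full 64-row table the same code yields the 17-process chain that the tree below lists at depths 1 to 17; any ValueError would instead point at the first row where the sample's behaviour stops being a straight parent-to-child hand-off.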
Processes
-
C:\Users\Admin\AppData\Local\Temp\048f294b52f09d67f330488ddedc7de0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\048f294b52f09d67f330488ddedc7de0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\SysWOW64\Qqeicede.exeC:\Windows\system32\Qqeicede.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1384 -
C:\Windows\SysWOW64\Ajbggjfq.exeC:\Windows\system32\Ajbggjfq.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Afiglkle.exeC:\Windows\system32\Afiglkle.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Bfpnmj32.exeC:\Windows\system32\Bfpnmj32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Bjbcfn32.exeC:\Windows\system32\Bjbcfn32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Clmbddgp.exeC:\Windows\system32\Clmbddgp.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\Cpkkjc32.exeC:\Windows\system32\Cpkkjc32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:268 -
C:\Windows\SysWOW64\Dhmfod32.exeC:\Windows\system32\Dhmfod32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Windows\SysWOW64\Dpmdofno.exeC:\Windows\system32\Dpmdofno.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\Ecpjfq32.exeC:\Windows\system32\Ecpjfq32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Fkbdkb32.exeC:\Windows\system32\Fkbdkb32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\SysWOW64\Fcbbjcif.exeC:\Windows\system32\Fcbbjcif.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:480 -
C:\Windows\SysWOW64\Gnpmfqap.exeC:\Windows\system32\Gnpmfqap.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1448 -
C:\Windows\SysWOW64\Geoonjeg.exeC:\Windows\system32\Geoonjeg.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1572 -
C:\Windows\SysWOW64\Hpmiig32.exeC:\Windows\system32\Hpmiig32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Iaelanmg.exeC:\Windows\system32\Iaelanmg.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1312 -
C:\Windows\SysWOW64\Ioliqbjn.exeC:\Windows\system32\Ioliqbjn.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1032 -
C:\Windows\SysWOW64\Jliohkak.exeC:\Windows\system32\Jliohkak.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1304 -
C:\Windows\SysWOW64\Jjmpbopd.exeC:\Windows\system32\Jjmpbopd.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1364 -
C:\Windows\SysWOW64\Jcgapdeb.exeC:\Windows\system32\Jcgapdeb.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1780 -
C:\Windows\SysWOW64\Jkbfdfbm.exeC:\Windows\system32\Jkbfdfbm.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1856 -
C:\Windows\SysWOW64\Kglcogeo.exeC:\Windows\system32\Kglcogeo.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1772 -
C:\Windows\SysWOW64\Knhhaaki.exeC:\Windows\system32\Knhhaaki.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2988 -
C:\Windows\SysWOW64\Kmobhmnn.exeC:\Windows\system32\Kmobhmnn.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1468 -
C:\Windows\SysWOW64\Lfhfab32.exeC:\Windows\system32\Lfhfab32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1728 -
C:\Windows\SysWOW64\Leopgo32.exeC:\Windows\system32\Leopgo32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1992 -
C:\Windows\SysWOW64\Lnhdqdnd.exeC:\Windows\system32\Lnhdqdnd.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2780 -
C:\Windows\SysWOW64\Mcifdj32.exeC:\Windows\system32\Mcifdj32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2492 -
C:\Windows\SysWOW64\Mmakmp32.exeC:\Windows\system32\Mmakmp32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2636 -
C:\Windows\SysWOW64\Mnaggcej.exeC:\Windows\system32\Mnaggcej.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2612 -
C:\Windows\SysWOW64\Mdpldi32.exeC:\Windows\system32\Mdpldi32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2644 -
C:\Windows\SysWOW64\Nmkncofl.exeC:\Windows\system32\Nmkncofl.exe33⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Nbhfke32.exeC:\Windows\system32\Nbhfke32.exe34⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Nlpkdkkd.exeC:\Windows\system32\Nlpkdkkd.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Nhiholof.exeC:\Windows\system32\Nhiholof.exe36⤵
- Executes dropped EXE
PID:792 -
C:\Windows\SysWOW64\Odbeilbg.exeC:\Windows\system32\Odbeilbg.exe37⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Odebolpe.exeC:\Windows\system32\Odebolpe.exe38⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Oghhfg32.exeC:\Windows\system32\Oghhfg32.exe39⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Ooclji32.exeC:\Windows\system32\Ooclji32.exe40⤵
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Poeipifl.exeC:\Windows\system32\Poeipifl.exe41⤵
- Executes dropped EXE
PID:744 -
C:\Windows\SysWOW64\Peanbblf.exeC:\Windows\system32\Peanbblf.exe42⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Pahogc32.exeC:\Windows\system32\Pahogc32.exe43⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Pggdejno.exeC:\Windows\system32\Pggdejno.exe44⤵
- Executes dropped EXE
PID:340 -
C:\Windows\SysWOW64\Qjhmfekp.exeC:\Windows\system32\Qjhmfekp.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:2268 -
C:\Windows\SysWOW64\Qcqaok32.exeC:\Windows\system32\Qcqaok32.exe46⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\Anolkh32.exeC:\Windows\system32\Anolkh32.exe47⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Aigmnqgm.exeC:\Windows\system32\Aigmnqgm.exe48⤵
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Aboaff32.exeC:\Windows\system32\Aboaff32.exe49⤵
- Executes dropped EXE
PID:964 -
C:\Windows\SysWOW64\Bnfblgca.exeC:\Windows\system32\Bnfblgca.exe50⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Bgnfdm32.exeC:\Windows\system32\Bgnfdm32.exe51⤵
- Executes dropped EXE
PID:396 -
C:\Windows\SysWOW64\Bcegin32.exeC:\Windows\system32\Bcegin32.exe52⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Bmnlbcfg.exeC:\Windows\system32\Bmnlbcfg.exe53⤵
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Bcgdom32.exeC:\Windows\system32\Bcgdom32.exe54⤵
- Executes dropped EXE
PID:1280 -
C:\Windows\SysWOW64\Bbmapj32.exeC:\Windows\system32\Bbmapj32.exe55⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Bbonei32.exeC:\Windows\system32\Bbonei32.exe56⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Ciifbchf.exeC:\Windows\system32\Ciifbchf.exe57⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Cofnjj32.exeC:\Windows\system32\Cofnjj32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2876 -
C:\Windows\SysWOW64\Chnbcpmn.exeC:\Windows\system32\Chnbcpmn.exe59⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Cojhejbh.exeC:\Windows\system32\Cojhejbh.exe60⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Ckahkk32.exeC:\Windows\system32\Ckahkk32.exe61⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Ckcepj32.exeC:\Windows\system32\Ckcepj32.exe62⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Ddliip32.exeC:\Windows\system32\Ddliip32.exe63⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Diibag32.exeC:\Windows\system32\Diibag32.exe64⤵
- Executes dropped EXE
PID:940 -
C:\Windows\SysWOW64\Dpegcq32.exeC:\Windows\system32\Dpegcq32.exe65⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Dgoopkgh.exeC:\Windows\system32\Dgoopkgh.exe66⤵PID:1696
-
C:\Windows\SysWOW64\Dcfpel32.exeC:\Windows\system32\Dcfpel32.exe67⤵PID:3004
-
C:\Windows\SysWOW64\Dakmfh32.exeC:\Windows\system32\Dakmfh32.exe68⤵PID:2260
-
C:\Windows\SysWOW64\Ekcaonhe.exeC:\Windows\system32\Ekcaonhe.exe69⤵PID:2076
-
C:\Windows\SysWOW64\Ehgbhbgn.exeC:\Windows\system32\Ehgbhbgn.exe70⤵PID:1556
-
C:\Windows\SysWOW64\Eoajel32.exeC:\Windows\system32\Eoajel32.exe71⤵PID:864
-
C:\Windows\SysWOW64\Ejkkfjkj.exeC:\Windows\system32\Ejkkfjkj.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1620 -
C:\Windows\SysWOW64\Ejmhkiig.exeC:\Windows\system32\Ejmhkiig.exe73⤵PID:1132
-
C:\Windows\SysWOW64\Ecfldoph.exeC:\Windows\system32\Ecfldoph.exe74⤵PID:2368
-
C:\Windows\SysWOW64\Enkpahon.exeC:\Windows\system32\Enkpahon.exe75⤵PID:2064
-
C:\Windows\SysWOW64\Fjbafi32.exeC:\Windows\system32\Fjbafi32.exe76⤵PID:2628
-
C:\Windows\SysWOW64\Foojop32.exeC:\Windows\system32\Foojop32.exe77⤵PID:2432
-
C:\Windows\SysWOW64\Fcmben32.exeC:\Windows\system32\Fcmben32.exe78⤵PID:520
-
C:\Windows\SysWOW64\Fmegncpp.exeC:\Windows\system32\Fmegncpp.exe79⤵PID:2656
-
C:\Windows\SysWOW64\Ffmkfifa.exeC:\Windows\system32\Ffmkfifa.exe80⤵PID:2500
-
C:\Windows\SysWOW64\Fqglggcp.exeC:\Windows\system32\Fqglggcp.exe81⤵PID:2228
-
C:\Windows\SysWOW64\Gnkmqkbi.exeC:\Windows\system32\Gnkmqkbi.exe82⤵PID:932
-
C:\Windows\SysWOW64\Gcheib32.exeC:\Windows\system32\Gcheib32.exe83⤵PID:1512
-
C:\Windows\SysWOW64\Gqlebf32.exeC:\Windows\system32\Gqlebf32.exe84⤵PID:1852
-
C:\Windows\SysWOW64\Gjdjklek.exeC:\Windows\system32\Gjdjklek.exe85⤵PID:2812
-
C:\Windows\SysWOW64\Gghkdp32.exeC:\Windows\system32\Gghkdp32.exe86⤵PID:2300
-
C:\Windows\SysWOW64\Gpcoib32.exeC:\Windows\system32\Gpcoib32.exe87⤵PID:2244
-
C:\Windows\SysWOW64\Gljpncgc.exeC:\Windows\system32\Gljpncgc.exe88⤵PID:1768
-
C:\Windows\SysWOW64\Hmjlhfof.exeC:\Windows\system32\Hmjlhfof.exe89⤵PID:1428
-
C:\Windows\SysWOW64\Hloiib32.exeC:\Windows\system32\Hloiib32.exe90⤵PID:1756
-
C:\Windows\SysWOW64\Hhejnc32.exeC:\Windows\system32\Hhejnc32.exe91⤵PID:1988
-
C:\Windows\SysWOW64\Hdlkcdog.exeC:\Windows\system32\Hdlkcdog.exe92⤵PID:2056
-
C:\Windows\SysWOW64\Hmeolj32.exeC:\Windows\system32\Hmeolj32.exe93⤵PID:2936
-
C:\Windows\SysWOW64\Idadnd32.exeC:\Windows\system32\Idadnd32.exe94⤵PID:2408
-
C:\Windows\SysWOW64\Iphecepe.exeC:\Windows\system32\Iphecepe.exe95⤵PID:2532
-
C:\Windows\SysWOW64\Iipiljgf.exeC:\Windows\system32\Iipiljgf.exe96⤵PID:2160
-
C:\Windows\SysWOW64\Ibhndp32.exeC:\Windows\system32\Ibhndp32.exe97⤵PID:944
-
C:\Windows\SysWOW64\Ieigfk32.exeC:\Windows\system32\Ieigfk32.exe98⤵PID:1460
-
C:\Windows\SysWOW64\Iapgkl32.exeC:\Windows\system32\Iapgkl32.exe99⤵PID:2032
-
C:\Windows\SysWOW64\Kofaicon.exeC:\Windows\system32\Kofaicon.exe100⤵PID:1676
-
C:\Windows\SysWOW64\Kfpifm32.exeC:\Windows\system32\Kfpifm32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1748 -
C:\Windows\SysWOW64\Khoebi32.exeC:\Windows\system32\Khoebi32.exe102⤵PID:1996
-
C:\Windows\SysWOW64\Kdefgj32.exeC:\Windows\system32\Kdefgj32.exe103⤵PID:1552
-
C:\Windows\SysWOW64\Kkoncdcp.exeC:\Windows\system32\Kkoncdcp.exe104⤵PID:2588
-
C:\Windows\SysWOW64\Kfebambf.exeC:\Windows\system32\Kfebambf.exe105⤵PID:1792
-
C:\Windows\SysWOW64\Lnpgeopa.exeC:\Windows\system32\Lnpgeopa.exe106⤵PID:2980
-
C:\Windows\SysWOW64\Lghlndfa.exeC:\Windows\system32\Lghlndfa.exe107⤵PID:564
-
C:\Windows\SysWOW64\Lbnpkmfg.exeC:\Windows\system32\Lbnpkmfg.exe108⤵PID:1520
-
C:\Windows\SysWOW64\Lgkhdddo.exeC:\Windows\system32\Lgkhdddo.exe109⤵
- Modifies registry class
PID:2576 -
C:\Windows\SysWOW64\Lgmeid32.exeC:\Windows\system32\Lgmeid32.exe110⤵PID:2416
-
C:\Windows\SysWOW64\Lcdfnehp.exeC:\Windows\system32\Lcdfnehp.exe111⤵PID:2384
-
C:\Windows\SysWOW64\Lmljgj32.exeC:\Windows\system32\Lmljgj32.exe112⤵PID:2324
-
C:\Windows\SysWOW64\Mfdopp32.exeC:\Windows\system32\Mfdopp32.exe113⤵PID:1816
-
C:\Windows\SysWOW64\Mbkpeake.exeC:\Windows\system32\Mbkpeake.exe114⤵PID:788
-
C:\Windows\SysWOW64\Mpopnejo.exeC:\Windows\system32\Mpopnejo.exe115⤵PID:1420
-
C:\Windows\SysWOW64\Mpamde32.exeC:\Windows\system32\Mpamde32.exe116⤵PID:2788
-
C:\Windows\SysWOW64\Mijamjnm.exeC:\Windows\system32\Mijamjnm.exe117⤵
- Drops file in System32 directory
PID:1092 -
C:\Windows\SysWOW64\Mjkndb32.exeC:\Windows\system32\Mjkndb32.exe118⤵PID:1184
-
C:\Windows\SysWOW64\Meabakda.exeC:\Windows\system32\Meabakda.exe119⤵PID:668
-
C:\Windows\SysWOW64\Nhakcfab.exeC:\Windows\system32\Nhakcfab.exe120⤵PID:2784
-
C:\Windows\SysWOW64\Nmnclmoj.exeC:\Windows\system32\Nmnclmoj.exe121⤵PID:2996
-
C:\Windows\SysWOW64\Ndhlhg32.exeC:\Windows\system32\Ndhlhg32.exe122⤵
- Modifies registry class
PID:2664 -
C:\Windows\SysWOW64\Npolmh32.exeC:\Windows\system32\Npolmh32.exe123⤵PID:2448
-
C:\Windows\SysWOW64\Nigafnck.exeC:\Windows\system32\Nigafnck.exe124⤵PID:580
-
C:\Windows\SysWOW64\Nenakoho.exeC:\Windows\system32\Nenakoho.exe125⤵PID:2732
-
C:\Windows\SysWOW64\Npdfhhhe.exeC:\Windows\system32\Npdfhhhe.exe126⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1708 -
C:\Windows\SysWOW64\Nfnneb32.exeC:\Windows\system32\Nfnneb32.exe127⤵PID:1984
-
C:\Windows\SysWOW64\Ohojmjep.exeC:\Windows\system32\Ohojmjep.exe128⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:432 -
C:\Windows\SysWOW64\Oagoep32.exeC:\Windows\system32\Oagoep32.exe129⤵PID:1716
-
C:\Windows\SysWOW64\Obgkpb32.exeC:\Windows\system32\Obgkpb32.exe130⤵PID:2820
-
C:\Windows\SysWOW64\Okbpde32.exeC:\Windows\system32\Okbpde32.exe131⤵PID:1920
-
C:\Windows\SysWOW64\Odjdmjgo.exeC:\Windows\system32\Odjdmjgo.exe132⤵PID:2356
-
C:\Windows\SysWOW64\Oopijc32.exeC:\Windows\system32\Oopijc32.exe133⤵PID:2864
-
C:\Windows\SysWOW64\Ogknoe32.exeC:\Windows\system32\Ogknoe32.exe134⤵PID:2796
-
C:\Windows\SysWOW64\Ppcbgkka.exeC:\Windows\system32\Ppcbgkka.exe135⤵PID:2420
-
C:\Windows\SysWOW64\Pcbncfjd.exeC:\Windows\system32\Pcbncfjd.exe136⤵
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Pdakniag.exeC:\Windows\system32\Pdakniag.exe137⤵PID:924
-
C:\Windows\SysWOW64\Pphkbj32.exeC:\Windows\system32\Pphkbj32.exe138⤵PID:1656
-
C:\Windows\SysWOW64\Palepb32.exeC:\Windows\system32\Palepb32.exe139⤵PID:2164
-
C:\Windows\SysWOW64\Pkdihhag.exeC:\Windows\system32\Pkdihhag.exe140⤵PID:872
-
C:\Windows\SysWOW64\Pdmnam32.exeC:\Windows\system32\Pdmnam32.exe141⤵PID:1976
-
C:\Windows\SysWOW64\Qdojgmfe.exeC:\Windows\system32\Qdojgmfe.exe142⤵PID:1960
-
C:\Windows\SysWOW64\Qackpado.exeC:\Windows\system32\Qackpado.exe143⤵PID:2232
-
C:\Windows\SysWOW64\Akkoig32.exeC:\Windows\system32\Akkoig32.exe144⤵PID:2352
-
C:\Windows\SysWOW64\Anjlebjc.exeC:\Windows\system32\Anjlebjc.exe145⤵PID:2512
-
C:\Windows\SysWOW64\Aqhhanig.exeC:\Windows\system32\Aqhhanig.exe146⤵PID:2704
-
C:\Windows\SysWOW64\Ajqljc32.exeC:\Windows\system32\Ajqljc32.exe147⤵PID:2336
-
C:\Windows\SysWOW64\Amohfo32.exeC:\Windows\system32\Amohfo32.exe148⤵PID:2332
-
C:\Windows\SysWOW64\Acnjnh32.exeC:\Windows\system32\Acnjnh32.exe149⤵PID:2136
-
C:\Windows\SysWOW64\Aijbfo32.exeC:\Windows\system32\Aijbfo32.exe150⤵PID:1356
-
C:\Windows\SysWOW64\Bcpgdhpp.exeC:\Windows\system32\Bcpgdhpp.exe151⤵
- Drops file in System32 directory
PID:1948 -
C:\Windows\SysWOW64\Bofgii32.exeC:\Windows\system32\Bofgii32.exe152⤵PID:3028
-
C:\Windows\SysWOW64\Bgblmk32.exeC:\Windows\system32\Bgblmk32.exe153⤵PID:2564
-
C:\Windows\SysWOW64\Bbgqjdce.exeC:\Windows\system32\Bbgqjdce.exe154⤵PID:1564
-
C:\Windows\SysWOW64\Bbjmpcab.exeC:\Windows\system32\Bbjmpcab.exe155⤵
- Modifies registry class
PID:1276 -
C:\Windows\SysWOW64\Bckjhl32.exeC:\Windows\system32\Bckjhl32.exe156⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1324 -
C:\Windows\SysWOW64\Bnqned32.exeC:\Windows\system32\Bnqned32.exe157⤵PID:1488
-
C:\Windows\SysWOW64\Bcmfmlen.exeC:\Windows\system32\Bcmfmlen.exe158⤵PID:612
-
C:\Windows\SysWOW64\Cjgoje32.exeC:\Windows\system32\Cjgoje32.exe159⤵PID:1628
-
C:\Windows\SysWOW64\Clbnhmjo.exeC:\Windows\system32\Clbnhmjo.exe160⤵PID:2536
-
C:\Windows\SysWOW64\Dejbqb32.exeC:\Windows\system32\Dejbqb32.exe161⤵PID:2176
-
C:\Windows\SysWOW64\Demofaol.exeC:\Windows\system32\Demofaol.exe162⤵PID:2768
-
C:\Windows\SysWOW64\Dmhdkdlg.exeC:\Windows\system32\Dmhdkdlg.exe163⤵PID:2460
-
C:\Windows\SysWOW64\Dklddhka.exeC:\Windows\system32\Dklddhka.exe164⤵PID:1788
-
C:\Windows\SysWOW64\Diaaeepi.exeC:\Windows\system32\Diaaeepi.exe165⤵PID:2984
-
C:\Windows\SysWOW64\Dbifnj32.exeC:\Windows\system32\Dbifnj32.exe166⤵PID:2592
-
C:\Windows\SysWOW64\Edibhmml.exeC:\Windows\system32\Edibhmml.exe167⤵PID:2248
-
C:\Windows\SysWOW64\Emagacdm.exeC:\Windows\system32\Emagacdm.exe168⤵PID:888
-
C:\Windows\SysWOW64\Ecnoijbd.exeC:\Windows\system32\Ecnoijbd.exe169⤵PID:1680
-
C:\Windows\SysWOW64\Eihgfd32.exeC:\Windows\system32\Eihgfd32.exe170⤵PID:2312
-
C:\Windows\SysWOW64\Ecbhdi32.exeC:\Windows\system32\Ecbhdi32.exe171⤵PID:2600
-
C:\Windows\SysWOW64\Ehpalp32.exeC:\Windows\system32\Ehpalp32.exe172⤵
- Drops file in System32 directory
PID:1900 -
C:\Windows\SysWOW64\Fgdnnl32.exeC:\Windows\system32\Fgdnnl32.exe173⤵PID:936
-
C:\Windows\SysWOW64\Fpmbfbgo.exeC:\Windows\system32\Fpmbfbgo.exe174⤵PID:1040
-
C:\Windows\SysWOW64\Fpoolael.exeC:\Windows\system32\Fpoolael.exe175⤵PID:1548
-
C:\Windows\SysWOW64\Fncpef32.exeC:\Windows\system32\Fncpef32.exe176⤵PID:2116
-
C:\Windows\SysWOW64\Fnflke32.exeC:\Windows\system32\Fnflke32.exe177⤵PID:2968
-
C:\Windows\SysWOW64\Fhomkcoa.exeC:\Windows\system32\Fhomkcoa.exe178⤵PID:1672
-
C:\Windows\SysWOW64\Golbnm32.exeC:\Windows\system32\Golbnm32.exe179⤵PID:1964
-
C:\Windows\SysWOW64\Gkbcbn32.exeC:\Windows\system32\Gkbcbn32.exe180⤵PID:560
-
C:\Windows\SysWOW64\Goplilpf.exeC:\Windows\system32\Goplilpf.exe181⤵PID:2328
-
C:\Windows\SysWOW64\Giipab32.exeC:\Windows\system32\Giipab32.exe182⤵
- Modifies registry class
PID:2992 -
C:\Windows\SysWOW64\Gqdefddb.exeC:\Windows\system32\Gqdefddb.exe183⤵PID:2680
-
C:\Windows\SysWOW64\Hqfaldbo.exeC:\Windows\system32\Hqfaldbo.exe184⤵PID:2684
-
C:\Windows\SysWOW64\Hahnac32.exeC:\Windows\system32\Hahnac32.exe185⤵PID:928
-
C:\Windows\SysWOW64\Hjacjifm.exeC:\Windows\system32\Hjacjifm.exe186⤵PID:2084
-
C:\Windows\SysWOW64\Hifpke32.exeC:\Windows\system32\Hifpke32.exe187⤵PID:1284
-
C:\Windows\SysWOW64\Hboddk32.exeC:\Windows\system32\Hboddk32.exe188⤵
- Modifies registry class
PID:1096 -
C:\Windows\SysWOW64\Hpbdmo32.exeC:\Windows\system32\Hpbdmo32.exe189⤵PID:2284
-
C:\Windows\SysWOW64\Iikifegp.exeC:\Windows\system32\Iikifegp.exe190⤵PID:2192
-
C:\Windows\SysWOW64\Iedfqeka.exeC:\Windows\system32\Iedfqeka.exe191⤵PID:1584
-
C:\Windows\SysWOW64\Iefcfe32.exeC:\Windows\system32\Iefcfe32.exe192⤵PID:3000
-
C:\Windows\SysWOW64\Ihdpbq32.exeC:\Windows\system32\Ihdpbq32.exe193⤵
- Modifies registry class
PID:2840 -
C:\Windows\SysWOW64\Ippdgc32.exeC:\Windows\system32\Ippdgc32.exe194⤵PID:2412
-
C:\Windows\SysWOW64\Jaoqqflp.exeC:\Windows\system32\Jaoqqflp.exe195⤵PID:824
-
C:\Windows\SysWOW64\Jpdnbbah.exeC:\Windows\system32\Jpdnbbah.exe196⤵PID:2348
-
C:\Windows\SysWOW64\Jmhnkfpa.exeC:\Windows\system32\Jmhnkfpa.exe197⤵
- Drops file in System32 directory
PID:2920 -
C:\Windows\SysWOW64\Jbefcm32.exeC:\Windows\system32\Jbefcm32.exe198⤵PID:1704
-
C:\Windows\SysWOW64\Jefpeh32.exeC:\Windows\system32\Jefpeh32.exe199⤵PID:2288
-
C:\Windows\SysWOW64\Kdklfe32.exeC:\Windows\system32\Kdklfe32.exe200⤵PID:2728
-
C:\Windows\SysWOW64\Kncaojfb.exeC:\Windows\system32\Kncaojfb.exe201⤵PID:1260
-
C:\Windows\SysWOW64\Kocmim32.exeC:\Windows\system32\Kocmim32.exe202⤵PID:1608
-
C:\Windows\SysWOW64\Khkbbc32.exeC:\Windows\system32\Khkbbc32.exe203⤵
- Modifies registry class
PID:3100 -
C:\Windows\SysWOW64\Knhjjj32.exeC:\Windows\system32\Knhjjj32.exe204⤵PID:3140
-
C:\Windows\SysWOW64\Knkgpi32.exeC:\Windows\system32\Knkgpi32.exe205⤵PID:3180
-
C:\Windows\SysWOW64\Kpicle32.exeC:\Windows\system32\Kpicle32.exe206⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3220 -
C:\Windows\SysWOW64\Kjahej32.exeC:\Windows\system32\Kjahej32.exe207⤵PID:3264
-
C:\Windows\SysWOW64\Lcjlnpmo.exeC:\Windows\system32\Lcjlnpmo.exe208⤵PID:3304
-
C:\Windows\SysWOW64\Lhpglecl.exeC:\Windows\system32\Lhpglecl.exe209⤵PID:3344
-
C:\Windows\SysWOW64\Mkqqnq32.exeC:\Windows\system32\Mkqqnq32.exe210⤵PID:3384
-
C:\Windows\SysWOW64\Mobfgdcl.exeC:\Windows\system32\Mobfgdcl.exe211⤵PID:3424
-
C:\Windows\SysWOW64\Mjhjdm32.exeC:\Windows\system32\Mjhjdm32.exe212⤵PID:3476
-
C:\Windows\SysWOW64\Mcqombic.exeC:\Windows\system32\Mcqombic.exe213⤵
- Modifies registry class
PID:3556 -
C:\Windows\SysWOW64\Mmicfh32.exeC:\Windows\system32\Mmicfh32.exe214⤵PID:3604
-
C:\Windows\SysWOW64\Nlnpgd32.exeC:\Windows\system32\Nlnpgd32.exe215⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3648 -
C:\Windows\SysWOW64\Nibqqh32.exeC:\Windows\system32\Nibqqh32.exe216⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3688 -
C:\Windows\SysWOW64\Nidmfh32.exeC:\Windows\system32\Nidmfh32.exe217⤵PID:3728
-
C:\Windows\SysWOW64\Nnafnopi.exeC:\Windows\system32\Nnafnopi.exe218⤵PID:3768
-
C:\Windows\SysWOW64\Nabopjmj.exeC:\Windows\system32\Nabopjmj.exe219⤵PID:3808
-
C:\Windows\SysWOW64\Onfoin32.exeC:\Windows\system32\Onfoin32.exe220⤵PID:3848
-
C:\Windows\SysWOW64\Ofadnq32.exeC:\Windows\system32\Ofadnq32.exe221⤵PID:3888
-
C:\Windows\SysWOW64\Opihgfop.exeC:\Windows\system32\Opihgfop.exe222⤵PID:3928
-
C:\Windows\SysWOW64\Oplelf32.exeC:\Windows\system32\Oplelf32.exe223⤵PID:3968
-
C:\Windows\SysWOW64\Oeindm32.exeC:\Windows\system32\Oeindm32.exe224⤵PID:4008
-
C:\Windows\SysWOW64\Oococb32.exeC:\Windows\system32\Oococb32.exe225⤵PID:4048
-
C:\Windows\SysWOW64\Pkjphcff.exeC:\Windows\system32\Pkjphcff.exe226⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4092 -
C:\Windows\SysWOW64\Pljlbf32.exeC:\Windows\system32\Pljlbf32.exe227⤵
- Modifies registry class
PID:3120 -
C:\Windows\SysWOW64\Pebpkk32.exeC:\Windows\system32\Pebpkk32.exe228⤵PID:3152
-
C:\Windows\SysWOW64\Pplaki32.exeC:\Windows\system32\Pplaki32.exe229⤵PID:3208
-
C:\Windows\SysWOW64\Pidfdofi.exeC:\Windows\system32\Pidfdofi.exe230⤵PID:3232
-
C:\Windows\SysWOW64\Pnbojmmp.exeC:\Windows\system32\Pnbojmmp.exe231⤵PID:3320
-
C:\Windows\SysWOW64\Qiioon32.exeC:\Windows\system32\Qiioon32.exe232⤵
- Modifies registry class
PID:3380 -
C:\Windows\SysWOW64\Apedah32.exeC:\Windows\system32\Apedah32.exe233⤵PID:3420
-
C:\Windows\SysWOW64\Ahpifj32.exeC:\Windows\system32\Ahpifj32.exe234⤵PID:3460
-
C:\Windows\SysWOW64\Alnalh32.exeC:\Windows\system32\Alnalh32.exe235⤵PID:3516
-
C:\Windows\SysWOW64\Achjibcl.exeC:\Windows\system32\Achjibcl.exe236⤵PID:3552
-
C:\Windows\SysWOW64\Anbkipok.exeC:\Windows\system32\Anbkipok.exe237⤵PID:3636
-
C:\Windows\SysWOW64\Agjobffl.exeC:\Windows\system32\Agjobffl.exe238⤵PID:3696
-
C:\Windows\SysWOW64\Bgllgedi.exeC:\Windows\system32\Bgllgedi.exe239⤵PID:3740
-
C:\Windows\SysWOW64\Bccmmf32.exeC:\Windows\system32\Bccmmf32.exe240⤵PID:3836
-
C:\Windows\SysWOW64\Bqgmfkhg.exeC:\Windows\system32\Bqgmfkhg.exe241⤵PID:3860
-
C:\Windows\SysWOW64\Bmnnkl32.exeC:\Windows\system32\Bmnnkl32.exe242⤵PID:3900