Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 31-05-2024 00:52

Behavioral task: behavioral1
Sample: 7025b24bf2d64970163e2ef6586841e0_NeikiAnalytics.exe
Resource: win7-20240419-en

Behavioral task: behavioral2
Sample: 7025b24bf2d64970163e2ef6586841e0_NeikiAnalytics.exe
Resource: win10v2004-20240426-en

General
Target: 7025b24bf2d64970163e2ef6586841e0_NeikiAnalytics.exe
Size: 374KB
MD5: 7025b24bf2d64970163e2ef6586841e0
SHA1: 4507020a207d9d2f6eb234a480b770878cbe8b82
SHA256: 4ca4e46811932c405dcc9ff9a869dfb6bc85e773debe361a904c4737537b9b35
SHA512: fec684b148c5468a94d37133de4af4b7f73e24ba7b0b4c69c4df3b443f0fdb24b9522f8b489463c0f2fcc6d0bd3a8c2eced52b19c6f84a69971baada63a6d795
SSDEEP: 6144:nRZad1+YsHHvvvn8CDVkp7+Eu6QnFw5+0pU8oStTf3runG/qoxfIkeI1SHkF63lE:nraPrvE6uidyzwr6AxfLeI1Su63lgMBG
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Gngcgp32.exeLpgajgeg.exeAboaff32.exeAgdmdg32.exeAhgnke32.exeFgiepced.exePnjofo32.exeAjeeeblb.exeFmcoja32.exeMponel32.exeNljddpfe.exeFokdfajl.exeGnpmfqap.exeIhdmihpn.exeJoihjfnl.exeBajqfq32.exeOcllehcj.exeAnneqafn.exeFbjpblip.exeKhkpijma.exeCllkin32.exeIibfajdc.exePmjqcc32.exeEhjona32.exeBpafkknm.exeFmbhok32.exeHddlof32.exeLnjafd32.exeComdkipe.exeLnbdko32.exeCjbmjplb.exeIaeiieeb.exeFjaonpnn.exeBpgljfbl.exeAjmfad32.exeDebplg32.exeQododfek.exeCnckjddd.exeDhmhhmlm.exeLogbhl32.exeJfiale32.exeAbeemhkh.exeKcopdb32.exeEccmffjf.exeIgonafba.exePcibkm32.exeApalea32.exeEkjgpm32.exeClmbddgp.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gngcgp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpgajgeg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aboaff32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agdmdg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahgnke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgiepced.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pnjofo32.exe Key created 
\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajeeeblb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmcoja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mponel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nljddpfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fokdfajl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnpmfqap.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihdmihpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Joihjfnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bajqfq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocllehcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = 
"{79FAA099-1BAE-816E-D711-115290CEE717}" Anneqafn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbjpblip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khkpijma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cllkin32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iibfajdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmjqcc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehjona32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bpafkknm.exe Key created 
\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmbhok32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hddlof32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnjafd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Comdkipe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnbdko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjbmjplb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iaeiieeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fjaonpnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpgljfbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajmfad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Debplg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qododfek.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnckjddd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhmhhmlm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Logbhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jfiale32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abeemhkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcopdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eccmffjf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igonafba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pcibkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web 
Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Apalea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekjgpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clmbddgp.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Processes:
resource yara_rule \Windows\SysWOW64\Aalmklfi.exe family_berbew \Windows\SysWOW64\Aigaon32.exe family_berbew \Windows\SysWOW64\Apcfahio.exe family_berbew \Windows\SysWOW64\Aljgfioc.exe family_berbew \Windows\SysWOW64\Blmdlhmp.exe family_berbew C:\Windows\SysWOW64\Beehencq.exe family_berbew \Windows\SysWOW64\Begeknan.exe family_berbew \Windows\SysWOW64\Bpafkknm.exe family_berbew \Windows\SysWOW64\Bcaomf32.exe family_berbew C:\Windows\SysWOW64\Cpeofk32.exe family_berbew \Windows\SysWOW64\Cllpkl32.exe family_berbew C:\Windows\SysWOW64\Ccfhhffh.exe family_berbew \Windows\SysWOW64\Cjbmjplb.exe family_berbew \Windows\SysWOW64\Cfinoq32.exe family_berbew \Windows\SysWOW64\Cobbhfhg.exe family_berbew C:\Windows\SysWOW64\Dkhcmgnl.exe family_berbew C:\Windows\SysWOW64\Dbbkja32.exe family_berbew C:\Windows\SysWOW64\Dhmcfkme.exe family_berbew C:\Windows\SysWOW64\Djnpnc32.exe family_berbew behavioral1/memory/1072-251-0x0000000000250000-0x0000000000285000-memory.dmp family_berbew C:\Windows\SysWOW64\Ddeaalpg.exe family_berbew C:\Windows\SysWOW64\Dqlafm32.exe family_berbew C:\Windows\SysWOW64\Dcknbh32.exe family_berbew C:\Windows\SysWOW64\Eihfjo32.exe family_berbew behavioral1/memory/2904-296-0x0000000000250000-0x0000000000285000-memory.dmp family_berbew C:\Windows\SysWOW64\Ebpkce32.exe family_berbew C:\Windows\SysWOW64\Eflgccbp.exe family_berbew C:\Windows\SysWOW64\Ecpgmhai.exe family_berbew C:\Windows\SysWOW64\Ekklaj32.exe family_berbew C:\Windows\SysWOW64\Enihne32.exe family_berbew C:\Windows\SysWOW64\Epieghdk.exe family_berbew C:\Windows\SysWOW64\Ebgacddo.exe family_berbew C:\Windows\SysWOW64\Ennaieib.exe family_berbew C:\Windows\SysWOW64\Ebinic32.exe family_berbew C:\Windows\SysWOW64\Fjdbnf32.exe family_berbew C:\Windows\SysWOW64\Fmcoja32.exe family_berbew C:\Windows\SysWOW64\Fnbkddem.exe family_berbew behavioral1/memory/1860-417-0x0000000000250000-0x0000000000285000-memory.dmp family_berbew C:\Windows\SysWOW64\Faagpp32.exe family_berbew C:\Windows\SysWOW64\Fmhheqje.exe 
family_berbew C:\Windows\SysWOW64\Fpfdalii.exe family_berbew C:\Windows\SysWOW64\Fioija32.exe family_berbew behavioral1/memory/2232-467-0x0000000000290000-0x00000000002C5000-memory.dmp family_berbew C:\Windows\SysWOW64\Fphafl32.exe family_berbew C:\Windows\SysWOW64\Fmlapp32.exe family_berbew C:\Windows\SysWOW64\Gpknlk32.exe family_berbew C:\Windows\SysWOW64\Gpmjak32.exe family_berbew C:\Windows\SysWOW64\Gbkgnfbd.exe family_berbew C:\Windows\SysWOW64\Ghhofmql.exe family_berbew C:\Windows\SysWOW64\Gbnccfpb.exe family_berbew C:\Windows\SysWOW64\Gdopkn32.exe family_berbew C:\Windows\SysWOW64\Glfhll32.exe family_berbew C:\Windows\SysWOW64\Gmgdddmq.exe family_berbew C:\Windows\SysWOW64\Gdamqndn.exe family_berbew C:\Windows\SysWOW64\Ggpimica.exe family_berbew C:\Windows\SysWOW64\Gkkemh32.exe family_berbew C:\Windows\SysWOW64\Gphmeo32.exe family_berbew C:\Windows\SysWOW64\Hgbebiao.exe family_berbew C:\Windows\SysWOW64\Hmlnoc32.exe family_berbew C:\Windows\SysWOW64\Hdfflm32.exe family_berbew C:\Windows\SysWOW64\Hgdbhi32.exe family_berbew C:\Windows\SysWOW64\Hnojdcfi.exe family_berbew C:\Windows\SysWOW64\Hpmgqnfl.exe family_berbew C:\Windows\SysWOW64\Hejoiedd.exe family_berbew -
Executes dropped EXE 64 IoCs
Processes:
pid   process
1236  Aalmklfi.exe
2332  Aigaon32.exe
2712  Apcfahio.exe
2628  Aljgfioc.exe
2524  Blmdlhmp.exe
2552  Beehencq.exe
2992  Begeknan.exe
1436  Bpafkknm.exe
2828  Bcaomf32.exe
1968  Cpeofk32.exe
1256  Cllpkl32.exe
2308  Ccfhhffh.exe
2208  Cjbmjplb.exe
2448  Cfinoq32.exe
532   Cobbhfhg.exe
1508  Dkhcmgnl.exe
1812  Dbbkja32.exe
1072  Dhmcfkme.exe
832   Djnpnc32.exe
1044  Ddeaalpg.exe
2880  Dqlafm32.exe
888   Dcknbh32.exe
2904  Eihfjo32.exe
3008  Ebpkce32.exe
872   Eflgccbp.exe
1768  Ecpgmhai.exe
2068  Ekklaj32.exe
2248  Enihne32.exe
2704  Epieghdk.exe
2640  Ebgacddo.exe
2800  Ennaieib.exe
2608  Ebinic32.exe
2568  Fjdbnf32.exe
1860  Fmcoja32.exe
2756  Fnbkddem.exe
2944  Faagpp32.exe
2228  Fmhheqje.exe
1920  Fpfdalii.exe
2232  Fioija32.exe
2200  Fphafl32.exe
1908  Fmlapp32.exe
1184  Gpknlk32.exe
620   Gpmjak32.exe
2352  Gbkgnfbd.exe
1356  Ghhofmql.exe
1340  Gbnccfpb.exe
936   Gdopkn32.exe
2272  Glfhll32.exe
772   Gmgdddmq.exe
1504  Gdamqndn.exe
2916  Ggpimica.exe
1708  Gkkemh32.exe
3028  Gphmeo32.exe
2720  Hgbebiao.exe
2788  Hmlnoc32.exe
2632  Hdfflm32.exe
2428  Hgdbhi32.exe
2732  Hnojdcfi.exe
2672  Hpmgqnfl.exe
1612  Hejoiedd.exe
1976  Hiekid32.exe
1560  Hpocfncj.exe
2832  Hgilchkf.exe
2892  Hhjhkq32.exe
Loads dropped DLL 64 IoCs
Processes:
pid   process
1960  7025b24bf2d64970163e2ef6586841e0_NeikiAnalytics.exe
1960  7025b24bf2d64970163e2ef6586841e0_NeikiAnalytics.exe
1236  Aalmklfi.exe
1236  Aalmklfi.exe
2332  Aigaon32.exe
2332  Aigaon32.exe
2712  Apcfahio.exe
2712  Apcfahio.exe
2628  Aljgfioc.exe
2628  Aljgfioc.exe
2524  Blmdlhmp.exe
2524  Blmdlhmp.exe
2552  Beehencq.exe
2552  Beehencq.exe
2992  Begeknan.exe
2992  Begeknan.exe
1436  Bpafkknm.exe
1436  Bpafkknm.exe
2828  Bcaomf32.exe
2828  Bcaomf32.exe
1968  Cpeofk32.exe
1968  Cpeofk32.exe
1256  Cllpkl32.exe
1256  Cllpkl32.exe
2308  Ccfhhffh.exe
2308  Ccfhhffh.exe
2208  Cjbmjplb.exe
2208  Cjbmjplb.exe
2448  Cfinoq32.exe
2448  Cfinoq32.exe
532   Cobbhfhg.exe
532   Cobbhfhg.exe
1508  Dkhcmgnl.exe
1508  Dkhcmgnl.exe
1812  Dbbkja32.exe
1812  Dbbkja32.exe
1072  Dhmcfkme.exe
1072  Dhmcfkme.exe
832   Djnpnc32.exe
832   Djnpnc32.exe
1044  Ddeaalpg.exe
1044  Ddeaalpg.exe
2880  Dqlafm32.exe
2880  Dqlafm32.exe
888   Dcknbh32.exe
888   Dcknbh32.exe
2904  Eihfjo32.exe
2904  Eihfjo32.exe
3008  Ebpkce32.exe
3008  Ebpkce32.exe
872   Eflgccbp.exe
872   Eflgccbp.exe
1768  Ecpgmhai.exe
1768  Ecpgmhai.exe
2068  Ekklaj32.exe
2068  Ekklaj32.exe
2248  Enihne32.exe
2248  Enihne32.exe
2704  Epieghdk.exe
2704  Epieghdk.exe
2640  Ebgacddo.exe
2640  Ebgacddo.exe
2800  Ennaieib.exe
2800  Ennaieib.exe
Drops file in System32 directory 64 IoCs
Processes:
Hiekid32.exeCgbfamff.exeJaeafklf.exeDjklnnaj.exeMdcpdp32.exeHpocfncj.exeHjfcpo32.exeOlkfmi32.exeFdhlnhhc.exeGembhj32.exeLlnofpcg.exeIpgbjl32.exeGlgjednf.exeIoliqbjn.exeKneicieh.exeCnaocmmi.exeKmefooki.exeElhnof32.exeFnqqgm32.exeHfjnla32.exeNoljjglk.exeNadimacd.exeCpkmcldj.exeElajgpmj.exeOonafa32.exePdaoog32.exeGnmgmbhb.exeKfbcbd32.exeDccagcgk.exeBkmhnjlh.exeEbefgm32.exeLajhofao.exeBhajdblk.exeCgpjlnhh.exeAoohekal.exeJagnlkjd.exeLbnemk32.exeHdiejfej.exeBlbfjg32.exeHabfipdj.exeJdkjnl32.exeLhelbh32.exeBnqned32.exeLcaiiejc.exeHeihnoph.exeAfkdakjb.exeBhfcpb32.exeDgeaoinb.exedescription ioc process File created C:\Windows\SysWOW64\Hpocfncj.exe Hiekid32.exe File opened for modification C:\Windows\SysWOW64\Cmlong32.exe Cgbfamff.exe File created C:\Windows\SysWOW64\Nhjpke32.dll Jaeafklf.exe File opened for modification C:\Windows\SysWOW64\Dpeekh32.exe Djklnnaj.exe File created C:\Windows\SysWOW64\Dhffckeo.dll Mdcpdp32.exe File created C:\Windows\SysWOW64\Nbniiffi.dll Hpocfncj.exe File opened for modification C:\Windows\SysWOW64\Hmeolj32.exe Hjfcpo32.exe File created C:\Windows\SysWOW64\Ogjbid32.dll File opened for modification C:\Windows\SysWOW64\Obdojcef.exe Olkfmi32.exe File created C:\Windows\SysWOW64\Fgfhjcgg.exe Fdhlnhhc.exe File opened for modification C:\Windows\SysWOW64\Glgjednf.exe Gembhj32.exe File created C:\Windows\SysWOW64\Edeomgho.dll File opened for modification C:\Windows\SysWOW64\Lollckbk.exe Llnofpcg.exe File opened for modification C:\Windows\SysWOW64\Icfofg32.exe Ipgbjl32.exe File created C:\Windows\SysWOW64\Ocbjdb32.dll Glgjednf.exe File created C:\Windows\SysWOW64\Kflfocla.dll Ioliqbjn.exe File created C:\Windows\SysWOW64\Ecbhdi32.exe File created C:\Windows\SysWOW64\Aomnhd32.exe File created C:\Windows\SysWOW64\Dglhipbb.dll Kneicieh.exe File created C:\Windows\SysWOW64\Ccngld32.exe Cnaocmmi.exe File created C:\Windows\SysWOW64\Kqqboncb.exe Kmefooki.exe File created C:\Windows\SysWOW64\Gohdlpmi.dll Elhnof32.exe File opened for modification 
C:\Windows\SysWOW64\Fqomci32.exe Fnqqgm32.exe File opened for modification C:\Windows\SysWOW64\Hmcfhkjg.exe Hfjnla32.exe File created C:\Windows\SysWOW64\Bqlldigd.dll Noljjglk.exe File created C:\Windows\SysWOW64\Kkidapal.dll Nadimacd.exe File opened for modification C:\Windows\SysWOW64\Cnnnnh32.exe Cpkmcldj.exe File opened for modification C:\Windows\SysWOW64\Eggndi32.exe Elajgpmj.exe File created C:\Windows\SysWOW64\Mgjnhaco.exe File opened for modification C:\Windows\SysWOW64\Ogeigofa.exe Oonafa32.exe File created C:\Windows\SysWOW64\Bifjqh32.dll Pdaoog32.exe File created C:\Windows\SysWOW64\Qlhpnakf.dll Gnmgmbhb.exe File created C:\Windows\SysWOW64\Ddbddikd.dll Kfbcbd32.exe File created C:\Windows\SysWOW64\Gqahqd32.exe File created C:\Windows\SysWOW64\Ompefj32.exe File created C:\Windows\SysWOW64\Odifab32.dll Dccagcgk.exe File created C:\Windows\SysWOW64\Bajqfq32.exe Bkmhnjlh.exe File created C:\Windows\SysWOW64\Eknkpbdf.exe Ebefgm32.exe File created C:\Windows\SysWOW64\Mmahdggc.exe Lajhofao.exe File created C:\Windows\SysWOW64\Bnkbam32.exe Bhajdblk.exe File created C:\Windows\SysWOW64\Eelloqic.dll Cgpjlnhh.exe File opened for modification C:\Windows\SysWOW64\Aekqmbod.exe Aoohekal.exe File created C:\Windows\SysWOW64\Jkpjmlfb.dll Jagnlkjd.exe File opened for modification C:\Windows\SysWOW64\Fdmhbplb.exe File created C:\Windows\SysWOW64\Qjeeidhg.dll File created C:\Windows\SysWOW64\Lihmjejl.exe Lbnemk32.exe File created C:\Windows\SysWOW64\Dolpccdl.dll Hdiejfej.exe File opened for modification C:\Windows\SysWOW64\Lohccp32.exe File opened for modification C:\Windows\SysWOW64\Mdghaf32.exe File created C:\Windows\SysWOW64\Cacldi32.dll File created C:\Windows\SysWOW64\Boqbfb32.exe Blbfjg32.exe File opened for modification C:\Windows\SysWOW64\Igonafba.exe Habfipdj.exe File created C:\Windows\SysWOW64\Akainj32.dll Jdkjnl32.exe File created C:\Windows\SysWOW64\Lkdhoc32.exe Lhelbh32.exe File created C:\Windows\SysWOW64\Bggaoocn.dll Bnqned32.exe File created 
C:\Windows\SysWOW64\Okhdnm32.dll File opened for modification C:\Windows\SysWOW64\Objaha32.exe File opened for modification C:\Windows\SysWOW64\Lfpeeqig.exe Lcaiiejc.exe File created C:\Windows\SysWOW64\Aekeef32.dll File opened for modification C:\Windows\SysWOW64\Ohiffh32.exe File created C:\Windows\SysWOW64\Gamgjj32.dll Heihnoph.exe File opened for modification C:\Windows\SysWOW64\Amelne32.exe Afkdakjb.exe File created C:\Windows\SysWOW64\Bmclhi32.exe Bhfcpb32.exe File created C:\Windows\SysWOW64\Ehjkan32.dll Dgeaoinb.exe -
Program crash 1 IoCs
Processes:
pid   pid_target  process  target process
4208  5900
Modifies registry class 64 IoCs
Processes:
Jpdkii32.exeJkebjf32.exeKdbpnk32.exeHbiaemkk.exeJaijak32.exeFlgeqgog.exeJgcdki32.exeQbplbi32.exeBhajdblk.exeKcbakpdo.exeCpnojioo.exeFfklhqao.exeDjclbl32.exeNjlockkm.exeEjmhkiig.exeDphmloih.exePkcpei32.exeEapfagno.exeJkmeoa32.exeHjqqap32.exeNgibaj32.exeFenmdm32.exeCpcnonob.exeKbcdbp32.exeJjmpbopd.exeGfhladfn.exeNoljjglk.exeDaejhjkj.exeFnejbmko.exeGifaciae.exeMfihkoal.exeEnfenplo.exeDdgjdk32.exeDkgippgb.exeDdpobo32.exeKngfih32.exeEjehgkdp.exeFfcllo32.exeJcmafj32.exeHbhomd32.exeCpmhpbkc.exeDacpkc32.exeBehnnm32.exeIoliqbjn.exeJgagfi32.exeFmjgcipg.exeMgmahg32.exeOfelmloo.exePfikmh32.exeJnnnalph.exePecgea32.exeMmldme32.exeHgilchkf.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jpdkii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inahjg32.dll" Jkebjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnifgpff.dll" Kdbpnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkbfgoak.dll" Hbiaemkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jaijak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egpfmb32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Flgeqgog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jgcdki32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qbplbi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bhajdblk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhlhkl32.dll" Kcbakpdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dglpkenb.dll" Cpnojioo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ffklhqao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apknlk32.dll" Djclbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Njlockkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajnfie32.dll" Ejmhkiig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dphmloih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pkcpei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdfeim32.dll" Eapfagno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jkmeoa32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebppdgme.dll" Hjqqap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ngibaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpinomjo.dll" Fenmdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cpcnonob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbgffb32.dll" Kbcdbp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jjmpbopd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gfhladfn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Noljjglk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Daejhjkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppkjdeeh.dll" Fnejbmko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gifaciae.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mfihkoal.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Enfenplo.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Galmmc32.dll" Ddgjdk32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijmkck32.dll" Dkgippgb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ddpobo32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kngfih32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ejehgkdp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ffcllo32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jendoajo.dll"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jcmafj32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmgefl32.dll" Hbhomd32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cpmhpbkc.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dacpkc32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blangfdh.dll"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olpecfkn.dll"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Behnnm32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coamkc32.dll"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ioliqbjn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccfcekqe.dll" Jgagfi32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogbged32.dll" Fmjgcipg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mgmahg32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnfnae32.dll"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ofelmloo.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pfikmh32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmhlga32.dll" Jnnnalph.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egkoigpo.dll" Pecgea32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpefpo32.dll"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mmldme32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hgilchkf.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 7025b24bf2d64970163e2ef6586841e0_NeikiAnalytics.exe, Aalmklfi.exe, Aigaon32.exe, Apcfahio.exe, Aljgfioc.exe, Blmdlhmp.exe, Beehencq.exe, Begeknan.exe, Bpafkknm.exe, Bcaomf32.exe, Cpeofk32.exe, Cllpkl32.exe, Ccfhhffh.exe, Cjbmjplb.exe, Cfinoq32.exe, Cobbhfhg.exe
description pid process target process
PID 1960 wrote to memory of 1236 1960 7025b24bf2d64970163e2ef6586841e0_NeikiAnalytics.exe Aalmklfi.exe
PID 1960 wrote to memory of 1236 1960 7025b24bf2d64970163e2ef6586841e0_NeikiAnalytics.exe Aalmklfi.exe
PID 1960 wrote to memory of 1236 1960 7025b24bf2d64970163e2ef6586841e0_NeikiAnalytics.exe Aalmklfi.exe
PID 1960 wrote to memory of 1236 1960 7025b24bf2d64970163e2ef6586841e0_NeikiAnalytics.exe Aalmklfi.exe
PID 1236 wrote to memory of 2332 1236 Aalmklfi.exe Aigaon32.exe
PID 1236 wrote to memory of 2332 1236 Aalmklfi.exe Aigaon32.exe
PID 1236 wrote to memory of 2332 1236 Aalmklfi.exe Aigaon32.exe
PID 1236 wrote to memory of 2332 1236 Aalmklfi.exe Aigaon32.exe
PID 2332 wrote to memory of 2712 2332 Aigaon32.exe Apcfahio.exe
PID 2332 wrote to memory of 2712 2332 Aigaon32.exe Apcfahio.exe
PID 2332 wrote to memory of 2712 2332 Aigaon32.exe Apcfahio.exe
PID 2332 wrote to memory of 2712 2332 Aigaon32.exe Apcfahio.exe
PID 2712 wrote to memory of 2628 2712 Apcfahio.exe Aljgfioc.exe
PID 2712 wrote to memory of 2628 2712 Apcfahio.exe Aljgfioc.exe
PID 2712 wrote to memory of 2628 2712 Apcfahio.exe Aljgfioc.exe
PID 2712 wrote to memory of 2628 2712 Apcfahio.exe Aljgfioc.exe
PID 2628 wrote to memory of 2524 2628 Aljgfioc.exe Blmdlhmp.exe
PID 2628 wrote to memory of 2524 2628 Aljgfioc.exe Blmdlhmp.exe
PID 2628 wrote to memory of 2524 2628 Aljgfioc.exe Blmdlhmp.exe
PID 2628 wrote to memory of 2524 2628 Aljgfioc.exe Blmdlhmp.exe
PID 2524 wrote to memory of 2552 2524 Blmdlhmp.exe Beehencq.exe
PID 2524 wrote to memory of 2552 2524 Blmdlhmp.exe Beehencq.exe
PID 2524 wrote to memory of 2552 2524 Blmdlhmp.exe Beehencq.exe
PID 2524 wrote to memory of 2552 2524 Blmdlhmp.exe Beehencq.exe
PID 2552 wrote to memory of 2992 2552 Beehencq.exe Begeknan.exe
PID 2552 wrote to memory of 2992 2552 Beehencq.exe Begeknan.exe
PID 2552 wrote to memory of 2992 2552 Beehencq.exe Begeknan.exe
PID 2552 wrote to memory of 2992 2552 Beehencq.exe Begeknan.exe
PID 2992 wrote to memory of 1436 2992 Begeknan.exe Bpafkknm.exe
PID 2992 wrote to memory of 1436 2992 Begeknan.exe Bpafkknm.exe
PID 2992 wrote to memory of 1436 2992 Begeknan.exe Bpafkknm.exe
PID 2992 wrote to memory of 1436 2992 Begeknan.exe Bpafkknm.exe
PID 1436 wrote to memory of 2828 1436 Bpafkknm.exe Bcaomf32.exe
PID 1436 wrote to memory of 2828 1436 Bpafkknm.exe Bcaomf32.exe
PID 1436 wrote to memory of 2828 1436 Bpafkknm.exe Bcaomf32.exe
PID 1436 wrote to memory of 2828 1436 Bpafkknm.exe Bcaomf32.exe
PID 2828 wrote to memory of 1968 2828 Bcaomf32.exe Cpeofk32.exe
PID 2828 wrote to memory of 1968 2828 Bcaomf32.exe Cpeofk32.exe
PID 2828 wrote to memory of 1968 2828 Bcaomf32.exe Cpeofk32.exe
PID 2828 wrote to memory of 1968 2828 Bcaomf32.exe Cpeofk32.exe
PID 1968 wrote to memory of 1256 1968 Cpeofk32.exe Cllpkl32.exe
PID 1968 wrote to memory of 1256 1968 Cpeofk32.exe Cllpkl32.exe
PID 1968 wrote to memory of 1256 1968 Cpeofk32.exe Cllpkl32.exe
PID 1968 wrote to memory of 1256 1968 Cpeofk32.exe Cllpkl32.exe
PID 1256 wrote to memory of 2308 1256 Cllpkl32.exe Ccfhhffh.exe
PID 1256 wrote to memory of 2308 1256 Cllpkl32.exe Ccfhhffh.exe
PID 1256 wrote to memory of 2308 1256 Cllpkl32.exe Ccfhhffh.exe
PID 1256 wrote to memory of 2308 1256 Cllpkl32.exe Ccfhhffh.exe
PID 2308 wrote to memory of 2208 2308 Ccfhhffh.exe Cjbmjplb.exe
PID 2308 wrote to memory of 2208 2308 Ccfhhffh.exe Cjbmjplb.exe
PID 2308 wrote to memory of 2208 2308 Ccfhhffh.exe Cjbmjplb.exe
PID 2308 wrote to memory of 2208 2308 Ccfhhffh.exe Cjbmjplb.exe
PID 2208 wrote to memory of 2448 2208 Cjbmjplb.exe Cfinoq32.exe
PID 2208 wrote to memory of 2448 2208 Cjbmjplb.exe Cfinoq32.exe
PID 2208 wrote to memory of 2448 2208 Cjbmjplb.exe Cfinoq32.exe
PID 2208 wrote to memory of 2448 2208 Cjbmjplb.exe Cfinoq32.exe
PID 2448 wrote to memory of 532 2448 Cfinoq32.exe Cobbhfhg.exe
PID 2448 wrote to memory of 532 2448 Cfinoq32.exe Cobbhfhg.exe
PID 2448 wrote to memory of 532 2448 Cfinoq32.exe Cobbhfhg.exe
PID 2448 wrote to memory of 532 2448 Cfinoq32.exe Cobbhfhg.exe
PID 532 wrote to memory of 1508 532 Cobbhfhg.exe Dkhcmgnl.exe
PID 532 wrote to memory of 1508 532 Cobbhfhg.exe Dkhcmgnl.exe
PID 532 wrote to memory of 1508 532 Cobbhfhg.exe Dkhcmgnl.exe
PID 532 wrote to memory of 1508 532 Cobbhfhg.exe Dkhcmgnl.exe
Processes

C:\Users\Admin\AppData\Local\Temp\7025b24bf2d64970163e2ef6586841e0_NeikiAnalytics.exe (command line: "C:\Users\Admin\AppData\Local\Temp\7025b24bf2d64970163e2ef6586841e0_NeikiAnalytics.exe"; depth 1)
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\SysWOW64\Aalmklfi.exe (command line: C:\Windows\system32\Aalmklfi.exe; depth 2)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1236

C:\Windows\SysWOW64\Aigaon32.exe (command line: C:\Windows\system32\Aigaon32.exe; depth 3)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2332

C:\Windows\SysWOW64\Apcfahio.exe (command line: C:\Windows\system32\Apcfahio.exe; depth 4)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712

C:\Windows\SysWOW64\Aljgfioc.exe (command line: C:\Windows\system32\Aljgfioc.exe; depth 5)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628

C:\Windows\SysWOW64\Blmdlhmp.exe (command line: C:\Windows\system32\Blmdlhmp.exe; depth 6)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524

C:\Windows\SysWOW64\Beehencq.exe (command line: C:\Windows\system32\Beehencq.exe; depth 7)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2552

C:\Windows\SysWOW64\Begeknan.exe (command line: C:\Windows\system32\Begeknan.exe; depth 8)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2992

C:\Windows\SysWOW64\Bpafkknm.exe (command line: C:\Windows\system32\Bpafkknm.exe; depth 9)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1436

C:\Windows\SysWOW64\Bcaomf32.exe (command line: C:\Windows\system32\Bcaomf32.exe; depth 10)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2828

C:\Windows\SysWOW64\Cpeofk32.exe (command line: C:\Windows\system32\Cpeofk32.exe; depth 11)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\SysWOW64\Cllpkl32.exe (command line: C:\Windows\system32\Cllpkl32.exe; depth 12)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1256

C:\Windows\SysWOW64\Ccfhhffh.exe (command line: C:\Windows\system32\Ccfhhffh.exe; depth 13)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2308

C:\Windows\SysWOW64\Cjbmjplb.exe (command line: C:\Windows\system32\Cjbmjplb.exe; depth 14)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\SysWOW64\Cfinoq32.exe (command line: C:\Windows\system32\Cfinoq32.exe; depth 15)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2448

C:\Windows\SysWOW64\Cobbhfhg.exe (command line: C:\Windows\system32\Cobbhfhg.exe; depth 16)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:532
C:\Windows\SysWOW64\Dkhcmgnl.exe (command line: C:\Windows\system32\Dkhcmgnl.exe; depth 17)
- Executes dropped EXE
- Loads dropped DLL
PID:1508

C:\Windows\SysWOW64\Dbbkja32.exe (command line: C:\Windows\system32\Dbbkja32.exe; depth 18)
- Executes dropped EXE
- Loads dropped DLL
PID:1812

C:\Windows\SysWOW64\Dhmcfkme.exe (command line: C:\Windows\system32\Dhmcfkme.exe; depth 19)
- Executes dropped EXE
- Loads dropped DLL
PID:1072

C:\Windows\SysWOW64\Djnpnc32.exe (command line: C:\Windows\system32\Djnpnc32.exe; depth 20)
- Executes dropped EXE
- Loads dropped DLL
PID:832

C:\Windows\SysWOW64\Ddeaalpg.exe (command line: C:\Windows\system32\Ddeaalpg.exe; depth 21)
- Executes dropped EXE
- Loads dropped DLL
PID:1044

C:\Windows\SysWOW64\Dqlafm32.exe (command line: C:\Windows\system32\Dqlafm32.exe; depth 22)
- Executes dropped EXE
- Loads dropped DLL
PID:2880

C:\Windows\SysWOW64\Dcknbh32.exe (command line: C:\Windows\system32\Dcknbh32.exe; depth 23)
- Executes dropped EXE
- Loads dropped DLL
PID:888

C:\Windows\SysWOW64\Eihfjo32.exe (command line: C:\Windows\system32\Eihfjo32.exe; depth 24)
- Executes dropped EXE
- Loads dropped DLL
PID:2904

C:\Windows\SysWOW64\Ebpkce32.exe (command line: C:\Windows\system32\Ebpkce32.exe; depth 25)
- Executes dropped EXE
- Loads dropped DLL
PID:3008

C:\Windows\SysWOW64\Eflgccbp.exe (command line: C:\Windows\system32\Eflgccbp.exe; depth 26)
- Executes dropped EXE
- Loads dropped DLL
PID:872

C:\Windows\SysWOW64\Ecpgmhai.exe (command line: C:\Windows\system32\Ecpgmhai.exe; depth 27)
- Executes dropped EXE
- Loads dropped DLL
PID:1768

C:\Windows\SysWOW64\Ekklaj32.exe (command line: C:\Windows\system32\Ekklaj32.exe; depth 28)
- Executes dropped EXE
- Loads dropped DLL
PID:2068

C:\Windows\SysWOW64\Enihne32.exe (command line: C:\Windows\system32\Enihne32.exe; depth 29)
- Executes dropped EXE
- Loads dropped DLL
PID:2248

C:\Windows\SysWOW64\Epieghdk.exe (command line: C:\Windows\system32\Epieghdk.exe; depth 30)
- Executes dropped EXE
- Loads dropped DLL
PID:2704

C:\Windows\SysWOW64\Ebgacddo.exe (command line: C:\Windows\system32\Ebgacddo.exe; depth 31)
- Executes dropped EXE
- Loads dropped DLL
PID:2640

C:\Windows\SysWOW64\Ennaieib.exe (command line: C:\Windows\system32\Ennaieib.exe; depth 32)
- Executes dropped EXE
- Loads dropped DLL
PID:2800

C:\Windows\SysWOW64\Ebinic32.exe (command line: C:\Windows\system32\Ebinic32.exe; depth 33)
- Executes dropped EXE
PID:2608

C:\Windows\SysWOW64\Fjdbnf32.exe (command line: C:\Windows\system32\Fjdbnf32.exe; depth 34)
- Executes dropped EXE
PID:2568

C:\Windows\SysWOW64\Fmcoja32.exe (command line: C:\Windows\system32\Fmcoja32.exe; depth 35)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1860

C:\Windows\SysWOW64\Fnbkddem.exe (command line: C:\Windows\system32\Fnbkddem.exe; depth 36)
- Executes dropped EXE
PID:2756

C:\Windows\SysWOW64\Faagpp32.exe (command line: C:\Windows\system32\Faagpp32.exe; depth 37)
- Executes dropped EXE
PID:2944

C:\Windows\SysWOW64\Fmhheqje.exe (command line: C:\Windows\system32\Fmhheqje.exe; depth 38)
- Executes dropped EXE
PID:2228

C:\Windows\SysWOW64\Fpfdalii.exe (command line: C:\Windows\system32\Fpfdalii.exe; depth 39)
- Executes dropped EXE
PID:1920

C:\Windows\SysWOW64\Fioija32.exe (command line: C:\Windows\system32\Fioija32.exe; depth 40)
- Executes dropped EXE
PID:2232

C:\Windows\SysWOW64\Fphafl32.exe (command line: C:\Windows\system32\Fphafl32.exe; depth 41)
- Executes dropped EXE
PID:2200

C:\Windows\SysWOW64\Fmlapp32.exe (command line: C:\Windows\system32\Fmlapp32.exe; depth 42)
- Executes dropped EXE
PID:1908

C:\Windows\SysWOW64\Gpknlk32.exe (command line: C:\Windows\system32\Gpknlk32.exe; depth 43)
- Executes dropped EXE
PID:1184

C:\Windows\SysWOW64\Gpmjak32.exe (command line: C:\Windows\system32\Gpmjak32.exe; depth 44)
- Executes dropped EXE
PID:620

C:\Windows\SysWOW64\Gbkgnfbd.exe (command line: C:\Windows\system32\Gbkgnfbd.exe; depth 45)
- Executes dropped EXE
PID:2352

C:\Windows\SysWOW64\Ghhofmql.exe (command line: C:\Windows\system32\Ghhofmql.exe; depth 46)
- Executes dropped EXE
PID:1356

C:\Windows\SysWOW64\Gbnccfpb.exe (command line: C:\Windows\system32\Gbnccfpb.exe; depth 47)
- Executes dropped EXE
PID:1340

C:\Windows\SysWOW64\Gdopkn32.exe (command line: C:\Windows\system32\Gdopkn32.exe; depth 48)
- Executes dropped EXE
PID:936

C:\Windows\SysWOW64\Glfhll32.exe (command line: C:\Windows\system32\Glfhll32.exe; depth 49)
- Executes dropped EXE
PID:2272

C:\Windows\SysWOW64\Gmgdddmq.exe (command line: C:\Windows\system32\Gmgdddmq.exe; depth 50)
- Executes dropped EXE
PID:772

C:\Windows\SysWOW64\Gdamqndn.exe (command line: C:\Windows\system32\Gdamqndn.exe; depth 51)
- Executes dropped EXE
PID:1504

C:\Windows\SysWOW64\Ggpimica.exe (command line: C:\Windows\system32\Ggpimica.exe; depth 52)
- Executes dropped EXE
PID:2916

C:\Windows\SysWOW64\Gkkemh32.exe (command line: C:\Windows\system32\Gkkemh32.exe; depth 53)
- Executes dropped EXE
PID:1708

C:\Windows\SysWOW64\Gphmeo32.exe (command line: C:\Windows\system32\Gphmeo32.exe; depth 54)
- Executes dropped EXE
PID:3028

C:\Windows\SysWOW64\Hgbebiao.exe (command line: C:\Windows\system32\Hgbebiao.exe; depth 55)
- Executes dropped EXE
PID:2720

C:\Windows\SysWOW64\Hmlnoc32.exe (command line: C:\Windows\system32\Hmlnoc32.exe; depth 56)
- Executes dropped EXE
PID:2788

C:\Windows\SysWOW64\Hdfflm32.exe (command line: C:\Windows\system32\Hdfflm32.exe; depth 57)
- Executes dropped EXE
PID:2632

C:\Windows\SysWOW64\Hgdbhi32.exe (command line: C:\Windows\system32\Hgdbhi32.exe; depth 58)
- Executes dropped EXE
PID:2428

C:\Windows\SysWOW64\Hnojdcfi.exe (command line: C:\Windows\system32\Hnojdcfi.exe; depth 59)
- Executes dropped EXE
PID:2732

C:\Windows\SysWOW64\Hpmgqnfl.exe (command line: C:\Windows\system32\Hpmgqnfl.exe; depth 60)
- Executes dropped EXE
PID:2672

C:\Windows\SysWOW64\Hejoiedd.exe (command line: C:\Windows\system32\Hejoiedd.exe; depth 61)
- Executes dropped EXE
PID:1612

C:\Windows\SysWOW64\Hiekid32.exe (command line: C:\Windows\system32\Hiekid32.exe; depth 62)
- Executes dropped EXE
- Drops file in System32 directory
PID:1976

C:\Windows\SysWOW64\Hpocfncj.exe (command line: C:\Windows\system32\Hpocfncj.exe; depth 63)
- Executes dropped EXE
- Drops file in System32 directory
PID:1560

C:\Windows\SysWOW64\Hgilchkf.exe (command line: C:\Windows\system32\Hgilchkf.exe; depth 64)
- Executes dropped EXE
- Modifies registry class
PID:2832

C:\Windows\SysWOW64\Hhjhkq32.exe (command line: C:\Windows\system32\Hhjhkq32.exe; depth 65)
- Executes dropped EXE
PID:2892
C:\Windows\SysWOW64\Hlfdkoin.exe (command line: C:\Windows\system32\Hlfdkoin.exe; depth 66)
PID:876

C:\Windows\SysWOW64\Hodpgjha.exe (command line: C:\Windows\system32\Hodpgjha.exe; depth 67)
PID:2368

C:\Windows\SysWOW64\Hacmcfge.exe (command line: C:\Windows\system32\Hacmcfge.exe; depth 68)
PID:996

C:\Windows\SysWOW64\Hjjddchg.exe (command line: C:\Windows\system32\Hjjddchg.exe; depth 69)
PID:804

C:\Windows\SysWOW64\Hlhaqogk.exe (command line: C:\Windows\system32\Hlhaqogk.exe; depth 70)
PID:1344

C:\Windows\SysWOW64\Hogmmjfo.exe (command line: C:\Windows\system32\Hogmmjfo.exe; depth 71)
PID:1500

C:\Windows\SysWOW64\Iaeiieeb.exe (command line: C:\Windows\system32\Iaeiieeb.exe; depth 72)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1724

C:\Windows\SysWOW64\Ieqeidnl.exe (command line: C:\Windows\system32\Ieqeidnl.exe; depth 73)
PID:2008

C:\Windows\SysWOW64\Ioijbj32.exe (command line: C:\Windows\system32\Ioijbj32.exe; depth 74)
PID:2868

C:\Windows\SysWOW64\Ifcbodli.exe (command line: C:\Windows\system32\Ifcbodli.exe; depth 75)
PID:2416

C:\Windows\SysWOW64\Ikpjgkjq.exe (command line: C:\Windows\system32\Ikpjgkjq.exe; depth 76)
PID:2420

C:\Windows\SysWOW64\Iggkllpe.exe (command line: C:\Windows\system32\Iggkllpe.exe; depth 77)
PID:2740

C:\Windows\SysWOW64\Ijeghgoh.exe (command line: C:\Windows\system32\Ijeghgoh.exe; depth 78)
PID:2212

C:\Windows\SysWOW64\Iqopea32.exe (command line: C:\Windows\system32\Iqopea32.exe; depth 79)
PID:1948

C:\Windows\SysWOW64\Imfqjbli.exe (command line: C:\Windows\system32\Imfqjbli.exe; depth 80)
PID:1520

C:\Windows\SysWOW64\Icpigm32.exe (command line: C:\Windows\system32\Icpigm32.exe; depth 81)
PID:2884

C:\Windows\SysWOW64\Igkdgk32.exe (command line: C:\Windows\system32\Igkdgk32.exe; depth 82)
PID:2316

C:\Windows\SysWOW64\Jmhmpb32.exe (command line: C:\Windows\system32\Jmhmpb32.exe; depth 83)
PID:1756

C:\Windows\SysWOW64\Jofiln32.exe (command line: C:\Windows\system32\Jofiln32.exe; depth 84)
PID:684

C:\Windows\SysWOW64\Jfqahgpg.exe (command line: C:\Windows\system32\Jfqahgpg.exe; depth 85)
PID:2252

C:\Windows\SysWOW64\Jmjjea32.exe (command line: C:\Windows\system32\Jmjjea32.exe; depth 86)
PID:2400

C:\Windows\SysWOW64\Joifam32.exe (command line: C:\Windows\system32\Joifam32.exe; depth 87)
PID:2256

C:\Windows\SysWOW64\Jcdbbloa.exe (command line: C:\Windows\system32\Jcdbbloa.exe; depth 88)
PID:2600

C:\Windows\SysWOW64\Jmmfkafa.exe (command line: C:\Windows\system32\Jmmfkafa.exe; depth 89)
PID:2536

C:\Windows\SysWOW64\Jokcgmee.exe (command line: C:\Windows\system32\Jokcgmee.exe; depth 90)
PID:2560

C:\Windows\SysWOW64\Jicgpb32.exe (command line: C:\Windows\system32\Jicgpb32.exe; depth 91)
PID:2964

C:\Windows\SysWOW64\Jkbcln32.exe (command line: C:\Windows\system32\Jkbcln32.exe; depth 92)
PID:2952

C:\Windows\SysWOW64\Jnqphi32.exe (command line: C:\Windows\system32\Jnqphi32.exe; depth 93)
PID:2972

C:\Windows\SysWOW64\Jfghif32.exe (command line: C:\Windows\system32\Jfghif32.exe; depth 94)
PID:2472

C:\Windows\SysWOW64\Jifdebic.exe (command line: C:\Windows\system32\Jifdebic.exe; depth 95)
PID:612

C:\Windows\SysWOW64\Jnclnihj.exe (command line: C:\Windows\system32\Jnclnihj.exe; depth 96)
PID:1240

C:\Windows\SysWOW64\Jbnhng32.exe (command line: C:\Windows\system32\Jbnhng32.exe; depth 97)
PID:2324

C:\Windows\SysWOW64\Kihqkagp.exe (command line: C:\Windows\system32\Kihqkagp.exe; depth 98)
PID:836

C:\Windows\SysWOW64\Kkgmgmfd.exe (command line: C:\Windows\system32\Kkgmgmfd.exe; depth 99)
PID:288

C:\Windows\SysWOW64\Kneicieh.exe (command line: C:\Windows\system32\Kneicieh.exe; depth 100)
- Drops file in System32 directory
PID:1808
C:\Windows\SysWOW64\Kcbakpdo.exe (command line: C:\Windows\system32\Kcbakpdo.exe; depth 101)
- Modifies registry class
PID:2148

C:\Windows\SysWOW64\Kngfih32.exe (command line: C:\Windows\system32\Kngfih32.exe; depth 102)
- Modifies registry class
PID:2928

C:\Windows\SysWOW64\Kmjfdejp.exe (command line: C:\Windows\system32\Kmjfdejp.exe; depth 103)
PID:1924

C:\Windows\SysWOW64\Keanebkb.exe (command line: C:\Windows\system32\Keanebkb.exe; depth 104)
PID:2696

C:\Windows\SysWOW64\Kfbkmk32.exe (command line: C:\Windows\system32\Kfbkmk32.exe; depth 105)
PID:2656

C:\Windows\SysWOW64\Knjbnh32.exe (command line: C:\Windows\system32\Knjbnh32.exe; depth 106)
PID:2660

C:\Windows\SysWOW64\Kmmcjehm.exe (command line: C:\Windows\system32\Kmmcjehm.exe; depth 107)
PID:1732

C:\Windows\SysWOW64\Kpkofpgq.exe (command line: C:\Windows\system32\Kpkofpgq.exe; depth 108)
PID:2752

C:\Windows\SysWOW64\Kgbggnhc.exe (command line: C:\Windows\system32\Kgbggnhc.exe; depth 109)
PID:1936

C:\Windows\SysWOW64\Kjqccigf.exe (command line: C:\Windows\system32\Kjqccigf.exe; depth 110)
PID:1576

C:\Windows\SysWOW64\Kmopod32.exe (command line: C:\Windows\system32\Kmopod32.exe; depth 111)
PID:2280

C:\Windows\SysWOW64\Kpmlkp32.exe (command line: C:\Windows\system32\Kpmlkp32.exe; depth 112)
PID:1484

C:\Windows\SysWOW64\Kfgdhjmk.exe (command line: C:\Windows\system32\Kfgdhjmk.exe; depth 113)
PID:2452

C:\Windows\SysWOW64\Kjcpii32.exe (command line: C:\Windows\system32\Kjcpii32.exe; depth 114)
PID:1800

C:\Windows\SysWOW64\Lpphap32.exe (command line: C:\Windows\system32\Lpphap32.exe; depth 115)
PID:3004

C:\Windows\SysWOW64\Lbnemk32.exe (command line: C:\Windows\system32\Lbnemk32.exe; depth 116)
- Drops file in System32 directory
PID:1912

C:\Windows\SysWOW64\Lihmjejl.exe (command line: C:\Windows\system32\Lihmjejl.exe; depth 117)
PID:748

C:\Windows\SysWOW64\Lpbefoai.exe (command line: C:\Windows\system32\Lpbefoai.exe; depth 118)
PID:2668

C:\Windows\SysWOW64\Lbqabkql.exe (command line: C:\Windows\system32\Lbqabkql.exe; depth 119)
PID:1928

C:\Windows\SysWOW64\Lijjoe32.exe (command line: C:\Windows\system32\Lijjoe32.exe; depth 120)
PID:1312

C:\Windows\SysWOW64\Lliflp32.exe (command line: C:\Windows\system32\Lliflp32.exe; depth 121)
PID:2836

C:\Windows\SysWOW64\Logbhl32.exe (command line: C:\Windows\system32\Logbhl32.exe; depth 122)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1392

C:\Windows\SysWOW64\Limfed32.exe (command line: C:\Windows\system32\Limfed32.exe; depth 123)
PID:2888

C:\Windows\SysWOW64\Llkbap32.exe (command line: C:\Windows\system32\Llkbap32.exe; depth 124)
PID:1328

C:\Windows\SysWOW64\Lojomkdn.exe (command line: C:\Windows\system32\Lojomkdn.exe; depth 125)
PID:2060

C:\Windows\SysWOW64\Lecgje32.exe (command line: C:\Windows\system32\Lecgje32.exe; depth 126)
PID:1568

C:\Windows\SysWOW64\Llnofpcg.exe (command line: C:\Windows\system32\Llnofpcg.exe; depth 127)
- Drops file in System32 directory
PID:2804

C:\Windows\SysWOW64\Lollckbk.exe (command line: C:\Windows\system32\Lollckbk.exe; depth 128)
PID:2716

C:\Windows\SysWOW64\Lajhofao.exe (command line: C:\Windows\system32\Lajhofao.exe; depth 129)
- Drops file in System32 directory
PID:2516

C:\Windows\SysWOW64\Mmahdggc.exe (command line: C:\Windows\system32\Mmahdggc.exe; depth 130)
PID:2596

C:\Windows\SysWOW64\Mdkqqa32.exe (command line: C:\Windows\system32\Mdkqqa32.exe; depth 131)
PID:304

C:\Windows\SysWOW64\Mhgmapfi.exe (command line: C:\Windows\system32\Mhgmapfi.exe; depth 132)
PID:1492

C:\Windows\SysWOW64\Mihiih32.exe (command line: C:\Windows\system32\Mihiih32.exe; depth 133)
PID:1608

C:\Windows\SysWOW64\Maoajf32.exe (command line: C:\Windows\system32\Maoajf32.exe; depth 134)
PID:812

C:\Windows\SysWOW64\Mdmmfa32.exe (command line: C:\Windows\system32\Mdmmfa32.exe; depth 135)
PID:2064

C:\Windows\SysWOW64\Mkgfckcj.exe (command line: C:\Windows\system32\Mkgfckcj.exe; depth 136)
PID:2876

C:\Windows\SysWOW64\Mlibjc32.exe (command line: C:\Windows\system32\Mlibjc32.exe; depth 137)
PID:1284

C:\Windows\SysWOW64\Mdpjlajk.exe (command line: C:\Windows\system32\Mdpjlajk.exe; depth 138)
PID:1648

C:\Windows\SysWOW64\Mimbdhhb.exe (command line: C:\Windows\system32\Mimbdhhb.exe; depth 139)
PID:1952

C:\Windows\SysWOW64\Mcegmm32.exe (command line: C:\Windows\system32\Mcegmm32.exe; depth 140)
PID:1572

C:\Windows\SysWOW64\Miooigfo.exe (command line: C:\Windows\system32\Miooigfo.exe; depth 141)
PID:2288

C:\Windows\SysWOW64\Mlmlecec.exe (command line: C:\Windows\system32\Mlmlecec.exe; depth 142)
PID:940

C:\Windows\SysWOW64\Ncgdbmmp.exe (command line: C:\Windows\system32\Ncgdbmmp.exe; depth 143)
PID:2920

C:\Windows\SysWOW64\Nefpnhlc.exe (command line: C:\Windows\system32\Nefpnhlc.exe; depth 144)
PID:2264

C:\Windows\SysWOW64\Nhdlkdkg.exe (command line: C:\Windows\system32\Nhdlkdkg.exe; depth 145)
PID:2664

C:\Windows\SysWOW64\Nkbhgojk.exe (command line: C:\Windows\system32\Nkbhgojk.exe; depth 146)
PID:2736

C:\Windows\SysWOW64\Namqci32.exe (command line: C:\Windows\system32\Namqci32.exe; depth 147)
PID:280

C:\Windows\SysWOW64\Ndkmpe32.exe (command line: C:\Windows\system32\Ndkmpe32.exe; depth 148)
PID:1628

C:\Windows\SysWOW64\Noqamn32.exe (command line: C:\Windows\system32\Noqamn32.exe; depth 149)
PID:536

C:\Windows\SysWOW64\Naoniipe.exe (command line: C:\Windows\system32\Naoniipe.exe; depth 150)
PID:1096

C:\Windows\SysWOW64\Nhiffc32.exe (command line: C:\Windows\system32\Nhiffc32.exe; depth 151)
PID:2996

C:\Windows\SysWOW64\Nnennj32.exe (command line: C:\Windows\system32\Nnennj32.exe; depth 152)
PID:2772

C:\Windows\SysWOW64\Naajoinb.exe (command line: C:\Windows\system32\Naajoinb.exe; depth 153)
PID:1604

C:\Windows\SysWOW64\Nhkbkc32.exe (command line: C:\Windows\system32\Nhkbkc32.exe; depth 154)
PID:1964

C:\Windows\SysWOW64\Njlockkm.exe (command line: C:\Windows\system32\Njlockkm.exe; depth 155)
- Modifies registry class
PID:2900
C:\Windows\SysWOW64\Nacgdhlp.exe (command line: C:\Windows\system32\Nacgdhlp.exe; depth 156)
PID:444

C:\Windows\SysWOW64\Nceclqan.exe (command line: C:\Windows\system32\Nceclqan.exe; depth 157)
PID:676

C:\Windows\SysWOW64\Ojolhk32.exe (command line: C:\Windows\system32\Ojolhk32.exe; depth 158)
PID:2652

C:\Windows\SysWOW64\Oqideepg.exe (command line: C:\Windows\system32\Oqideepg.exe; depth 159)
PID:1956

C:\Windows\SysWOW64\Ogblbo32.exe (command line: C:\Windows\system32\Ogblbo32.exe; depth 160)
PID:1736

C:\Windows\SysWOW64\Ofelmloo.exe (command line: C:\Windows\system32\Ofelmloo.exe; depth 161)
- Modifies registry class
PID:1760

C:\Windows\SysWOW64\Oonafa32.exe (command line: C:\Windows\system32\Oonafa32.exe; depth 162)
- Drops file in System32 directory
PID:2700

C:\Windows\SysWOW64\Ogeigofa.exe (command line: C:\Windows\system32\Ogeigofa.exe; depth 163)
PID:1944

C:\Windows\SysWOW64\Ofhick32.exe (command line: C:\Windows\system32\Ofhick32.exe; depth 164)
PID:1616

C:\Windows\SysWOW64\Ombapedi.exe (command line: C:\Windows\system32\Ombapedi.exe; depth 165)
PID:1128

C:\Windows\SysWOW64\Oclilp32.exe (command line: C:\Windows\system32\Oclilp32.exe; depth 166)
PID:1460

C:\Windows\SysWOW64\Ojfaijcc.exe (command line: C:\Windows\system32\Ojfaijcc.exe; depth 167)
PID:2192

C:\Windows\SysWOW64\Oobjaqaj.exe (command line: C:\Windows\system32\Oobjaqaj.exe; depth 168)
PID:2872

C:\Windows\SysWOW64\Ofmbnkhg.exe (command line: C:\Windows\system32\Ofmbnkhg.exe; depth 169)
PID:2980

C:\Windows\SysWOW64\Oikojfgk.exe (command line: C:\Windows\system32\Oikojfgk.exe; depth 170)
PID:2896

C:\Windows\SysWOW64\Ooeggp32.exe (command line: C:\Windows\system32\Ooeggp32.exe; depth 171)
PID:2364

C:\Windows\SysWOW64\Obcccl32.exe (command line: C:\Windows\system32\Obcccl32.exe; depth 172)
PID:2168

C:\Windows\SysWOW64\Pdaoog32.exe (command line: C:\Windows\system32\Pdaoog32.exe; depth 173)
- Drops file in System32 directory
PID:3024

C:\Windows\SysWOW64\Pklhlael.exe (command line: C:\Windows\system32\Pklhlael.exe; depth 174)
PID:2388

C:\Windows\SysWOW64\Pnjdhmdo.exe (command line: C:\Windows\system32\Pnjdhmdo.exe; depth 175)
PID:2320

C:\Windows\SysWOW64\Pedleg32.exe (command line: C:\Windows\system32\Pedleg32.exe; depth 176)
PID:1440

C:\Windows\SysWOW64\Pjadmnic.exe (command line: C:\Windows\system32\Pjadmnic.exe; depth 177)
PID:1592

C:\Windows\SysWOW64\Pbhmnkjf.exe (command line: C:\Windows\system32\Pbhmnkjf.exe; depth 178)
PID:1672

C:\Windows\SysWOW64\Pefijfii.exe (command line: C:\Windows\system32\Pefijfii.exe; depth 179)
PID:2128

C:\Windows\SysWOW64\Pkpagq32.exe (command line: C:\Windows\system32\Pkpagq32.exe; depth 180)
PID:2444

C:\Windows\SysWOW64\Pjcabmga.exe (command line: C:\Windows\system32\Pjcabmga.exe; depth 181)
PID:2156

C:\Windows\SysWOW64\Peiepfgg.exe (command line: C:\Windows\system32\Peiepfgg.exe; depth 182)
PID:2088

C:\Windows\SysWOW64\Pggbla32.exe (command line: C:\Windows\system32\Pggbla32.exe; depth 183)
PID:1852

C:\Windows\SysWOW64\Pmdjdh32.exe (command line: C:\Windows\system32\Pmdjdh32.exe; depth 184)
PID:1552

C:\Windows\SysWOW64\Ppbfpd32.exe (command line: C:\Windows\system32\Ppbfpd32.exe; depth 185)
PID:2544

C:\Windows\SysWOW64\Pcnbablo.exe (command line: C:\Windows\system32\Pcnbablo.exe; depth 186)
PID:1720

C:\Windows\SysWOW64\Qmfgjh32.exe (command line: C:\Windows\system32\Qmfgjh32.exe; depth 187)
PID:2680

C:\Windows\SysWOW64\Qpecfc32.exe (command line: C:\Windows\system32\Qpecfc32.exe; depth 188)
PID:896

C:\Windows\SysWOW64\Qbcpbo32.exe (command line: C:\Windows\system32\Qbcpbo32.exe; depth 189)
PID:2932
C:\Windows\SysWOW64\Qimhoi32.exe (command line: C:\Windows\system32\Qimhoi32.exe; depth 190)
PID:3096

C:\Windows\SysWOW64\Qlkdkd32.exe (command line: C:\Windows\system32\Qlkdkd32.exe; depth 191)
PID:3136

C:\Windows\SysWOW64\Qbelgood.exe (command line: C:\Windows\system32\Qbelgood.exe; depth 192)
PID:3176

C:\Windows\SysWOW64\Qfahhm32.exe (command line: C:\Windows\system32\Qfahhm32.exe; depth 193)
PID:3216

C:\Windows\SysWOW64\Alnqqd32.exe (command line: C:\Windows\system32\Alnqqd32.exe; depth 194)
PID:3256

C:\Windows\SysWOW64\Apimacnn.exe (command line: C:\Windows\system32\Apimacnn.exe; depth 195)
PID:3296

C:\Windows\SysWOW64\Aefeijle.exe (command line: C:\Windows\system32\Aefeijle.exe; depth 196)
PID:3336

C:\Windows\SysWOW64\Ahdaee32.exe (command line: C:\Windows\system32\Ahdaee32.exe; depth 197)
PID:3376

C:\Windows\SysWOW64\Anojbobe.exe (command line: C:\Windows\system32\Anojbobe.exe; depth 198)
PID:3416

C:\Windows\SysWOW64\Aehboi32.exe (command line: C:\Windows\system32\Aehboi32.exe; depth 199)
PID:3456

C:\Windows\SysWOW64\Ahgnke32.exe (command line: C:\Windows\system32\Ahgnke32.exe; depth 200)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3496

C:\Windows\SysWOW64\Ajejgp32.exe (command line: C:\Windows\system32\Ajejgp32.exe; depth 201)
PID:3536

C:\Windows\SysWOW64\Aekodi32.exe (command line: C:\Windows\system32\Aekodi32.exe; depth 202)
PID:3576

C:\Windows\SysWOW64\Ahikqd32.exe (command line: C:\Windows\system32\Ahikqd32.exe; depth 203)
PID:3616

C:\Windows\SysWOW64\Anccmo32.exe (command line: C:\Windows\system32\Anccmo32.exe; depth 204)
PID:3656

C:\Windows\SysWOW64\Aaaoij32.exe (command line: C:\Windows\system32\Aaaoij32.exe; depth 205)
PID:3696

C:\Windows\SysWOW64\Adpkee32.exe (command line: C:\Windows\system32\Adpkee32.exe; depth 206)
PID:3736

C:\Windows\SysWOW64\Ajjcbpdd.exe (command line: C:\Windows\system32\Ajjcbpdd.exe; depth 207)
PID:3776

C:\Windows\SysWOW64\Aadloj32.exe (command line: C:\Windows\system32\Aadloj32.exe; depth 208)
PID:3816

C:\Windows\SysWOW64\Bpgljfbl.exe (command line: C:\Windows\system32\Bpgljfbl.exe; depth 209)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3856

C:\Windows\SysWOW64\Bfadgq32.exe (command line: C:\Windows\system32\Bfadgq32.exe; depth 210)
PID:3896

C:\Windows\SysWOW64\Bioqclil.exe (command line: C:\Windows\system32\Bioqclil.exe; depth 211)
PID:3936

C:\Windows\SysWOW64\Bdeeqehb.exe (command line: C:\Windows\system32\Bdeeqehb.exe; depth 212)
PID:3976

C:\Windows\SysWOW64\Bfcampgf.exe (command line: C:\Windows\system32\Bfcampgf.exe; depth 213)
PID:4016

C:\Windows\SysWOW64\Bmmiij32.exe (command line: C:\Windows\system32\Bmmiij32.exe; depth 214)
PID:4056

C:\Windows\SysWOW64\Blpjegfm.exe (command line: C:\Windows\system32\Blpjegfm.exe; depth 215)
PID:1600

C:\Windows\SysWOW64\Bbjbaa32.exe (command line: C:\Windows\system32\Bbjbaa32.exe; depth 216)
PID:3088

C:\Windows\SysWOW64\Behnnm32.exe (command line: C:\Windows\system32\Behnnm32.exe; depth 217)
- Modifies registry class
PID:3144

C:\Windows\SysWOW64\Blbfjg32.exe (command line: C:\Windows\system32\Blbfjg32.exe; depth 218)
- Drops file in System32 directory
PID:3192

C:\Windows\SysWOW64\Boqbfb32.exe (command line: C:\Windows\system32\Boqbfb32.exe; depth 219)
PID:3240

C:\Windows\SysWOW64\Bekkcljk.exe (command line: C:\Windows\system32\Bekkcljk.exe; depth 220)
PID:3280

C:\Windows\SysWOW64\Bhigphio.exe (command line: C:\Windows\system32\Bhigphio.exe; depth 221)
PID:3352

C:\Windows\SysWOW64\Bocolb32.exe (command line: C:\Windows\system32\Bocolb32.exe; depth 222)
PID:3388

C:\Windows\SysWOW64\Bbokmqie.exe (command line: C:\Windows\system32\Bbokmqie.exe; depth 223)
PID:3448

C:\Windows\SysWOW64\Bhkdeggl.exe (command line: C:\Windows\system32\Bhkdeggl.exe; depth 224)
PID:3492

C:\Windows\SysWOW64\Coelaaoi.exe (command line: C:\Windows\system32\Coelaaoi.exe; depth 225)
PID:3552

C:\Windows\SysWOW64\Cadhnmnm.exe (command line: C:\Windows\system32\Cadhnmnm.exe; depth 226)
PID:3596

C:\Windows\SysWOW64\Cdbdjhmp.exe (command line: C:\Windows\system32\Cdbdjhmp.exe; depth 227)
PID:3644

C:\Windows\SysWOW64\Cafecmlj.exe (command line: C:\Windows\system32\Cafecmlj.exe; depth 228)
PID:3676

C:\Windows\SysWOW64\Cddaphkn.exe (command line: C:\Windows\system32\Cddaphkn.exe; depth 229)
PID:3752

C:\Windows\SysWOW64\Ckoilb32.exe (command line: C:\Windows\system32\Ckoilb32.exe; depth 230)
PID:3788

C:\Windows\SysWOW64\Cnmehnan.exe (command line: C:\Windows\system32\Cnmehnan.exe; depth 231)
PID:3864

C:\Windows\SysWOW64\Cdgneh32.exe (command line: C:\Windows\system32\Cdgneh32.exe; depth 232)
PID:3892

C:\Windows\SysWOW64\Cgejac32.exe (command line: C:\Windows\system32\Cgejac32.exe; depth 233)
PID:3916

C:\Windows\SysWOW64\Cnobnmpl.exe (command line: C:\Windows\system32\Cnobnmpl.exe; depth 234)
PID:3996

C:\Windows\SysWOW64\Cpnojioo.exe (command line: C:\Windows\system32\Cpnojioo.exe; depth 235)
- Modifies registry class
PID:4040

C:\Windows\SysWOW64\Ckccgane.exe (command line: C:\Windows\system32\Ckccgane.exe; depth 236)
PID:4092

C:\Windows\SysWOW64\Cnaocmmi.exe (command line: C:\Windows\system32\Cnaocmmi.exe; depth 237)
- Drops file in System32 directory
PID:3104

C:\Windows\SysWOW64\Ccngld32.exe (command line: C:\Windows\system32\Ccngld32.exe; depth 238)
PID:3164

C:\Windows\SysWOW64\Dfmdho32.exe (command line: C:\Windows\system32\Dfmdho32.exe; depth 239)
PID:3236

C:\Windows\SysWOW64\Dlgldibq.exe (command line: C:\Windows\system32\Dlgldibq.exe; depth 240)
PID:3288

C:\Windows\SysWOW64\Dcadac32.exe (command line: C:\Windows\system32\Dcadac32.exe; depth 241)
PID:3324

C:\Windows\SysWOW64\Djklnnaj.exe (command line: C:\Windows\system32\Djklnnaj.exe; depth 242)
- Drops file in System32 directory
PID:3404