Analysis

max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 31-05-2024 14:15

Behavioral task: behavioral1
Sample: bc967748e29fbdaa0bf654ae624e6c10_NeikiAnalytics.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: bc967748e29fbdaa0bf654ae624e6c10_NeikiAnalytics.exe
Resource: win10v2004-20240508-en

General

Target: bc967748e29fbdaa0bf654ae624e6c10_NeikiAnalytics.exe
Size: 176KB
MD5: bc967748e29fbdaa0bf654ae624e6c10
SHA1: fb7aaad2fe39fce0ae2528b3e3d298a182cc56d5
SHA256: 933b1c61c44e3eea0afcbcb847d0cb82c98ca2cde77f11e2a87cd675e8c7d77e
SHA512: 3c280b7511ef3612e34cda456a9fb87b1df0f8296cc1ee422b666694cef98fe63632a6d6ed5b5811394bbf4e8e1f4d8e74db959323005497105877922a3d3103
SSDEEP: 3072:Ixm9DJY4PHsE1cjENRZ9wmAOIayGsOOJF4EISi/i4gG4npAjmA39QQIckJI:2mDJ5ME1nTZ9EaUn4yjK99QQd
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  38 entries, by: Ghkndf32.exe, Hhejnc32.exe, Afgkfl32.exe, Helgmg32.exe, Aecaidjl.exe, Eobapbbg.exe, Cjgoje32.exe, Gdniqh32.exe, Ddfcje32.exe, Pjadmnic.exe, Jeadap32.exe, Dklddhka.exe, Dkqbaecc.exe, Nehomq32.exe, Ieigfk32.exe, Bbokmqie.exe, Fqglggcp.exe, Eggndi32.exe, Pcnejk32.exe, Lhmjkaoc.exe, Acmhepko.exe, Ipjoplgo.exe, Gbjlaplk.exe, Bfhmqhkd.exe, Mbpipp32.exe, Ofhick32.exe, Qobbofgn.exe, Jgfqaiod.exe, Fmfnhj32.exe, Kqfdnljm.exe, Hfpdkl32.exe, Dhkkbmnp.exe, Ijdqna32.exe, and 5 entries with no process recorded

Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
  26 entries, by: Popeif32.exe, Nfnneb32.exe, Gnaooi32.exe, Oaaifdhb.exe, Mlkjne32.exe, Fjgalndh.exe, Jdpgjhbm.exe, Gncldi32.exe, Akhfoldn.exe, Dcfpel32.exe, Dobgihgp.exe, Mpdqdkie.exe, Jgojpjem.exe, Iaonhm32.exe, Pnopldgn.exe, Ogkkfmml.exe, Flehkhai.exe, Gepehphc.exe, Imokehhl.exe, Ddomif32.exe, Jpfhoi32.exe, Obdojcef.exe, Piqpkpml.exe, Bbgqjdce.exe, Cofnjj32.exe, Fbbofjnh.exe
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan with the capability to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

yara_rule family_berbew matched on each of the following resources:
behavioral1/memory/1888-0-0x0000000000400000-0x000000000043E000-memory.dmp
\Windows\SysWOW64\Jbgbni32.exe
behavioral1/memory/1888-6-0x0000000000250000-0x000000000028E000-memory.dmp
C:\Windows\SysWOW64\Jokcgmee.exe
behavioral1/memory/2844-25-0x0000000001F70000-0x0000000001FAE000-memory.dmp
\Windows\SysWOW64\Jmocpado.exe
behavioral1/memory/2316-37-0x00000000005D0000-0x000000000060E000-memory.dmp
behavioral1/memory/2620-41-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\Jifdebic.exe
behavioral1/memory/3052-54-0x0000000000400000-0x000000000043E000-memory.dmp
\Windows\SysWOW64\Kgkafo32.exe
behavioral1/memory/3052-66-0x0000000000310000-0x000000000034E000-memory.dmp
\Windows\SysWOW64\Keoapb32.exe
behavioral1/memory/2412-80-0x0000000000400000-0x000000000043E000-memory.dmp
\Windows\SysWOW64\Kmjfdejp.exe
behavioral1/memory/2412-87-0x00000000002D0000-0x000000000030E000-memory.dmp
C:\Windows\SysWOW64\Knjbnh32.exe
behavioral1/memory/2692-107-0x0000000000400000-0x000000000043E000-memory.dmp
\Windows\SysWOW64\Kjqccigf.exe
behavioral1/memory/2764-125-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\Kaklpcoc.exe
behavioral1/memory/2764-128-0x0000000000250000-0x000000000028E000-memory.dmp
behavioral1/memory/764-134-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\Kmaled32.exe
behavioral1/memory/1636-152-0x0000000000400000-0x000000000043E000-memory.dmp
\Windows\SysWOW64\Lpphap32.exe
behavioral1/memory/992-160-0x0000000000400000-0x000000000043E000-memory.dmp
\Windows\SysWOW64\Lpbefoai.exe
behavioral1/memory/992-173-0x00000000002D0000-0x000000000030E000-memory.dmp
C:\Windows\SysWOW64\Lflmci32.exe
\Windows\SysWOW64\Lhmjkaoc.exe
behavioral1/memory/1732-199-0x0000000000400000-0x000000000043E000-memory.dmp
behavioral1/memory/3036-201-0x0000000000400000-0x000000000043E000-memory.dmp
behavioral1/memory/592-193-0x0000000000400000-0x000000000043E000-memory.dmp
\Windows\SysWOW64\Leajdfnm.exe
behavioral1/memory/2068-215-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\Lmolnh32.exe
behavioral1/memory/292-225-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\Ldidkbpb.exe
behavioral1/memory/412-238-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\Mkclhl32.exe
behavioral1/memory/2136-247-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\Mmahdggc.exe
behavioral1/memory/1740-254-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\Mmceigep.exe
behavioral1/memory/1740-263-0x0000000000250000-0x000000000028E000-memory.dmp
behavioral1/memory/1740-268-0x0000000000250000-0x000000000028E000-memory.dmp
behavioral1/memory/1952-270-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\Mdmmfa32.exe
behavioral1/memory/1952-271-0x0000000000250000-0x000000000028E000-memory.dmp
behavioral1/memory/1620-276-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\Mcbjgn32.exe
behavioral1/memory/1704-290-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\Mimbdhhb.exe
behavioral1/memory/1144-298-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\Mgqcmlgl.exe
behavioral1/memory/1452-313-0x0000000000400000-0x000000000043E000-memory.dmp
behavioral1/memory/1964-320-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\Miooigfo.exe
C:\Windows\SysWOW64\Nlphkb32.exe
behavioral1/memory/1696-340-0x0000000000250000-0x000000000028E000-memory.dmp
behavioral1/memory/1988-342-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\Nondgn32.exe
behavioral1/memory/1696-336-0x0000000000400000-0x000000000043E000-memory.dmp
Executes dropped EXE (64 IoCs)

pid process
2844 Jbgbni32.exe
2316 Jokcgmee.exe
2620 Jmocpado.exe
3052 Jifdebic.exe
2748 Kgkafo32.exe
2412 Keoapb32.exe
2984 Kmjfdejp.exe
2692 Knjbnh32.exe
2764 Kjqccigf.exe
764 Kaklpcoc.exe
1636 Kmaled32.exe
992 Lpphap32.exe
592 Lpbefoai.exe
1732 Lflmci32.exe
3036 Lhmjkaoc.exe
2068 Leajdfnm.exe
292 Lmolnh32.exe
412 Ldidkbpb.exe
2136 Mkclhl32.exe
1740 Mmahdggc.exe
1952 Mmceigep.exe
1620 Mdmmfa32.exe
1704 Mcbjgn32.exe
1144 Mimbdhhb.exe
1452 Mgqcmlgl.exe
1964 Miooigfo.exe
1696 Nlphkb32.exe
1988 Nondgn32.exe
1880 Nlbeqb32.exe
2636 Nncahjgl.exe
2800 Nkgbbo32.exe
2648 Nnennj32.exe
2444 Ndpfkdmf.exe
1992 Npfgpe32.exe
2716 Ngpolo32.exe
2856 Oqideepg.exe
2888 Oqkqkdne.exe
1892 Ofhick32.exe
344 Oopnlacm.exe
1900 Ohibdf32.exe
1688 Oikojfgk.exe
1668 Okikfagn.exe
2104 Pfoocjfd.exe
1296 Pogclp32.exe
2928 Pbfpik32.exe
2936 Pedleg32.exe
1804 Piphee32.exe
1108 Pjadmnic.exe
932 Pefijfii.exe
1388 Pkpagq32.exe
1868 Pmanoifd.exe
2340 Pclfkc32.exe
1692 Pjenhm32.exe
2972 Pnajilng.exe
2568 Papfegmk.exe
2552 Pjhknm32.exe
2440 Pikkiijf.exe
2176 Qcpofbjl.exe
2144 Qimhoi32.exe
2740 Qpgpkcpp.exe
2708 Qbelgood.exe
996 Aipddi32.exe
1092 Apimacnn.exe
2400 Afcenm32.exe
Loads dropped DLL (64 IoCs)

pid process (each pair is listed twice in the report)
1888 bc967748e29fbdaa0bf654ae624e6c10_NeikiAnalytics.exe
2844 Jbgbni32.exe
2316 Jokcgmee.exe
2620 Jmocpado.exe
3052 Jifdebic.exe
2748 Kgkafo32.exe
2412 Keoapb32.exe
2984 Kmjfdejp.exe
2692 Knjbnh32.exe
2764 Kjqccigf.exe
764 Kaklpcoc.exe
1636 Kmaled32.exe
992 Lpphap32.exe
592 Lpbefoai.exe
1732 Lflmci32.exe
3036 Lhmjkaoc.exe
2068 Leajdfnm.exe
292 Lmolnh32.exe
412 Ldidkbpb.exe
2136 Mkclhl32.exe
1740 Mmahdggc.exe
1952 Mmceigep.exe
1620 Mdmmfa32.exe
1704 Mcbjgn32.exe
1144 Mimbdhhb.exe
1452 Mgqcmlgl.exe
1964 Miooigfo.exe
1696 Nlphkb32.exe
1988 Nondgn32.exe
1880 Nlbeqb32.exe
2636 Nncahjgl.exe
2800 Nkgbbo32.exe
Drops file in System32 directory (64 IoCs)

description ioc process
File created C:\Windows\SysWOW64\Lgeajlgp.dll Jliohkak.exe
File created C:\Windows\SysWOW64\Okppejbk.dll Nlnnnk32.exe
File created C:\Windows\SysWOW64\Pclmghko.dll Iamdkfnc.exe
File opened for modification C:\Windows\SysWOW64\Kbdklf32.exe Kofopj32.exe
File created C:\Windows\SysWOW64\Ilabmedg.exe Iibfajdc.exe
File opened for modification C:\Windows\SysWOW64\Ompefj32.exe (no process recorded)
File created C:\Windows\SysWOW64\Ebgclm32.exe Eoigpa32.exe
File created C:\Windows\SysWOW64\Onejdijo.dll Degiggjm.exe
File opened for modification C:\Windows\SysWOW64\Fbopgb32.exe Flehkhai.exe
File created C:\Windows\SysWOW64\Obmolfok.dll Naalga32.exe
File created C:\Windows\SysWOW64\Ojbkibad.dll Fcjeon32.exe
File created C:\Windows\SysWOW64\Aaiioe32.dll Eclbcj32.exe
File created C:\Windows\SysWOW64\Qmfpeb32.dll Fjhcegll.exe
File opened for modification C:\Windows\SysWOW64\Gfejjgli.exe Gcgnnlle.exe
File opened for modification C:\Windows\SysWOW64\Neplhf32.exe Nofdklgl.exe
File opened for modification C:\Windows\SysWOW64\Jgqpkc32.exe Jpfhoi32.exe
File created C:\Windows\SysWOW64\Onaiomjo.dll (no process recorded)
File opened for modification C:\Windows\SysWOW64\Gjdhbc32.exe Gpncej32.exe
File created C:\Windows\SysWOW64\Ifoqjo32.exe Ipehmebh.exe
File created C:\Windows\SysWOW64\Pdmkonce.dll Fagjnn32.exe
File created C:\Windows\SysWOW64\Pdefbe32.dll Dnlkmkpn.exe
File created C:\Windows\SysWOW64\Lbemfbdk.exe Lnjafd32.exe
File created C:\Windows\SysWOW64\Dgbdoe32.dll Fjdnlhco.exe
File opened for modification C:\Windows\SysWOW64\Mfllkece.exe Mcnpojca.exe
File opened for modification C:\Windows\SysWOW64\Aodkci32.exe Akiobk32.exe
File created C:\Windows\SysWOW64\Cpmddpid.dll Ibehla32.exe
File created C:\Windows\SysWOW64\Mmpife32.dll Knnkpobc.exe
File created C:\Windows\SysWOW64\Mhniklfm.dll Klngkfge.exe
File created C:\Windows\SysWOW64\Plnoej32.dll Dlgldibq.exe
File opened for modification C:\Windows\SysWOW64\Ipehmebh.exe Hndlem32.exe
File created C:\Windows\SysWOW64\Nbdmji32.dll Jkhejkcq.exe
File opened for modification C:\Windows\SysWOW64\Cfnmfn32.exe Cdoajb32.exe
File created C:\Windows\SysWOW64\Dhkiid32.exe Ddomif32.exe
File created C:\Windows\SysWOW64\Daejhjkj.exe Dkkbkp32.exe
File created C:\Windows\SysWOW64\Hejcbh32.dll Lghlndfa.exe
File opened for modification C:\Windows\SysWOW64\Hbfbgd32.exe Hpgfki32.exe
File opened for modification C:\Windows\SysWOW64\Cohkpj32.exe Chnbcpmn.exe
File created C:\Windows\SysWOW64\Alinabdk.dll Dedlag32.exe
File created C:\Windows\SysWOW64\Iocnkj32.dll Mjaddn32.exe
File opened for modification C:\Windows\SysWOW64\Mmbmeifk.exe Mkqqnq32.exe
File created C:\Windows\SysWOW64\Ldjpbign.exe Lblcfnhj.exe
File opened for modification C:\Windows\SysWOW64\Qkkmqnck.exe Qeaedd32.exe
File opened for modification C:\Windows\SysWOW64\Gaafhloq.exe Gppipc32.exe
File created C:\Windows\SysWOW64\Onoflapg.dll Gppipc32.exe
File created C:\Windows\SysWOW64\Anllfndp.dll Jpfhoi32.exe
File opened for modification C:\Windows\SysWOW64\Foojop32.exe Flqmbd32.exe
File created C:\Windows\SysWOW64\Ggcaiqhj.exe Geeemeif.exe
File created C:\Windows\SysWOW64\Pefijfii.exe Pjadmnic.exe
File created C:\Windows\SysWOW64\Mbiaej32.dll Bjlqhoba.exe
File opened for modification C:\Windows\SysWOW64\Ddgjdk32.exe Dfdjhndl.exe
File opened for modification C:\Windows\SysWOW64\Ejmhkiig.exe Eccpoo32.exe
File created C:\Windows\SysWOW64\Pbjdnlob.dll Jmdepg32.exe
File created C:\Windows\SysWOW64\Qlfgce32.dll (no process recorded)
File created C:\Windows\SysWOW64\Bkfeekif.dll Gebbnpfp.exe
File created C:\Windows\SysWOW64\Mmgfqh32.exe Mfmndn32.exe
File created C:\Windows\SysWOW64\Jkgcab32.exe Jcpkpe32.exe
File created C:\Windows\SysWOW64\Bkijnbae.dll Mjekfd32.exe
File created C:\Windows\SysWOW64\Nloone32.dll (no process recorded)
File created C:\Windows\SysWOW64\Lnfhlh32.dll Ckafbbph.exe
File created C:\Windows\SysWOW64\Opglafab.exe (no process recorded)
File opened for modification C:\Windows\SysWOW64\Fhgnge32.exe Fjdnlhco.exe
File created C:\Windows\SysWOW64\Helgmg32.exe Hmeolj32.exe
File opened for modification C:\Windows\SysWOW64\Ipjahd32.exe Imleli32.exe
File created C:\Windows\SysWOW64\Coalledf.dll Cgkocj32.exe
Drops file in Windows directory (2 IoCs)

description ioc process
File created C:\Windows\system32†Dhhhbg32.¿xe (no process recorded)
File opened for modification C:\Windows\system32†Dhhhbg32.¿xe (no process recorded)
Program crash (1 IoC)

pid pid_target process target process
4672 3304 (process names not recorded)
Modifies registry class (64 IoCs)

All 64 entries are under \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32, the in-process COM server registration for the same CLSID that the ShellServiceObjectDelayLoad value "Web Event Logger" above points at.

Key created: ...\InProcServer32
  17 entries, by: Lflmci32.exe, Fgigil32.exe, Elldgehk.exe, Oehklddp.exe, Kkileele.exe, Mmahdggc.exe, Khkpijma.exe, Folfoj32.exe, Oopnlacm.exe, Nefbga32.exe, Jnpinc32.exe, Cgejac32.exe, Dhkiid32.exe, Mimemp32.exe, Injndk32.exe, Nblpfepo.exe, and 1 entry with no process recorded

Set value (str): ...\InProcServer32\ThreadingModel = "Apartment"
  23 entries, by: Obdojcef.exe, Ndjfeo32.exe, Jmfafgbd.exe, Gcokiaji.exe, Piphee32.exe, Enakbp32.exe, Gjngmmnp.exe, Llcefjgf.exe, Jlpeij32.exe, Pfdabino.exe, Cafgle32.exe, Lqhfhigj.exe, Hmeolj32.exe, Gqnbhf32.exe, Jfknbe32.exe, Geeemeif.exe, Mkqqnq32.exe, Ipjahd32.exe, Gepehphc.exe, Cilibi32.exe, Cpcnonob.exe, and 2 entries with no process recorded

Set value (str): ...\InProcServer32\ (Default) = DLL path (24 entries; value, then the writing process)
"C:\\Windows\\SysWow64\\Mbbcbk32.dll" Ikkjbe32.exe
"C:\\Windows\\SysWow64\\Nnmphi32.dll" Nlphkb32.exe
"C:\\Windows\\SysWow64\\Ncniim32.dll" Lblcfnhj.exe
"C:\\Windows\\SysWow64\\Ghmnek32.dll" Anlfbi32.exe
"C:\\Windows\\SysWow64\\Diceon32.dll" Magqncba.exe
"C:\\Windows\\SysWow64\\Bjdgpmfa.dll" Jblnaq32.exe
"C:\\Windows\\SysWow64\\Dfkjnkib.dll" Pclfkc32.exe
"C:\\Windows\\SysWow64\\Njelgo32.dll" Amelne32.exe
"C:\\Windows\\SysWow64\\Naejdn32.dll" (no process recorded)
"C:\\Windows\\SysWow64\\Hcmkhf32.dll" Mmbmeifk.exe
"C:\\Windows\\SysWow64\\Egjbkk32.dll" Leajdfnm.exe
"C:\\Windows\\SysWow64\\Jojndakj.dll" Jgqpkc32.exe
"C:\\Windows\\SysWow64\\Kjoppjjm.dll" Gmpjagfa.exe
"C:\\Windows\\SysWow64\\Kokbpahm.dll" Knjbnh32.exe
"C:\\Windows\\SysWow64\\Kfmmfimm.dll" Fjegog32.exe
"C:\\Windows\\SysWow64\\Ipbgkbdb.dll" Mlkjne32.exe
"C:\\Windows\\SysWow64\\Kfeoelgo.dll" Bfkifhib.exe
"C:\\Windows\\SysWow64\\Lijfoo32.dll" Pkpagq32.exe
"C:\\Windows\\SysWow64\\Nfcakjoj.dll" (no process recorded)
"C:\\Windows\\SysWow64\\Qkekligg.dll" Febfomdd.exe
"C:\\Windows\\SysWow64\\Ijngkeln.dll" Ebgclm32.exe
"C:\\Windows\\SysWow64\\Pimkgkgm.dll" Iajemnia.exe
"C:\\Windows\\SysWow64\\Ogqhpm32.dll" (no process recorded)
"C:\\Windows\\SysWow64\\Oggfcl32.dll" Hmalldcn.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
Process tree, one process per line: tree depth | PID | image path | command line | signatures triggered. Depth 1 is the submitted sample; each deeper entry is a child in the tree as the sandbox recorded it. Image paths and command lines are reproduced as recorded (the 32-bit processes are launched via the system32 path, which file system redirection resolves to SysWOW64).
1 | 1888 | C:\Users\Admin\AppData\Local\Temp\bc967748e29fbdaa0bf654ae624e6c10_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\bc967748e29fbdaa0bf654ae624e6c10_NeikiAnalytics.exe" | Loads dropped DLL; Suspicious use of WriteProcessMemory
2 | 2844 | C:\Windows\SysWOW64\Jbgbni32.exe | C:\Windows\system32\Jbgbni32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
3 | 2316 | C:\Windows\SysWOW64\Jokcgmee.exe | C:\Windows\system32\Jokcgmee.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
4 | 2620 | C:\Windows\SysWOW64\Jmocpado.exe | C:\Windows\system32\Jmocpado.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
5 | 3052 | C:\Windows\SysWOW64\Jifdebic.exe | C:\Windows\system32\Jifdebic.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
6 | 2748 | C:\Windows\SysWOW64\Kgkafo32.exe | C:\Windows\system32\Kgkafo32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7 | 2412 | C:\Windows\SysWOW64\Keoapb32.exe | C:\Windows\system32\Keoapb32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
8 | 2984 | C:\Windows\SysWOW64\Kmjfdejp.exe | C:\Windows\system32\Kmjfdejp.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
9 | 2692 | C:\Windows\SysWOW64\Knjbnh32.exe | C:\Windows\system32\Knjbnh32.exe | Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
10 | 2764 | C:\Windows\SysWOW64\Kjqccigf.exe | C:\Windows\system32\Kjqccigf.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
11 | 764 | C:\Windows\SysWOW64\Kaklpcoc.exe | C:\Windows\system32\Kaklpcoc.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
12 | 1636 | C:\Windows\SysWOW64\Kmaled32.exe | C:\Windows\system32\Kmaled32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
13 | 992 | C:\Windows\SysWOW64\Lpphap32.exe | C:\Windows\system32\Lpphap32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
14 | 592 | C:\Windows\SysWOW64\Lpbefoai.exe | C:\Windows\system32\Lpbefoai.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
15 | 1732 | C:\Windows\SysWOW64\Lflmci32.exe | C:\Windows\system32\Lflmci32.exe | Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
16 | 3036 | C:\Windows\SysWOW64\Lhmjkaoc.exe | C:\Windows\system32\Lhmjkaoc.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
17 | 2068 | C:\Windows\SysWOW64\Leajdfnm.exe | C:\Windows\system32\Leajdfnm.exe | Executes dropped EXE; Loads dropped DLL; Modifies registry class
18 | 292 | C:\Windows\SysWOW64\Lmolnh32.exe | C:\Windows\system32\Lmolnh32.exe | Executes dropped EXE; Loads dropped DLL
19 | 412 | C:\Windows\SysWOW64\Ldidkbpb.exe | C:\Windows\system32\Ldidkbpb.exe | Executes dropped EXE; Loads dropped DLL
20 | 2136 | C:\Windows\SysWOW64\Mkclhl32.exe | C:\Windows\system32\Mkclhl32.exe | Executes dropped EXE; Loads dropped DLL
21 | 1740 | C:\Windows\SysWOW64\Mmahdggc.exe | C:\Windows\system32\Mmahdggc.exe | Executes dropped EXE; Loads dropped DLL; Modifies registry class
22 | 1952 | C:\Windows\SysWOW64\Mmceigep.exe | C:\Windows\system32\Mmceigep.exe | Executes dropped EXE; Loads dropped DLL
23 | 1620 | C:\Windows\SysWOW64\Mdmmfa32.exe | C:\Windows\system32\Mdmmfa32.exe | Executes dropped EXE; Loads dropped DLL
24 | 1704 | C:\Windows\SysWOW64\Mcbjgn32.exe | C:\Windows\system32\Mcbjgn32.exe | Executes dropped EXE; Loads dropped DLL
25 | 1144 | C:\Windows\SysWOW64\Mimbdhhb.exe | C:\Windows\system32\Mimbdhhb.exe | Executes dropped EXE; Loads dropped DLL
26 | 1452 | C:\Windows\SysWOW64\Mgqcmlgl.exe | C:\Windows\system32\Mgqcmlgl.exe | Executes dropped EXE; Loads dropped DLL
27 | 1964 | C:\Windows\SysWOW64\Miooigfo.exe | C:\Windows\system32\Miooigfo.exe | Executes dropped EXE; Loads dropped DLL
28 | 1696 | C:\Windows\SysWOW64\Nlphkb32.exe | C:\Windows\system32\Nlphkb32.exe | Executes dropped EXE; Loads dropped DLL; Modifies registry class
29 | 1988 | C:\Windows\SysWOW64\Nondgn32.exe | C:\Windows\system32\Nondgn32.exe | Executes dropped EXE; Loads dropped DLL
30 | 1880 | C:\Windows\SysWOW64\Nlbeqb32.exe | C:\Windows\system32\Nlbeqb32.exe | Executes dropped EXE; Loads dropped DLL
31 | 2636 | C:\Windows\SysWOW64\Nncahjgl.exe | C:\Windows\system32\Nncahjgl.exe | Executes dropped EXE; Loads dropped DLL
32 | 2800 | C:\Windows\SysWOW64\Nkgbbo32.exe | C:\Windows\system32\Nkgbbo32.exe | Executes dropped EXE; Loads dropped DLL
33 | 2648 | C:\Windows\SysWOW64\Nnennj32.exe | C:\Windows\system32\Nnennj32.exe | Executes dropped EXE
34 | 2444 | C:\Windows\SysWOW64\Ndpfkdmf.exe | C:\Windows\system32\Ndpfkdmf.exe | Executes dropped EXE
35 | 1992 | C:\Windows\SysWOW64\Npfgpe32.exe | C:\Windows\system32\Npfgpe32.exe | Executes dropped EXE
36 | 2716 | C:\Windows\SysWOW64\Ngpolo32.exe | C:\Windows\system32\Ngpolo32.exe | Executes dropped EXE
37 | 2856 | C:\Windows\SysWOW64\Oqideepg.exe | C:\Windows\system32\Oqideepg.exe | Executes dropped EXE
38 | 2888 | C:\Windows\SysWOW64\Oqkqkdne.exe | C:\Windows\system32\Oqkqkdne.exe | Executes dropped EXE
39 | 1892 | C:\Windows\SysWOW64\Ofhick32.exe | C:\Windows\system32\Ofhick32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
40 | 344 | C:\Windows\SysWOW64\Oopnlacm.exe | C:\Windows\system32\Oopnlacm.exe | Executes dropped EXE; Modifies registry class
41 | 1900 | C:\Windows\SysWOW64\Ohibdf32.exe | C:\Windows\system32\Ohibdf32.exe | Executes dropped EXE
42 | 1688 | C:\Windows\SysWOW64\Oikojfgk.exe | C:\Windows\system32\Oikojfgk.exe | Executes dropped EXE
43 | 1668 | C:\Windows\SysWOW64\Okikfagn.exe | C:\Windows\system32\Okikfagn.exe | Executes dropped EXE
44 | 2104 | C:\Windows\SysWOW64\Pfoocjfd.exe | C:\Windows\system32\Pfoocjfd.exe | Executes dropped EXE
45 | 1296 | C:\Windows\SysWOW64\Pogclp32.exe | C:\Windows\system32\Pogclp32.exe | Executes dropped EXE
46 | 2928 | C:\Windows\SysWOW64\Pbfpik32.exe | C:\Windows\system32\Pbfpik32.exe | Executes dropped EXE
47 | 2936 | C:\Windows\SysWOW64\Pedleg32.exe | C:\Windows\system32\Pedleg32.exe | Executes dropped EXE
48 | 1804 | C:\Windows\SysWOW64\Piphee32.exe | C:\Windows\system32\Piphee32.exe | Executes dropped EXE; Modifies registry class
49 | 1108 | C:\Windows\SysWOW64\Pjadmnic.exe | C:\Windows\system32\Pjadmnic.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
50 | 932 | C:\Windows\SysWOW64\Pefijfii.exe | C:\Windows\system32\Pefijfii.exe | Executes dropped EXE
51 | 1388 | C:\Windows\SysWOW64\Pkpagq32.exe | C:\Windows\system32\Pkpagq32.exe | Executes dropped EXE; Modifies registry class
52 | 1868 | C:\Windows\SysWOW64\Pmanoifd.exe | C:\Windows\system32\Pmanoifd.exe | Executes dropped EXE
53 | 2340 | C:\Windows\SysWOW64\Pclfkc32.exe | C:\Windows\system32\Pclfkc32.exe | Executes dropped EXE; Modifies registry class
54 | 1692 | C:\Windows\SysWOW64\Pjenhm32.exe | C:\Windows\system32\Pjenhm32.exe | Executes dropped EXE
55 | 2972 | C:\Windows\SysWOW64\Pnajilng.exe | C:\Windows\system32\Pnajilng.exe | Executes dropped EXE
56 | 2568 | C:\Windows\SysWOW64\Papfegmk.exe | C:\Windows\system32\Papfegmk.exe | Executes dropped EXE
57 | 2552 | C:\Windows\SysWOW64\Pjhknm32.exe | C:\Windows\system32\Pjhknm32.exe | Executes dropped EXE
58 | 2440 | C:\Windows\SysWOW64\Pikkiijf.exe | C:\Windows\system32\Pikkiijf.exe | Executes dropped EXE
59 | 2176 | C:\Windows\SysWOW64\Qcpofbjl.exe | C:\Windows\system32\Qcpofbjl.exe | Executes dropped EXE
60 | 2144 | C:\Windows\SysWOW64\Qimhoi32.exe | C:\Windows\system32\Qimhoi32.exe | Executes dropped EXE
61 | 2740 | C:\Windows\SysWOW64\Qpgpkcpp.exe | C:\Windows\system32\Qpgpkcpp.exe | Executes dropped EXE
62 | 2708 | C:\Windows\SysWOW64\Qbelgood.exe | C:\Windows\system32\Qbelgood.exe | Executes dropped EXE
63 | 996 | C:\Windows\SysWOW64\Aipddi32.exe | C:\Windows\system32\Aipddi32.exe | Executes dropped EXE
64 | 1092 | C:\Windows\SysWOW64\Apimacnn.exe | C:\Windows\system32\Apimacnn.exe | Executes dropped EXE
65 | 2400 | C:\Windows\SysWOW64\Afcenm32.exe | C:\Windows\system32\Afcenm32.exe | Executes dropped EXE
66 | 296 | C:\Windows\SysWOW64\Aefeijle.exe | C:\Windows\system32\Aefeijle.exe |
67 | 1720 | C:\Windows\SysWOW64\Aplifb32.exe | C:\Windows\system32\Aplifb32.exe |
68 | 2396 | C:\Windows\SysWOW64\Aamfnkai.exe | C:\Windows\system32\Aamfnkai.exe |
69 | 1968 | C:\Windows\SysWOW64\Aidnohbk.exe | C:\Windows\system32\Aidnohbk.exe |
70 | 1604 | C:\Windows\SysWOW64\Ajejgp32.exe | C:\Windows\system32\Ajejgp32.exe |
71 | 1956 | C:\Windows\SysWOW64\Abmbhn32.exe | C:\Windows\system32\Abmbhn32.exe |
72 | 1940 | C:\Windows\SysWOW64\Ahikqd32.exe | C:\Windows\system32\Ahikqd32.exe |
73 | 1176 | C:\Windows\SysWOW64\Ajhgmpfg.exe | C:\Windows\system32\Ajhgmpfg.exe |
74 | 1744 | C:\Windows\SysWOW64\Aaaoij32.exe | C:\Windows\system32\Aaaoij32.exe |
75 | 1332 | C:\Windows\SysWOW64\Adpkee32.exe | C:\Windows\system32\Adpkee32.exe |
76 | 1564 | C:\Windows\SysWOW64\Afohaa32.exe | C:\Windows\system32\Afohaa32.exe |
77 | 2600 | C:\Windows\SysWOW64\Amhpnkch.exe | C:\Windows\system32\Amhpnkch.exe |
78 | 2572 | C:\Windows\SysWOW64\Bdbhke32.exe | C:\Windows\system32\Bdbhke32.exe |
79 | 2580 | C:\Windows\SysWOW64\Bfadgq32.exe | C:\Windows\system32\Bfadgq32.exe |
80 | 2076 | C:\Windows\SysWOW64\Bjlqhoba.exe | C:\Windows\system32\Bjlqhoba.exe | Drops file in System32 directory
81 | 2752 | C:\Windows\SysWOW64\Bpiipf32.exe | C:\Windows\system32\Bpiipf32.exe |
82 | 312 | C:\Windows\SysWOW64\Bdeeqehb.exe | C:\Windows\system32\Bdeeqehb.exe |
83 | 1632 | C:\Windows\SysWOW64\Bkommo32.exe | C:\Windows\system32\Bkommo32.exe |
84 | 1560 | C:\Windows\SysWOW64\Bmmiij32.exe | C:\Windows\system32\Bmmiij32.exe |
85 | 1928 | C:\Windows\SysWOW64\Blpjegfm.exe | C:\Windows\system32\Blpjegfm.exe |
86 | 1012 | C:\Windows\SysWOW64\Bbjbaa32.exe | C:\Windows\system32\Bbjbaa32.exe |
87 | 1136 | C:\Windows\SysWOW64\Bidjnkdg.exe | C:\Windows\system32\Bidjnkdg.exe |
88 | 1916 | C:\Windows\SysWOW64\Blbfjg32.exe | C:\Windows\system32\Blbfjg32.exe |
89 | 2168 | C:\Windows\SysWOW64\Boqbfb32.exe | C:\Windows\system32\Boqbfb32.exe |
90 | 1736 | C:\Windows\SysWOW64\Bekkcljk.exe | C:\Windows\system32\Bekkcljk.exe |
91 | 2832 | C:\Windows\SysWOW64\Bifgdk32.exe | C:\Windows\system32\Bifgdk32.exe |
92 | 2668 | C:\Windows\SysWOW64\Bldcpf32.exe | C:\Windows\system32\Bldcpf32.exe |
93 | 1532 | C:\Windows\SysWOW64\Bocolb32.exe | C:\Windows\system32\Bocolb32.exe |
94 | 2432 | C:\Windows\SysWOW64\Bbokmqie.exe | C:\Windows\system32\Bbokmqie.exe | Adds autorun key to be loaded by Explorer.exe on startup
95 | 2652 | C:\Windows\SysWOW64\Biicik32.exe | C:\Windows\system32\Biicik32.exe |
96 | 2012 | C:\Windows\SysWOW64\Blgpef32.exe | C:\Windows\system32\Blgpef32.exe |
97 | 2248 | C:\Windows\SysWOW64\Ccahbp32.exe | C:\Windows\system32\Ccahbp32.exe |
98 | 1872 | C:\Windows\SysWOW64\Cdbdjhmp.exe | C:\Windows\system32\Cdbdjhmp.exe |
99 | 2472 | C:\Windows\SysWOW64\Cklmgb32.exe | C:\Windows\system32\Cklmgb32.exe |
100 | 2816 | C:\Windows\SysWOW64\Cnkicn32.exe | C:\Windows\system32\Cnkicn32.exe |
101 | 2100 | C:\Windows\SysWOW64\Chpmpg32.exe | C:\Windows\system32\Chpmpg32.exe |
102 | 2148 | C:\Windows\SysWOW64\Cojema32.exe | C:\Windows\system32\Cojema32.exe |
103 | 1924 | C:\Windows\SysWOW64\Cpkbdiqb.exe | C:\Windows\system32\Cpkbdiqb.exe |
104 | 852 | C:\Windows\SysWOW64\Cgejac32.exe | C:\Windows\system32\Cgejac32.exe | Modifies registry class
105 | 2356 | C:\Windows\SysWOW64\Ckafbbph.exe | C:\Windows\system32\Ckafbbph.exe | Drops file in System32 directory
106 | 1608 | C:\Windows\SysWOW64\Cnobnmpl.exe | C:\Windows\system32\Cnobnmpl.exe |
107 | 1556 | C:\Windows\SysWOW64\Cdikkg32.exe | C:\Windows\system32\Cdikkg32.exe |
108 | 2528 | C:\Windows\SysWOW64\Cclkfdnc.exe | C:\Windows\system32\Cclkfdnc.exe |
109 | 2524 | C:\Windows\SysWOW64\Cjfccn32.exe | C:\Windows\system32\Cjfccn32.exe |
110 | 2448 | C:\Windows\SysWOW64\Cnaocmmi.exe | C:\Windows\system32\Cnaocmmi.exe |
111 | 1208 | C:\Windows\SysWOW64\Cppkph32.exe | C:\Windows\system32\Cppkph32.exe |
112 | 772 | C:\Windows\SysWOW64\Ccngld32.exe | C:\Windows\system32\Ccngld32.exe |
113 | 2944 | C:\Windows\SysWOW64\Dlgldibq.exe | C:\Windows\system32\Dlgldibq.exe | Drops file in System32 directory
114 | 2292 | C:\Windows\SysWOW64\Doehqead.exe | C:\Windows\system32\Doehqead.exe |
115 | 2300 | C:\Windows\SysWOW64\Dcadac32.exe | C:\Windows\system32\Dcadac32.exe |
116 | 832 | C:\Windows\SysWOW64\Dfoqmo32.exe | C:\Windows\system32\Dfoqmo32.exe |
117 | 308 | C:\Windows\SysWOW64\Dhnmij32.exe | C:\Windows\system32\Dhnmij32.exe |
118 | 2588 | C:\Windows\SysWOW64\Dpeekh32.exe | C:\Windows\system32\Dpeekh32.exe |
119 | 1592 | C:\Windows\SysWOW64\Dfamcogo.exe | C:\Windows\system32\Dfamcogo.exe |
120 | 2812 | C:\Windows\SysWOW64\Dhpiojfb.exe | C:\Windows\system32\Dhpiojfb.exe |
121 | 1876 | C:\Windows\SysWOW64\Dknekeef.exe | C:\Windows\system32\Dknekeef.exe |
122 | 2544 | C:\Windows\SysWOW64\Dcenlceh.exe | C:\Windows\system32\Dcenlceh.exe |
123 | 2036 | C:\Windows\SysWOW64\Dfdjhndl.exe | C:\Windows\system32\Dfdjhndl.exe |
124 | 2952 | C:\Windows\SysWOW64\Dfdjhndl.exe | C:\Windows\system32\Dfdjhndl.exe | Drops file in System32 directory
125 | 2508 | C:\Windows\SysWOW64\Ddgjdk32.exe | C:\Windows\system32\Ddgjdk32.exe |
126 | 1800 | C:\Windows\SysWOW64\Dkqbaecc.exe | C:\Windows\system32\Dkqbaecc.exe | Adds autorun key to be loaded by Explorer.exe on startup
127 | 2868 | C:\Windows\SysWOW64\Dnoomqbg.exe | C:\Windows\system32\Dnoomqbg.exe |
128 | 3068 | C:\Windows\SysWOW64\Ddigjkid.exe | C:\Windows\system32\Ddigjkid.exe |
129 | 1584 | C:\Windows\SysWOW64\Dggcffhg.exe | C:\Windows\system32\Dggcffhg.exe |
130 | 2608 | C:\Windows\SysWOW64\Enakbp32.exe | C:\Windows\system32\Enakbp32.exe | Modifies registry class
131 | 2980 | C:\Windows\SysWOW64\Edkcojga.exe | C:\Windows\system32\Edkcojga.exe |
132 | 3048 | C:\Windows\SysWOW64\Ejhlgaeh.exe | C:\Windows\system32\Ejhlgaeh.exe |
133 | 1476 | C:\Windows\SysWOW64\Egllae32.exe | C:\Windows\system32\Egllae32.exe |
134 | 488 | C:\Windows\SysWOW64\Emieil32.exe | C:\Windows\system32\Emieil32.exe |
135 | 2808 | C:\Windows\SysWOW64\Edpmjj32.exe | C:\Windows\system32\Edpmjj32.exe |
136 | 2132 | C:\Windows\SysWOW64\Egoife32.exe | C:\Windows\system32\Egoife32.exe |
137 | 1672 | C:\Windows\SysWOW64\Ejmebq32.exe | C:\Windows\system32\Ejmebq32.exe |
138 | 2256 | C:\Windows\SysWOW64\Enhacojl.exe | C:\Windows\system32\Enhacojl.exe |
139 | 2420 | C:\Windows\SysWOW64\Eojnkg32.exe | C:\Windows\system32\Eojnkg32.exe |
140 | 2484 | C:\Windows\SysWOW64\Efcfga32.exe | C:\Windows\system32\Efcfga32.exe |
141 | 2760 | C:\Windows\SysWOW64\Eqijej32.exe | C:\Windows\system32\Eqijej32.exe |
142 | 1860 | C:\Windows\SysWOW64\Ebjglbml.exe | C:\Windows\system32\Ebjglbml.exe |
143 | 1028 | C:\Windows\SysWOW64\Fmpkjkma.exe | C:\Windows\system32\Fmpkjkma.exe |
144 | 2236 | C:\Windows\SysWOW64\Fekpnn32.exe | C:\Windows\system32\Fekpnn32.exe |
145 | 3064 | C:\Windows\SysWOW64\Flehkhai.exe | C:\Windows\system32\Flehkhai.exe | Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
146 | 1944 | C:\Windows\SysWOW64\Fbopgb32.exe | C:\Windows\system32\Fbopgb32.exe |
147 | 2360 | C:\Windows\SysWOW64\Fenmdm32.exe | C:\Windows\system32\Fenmdm32.exe |
148 | 612 | C:\Windows\SysWOW64\Fadminnn.exe | C:\Windows\system32\Fadminnn.exe |
149 | 2112 | C:\Windows\SysWOW64\Fepiimfg.exe | C:\Windows\system32\Fepiimfg.exe |
150 | 2520 | C:\Windows\SysWOW64\Fljafg32.exe | C:\Windows\system32\Fljafg32.exe |
151 | 2512 | C:\Windows\SysWOW64\Fljafg32.exe | C:\Windows\system32\Fljafg32.exe |
152 | 2896 | C:\Windows\SysWOW64\Fagjnn32.exe | C:\Windows\system32\Fagjnn32.exe | Drops file in System32 directory
153 | 304 | C:\Windows\SysWOW64\Febfomdd.exe | C:\Windows\system32\Febfomdd.exe | Modifies registry class
154 | 1072 | C:\Windows\SysWOW64\Fjongcbl.exe | C:\Windows\system32\Fjongcbl.exe |
155 | 2932 | C:\Windows\SysWOW64\Ghcoqh32.exe | C:\Windows\system32\Ghcoqh32.exe |
156 | 2376 | C:\Windows\SysWOW64\Gjakmc32.exe | C:\Windows\system32\Gjakmc32.exe |
157 | 904 | C:\Windows\SysWOW64\Gpncej32.exe | C:\Windows\system32\Gpncej32.exe | Drops file in System32 directory
158 | 2912 | C:\Windows\SysWOW64\Gjdhbc32.exe | C:\Windows\system32\Gjdhbc32.exe |
159 | 2556 | C:\Windows\SysWOW64\Ganpomec.exe | C:\Windows\system32\Ganpomec.exe |
160 | 2424 | C:\Windows\SysWOW64\Gjfdhbld.exe | C:\Windows\system32\Gjfdhbld.exe |
161 | 2776 | C:\Windows\SysWOW64\Gmdadnkh.exe | C:\Windows\system32\Gmdadnkh.exe |
162 | 668 | C:\Windows\SysWOW64\Gdniqh32.exe | C:\Windows\system32\Gdniqh32.exe | Adds autorun key to be loaded by Explorer.exe on startup
163 | 2592 | C:\Windows\SysWOW64\Gepehphc.exe | C:\Windows\system32\Gepehphc.exe | Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
164 | 2128 | C:\Windows\SysWOW64\Gmgninie.exe | C:\Windows\system32\Gmgninie.exe |
165 | 1812 | C:\Windows\SysWOW64\Gpejeihi.exe | C:\Windows\system32\Gpejeihi.exe |
166 | 1724 | C:\Windows\SysWOW64\Gebbnpfp.exe | C:\Windows\system32\Gebbnpfp.exe | Drops file in System32 directory
167 | 1980 | C:\Windows\SysWOW64\Ginnnooi.exe | C:\Windows\system32\Ginnnooi.exe |
168 | 2216 | C:\Windows\SysWOW64\Hpgfki32.exe | C:\Windows\system32\Hpgfki32.exe | Drops file in System32 directory
169 | 2428 | C:\Windows\SysWOW64\Hbfbgd32.exe | C:\Windows\system32\Hbfbgd32.exe |
170 | 2724 | C:\Windows\SysWOW64\Hhckpk32.exe | C:\Windows\system32\Hhckpk32.exe |
171 | 948 | C:\Windows\SysWOW64\Hlngpjlj.exe | C:\Windows\system32\Hlngpjlj.exe |
172 | 884 | C:\Windows\SysWOW64\Hakphqja.exe | C:\Windows\system32\Hakphqja.exe |
173 | 2408 | C:\Windows\SysWOW64\Hhehek32.exe | C:\Windows\system32\Hhehek32.exe |
174 | 2872 | C:\Windows\SysWOW64\Hkcdafqb.exe | C:\Windows\system32\Hkcdafqb.exe |
175 | 2940 | C:\Windows\SysWOW64\Hanlnp32.exe | C:\Windows\system32\Hanlnp32.exe |
176 | 1528 | C:\Windows\SysWOW64\Hdlhjl32.exe | C:\Windows\system32\Hdlhjl32.exe |
177 | 1368 | C:\Windows\SysWOW64\Hgjefg32.exe | C:\Windows\system32\Hgjefg32.exe |
178 | 1644 | C:\Windows\SysWOW64\Hapicp32.exe | C:\Windows\system32\Hapicp32.exe |
179 | 2020 | C:\Windows\SysWOW64\Hiknhbcg.exe | C:\Windows\system32\Hiknhbcg.exe |
180 | 1232 | C:\Windows\SysWOW64\Hpefdl32.exe | C:\Windows\system32\Hpefdl32.exe |
181 | 2624 | C:\Windows\SysWOW64\Iccbqh32.exe | C:\Windows\system32\Iccbqh32.exe |
182 | 3056 | C:\Windows\SysWOW64\Ikkjbe32.exe | C:\Windows\system32\Ikkjbe32.exe | Modifies registry class
183 | 1380 | C:\Windows\SysWOW64\Inifnq32.exe | C:\Windows\system32\Inifnq32.exe |
184 | 2892 | C:\Windows\SysWOW64\Idcokkak.exe | C:\Windows\system32\Idcokkak.exe |
185 | 2532 | C:\Windows\SysWOW64\Igakgfpn.exe | C:\Windows\system32\Igakgfpn.exe |
186 | 2244 | C:\Windows\SysWOW64\Inkccpgk.exe | C:\Windows\system32\Inkccpgk.exe |
187 | 2124 | C:\Windows\SysWOW64\Ipjoplgo.exe | C:\Windows\system32\Ipjoplgo.exe | Adds autorun key to be loaded by Explorer.exe on startup
188 | 1376 | C:\Windows\SysWOW64\Ichllgfb.exe | C:\Windows\system32\Ichllgfb.exe |
189 | 2964 | C:\Windows\SysWOW64\Iefhhbef.exe | C:\Windows\system32\Iefhhbef.exe |
190 | 1912 | C:\Windows\SysWOW64\Ilqpdm32.exe | C:\Windows\system32\Ilqpdm32.exe |
191 | 1624 | C:\Windows\SysWOW64\Ioolqh32.exe | C:\Windows\system32\Ioolqh32.exe |
192 | 2072 | C:\Windows\SysWOW64\Iamimc32.exe | C:\Windows\system32\Iamimc32.exe |
193 | 1040 | C:\Windows\SysWOW64\Ijdqna32.exe | C:\Windows\system32\Ijdqna32.exe | Adds autorun key to be loaded by Explorer.exe on startup
194 | 3096 | C:\Windows\SysWOW64\Ilcmjl32.exe | C:\Windows\system32\Ilcmjl32.exe |
195 | 3136 | C:\Windows\SysWOW64\Ioaifhid.exe | C:\Windows\system32\Ioaifhid.exe |
196 | 3176 | C:\Windows\SysWOW64\Idnaoohk.exe | C:\Windows\system32\Idnaoohk.exe |
197 | 3216 | C:\Windows\SysWOW64\Ileiplhn.exe | C:\Windows\system32\Ileiplhn.exe |
198 | 3256 | C:\Windows\SysWOW64\Jocflgga.exe | C:\Windows\system32\Jocflgga.exe |
199 | 3296 | C:\Windows\SysWOW64\Jfnnha32.exe | C:\Windows\system32\Jfnnha32.exe |
200 | 3336 | C:\Windows\SysWOW64\Jgojpjem.exe | C:\Windows\system32\Jgojpjem.exe | Adds autorun key to be loaded by Explorer.exe on startup
201 | 3376 | C:\Windows\SysWOW64\Jnicmdli.exe | C:\Windows\system32\Jnicmdli.exe |
202 | 3416 | C:\Windows\SysWOW64\Jhngjmlo.exe | C:\Windows\system32\Jhngjmlo.exe |
203 | 3456 | C:\Windows\SysWOW64\Jkmcfhkc.exe | C:\Windows\system32\Jkmcfhkc.exe |
204 | 3496 | C:\Windows\SysWOW64\Jqilooij.exe | C:\Windows\system32\Jqilooij.exe |
205 | 3536 | C:\Windows\SysWOW64\Jchhkjhn.exe | C:\Windows\system32\Jchhkjhn.exe |
206 | 3576 | C:\Windows\SysWOW64\Jkoplhip.exe | C:\Windows\system32\Jkoplhip.exe |
207 | 3616 | C:\Windows\SysWOW64\Jnmlhchd.exe | C:\Windows\system32\Jnmlhchd.exe |
208 | 3656 | C:\Windows\SysWOW64\Jmplcp32.exe | C:\Windows\system32\Jmplcp32.exe |
209 | 3696 | C:\Windows\SysWOW64\Jgfqaiod.exe | C:\Windows\system32\Jgfqaiod.exe | Adds autorun key to be loaded by Explorer.exe on startup
210 | 3736 | C:\Windows\SysWOW64\Jnpinc32.exe | C:\Windows\system32\Jnpinc32.exe | Modifies registry class
211 | 3776 | C:\Windows\SysWOW64\Jmbiipml.exe | C:\Windows\system32\Jmbiipml.exe |
212 | 3816 | C:\Windows\SysWOW64\Jghmfhmb.exe | C:\Windows\system32\Jghmfhmb.exe |
213 | 3856 | C:\Windows\SysWOW64\Jfknbe32.exe | C:\Windows\system32\Jfknbe32.exe | Modifies registry class
214 | 3896 | C:\Windows\SysWOW64\Kmefooki.exe | C:\Windows\system32\Kmefooki.exe |
215 | 3936 | C:\Windows\SysWOW64\Kconkibf.exe | C:\Windows\system32\Kconkibf.exe |
216 | 3976 | C:\Windows\SysWOW64\Kjifhc32.exe | C:\Windows\system32\Kjifhc32.exe |
217 | 4016 | C:\Windows\SysWOW64\Kmgbdo32.exe | C:\Windows\system32\Kmgbdo32.exe |
218 | 4056 | C:\Windows\SysWOW64\Kofopj32.exe | C:\Windows\system32\Kofopj32.exe | Drops file in System32 directory
219 | 864 | C:\Windows\SysWOW64\Kbdklf32.exe | C:\Windows\system32\Kbdklf32.exe |
220 | 3084 | C:\Windows\SysWOW64\Kincipnk.exe | C:\Windows\system32\Kincipnk.exe |
221 | 3152 | C:\Windows\SysWOW64\Kklpekno.exe | C:\Windows\system32\Kklpekno.exe |
222 | 3188 | C:\Windows\SysWOW64\Knklagmb.exe | C:\Windows\system32\Knklagmb.exe |
223 | 3248 | C:\Windows\SysWOW64\Kfbcbd32.exe | C:\Windows\system32\Kfbcbd32.exe |
224 | 3292 | C:\Windows\SysWOW64\Kkolkk32.exe | C:\Windows\system32\Kkolkk32.exe |
225 | 3316 | C:\Windows\SysWOW64\Kpjhkjde.exe | C:\Windows\system32\Kpjhkjde.exe |
226 | 3388 | C:\Windows\SysWOW64\Kegqdqbl.exe | C:\Windows\system32\Kegqdqbl.exe |
227 | 3448 | C:\Windows\SysWOW64\Kgemplap.exe | C:\Windows\system32\Kgemplap.exe |
228 | 3492 | C:\Windows\SysWOW64\Knpemf32.exe | C:\Windows\system32\Knpemf32.exe |
229 | 3552 | C:\Windows\SysWOW64\Lanaiahq.exe | C:\Windows\system32\Lanaiahq.exe |
230 | 3612 | C:\Windows\SysWOW64\Lclnemgd.exe | C:\Windows\system32\Lclnemgd.exe |
231 | 3640 | C:\Windows\SysWOW64\Llcefjgf.exe | C:\Windows\system32\Llcefjgf.exe | Modifies registry class
232 | 3704 | C:\Windows\SysWOW64\Lmebnb32.exe | C:\Windows\system32\Lmebnb32.exe |
233 | 3748 | C:\Windows\SysWOW64\Leljop32.exe | C:\Windows\system32\Leljop32.exe |
234 | 3788 | C:\Windows\SysWOW64\Lfmffhde.exe | C:\Windows\system32\Lfmffhde.exe |
235 | 3848 | C:\Windows\SysWOW64\Labkdack.exe | C:\Windows\system32\Labkdack.exe |
236 | 3868 | C:\Windows\SysWOW64\Lfpclh32.exe | C:\Windows\system32\Lfpclh32.exe |
237 | 3952 | C:\Windows\SysWOW64\Ljkomfjl.exe | C:\Windows\system32\Ljkomfjl.exe |
238 | 3996 | C:\Windows\SysWOW64\Laegiq32.exe | C:\Windows\system32\Laegiq32.exe |
239 | 4044 | C:\Windows\SysWOW64\Lccdel32.exe | C:\Windows\system32\Lccdel32.exe |
240 | 4080 | C:\Windows\SysWOW64\Ljmlbfhi.exe | C:\Windows\system32\Ljmlbfhi.exe |
241 | 3104 | C:\Windows\SysWOW64\Lmlhnagm.exe | C:\Windows\system32\Lmlhnagm.exe |
242 | 3116 | C:\Windows\SysWOW64\Lcfqkl32.exe | C:\Windows\system32\Lcfqkl32.exe |