Analysis
max time kernel: 150s
max time network: 127s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 01-06-2024 22:09
Behavioral task
behavioral1
Sample
0110a86cccea56f44953bfa815d2e760_NeikiAnalytics.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
0110a86cccea56f44953bfa815d2e760_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
Target: 0110a86cccea56f44953bfa815d2e760_NeikiAnalytics.exe
Size: 276KB
MD5: 0110a86cccea56f44953bfa815d2e760
SHA1: f08601adbda0f2d6dbb2758f06981cc16188a693
SHA256: 5a6a20635f8f22d35ecc5c753566188b92a9731b63a5b81a0501daa24908b29c
SHA512: 002edd91ce85c7fc7f90686ab38d21b46f66e94d505b073c19c97aa1281e7d5322dbd1e465600ed424cf609d39f6c1cf621094a81af25f85181ae0b4c262632a
SSDEEP: 6144:k450507Czz03qpdWZHEFJ7aWN1rtMsQBOSGaF+:Ja0U2HEGWN1RMs1S7
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dmmmfc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Liibgkoo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Okcchbnn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gnbelong.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jljgni32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lppkgi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mdgkjopd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hdhbci32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lfhiepbn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Egndgdai.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gqhadmhc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nlefjpid.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aemafjeg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cafbmdbh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dbiocd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cobhdhha.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bacgohjk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kajiigba.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kfbemi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pmgnan32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jmkmjoec.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hflndjin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jddqgdii.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cfbhlb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bjnhnn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ejjdmp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nmjicn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gljpncgc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bdckobhd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mnhnfckm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Liibgkoo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jjkiie32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Icifjk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bpjldc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iigcobid.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cbnfmo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kajiigba.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hfhfhbce.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cnabffeo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ekblplgo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gemfghek.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cnimiblo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hghdjn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Omgfdhbq.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jdbfjm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Epnldd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lhegcg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pbagipfi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Paaddgkj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Piliii32.exe
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Processes:
resource | yara_rule
\Windows\SysWOW64\Fbpbpkpj.exe | family_berbew
\Windows\SysWOW64\Gnkmqkbi.exe | family_berbew
\Windows\SysWOW64\Gmbfggdo.exe | family_berbew
\Windows\SysWOW64\Gljpncgc.exe | family_berbew
\Windows\SysWOW64\Hbiaemkk.exe | family_berbew
\Windows\SysWOW64\Hanogipc.exe | family_berbew
C:\Windows\SysWOW64\Hfmddp32.exe | family_berbew
\Windows\SysWOW64\Idcacc32.exe | family_berbew
\Windows\SysWOW64\Ifdjeoep.exe | family_berbew
C:\Windows\SysWOW64\Jenpajfb.exe | family_berbew
\Windows\SysWOW64\Jniefm32.exe | family_berbew
\Windows\SysWOW64\Klehgh32.exe | family_berbew
\Windows\SysWOW64\Kcdjoaee.exe | family_berbew
behavioral1/memory/1648-194-0x0000000000220000-0x0000000000262000-memory.dmp | family_berbew
\Windows\SysWOW64\Kfebambf.exe | family_berbew
behavioral1/memory/2092-209-0x0000000000250000-0x0000000000292000-memory.dmp | family_berbew
behavioral1/memory/2428-203-0x0000000000360000-0x00000000003A2000-memory.dmp | family_berbew
\Windows\SysWOW64\Ldoimh32.exe | family_berbew
C:\Windows\SysWOW64\Lfbbjpgd.exe | family_berbew
C:\Windows\SysWOW64\Mpmcielb.exe | family_berbew
C:\Windows\SysWOW64\Mbpipp32.exe | family_berbew
behavioral1/memory/3052-265-0x0000000000220000-0x0000000000262000-memory.dmp | family_berbew
behavioral1/memory/2092-264-0x0000000000250000-0x0000000000292000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Mnifja32.exe | family_berbew
C:\Windows\SysWOW64\Njdqka32.exe | family_berbew
C:\Windows\SysWOW64\Nbbbdcgi.exe | family_berbew
C:\Windows\SysWOW64\Obdojcef.exe | family_berbew
C:\Windows\SysWOW64\Omqlpp32.exe | family_berbew
C:\Windows\SysWOW64\Oanefo32.exe | family_berbew
C:\Windows\SysWOW64\Pilfpqaa.exe | family_berbew
C:\Windows\SysWOW64\Pgpgjepk.exe | family_berbew
C:\Windows\SysWOW64\Pjcmap32.exe | family_berbew
C:\Windows\SysWOW64\Popeif32.exe | family_berbew
C:\Windows\SysWOW64\Qgmfchei.exe | family_berbew
C:\Windows\SysWOW64\Qhmcmk32.exe | family_berbew
C:\Windows\SysWOW64\Anlhkbhq.exe | family_berbew
C:\Windows\SysWOW64\Aqmamm32.exe | family_berbew
C:\Windows\SysWOW64\Abpjjeim.exe | family_berbew
C:\Windows\SysWOW64\Bcpgdhpp.exe | family_berbew
C:\Windows\SysWOW64\Bbeded32.exe | family_berbew
C:\Windows\SysWOW64\Bnldjekl.exe | family_berbew
C:\Windows\SysWOW64\Bammlq32.exe | family_berbew
C:\Windows\SysWOW64\Bmcnqama.exe | family_berbew
C:\Windows\SysWOW64\Cjgoje32.exe | family_berbew
C:\Windows\SysWOW64\Cfnoogbo.exe | family_berbew
C:\Windows\SysWOW64\Ccbphk32.exe | family_berbew
C:\Windows\SysWOW64\Clmdmm32.exe | family_berbew
C:\Windows\SysWOW64\Cbiiog32.exe | family_berbew
C:\Windows\SysWOW64\Cpmjhk32.exe | family_berbew
C:\Windows\SysWOW64\Daofpchf.exe | family_berbew
C:\Windows\SysWOW64\Dbncjf32.exe | family_berbew
C:\Windows\SysWOW64\Dkigoimd.exe | family_berbew
C:\Windows\SysWOW64\Ddblgn32.exe | family_berbew
C:\Windows\SysWOW64\Dklddhka.exe | family_berbew
C:\Windows\SysWOW64\Dhpemm32.exe | family_berbew
C:\Windows\SysWOW64\Dmmmfc32.exe | family_berbew
C:\Windows\SysWOW64\Dgeaoinb.exe | family_berbew
C:\Windows\SysWOW64\Epmfgo32.exe | family_berbew
C:\Windows\SysWOW64\Emagacdm.exe | family_berbew
C:\Windows\SysWOW64\Eihgfd32.exe | family_berbew
C:\Windows\SysWOW64\Eoepnk32.exe | family_berbew
C:\Windows\SysWOW64\Ecbhdi32.exe | family_berbew
C:\Windows\SysWOW64\Eknmhk32.exe | family_berbew
C:\Windows\SysWOW64\Eaheeecg.exe | family_berbew
Executes dropped EXE 64 IoCs
Processes:
pid | process
2896 | Fbpbpkpj.exe
2100 | Gnkmqkbi.exe
2584 | Gmbfggdo.exe
2700 | Gljpncgc.exe
2384 | Hbiaemkk.exe
2436 | Hanogipc.exe
1204 | Hfmddp32.exe
1648 | Idcacc32.exe
2428 | Ifdjeoep.exe
2116 | Jenpajfb.exe
1756 | Jniefm32.exe
832 | Klehgh32.exe
2092 | Kcdjoaee.exe
936 | Kfebambf.exe
524 | Ldoimh32.exe
2240 | Lfbbjpgd.exe
3052 | Mpmcielb.exe
1796 | Mbpipp32.exe
976 | Mnifja32.exe
1104 | Njdqka32.exe
2256 | Nbbbdcgi.exe
1688 | Obdojcef.exe
1900 | Omqlpp32.exe
1140 | Oanefo32.exe
1600 | Pilfpqaa.exe
2828 | Pgpgjepk.exe
2492 | Pjcmap32.exe
2704 | Popeif32.exe
2644 | Qgmfchei.exe
2536 | Qhmcmk32.exe
588 | Anlhkbhq.exe
2020 | Aqmamm32.exe
2420 | Abpjjeim.exe
1272 | Bcpgdhpp.exe
2980 | Bbeded32.exe
2276 | Bnldjekl.exe
1656 | Bammlq32.exe
1616 | Bmcnqama.exe
1668 | Cjgoje32.exe
2220 | Cfnoogbo.exe
2228 | Ccbphk32.exe
2172 | Clmdmm32.exe
2552 | Cbiiog32.exe
2928 | Cpmjhk32.exe
1100 | Daofpchf.exe
1108 | Dbncjf32.exe
2192 | Dkigoimd.exe
1160 | Ddblgn32.exe
1584 | Dklddhka.exe
1692 | Dhpemm32.exe
1308 | Dmmmfc32.exe
1592 | Dgeaoinb.exe
2852 | Epmfgo32.exe
2264 | Emagacdm.exe
1808 | Eihgfd32.exe
2660 | Eoepnk32.exe
2528 | Ecbhdi32.exe
1628 | Eknmhk32.exe
1508 | Eaheeecg.exe
2340 | Fpmbfbgo.exe
1888 | Famope32.exe
2988 | Gncldi32.exe
1476 | Giipab32.exe
2148 | Hcdnhoac.exe
Loads dropped DLL 64 IoCs
Processes:
pid | process
2956 | 0110a86cccea56f44953bfa815d2e760_NeikiAnalytics.exe
2956 | 0110a86cccea56f44953bfa815d2e760_NeikiAnalytics.exe
2896 | Fbpbpkpj.exe
2896 | Fbpbpkpj.exe
2100 | Gnkmqkbi.exe
2100 | Gnkmqkbi.exe
2584 | Gmbfggdo.exe
2584 | Gmbfggdo.exe
2700 | Gljpncgc.exe
2700 | Gljpncgc.exe
2384 | Hbiaemkk.exe
2384 | Hbiaemkk.exe
2436 | Hanogipc.exe
2436 | Hanogipc.exe
1204 | Hfmddp32.exe
1204 | Hfmddp32.exe
1648 | Idcacc32.exe
1648 | Idcacc32.exe
2428 | Ifdjeoep.exe
2428 | Ifdjeoep.exe
2116 | Jenpajfb.exe
2116 | Jenpajfb.exe
1756 | Jniefm32.exe
1756 | Jniefm32.exe
832 | Klehgh32.exe
832 | Klehgh32.exe
2092 | Kcdjoaee.exe
2092 | Kcdjoaee.exe
936 | Kfebambf.exe
936 | Kfebambf.exe
524 | Ldoimh32.exe
524 | Ldoimh32.exe
2240 | Lfbbjpgd.exe
2240 | Lfbbjpgd.exe
3052 | Mpmcielb.exe
3052 | Mpmcielb.exe
1796 | Mbpipp32.exe
1796 | Mbpipp32.exe
976 | Mnifja32.exe
976 | Mnifja32.exe
1104 | Njdqka32.exe
1104 | Njdqka32.exe
2256 | Nbbbdcgi.exe
2256 | Nbbbdcgi.exe
1688 | Obdojcef.exe
1688 | Obdojcef.exe
1900 | Omqlpp32.exe
1900 | Omqlpp32.exe
1140 | Oanefo32.exe
1140 | Oanefo32.exe
1600 | Pilfpqaa.exe
1600 | Pilfpqaa.exe
2828 | Pgpgjepk.exe
2828 | Pgpgjepk.exe
2492 | Pjcmap32.exe
2492 | Pjcmap32.exe
2704 | Popeif32.exe
2704 | Popeif32.exe
2644 | Qgmfchei.exe
2644 | Qgmfchei.exe
2536 | Qhmcmk32.exe
2536 | Qhmcmk32.exe
588 | Anlhkbhq.exe
588 | Anlhkbhq.exe
Drops file in System32 directory 64 IoCs
Processes:
description | ioc | process
File created | C:\Windows\SysWOW64\Jllqplnp.exe | Jabponba.exe
File created | C:\Windows\SysWOW64\Jgnchplb.exe | Jflgph32.exe
File opened for modification | C:\Windows\SysWOW64\Dbaice32.exe | Dmepkn32.exe
File created | C:\Windows\SysWOW64\Dnhanebc.dll | Jabponba.exe
File created | C:\Windows\SysWOW64\Efoifiep.exe | Ebappk32.exe
File opened for modification | C:\Windows\SysWOW64\Hghdjn32.exe | Hehhqk32.exe
File created | C:\Windows\SysWOW64\Bogjaamh.exe | Bacihmoo.exe
File created | C:\Windows\SysWOW64\Moedaakj.dll | Mjeffc32.exe
File created | C:\Windows\SysWOW64\Pkhmod32.dll | Kckhdg32.exe
File created | C:\Windows\SysWOW64\Lfbbjpgd.exe | Ldoimh32.exe
File opened for modification | C:\Windows\SysWOW64\Lonibk32.exe | Kajiigba.exe
File opened for modification | C:\Windows\SysWOW64\Nomkfk32.exe | Ndggib32.exe
File created | C:\Windows\SysWOW64\Aejlka32.dll | Kocodbpk.exe
File created | C:\Windows\SysWOW64\Qfcekf32.dll | Jkopndcb.exe
File created | C:\Windows\SysWOW64\Abdeoe32.exe | Ailqfooi.exe
File created | C:\Windows\SysWOW64\Chagol32.dll | Cpcpjbah.exe
File opened for modification | C:\Windows\SysWOW64\Gdjblboj.exe |
File created | C:\Windows\SysWOW64\Bpjldc32.exe | Bdckobhd.exe
File created | C:\Windows\SysWOW64\Ieeqpi32.exe | Injlkf32.exe
File opened for modification | C:\Windows\SysWOW64\Pblcbn32.exe | Ponklpcg.exe
File created | C:\Windows\SysWOW64\Loldpieb.dll | Omnkicen.exe
File created | C:\Windows\SysWOW64\Jfkloj32.dll | Kgocid32.exe
File created | C:\Windows\SysWOW64\Fjhcif32.dll | Dgildi32.exe
File opened for modification | C:\Windows\SysWOW64\Agnjge32.exe | Ajjinaco.exe
File opened for modification | C:\Windows\SysWOW64\Jifkmh32.exe | Jidngh32.exe
File created | C:\Windows\SysWOW64\Hklhca32.exe | Hbccklmj.exe
File created | C:\Windows\SysWOW64\Cghmni32.exe | Cqneaodd.exe
File created | C:\Windows\SysWOW64\Epaqjmil.dll | Ojeobm32.exe
File created | C:\Windows\SysWOW64\Giolnomh.exe | Gpggei32.exe
File opened for modification | C:\Windows\SysWOW64\Koibpd32.exe | Kmficl32.exe
File created | C:\Windows\SysWOW64\Okpdjjil.exe | Oqkpmaif.exe
File opened for modification | C:\Windows\SysWOW64\Abgaeddg.exe | Almihjlj.exe
File created | C:\Windows\SysWOW64\Ffmicb32.dll | Ldokhn32.exe
File opened for modification | C:\Windows\SysWOW64\Akejdp32.exe |
File opened for modification | C:\Windows\SysWOW64\Cpkaai32.exe |
File opened for modification | C:\Windows\SysWOW64\Opjlkc32.exe | Ogbgbn32.exe
File created | C:\Windows\SysWOW64\Nolffjap.exe |
File opened for modification | C:\Windows\SysWOW64\Dhpemm32.exe | Dklddhka.exe
File created | C:\Windows\SysWOW64\Hmdkip32.dll | Dbdagg32.exe
File opened for modification | C:\Windows\SysWOW64\Jpjndh32.exe |
File created | C:\Windows\SysWOW64\Naagdj32.dll |
File opened for modification | C:\Windows\SysWOW64\Mgjnhaco.exe | Mfjann32.exe
File opened for modification | C:\Windows\SysWOW64\Dbmkfh32.exe | Djafaf32.exe
File created | C:\Windows\SysWOW64\Kokppd32.exe | Jlmddi32.exe
File created | C:\Windows\SysWOW64\Ahlghold.dll | Bnhjae32.exe
File created | C:\Windows\SysWOW64\Jpigjb32.dll |
File created | C:\Windows\SysWOW64\Dgmfbf32.dll |
File opened for modification | C:\Windows\SysWOW64\Pnbojmmp.exe | Paknelgk.exe
File created | C:\Windows\SysWOW64\Cccdlddl.dll | Liibgkoo.exe
File created | C:\Windows\SysWOW64\Kelddd32.dll | Dlfgehqk.exe
File created | C:\Windows\SysWOW64\Nkjggmal.exe |
File created | C:\Windows\SysWOW64\Pqdelh32.exe | Pdndggcl.exe
File opened for modification | C:\Windows\SysWOW64\Njjieace.exe | Niilmi32.exe
File created | C:\Windows\SysWOW64\Klfbmd32.dll |
File created | C:\Windows\SysWOW64\Ldokhn32.exe | Llcfck32.exe
File created | C:\Windows\SysWOW64\Jlgaek32.exe | Jlddpkgh.exe
File created | C:\Windows\SysWOW64\Gphflo32.dll |
File created | C:\Windows\SysWOW64\Ehinpnpm.exe | Eclfhgaf.exe
File created | C:\Windows\SysWOW64\Gjoflo32.dll |
File created | C:\Windows\SysWOW64\Jcikkcdp.dll |
File created | C:\Windows\SysWOW64\Hfiocpon.dll | Njjcip32.exe
File created | C:\Windows\SysWOW64\Icoepohq.exe | Hghdjn32.exe
File created | C:\Windows\SysWOW64\Eikkoh32.dll | Oaqeogll.exe
File opened for modification | C:\Windows\SysWOW64\Jidngh32.exe | Jplinckj.exe
Program crash 1 IoCs
Processes:
pid | pid_target | process | target process
3932 | 4404 | |
Modifies registry class 64 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cobhdhha.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdgbec32.dll" | Gcikfhed.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Okcchbnn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Qkbpgeai.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkcbkhnk.dll" | Cdqkifmb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Oqkpmaif.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fmaqgaae.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpnehd32.dll" | Fcoolj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppqolemj.dll" | Qfljmmjl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jlgaek32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgmfbf32.dll" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nciija32.dll" | Hhjgll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacldi32.dll" | Mgjnhaco.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hifhgh32.dll" | Mimgeigj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jgjmoace.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mpnngi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pqgilnji.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jgnchplb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nogmin32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Qboikm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dbbklnpj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Aafnpkii.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapafl32.dll" |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Giipab32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bfjmia32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hjplao32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjqigm32.dll" | Nccmng32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nelglc32.dll" |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hofjem32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mphiqbon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddnjaegb.dll" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfehcipm.dll" | Khohkamc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ijdppm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Efeoedjo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmalaioi.dll" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Icafgmbe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nldpgbhe.dll" | Ckfjjqhd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opgmqq32.dll" | Johlpoij.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pmgnan32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiahkhpo.dll" | Jcnoejch.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jfhmehji.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnbpadcl.dll" | Hjkbfpah.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dgbgon32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nakjff32.dll" | Jadlgjjq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hffndn32.dll" | Ieeqpi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lcdhgn32.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
0110a86cccea56f44953bfa815d2e760_NeikiAnalytics.exe, Fbpbpkpj.exe, Gnkmqkbi.exe, Gmbfggdo.exe, Gljpncgc.exe, Hbiaemkk.exe, Hanogipc.exe, Hfmddp32.exe, Idcacc32.exe, Ifdjeoep.exe, Jenpajfb.exe, Jniefm32.exe, Klehgh32.exe, Kcdjoaee.exe, Kfebambf.exe, Ldoimh32.exe
description | pid | process | target process
PID 2956 wrote to memory of 2896 | 2956 | 0110a86cccea56f44953bfa815d2e760_NeikiAnalytics.exe | Fbpbpkpj.exe
PID 2956 wrote to memory of 2896 | 2956 | 0110a86cccea56f44953bfa815d2e760_NeikiAnalytics.exe | Fbpbpkpj.exe
PID 2956 wrote to memory of 2896 | 2956 | 0110a86cccea56f44953bfa815d2e760_NeikiAnalytics.exe | Fbpbpkpj.exe
PID 2956 wrote to memory of 2896 | 2956 | 0110a86cccea56f44953bfa815d2e760_NeikiAnalytics.exe | Fbpbpkpj.exe
PID 2896 wrote to memory of 2100 | 2896 | Fbpbpkpj.exe | Gnkmqkbi.exe
PID 2896 wrote to memory of 2100 | 2896 | Fbpbpkpj.exe | Gnkmqkbi.exe
PID 2896 wrote to memory of 2100 | 2896 | Fbpbpkpj.exe | Gnkmqkbi.exe
PID 2896 wrote to memory of 2100 | 2896 | Fbpbpkpj.exe | Gnkmqkbi.exe
PID 2100 wrote to memory of 2584 | 2100 | Gnkmqkbi.exe | Gmbfggdo.exe
PID 2100 wrote to memory of 2584 | 2100 | Gnkmqkbi.exe | Gmbfggdo.exe
PID 2100 wrote to memory of 2584 | 2100 | Gnkmqkbi.exe | Gmbfggdo.exe
PID 2100 wrote to memory of 2584 | 2100 | Gnkmqkbi.exe | Gmbfggdo.exe
PID 2584 wrote to memory of 2700 | 2584 | Gmbfggdo.exe | Gljpncgc.exe
PID 2584 wrote to memory of 2700 | 2584 | Gmbfggdo.exe | Gljpncgc.exe
PID 2584 wrote to memory of 2700 | 2584 | Gmbfggdo.exe | Gljpncgc.exe
PID 2584 wrote to memory of 2700 | 2584 | Gmbfggdo.exe | Gljpncgc.exe
PID 2700 wrote to memory of 2384 | 2700 | Gljpncgc.exe | Hbiaemkk.exe
PID 2700 wrote to memory of 2384 | 2700 | Gljpncgc.exe | Hbiaemkk.exe
PID 2700 wrote to memory of 2384 | 2700 | Gljpncgc.exe | Hbiaemkk.exe
PID 2700 wrote to memory of 2384 | 2700 | Gljpncgc.exe | Hbiaemkk.exe
PID 2384 wrote to memory of 2436 | 2384 | Hbiaemkk.exe | Hanogipc.exe
PID 2384 wrote to memory of 2436 | 2384 | Hbiaemkk.exe | Hanogipc.exe
PID 2384 wrote to memory of 2436 | 2384 | Hbiaemkk.exe | Hanogipc.exe
PID 2384 wrote to memory of 2436 | 2384 | Hbiaemkk.exe | Hanogipc.exe
PID 2436 wrote to memory of 1204 | 2436 | Hanogipc.exe | Hfmddp32.exe
PID 2436 wrote to memory of 1204 | 2436 | Hanogipc.exe | Hfmddp32.exe
PID 2436 wrote to memory of 1204 | 2436 | Hanogipc.exe | Hfmddp32.exe
PID 2436 wrote to memory of 1204 | 2436 | Hanogipc.exe | Hfmddp32.exe
PID 1204 wrote to memory of 1648 | 1204 | Hfmddp32.exe | Idcacc32.exe
PID 1204 wrote to memory of 1648 | 1204 | Hfmddp32.exe | Idcacc32.exe
PID 1204 wrote to memory of 1648 | 1204 | Hfmddp32.exe | Idcacc32.exe
PID 1204 wrote to memory of 1648 | 1204 | Hfmddp32.exe | Idcacc32.exe
PID 1648 wrote to memory of 2428 | 1648 | Idcacc32.exe | Ifdjeoep.exe
PID 1648 wrote to memory of 2428 | 1648 | Idcacc32.exe | Ifdjeoep.exe
PID 1648 wrote to memory of 2428 | 1648 | Idcacc32.exe | Ifdjeoep.exe
PID 1648 wrote to memory of 2428 | 1648 | Idcacc32.exe | Ifdjeoep.exe
PID 2428 wrote to memory of 2116 | 2428 | Ifdjeoep.exe | Jenpajfb.exe
PID 2428 wrote to memory of 2116 | 2428 | Ifdjeoep.exe | Jenpajfb.exe
PID 2428 wrote to memory of 2116 | 2428 | Ifdjeoep.exe | Jenpajfb.exe
PID 2428 wrote to memory of 2116 | 2428 | Ifdjeoep.exe | Jenpajfb.exe
PID 2116 wrote to memory of 1756 | 2116 | Jenpajfb.exe | Jniefm32.exe
PID 2116 wrote to memory of 1756 | 2116 | Jenpajfb.exe | Jniefm32.exe
PID 2116 wrote to memory of 1756 | 2116 | Jenpajfb.exe | Jniefm32.exe
PID 2116 wrote to memory of 1756 | 2116 | Jenpajfb.exe | Jniefm32.exe
PID 1756 wrote to memory of 832 | 1756 | Jniefm32.exe | Klehgh32.exe
PID 1756 wrote to memory of 832 | 1756 | Jniefm32.exe | Klehgh32.exe
PID 1756 wrote to memory of 832 | 1756 | Jniefm32.exe | Klehgh32.exe
PID 1756 wrote to memory of 832 | 1756 | Jniefm32.exe | Klehgh32.exe
PID 832 wrote to memory of 2092 | 832 | Klehgh32.exe | Kcdjoaee.exe
PID 832 wrote to memory of 2092 | 832 | Klehgh32.exe | Kcdjoaee.exe
PID 832 wrote to memory of 2092 | 832 | Klehgh32.exe | Kcdjoaee.exe
PID 832 wrote to memory of 2092 | 832 | Klehgh32.exe | Kcdjoaee.exe
PID 2092 wrote to memory of 936 | 2092 | Kcdjoaee.exe | Kfebambf.exe
PID 2092 wrote to memory of 936 | 2092 | Kcdjoaee.exe | Kfebambf.exe
PID 2092 wrote to memory of 936 | 2092 | Kcdjoaee.exe | Kfebambf.exe
PID 2092 wrote to memory of 936 | 2092 | Kcdjoaee.exe | Kfebambf.exe
PID 936 wrote to memory of 524 | 936 | Kfebambf.exe | Ldoimh32.exe
PID 936 wrote to memory of 524 | 936 | Kfebambf.exe | Ldoimh32.exe
PID 936 wrote to memory of 524 | 936 | Kfebambf.exe | Ldoimh32.exe
PID 936 wrote to memory of 524 | 936 | Kfebambf.exe | Ldoimh32.exe
PID 524 wrote to memory of 2240 | 524 | Ldoimh32.exe | Lfbbjpgd.exe
PID 524 wrote to memory of 2240 | 524 | Ldoimh32.exe | Lfbbjpgd.exe
PID 524 wrote to memory of 2240 | 524 | Ldoimh32.exe | Lfbbjpgd.exe
PID 524 wrote to memory of 2240 | 524 | Ldoimh32.exe | Lfbbjpgd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0110a86cccea56f44953bfa815d2e760_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\0110a86cccea56f44953bfa815d2e760_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Fbpbpkpj.exeC:\Windows\system32\Fbpbpkpj.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Gnkmqkbi.exeC:\Windows\system32\Gnkmqkbi.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Gmbfggdo.exeC:\Windows\system32\Gmbfggdo.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Gljpncgc.exeC:\Windows\system32\Gljpncgc.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Hbiaemkk.exeC:\Windows\system32\Hbiaemkk.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Hanogipc.exeC:\Windows\system32\Hanogipc.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\Hfmddp32.exeC:\Windows\system32\Hfmddp32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1204 -
C:\Windows\SysWOW64\Idcacc32.exeC:\Windows\system32\Idcacc32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\SysWOW64\Ifdjeoep.exeC:\Windows\system32\Ifdjeoep.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Jenpajfb.exeC:\Windows\system32\Jenpajfb.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\Jniefm32.exeC:\Windows\system32\Jniefm32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Windows\SysWOW64\Klehgh32.exeC:\Windows\system32\Klehgh32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:832 -
C:\Windows\SysWOW64\Kcdjoaee.exeC:\Windows\system32\Kcdjoaee.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Kfebambf.exeC:\Windows\system32\Kfebambf.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:936 -
C:\Windows\SysWOW64\Ldoimh32.exeC:\Windows\system32\Ldoimh32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:524 -
C:\Windows\SysWOW64\Lfbbjpgd.exeC:\Windows\system32\Lfbbjpgd.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2240 -
C:\Windows\SysWOW64\Mpmcielb.exeC:\Windows\system32\Mpmcielb.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3052 -
C:\Windows\SysWOW64\Mbpipp32.exeC:\Windows\system32\Mbpipp32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1796 -
C:\Windows\SysWOW64\Mnifja32.exeC:\Windows\system32\Mnifja32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:976 -
C:\Windows\SysWOW64\Njdqka32.exeC:\Windows\system32\Njdqka32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1104 -
C:\Windows\SysWOW64\Nbbbdcgi.exeC:\Windows\system32\Nbbbdcgi.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2256 -
C:\Windows\SysWOW64\Obdojcef.exeC:\Windows\system32\Obdojcef.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1688 -
C:\Windows\SysWOW64\Omqlpp32.exeC:\Windows\system32\Omqlpp32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1900 -
C:\Windows\SysWOW64\Oanefo32.exeC:\Windows\system32\Oanefo32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1140 -
C:\Windows\SysWOW64\Pilfpqaa.exeC:\Windows\system32\Pilfpqaa.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1600 -
C:\Windows\SysWOW64\Pgpgjepk.exeC:\Windows\system32\Pgpgjepk.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2828 -
C:\Windows\SysWOW64\Pjcmap32.exeC:\Windows\system32\Pjcmap32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2492 -
C:\Windows\SysWOW64\Popeif32.exeC:\Windows\system32\Popeif32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2704 -
C:\Windows\SysWOW64\Qgmfchei.exeC:\Windows\system32\Qgmfchei.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2644 -
C:\Windows\SysWOW64\Qhmcmk32.exeC:\Windows\system32\Qhmcmk32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2536 -
C:\Windows\SysWOW64\Anlhkbhq.exeC:\Windows\system32\Anlhkbhq.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:588 -
C:\Windows\SysWOW64\Aqmamm32.exeC:\Windows\system32\Aqmamm32.exe33⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Abpjjeim.exeC:\Windows\system32\Abpjjeim.exe34⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Bcpgdhpp.exeC:\Windows\system32\Bcpgdhpp.exe35⤵
- Executes dropped EXE
PID:1272 -
C:\Windows\SysWOW64\Bbeded32.exeC:\Windows\system32\Bbeded32.exe36⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Bnldjekl.exeC:\Windows\system32\Bnldjekl.exe37⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Bammlq32.exeC:\Windows\system32\Bammlq32.exe38⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Bmcnqama.exeC:\Windows\system32\Bmcnqama.exe39⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Cjgoje32.exeC:\Windows\system32\Cjgoje32.exe40⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Cfnoogbo.exeC:\Windows\system32\Cfnoogbo.exe41⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Ccbphk32.exeC:\Windows\system32\Ccbphk32.exe42⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Clmdmm32.exeC:\Windows\system32\Clmdmm32.exe43⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Cbiiog32.exeC:\Windows\system32\Cbiiog32.exe44⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Cpmjhk32.exeC:\Windows\system32\Cpmjhk32.exe45⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Daofpchf.exeC:\Windows\system32\Daofpchf.exe46⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Dbncjf32.exeC:\Windows\system32\Dbncjf32.exe47⤵
- Executes dropped EXE
PID:1108 -
C:\Windows\SysWOW64\Dkigoimd.exeC:\Windows\system32\Dkigoimd.exe48⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Ddblgn32.exeC:\Windows\system32\Ddblgn32.exe49⤵
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Dklddhka.exeC:\Windows\system32\Dklddhka.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1584 -
C:\Windows\SysWOW64\Dhpemm32.exeC:\Windows\system32\Dhpemm32.exe51⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Dmmmfc32.exeC:\Windows\system32\Dmmmfc32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1308 -
C:\Windows\SysWOW64\Dgeaoinb.exeC:\Windows\system32\Dgeaoinb.exe53⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Epmfgo32.exeC:\Windows\system32\Epmfgo32.exe54⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Emagacdm.exeC:\Windows\system32\Emagacdm.exe55⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Eihgfd32.exeC:\Windows\system32\Eihgfd32.exe56⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Eoepnk32.exeC:\Windows\system32\Eoepnk32.exe57⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Ecbhdi32.exeC:\Windows\system32\Ecbhdi32.exe58⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Eknmhk32.exeC:\Windows\system32\Eknmhk32.exe59⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Eaheeecg.exeC:\Windows\system32\Eaheeecg.exe60⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Fpmbfbgo.exeC:\Windows\system32\Fpmbfbgo.exe61⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Famope32.exeC:\Windows\system32\Famope32.exe62⤵
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Gncldi32.exeC:\Windows\system32\Gncldi32.exe63⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Giipab32.exeC:\Windows\system32\Giipab32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:1476 -
C:\Windows\SysWOW64\Hcdnhoac.exeC:\Windows\system32\Hcdnhoac.exe65⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Hfjpdjjo.exeC:\Windows\system32\Hfjpdjjo.exe66⤵PID:2456
-
C:\Windows\SysWOW64\Hbaaik32.exeC:\Windows\system32\Hbaaik32.exe67⤵PID:268
-
C:\Windows\SysWOW64\Ieajkfmd.exeC:\Windows\system32\Ieajkfmd.exe68⤵PID:2712
-
C:\Windows\SysWOW64\Illbhp32.exeC:\Windows\system32\Illbhp32.exe69⤵PID:1456
-
C:\Windows\SysWOW64\Ijqoilii.exeC:\Windows\system32\Ijqoilii.exe70⤵PID:1252
-
C:\Windows\SysWOW64\Idicbbpi.exeC:\Windows\system32\Idicbbpi.exe71⤵PID:3064
-
C:\Windows\SysWOW64\Ihglhp32.exeC:\Windows\system32\Ihglhp32.exe72⤵PID:908
-
C:\Windows\SysWOW64\Jbqmhnbo.exeC:\Windows\system32\Jbqmhnbo.exe73⤵PID:1412
-
C:\Windows\SysWOW64\Jdpjba32.exeC:\Windows\system32\Jdpjba32.exe74⤵PID:2004
-
C:\Windows\SysWOW64\Jimbkh32.exeC:\Windows\system32\Jimbkh32.exe75⤵PID:3008
-
C:\Windows\SysWOW64\Jioopgef.exeC:\Windows\system32\Jioopgef.exe76⤵PID:2848
-
C:\Windows\SysWOW64\Jajcdjca.exeC:\Windows\system32\Jajcdjca.exe77⤵PID:2572
-
C:\Windows\SysWOW64\Jbjpom32.exeC:\Windows\system32\Jbjpom32.exe78⤵PID:2676
-
C:\Windows\SysWOW64\Klbdgb32.exeC:\Windows\system32\Klbdgb32.exe79⤵PID:2776
-
C:\Windows\SysWOW64\Kkgahoel.exeC:\Windows\system32\Kkgahoel.exe80⤵PID:844
-
C:\Windows\SysWOW64\Kgnbnpkp.exeC:\Windows\system32\Kgnbnpkp.exe81⤵PID:956
-
C:\Windows\SysWOW64\Kgqocoin.exeC:\Windows\system32\Kgqocoin.exe82⤵PID:2672
-
C:\Windows\SysWOW64\Kpicle32.exeC:\Windows\system32\Kpicle32.exe83⤵PID:944
-
C:\Windows\SysWOW64\Kpkpadnl.exeC:\Windows\system32\Kpkpadnl.exe84⤵PID:1940
-
C:\Windows\SysWOW64\Lpnmgdli.exeC:\Windows\system32\Lpnmgdli.exe85⤵PID:1920
-
C:\Windows\SysWOW64\Lhiakf32.exeC:\Windows\system32\Lhiakf32.exe86⤵PID:1488
-
C:\Windows\SysWOW64\Lcofio32.exeC:\Windows\system32\Lcofio32.exe87⤵PID:2088
-
C:\Windows\SysWOW64\Lbcbjlmb.exeC:\Windows\system32\Lbcbjlmb.exe88⤵PID:2244
-
C:\Windows\SysWOW64\Lohccp32.exeC:\Windows\system32\Lohccp32.exe89⤵PID:2944
-
C:\Windows\SysWOW64\Mjaddn32.exeC:\Windows\system32\Mjaddn32.exe90⤵PID:1468
-
C:\Windows\SysWOW64\Mcjhmcok.exeC:\Windows\system32\Mcjhmcok.exe91⤵PID:2108
-
C:\Windows\SysWOW64\Mnomjl32.exeC:\Windows\system32\Mnomjl32.exe92⤵PID:1968
-
C:\Windows\SysWOW64\Mfjann32.exeC:\Windows\system32\Mfjann32.exe93⤵
- Drops file in System32 directory
PID:1916 -
C:\Windows\SysWOW64\Mgjnhaco.exeC:\Windows\system32\Mgjnhaco.exe94⤵
- Modifies registry class
PID:2908 -
C:\Windows\SysWOW64\Mikjpiim.exeC:\Windows\system32\Mikjpiim.exe95⤵PID:2860
-
C:\Windows\SysWOW64\Mimgeigj.exeC:\Windows\system32\Mimgeigj.exe96⤵
- Modifies registry class
PID:2472 -
C:\Windows\SysWOW64\Nfahomfd.exeC:\Windows\system32\Nfahomfd.exe97⤵PID:2868
-
C:\Windows\SysWOW64\Nfdddm32.exeC:\Windows\system32\Nfdddm32.exe98⤵PID:2968
-
C:\Windows\SysWOW64\Nplimbka.exeC:\Windows\system32\Nplimbka.exe99⤵PID:1640
-
C:\Windows\SysWOW64\Nhgnaehm.exeC:\Windows\system32\Nhgnaehm.exe100⤵PID:2656
-
C:\Windows\SysWOW64\Napbjjom.exeC:\Windows\system32\Napbjjom.exe101⤵PID:2900
-
C:\Windows\SysWOW64\Nncbdomg.exeC:\Windows\system32\Nncbdomg.exe102⤵PID:928
-
C:\Windows\SysWOW64\Njjcip32.exeC:\Windows\system32\Njjcip32.exe103⤵
- Drops file in System32 directory
PID:1544 -
C:\Windows\SysWOW64\Opglafab.exeC:\Windows\system32\Opglafab.exe104⤵PID:1244
-
C:\Windows\SysWOW64\Omklkkpl.exeC:\Windows\system32\Omklkkpl.exe105⤵PID:2200
-
C:\Windows\SysWOW64\Odedge32.exeC:\Windows\system32\Odedge32.exe106⤵PID:1892
-
C:\Windows\SysWOW64\Odgamdef.exeC:\Windows\system32\Odgamdef.exe107⤵PID:2120
-
C:\Windows\SysWOW64\Opnbbe32.exeC:\Windows\system32\Opnbbe32.exe108⤵PID:1828
-
C:\Windows\SysWOW64\Oabkom32.exeC:\Windows\system32\Oabkom32.exe109⤵PID:596
-
C:\Windows\SysWOW64\Pbagipfi.exeC:\Windows\system32\Pbagipfi.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1372 -
C:\Windows\SysWOW64\Pkmlmbcd.exeC:\Windows\system32\Pkmlmbcd.exe111⤵PID:3004
-
C:\Windows\SysWOW64\Pojecajj.exeC:\Windows\system32\Pojecajj.exe112⤵PID:2576
-
C:\Windows\SysWOW64\Pdgmlhha.exeC:\Windows\system32\Pdgmlhha.exe113⤵PID:2716
-
C:\Windows\SysWOW64\Paknelgk.exeC:\Windows\system32\Paknelgk.exe114⤵
- Drops file in System32 directory
PID:1076 -
C:\Windows\SysWOW64\Pnbojmmp.exeC:\Windows\system32\Pnbojmmp.exe115⤵PID:2680
-
C:\Windows\SysWOW64\Aqbdkk32.exeC:\Windows\system32\Aqbdkk32.exe116⤵PID:1632
-
C:\Windows\SysWOW64\Boljgg32.exeC:\Windows\system32\Boljgg32.exe117⤵PID:1912
-
C:\Windows\SysWOW64\Bffbdadk.exeC:\Windows\system32\Bffbdadk.exe118⤵PID:2076
-
C:\Windows\SysWOW64\Bfioia32.exeC:\Windows\system32\Bfioia32.exe119⤵PID:2224
-
C:\Windows\SysWOW64\Cocphf32.exeC:\Windows\system32\Cocphf32.exe120⤵PID:2012
-
C:\Windows\SysWOW64\Cepipm32.exeC:\Windows\system32\Cepipm32.exe121⤵PID:1608
-
C:\Windows\SysWOW64\Cnimiblo.exeC:\Windows\system32\Cnimiblo.exe122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1164 -
C:\Windows\SysWOW64\Cjonncab.exeC:\Windows\system32\Cjonncab.exe123⤵PID:2280
-
C:\Windows\SysWOW64\Cgcnghpl.exeC:\Windows\system32\Cgcnghpl.exe124⤵PID:1596
-
C:\Windows\SysWOW64\Cmpgpond.exeC:\Windows\system32\Cmpgpond.exe125⤵PID:2624
-
C:\Windows\SysWOW64\Cgfkmgnj.exeC:\Windows\system32\Cgfkmgnj.exe126⤵PID:2416
-
C:\Windows\SysWOW64\Dcllbhdn.exeC:\Windows\system32\Dcllbhdn.exe127⤵PID:1028
-
C:\Windows\SysWOW64\Dmepkn32.exeC:\Windows\system32\Dmepkn32.exe128⤵
- Drops file in System32 directory
PID:1768 -
C:\Windows\SysWOW64\Dbaice32.exeC:\Windows\system32\Dbaice32.exe129⤵PID:1080
-
C:\Windows\SysWOW64\Dpeiligo.exeC:\Windows\system32\Dpeiligo.exe130⤵PID:2724
-
C:\Windows\SysWOW64\Dbdehdfc.exeC:\Windows\system32\Dbdehdfc.exe131⤵PID:436
-
C:\Windows\SysWOW64\Dokfme32.exeC:\Windows\system32\Dokfme32.exe132⤵PID:2292
-
C:\Windows\SysWOW64\Dlofgj32.exeC:\Windows\system32\Dlofgj32.exe133⤵PID:792
-
C:\Windows\SysWOW64\Dbiocd32.exeC:\Windows\system32\Dbiocd32.exe134⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2112 -
C:\Windows\SysWOW64\Eanldqgf.exeC:\Windows\system32\Eanldqgf.exe135⤵PID:2864
-
C:\Windows\SysWOW64\Edoefl32.exeC:\Windows\system32\Edoefl32.exe136⤵PID:2688
-
C:\Windows\SysWOW64\Eabepp32.exeC:\Windows\system32\Eabepp32.exe137⤵PID:2424
-
C:\Windows\SysWOW64\Emifeqid.exeC:\Windows\system32\Emifeqid.exe138⤵PID:2360
-
C:\Windows\SysWOW64\Eipgjaoi.exeC:\Windows\system32\Eipgjaoi.exe139⤵PID:640
-
C:\Windows\SysWOW64\Fmnopp32.exeC:\Windows\system32\Fmnopp32.exe140⤵PID:1652
-
C:\Windows\SysWOW64\Fiepea32.exeC:\Windows\system32\Fiepea32.exe141⤵PID:592
-
C:\Windows\SysWOW64\Fleifl32.exeC:\Windows\system32\Fleifl32.exe142⤵PID:2692
-
C:\Windows\SysWOW64\Fhljkm32.exeC:\Windows\system32\Fhljkm32.exe143⤵PID:1788
-
C:\Windows\SysWOW64\Goiongbc.exeC:\Windows\system32\Goiongbc.exe144⤵PID:1528
-
C:\Windows\SysWOW64\Ghacfmic.exeC:\Windows\system32\Ghacfmic.exe145⤵PID:1824
-
C:\Windows\SysWOW64\Gdhdkn32.exeC:\Windows\system32\Gdhdkn32.exe146⤵PID:3036
-
C:\Windows\SysWOW64\Gdjqamme.exeC:\Windows\system32\Gdjqamme.exe147⤵PID:2508
-
C:\Windows\SysWOW64\Gmeeepjp.exeC:\Windows\system32\Gmeeepjp.exe148⤵PID:2548
-
C:\Windows\SysWOW64\Ghlfjq32.exeC:\Windows\system32\Ghlfjq32.exe149⤵PID:1432
-
C:\Windows\SysWOW64\Hjlbdc32.exeC:\Windows\system32\Hjlbdc32.exe150⤵PID:1740
-
C:\Windows\SysWOW64\Hcdgmimg.exeC:\Windows\system32\Hcdgmimg.exe151⤵PID:1604
-
C:\Windows\SysWOW64\Hnnhngjf.exeC:\Windows\system32\Hnnhngjf.exe152⤵PID:676
-
C:\Windows\SysWOW64\Homdhjai.exeC:\Windows\system32\Homdhjai.exe153⤵PID:1964
-
C:\Windows\SysWOW64\Hnbaif32.exeC:\Windows\system32\Hnbaif32.exe154⤵PID:1568
-
C:\Windows\SysWOW64\Ikfbbjdj.exeC:\Windows\system32\Ikfbbjdj.exe155⤵PID:2840
-
C:\Windows\SysWOW64\Icafgmbe.exeC:\Windows\system32\Icafgmbe.exe156⤵
- Modifies registry class
PID:2432 -
C:\Windows\SysWOW64\Imjkpb32.exeC:\Windows\system32\Imjkpb32.exe157⤵PID:1316
-
C:\Windows\SysWOW64\Iahceq32.exeC:\Windows\system32\Iahceq32.exe158⤵PID:1936
-
C:\Windows\SysWOW64\Ijphofem.exeC:\Windows\system32\Ijphofem.exe159⤵PID:876
-
C:\Windows\SysWOW64\Ifgicg32.exeC:\Windows\system32\Ifgicg32.exe160⤵PID:1172
-
C:\Windows\SysWOW64\Ilcalnii.exeC:\Windows\system32\Ilcalnii.exe161⤵PID:2300
-
C:\Windows\SysWOW64\Jelfdc32.exeC:\Windows\system32\Jelfdc32.exe162⤵PID:2316
-
C:\Windows\SysWOW64\Jpajbl32.exeC:\Windows\system32\Jpajbl32.exe163⤵PID:1724
-
C:\Windows\SysWOW64\Jlhkgm32.exeC:\Windows\system32\Jlhkgm32.exe164⤵PID:2556
-
C:\Windows\SysWOW64\Jaecod32.exeC:\Windows\system32\Jaecod32.exe165⤵PID:1008
-
C:\Windows\SysWOW64\Jagpdd32.exeC:\Windows\system32\Jagpdd32.exe166⤵PID:1708
-
C:\Windows\SysWOW64\Jfdhmk32.exeC:\Windows\system32\Jfdhmk32.exe167⤵PID:2736
-
C:\Windows\SysWOW64\Khohkamc.exeC:\Windows\system32\Khohkamc.exe168⤵
- Modifies registry class
PID:1700 -
C:\Windows\SysWOW64\Kechdf32.exeC:\Windows\system32\Kechdf32.exe169⤵PID:1748
-
C:\Windows\SysWOW64\Kajiigba.exeC:\Windows\system32\Kajiigba.exe170⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2396 -
C:\Windows\SysWOW64\Lonibk32.exeC:\Windows\system32\Lonibk32.exe171⤵PID:2588
-
C:\Windows\SysWOW64\Lopfhk32.exeC:\Windows\system32\Lopfhk32.exe172⤵PID:2156
-
C:\Windows\SysWOW64\Lkggmldl.exeC:\Windows\system32\Lkggmldl.exe173⤵PID:2308
-
C:\Windows\SysWOW64\Laqojfli.exeC:\Windows\system32\Laqojfli.exe174⤵PID:2496
-
C:\Windows\SysWOW64\Lcdhgn32.exeC:\Windows\system32\Lcdhgn32.exe175⤵
- Modifies registry class
PID:2212 -
C:\Windows\SysWOW64\Mphiqbon.exeC:\Windows\system32\Mphiqbon.exe176⤵
- Modifies registry class
PID:2144 -
C:\Windows\SysWOW64\Mjqmig32.exeC:\Windows\system32\Mjqmig32.exe177⤵PID:1744
-
C:\Windows\SysWOW64\Mblbnj32.exeC:\Windows\system32\Mblbnj32.exe178⤵PID:2488
-
C:\Windows\SysWOW64\Mdmkoepk.exeC:\Windows\system32\Mdmkoepk.exe179⤵PID:1720
-
C:\Windows\SysWOW64\Mbqkiind.exeC:\Windows\system32\Mbqkiind.exe180⤵PID:900
-
C:\Windows\SysWOW64\Modlbmmn.exeC:\Windows\system32\Modlbmmn.exe181⤵PID:836
-
C:\Windows\SysWOW64\Ngpqfp32.exeC:\Windows\system32\Ngpqfp32.exe182⤵PID:840
-
C:\Windows\SysWOW64\Nqhepeai.exeC:\Windows\system32\Nqhepeai.exe183⤵PID:2412
-
C:\Windows\SysWOW64\Ncinap32.exeC:\Windows\system32\Ncinap32.exe184⤵PID:2936
-
C:\Windows\SysWOW64\Nmabjfek.exeC:\Windows\system32\Nmabjfek.exe185⤵PID:1704
-
C:\Windows\SysWOW64\Njeccjcd.exeC:\Windows\system32\Njeccjcd.exe186⤵PID:2612
-
C:\Windows\SysWOW64\Ncmglp32.exeC:\Windows\system32\Ncmglp32.exe187⤵PID:1096
-
C:\Windows\SysWOW64\Ncpdbohb.exeC:\Windows\system32\Ncpdbohb.exe188⤵PID:1424
-
C:\Windows\SysWOW64\Omhhke32.exeC:\Windows\system32\Omhhke32.exe189⤵PID:1764
-
C:\Windows\SysWOW64\Oioipf32.exeC:\Windows\system32\Oioipf32.exe190⤵PID:2152
-
C:\Windows\SysWOW64\Oajndh32.exeC:\Windows\system32\Oajndh32.exe191⤵PID:3084
-
C:\Windows\SysWOW64\Onnnml32.exeC:\Windows\system32\Onnnml32.exe192⤵PID:3124
-
C:\Windows\SysWOW64\Ojeobm32.exeC:\Windows\system32\Ojeobm32.exe193⤵
- Drops file in System32 directory
PID:3164 -
C:\Windows\SysWOW64\Ojglhm32.exeC:\Windows\system32\Ojglhm32.exe194⤵PID:3204
-
C:\Windows\SysWOW64\Paaddgkj.exeC:\Windows\system32\Paaddgkj.exe195⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3244 -
C:\Windows\SysWOW64\Piliii32.exeC:\Windows\system32\Piliii32.exe196⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3284 -
C:\Windows\SysWOW64\Pbemboof.exeC:\Windows\system32\Pbemboof.exe197⤵PID:3324
-
C:\Windows\SysWOW64\Ppinkcnp.exeC:\Windows\system32\Ppinkcnp.exe198⤵PID:3364
-
C:\Windows\SysWOW64\Pfbfhm32.exeC:\Windows\system32\Pfbfhm32.exe199⤵PID:3404
-
C:\Windows\SysWOW64\Ponklpcg.exeC:\Windows\system32\Ponklpcg.exe200⤵
- Drops file in System32 directory
PID:3444 -
C:\Windows\SysWOW64\Pblcbn32.exeC:\Windows\system32\Pblcbn32.exe201⤵PID:3484
-
C:\Windows\SysWOW64\Qldhkc32.exeC:\Windows\system32\Qldhkc32.exe202⤵PID:3524
-
C:\Windows\SysWOW64\Qdompf32.exeC:\Windows\system32\Qdompf32.exe203⤵PID:3568
-
C:\Windows\SysWOW64\Agpeaa32.exeC:\Windows\system32\Agpeaa32.exe204⤵PID:3608
-
C:\Windows\SysWOW64\Addfkeid.exeC:\Windows\system32\Addfkeid.exe205⤵PID:3648
-
C:\Windows\SysWOW64\Adfbpega.exeC:\Windows\system32\Adfbpega.exe206⤵PID:3688
-
C:\Windows\SysWOW64\Alageg32.exeC:\Windows\system32\Alageg32.exe207⤵PID:3728
-
C:\Windows\SysWOW64\Apppkekc.exeC:\Windows\system32\Apppkekc.exe208⤵PID:3768
-
C:\Windows\SysWOW64\Agihgp32.exeC:\Windows\system32\Agihgp32.exe209⤵PID:3808
-
C:\Windows\SysWOW64\Bacihmoo.exeC:\Windows\system32\Bacihmoo.exe210⤵
- Drops file in System32 directory
PID:3848 -
C:\Windows\SysWOW64\Bogjaamh.exeC:\Windows\system32\Bogjaamh.exe211⤵PID:3888
-
C:\Windows\SysWOW64\Blkjkflb.exeC:\Windows\system32\Blkjkflb.exe212⤵PID:3928
-
C:\Windows\SysWOW64\Bgdkkc32.exeC:\Windows\system32\Bgdkkc32.exe213⤵PID:3968
-
C:\Windows\SysWOW64\Bdhleh32.exeC:\Windows\system32\Bdhleh32.exe214⤵PID:4008
-
C:\Windows\SysWOW64\Bjedmo32.exeC:\Windows\system32\Bjedmo32.exe215⤵PID:4052
-
C:\Windows\SysWOW64\Cgidfcdk.exeC:\Windows\system32\Cgidfcdk.exe216⤵PID:4092
-
C:\Windows\SysWOW64\Cdmepgce.exeC:\Windows\system32\Cdmepgce.exe217⤵PID:3116
-
C:\Windows\SysWOW64\Elgfkhpi.exeC:\Windows\system32\Elgfkhpi.exe218⤵PID:3172
-
C:\Windows\SysWOW64\Fdgdji32.exeC:\Windows\system32\Fdgdji32.exe219⤵PID:3220
-
C:\Windows\SysWOW64\Fggmldfp.exeC:\Windows\system32\Fggmldfp.exe220⤵PID:3268
-
C:\Windows\SysWOW64\Fppaej32.exeC:\Windows\system32\Fppaej32.exe221⤵PID:3316
-
C:\Windows\SysWOW64\Fpbnjjkm.exeC:\Windows\system32\Fpbnjjkm.exe222⤵PID:3384
-
C:\Windows\SysWOW64\Fliook32.exeC:\Windows\system32\Fliook32.exe223⤵PID:3424
-
C:\Windows\SysWOW64\Gpggei32.exeC:\Windows\system32\Gpggei32.exe224⤵
- Drops file in System32 directory
PID:3476 -
C:\Windows\SysWOW64\Giolnomh.exeC:\Windows\system32\Giolnomh.exe225⤵PID:3520
-
C:\Windows\SysWOW64\Gajqbakc.exeC:\Windows\system32\Gajqbakc.exe226⤵PID:3544
-
C:\Windows\SysWOW64\Gonale32.exeC:\Windows\system32\Gonale32.exe227⤵PID:3624
-
C:\Windows\SysWOW64\Gkebafoa.exeC:\Windows\system32\Gkebafoa.exe228⤵PID:3672
-
C:\Windows\SysWOW64\Gekfnoog.exeC:\Windows\system32\Gekfnoog.exe229⤵PID:3736
-
C:\Windows\SysWOW64\Gqdgom32.exeC:\Windows\system32\Gqdgom32.exe230⤵PID:3776
-
C:\Windows\SysWOW64\Hjmlhbbg.exeC:\Windows\system32\Hjmlhbbg.exe231⤵PID:3828
-
C:\Windows\SysWOW64\Hgqlafap.exeC:\Windows\system32\Hgqlafap.exe232⤵PID:3872
-
C:\Windows\SysWOW64\Hmmdin32.exeC:\Windows\system32\Hmmdin32.exe233⤵PID:3916
-
C:\Windows\SysWOW64\Hqkmplen.exeC:\Windows\system32\Hqkmplen.exe234⤵PID:3952
-
C:\Windows\SysWOW64\Hfhfhbce.exeC:\Windows\system32\Hfhfhbce.exe235⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4024 -
C:\Windows\SysWOW64\Hfjbmb32.exeC:\Windows\system32\Hfjbmb32.exe236⤵PID:4064
-
C:\Windows\SysWOW64\Ikgkei32.exeC:\Windows\system32\Ikgkei32.exe237⤵PID:3104
-
C:\Windows\SysWOW64\Imggplgm.exeC:\Windows\system32\Imggplgm.exe238⤵PID:3156
-
C:\Windows\SysWOW64\Iebldo32.exeC:\Windows\system32\Iebldo32.exe239⤵PID:3236
-
C:\Windows\SysWOW64\Ibfmmb32.exeC:\Windows\system32\Ibfmmb32.exe240⤵PID:3292
-
C:\Windows\SysWOW64\Inmmbc32.exeC:\Windows\system32\Inmmbc32.exe241⤵PID:3340
-
C:\Windows\SysWOW64\Icifjk32.exeC:\Windows\system32\Icifjk32.exe242⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3412