Analysis
max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 01-06-2024 22:26
Behavioral task: behavioral1
Sample: 02de46bc365f9d1ab305012dc3edad50_NeikiAnalytics.exe
Resource: win7-20231129-en
Behavioral task: behavioral2
Sample: 02de46bc365f9d1ab305012dc3edad50_NeikiAnalytics.exe
Resource: win10v2004-20240226-en
General
Target: 02de46bc365f9d1ab305012dc3edad50_NeikiAnalytics.exe
Size: 276KB
MD5: 02de46bc365f9d1ab305012dc3edad50
SHA1: 7ac5c0d1306ffa50fcd378a5d77dfb298139d48e
SHA256: a01a77d60f0ea0befdc79c56015eafa768e385d3f2df503737edae07f0591bfa
SHA512: 7b168ea776985d4275335fa83954a0793e79004fa6e56e48a4eb03ccde0b6d5192a5bbe11c4225f7b1e99eb8c7f2fa83a25641f39bb2d0601c2f87299127d98a
SSDEEP: 6144:zH2wXdShrydWZHEFJ7aWN1rtMsQBOSGaF+:z2KS+2HEGWN1RMs1S7
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
Process: WerFault.exe, pid 8560, pid_target 8444
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 02de46bc365f9d1ab305012dc3edad50_NeikiAnalytics.exe, Iidbke32.exe, Icjfhn32.exe, Iigoqe32.exe, Iclcnnji.exe, Ifkojiim.exe, Ikggbpgd.exe, Infdolgh.exe, Ifmlpigj.exe, Jilhldfn.exe, Jgnhga32.exe, Jbdlejmn.exe, Jedefejo.exe, Jgcabqic.exe, Jakfkfpc.exe, Jcjbgaog.exe
description | pid | process | target process
(each of the 16 parent/child rows below was recorded four times, giving the 64 IoCs)
PID 2088 wrote to memory of 2208 | 2088 | 02de46bc365f9d1ab305012dc3edad50_NeikiAnalytics.exe | Iidbke32.exe
PID 2208 wrote to memory of 3068 | 2208 | Iidbke32.exe | Icjfhn32.exe
PID 3068 wrote to memory of 2592 | 3068 | Icjfhn32.exe | Iigoqe32.exe
PID 2592 wrote to memory of 2568 | 2592 | Iigoqe32.exe | Iclcnnji.exe
PID 2568 wrote to memory of 2868 | 2568 | Iclcnnji.exe | Ifkojiim.exe
PID 2868 wrote to memory of 2508 | 2868 | Ifkojiim.exe | Ikggbpgd.exe
PID 2508 wrote to memory of 2872 | 2508 | Ikggbpgd.exe | Infdolgh.exe
PID 2872 wrote to memory of 3044 | 2872 | Infdolgh.exe | Ifmlpigj.exe
PID 3044 wrote to memory of 3016 | 3044 | Ifmlpigj.exe | Jilhldfn.exe
PID 3016 wrote to memory of 2648 | 3016 | Jilhldfn.exe | Jgnhga32.exe
PID 2648 wrote to memory of 2816 | 2648 | Jgnhga32.exe | Jbdlejmn.exe
PID 2816 wrote to memory of 1940 | 2816 | Jbdlejmn.exe | Jedefejo.exe
PID 1940 wrote to memory of 1620 | 1940 | Jedefejo.exe | Jgcabqic.exe
PID 1620 wrote to memory of 2212 | 1620 | Jgcabqic.exe | Jakfkfpc.exe
PID 2212 wrote to memory of 1892 | 2212 | Jakfkfpc.exe | Jcjbgaog.exe
PID 1892 wrote to memory of 276 | 1892 | Jcjbgaog.exe | Jfhocmnk.exe
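Read together, the two signature tables above describe one persistence mechanism and one propagation pattern. The ShellServiceObjectDelayLoad (SSODL) value "Web Event Logger" names CLSID {79FAA099-1BAE-816E-D711-115290CEE717}; Explorer instantiates every CLSID listed under that key when the shell starts, so whatever DLL is registered as the CLSID's InProcServer32 default value is loaded into explorer.exe. Each dropped executable in the chain re-points that InProcServer32 at a freshly dropped DLL in SysWow64 (Fabnbook.dll, Ofbjgh32.dll, Mdhbbiki.dll, Pgicjg32.dll, Qcfkhh32.dll, Ajenen32.dll, Fncann32.dll, Hllopfgo.dll, Bnhgoq32.dll, Hdihmjpf.dll and Anllbdkl.dll in this section) and sets ThreadingModel = "Apartment", which is the ordinary COM setting and not suspicious on its own. Three caveats for anyone hunting this on a live host. First, the sample is 32-bit: its command lines name C:\Windows\system32\ while the images run from C:\Windows\SysWOW64\ (the WOW64 file-system redirector), and both registry keys landed under Wow6432Node, which the native 64-bit explorer.exe does not consult, so check both views of the SSODL key and treat any value name you cannot account for as suspect (a stock install carries very few). Second, a small fixed number of WriteProcessMemory calls from each parent into the child it has just created is consistent with plain CreateProcess, which writes the child's startup parameters into it, so that signature by itself is not evidence of injection; the finding is the chain of dropped executables, each spawning the next. Third, the autorun is only as good as the last DLL written, so the IoC to carry forward is the CLSID plus every DLL path ever registered under it.

The parser below is an added example for this page, not the sandbox's tooling or anything from the sample. It reads the two record types in the report's text layout (an assumption about that layout, taken from the rows above), resolves SSODL entry to CLSID to the DLLs registered as that CLSID's InProcServer32, and collapses the WriteProcessMemory rows into the ordered spawn chain with a per-edge write count. The sample rows are copied from the report; the names SAMPLE_RECORDS, parse_registry, persistence_chain and spawn_chain are chosen here.

```python
"""Parse the registry and WriteProcessMemory records of the sandbox report
above and derive (a) the SSODL persistence chain and (b) the spawn chain.

Added example for this page; not the sandbox's tooling or the sample's code.
Assumed record layout (from the report text):
  '<action> <key path>[ = "<data>"] <writing process>'        registry rows
  'PID <p> wrote to memory of <c> <p> <parent exe> <child exe>'  WPM rows
"""
import re
from collections import defaultdict

# Constructed sample input: rows copied from the report text above.
SAMPLE_RECORDS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lbnemk32.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mkgfckcj.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fabnbook.dll" Alenki32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hjjddchg.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofbjgh32.dll" Mlkopcge.exe',
    'PID 2088 wrote to memory of 2208 2088 02de46bc365f9d1ab305012dc3edad50_NeikiAnalytics.exe Iidbke32.exe',
    'PID 2088 wrote to memory of 2208 2088 02de46bc365f9d1ab305012dc3edad50_NeikiAnalytics.exe Iidbke32.exe',
    'PID 2208 wrote to memory of 3068 2208 Iidbke32.exe Icjfhn32.exe',
    'PID 3068 wrote to memory of 2592 3068 Icjfhn32.exe Iigoqe32.exe',
]

REG_RE = re.compile(r'^(Key created|Set value \([a-z]+\)) (.*) (\S+\.exe)$')
WPM_RE = re.compile(r'^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$')
CLSID_RE = re.compile(r'\\CLSID\\(\{[0-9A-Fa-f-]+\})\\InProcServer32$')


def parse_registry(line):
    """Split one registry row into action, key, value name, data and writer."""
    m = REG_RE.match(line)
    if not m:
        return None
    action, body, proc = m.groups()
    if action == 'Key created':
        return {'action': action, 'key': body, 'value': None,
                'data': None, 'process': proc}
    # body is '<key>\<value> = "<data>"'; a trailing '\' means the default
    # value, and the report doubles backslashes inside quoted data
    body, _, data = body.rpartition(' = ')
    data = data.strip('"').replace('\\\\', '\\')
    key, _, value = body.rpartition('\\')
    return {'action': action, 'key': key, 'value': value or '(Default)',
            'data': data, 'process': proc}


def persistence_chain(lines):
    """SSODL value name -> (CLSID, sorted DLLs registered as its InProcServer32).

    Explorer instantiates every CLSID under ShellServiceObjectDelayLoad when the
    shell starts, so those DLLs are the code that ends up inside explorer.exe."""
    ssodl, servers = {}, defaultdict(set)
    for line in lines:
        rec = parse_registry(line)
        if not rec or rec['action'] == 'Key created':
            continue
        if rec['key'].endswith('\\ShellServiceObjectDelayLoad'):
            ssodl[rec['value']] = rec['data']
        m = CLSID_RE.search(rec['key'])
        if m and rec['value'] == '(Default)':
            servers[m.group(1).upper()].add(rec['data'])
    return {name: (clsid, sorted(servers.get(clsid.upper(), ())))
            for name, clsid in ssodl.items()}


def spawn_chain(lines):
    """Collapse the WriteProcessMemory rows into the ordered parent->child chain.

    Returns [(pid, image name, writes received from its parent), ...]; the root
    carries None. This report's chain is linear, so a branching tree is rejected."""
    edges = {}  # (parent pid, child pid) -> [parent name, child name, writes]
    for line in lines:
        m = WPM_RE.match(line)
        if not m:
            continue
        ppid, cpid = int(m.group(1)), int(m.group(2))
        edges.setdefault((ppid, cpid), [m.group(3), m.group(4), 0])[2] += 1
    child_of = {}
    for ppid, cpid in edges:
        if child_of.setdefault(ppid, cpid) != cpid:
            raise ValueError('pid %d has several children; not a linear chain' % ppid)
    roots = [p for p in child_of if p not in {c for _, c in edges}]
    if len(roots) != 1:
        raise ValueError('expected one chain root, found %d' % len(roots))
    pid = roots[0]
    chain = [(pid, edges[(pid, child_of[pid])][0], None)]
    while pid in child_of:
        cpid = child_of[pid]
        _, cname, writes = edges[(pid, cpid)]
        chain.append((cpid, cname, writes))
        pid = cpid
    return chain


if __name__ == '__main__':
    for name, (clsid, dlls) in persistence_chain(SAMPLE_RECORDS).items():
        print('SSODL %r -> %s -> %s' % (name, clsid, ', '.join(dlls)))
    print(' -> '.join('%s[%d]' % (n, p) for p, n, _ in spawn_chain(SAMPLE_RECORDS)))
```

Run it as-is to print the two chains for the sample rows; to triage the whole report, feed it every row of the two signature tables, one record per line. All SSODL entries here share a single CLSID, but the map keeps several apart when a report has them, and the per-edge write count makes the uniform "four writes per child" pattern visible at a glance.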
Processes
-
Format: depth. image path  PID  cmd: command line as recorded; the sandbox flags raised for that process follow on indented lines. Each entry is nested one level under the previous one.
1. C:\Users\Admin\AppData\Local\Temp\02de46bc365f9d1ab305012dc3edad50_NeikiAnalytics.exe  PID 2088  cmd: "C:\Users\Admin\AppData\Local\Temp\02de46bc365f9d1ab305012dc3edad50_NeikiAnalytics.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Iidbke32.exe  PID 2208  cmd: C:\Windows\system32\Iidbke32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Icjfhn32.exe  PID 3068  cmd: C:\Windows\system32\Icjfhn32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Iigoqe32.exe  PID 2592  cmd: C:\Windows\system32\Iigoqe32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Iclcnnji.exe  PID 2568  cmd: C:\Windows\system32\Iclcnnji.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Ifkojiim.exe  PID 2868  cmd: C:\Windows\system32\Ifkojiim.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Ikggbpgd.exe  PID 2508  cmd: C:\Windows\system32\Ikggbpgd.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Infdolgh.exe  PID 2872  cmd: C:\Windows\system32\Infdolgh.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Ifmlpigj.exe  PID 3044  cmd: C:\Windows\system32\Ifmlpigj.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Jilhldfn.exe  PID 3016  cmd: C:\Windows\system32\Jilhldfn.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Jgnhga32.exe  PID 2648  cmd: C:\Windows\system32\Jgnhga32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Jbdlejmn.exe  PID 2816  cmd: C:\Windows\system32\Jbdlejmn.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Jedefejo.exe  PID 1940  cmd: C:\Windows\system32\Jedefejo.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Jgcabqic.exe  PID 1620  cmd: C:\Windows\system32\Jgcabqic.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Jakfkfpc.exe  PID 2212  cmd: C:\Windows\system32\Jakfkfpc.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Jcjbgaog.exe  PID 1892  cmd: C:\Windows\system32\Jcjbgaog.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Jfhocmnk.exe  PID 276  cmd: C:\Windows\system32\Jfhocmnk.exe
   - Executes dropped EXE
   - Loads dropped DLL
18. C:\Windows\SysWOW64\Jjdkdl32.exe  PID 2324  cmd: C:\Windows\system32\Jjdkdl32.exe
   - Executes dropped EXE
   - Loads dropped DLL
19. C:\Windows\SysWOW64\Jmbgpg32.exe  PID 356  cmd: C:\Windows\system32\Jmbgpg32.exe
   - Executes dropped EXE
   - Loads dropped DLL
20. C:\Windows\SysWOW64\Jpqclb32.exe  PID 2140  cmd: C:\Windows\system32\Jpqclb32.exe
   - Executes dropped EXE
   - Loads dropped DLL
21. C:\Windows\SysWOW64\Kjhdokbo.exe  PID 1812  cmd: C:\Windows\system32\Kjhdokbo.exe
   - Executes dropped EXE
   - Loads dropped DLL
22. C:\Windows\SysWOW64\Kmgpkfab.exe  PID 1948  cmd: C:\Windows\system32\Kmgpkfab.exe
   - Executes dropped EXE
   - Loads dropped DLL
23. C:\Windows\SysWOW64\Kpemgbqf.exe  PID 2428  cmd: C:\Windows\system32\Kpemgbqf.exe
   - Executes dropped EXE
   - Loads dropped DLL
24. C:\Windows\SysWOW64\Kebepion.exe  PID 2372  cmd: C:\Windows\system32\Kebepion.exe
   - Executes dropped EXE
   - Loads dropped DLL
25. C:\Windows\SysWOW64\Kinaqg32.exe  PID 1504  cmd: C:\Windows\system32\Kinaqg32.exe
   - Executes dropped EXE
   - Loads dropped DLL
26. C:\Windows\SysWOW64\Kllmmc32.exe  PID 2156  cmd: C:\Windows\system32\Kllmmc32.exe
   - Executes dropped EXE
   - Loads dropped DLL
27. C:\Windows\SysWOW64\Knjiin32.exe  PID 3064  cmd: C:\Windows\system32\Knjiin32.exe
   - Executes dropped EXE
   - Loads dropped DLL
28. C:\Windows\SysWOW64\Kbfeimng.exe  PID 2536  cmd: C:\Windows\system32\Kbfeimng.exe
   - Executes dropped EXE
   - Loads dropped DLL
29. C:\Windows\SysWOW64\Khcnad32.exe  PID 2784  cmd: C:\Windows\system32\Khcnad32.exe
   - Executes dropped EXE
   - Loads dropped DLL
30. C:\Windows\SysWOW64\Kpjfba32.exe  PID 2624  cmd: C:\Windows\system32\Kpjfba32.exe
   - Executes dropped EXE
   - Loads dropped DLL
31. C:\Windows\SysWOW64\Komfnnck.exe  PID 2740  cmd: C:\Windows\system32\Komfnnck.exe
   - Executes dropped EXE
   - Loads dropped DLL
32. C:\Windows\SysWOW64\Kbhbom32.exe  PID 2760  cmd: C:\Windows\system32\Kbhbom32.exe
   - Executes dropped EXE
   - Loads dropped DLL
33. C:\Windows\SysWOW64\Kegnkh32.exe  PID 2332  cmd: C:\Windows\system32\Kegnkh32.exe
   - Executes dropped EXE
34. C:\Windows\SysWOW64\Kibjkgca.exe  PID 1240  cmd: C:\Windows\system32\Kibjkgca.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
35. C:\Windows\SysWOW64\Kjcgco32.exe  PID 1712  cmd: C:\Windows\system32\Kjcgco32.exe
   - Executes dropped EXE
   - Modifies registry class
36. C:\Windows\SysWOW64\Koocdnai.exe  PID 2716  cmd: C:\Windows\system32\Koocdnai.exe
   - Executes dropped EXE
37. C:\Windows\SysWOW64\Kbkodl32.exe  PID 2852  cmd: C:\Windows\system32\Kbkodl32.exe
   - Executes dropped EXE
38. C:\Windows\SysWOW64\Lhggmchi.exe  PID 1944  cmd: C:\Windows\system32\Lhggmchi.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
39. C:\Windows\SysWOW64\Lkfciogm.exe  PID 2340  cmd: C:\Windows\system32\Lkfciogm.exe
   - Executes dropped EXE
40. C:\Windows\SysWOW64\Lekhfgfc.exe  PID 1888  cmd: C:\Windows\system32\Lekhfgfc.exe
   - Executes dropped EXE
   - Drops file in System32 directory
41. C:\Windows\SysWOW64\Ldnhad32.exe  PID 2652  cmd: C:\Windows\system32\Ldnhad32.exe
   - Executes dropped EXE
42. C:\Windows\SysWOW64\Lfmdnp32.exe  PID 2224  cmd: C:\Windows\system32\Lfmdnp32.exe
   - Executes dropped EXE
43. C:\Windows\SysWOW64\Lkhpnnej.exe  PID 1516  cmd: C:\Windows\system32\Lkhpnnej.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
44. C:\Windows\SysWOW64\Lmgmjjdn.exe  PID 2044  cmd: C:\Windows\system32\Lmgmjjdn.exe
   - Executes dropped EXE
45. C:\Windows\SysWOW64\Labhkh32.exe  PID 2908  cmd: C:\Windows\system32\Labhkh32.exe
   - Executes dropped EXE
46. C:\Windows\SysWOW64\Lpeifeca.exe  PID 1900  cmd: C:\Windows\system32\Lpeifeca.exe
   - Executes dropped EXE
47. C:\Windows\SysWOW64\Lhlqhb32.exe  PID 3000  cmd: C:\Windows\system32\Lhlqhb32.exe
   - Executes dropped EXE
48. C:\Windows\SysWOW64\Lgoacojo.exe  PID 2004  cmd: C:\Windows\system32\Lgoacojo.exe
   - Executes dropped EXE
49. C:\Windows\SysWOW64\Lkkmdn32.exe  PID 2152  cmd: C:\Windows\system32\Lkkmdn32.exe
   - Executes dropped EXE
50. C:\Windows\SysWOW64\Lmiipi32.exe  PID 3052  cmd: C:\Windows\system32\Lmiipi32.exe
   - Executes dropped EXE
51. C:\Windows\SysWOW64\Ladeqhjd.exe  PID 2604  cmd: C:\Windows\system32\Ladeqhjd.exe
   - Executes dropped EXE
52. C:\Windows\SysWOW64\Lpgele32.exe  PID 2456  cmd: C:\Windows\system32\Lpgele32.exe
   - Executes dropped EXE
53. C:\Windows\SysWOW64\Lbfahp32.exe  PID 1368  cmd: C:\Windows\system32\Lbfahp32.exe
   - Executes dropped EXE
54. C:\Windows\SysWOW64\Lganiohl.exe  PID 2476  cmd: C:\Windows\system32\Lganiohl.exe
   - Executes dropped EXE
55. C:\Windows\SysWOW64\Lganiohl.exe  PID 1632  cmd: C:\Windows\system32\Lganiohl.exe
   - Executes dropped EXE
56. C:\Windows\SysWOW64\Lkmjin32.exe  PID 2748  cmd: C:\Windows\system32\Lkmjin32.exe
   - Executes dropped EXE
57. C:\Windows\SysWOW64\Lmkfei32.exe  PID 912  cmd: C:\Windows\system32\Lmkfei32.exe
   - Executes dropped EXE
58. C:\Windows\SysWOW64\Lpjbad32.exe  PID 1156  cmd: C:\Windows\system32\Lpjbad32.exe
   - Executes dropped EXE
59. C:\Windows\SysWOW64\Ldenbcge.exe  PID 2892  cmd: C:\Windows\system32\Ldenbcge.exe
   - Executes dropped EXE
60. C:\Windows\SysWOW64\Lchnnp32.exe  PID 2268  cmd: C:\Windows\system32\Lchnnp32.exe
   - Executes dropped EXE
61. C:\Windows\SysWOW64\Lgdjnofi.exe  PID 2136  cmd: C:\Windows\system32\Lgdjnofi.exe
   - Executes dropped EXE
62. C:\Windows\SysWOW64\Libgjj32.exe  PID 1608  cmd: C:\Windows\system32\Libgjj32.exe
   - Executes dropped EXE
63. C:\Windows\SysWOW64\Lmnbkinf.exe  PID 2692  cmd: C:\Windows\system32\Lmnbkinf.exe
   - Executes dropped EXE
64. C:\Windows\SysWOW64\Llqcfe32.exe  PID 2384  cmd: C:\Windows\system32\Llqcfe32.exe
   - Executes dropped EXE
65. C:\Windows\SysWOW64\Loooca32.exe  PID 2228  cmd: C:\Windows\system32\Loooca32.exe
   - Executes dropped EXE
66. C:\Windows\SysWOW64\Mcjkcplm.exe  PID 2764  cmd: C:\Windows\system32\Mcjkcplm.exe
67. C:\Windows\SysWOW64\Mgfgdn32.exe  PID 2900  cmd: C:\Windows\system32\Mgfgdn32.exe
68. C:\Windows\SysWOW64\Meigpkka.exe  PID 1628  cmd: C:\Windows\system32\Meigpkka.exe
69. C:\Windows\SysWOW64\Mhgclfje.exe  PID 896  cmd: C:\Windows\system32\Mhgclfje.exe
70. C:\Windows\SysWOW64\Mlcple32.exe  PID 1924  cmd: C:\Windows\system32\Mlcple32.exe
71. C:\Windows\SysWOW64\Mpolmdkg.exe  PID 2756  cmd: C:\Windows\system32\Mpolmdkg.exe
72. C:\Windows\SysWOW64\Moalhq32.exe  PID 2520  cmd: C:\Windows\system32\Moalhq32.exe
73. C:\Windows\SysWOW64\Maphdl32.exe  PID 2848  cmd: C:\Windows\system32\Maphdl32.exe
74. C:\Windows\SysWOW64\Mekdekin.exe  PID 2980  cmd: C:\Windows\system32\Mekdekin.exe
75. C:\Windows\SysWOW64\Migpeiag.exe  PID 2680  cmd: C:\Windows\system32\Migpeiag.exe
76. C:\Windows\SysWOW64\Mlelaeqk.exe  PID 2924  cmd: C:\Windows\system32\Mlelaeqk.exe
77. C:\Windows\SysWOW64\Mkhmma32.exe  PID 2096  cmd: C:\Windows\system32\Mkhmma32.exe
78. C:\Windows\SysWOW64\Mochnppo.exe  PID 1396  cmd: C:\Windows\system32\Mochnppo.exe
79. C:\Windows\SysWOW64\Mcodno32.exe  PID 716  cmd: C:\Windows\system32\Mcodno32.exe
   - Modifies registry class
80. C:\Windows\SysWOW64\Menakj32.exe  PID 1176  cmd: C:\Windows\system32\Menakj32.exe
81. C:\Windows\SysWOW64\Mdqafgnf.exe  PID 1472  cmd: C:\Windows\system32\Mdqafgnf.exe
   - Modifies registry class
82. C:\Windows\SysWOW64\Mhlmgf32.exe  PID 2420  cmd: C:\Windows\system32\Mhlmgf32.exe
83. C:\Windows\SysWOW64\Mkjica32.exe  PID 1496  cmd: C:\Windows\system32\Mkjica32.exe
84. C:\Windows\SysWOW64\Mofecpnl.exe  PID 1800  cmd: C:\Windows\system32\Mofecpnl.exe
   - Drops file in System32 directory
85. C:\Windows\SysWOW64\Mnieom32.exe  PID 2772  cmd: C:\Windows\system32\Mnieom32.exe
86. C:\Windows\SysWOW64\Mepnpj32.exe  PID 2164  cmd: C:\Windows\system32\Mepnpj32.exe
87. C:\Windows\SysWOW64\Mdcnlglc.exe  PID 2016  cmd: C:\Windows\system32\Mdcnlglc.exe
88. C:\Windows\SysWOW64\Mhnjle32.exe  PID 2768  cmd: C:\Windows\system32\Mhnjle32.exe
89. C:\Windows\SysWOW64\Mgajhbkg.exe  PID 940  cmd: C:\Windows\system32\Mgajhbkg.exe
90. C:\Windows\SysWOW64\Mohbip32.exe  PID 1152  cmd: C:\Windows\system32\Mohbip32.exe
91. C:\Windows\SysWOW64\Mnkbdlbd.exe  PID 2444  cmd: C:\Windows\system32\Mnkbdlbd.exe
92. C:\Windows\SysWOW64\Mpjoqhah.exe  PID 3024  cmd: C:\Windows\system32\Mpjoqhah.exe
93. C:\Windows\SysWOW64\Mkobnqan.exe  PID 2060  cmd: C:\Windows\system32\Mkobnqan.exe
94. C:\Windows\SysWOW64\Njbcim32.exe  PID 1188  cmd: C:\Windows\system32\Njbcim32.exe
95. C:\Windows\SysWOW64\Naikkk32.exe  PID 920  cmd: C:\Windows\system32\Naikkk32.exe
   - Modifies registry class
96. C:\Windows\SysWOW64\Nplkfgoe.exe  PID 1196  cmd: C:\Windows\system32\Nplkfgoe.exe
97. C:\Windows\SysWOW64\Ncjgbcoi.exe  PID 2304  cmd: C:\Windows\system32\Ncjgbcoi.exe
98. C:\Windows\SysWOW64\Ngfcca32.exe  PID 2148  cmd: C:\Windows\system32\Ngfcca32.exe
99. C:\Windows\SysWOW64\Nkaocp32.exe  PID 2364  cmd: C:\Windows\system32\Nkaocp32.exe
100. C:\Windows\SysWOW64\Nnplpl32.exe  PID 616  cmd: C:\Windows\system32\Nnplpl32.exe
101. C:\Windows\SysWOW64\Npnhlg32.exe  PID 1748  cmd: C:\Windows\system32\Npnhlg32.exe
102. C:\Windows\SysWOW64\Ncmdhb32.exe  PID 1864  cmd: C:\Windows\system32\Ncmdhb32.exe
103. C:\Windows\SysWOW64\Nghphaeo.exe  PID 2724  cmd: C:\Windows\system32\Nghphaeo.exe
104. C:\Windows\SysWOW64\Nfkpdn32.exe  PID 2240  cmd: C:\Windows\system32\Nfkpdn32.exe
105. C:\Windows\SysWOW64\Nnbhek32.exe  PID 2688  cmd: C:\Windows\system32\Nnbhek32.exe
106. C:\Windows\SysWOW64\Nleiqhcg.exe  PID 1076  cmd: C:\Windows\system32\Nleiqhcg.exe
107. C:\Windows\SysWOW64\Nocemcbj.exe  PID 816  cmd: C:\Windows\system32\Nocemcbj.exe
108. C:\Windows\SysWOW64\Ncoamb32.exe  PID 1388  cmd: C:\Windows\system32\Ncoamb32.exe
109. C:\Windows\SysWOW64\Nfmmin32.exe  PID 1624  cmd: C:\Windows\system32\Nfmmin32.exe
110. C:\Windows\SysWOW64\Njiijlbp.exe  PID 1168  cmd: C:\Windows\system32\Njiijlbp.exe
111. C:\Windows\SysWOW64\Nlgefh32.exe  PID 1908  cmd: C:\Windows\system32\Nlgefh32.exe
112. C:\Windows\SysWOW64\Nofabc32.exe  PID 1768  cmd: C:\Windows\system32\Nofabc32.exe
113. C:\Windows\SysWOW64\Ncancbha.exe  PID 1656  cmd: C:\Windows\system32\Ncancbha.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
114. C:\Windows\SysWOW64\Nbdnoo32.exe  PID 2588  cmd: C:\Windows\system32\Nbdnoo32.exe
115. C:\Windows\SysWOW64\Nfpjomgd.exe  PID 1252  cmd: C:\Windows\system32\Nfpjomgd.exe
116. C:\Windows\SysWOW64\Njkfpl32.exe  PID 2036  cmd: C:\Windows\system32\Njkfpl32.exe
117. C:\Windows\SysWOW64\Nmjblg32.exe  PID 2936  cmd: C:\Windows\system32\Nmjblg32.exe
118. C:\Windows\SysWOW64\Nkmbgdfl.exe  PID 2580  cmd: C:\Windows\system32\Nkmbgdfl.exe
119. C:\Windows\SysWOW64\Nohnhc32.exe  PID 2920  cmd: C:\Windows\system32\Nohnhc32.exe
120. C:\Windows\SysWOW64\Nbfjdn32.exe  PID 2976  cmd: C:\Windows\system32\Nbfjdn32.exe
   - Modifies registry class
121. C:\Windows\SysWOW64\Ofbfdmeb.exe  PID 2352  cmd: C:\Windows\system32\Ofbfdmeb.exe
122. C:\Windows\SysWOW64\Odegpj32.exe  PID 2104  cmd: C:\Windows\system32\Odegpj32.exe
123. C:\Windows\SysWOW64\Ohqbqhde.exe  PID 1744  cmd: C:\Windows\system32\Ohqbqhde.exe
   - Modifies registry class
124. C:\Windows\SysWOW64\Okoomd32.exe  PID 1820  cmd: C:\Windows\system32\Okoomd32.exe
   - Modifies registry class
125. C:\Windows\SysWOW64\Oojknblb.exe  PID 2640  cmd: C:\Windows\system32\Oojknblb.exe
126. C:\Windows\SysWOW64\Onmkio32.exe  PID 2500  cmd: C:\Windows\system32\Onmkio32.exe
127. C:\Windows\SysWOW64\Ofdcjm32.exe  PID 1868  cmd: C:\Windows\system32\Ofdcjm32.exe
128. C:\Windows\SysWOW64\Odgcfijj.exe  PID 1916  cmd: C:\Windows\system32\Odgcfijj.exe
129. C:\Windows\SysWOW64\Oicpfh32.exe  PID 1920  cmd: C:\Windows\system32\Oicpfh32.exe
130. C:\Windows\SysWOW64\Okalbc32.exe  PID 2068  cmd: C:\Windows\system32\Okalbc32.exe
131. C:\Windows\SysWOW64\Oomhcbjp.exe  PID 2704  cmd: C:\Windows\system32\Oomhcbjp.exe
   - Modifies registry class
132. C:\Windows\SysWOW64\Obkdonic.exe  PID 1808  cmd: C:\Windows\system32\Obkdonic.exe
   - Modifies registry class
133. C:\Windows\SysWOW64\Oqndkj32.exe  PID 784  cmd: C:\Windows\system32\Oqndkj32.exe
134. C:\Windows\SysWOW64\Oiellh32.exe  PID 1736  cmd: C:\Windows\system32\Oiellh32.exe
135. C:\Windows\SysWOW64\Oiellh32.exe  PID 2032  cmd: C:\Windows\system32\Oiellh32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
136. C:\Windows\SysWOW64\Oghlgdgk.exe  PID 2932  cmd: C:\Windows\system32\Oghlgdgk.exe
137. C:\Windows\SysWOW64\Ojficpfn.exe  PID 636  cmd: C:\Windows\system32\Ojficpfn.exe
138. C:\Windows\SysWOW64\Onbddoog.exe  PID 2488  cmd: C:\Windows\system32\Onbddoog.exe
   - Modifies registry class
139. C:\Windows\SysWOW64\Ogjimd32.exe  PID 2368  cmd: C:\Windows\system32\Ogjimd32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
140. C:\Windows\SysWOW64\Ojieip32.exe  PID 1324  cmd: C:\Windows\system32\Ojieip32.exe
141. C:\Windows\SysWOW64\Ondajnme.exe  PID 3012  cmd: C:\Windows\system32\Ondajnme.exe
   - Drops file in System32 directory
142. C:\Windows\SysWOW64\Omgaek32.exe  PID 1644  cmd: C:\Windows\system32\Omgaek32.exe
143. C:\Windows\SysWOW64\Oqcnfjli.exe  PID 1904  cmd: C:\Windows\system32\Oqcnfjli.exe
144. C:\Windows\SysWOW64\Oenifh32.exe  PID 2200  cmd: C:\Windows\system32\Oenifh32.exe
145. C:\Windows\SysWOW64\Ocajbekl.exe  PID 2176  cmd: C:\Windows\system32\Ocajbekl.exe
146. C:\Windows\SysWOW64\Ogmfbd32.exe  PID 2964  cmd: C:\Windows\system32\Ogmfbd32.exe
147. C:\Windows\SysWOW64\Ofpfnqjp.exe  PID 2076  cmd: C:\Windows\system32\Ofpfnqjp.exe
148. C:\Windows\SysWOW64\Ojkboo32.exe  PID 1404  cmd: C:\Windows\system32\Ojkboo32.exe
149. C:\Windows\SysWOW64\Ongnonkb.exe  PID 980  cmd: C:\Windows\system32\Ongnonkb.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
150. C:\Windows\SysWOW64\Pminkk32.exe  PID 2800  cmd: C:\Windows\system32\Pminkk32.exe
151. C:\Windows\SysWOW64\Pminkk32.exe  PID 2972  cmd: C:\Windows\system32\Pminkk32.exe
152. C:\Windows\SysWOW64\Paejki32.exe  PID 2100  cmd: C:\Windows\system32\Paejki32.exe
153. C:\Windows\SysWOW64\Pphjgfqq.exe  PID 3048  cmd: C:\Windows\system32\Pphjgfqq.exe
154. C:\Windows\SysWOW64\Pccfge32.exe  PID 1528  cmd: C:\Windows\system32\Pccfge32.exe
155. C:\Windows\SysWOW64\Pgobhcac.exe  PID 1896  cmd: C:\Windows\system32\Pgobhcac.exe
   - Modifies registry class
156. C:\Windows\SysWOW64\Pfbccp32.exe  PID 596  cmd: C:\Windows\system32\Pfbccp32.exe
157. C:\Windows\SysWOW64\Pjmodopf.exe  PID 2236  cmd: C:\Windows\system32\Pjmodopf.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
158. C:\Windows\SysWOW64\Pipopl32.exe  PID 2956  cmd: C:\Windows\system32\Pipopl32.exe
159. C:\Windows\SysWOW64\Pipopl32.exe  PID 1612  cmd: C:\Windows\system32\Pipopl32.exe
160. C:\Windows\SysWOW64\Pmlkpjpj.exe  PID 2492  cmd: C:\Windows\system32\Pmlkpjpj.exe
161. C:\Windows\SysWOW64\Paggai32.exe  PID 1068  cmd: C:\Windows\system32\Paggai32.exe
   - Drops file in System32 directory
162. C:\Windows\SysWOW64\Ppjglfon.exe  PID 2676  cmd: C:\Windows\system32\Ppjglfon.exe
163. C:\Windows\SysWOW64\Pbiciana.exe  PID 1740  cmd: C:\Windows\system32\Pbiciana.exe
   - Drops file in System32 directory
164. C:\Windows\SysWOW64\Pfdpip32.exe  PID 1556  cmd: C:\Windows\system32\Pfdpip32.exe
   - Drops file in System32 directory
165. C:\Windows\SysWOW64\Piblek32.exe  PID 2448  cmd: C:\Windows\system32\Piblek32.exe
166. C:\Windows\SysWOW64\Pmnhfjmg.exe  PID 2804  cmd: C:\Windows\system32\Pmnhfjmg.exe
167. C:\Windows\SysWOW64\Plahag32.exe  PID 2272  cmd: C:\Windows\system32\Plahag32.exe
   - Modifies registry class
168. C:\Windows\SysWOW64\Pchpbded.exe  PID 1256  cmd: C:\Windows\system32\Pchpbded.exe
169. C:\Windows\SysWOW64\Pbkpna32.exe  PID 2080  cmd: C:\Windows\system32\Pbkpna32.exe
170. C:\Windows\SysWOW64\Pfflopdh.exe  PID 2836  cmd: C:\Windows\system32\Pfflopdh.exe
171. C:\Windows\SysWOW64\Peiljl32.exe  PID 2504  cmd: C:\Windows\system32\Peiljl32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
172. C:\Windows\SysWOW64\Pmqdkj32.exe  PID 2320  cmd: C:\Windows\system32\Pmqdkj32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
173. C:\Windows\SysWOW64\Plcdgfbo.exe  PID 1020  cmd: C:\Windows\system32\Plcdgfbo.exe
174. C:\Windows\SysWOW64\Pnbacbac.exe  PID 2608  cmd: C:\Windows\system32\Pnbacbac.exe
175. C:\Windows\SysWOW64\Pfiidobe.exe  PID 2260  cmd: C:\Windows\system32\Pfiidobe.exe
176. C:\Windows\SysWOW64\Pigeqkai.exe  PID 2008  cmd: C:\Windows\system32\Pigeqkai.exe
177. C:\Windows\SysWOW64\Phjelg32.exe  PID 2556  cmd: C:\Windows\system32\Phjelg32.exe
178. C:\Windows\SysWOW64\Plfamfpm.exe  PID 2232  cmd: C:\Windows\system32\Plfamfpm.exe
179. C:\Windows\SysWOW64\Ppamme32.exe  PID 1148  cmd: C:\Windows\system32\Ppamme32.exe
180. C:\Windows\SysWOW64\Pbpjiphi.exe  PID 1272  cmd: C:\Windows\system32\Pbpjiphi.exe
181. C:\Windows\SysWOW64\Pabjem32.exe  PID 3084  cmd: C:\Windows\system32\Pabjem32.exe
182. C:\Windows\SysWOW64\Penfelgm.exe  PID 3124  cmd: C:\Windows\system32\Penfelgm.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
183. C:\Windows\SysWOW64\Pijbfj32.exe  PID 3164  cmd: C:\Windows\system32\Pijbfj32.exe
184. C:\Windows\SysWOW64\Qhmbagfa.exe  PID 3204  cmd: C:\Windows\system32\Qhmbagfa.exe
185. C:\Windows\SysWOW64\Qlhnbf32.exe  PID 3244  cmd: C:\Windows\system32\Qlhnbf32.exe
186. C:\Windows\SysWOW64\Qjknnbed.exe  PID 3284  cmd: C:\Windows\system32\Qjknnbed.exe
187. C:\Windows\SysWOW64\Qnfjna32.exe  PID 3324  cmd: C:\Windows\system32\Qnfjna32.exe
188. C:\Windows\SysWOW64\Qaefjm32.exe  PID 3364  cmd: C:\Windows\system32\Qaefjm32.exe
189. C:\Windows\SysWOW64\Qeqbkkej.exe  PID 3404  cmd: C:\Windows\system32\Qeqbkkej.exe
   - Drops file in System32 directory
190. C:\Windows\SysWOW64\Qdccfh32.exe  PID 3444  cmd: C:\Windows\system32\Qdccfh32.exe
191. C:\Windows\SysWOW64\Qhooggdn.exe  PID 3484  cmd: C:\Windows\system32\Qhooggdn.exe
   - Drops file in System32 directory
192. C:\Windows\SysWOW64\Qjmkcbcb.exe  PID 3524  cmd: C:\Windows\system32\Qjmkcbcb.exe
193. C:\Windows\SysWOW64\Qnigda32.exe  PID 3564  cmd: C:\Windows\system32\Qnigda32.exe
194. C:\Windows\SysWOW64\Qmlgonbe.exe  PID 3604  cmd: C:\Windows\system32\Qmlgonbe.exe
195. C:\Windows\SysWOW64\Qagcpljo.exe  PID 3644  cmd: C:\Windows\system32\Qagcpljo.exe
196. C:\Windows\SysWOW64\Adeplhib.exe  PID 3684  cmd: C:\Windows\system32\Adeplhib.exe
197. C:\Windows\SysWOW64\Afdlhchf.exe  PID 3724  cmd: C:\Windows\system32\Afdlhchf.exe
198. C:\Windows\SysWOW64\Afdlhchf.exe  PID 3752  cmd: C:\Windows\system32\Afdlhchf.exe
199. C:\Windows\SysWOW64\Ajphib32.exe  PID 3776  cmd: C:\Windows\system32\Ajphib32.exe
200. C:\Windows\SysWOW64\Ankdiqih.exe  PID 3820  cmd: C:\Windows\system32\Ankdiqih.exe
201. C:\Windows\SysWOW64\Amndem32.exe  PID 3860  cmd: C:\Windows\system32\Amndem32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
202. C:\Windows\SysWOW64\Aplpai32.exe  PID 3900  cmd: C:\Windows\system32\Aplpai32.exe
203. C:\Windows\SysWOW64\Adhlaggp.exe  PID 3940  cmd: C:\Windows\system32\Adhlaggp.exe
204. C:\Windows\SysWOW64\Ahchbf32.exe  PID 3980  cmd: C:\Windows\system32\Ahchbf32.exe
   - Drops file in System32 directory
205. C:\Windows\SysWOW64\Ajbdna32.exe  PID 4020  cmd: C:\Windows\system32\Ajbdna32.exe
   - Drops file in System32 directory
206. C:\Windows\SysWOW64\Aiedjneg.exe  PID 4060  cmd: C:\Windows\system32\Aiedjneg.exe
   - Drops file in System32 directory
207. C:\Windows\SysWOW64\Ampqjm32.exe  PID 1092  cmd: C:\Windows\system32\Ampqjm32.exe
   - Drops file in System32 directory
208. C:\Windows\SysWOW64\Aalmklfi.exe  PID 3120  cmd: C:\Windows\system32\Aalmklfi.exe
209. C:\Windows\SysWOW64\Apomfh32.exe  PID 3176  cmd: C:\Windows\system32\Apomfh32.exe
210. C:\Windows\SysWOW64\Adjigg32.exe  PID 3228  cmd: C:\Windows\system32\Adjigg32.exe
211. C:\Windows\SysWOW64\Abmibdlh.exe  PID 3276  cmd: C:\Windows\system32\Abmibdlh.exe
212. C:\Windows\SysWOW64\Ajdadamj.exe  PID 3336  cmd: C:\Windows\system32\Ajdadamj.exe
213. C:\Windows\SysWOW64\Aigaon32.exe  PID 3388  cmd: C:\Windows\system32\Aigaon32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Modifies registry class
214. C:\Windows\SysWOW64\Alenki32.exe  PID 3440  cmd: C:\Windows\system32\Alenki32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Modifies registry class
215. C:\Windows\SysWOW64\Apajlhka.exe  PID 3496  cmd: C:\Windows\system32\Apajlhka.exe
216. C:\Windows\SysWOW64\Abpfhcje.exe  PID 3552  cmd: C:\Windows\system32\Abpfhcje.exe
   - Modifies registry class
217. C:\Windows\SysWOW64\Afkbib32.exe  PID 3596  cmd: C:\Windows\system32\Afkbib32.exe
218. C:\Windows\SysWOW64\Aiinen32.exe  PID 3656  cmd: C:\Windows\system32\Aiinen32.exe
219. C:\Windows\SysWOW64\Amejeljk.exe  PID 3700  cmd: C:\Windows\system32\Amejeljk.exe
   - Drops file in System32 directory
220. C:\Windows\SysWOW64\Alhjai32.exe  PID 3764  cmd: C:\Windows\system32\Alhjai32.exe
221. C:\Windows\SysWOW64\Apcfahio.exe  PID 956  cmd: C:\Windows\system32\Apcfahio.exe
222. C:\Windows\SysWOW64\Abbbnchb.exe  PID 3828  cmd: C:\Windows\system32\Abbbnchb.exe
   - Drops file in System32 directory
223. C:\Windows\SysWOW64\Afmonbqk.exe  PID 3884  cmd: C:\Windows\system32\Afmonbqk.exe
224. C:\Windows\SysWOW64\Aepojo32.exe  PID 3928  cmd: C:\Windows\system32\Aepojo32.exe
225. C:\Windows\SysWOW64\Ailkjmpo.exe  PID 3988  cmd: C:\Windows\system32\Ailkjmpo.exe
226.C:\Windows\SysWOW64\Aljgfioc.exe  PID 4044  cmd: C:\Windows\system32\Aljgfioc.exe
227. C:\Windows\SysWOW64\Bpfcgg32.exe  PID 952  cmd: C:\Windows\system32\Bpfcgg32.exe
   - Modifies registry class
228. C:\Windows\SysWOW64\Boiccdnf.exe  PID 1344  cmd: C:\Windows\system32\Boiccdnf.exe
229. C:\Windows\SysWOW64\Bbdocc32.exe  PID 3344  cmd: C:\Windows\system32\Bbdocc32.exe
230. C:\Windows\SysWOW64\Bagpopmj.exe  PID 3268  cmd: C:\Windows\system32\Bagpopmj.exe
231. C:\Windows\SysWOW64\Bebkpn32.exe  PID 3332  cmd: C:\Windows\system32\Bebkpn32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
232. C:\Windows\SysWOW64\Bhahlj32.exe  PID 3392  cmd: C:\Windows\system32\Bhahlj32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
233. C:\Windows\SysWOW64\Blmdlhmp.exe  PID 3468  cmd: C:\Windows\system32\Blmdlhmp.exe
234. C:\Windows\SysWOW64\Bokphdld.exe  PID 3536  cmd: C:\Windows\system32\Bokphdld.exe
235. C:\Windows\SysWOW64\Bbflib32.exe  PID 2988  cmd: C:\Windows\system32\Bbflib32.exe
236. C:\Windows\SysWOW64\Beehencq.exe  PID 3668  cmd: C:\Windows\system32\Beehencq.exe
237. C:\Windows\SysWOW64\Bdhhqk32.exe  PID 3740  cmd: C:\Windows\system32\Bdhhqk32.exe
238. C:\Windows\SysWOW64\Bhcdaibd.exe  PID 3812  cmd: C:\Windows\system32\Bhcdaibd.exe
239. C:\Windows\SysWOW64\Bloqah32.exe  PID 3848  cmd: C:\Windows\system32\Bloqah32.exe
   - Drops file in System32 directory
240. C:\Windows\SysWOW64\Bkaqmeah.exe  PID 3916  cmd: C:\Windows\system32\Bkaqmeah.exe
   - Modifies registry class
241. C:\Windows\SysWOW64\Bnpmipql.exe  PID 3976  cmd: C:\Windows\system32\Bnpmipql.exe
242. C:\Windows\SysWOW64\Bnpmipql.exe  PID 4036  cmd: C:\Windows\system32\Bnpmipql.exe