Analysis
max time kernel: 146s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 02-06-2024 00:43
Behavioral task behavioral1
Sample: 15ce2b6211deafd088bb8718a6225480_NeikiAnalytics.exe
Resource: win7-20240221-en
Behavioral task behavioral2
Sample: 15ce2b6211deafd088bb8718a6225480_NeikiAnalytics.exe
Resource: win10v2004-20240426-en
General
Target: 15ce2b6211deafd088bb8718a6225480_NeikiAnalytics.exe
Size: 177KB
MD5: 15ce2b6211deafd088bb8718a6225480
SHA1: ad670e4ac9f9171163915c1d84d48aa036a0b62a
SHA256: bd2d1333f8edaf73d2a5dd623de91c302ff2585145d46b00641724d1e6b478ef
SHA512: 9a66d145cd0acf768db25c50ce9979f4a215f999f2dc4328feac64e27a4f510296c043efd261f5727e00a590fe65c0c9d9d31bfd4397c325c26b33e82d2612a7
SSDEEP: 3072:4fQxG2zrqwDOCx4b7g3q/haR5sS+vfvLHhjh8g1eGFyOsa:4fQYG/c7ga/harSvLHh98gwG0ON
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Mfihkoal.exeDeenjpcd.exeOfdclinq.exeFjnkpf32.exeLgdfgbhf.exePamlel32.exeLdjpbign.exeGncldi32.exeMopbgn32.exeCbgobp32.exeIfdjeoep.exeNajpll32.exeDemofaol.exeDadbdkld.exeDiphbfdi.exeElfcbo32.exeMmjomogn.exeElieipej.exeChgimh32.exePicojhcm.exeAfajafoa.exeCjonncab.exeIphgln32.exeImaapa32.exeHajfgnjc.exeDblhmoio.exeLpfnckhe.exeGipngg32.exeAkgibd32.exeMgedmb32.exeKobkbaac.exeNdbile32.exeMmndfnpl.exePbagipfi.exeBjbndpmd.exeFjfhkl32.exeKenjgi32.exeCodeih32.exeElpqemll.exeOdgodl32.exePgfjhcge.exeIediin32.exeCnabffeo.exeCmhglq32.exeBpbmqe32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfihkoal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Deenjpcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofdclinq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjnkpf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgdfgbhf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pamlel32.exe Key created 
\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldjpbign.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gncldi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mopbgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbgobp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifdjeoep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Najpll32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Demofaol.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dadbdkld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Diphbfdi.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elfcbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmjomogn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elieipej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chgimh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Picojhcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afajafoa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjonncab.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iphgln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imaapa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hajfgnjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dblhmoio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpfnckhe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gipngg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akgibd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgedmb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kobkbaac.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndbile32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmndfnpl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbagipfi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjbndpmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjfhkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kenjgi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Codeih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elpqemll.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odgodl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgfjhcge.exe Key created 
\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iediin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnabffeo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmhglq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpbmqe32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Processes:
resource yara_rule \Windows\SysWOW64\Glgjednf.exe family_berbew \Windows\SysWOW64\Hddlof32.exe family_berbew \Windows\SysWOW64\Hhbdee32.exe family_berbew \Windows\SysWOW64\Hdiejfej.exe family_berbew \Windows\SysWOW64\Hdkape32.exe family_berbew \Windows\SysWOW64\Hoebpc32.exe family_berbew \Windows\SysWOW64\Ieagbm32.exe family_berbew behavioral1/memory/2420-79-0x0000000000220000-0x0000000000260000-memory.dmp family_berbew \Windows\SysWOW64\Iajemnia.exe family_berbew \Windows\SysWOW64\Inafbooe.exe family_berbew \Windows\SysWOW64\Idmkdh32.exe family_berbew \Windows\SysWOW64\Jjmpbopd.exe family_berbew \Windows\SysWOW64\Jolepe32.exe family_berbew \Windows\SysWOW64\Jlpeij32.exe family_berbew \Windows\SysWOW64\Kbokgpgg.exe family_berbew \Windows\SysWOW64\Kkileele.exe family_berbew \Windows\SysWOW64\Kjoifb32.exe family_berbew C:\Windows\SysWOW64\Kcgmoggn.exe family_berbew C:\Windows\SysWOW64\Konndhmb.exe family_berbew C:\Windows\SysWOW64\Lopkjhko.exe family_berbew C:\Windows\SysWOW64\Lcncpfaf.exe family_berbew C:\Windows\SysWOW64\Leopgo32.exe family_berbew C:\Windows\SysWOW64\Liminmmk.exe family_berbew C:\Windows\SysWOW64\Llnaoh32.exe family_berbew C:\Windows\SysWOW64\Meicnm32.exe family_berbew C:\Windows\SysWOW64\Mhgoji32.exe family_berbew C:\Windows\SysWOW64\Mpbdnk32.exe family_berbew C:\Windows\SysWOW64\Mabphn32.exe family_berbew C:\Windows\SysWOW64\Mmhamoho.exe family_berbew C:\Windows\SysWOW64\Mbeiefff.exe family_berbew C:\Windows\SysWOW64\Nmkncofl.exe family_berbew behavioral1/memory/1680-352-0x0000000000220000-0x0000000000260000-memory.dmp family_berbew C:\Windows\SysWOW64\Nbhfke32.exe family_berbew C:\Windows\SysWOW64\Neklbppb.exe family_berbew C:\Windows\SysWOW64\Nlbgikia.exe family_berbew C:\Windows\SysWOW64\Nehomq32.exe family_berbew behavioral1/memory/2592-378-0x0000000000220000-0x0000000000260000-memory.dmp family_berbew C:\Windows\SysWOW64\Nlpkdkkd.exe family_berbew behavioral1/memory/2824-427-0x00000000002B0000-0x00000000002F0000-memory.dmp family_berbew 
C:\Windows\SysWOW64\Odgodl32.exe family_berbew C:\Windows\SysWOW64\Ocllehcj.exe family_berbew C:\Windows\SysWOW64\Olbchn32.exe family_berbew C:\Windows\SysWOW64\Oaaifdhb.exe family_berbew C:\Windows\SysWOW64\Pcaepg32.exe family_berbew C:\Windows\SysWOW64\Pdbahpec.exe family_berbew C:\Windows\SysWOW64\Pafbadcm.exe family_berbew C:\Windows\SysWOW64\Pjcckf32.exe family_berbew C:\Windows\SysWOW64\Pakllc32.exe family_berbew C:\Windows\SysWOW64\Pjfpafmb.exe family_berbew C:\Windows\SysWOW64\Qfmafg32.exe family_berbew C:\Windows\SysWOW64\Qmgibqjc.exe family_berbew C:\Windows\SysWOW64\Qglmpi32.exe family_berbew C:\Windows\SysWOW64\Pdldnomh.exe family_berbew C:\Windows\SysWOW64\Qjkjle32.exe family_berbew C:\Windows\SysWOW64\Afajafoa.exe family_berbew C:\Windows\SysWOW64\Amkbnp32.exe family_berbew C:\Windows\SysWOW64\Aojojl32.exe family_berbew behavioral1/memory/2000-471-0x0000000000220000-0x0000000000260000-memory.dmp family_berbew behavioral1/memory/940-466-0x00000000002C0000-0x0000000000300000-memory.dmp family_berbew behavioral1/memory/2000-465-0x0000000000220000-0x0000000000260000-memory.dmp family_berbew C:\Windows\SysWOW64\Ommfga32.exe family_berbew behavioral1/memory/2824-426-0x00000000002B0000-0x00000000002F0000-memory.dmp family_berbew C:\Windows\SysWOW64\Nhlddkmc.exe family_berbew C:\Windows\SysWOW64\Aeggbbci.exe family_berbew -
Executes dropped EXE 64 IoCs
Processes (pid, process):
2084 Glgjednf.exe
2680 Hddlof32.exe
2536 Hhbdee32.exe
2500 Hdiejfej.exe
2420 Hdkape32.exe
2388 Hoebpc32.exe
2888 Ieagbm32.exe
540 Iajemnia.exe
1536 Inafbooe.exe
1988 Idmkdh32.exe
284 Jjmpbopd.exe
1604 Jolepe32.exe
2304 Jlpeij32.exe
800 Kbokgpgg.exe
2788 Kkileele.exe
1412 Kjoifb32.exe
1708 Kcgmoggn.exe
2628 Konndhmb.exe
2912 Lopkjhko.exe
1844 Lcncpfaf.exe
2124 Leopgo32.exe
1972 Liminmmk.exe
628 Llnaoh32.exe
1052 Meicnm32.exe
2784 Mhgoji32.exe
2076 Mpbdnk32.exe
2780 Mabphn32.exe
1680 Mmhamoho.exe
2992 Mbeiefff.exe
3020 Nmkncofl.exe
2592 Nbhfke32.exe
2684 Nlpkdkkd.exe
2512 Nehomq32.exe
2460 Nlbgikia.exe
2824 Neklbppb.exe
2348 Nhlddkmc.exe
1640 Ommfga32.exe
940 Odgodl32.exe
2000 Olbchn32.exe
1836 Ocllehcj.exe
2152 Oaaifdhb.exe
796 Pcaepg32.exe
752 Pdbahpec.exe
2136 Pafbadcm.exe
2432 Pjcckf32.exe
2176 Pakllc32.exe
1028 Pjfpafmb.exe
992 Pdldnomh.exe
936 Qfmafg32.exe
3032 Qmgibqjc.exe
2796 Qglmpi32.exe
1216 Qjkjle32.exe
1272 Afajafoa.exe
2768 Amkbnp32.exe
2576 Aojojl32.exe
2604 Aeggbbci.exe
2660 Abkhkgbb.exe
2488 Aidphq32.exe
2436 Anahqh32.exe
2616 Agjmim32.exe
772 Ajhiei32.exe
1572 Aennba32.exe
1668 Akhfoldn.exe
2012 Bmibgd32.exe
Loads dropped DLL 64 IoCs
Processes:
15ce2b6211deafd088bb8718a6225480_NeikiAnalytics.exeGlgjednf.exeHddlof32.exeHhbdee32.exeHdiejfej.exeHdkape32.exeHoebpc32.exeIeagbm32.exeIajemnia.exeInafbooe.exeIdmkdh32.exeJjmpbopd.exeJolepe32.exeJlpeij32.exeKbokgpgg.exeKkileele.exeKjoifb32.exeKcgmoggn.exeKonndhmb.exeLopkjhko.exeLcncpfaf.exeLeopgo32.exeLiminmmk.exeLlnaoh32.exeMeicnm32.exeMhgoji32.exeMpbdnk32.exeMabphn32.exeMmhamoho.exeMbeiefff.exeNmkncofl.exeNbhfke32.exepid process 1152 15ce2b6211deafd088bb8718a6225480_NeikiAnalytics.exe 1152 15ce2b6211deafd088bb8718a6225480_NeikiAnalytics.exe 2084 Glgjednf.exe 2084 Glgjednf.exe 2680 Hddlof32.exe 2680 Hddlof32.exe 2536 Hhbdee32.exe 2536 Hhbdee32.exe 2500 Hdiejfej.exe 2500 Hdiejfej.exe 2420 Hdkape32.exe 2420 Hdkape32.exe 2388 Hoebpc32.exe 2388 Hoebpc32.exe 2888 Ieagbm32.exe 2888 Ieagbm32.exe 540 Iajemnia.exe 540 Iajemnia.exe 1536 Inafbooe.exe 1536 Inafbooe.exe 1988 Idmkdh32.exe 1988 Idmkdh32.exe 284 Jjmpbopd.exe 284 Jjmpbopd.exe 1604 Jolepe32.exe 1604 Jolepe32.exe 2304 Jlpeij32.exe 2304 Jlpeij32.exe 800 Kbokgpgg.exe 800 Kbokgpgg.exe 2788 Kkileele.exe 2788 Kkileele.exe 1412 Kjoifb32.exe 1412 Kjoifb32.exe 1708 Kcgmoggn.exe 1708 Kcgmoggn.exe 2628 Konndhmb.exe 2628 Konndhmb.exe 2912 Lopkjhko.exe 2912 Lopkjhko.exe 1844 Lcncpfaf.exe 1844 Lcncpfaf.exe 2124 Leopgo32.exe 2124 Leopgo32.exe 1972 Liminmmk.exe 1972 Liminmmk.exe 628 Llnaoh32.exe 628 Llnaoh32.exe 1052 Meicnm32.exe 1052 Meicnm32.exe 2784 Mhgoji32.exe 2784 Mhgoji32.exe 2076 Mpbdnk32.exe 2076 Mpbdnk32.exe 2780 Mabphn32.exe 2780 Mabphn32.exe 1680 Mmhamoho.exe 1680 Mmhamoho.exe 2992 Mbeiefff.exe 2992 Mbeiefff.exe 3020 Nmkncofl.exe 3020 Nmkncofl.exe 2592 Nbhfke32.exe 2592 Nbhfke32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Enbnkigh.exeFelajbpg.exeMldgbcoe.exeQfkgdd32.exeGhidcceo.exeGhofam32.exeHgeelf32.exeMndhnd32.exeGpgjnbnl.exeKcdjoaee.exeAejlnmkm.exeBdinnqon.exeJfagemej.exeDhhhbg32.exeGaplfinb.exeAnhbdpje.exeJldbgb32.exePfnmmn32.exeImjmhkpj.exePaafmp32.exeBqijljfd.exeJnofgg32.exePpcmfn32.exeCdkkcp32.exeMopdpg32.exeDcbjni32.exePafbadcm.exeHmjlhfof.exeDmepkn32.exeAjcipc32.exeHldlga32.exeOpodknco.exeHjmlhbbg.exeBlibghmm.exeEjcofica.exeGminbfoh.exeMopbgn32.exeHnppaill.exeHjdfjo32.exeOmnkicen.exeDhleaq32.exeNlpkdkkd.exedescription ioc process File created C:\Windows\SysWOW64\Eoajel32.exe Enbnkigh.exe File opened for modification C:\Windows\SysWOW64\Fcpacf32.exe Felajbpg.exe File created C:\Windows\SysWOW64\Mdplfflp.exe Mldgbcoe.exe File created C:\Windows\SysWOW64\Apclnj32.exe Qfkgdd32.exe File created C:\Windows\SysWOW64\Hjdjbd32.dll Ghidcceo.exe File created C:\Windows\SysWOW64\Pjaihpcj.dll File created C:\Windows\SysWOW64\Gdegfn32.exe Ghofam32.exe File created C:\Windows\SysWOW64\Hoqjqhjf.exe Hgeelf32.exe File created C:\Windows\SysWOW64\Mgmmfjip.exe Mndhnd32.exe File created C:\Windows\SysWOW64\Gipngg32.exe Gpgjnbnl.exe File created C:\Windows\SysWOW64\Hbfein32.dll File created C:\Windows\SysWOW64\Hknmke32.dll File created C:\Windows\SysWOW64\Khabghdl.exe Kcdjoaee.exe File opened for modification C:\Windows\SysWOW64\Aobpfb32.exe Aejlnmkm.exe File created C:\Windows\SysWOW64\Alakfjbc.dll Bdinnqon.exe File created C:\Windows\SysWOW64\Jmlobg32.exe Jfagemej.exe File opened for modification C:\Windows\SysWOW64\Dmepkn32.exe Dhhhbg32.exe File opened for modification C:\Windows\SysWOW64\Ghidcceo.exe Gaplfinb.exe File created C:\Windows\SysWOW64\Bijnecld.dll Anhbdpje.exe File created C:\Windows\SysWOW64\Lckbkfbb.exe File opened for modification C:\Windows\SysWOW64\Joekimld.exe Jldbgb32.exe File created C:\Windows\SysWOW64\Gghloe32.exe File created C:\Windows\SysWOW64\Dcfknooi.exe File created C:\Windows\SysWOW64\Elooehob.dll Kcdjoaee.exe File opened for modification 
C:\Windows\SysWOW64\Piliii32.exe Pfnmmn32.exe File created C:\Windows\SysWOW64\Fojegeeg.dll Imjmhkpj.exe File created C:\Windows\SysWOW64\Iclafh32.dll Paafmp32.exe File created C:\Windows\SysWOW64\Bjbndpmd.exe Bqijljfd.exe File created C:\Windows\SysWOW64\Dkhgnk32.dll File created C:\Windows\SysWOW64\Iflmlfcn.exe File opened for modification C:\Windows\SysWOW64\Khgkpl32.exe Jnofgg32.exe File opened for modification C:\Windows\SysWOW64\Pilbocej.exe Ppcmfn32.exe File created C:\Windows\SysWOW64\Cncolfcl.exe Cdkkcp32.exe File opened for modification C:\Windows\SysWOW64\Lcneklck.exe File created C:\Windows\SysWOW64\Qddcbgfn.dll Mopdpg32.exe File opened for modification C:\Windows\SysWOW64\Dhobgp32.exe Dcbjni32.exe File opened for modification C:\Windows\SysWOW64\Ofmgmhgh.exe File created C:\Windows\SysWOW64\Figicd32.dll Pafbadcm.exe File created C:\Windows\SysWOW64\Hloiib32.exe Hmjlhfof.exe File created C:\Windows\SysWOW64\Elnpioai.dll Dmepkn32.exe File created C:\Windows\SysWOW64\Jjgonf32.exe File opened for modification C:\Windows\SysWOW64\Aopahjll.exe Ajcipc32.exe File created C:\Windows\SysWOW64\Mcfabpac.dll File opened for modification C:\Windows\SysWOW64\Ampncd32.exe File created C:\Windows\SysWOW64\Bphmfo32.exe File created C:\Windows\SysWOW64\Mgigpgkd.exe File created C:\Windows\SysWOW64\Mgomoboc.exe File created C:\Windows\SysWOW64\Lgapeogq.dll Hldlga32.exe File created C:\Windows\SysWOW64\Obmpgjbb.exe Opodknco.exe File created C:\Windows\SysWOW64\Gmeckg32.dll File created C:\Windows\SysWOW64\Lqpiopdh.exe File created C:\Windows\SysWOW64\Hgqlafap.exe Hjmlhbbg.exe File created C:\Windows\SysWOW64\Bbcjca32.exe Blibghmm.exe File created C:\Windows\SysWOW64\Jbpcbe32.dll File created C:\Windows\SysWOW64\Hedllgjk.exe File created C:\Windows\SysWOW64\Hdpbking.dll Ejcofica.exe File created C:\Windows\SysWOW64\Gpgjnbnl.exe Gminbfoh.exe File opened for modification C:\Windows\SysWOW64\Mnncii32.exe File created C:\Windows\SysWOW64\Oijoclhk.dll Mopbgn32.exe File opened 
for modification C:\Windows\SysWOW64\Ihiabfhk.exe Hnppaill.exe File opened for modification C:\Windows\SysWOW64\Hdlkcdog.exe Hjdfjo32.exe File created C:\Windows\SysWOW64\Ochcem32.exe Omnkicen.exe File created C:\Windows\SysWOW64\Lklfdlbn.dll Dhleaq32.exe File created C:\Windows\SysWOW64\Cihncn32.dll Nlpkdkkd.exe -
Program crash 1 IoCs
Processes (pid, pid_target, process, target process):
2352 752 (process and target process columns empty in the report)
Modifies registry class 64 IoCs
Processes:
Boidnh32.exeCmjdaqgi.exeKghmhegc.exeKfgjdlme.exeDeiipp32.exeJldbgb32.exeJjnhhjjk.exeJcciqi32.exeBfbjdf32.exeGoiafp32.exeJcandb32.exeAidphq32.exeLngnfnji.exeGfhgpg32.exeHhcndhap.exeJdpjba32.exeDblhmoio.exeDekeeonn.exeKjihalag.exeBgahkngh.exeIcbipe32.exeMeicnm32.exeLcomce32.exeAqbdkk32.exeBqolji32.exeFdgdji32.exeAmjpgdik.exeAmkbnp32.exeHnjbeh32.exeImahkg32.exeBleilh32.exeGpmjcg32.exeBkqiek32.exeGaplfinb.exeOhpnag32.exePcqebd32.exeKnfopnkk.exeBmnofp32.exeDfcgbb32.exeClkicbfa.exeFlqkjo32.exeNeklbppb.exeKalipcmb.exeJgmaog32.exeOijjka32.exeHkdemk32.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boidnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmjdaqgi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kghmhegc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfgjdlme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Deiipp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jldbgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aclcmbmo.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjnhhjjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcgbb32.dll" Jcciqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljkaejba.dll" Bfbjdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgpjegfd.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Goiafp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcandb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgbhffog.dll" Kghmhegc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnfkge32.dll" Aidphq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gloiniaa.dll" Lngnfnji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcijqc32.dll" Gfhgpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmgofm32.dll" Hhcndhap.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bleppqce.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdpjba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dblhmoio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dekeeonn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbknmg32.dll" Kjihalag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgahkngh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmcjgd32.dll" Icbipe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkgkdjfb.dll" Meicnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcomce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aqbdkk32.exe Set value (str) 
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
Process tree (the bracketed number is the nesting depth; each process is a child of the one above it):
- [1] C:\Users\Admin\AppData\Local\Temp\15ce2b6211deafd088bb8718a6225480_NeikiAnalytics.exe (command line: "C:\Users\Admin\AppData\Local\Temp\15ce2b6211deafd088bb8718a6225480_NeikiAnalytics.exe"), PID 1152
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [2] C:\Windows\SysWOW64\Glgjednf.exe (command line: C:\Windows\system32\Glgjednf.exe), PID 2084
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [3] C:\Windows\SysWOW64\Hddlof32.exe (command line: C:\Windows\system32\Hddlof32.exe), PID 2680
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [4] C:\Windows\SysWOW64\Hhbdee32.exe (command line: C:\Windows\system32\Hhbdee32.exe), PID 2536
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [5] C:\Windows\SysWOW64\Hdiejfej.exe (command line: C:\Windows\system32\Hdiejfej.exe), PID 2500
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [6] C:\Windows\SysWOW64\Hdkape32.exe (command line: C:\Windows\system32\Hdkape32.exe), PID 2420
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [7] C:\Windows\SysWOW64\Hoebpc32.exe (command line: C:\Windows\system32\Hoebpc32.exe), PID 2388
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [8] C:\Windows\SysWOW64\Ieagbm32.exe (command line: C:\Windows\system32\Ieagbm32.exe), PID 2888
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [9] C:\Windows\SysWOW64\Iajemnia.exe (command line: C:\Windows\system32\Iajemnia.exe), PID 540
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [10] C:\Windows\SysWOW64\Inafbooe.exe (command line: C:\Windows\system32\Inafbooe.exe), PID 1536
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [11] C:\Windows\SysWOW64\Idmkdh32.exe (command line: C:\Windows\system32\Idmkdh32.exe), PID 1988
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [12] C:\Windows\SysWOW64\Jjmpbopd.exe (command line: C:\Windows\system32\Jjmpbopd.exe), PID 284
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [13] C:\Windows\SysWOW64\Jolepe32.exe (command line: C:\Windows\system32\Jolepe32.exe), PID 1604
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [14] C:\Windows\SysWOW64\Jlpeij32.exe (command line: C:\Windows\system32\Jlpeij32.exe), PID 2304
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [15] C:\Windows\SysWOW64\Kbokgpgg.exe (command line: C:\Windows\system32\Kbokgpgg.exe), PID 800
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [16] C:\Windows\SysWOW64\Kkileele.exe (command line: C:\Windows\system32\Kkileele.exe), PID 2788
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [17] C:\Windows\SysWOW64\Kjoifb32.exe (command line: C:\Windows\system32\Kjoifb32.exe), PID 1412
  - Executes dropped EXE
  - Loads dropped DLL
- [18] C:\Windows\SysWOW64\Kcgmoggn.exe (command line: C:\Windows\system32\Kcgmoggn.exe), PID 1708
  - Executes dropped EXE
  - Loads dropped DLL
- [19] C:\Windows\SysWOW64\Konndhmb.exe (command line: C:\Windows\system32\Konndhmb.exe), PID 2628
  - Executes dropped EXE
  - Loads dropped DLL
- [20] C:\Windows\SysWOW64\Lopkjhko.exe (command line: C:\Windows\system32\Lopkjhko.exe), PID 2912
  - Executes dropped EXE
  - Loads dropped DLL
- [21] C:\Windows\SysWOW64\Lcncpfaf.exe (command line: C:\Windows\system32\Lcncpfaf.exe), PID 1844
  - Executes dropped EXE
  - Loads dropped DLL
- [22] C:\Windows\SysWOW64\Leopgo32.exe (command line: C:\Windows\system32\Leopgo32.exe), PID 2124
  - Executes dropped EXE
  - Loads dropped DLL
- [23] C:\Windows\SysWOW64\Liminmmk.exe (command line: C:\Windows\system32\Liminmmk.exe), PID 1972
  - Executes dropped EXE
  - Loads dropped DLL
- [24] C:\Windows\SysWOW64\Llnaoh32.exe (command line: C:\Windows\system32\Llnaoh32.exe), PID 628
  - Executes dropped EXE
  - Loads dropped DLL
- [25] C:\Windows\SysWOW64\Meicnm32.exe (command line: C:\Windows\system32\Meicnm32.exe), PID 1052
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
- [26] C:\Windows\SysWOW64\Mhgoji32.exe (command line: C:\Windows\system32\Mhgoji32.exe), PID 2784
  - Executes dropped EXE
  - Loads dropped DLL
- [27] C:\Windows\SysWOW64\Mpbdnk32.exe (command line: C:\Windows\system32\Mpbdnk32.exe), PID 2076
  - Executes dropped EXE
  - Loads dropped DLL
- [28] C:\Windows\SysWOW64\Mabphn32.exe (command line: C:\Windows\system32\Mabphn32.exe), PID 2780
  - Executes dropped EXE
  - Loads dropped DLL
- [29] C:\Windows\SysWOW64\Mmhamoho.exe (command line: C:\Windows\system32\Mmhamoho.exe), PID 1680
  - Executes dropped EXE
  - Loads dropped DLL
- [30] C:\Windows\SysWOW64\Mbeiefff.exe (command line: C:\Windows\system32\Mbeiefff.exe), PID 2992
  - Executes dropped EXE
  - Loads dropped DLL
- [31] C:\Windows\SysWOW64\Nmkncofl.exe (command line: C:\Windows\system32\Nmkncofl.exe), PID 3020
  - Executes dropped EXE
  - Loads dropped DLL
- [32] C:\Windows\SysWOW64\Nbhfke32.exe (command line: C:\Windows\system32\Nbhfke32.exe), PID 2592
  - Executes dropped EXE
  - Loads dropped DLL
- [33] C:\Windows\SysWOW64\Nlpkdkkd.exe (command line: C:\Windows\system32\Nlpkdkkd.exe), PID 2684
  - Executes dropped EXE
  - Drops file in System32 directory
- [34] C:\Windows\SysWOW64\Nehomq32.exe (command line: C:\Windows\system32\Nehomq32.exe), PID 2512
  - Executes dropped EXE
- [35] C:\Windows\SysWOW64\Nlbgikia.exe (command line: C:\Windows\system32\Nlbgikia.exe), PID 2460
  - Executes dropped EXE
- [36] C:\Windows\SysWOW64\Neklbppb.exe (command line: C:\Windows\system32\Neklbppb.exe), PID 2824
  - Executes dropped EXE
  - Modifies registry class
- [37] C:\Windows\SysWOW64\Nhlddkmc.exe (command line: C:\Windows\system32\Nhlddkmc.exe), PID 2348
  - Executes dropped EXE
- [38] C:\Windows\SysWOW64\Ommfga32.exe (command line: C:\Windows\system32\Ommfga32.exe), PID 1640
  - Executes dropped EXE
- [39] C:\Windows\SysWOW64\Odgodl32.exe (command line: C:\Windows\system32\Odgodl32.exe), PID 940
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- [40] C:\Windows\SysWOW64\Olbchn32.exe (command line: C:\Windows\system32\Olbchn32.exe), PID 2000
  - Executes dropped EXE
- [41] C:\Windows\SysWOW64\Ocllehcj.exe (command line: C:\Windows\system32\Ocllehcj.exe), PID 1836
  - Executes dropped EXE
- [42] C:\Windows\SysWOW64\Oaaifdhb.exe (command line: C:\Windows\system32\Oaaifdhb.exe), PID 2152
  - Executes dropped EXE
- [43] C:\Windows\SysWOW64\Pcaepg32.exe (command line: C:\Windows\system32\Pcaepg32.exe), PID 796
  - Executes dropped EXE
- [44] C:\Windows\SysWOW64\Pdbahpec.exe (command line: C:\Windows\system32\Pdbahpec.exe), PID 752
  - Executes dropped EXE
- [45] C:\Windows\SysWOW64\Pafbadcm.exe (command line: C:\Windows\system32\Pafbadcm.exe), PID 2136
  - Executes dropped EXE
  - Drops file in System32 directory
- [46] C:\Windows\SysWOW64\Pjcckf32.exe (command line: C:\Windows\system32\Pjcckf32.exe), PID 2432
  - Executes dropped EXE
- [47] C:\Windows\SysWOW64\Pakllc32.exe (command line: C:\Windows\system32\Pakllc32.exe), PID 2176
  - Executes dropped EXE
- [48] C:\Windows\SysWOW64\Pjfpafmb.exe (command line: C:\Windows\system32\Pjfpafmb.exe), PID 1028
  - Executes dropped EXE
- [49] C:\Windows\SysWOW64\Pdldnomh.exe (command line: C:\Windows\system32\Pdldnomh.exe), PID 992
  - Executes dropped EXE
- [50] C:\Windows\SysWOW64\Qfmafg32.exe (command line: C:\Windows\system32\Qfmafg32.exe), PID 936
  - Executes dropped EXE
- [51] C:\Windows\SysWOW64\Qmgibqjc.exe (command line: C:\Windows\system32\Qmgibqjc.exe), PID 3032
  - Executes dropped EXE
- [52] C:\Windows\SysWOW64\Qglmpi32.exe (command line: C:\Windows\system32\Qglmpi32.exe), PID 2796
  - Executes dropped EXE
- [53] C:\Windows\SysWOW64\Qjkjle32.exe (command line: C:\Windows\system32\Qjkjle32.exe), PID 1216
  - Executes dropped EXE
- [54] C:\Windows\SysWOW64\Afajafoa.exe (command line: C:\Windows\system32\Afajafoa.exe), PID 1272
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- [55] C:\Windows\SysWOW64\Amkbnp32.exe (command line: C:\Windows\system32\Amkbnp32.exe), PID 2768
  - Executes dropped EXE
  - Modifies registry class
- [56] C:\Windows\SysWOW64\Aojojl32.exe (command line: C:\Windows\system32\Aojojl32.exe), PID 2576
  - Executes dropped EXE
- [57] C:\Windows\SysWOW64\Aeggbbci.exe (command line: C:\Windows\system32\Aeggbbci.exe), PID 2604
  - Executes dropped EXE
- [58] C:\Windows\SysWOW64\Abkhkgbb.exe (command line: C:\Windows\system32\Abkhkgbb.exe), PID 2660
  - Executes dropped EXE
- [59] C:\Windows\SysWOW64\Aidphq32.exe (command line: C:\Windows\system32\Aidphq32.exe), PID 2488
  - Executes dropped EXE
  - Modifies registry class
- [60] C:\Windows\SysWOW64\Anahqh32.exe (command line: C:\Windows\system32\Anahqh32.exe), PID 2436
  - Executes dropped EXE
- [61] C:\Windows\SysWOW64\Agjmim32.exe (command line: C:\Windows\system32\Agjmim32.exe), PID 2616
  - Executes dropped EXE
- [62] C:\Windows\SysWOW64\Ajhiei32.exe (command line: C:\Windows\system32\Ajhiei32.exe), PID 772
  - Executes dropped EXE
- [63] C:\Windows\SysWOW64\Aennba32.exe (command line: C:\Windows\system32\Aennba32.exe), PID 1572
  - Executes dropped EXE
- [64] C:\Windows\SysWOW64\Akhfoldn.exe (command line: C:\Windows\system32\Akhfoldn.exe), PID 1668
  - Executes dropped EXE
- [65] C:\Windows\SysWOW64\Bmibgd32.exe (command line: C:\Windows\system32\Bmibgd32.exe), PID 2012
  - Executes dropped EXE
- [66] C:\Windows\SysWOW64\Bccjdnbi.exe (command line: C:\Windows\system32\Bccjdnbi.exe), PID 1120
- [67] C:\Windows\SysWOW64\Bmkomchi.exe (command line: C:\Windows\system32\Bmkomchi.exe), PID 1692
- [68] C:\Windows\SysWOW64\Baigca32.exe (command line: C:\Windows\system32\Baigca32.exe), PID 2484
- [69] C:\Windows\SysWOW64\Bbjdjjdn.exe (command line: C:\Windows\system32\Bbjdjjdn.exe), PID 2236
- [70] C:\Windows\SysWOW64\Bidlgdlk.exe (command line: C:\Windows\system32\Bidlgdlk.exe), PID 1132
- [71] C:\Windows\SysWOW64\Bpnddn32.exe (command line: C:\Windows\system32\Bpnddn32.exe), PID 1764
- [72] C:\Windows\SysWOW64\Bigimdjh.exe (command line: C:\Windows\system32\Bigimdjh.exe), PID 1768
- [73] C:\Windows\SysWOW64\Bpqain32.exe (command line: C:\Windows\system32\Bpqain32.exe), PID 1956
- [74] C:\Windows\SysWOW64\Cemjae32.exe (command line: C:\Windows\system32\Cemjae32.exe), PID 2856
- [75] C:\Windows\SysWOW64\Cpcnonob.exe (command line: C:\Windows\system32\Cpcnonob.exe), PID 684
- [76] C:\Windows\SysWOW64\Cadjgf32.exe (command line: C:\Windows\system32\Cadjgf32.exe), PID 1696
- [77] C:\Windows\SysWOW64\Cjmopkla.exe (command line: C:\Windows\system32\Cjmopkla.exe), PID 2476
- [78] C:\Windows\SysWOW64\Cafgle32.exe (command line: C:\Windows\system32\Cafgle32.exe), PID 2480
- [79] C:\Windows\SysWOW64\Ckolek32.exe (command line: C:\Windows\system32\Ckolek32.exe), PID 2412
- [80] C:\Windows\SysWOW64\Caidaeak.exe (command line: C:\Windows\system32\Caidaeak.exe), PID 2528
- [81] C:\Windows\SysWOW64\Ckahkk32.exe (command line: C:\Windows\system32\Ckahkk32.exe), PID 1908
- [82] C:\Windows\SysWOW64\Cfhiplmp.exe (command line: C:\Windows\system32\Cfhiplmp.exe), PID 1652
- [83] C:\Windows\SysWOW64\Cifelgmd.exe (command line: C:\Windows\system32\Cifelgmd.exe), PID 1320
- [84] C:\Windows\SysWOW64\Dpqnhadq.exe (command line: C:\Windows\system32\Dpqnhadq.exe), PID 2308
- [85] C:\Windows\SysWOW64\Dgjfek32.exe (command line: C:\Windows\system32\Dgjfek32.exe), PID 1672
- [86] C:\Windows\SysWOW64\Ddnfop32.exe (command line: C:\Windows\system32\Ddnfop32.exe), PID 1040
- [87] C:\Windows\SysWOW64\Dikogf32.exe (command line: C:\Windows\system32\Dikogf32.exe), PID 1772
- [88] C:\Windows\SysWOW64\Dohgomgf.exe (command line: C:\Windows\system32\Dohgomgf.exe), PID 1468
- [89] C:\Windows\SysWOW64\Dinklffl.exe (command line: C:\Windows\system32\Dinklffl.exe), PID 1760
- [90] C:\Windows\SysWOW64\Dpgcip32.exe (command line: C:\Windows\system32\Dpgcip32.exe), PID 2164
- [91] C:\Windows\SysWOW64\Diphbfdi.exe (command line: C:\Windows\system32\Diphbfdi.exe), PID 2188
  - Adds autorun key to be loaded by Explorer.exe on startup
- [92] C:\Windows\SysWOW64\Domqjm32.exe (command line: C:\Windows\system32\Domqjm32.exe), PID 2032
- [93] C:\Windows\SysWOW64\Degiggjm.exe (command line: C:\Windows\system32\Degiggjm.exe), PID 2300
- [94] C:\Windows\SysWOW64\Elqaca32.exe (command line: C:\Windows\system32\Elqaca32.exe), PID 1388
- [95] C:\Windows\SysWOW64\Enbnkigh.exe (command line: C:\Windows\system32\Enbnkigh.exe), PID 1584
  - Drops file in System32 directory
- [96] C:\Windows\SysWOW64\Eoajel32.exe (command line: C:\Windows\system32\Eoajel32.exe), PID 2820
- [97] C:\Windows\SysWOW64\Eapfagno.exe (command line: C:\Windows\system32\Eapfagno.exe), PID 2624
- [98] C:\Windows\SysWOW64\Ehjona32.exe (command line: C:\Windows\system32\Ehjona32.exe), PID 2004
- [99] C:\Windows\SysWOW64\Eabcggll.exe (command line: C:\Windows\system32\Eabcggll.exe), PID 1240
- [100] C:\Windows\SysWOW64\Egokonjc.exe (command line: C:\Windows\system32\Egokonjc.exe), PID 2320
- [101] C:\Windows\SysWOW64\Ejmhkiig.exe (command line: C:\Windows\system32\Ejmhkiig.exe), PID 1548
- [102] C:\Windows\SysWOW64\Epgphcqd.exe (command line: C:\Windows\system32\Epgphcqd.exe), PID 920
- [103] C:\Windows\SysWOW64\Egahen32.exe (command line: C:\Windows\system32\Egahen32.exe), PID 1600
- [104] C:\Windows\SysWOW64\Elnqmd32.exe (command line: C:\Windows\system32\Elnqmd32.exe), PID 2924
- [105] C:\Windows\SysWOW64\Eolmip32.exe (command line: C:\Windows\system32\Eolmip32.exe), PID 436
- [106] C:\Windows\SysWOW64\Foojop32.exe (command line: C:\Windows\system32\Foojop32.exe), PID 112
- [107] C:\Windows\SysWOW64\Fjdnlhco.exe (command line: C:\Windows\system32\Fjdnlhco.exe), PID 1960
- [108] C:\Windows\SysWOW64\Fkejcq32.exe (command line: C:\Windows\system32\Fkejcq32.exe), PID 2696
- [109] C:\Windows\SysWOW64\Fdnolfon.exe (command line: C:\Windows\system32\Fdnolfon.exe), PID 2156
- [110] C:\Windows\SysWOW64\Fmegncpp.exe (command line: C:\Windows\system32\Fmegncpp.exe), PID 2252
- [111] C:\Windows\SysWOW64\Fnfcel32.exe (command line: C:\Windows\system32\Fnfcel32.exe), PID 2952
- [112] C:\Windows\SysWOW64\Fofpoo32.exe (command line: C:\Windows\system32\Fofpoo32.exe), PID 2652
- [113] C:\Windows\SysWOW64\Findhdcb.exe (command line: C:\Windows\system32\Findhdcb.exe), PID 2828
- [114] C:\Windows\SysWOW64\Gjpqpl32.exe (command line: C:\Windows\system32\Gjpqpl32.exe), PID 528
- [115] C:\Windows\SysWOW64\Gcheib32.exe (command line: C:\Windows\system32\Gcheib32.exe), PID 1004
- [116] C:\Windows\SysWOW64\Gmpjagfa.exe (command line: C:\Windows\system32\Gmpjagfa.exe), PID 1616
- [117] C:\Windows\SysWOW64\Gqnbhf32.exe (command line: C:\Windows\system32\Gqnbhf32.exe), PID 1940
- [118] C:\Windows\SysWOW64\Gcokiaji.exe (command line: C:\Windows\system32\Gcokiaji.exe), PID 2116
- [119] C:\Windows\SysWOW64\Hmjlhfof.exe (command line: C:\Windows\system32\Hmjlhfof.exe), PID 3044
  - Drops file in System32 directory
- [120] C:\Windows\SysWOW64\Hloiib32.exe (command line: C:\Windows\system32\Hloiib32.exe), PID 1276
- [121] C:\Windows\SysWOW64\Halbai32.exe (command line: C:\Windows\system32\Halbai32.exe), PID 2108
- [122] C:\Windows\SysWOW64\Hhejnc32.exe (command line: C:\Windows\system32\Hhejnc32.exe), PID 2792
- [123] C:\Windows\SysWOW64\Hjdfjo32.exe (command line: C:\Windows\system32\Hjdfjo32.exe), PID 2244
  - Drops file in System32 directory
- [124] C:\Windows\SysWOW64\Hdlkcdog.exe (command line: C:\Windows\system32\Hdlkcdog.exe), PID 2104
- [125] C:\Windows\SysWOW64\Hapklimq.exe (command line: C:\Windows\system32\Hapklimq.exe), PID 2668
- [126] C:\Windows\SysWOW64\Hhjcic32.exe (command line: C:\Windows\system32\Hhjcic32.exe), PID 2408
- [127] C:\Windows\SysWOW64\Hmglajcd.exe (command line: C:\Windows\system32\Hmglajcd.exe), PID 1700
- [128] C:\Windows\SysWOW64\Idadnd32.exe (command line: C:\Windows\system32\Idadnd32.exe), PID 1784
- [129] C:\Windows\SysWOW64\Iphecepe.exe (command line: C:\Windows\system32\Iphecepe.exe), PID 2112
- [130] C:\Windows\SysWOW64\Ijmipn32.exe (command line: C:\Windows\system32\Ijmipn32.exe), PID 2756
- [131] C:\Windows\SysWOW64\Imleli32.exe (command line: C:\Windows\system32\Imleli32.exe), PID 960
- [132] C:\Windows\SysWOW64\Ifdjeoep.exe (command line: C:\Windows\system32\Ifdjeoep.exe), PID 3064
  - Adds autorun key to be loaded by Explorer.exe on startup
- [133] C:\Windows\SysWOW64\Imnbbi32.exe (command line: C:\Windows\system32\Imnbbi32.exe), PID 2980
- [134] C:\Windows\SysWOW64\Iiecgjba.exe (command line: C:\Windows\system32\Iiecgjba.exe), PID 2868
- [135] C:\Windows\SysWOW64\Ioakoq32.exe (command line: C:\Windows\system32\Ioakoq32.exe), PID 2588
- [136] C:\Windows\SysWOW64\Iigpli32.exe (command line: C:\Windows\system32\Iigpli32.exe), PID 1728
- [137] C:\Windows\SysWOW64\Jodhdp32.exe (command line: C:\Windows\system32\Jodhdp32.exe), PID 2008
- [138] C:\Windows\SysWOW64\Jhlmmfef.exe (command line: C:\Windows\system32\Jhlmmfef.exe), PID 916
- [139] C:\Windows\SysWOW64\Jofejpmc.exe (command line: C:\Windows\system32\Jofejpmc.exe), PID 744
- [140] C:\Windows\SysWOW64\Jkmeoa32.exe (command line: C:\Windows\system32\Jkmeoa32.exe), PID 2700
- [141] C:\Windows\SysWOW64\Jnnnalph.exe (command line: C:\Windows\system32\Jnnnalph.exe), PID 1980
- [142] C:\Windows\SysWOW64\Jdhgnf32.exe (command line: C:\Windows\system32\Jdhgnf32.exe), PID 2708
- [143] C:\Windows\SysWOW64\Kcmcoblm.exe (command line: C:\Windows\system32\Kcmcoblm.exe), PID 2072
- [144] C:\Windows\SysWOW64\Kpadhg32.exe (command line: C:\Windows\system32\Kpadhg32.exe), PID 2892
- [145] C:\Windows\SysWOW64\Kjihalag.exe (command line: C:\Windows\system32\Kjihalag.exe), PID 2804
  - Modifies registry class
- [146] C:\Windows\SysWOW64\Kjleflod.exe (command line: C:\Windows\system32\Kjleflod.exe), PID 2884
- [147] C:\Windows\SysWOW64\Kcdjoaee.exe (command line: C:\Windows\system32\Kcdjoaee.exe), PID 2516
  - Drops file in System32 directory
- [148] C:\Windows\SysWOW64\Khabghdl.exe (command line: C:\Windows\system32\Khabghdl.exe), PID 2568
- [149] C:\Windows\SysWOW64\Lkakicam.exe (command line: C:\Windows\system32\Lkakicam.exe), PID 1716
- [150] C:\Windows\SysWOW64\Ldjpbign.exe (command line: C:\Windows\system32\Ldjpbign.exe), PID 1848
  - Adds autorun key to be loaded by Explorer.exe on startup
- [151] C:\Windows\SysWOW64\Lkdhoc32.exe (command line: C:\Windows\system32\Lkdhoc32.exe), PID 2040
- [152] C:\Windows\SysWOW64\Lcomce32.exe (command line: C:\Windows\system32\Lcomce32.exe), PID 2060
  - Modifies registry class
- [153] C:\Windows\SysWOW64\Lqcmmjko.exe (command line: C:\Windows\system32\Lqcmmjko.exe), PID 1984
- [154] C:\Windows\SysWOW64\Lngnfnji.exe (command line: C:\Windows\system32\Lngnfnji.exe), PID 2584
  - Modifies registry class
- [155] C:\Windows\SysWOW64\Lgoboc32.exe (command line: C:\Windows\system32\Lgoboc32.exe), PID 840
- [156] C:\Windows\SysWOW64\Lmljgj32.exe (command line: C:\Windows\system32\Lmljgj32.exe), PID 2200
- [157] C:\Windows\SysWOW64\Mfdopp32.exe (command line: C:\Windows\system32\Mfdopp32.exe), PID 2840
- [158] C:\Windows\SysWOW64\Mpmcielb.exe (command line: C:\Windows\system32\Mpmcielb.exe), PID 680
- [159] C:\Windows\SysWOW64\Mejlalji.exe (command line: C:\Windows\system32\Mejlalji.exe), PID 2336
- [160] C:\Windows\SysWOW64\Mpopnejo.exe (command line: C:\Windows\system32\Mpopnejo.exe), PID 1644
- [161] C:\Windows\SysWOW64\Mfihkoal.exe (command line: C:\Windows\system32\Mfihkoal.exe), PID 1480
  - Adds autorun key to be loaded by Explorer.exe on startup
- [162] C:\Windows\SysWOW64\Mgjebg32.exe (command line: C:\Windows\system32\Mgjebg32.exe), PID 2748
- [163] C:\Windows\SysWOW64\Macilmnk.exe (command line: C:\Windows\system32\Macilmnk.exe), PID 3008
- [164] C:\Windows\SysWOW64\Mgmahg32.exe (command line: C:\Windows\system32\Mgmahg32.exe), PID 1812
- [165] C:\Windows\SysWOW64\Maefamlh.exe (command line: C:\Windows\system32\Maefamlh.exe), PID 2544
- [166] C:\Windows\SysWOW64\Mccbmh32.exe (command line: C:\Windows\system32\Mccbmh32.exe), PID 2440
- [167] C:\Windows\SysWOW64\Mjnjjbbh.exe (command line: C:\Windows\system32\Mjnjjbbh.exe), PID 2216
- [168] C:\Windows\SysWOW64\Necogkbo.exe (command line: C:\Windows\system32\Necogkbo.exe), PID 2180
- [169] C:\Windows\SysWOW64\Nfdkoc32.exe (command line: C:\Windows\system32\Nfdkoc32.exe), PID 2096
- [170] C:\Windows\SysWOW64\Najpll32.exe (command line: C:\Windows\system32\Najpll32.exe), PID 1608
  - Adds autorun key to be loaded by Explorer.exe on startup
- [171] C:\Windows\SysWOW64\Nfghdcfj.exe (command line: C:\Windows\system32\Nfghdcfj.exe), PID 2380
- [172] C:\Windows\SysWOW64\Nallalep.exe (command line: C:\Windows\system32\Nallalep.exe), PID 2416
- [173] C:\Windows\SysWOW64\Ndkhngdd.exe (command line: C:\Windows\system32\Ndkhngdd.exe), PID 2312
- [174] C:\Windows\SysWOW64\Njdqka32.exe (command line: C:\Windows\system32\Njdqka32.exe), PID 1808
- [175] C:\Windows\SysWOW64\Npaich32.exe (command line: C:\Windows\system32\Npaich32.exe), PID 1092
- [176] C:\Windows\SysWOW64\Nbpeoc32.exe (command line: C:\Windows\system32\Nbpeoc32.exe), PID 2452
- [177] C:\Windows\SysWOW64\Nmejllia.exe (command line: C:\Windows\system32\Nmejllia.exe), PID 2916
- [178] C:\Windows\SysWOW64\Nbbbdcgi.exe (command line: C:\Windows\system32\Nbbbdcgi.exe), PID 1788
- [179] C:\Windows\SysWOW64\Ohojmjep.exe (command line: C:\Windows\system32\Ohojmjep.exe), PID 1904
- [180] C:\Windows\SysWOW64\Ooicid32.exe (command line: C:\Windows\system32\Ooicid32.exe), PID 1748
- [181] C:\Windows\SysWOW64\Oeckfndj.exe (command line: C:\Windows\system32\Oeckfndj.exe), PID 2832
- [182] C:\Windows\SysWOW64\Ohcdhi32.exe (command line: C:\Windows\system32\Ohcdhi32.exe), PID 476
- [183] C:\Windows\SysWOW64\Okbpde32.exe (command line: C:\Windows\system32\Okbpde32.exe), PID 1632
- [184] C:\Windows\SysWOW64\Oalhqohl.exe (command line: C:\Windows\system32\Oalhqohl.exe), PID 1352
- [185] C:\Windows\SysWOW64\Ogiaif32.exe (command line: C:\Windows\system32\Ogiaif32.exe), PID 2848
- [186] C:\Windows\SysWOW64\Oanefo32.exe (command line: C:\Windows\system32\Oanefo32.exe), PID 1184
- [187] C:\Windows\SysWOW64\Oijjka32.exe (command line: C:\Windows\system32\Oijjka32.exe), PID 1232
  - Modifies registry class
- [188] C:\Windows\SysWOW64\Pdonhj32.exe (command line: C:\Windows\system32\Pdonhj32.exe), PID 888
- [189] C:\Windows\SysWOW64\Pljcllqe.exe (command line: C:\Windows\system32\Pljcllqe.exe), PID 2600
- [190] C:\Windows\SysWOW64\Pcdkif32.exe (command line: C:\Windows\system32\Pcdkif32.exe), PID 2492
- [191] C:\Windows\SysWOW64\Pincfpoo.exe (command line: C:\Windows\system32\Pincfpoo.exe), PID 2520
- [192] C:\Windows\SysWOW64\Pphkbj32.exe (command line: C:\Windows\system32\Pphkbj32.exe), PID 1568
- [193] C:\Windows\SysWOW64\Qkibcg32.exe (command line: C:\Windows\system32\Qkibcg32.exe), PID 2572
- [194] C:\Windows\SysWOW64\Qdaglmcb.exe (command line: C:\Windows\system32\Qdaglmcb.exe), PID 1044
- [195] C:\Windows\SysWOW64\Ajnpecbj.exe (command line: C:\Windows\system32\Ajnpecbj.exe), PID 320
- [196] C:\Windows\SysWOW64\Abegfa32.exe (command line: C:\Windows\system32\Abegfa32.exe), PID 2128
- [197] C:\Windows\SysWOW64\Aknlofim.exe (command line: C:\Windows\system32\Aknlofim.exe), PID 1508
- [198] C:\Windows\SysWOW64\Adfqgl32.exe (command line: C:\Windows\system32\Adfqgl32.exe), PID 1528
- [199] C:\Windows\SysWOW64\Ajcipc32.exe (command line: C:\Windows\system32\Ajcipc32.exe), PID 3096
  - Drops file in System32 directory
- [200] C:\Windows\SysWOW64\Aopahjll.exe (command line: C:\Windows\system32\Aopahjll.exe), PID 3136
- [201] C:\Windows\SysWOW64\Aggiigmn.exe (command line: C:\Windows\system32\Aggiigmn.exe), PID 3184
- [202] C:\Windows\SysWOW64\Aihfap32.exe (command line: C:\Windows\system32\Aihfap32.exe), PID 3224
- [203] C:\Windows\SysWOW64\Abpjjeim.exe (command line: C:\Windows\system32\Abpjjeim.exe), PID 3264
- [204] C:\Windows\SysWOW64\Aodkci32.exe (command line: C:\Windows\system32\Aodkci32.exe), PID 3304
- [205] C:\Windows\SysWOW64\Bmhkmm32.exe (command line: C:\Windows\system32\Bmhkmm32.exe), PID 3348
- [206] C:\Windows\SysWOW64\Bbeded32.exe (command line: C:\Windows\system32\Bbeded32.exe), PID 3388
- [207] C:\Windows\SysWOW64\Boidnh32.exe (command line: C:\Windows\system32\Boidnh32.exe), PID 3428
  - Modifies registry class
- [208] C:\Windows\SysWOW64\Bgdibkam.exe (command line: C:\Windows\system32\Bgdibkam.exe), PID 3468
- [209] C:\Windows\SysWOW64\Bammlq32.exe (command line: C:\Windows\system32\Bammlq32.exe), PID 3508
- [210] C:\Windows\SysWOW64\Bgffhkoj.exe (command line: C:\Windows\system32\Bgffhkoj.exe), PID 3548
- [211] C:\Windows\SysWOW64\Bcmfmlen.exe (command line: C:\Windows\system32\Bcmfmlen.exe), PID 3588
- [212] C:\Windows\SysWOW64\Cnckjddd.exe (command line: C:\Windows\system32\Cnckjddd.exe), PID 3628
- [213] C:\Windows\SysWOW64\Cpdgbm32.exe (command line: C:\Windows\system32\Cpdgbm32.exe), PID 3668
- [214] C:\Windows\SysWOW64\Cmhglq32.exe (command line: C:\Windows\system32\Cmhglq32.exe), PID 3708
  - Adds autorun key to be loaded by Explorer.exe on startup
- [215] C:\Windows\SysWOW64\Ccbphk32.exe (command line: C:\Windows\system32\Ccbphk32.exe), PID 3748
- [216] C:\Windows\SysWOW64\Cjlheehe.exe (command line: C:\Windows\system32\Cjlheehe.exe), PID 3788
- [217] C:\Windows\SysWOW64\Cmjdaqgi.exe (command line: C:\Windows\system32\Cmjdaqgi.exe), PID 3828
  - Modifies registry class
- [218] C:\Windows\SysWOW64\Cfcijf32.exe (command line: C:\Windows\system32\Cfcijf32.exe), PID 3868
- [219] C:\Windows\SysWOW64\Clpabm32.exe (command line: C:\Windows\system32\Clpabm32.exe), PID 3908
- [220] C:\Windows\SysWOW64\Cbiiog32.exe (command line: C:\Windows\system32\Cbiiog32.exe), PID 3948
- [221] C:\Windows\SysWOW64\Cicalakk.exe (command line: C:\Windows\system32\Cicalakk.exe), PID 3988
- [222] C:\Windows\SysWOW64\Copjdhib.exe (command line: C:\Windows\system32\Copjdhib.exe), PID 4028
- [223] C:\Windows\SysWOW64\Dejbqb32.exe (command line: C:\Windows\system32\Dejbqb32.exe), PID 4072
- [224] C:\Windows\SysWOW64\Djgkii32.exe (command line: C:\Windows\system32\Djgkii32.exe), PID 3080
- [225] C:\Windows\SysWOW64\Demofaol.exe (command line: C:\Windows\system32\Demofaol.exe), PID 3152
  - Adds autorun key to be loaded by Explorer.exe on startup
- [226] C:\Windows\SysWOW64\Doecog32.exe (command line: C:\Windows\system32\Doecog32.exe), PID 3192
- [227] C:\Windows\SysWOW64\Dklddhka.exe (command line: C:\Windows\system32\Dklddhka.exe), PID 3240
- [228] C:\Windows\SysWOW64\Dhpemm32.exe (command line: C:\Windows\system32\Dhpemm32.exe), PID 3280
- [229] C:\Windows\SysWOW64\Dpkibo32.exe (command line: C:\Windows\system32\Dpkibo32.exe), PID 3320
- [230] C:\Windows\SysWOW64\Dkqnoh32.exe (command line: C:\Windows\system32\Dkqnoh32.exe), PID 3380
- [231] C:\Windows\SysWOW64\Edibhmml.exe (command line: C:\Windows\system32\Edibhmml.exe), PID 3400
- [232] C:\Windows\SysWOW64\Eppcmncq.exe (command line: C:\Windows\system32\Eppcmncq.exe), PID 3484
- [233] C:\Windows\SysWOW64\Elfcbo32.exe (command line: C:\Windows\system32\Elfcbo32.exe), PID 3544
  - Adds autorun key to be loaded by Explorer.exe on startup
- [234] C:\Windows\SysWOW64\Ehmdgp32.exe (command line: C:\Windows\system32\Ehmdgp32.exe), PID 3576
- [235] C:\Windows\SysWOW64\Eaeipfei.exe (command line: C:\Windows\system32\Eaeipfei.exe), PID 3636
- [236] C:\Windows\SysWOW64\Eknmhk32.exe (command line: C:\Windows\system32\Eknmhk32.exe), PID 3680
- [237] C:\Windows\SysWOW64\Fhbnbpjc.exe (command line: C:\Windows\system32\Fhbnbpjc.exe), PID 3732
- [238] C:\Windows\SysWOW64\Folfoj32.exe (command line: C:\Windows\system32\Folfoj32.exe), PID 3784
- [239] C:\Windows\SysWOW64\Fjegog32.exe (command line: C:\Windows\system32\Fjegog32.exe), PID 3840
- [240] C:\Windows\SysWOW64\Fdkklp32.exe (command line: C:\Windows\system32\Fdkklp32.exe), PID 3888
- [241] C:\Windows\SysWOW64\Flfpabkp.exe (command line: C:\Windows\system32\Flfpabkp.exe), PID 3932
- [242] C:\Windows\SysWOW64\Ffodjh32.exe (command line: C:\Windows\system32\Ffodjh32.exe), PID 3980