Analysis
max time kernel: 121s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 02-06-2024 00:25

Behavioral task behavioral1
Sample: 13322faa972aaec35250efccb6e35420_NeikiAnalytics.exe
Resource: win7-20240221-en

Behavioral task behavioral2
Sample: 13322faa972aaec35250efccb6e35420_NeikiAnalytics.exe
Resource: win10v2004-20240508-en

General
Target: 13322faa972aaec35250efccb6e35420_NeikiAnalytics.exe
Size: 378KB
MD5: 13322faa972aaec35250efccb6e35420
SHA1: d5779e1bc5e71025bd914b64006f9763ee7265aa
SHA256: a077cd9185fa98c5bced725719c0f699eb192685488ed03a585cc01ecea2b33f
SHA512: ee0bcde16f28a9d8676c9f12997c1428bc9df85d4e9e7c95f3481c0b2e0477340b70006314d10f916c843439a7419b173944b5349cff201f85846b5a59baa1d1
SSDEEP: 6144:PdB6O+KgXiwEPeYr75lHzpaF2e6UK+42GTQMJSZO5f7M0rx7/hP66qve6UK+42Gp:PX1+O1PeYr75lTefkY660fIaDZkY6605
Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
All 64 events target one key. "Key created" rows create the key; "Set value (str)" rows set the value shown below.
Key: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Value: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"

description | process
Key created | Lmebnb32.exe
Set value (str) | Glfhll32.exe
Set value (str) | Aemkjiem.exe
Key created | Kkaiqk32.exe
Set value (str) | Hgbebiao.exe
Set value (str) | Kmaled32.exe
Key created | Alenki32.exe
Set value (str) | Gdamqndn.exe
Set value (str) | Nnhkcj32.exe
Set value (str) | Nigome32.exe
Key created | Emieil32.exe
Key created | Qhooggdn.exe
Key created | Obafnlpn.exe
Set value (str) | Pgplkb32.exe
Key created | Lbfdaigg.exe
Set value (str) | Mkhofjoj.exe
Set value (str) | Llfifq32.exe
Set value (str) | Monhhk32.exe
Key created | Ogeigofa.exe
Set value (str) | Melfncqb.exe
Key created | Kpmlkp32.exe
Set value (str) | Kgbggnhc.exe
Key created | Mcegmm32.exe
Set value (str) | Hanlnp32.exe
Set value (str) | Kbqecg32.exe
Key created | Onhgbmfb.exe
Set value (str) | Jnqphi32.exe
Key created | Gmbdnn32.exe
Set value (str) | Cobbhfhg.exe
Set value (str) | Gmgdddmq.exe
Key created | Hedocp32.exe
Key created | Apcfahio.exe
Set value (str) | Ckafbbph.exe
Set value (str) | Chemfl32.exe
Key created | Ikpjgkjq.exe
Key created | Joplbl32.exe
Set value (str) | Gdniqh32.exe
Set value (str) | Gangic32.exe
Set value (str) | Pmdjdh32.exe
Key created | Gpqpjj32.exe
Key created | Kohkfj32.exe
Key created | Bpcbqk32.exe
Set value (str) | Djbiicon.exe
Key created | Emhlfmgj.exe
Set value (str) | Gpmjak32.exe
Key created | Mabgcd32.exe
Key created | Igonafba.exe
Key created | Ifnechbj.exe
Set value (str) | Figlolbf.exe
Key created | Kjljhjkl.exe
Key created | Jifdebic.exe
Set value (str) | Bocolb32.exe
Key created | Blmdlhmp.exe
Set value (str) | Dbpodagk.exe
Set value (str) | Ndmjedoi.exe
Set value (str) | Mffimglk.exe
Set value (str) | Kfegbj32.exe
Set value (str) | Lpbefoai.exe
Key created | Mkmhaj32.exe
Set value (str) | Niikceid.exe
Key created | Hellne32.exe
Set value (str) | Gikaio32.exe
Key created | Mbpgggol.exe
Set value (str) | Emeopn32.exe
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan with the capability to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
yara_rule: family_berbew (matched by every resource below)

resource
\Windows\SysWOW64\Oiellh32.exe
\Windows\SysWOW64\Oqqapjnk.exe
\Windows\SysWOW64\Ogjimd32.exe
\Windows\SysWOW64\Ojieip32.exe
C:\Windows\SysWOW64\Ocajbekl.exe
C:\Windows\SysWOW64\Ofpfnqjp.exe
C:\Windows\SysWOW64\Pjmodopf.exe
C:\Windows\SysWOW64\Ppjglfon.exe
\Windows\SysWOW64\Pbiciana.exe
\Windows\SysWOW64\Ppmdbe32.exe
C:\Windows\SysWOW64\Pigeqkai.exe
C:\Windows\SysWOW64\Plfamfpm.exe
C:\Windows\SysWOW64\Pabjem32.exe
C:\Windows\SysWOW64\Ajphib32.exe
C:\Windows\SysWOW64\Alenki32.exe
C:\Windows\SysWOW64\Aiinen32.exe
C:\Windows\SysWOW64\Ailkjmpo.exe
C:\Windows\SysWOW64\Bbdocc32.exe
C:\Windows\SysWOW64\Bingpmnl.exe
C:\Windows\SysWOW64\Blmdlhmp.exe
C:\Windows\SysWOW64\Bokphdld.exe
C:\Windows\SysWOW64\Bhcdaibd.exe
C:\Windows\SysWOW64\Bhfagipa.exe
C:\Windows\SysWOW64\Banepo32.exe
C:\Windows\SysWOW64\Bgknheej.exe
C:\Windows\SysWOW64\Bkfjhd32.exe
C:\Windows\SysWOW64\Cljcelan.exe
C:\Windows\SysWOW64\Ccdlbf32.exe
C:\Windows\SysWOW64\Cfbhnaho.exe
C:\Windows\SysWOW64\Cgbdhd32.exe
C:\Windows\SysWOW64\Cfgaiaci.exe
C:\Windows\SysWOW64\Chemfl32.exe
C:\Windows\SysWOW64\Cckace32.exe
C:\Windows\SysWOW64\Dbpodagk.exe
C:\Windows\SysWOW64\Dhjgal32.exe
C:\Windows\SysWOW64\Dkhcmgnl.exe
C:\Windows\SysWOW64\Ddagfm32.exe
C:\Windows\SysWOW64\Dhmcfkme.exe
C:\Windows\SysWOW64\Dbehoa32.exe
C:\Windows\SysWOW64\Djpmccqq.exe
C:\Windows\SysWOW64\Dmoipopd.exe
C:\Windows\SysWOW64\Dchali32.exe
C:\Windows\SysWOW64\Djbiicon.exe
C:\Windows\SysWOW64\Emcbkn32.exe
C:\Windows\SysWOW64\Ejgcdb32.exe
C:\Windows\SysWOW64\Emeopn32.exe
C:\Windows\SysWOW64\Efncicpm.exe
C:\Windows\SysWOW64\Enihne32.exe
C:\Windows\SysWOW64\Eiomkn32.exe
C:\Windows\SysWOW64\Elmigj32.exe
C:\Windows\SysWOW64\Enkece32.exe
C:\Windows\SysWOW64\Egdilkbf.exe
C:\Windows\SysWOW64\Fnpnndgp.exe
C:\Windows\SysWOW64\Faokjpfd.exe
C:\Windows\SysWOW64\Fcmgfkeg.exe
C:\Windows\SysWOW64\Faagpp32.exe
C:\Windows\SysWOW64\Ffnphf32.exe
C:\Windows\SysWOW64\Ffpmnf32.exe
C:\Windows\SysWOW64\Flmefm32.exe
C:\Windows\SysWOW64\Fbgmbg32.exe
C:\Windows\SysWOW64\Gpknlk32.exe
C:\Windows\SysWOW64\Gfefiemq.exe
C:\Windows\SysWOW64\Gangic32.exe
C:\Windows\SysWOW64\Ghhofmql.exe
Executes dropped EXE 64 IoCs
pid | process
2392 | Oiellh32.exe
3040 | Oqqapjnk.exe
2672 | Ogjimd32.exe
2736 | Ojieip32.exe
2576 | Ocajbekl.exe
2472 | Ofpfnqjp.exe
2064 | Pminkk32.exe
2800 | Pccfge32.exe
2828 | Pjmodopf.exe
908 | Ppjglfon.exe
672 | Pbiciana.exe
2688 | Plahag32.exe
1248 | Ppmdbe32.exe
2108 | Pigeqkai.exe
1912 | Plfamfpm.exe
1932 | Pbpjiphi.exe
2412 | Pabjem32.exe
2020 | Qbbfopeg.exe
1068 | Qhooggdn.exe
2912 | Qnigda32.exe
944 | Qagcpljo.exe
2084 | Adeplhib.exe
620 | Ahakmf32.exe
1508 | Ajphib32.exe
1100 | Amndem32.exe
3028 | Aplpai32.exe
3048 | Ahchbf32.exe
2476 | Ajbdna32.exe
2496 | Aalmklfi.exe
2960 | Adjigg32.exe
2588 | Afiecb32.exe
636 | Ajdadamj.exe
2880 | Alenki32.exe
772 | Afkbib32.exe
2964 | Aiinen32.exe
1552 | Apcfahio.exe
2560 | Abbbnchb.exe
2900 | Aepojo32.exe
2508 | Ailkjmpo.exe
1388 | Bbdocc32.exe
1748 | Bingpmnl.exe
2540 | Blmdlhmp.exe
2024 | Bokphdld.exe
2008 | Bhcdaibd.exe
1732 | Bkaqmeah.exe
1576 | Balijo32.exe
3044 | Begeknan.exe
2908 | Bhfagipa.exe
2640 | Bghabf32.exe
2692 | Bnbjopoi.exe
2784 | Banepo32.exe
2176 | Bdlblj32.exe
2184 | Bgknheej.exe
1868 | Bkfjhd32.exe
2976 | Baqbenep.exe
2768 | Bpcbqk32.exe
1452 | Bcaomf32.exe
2716 | Ckignd32.exe
1544 | Cngcjo32.exe
2076 | Cljcelan.exe
856 | Cdakgibq.exe
1648 | Ccdlbf32.exe
1000 | Cfbhnaho.exe
1240 | Cnippoha.exe
Loads dropped DLL 64 IoCs
Each pid/process pair below appears twice in the report (two load events per process, 64 IoCs in total); it is listed once here.
pid | process
2208 | 13322faa972aaec35250efccb6e35420_NeikiAnalytics.exe
2392 | Oiellh32.exe
3040 | Oqqapjnk.exe
2672 | Ogjimd32.exe
2736 | Ojieip32.exe
2576 | Ocajbekl.exe
2472 | Ofpfnqjp.exe
2064 | Pminkk32.exe
2800 | Pccfge32.exe
2828 | Pjmodopf.exe
908 | Ppjglfon.exe
672 | Pbiciana.exe
2688 | Plahag32.exe
1248 | Ppmdbe32.exe
2108 | Pigeqkai.exe
1912 | Plfamfpm.exe
1932 | Pbpjiphi.exe
2412 | Pabjem32.exe
2020 | Qbbfopeg.exe
1068 | Qhooggdn.exe
2912 | Qnigda32.exe
944 | Qagcpljo.exe
2084 | Adeplhib.exe
620 | Ahakmf32.exe
1508 | Ajphib32.exe
1100 | Amndem32.exe
3028 | Aplpai32.exe
3048 | Ahchbf32.exe
2476 | Ajbdna32.exe
2496 | Aalmklfi.exe
2960 | Adjigg32.exe
2588 | Afiecb32.exe
Drops file in System32 directory 64 IoCs
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\Apcfahio.exe | Aiinen32.exe
File created | C:\Windows\SysWOW64\Dhmcfkme.exe | Ddagfm32.exe
File created | C:\Windows\SysWOW64\Nkkgfioo.dll | Nncahjgl.exe
File created | C:\Windows\SysWOW64\Nolhan32.exe | Mpigfa32.exe
File created | C:\Windows\SysWOW64\Mbiaej32.dll | Bafidiio.exe
File created | C:\Windows\SysWOW64\Hojgfemq.exe | Hpgfki32.exe
File opened for modification | C:\Windows\SysWOW64\Ndjfeo32.exe | Npojdpef.exe
File created | C:\Windows\SysWOW64\Dglhipbb.dll | Keoapb32.exe
File opened for modification | C:\Windows\SysWOW64\Mppepcfg.exe | Mmahdggc.exe
File created | C:\Windows\SysWOW64\Heldepab.dll | Ofjfhk32.exe
File created | C:\Windows\SysWOW64\Pjenhm32.exe | Pfjbgnme.exe
File created | C:\Windows\SysWOW64\Lelpgepb.dll | Aekodi32.exe
File created | C:\Windows\SysWOW64\Mihiih32.exe | Mkeimlfm.exe
File opened for modification | C:\Windows\SysWOW64\Cqljpedj.dll | Kneicieh.exe
File opened for modification | C:\Windows\SysWOW64\Ijdqna32.exe | Ieidmbcc.exe
File created | C:\Windows\SysWOW64\Bhlhkl32.dll | Kjljhjkl.exe
File created | C:\Windows\SysWOW64\Dfnfdcqd.dll | Moiklogi.exe
File opened for modification | C:\Windows\SysWOW64\Edekcace.dll | Dbhnhp32.exe
File created | C:\Windows\SysWOW64\Jfnnha32.exe | Jnffgd32.exe
File created | C:\Windows\SysWOW64\Niikceid.exe | Nenobfak.exe
File created | C:\Windows\SysWOW64\Ghfbqn32.exe | Gicbeald.exe
File created | C:\Windows\SysWOW64\Dkqbaecc.exe | Dlnbeh32.exe
File opened for modification | C:\Windows\SysWOW64\Inkccpgk.exe | Iedkbc32.exe
File created | C:\Windows\SysWOW64\Dpcfqoam.dll | Jgojpjem.exe
File created | C:\Windows\SysWOW64\Jgcdki32.exe | Jdehon32.exe
File opened for modification | C:\Windows\SysWOW64\Oqqapjnk.exe | Oiellh32.exe
File created | C:\Windows\SysWOW64\Ofpfnqjp.exe | Ocajbekl.exe
File created | C:\Windows\SysWOW64\Bghjhp32.exe | Boqbfb32.exe
File opened for modification | C:\Windows\SysWOW64\Bhigphio.exe | Bekkcljk.exe
File created | C:\Windows\SysWOW64\Hhehek32.exe | Hdildlie.exe
File created | C:\Windows\SysWOW64\Clphjpmh.dll | Fpfdalii.exe
File created | C:\Windows\SysWOW64\Lponfjoo.dll | Hpapln32.exe
File created | C:\Windows\SysWOW64\Mlkopcge.exe | Mmhodf32.exe
File created | C:\Windows\SysWOW64\Ogblbo32.exe | Oddpfc32.exe
File created | C:\Windows\SysWOW64\Llcefjgf.exe | Lghjel32.exe
File created | C:\Windows\SysWOW64\Bkfjhd32.exe | Bgknheej.exe
File created | C:\Windows\SysWOW64\Mpdnkb32.exe | Mmfbogcn.exe
File opened for modification | C:\Windows\SysWOW64\Lblqijln.dll | Nehmdhja.exe
File created | C:\Windows\SysWOW64\Jqgoiokm.exe | Jbdonb32.exe
File created | C:\Windows\SysWOW64\Amfidj32.dll | Ecqqpgli.exe
File opened for modification | C:\Windows\SysWOW64\Ddokpmfo.exe | Dbpodagk.exe
File created | C:\Windows\SysWOW64\Njqaac32.dll | Eflgccbp.exe
File opened for modification | C:\Windows\SysWOW64\Idklfpon.exe | Iqopea32.exe
File opened for modification | C:\Windows\SysWOW64\Albjlcao.exe | Ahgnke32.exe
File opened for modification | C:\Windows\SysWOW64\Dlnbeh32.exe | Dhbfdjdp.exe
File created | C:\Windows\SysWOW64\Qiejdkkn.dll | Obafnlpn.exe
File opened for modification | C:\Windows\SysWOW64\Ipgbjl32.exe | Illgimph.exe
File opened for modification | C:\Windows\SysWOW64\Npojdpef.exe | Nlcnda32.exe
File created | C:\Windows\SysWOW64\Bkaqmeah.exe | Bhcdaibd.exe
File opened for modification | C:\Windows\SysWOW64\Iqalka32.exe | Incpoe32.exe
File created | C:\Windows\SysWOW64\Mdkqqa32.exe | Mppepcfg.exe
File opened for modification | C:\Windows\SysWOW64\Hjjddchg.exe | Henidd32.exe
File opened for modification | C:\Windows\SysWOW64\Pgeefbhm.exe | Pciifc32.exe
File opened for modification | C:\Windows\SysWOW64\Adnopfoj.exe | Aekodi32.exe
File created | C:\Windows\SysWOW64\Bidjnkdg.exe | Behnnm32.exe
File created | C:\Windows\SysWOW64\Afkbib32.exe | Alenki32.exe
File created | C:\Windows\SysWOW64\Iaeldika.dll | Ffkcbgek.exe
File created | C:\Windows\SysWOW64\Olpdjf32.exe | Ojahnj32.exe
File created | C:\Windows\SysWOW64\Dglpkenb.dll | Cclkfdnc.exe
File created | C:\Windows\SysWOW64\Fnhnbb32.exe | Fjmaaddo.exe
File opened for modification | C:\Windows\SysWOW64\Hlngpjlj.exe | Hhckpk32.exe
File created | C:\Windows\SysWOW64\Baqbenep.exe | Bkfjhd32.exe
File created | C:\Windows\SysWOW64\Gjlegpjp.dll | Najdnj32.exe
File created | C:\Windows\SysWOW64\Bhglodcb.dll | Qpgpkcpp.exe
Program crash 1 IoCs
process | pid | pid_target
WerFault.exe | 9204 | 9180
Modifies registry class 64 IoCs
All 64 events target the InProcServer32 key of the CLSID named by the ShellServiceObjectDelayLoad value above. "-" marks rows that create the key itself; "(Default)" is the key's unnamed value, written as a trailing backslash in the raw report. DLL paths keep the report's doubled backslashes.
Key: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32

description | value under the key | process
Key created | - | Alenki32.exe
Key created | - | Lemaif32.exe
Set value (str) | ThreadingModel = "Apartment" | Albjlcao.exe
Set value (str) | ThreadingModel = "Apartment" | Dhbfdjdp.exe
Key created | - | Eccmffjf.exe
Key created | - | Hdfflm32.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Ecmkgokh.dll" | Hogmmjfo.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Pbmnie32.dll" | Mgljbm32.exe
Key created | - | Pfjbgnme.exe
Key created | - | Hpgfki32.exe
Set value (str) | ThreadingModel = "Apartment" | Lflmci32.exe
Set value (str) | ThreadingModel = "Apartment" | Nhdlkdkg.exe
Set value (str) | ThreadingModel = "Apartment" | Okgnab32.exe
Set value (str) | ThreadingModel = "Apartment" | Obafnlpn.exe
Key created | - | Anafhopc.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Ahoanjcc.dll" | Emnndlod.exe
Key created | - | Cngcjo32.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Gdchio32.dll" | Mpbaebdd.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Ohhkga32.dll" | Pqkmjh32.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Gpgmpikn.dll" | Hlngpjlj.exe
Set value (str) | ThreadingModel = "Apartment" | Hhehek32.exe
Key created | - | Lbqabkql.exe
Set value (str) | ThreadingModel = "Apartment" | Nkeelohh.exe
Key created | - | Okikfagn.exe
Set value (str) | ThreadingModel = "Apartment" | Gjfdhbld.exe
Set value (str) | ThreadingModel = "Apartment" | Kjifhc32.exe
Set value (str) | ThreadingModel = "Apartment" | Enkece32.exe
Key created | - | Ghhofmql.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Dinhacjp.dll" | Ednpej32.exe
Set value (str) | ThreadingModel = "Apartment" | Nigome32.exe
Key created | - | Kicmdo32.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Llcohjcg.dll" | Mbpgggol.exe
Key created | - | Iqalka32.exe
Set value (str) | ThreadingModel = "Apartment" | Kjljhjkl.exe
Set value (str) | ThreadingModel = "Apartment" | Kifpdelo.exe
Key created | - | Leonofpp.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Aefbii32.dll" | Lkncmmle.exe
Key created | - | Bfadgq32.exe
Set value (str) | ThreadingModel = "Apartment" | Dhjgal32.exe
Key created | - | Bkommo32.exe
Set value (str) | ThreadingModel = "Apartment" | Bocolb32.exe
Set value (str) | ThreadingModel = "Apartment" | Ljmlbfhi.exe
Set value (str) | ThreadingModel = "Apartment" | Nkpegi32.exe
Set value (str) | ThreadingModel = "Apartment" | Lhpfqama.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Kkmgjljo.dll" | Ieidmbcc.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Bcgeaj32.dll" | Plahag32.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Ljefkdjq.dll" | Kpmlkp32.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Bmnkpm32.dll" | Mggpgmof.exe
Set value (str) | ThreadingModel = "Apartment" | Meccii32.exe
Key created | - | Bpgljfbl.exe
Key created | - | Jdpndnei.exe
Set value (str) | ThreadingModel = "Apartment" | Llcefjgf.exe
Set value (str) | ThreadingModel = "Apartment" | Niebhf32.exe
Set value (str) | ThreadingModel = "Apartment" | Nejiih32.exe
Set value (str) | ThreadingModel = "Apartment" | Qlkdkd32.exe
Set value (str) | ThreadingModel = "Apartment" | Coelaaoi.exe
Set value (str) | ThreadingModel = "Apartment" | Fiihdlpc.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Cjgheann.dll" | Ilncom32.exe
Set value (str) | ThreadingModel = "Apartment" | Jgagfi32.exe
Set value (str) | ThreadingModel = "Apartment" | Bbdocc32.exe
Key created | - | Bkfjhd32.exe
Set value (str) | ThreadingModel = "Apartment" | Ioijbj32.exe
Key created | - | Hlngpjlj.exe
Set value (str) | ThreadingModel = "Apartment" | Gddifnbk.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\13322faa972aaec35250efccb6e35420_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\13322faa972aaec35250efccb6e35420_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Oiellh32.exeC:\Windows\system32\Oiellh32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Ogjimd32.exeC:\Windows\system32\Ogjimd32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\Pccfge32.exeC:\Windows\system32\Pccfge32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:908 -
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:672 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1932 -
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2412 -
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2020 -
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1068 -
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2912 -
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:944 -
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2084 -
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:620 -
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1508 -
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1100 -
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3028 -
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3048 -
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2476 -
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2496 -
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2960 -
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2588 -
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe33⤵
- Executes dropped EXE
PID:636 -
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2880 -
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe35⤵
- Executes dropped EXE
PID:772 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2964 -
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe38⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe39⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe40⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Bbdocc32.exeC:\Windows\system32\Bbdocc32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:1388 -
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe42⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe44⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2008 -
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe46⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe47⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe48⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe49⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe50⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Bnbjopoi.exeC:\Windows\system32\Bnbjopoi.exe51⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe52⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe53⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2184 -
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1868 -
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe56⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe58⤵
- Executes dropped EXE
PID:1452 -
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe59⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:1544 -
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe61⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Cdakgibq.exeC:\Windows\system32\Cdakgibq.exe62⤵
- Executes dropped EXE
PID:856 -
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe63⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe64⤵
- Executes dropped EXE
PID:1000 -
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe65⤵
- Executes dropped EXE
PID:1240 -
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe66⤵PID:2288
-
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe67⤵PID:2600
-
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe68⤵PID:2904
-
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe69⤵PID:2988
-
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe70⤵PID:1584
-
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe71⤵PID:2188
-
C:\Windows\SysWOW64\Cfgaiaci.exeC:\Windows\system32\Cfgaiaci.exe72⤵PID:552
-
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2096 -
C:\Windows\SysWOW64\Cckace32.exeC:\Windows\system32\Cckace32.exe74⤵PID:1728
-
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe75⤵PID:1816
-
C:\Windows\SysWOW64\Cobbhfhg.exeC:\Windows\system32\Cobbhfhg.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1772 -
C:\Windows\SysWOW64\Dbpodagk.exeC:\Windows\system32\Dbpodagk.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2148 -
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe78⤵PID:2824
-
C:\Windows\SysWOW64\Dhjgal32.exeC:\Windows\system32\Dhjgal32.exe79⤵
- Modifies registry class
PID:1808 -
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe80⤵PID:564
-
C:\Windows\SysWOW64\Dngoibmo.exeC:\Windows\system32\Dngoibmo.exe81⤵PID:324
-
C:\Windows\SysWOW64\Ddagfm32.exeC:\Windows\system32\Ddagfm32.exe82⤵
- Drops file in System32 directory
PID:2160 -
C:\Windows\SysWOW64\Dhmcfkme.exeC:\Windows\system32\Dhmcfkme.exe83⤵PID:2340
-
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe84⤵PID:1744
-
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe85⤵PID:2464
-
C:\Windows\SysWOW64\Dqhhknjp.exeC:\Windows\system32\Dqhhknjp.exe86⤵PID:1824
-
C:\Windows\SysWOW64\Dgaqgh32.exeC:\Windows\system32\Dgaqgh32.exe87⤵PID:1752
-
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe88⤵PID:2616
-
C:\Windows\SysWOW64\Dmoipopd.exeC:\Windows\system32\Dmoipopd.exe89⤵PID:2376
-
C:\Windows\SysWOW64\Dchali32.exeC:\Windows\system32\Dchali32.exe90⤵PID:860
-
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1624 -
C:\Windows\SysWOW64\Dmafennb.exeC:\Windows\system32\Dmafennb.exe92⤵PID:2656
-
C:\Windows\SysWOW64\Doobajme.exeC:\Windows\system32\Doobajme.exe93⤵PID:2088
-
C:\Windows\SysWOW64\Dgfjbgmh.exeC:\Windows\system32\Dgfjbgmh.exe94⤵PID:2420
-
C:\Windows\SysWOW64\Dfijnd32.exeC:\Windows\system32\Dfijnd32.exe95⤵PID:1560
-
C:\Windows\SysWOW64\Djefobmk.exeC:\Windows\system32\Djefobmk.exe96⤵PID:1628
-
C:\Windows\SysWOW64\Emcbkn32.exeC:\Windows\system32\Emcbkn32.exe97⤵PID:2776
-
C:\Windows\SysWOW64\Ecmkghcl.exeC:\Windows\system32\Ecmkghcl.exe98⤵PID:1764
-
C:\Windows\SysWOW64\Eflgccbp.exeC:\Windows\system32\Eflgccbp.exe99⤵
- Drops file in System32 directory
PID:2468 -
C:\Windows\SysWOW64\Ejgcdb32.exeC:\Windows\system32\Ejgcdb32.exe100⤵PID:2192
-
C:\Windows\SysWOW64\Emeopn32.exeC:\Windows\system32\Emeopn32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:916 -
C:\Windows\SysWOW64\Ekholjqg.exeC:\Windows\system32\Ekholjqg.exe102⤵PID:1960
-
C:\Windows\SysWOW64\Ecpgmhai.exeC:\Windows\system32\Ecpgmhai.exe103⤵PID:748
-
C:\Windows\SysWOW64\Efncicpm.exeC:\Windows\system32\Efncicpm.exe104⤵PID:2876
-
C:\Windows\SysWOW64\Emhlfmgj.exeC:\Windows\system32\Emhlfmgj.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2068 -
C:\Windows\SysWOW64\Ekklaj32.exeC:\Windows\system32\Ekklaj32.exe106⤵PID:584
-
C:\Windows\SysWOW64\Epfhbign.exeC:\Windows\system32\Epfhbign.exe107⤵PID:2608
-
C:\Windows\SysWOW64\Enihne32.exeC:\Windows\system32\Enihne32.exe108⤵PID:1920
-
C:\Windows\SysWOW64\Efppoc32.exeC:\Windows\system32\Efppoc32.exe109⤵PID:2324
-
C:\Windows\SysWOW64\Eiomkn32.exeC:\Windows\system32\Eiomkn32.exe110⤵PID:1520
-
C:\Windows\SysWOW64\Elmigj32.exeC:\Windows\system32\Elmigj32.exe111⤵PID:2704
-
C:\Windows\SysWOW64\Enkece32.exeC:\Windows\system32\Enkece32.exe112⤵
- Modifies registry class
PID:2612 -
C:\Windows\SysWOW64\Eiaiqn32.exeC:\Windows\system32\Eiaiqn32.exe113⤵PID:816
-
C:\Windows\SysWOW64\Egdilkbf.exeC:\Windows\system32\Egdilkbf.exe114⤵PID:2124
-
C:\Windows\SysWOW64\Ejbfhfaj.exeC:\Windows\system32\Ejbfhfaj.exe115⤵PID:1692
-
C:\Windows\SysWOW64\Ebinic32.exeC:\Windows\system32\Ebinic32.exe116⤵PID:1368
-
C:\Windows\SysWOW64\Fehjeo32.exeC:\Windows\system32\Fehjeo32.exe117⤵PID:312
-
C:\Windows\SysWOW64\Fhffaj32.exeC:\Windows\system32\Fhffaj32.exe118⤵PID:2596
-
C:\Windows\SysWOW64\Fjdbnf32.exeC:\Windows\system32\Fjdbnf32.exe119⤵PID:1556
-
C:\Windows\SysWOW64\Fnpnndgp.exeC:\Windows\system32\Fnpnndgp.exe120⤵PID:1784
-
C:\Windows\SysWOW64\Faokjpfd.exeC:\Windows\system32\Faokjpfd.exe121⤵PID:2000
-
C:\Windows\SysWOW64\Fcmgfkeg.exeC:\Windows\system32\Fcmgfkeg.exe122⤵PID:2808
-
C:\Windows\SysWOW64\Ffkcbgek.exeC:\Windows\system32\Ffkcbgek.exe123⤵
- Drops file in System32 directory
PID:2848 -
C:\Windows\SysWOW64\Fnbkddem.exeC:\Windows\system32\Fnbkddem.exe124⤵PID:2044
-
C:\Windows\SysWOW64\Faagpp32.exeC:\Windows\system32\Faagpp32.exe125⤵PID:2708
-
C:\Windows\SysWOW64\Fdoclk32.exeC:\Windows\system32\Fdoclk32.exe126⤵PID:1988
-
C:\Windows\SysWOW64\Ffnphf32.exeC:\Windows\system32\Ffnphf32.exe127⤵PID:556
-
C:\Windows\SysWOW64\Filldb32.exeC:\Windows\system32\Filldb32.exe128⤵PID:2748
-
C:\Windows\SysWOW64\Facdeo32.exeC:\Windows\system32\Facdeo32.exe129⤵PID:660
-
C:\Windows\SysWOW64\Fpfdalii.exeC:\Windows\system32\Fpfdalii.exe130⤵
- Drops file in System32 directory
PID:1340 -
C:\Windows\SysWOW64\Fbdqmghm.exeC:\Windows\system32\Fbdqmghm.exe131⤵PID:2772
-
C:\Windows\SysWOW64\Ffpmnf32.exeC:\Windows\system32\Ffpmnf32.exe132⤵PID:1536
-
C:\Windows\SysWOW64\Fioija32.exeC:\Windows\system32\Fioija32.exe133⤵PID:2444
-
C:\Windows\SysWOW64\Flmefm32.exeC:\Windows\system32\Flmefm32.exe134⤵PID:2984
-
C:\Windows\SysWOW64\Fbgmbg32.exeC:\Windows\system32\Fbgmbg32.exe135⤵PID:2752
-
C:\Windows\SysWOW64\Fmlapp32.exeC:\Windows\system32\Fmlapp32.exe136⤵PID:1064
-
C:\Windows\SysWOW64\Gpknlk32.exeC:\Windows\system32\Gpknlk32.exe137⤵PID:2720
-
C:\Windows\SysWOW64\Gbijhg32.exeC:\Windows\system32\Gbijhg32.exe138⤵PID:2760
-
C:\Windows\SysWOW64\Gfefiemq.exeC:\Windows\system32\Gfefiemq.exe139⤵PID:1420
-
C:\Windows\SysWOW64\Gicbeald.exeC:\Windows\system32\Gicbeald.exe140⤵
- Drops file in System32 directory
PID:2272 -
C:\Windows\SysWOW64\Ghfbqn32.exeC:\Windows\system32\Ghfbqn32.exe141⤵PID:1656
-
C:\Windows\SysWOW64\Gpmjak32.exeC:\Windows\system32\Gpmjak32.exe142⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3020 -
C:\Windows\SysWOW64\Gopkmhjk.exeC:\Windows\system32\Gopkmhjk.exe143⤵PID:1160
-
C:\Windows\SysWOW64\Gangic32.exeC:\Windows\system32\Gangic32.exe144⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2928 -
C:\Windows\SysWOW64\Gieojq32.exeC:\Windows\system32\Gieojq32.exe145⤵PID:2532
-
C:\Windows\SysWOW64\Ghhofmql.exeC:\Windows\system32\Ghhofmql.exe146⤵
- Modifies registry class
PID:2840 -
C:\Windows\SysWOW64\Gkgkbipp.exeC:\Windows\system32\Gkgkbipp.exe147⤵PID:1924
-
C:\Windows\SysWOW64\Gaqcoc32.exeC:\Windows\system32\Gaqcoc32.exe148⤵PID:1488
-
C:\Windows\SysWOW64\Gelppaof.exeC:\Windows\system32\Gelppaof.exe149⤵PID:2564
-
C:\Windows\SysWOW64\Ghkllmoi.exeC:\Windows\system32\Ghkllmoi.exe150⤵PID:2040
-
C:\Windows\SysWOW64\Glfhll32.exeC:\Windows\system32\Glfhll32.exe151⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2100 -
C:\Windows\SysWOW64\Goddhg32.exeC:\Windows\system32\Goddhg32.exe152⤵PID:2696
-
C:\Windows\SysWOW64\Gmgdddmq.exeC:\Windows\system32\Gmgdddmq.exe153⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2380 -
C:\Windows\SysWOW64\Geolea32.exeC:\Windows\system32\Geolea32.exe154⤵PID:2424
-
C:\Windows\SysWOW64\Gdamqndn.exeC:\Windows\system32\Gdamqndn.exe155⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1032 -
C:\Windows\SysWOW64\Ggpimica.exeC:\Windows\system32\Ggpimica.exe156⤵PID:1244
-
C:\Windows\SysWOW64\Gogangdc.exeC:\Windows\system32\Gogangdc.exe157⤵PID:2416
-
C:\Windows\SysWOW64\Gaemjbcg.exeC:\Windows\system32\Gaemjbcg.exe158⤵PID:1948
-
C:\Windows\SysWOW64\Gphmeo32.exeC:\Windows\system32\Gphmeo32.exe159⤵PID:2652
-
C:\Windows\SysWOW64\Gddifnbk.exeC:\Windows\system32\Gddifnbk.exe160⤵
- Modifies registry class
PID:1996 -
C:\Windows\SysWOW64\Hgbebiao.exeC:\Windows\system32\Hgbebiao.exe161⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2644 -
C:\Windows\SysWOW64\Hiqbndpb.exeC:\Windows\system32\Hiqbndpb.exe162⤵PID:2456
-
C:\Windows\SysWOW64\Hmlnoc32.exeC:\Windows\system32\Hmlnoc32.exe163⤵PID:2152
-
C:\Windows\SysWOW64\Hpkjko32.exeC:\Windows\system32\Hpkjko32.exe164⤵PID:2092
-
C:\Windows\SysWOW64\Hdfflm32.exeC:\Windows\system32\Hdfflm32.exe165⤵
- Modifies registry class
PID:2996 -
C:\Windows\SysWOW64\Hgdbhi32.exeC:\Windows\system32\Hgdbhi32.exe166⤵PID:2260
-
C:\Windows\SysWOW64\Hicodd32.exeC:\Windows\system32\Hicodd32.exe167⤵PID:1644
-
C:\Windows\SysWOW64\Hnojdcfi.exeC:\Windows\system32\Hnojdcfi.exe168⤵PID:2872
-
C:\Windows\SysWOW64\Hpmgqnfl.exeC:\Windows\system32\Hpmgqnfl.exe169⤵PID:2968
-
C:\Windows\SysWOW64\Hdhbam32.exeC:\Windows\system32\Hdhbam32.exe170⤵PID:2664
-
C:\Windows\SysWOW64\Hggomh32.exeC:\Windows\system32\Hggomh32.exe171⤵PID:2512
-
C:\Windows\SysWOW64\Hnagjbdf.exeC:\Windows\system32\Hnagjbdf.exe172⤵PID:2796
-
C:\Windows\SysWOW64\Hlcgeo32.exeC:\Windows\system32\Hlcgeo32.exe173⤵PID:1604
-
C:\Windows\SysWOW64\Hobcak32.exeC:\Windows\system32\Hobcak32.exe174⤵PID:1612
-
C:\Windows\SysWOW64\Hcnpbi32.exeC:\Windows\system32\Hcnpbi32.exe175⤵PID:2500
-
C:\Windows\SysWOW64\Hellne32.exeC:\Windows\system32\Hellne32.exe176⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2036 -
C:\Windows\SysWOW64\Hhjhkq32.exeC:\Windows\system32\Hhjhkq32.exe177⤵PID:2204
-
C:\Windows\SysWOW64\Hpapln32.exeC:\Windows\system32\Hpapln32.exe178⤵
- Drops file in System32 directory
PID:1328 -
C:\Windows\SysWOW64\Hcplhi32.exeC:\Windows\system32\Hcplhi32.exe179⤵PID:1392
-
C:\Windows\SysWOW64\Henidd32.exeC:\Windows\system32\Henidd32.exe180⤵
- Drops file in System32 directory
PID:2300 -
C:\Windows\SysWOW64\Hjjddchg.exeC:\Windows\system32\Hjjddchg.exe181⤵PID:2480
-
C:\Windows\SysWOW64\Hlhaqogk.exeC:\Windows\system32\Hlhaqogk.exe182⤵PID:2492
-
C:\Windows\SysWOW64\Hogmmjfo.exeC:\Windows\system32\Hogmmjfo.exe183⤵
- Modifies registry class
PID:2592 -
C:\Windows\SysWOW64\Icbimi32.exeC:\Windows\system32\Icbimi32.exe184⤵PID:1968
-
C:\Windows\SysWOW64\Iaeiieeb.exeC:\Windows\system32\Iaeiieeb.exe185⤵PID:1864
-
C:\Windows\SysWOW64\Ieqeidnl.exeC:\Windows\system32\Ieqeidnl.exe186⤵PID:3100
-
C:\Windows\SysWOW64\Ihoafpmp.exeC:\Windows\system32\Ihoafpmp.exe187⤵PID:3140
-
C:\Windows\SysWOW64\Iknnbklc.exeC:\Windows\system32\Iknnbklc.exe188⤵PID:3180
-
C:\Windows\SysWOW64\Ioijbj32.exeC:\Windows\system32\Ioijbj32.exe189⤵
- Modifies registry class
PID:3220 -
C:\Windows\SysWOW64\Inljnfkg.exeC:\Windows\system32\Inljnfkg.exe190⤵PID:3260
-
C:\Windows\SysWOW64\Ifcbodli.exeC:\Windows\system32\Ifcbodli.exe191⤵PID:3300
-
C:\Windows\SysWOW64\Ihankokm.exeC:\Windows\system32\Ihankokm.exe192⤵PID:3340
-
C:\Windows\SysWOW64\Ikpjgkjq.exeC:\Windows\system32\Ikpjgkjq.exe193⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3380 -
C:\Windows\SysWOW64\Iajcde32.exeC:\Windows\system32\Iajcde32.exe194⤵PID:3420
-
C:\Windows\SysWOW64\Iqmcpahh.exeC:\Windows\system32\Iqmcpahh.exe195⤵PID:3460
-
C:\Windows\SysWOW64\Ihdkao32.exeC:\Windows\system32\Ihdkao32.exe196⤵PID:3500
-
C:\Windows\SysWOW64\Ikbgmj32.exeC:\Windows\system32\Ikbgmj32.exe197⤵PID:3540
-
C:\Windows\SysWOW64\Ijeghgoh.exeC:\Windows\system32\Ijeghgoh.exe198⤵PID:3580
-
C:\Windows\SysWOW64\Inqcif32.exeC:\Windows\system32\Inqcif32.exe199⤵PID:3620
-
C:\Windows\SysWOW64\Iqopea32.exeC:\Windows\system32\Iqopea32.exe200⤵PID:3660
-
C:\Windows\SysWOW64\Iqopea32.exeC:\Windows\system32\Iqopea32.exe201⤵
- Drops file in System32 directory
PID:3688 -
C:\Windows\SysWOW64\Idklfpon.exeC:\Windows\system32\Idklfpon.exe202⤵PID:3712
-
C:\Windows\SysWOW64\Igihbknb.exeC:\Windows\system32\Igihbknb.exe203⤵PID:3752
-
C:\Windows\SysWOW64\Ikddbj32.exeC:\Windows\system32\Ikddbj32.exe204⤵PID:3792
-
C:\Windows\SysWOW64\Incpoe32.exeC:\Windows\system32\Incpoe32.exe205⤵
- Drops file in System32 directory
PID:3832 -
C:\Windows\SysWOW64\Iqalka32.exeC:\Windows\system32\Iqalka32.exe206⤵
- Modifies registry class
PID:3872 -
C:\Windows\SysWOW64\Icpigm32.exeC:\Windows\system32\Icpigm32.exe207⤵PID:3912
-
C:\Windows\SysWOW64\Ifnechbj.exeC:\Windows\system32\Ifnechbj.exe208⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3952 -
C:\Windows\SysWOW64\Jjjacf32.exeC:\Windows\system32\Jjjacf32.exe209⤵PID:3992
-
C:\Windows\SysWOW64\Jmhmpb32.exeC:\Windows\system32\Jmhmpb32.exe210⤵PID:4032
-
C:\Windows\SysWOW64\Jofiln32.exeC:\Windows\system32\Jofiln32.exe211⤵PID:4072
-
C:\Windows\SysWOW64\Jgnamk32.exeC:\Windows\system32\Jgnamk32.exe212⤵PID:3092
-
C:\Windows\SysWOW64\Jjlnif32.exeC:\Windows\system32\Jjlnif32.exe213⤵PID:3152
-
C:\Windows\SysWOW64\Jmjjea32.exeC:\Windows\system32\Jmjjea32.exe214⤵PID:3208
-
C:\Windows\SysWOW64\Jqfffqpm.exeC:\Windows\system32\Jqfffqpm.exe215⤵PID:3256
-
C:\Windows\SysWOW64\Jcdbbloa.exeC:\Windows\system32\Jcdbbloa.exe216⤵PID:3316
-
C:\Windows\SysWOW64\Jfcnngnd.exeC:\Windows\system32\Jfcnngnd.exe217⤵PID:3356
-
C:\Windows\SysWOW64\Jiakjb32.exeC:\Windows\system32\Jiakjb32.exe218⤵PID:3416
-
C:\Windows\SysWOW64\Jkpgfn32.exeC:\Windows\system32\Jkpgfn32.exe219⤵PID:3392
-
C:\Windows\SysWOW64\Jcgogk32.exeC:\Windows\system32\Jcgogk32.exe220⤵PID:3512
-
C:\Windows\SysWOW64\Jehkodcm.exeC:\Windows\system32\Jehkodcm.exe221⤵PID:3568
-
C:\Windows\SysWOW64\Jicgpb32.exeC:\Windows\system32\Jicgpb32.exe222⤵PID:3628
-
C:\Windows\SysWOW64\Jnqphi32.exeC:\Windows\system32\Jnqphi32.exe223⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3684 -
C:\Windows\SysWOW64\Jbllihbf.exeC:\Windows\system32\Jbllihbf.exe224⤵PID:3744
-
C:\Windows\SysWOW64\Jfghif32.exeC:\Windows\system32\Jfghif32.exe225⤵PID:3800
-
C:\Windows\SysWOW64\Jifdebic.exeC:\Windows\system32\Jifdebic.exe226⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1300 -
C:\Windows\SysWOW64\Jifdebic.exeC:\Windows\system32\Jifdebic.exe227⤵PID:3864
-
C:\Windows\SysWOW64\Jgidao32.exeC:\Windows\system32\Jgidao32.exe228⤵PID:3904
-
C:\Windows\SysWOW64\Joplbl32.exeC:\Windows\system32\Joplbl32.exe229⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3960 -
C:\Windows\SysWOW64\Jnclnihj.exeC:\Windows\system32\Jnclnihj.exe230⤵PID:3928
-
C:\Windows\SysWOW64\Jbnhng32.exeC:\Windows\system32\Jbnhng32.exe231⤵PID:4064
-
C:\Windows\SysWOW64\Kaaijdgn.exeC:\Windows\system32\Kaaijdgn.exe232⤵PID:3084
-
C:\Windows\SysWOW64\Kemejc32.exeC:\Windows\system32\Kemejc32.exe233⤵PID:3148
-
C:\Windows\SysWOW64\Kgkafo32.exeC:\Windows\system32\Kgkafo32.exe234⤵PID:3228
-
C:\Windows\SysWOW64\Kkgmgmfd.exeC:\Windows\system32\Kkgmgmfd.exe235⤵PID:3284
-
C:\Windows\SysWOW64\Kneicieh.exeC:\Windows\system32\Kneicieh.exe236⤵
- Drops file in System32 directory
PID:3080 -
C:\Windows\SysWOW64\Kneicieh.exeC:\Windows\system32\Kneicieh.exe237⤵PID:3368
-
C:\Windows\SysWOW64\Kbqecg32.exeC:\Windows\system32\Kbqecg32.exe238⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3404 -
C:\Windows\SysWOW64\Keoapb32.exeC:\Windows\system32\Keoapb32.exe239⤵
- Drops file in System32 directory
PID:3364 -
C:\Windows\SysWOW64\Kcbakpdo.exeC:\Windows\system32\Kcbakpdo.exe240⤵PID:3532
-
C:\Windows\SysWOW64\Kgnnln32.exeC:\Windows\system32\Kgnnln32.exe241⤵PID:3604
-
C:\Windows\SysWOW64\Kjljhjkl.exeC:\Windows\system32\Kjljhjkl.exe242⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3668