Analysis
-
max time kernel
119s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
02-06-2024 01:39
Behavioral task
behavioral1
Sample
1dcd98b09f1ee450bd4efb4fc75a5ba0_NeikiAnalytics.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
1dcd98b09f1ee450bd4efb4fc75a5ba0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
1dcd98b09f1ee450bd4efb4fc75a5ba0_NeikiAnalytics.exe
-
Size
367KB
-
MD5
1dcd98b09f1ee450bd4efb4fc75a5ba0
-
SHA1
7c9b0027fd1a9e5407bbb918ad00e68bf2df36ba
-
SHA256
bf778817e648f51f0e8314ea7eaf46f2213a99ffac001273a2a40e46079da4ff
-
SHA512
bf9ad4070cd132faa5854eb8c91d85c86be1668387d93328aea1afb62b7b68aeef9c265fe1bd95378f653990ea4aadacd936846ca99178ae2b1a404f2cf5af06
-
SSDEEP
6144:2ICLP61YFz9wXsZl8tnJfKXqPTX7D7FM6234lKm3mo8Yvi4KsLTFM6234lKm3cM9:2f61YFz9wXdtJCXqP77D7FB24lwR45Fb
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Pqemdbaj.exePmojocel.exeBdgafdfp.exeCeaadk32.exeBnielm32.exeOnhgbmfb.exeLoapim32.exeOddpfc32.exeOcimgp32.exeBmpfojmp.exeAijpnfif.exeBphbeplm.exeJfqahgpg.exeAeenochi.exePijbfj32.exePpmdbe32.exeEeempocb.exeJqlhdo32.exeNiebhf32.exeLdcamcih.exeAidnohbk.exePjbjhgde.exeAfiglkle.exeBfkpqn32.exeAhokfj32.exeInkccpgk.exeJqnejn32.exePqhijbog.exeJbllihbf.exeFhffaj32.exeAlbjlcao.exeBiicik32.exeFadminnn.exeAigchgkh.exeCdoajb32.exeEbbgid32.exeHjjddchg.exeLlcefjgf.exeOagmmgdm.exeGkgkbipp.exeKfmjgeaj.exeKiqpop32.exeCkiigmcd.exeKmaled32.exeEjobhppq.exePqemdbaj.exeQlkdkd32.exeNeplhf32.exeBhajdblk.exeJhngjmlo.exePedleg32.exeKfpgmdog.exeOlonpp32.exeKgbggnhc.exeDogefd32.exeDbkknojp.exeJfiale32.exeCgpgce32.exeIkkjbe32.exePflomnkb.exeIqopea32.exeQbplbi32.exeBhdgjb32.exeNbdnoo32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pqemdbaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmojocel.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdgafdfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ceaadk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnielm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onhgbmfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loapim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oddpfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ocimgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bmpfojmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aijpnfif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bphbeplm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jfqahgpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aeenochi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pijbfj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppmdbe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeempocb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqlhdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Niebhf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldcamcih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aidnohbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjbjhgde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afiglkle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfkpqn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahokfj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inkccpgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jqnejn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pqhijbog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jbllihbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhffaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Albjlcao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Biicik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fadminnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aigchgkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cdoajb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ebbgid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hjjddchg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Llcefjgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oagmmgdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gkgkbipp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kfmjgeaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiqpop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ckiigmcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kmaled32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ejobhppq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pqemdbaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlkdkd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neplhf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhajdblk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhngjmlo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pedleg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfpgmdog.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olonpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgbggnhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dogefd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dbkknojp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jfiale32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgpgce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ikkjbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pflomnkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iqopea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qbplbi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhdgjb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbdnoo32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Processes:
resource yara_rule \Windows\SysWOW64\Kegnkh32.exe family_berbew \Windows\SysWOW64\Kanopipl.exe family_berbew \Windows\SysWOW64\Loapim32.exe family_berbew \Windows\SysWOW64\Lekhfgfc.exe family_berbew \Windows\SysWOW64\Lmgmjjdn.exe family_berbew C:\Windows\SysWOW64\Lgoacojo.exe family_berbew \Windows\SysWOW64\Ldcamcih.exe family_berbew \Windows\SysWOW64\Lipjejgp.exe family_berbew \Windows\SysWOW64\Ldenbcge.exe family_berbew \Windows\SysWOW64\Libgjj32.exe family_berbew \Windows\SysWOW64\Mcjkcplm.exe family_berbew C:\Windows\SysWOW64\Midcpj32.exe family_berbew \Windows\SysWOW64\Migpeiag.exe family_berbew \Windows\SysWOW64\Mkhmma32.exe family_berbew \Windows\SysWOW64\Mkjica32.exe family_berbew \Windows\SysWOW64\Mdcnlglc.exe family_berbew C:\Windows\SysWOW64\Mgajhbkg.exe family_berbew C:\Windows\SysWOW64\Mkobnqan.exe family_berbew C:\Windows\SysWOW64\Nnnojlpa.exe family_berbew C:\Windows\SysWOW64\Ndgggf32.exe family_berbew C:\Windows\SysWOW64\Ngfcca32.exe family_berbew C:\Windows\SysWOW64\Nkaocp32.exe family_berbew C:\Windows\SysWOW64\Nnplpl32.exe family_berbew C:\Windows\SysWOW64\Njgldmdc.exe family_berbew C:\Windows\SysWOW64\Ncoamb32.exe family_berbew C:\Windows\SysWOW64\Nhlifi32.exe family_berbew C:\Windows\SysWOW64\Nlgefh32.exe family_berbew C:\Windows\SysWOW64\Nbdnoo32.exe family_berbew C:\Windows\SysWOW64\Nhnfkigh.exe family_berbew C:\Windows\SysWOW64\Nfpjomgd.exe family_berbew C:\Windows\SysWOW64\Okoomd32.exe family_berbew C:\Windows\SysWOW64\Onmkio32.exe family_berbew C:\Windows\SysWOW64\Oomhcbjp.exe family_berbew C:\Windows\SysWOW64\Oqndkj32.exe family_berbew C:\Windows\SysWOW64\Odjpkihg.exe family_berbew C:\Windows\SysWOW64\Onbddoog.exe family_berbew C:\Windows\SysWOW64\Obnqem32.exe family_berbew C:\Windows\SysWOW64\Ogjimd32.exe family_berbew C:\Windows\SysWOW64\Ondajnme.exe family_berbew C:\Windows\SysWOW64\Ogmfbd32.exe family_berbew C:\Windows\SysWOW64\Pminkk32.exe family_berbew C:\Windows\SysWOW64\Ojkboo32.exe family_berbew C:\Windows\SysWOW64\Pphjgfqq.exe family_berbew C:\Windows\SysWOW64\Pipopl32.exe family_berbew C:\Windows\SysWOW64\Paggai32.exe family_berbew C:\Windows\SysWOW64\Pcfcmd32.exe family_berbew C:\Windows\SysWOW64\Pfdpip32.exe family_berbew C:\Windows\SysWOW64\Pmnhfjmg.exe family_berbew C:\Windows\SysWOW64\Ppmdbe32.exe family_berbew C:\Windows\SysWOW64\Pfflopdh.exe family_berbew C:\Windows\SysWOW64\Peiljl32.exe family_berbew C:\Windows\SysWOW64\Ppoqge32.exe family_berbew C:\Windows\SysWOW64\Pbmmcq32.exe family_berbew C:\Windows\SysWOW64\Pfiidobe.exe family_berbew C:\Windows\SysWOW64\Pigeqkai.exe family_berbew C:\Windows\SysWOW64\Plfamfpm.exe family_berbew C:\Windows\SysWOW64\Ppamme32.exe family_berbew C:\Windows\SysWOW64\Pndniaop.exe family_berbew C:\Windows\SysWOW64\Pijbfj32.exe family_berbew C:\Windows\SysWOW64\Qlhnbf32.exe family_berbew C:\Windows\SysWOW64\Qnfjna32.exe family_berbew C:\Windows\SysWOW64\Qeqbkkej.exe family_berbew C:\Windows\SysWOW64\Qdccfh32.exe family_berbew C:\Windows\SysWOW64\Qljkhe32.exe family_berbew -
Executes dropped EXE 64 IoCs
Processes:
Kegnkh32.exeKanopipl.exeLoapim32.exeLekhfgfc.exeLmgmjjdn.exeLgoacojo.exeLdcamcih.exeLipjejgp.exeLdenbcge.exeLibgjj32.exeMcjkcplm.exeMidcpj32.exeMigpeiag.exeMkhmma32.exeMkjica32.exeMdcnlglc.exeMgajhbkg.exeMkobnqan.exeNnnojlpa.exeNdgggf32.exeNgfcca32.exeNkaocp32.exeNnplpl32.exeNjgldmdc.exeNcoamb32.exeNhlifi32.exeNlgefh32.exeNbdnoo32.exeNfpjomgd.exeNhnfkigh.exeOkoomd32.exeOnmkio32.exeOomhcbjp.exeOqndkj32.exeOdjpkihg.exeOnbddoog.exeObnqem32.exeOgjimd32.exeOndajnme.exeOgmfbd32.exeOjkboo32.exePminkk32.exePphjgfqq.exePipopl32.exePaggai32.exePcfcmd32.exePfdpip32.exePmnhfjmg.exePpmdbe32.exePfflopdh.exePeiljl32.exePpoqge32.exePbmmcq32.exePfiidobe.exePigeqkai.exePlfamfpm.exePpamme32.exePndniaop.exePijbfj32.exeQlhnbf32.exeQnfjna32.exeQeqbkkej.exeQdccfh32.exeQljkhe32.exepid process 2992 Kegnkh32.exe 3044 Kanopipl.exe 2580 Loapim32.exe 2596 Lekhfgfc.exe 2484 Lmgmjjdn.exe 1972 Lgoacojo.exe 2524 Ldcamcih.exe 2140 Lipjejgp.exe 2688 Ldenbcge.exe 1588 Libgjj32.exe 1668 Mcjkcplm.exe 2748 Midcpj32.exe 500 Migpeiag.exe 2544 Mkhmma32.exe 1424 Mkjica32.exe 1704 Mdcnlglc.exe 1816 Mgajhbkg.exe 1756 Mkobnqan.exe 1500 Nnnojlpa.exe 2012 Ndgggf32.exe 2180 Ngfcca32.exe 1708 Nkaocp32.exe 2208 Nnplpl32.exe 820 Njgldmdc.exe 1752 Ncoamb32.exe 2196 Nhlifi32.exe 632 Nlgefh32.exe 2388 Nbdnoo32.exe 2644 Nfpjomgd.exe 2676 Nhnfkigh.exe 2728 Okoomd32.exe 2460 Onmkio32.exe 2800 Oomhcbjp.exe 2796 Oqndkj32.exe 1824 Odjpkihg.exe 1112 Onbddoog.exe 1620 Obnqem32.exe 2548 Ogjimd32.exe 952 Ondajnme.exe 2948 Ogmfbd32.exe 944 Ojkboo32.exe 2240 Pminkk32.exe 2120 Pphjgfqq.exe 2412 Pipopl32.exe 1564 Paggai32.exe 1436 Pcfcmd32.exe 1552 Pfdpip32.exe 792 Pmnhfjmg.exe 2892 Ppmdbe32.exe 892 Pfflopdh.exe 2896 Peiljl32.exe 2184 Ppoqge32.exe 2640 Pbmmcq32.exe 2576 Pfiidobe.exe 2664 Pigeqkai.exe 2504 Plfamfpm.exe 1936 Ppamme32.exe 1344 Pndniaop.exe 1900 Pijbfj32.exe 2424 Qlhnbf32.exe 2752 Qnfjna32.exe 2924 Qeqbkkej.exe 2284 Qdccfh32.exe 2288 Qljkhe32.exe -
Loads dropped DLL 64 IoCs
Processes:
1dcd98b09f1ee450bd4efb4fc75a5ba0_NeikiAnalytics.exeKegnkh32.exeKanopipl.exeLoapim32.exeLekhfgfc.exeLmgmjjdn.exeLgoacojo.exeLdcamcih.exeLipjejgp.exeLdenbcge.exeLibgjj32.exeMcjkcplm.exeMidcpj32.exeMigpeiag.exeMkhmma32.exeMkjica32.exeMdcnlglc.exeMgajhbkg.exeMkobnqan.exeNnnojlpa.exeNdgggf32.exeNgfcca32.exeNkaocp32.exeNnplpl32.exeNjgldmdc.exeNcoamb32.exeNhlifi32.exeNlgefh32.exeNbdnoo32.exeNfpjomgd.exeNhnfkigh.exeOkoomd32.exepid process 2220 1dcd98b09f1ee450bd4efb4fc75a5ba0_NeikiAnalytics.exe 2220 1dcd98b09f1ee450bd4efb4fc75a5ba0_NeikiAnalytics.exe 2992 Kegnkh32.exe 2992 Kegnkh32.exe 3044 Kanopipl.exe 3044 Kanopipl.exe 2580 Loapim32.exe 2580 Loapim32.exe 2596 Lekhfgfc.exe 2596 Lekhfgfc.exe 2484 Lmgmjjdn.exe 2484 Lmgmjjdn.exe 1972 Lgoacojo.exe 1972 Lgoacojo.exe 2524 Ldcamcih.exe 2524 Ldcamcih.exe 2140 Lipjejgp.exe 2140 Lipjejgp.exe 2688 Ldenbcge.exe 2688 Ldenbcge.exe 1588 Libgjj32.exe 1588 Libgjj32.exe 1668 Mcjkcplm.exe 1668 Mcjkcplm.exe 2748 Midcpj32.exe 2748 Midcpj32.exe 500 Migpeiag.exe 500 Migpeiag.exe 2544 Mkhmma32.exe 2544 Mkhmma32.exe 1424 Mkjica32.exe 1424 Mkjica32.exe 1704 Mdcnlglc.exe 1704 Mdcnlglc.exe 1816 Mgajhbkg.exe 1816 Mgajhbkg.exe 1756 Mkobnqan.exe 1756 Mkobnqan.exe 1500 Nnnojlpa.exe 1500 Nnnojlpa.exe 2012 Ndgggf32.exe 2012 Ndgggf32.exe 2180 Ngfcca32.exe 2180 Ngfcca32.exe 1708 Nkaocp32.exe 1708 Nkaocp32.exe 2208 Nnplpl32.exe 2208 Nnplpl32.exe 820 Njgldmdc.exe 820 Njgldmdc.exe 1752 Ncoamb32.exe 1752 Ncoamb32.exe 2196 Nhlifi32.exe 2196 Nhlifi32.exe 632 Nlgefh32.exe 632 Nlgefh32.exe 2388 Nbdnoo32.exe 2388 Nbdnoo32.exe 2644 Nfpjomgd.exe 2644 Nfpjomgd.exe 2676 Nhnfkigh.exe 2676 Nhnfkigh.exe 2728 Okoomd32.exe 2728 Okoomd32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Iamimc32.exeQnfjna32.exeGgpimica.exeKafbec32.exePefijfii.exeBdgafdfp.exeHpbiommg.exeGangic32.exeLecgje32.exeBlbfjg32.exeBoplllob.exeLeonofpp.exeNpfgpe32.exeCnaocmmi.exePkidlk32.exeGpknlk32.exeNkmdpm32.exePcfefmnk.exePmnhfjmg.exeFjilieka.exeLcfqkl32.exeNcpcfkbg.exeAaloddnn.exeGogangdc.exeAoepcn32.exeIkhjki32.exeJbgkcb32.exeOdjbdb32.exePiekcd32.exeOjfaijcc.exeOikojfgk.exeQbplbi32.exeQgmdjp32.exeEilpeooq.exeNlbeqb32.exeOfjfhk32.exeAplifb32.exeDndlim32.exeKmefooki.exeLoapim32.exeAffhncfc.exeGmjaic32.exeMofglh32.exeOndajnme.exeEfppoc32.exeKjjmbj32.exeNkiogn32.exeJfknbe32.exeComimg32.exeCjfccn32.exeCddjebgb.exeLmlhnagm.exeCmgechbh.exeLoeebl32.exeMgimmm32.exeMkeimlfm.exeNondgn32.exeOkikfagn.exeCnkicn32.exePbkbgjcc.exeOomhcbjp.exeBghabf32.exeCldooj32.exedescription ioc process File opened for modification C:\Windows\SysWOW64\Ijdqna32.exe Iamimc32.exe File opened for modification C:\Windows\SysWOW64\Qeqbkkej.exe Qnfjna32.exe File created C:\Windows\SysWOW64\Gogangdc.exe Ggpimica.exe File created C:\Windows\SysWOW64\Kcdnao32.exe Kafbec32.exe File created C:\Windows\SysWOW64\Pkpagq32.exe Pefijfii.exe File opened for modification C:\Windows\SysWOW64\Bbjbaa32.exe Bdgafdfp.exe File created C:\Windows\SysWOW64\Hdnepk32.exe Hpbiommg.exe File created C:\Windows\SysWOW64\Gejcjbah.exe Gangic32.exe File created C:\Windows\SysWOW64\Acjobj32.dll Lecgje32.exe File created C:\Windows\SysWOW64\Bpnbkeld.exe Blbfjg32.exe File created C:\Windows\SysWOW64\Bmclhi32.exe Boplllob.exe File created C:\Windows\SysWOW64\Jooafm32.dll Leonofpp.exe File opened for modification C:\Windows\SysWOW64\Nceclqan.exe Npfgpe32.exe File created C:\Windows\SysWOW64\Oehfcmhd.dll Cnaocmmi.exe File created C:\Windows\SysWOW64\Pjldghjm.exe Pkidlk32.exe File created C:\Windows\SysWOW64\Gbijhg32.exe Gpknlk32.exe File created C:\Windows\SysWOW64\Oohqqlei.exe Nkmdpm32.exe File opened for modification C:\Windows\SysWOW64\Pgbafl32.exe Pcfefmnk.exe File opened for modification C:\Windows\SysWOW64\Ppmdbe32.exe Pmnhfjmg.exe File created C:\Windows\SysWOW64\Jeccgbbh.dll Fjilieka.exe File created C:\Windows\SysWOW64\Lbiqfied.exe Lcfqkl32.exe File created C:\Windows\SysWOW64\Ngkogj32.exe Ncpcfkbg.exe File opened for modification C:\Windows\SysWOW64\Apoooa32.exe Aaloddnn.exe File opened for modification C:\Windows\SysWOW64\Gmjaic32.exe Gogangdc.exe File created C:\Windows\SysWOW64\Ajjmcaea.dll Aoepcn32.exe File created C:\Windows\SysWOW64\Jocflgga.exe Ikhjki32.exe File created C:\Windows\SysWOW64\Imfegi32.dll Jbgkcb32.exe File opened for modification C:\Windows\SysWOW64\Ohendqhd.exe Odjbdb32.exe File created C:\Windows\SysWOW64\Pmagdbci.exe Piekcd32.exe File opened for modification C:\Windows\SysWOW64\Okgnab32.exe Ojfaijcc.exe File created C:\Windows\SysWOW64\Okikfagn.exe Oikojfgk.exe File created C:\Windows\SysWOW64\Qflhbhgg.exe Qbplbi32.exe File created C:\Windows\SysWOW64\Qkhpkoen.exe Qgmdjp32.exe File created C:\Windows\SysWOW64\Epfhbign.exe Eilpeooq.exe File opened for modification C:\Windows\SysWOW64\Noqamn32.exe Nlbeqb32.exe File created C:\Windows\SysWOW64\Ojfaijcc.exe Ofjfhk32.exe File created C:\Windows\SysWOW64\Jifnmmhq.dll Aplifb32.exe File created C:\Windows\SysWOW64\Dpbheh32.exe Dndlim32.exe File created C:\Windows\SysWOW64\Kmefooki.exe Kmefooki.exe File created C:\Windows\SysWOW64\Lekhfgfc.exe Loapim32.exe File created C:\Windows\SysWOW64\Ajbdna32.exe Affhncfc.exe File created C:\Windows\SysWOW64\Gphmeo32.exe Gmjaic32.exe File opened for modification C:\Windows\SysWOW64\Mmihhelk.exe Mofglh32.exe File created C:\Windows\SysWOW64\Ogmfbd32.exe Ondajnme.exe File opened for modification C:\Windows\SysWOW64\Eecqjpee.exe Efppoc32.exe File created C:\Windows\SysWOW64\Kneicieh.exe Kjjmbj32.exe File created C:\Windows\SysWOW64\Nnhkcj32.exe Nkiogn32.exe File opened for modification C:\Windows\SysWOW64\Kjfjbdle.exe Jfknbe32.exe File opened for modification C:\Windows\SysWOW64\Cfgaiaci.exe Comimg32.exe File opened for modification C:\Windows\SysWOW64\Cnaocmmi.exe Cjfccn32.exe File created C:\Windows\SysWOW64\Ijdqna32.exe Iamimc32.exe File opened for modification C:\Windows\SysWOW64\Cgbfamff.exe Cddjebgb.exe File opened for modification C:\Windows\SysWOW64\Lpjdjmfp.exe Lmlhnagm.exe File opened for modification C:\Windows\SysWOW64\Cpfaocal.exe Cmgechbh.exe File created C:\Windows\SysWOW64\Bhhognbb.dll Loeebl32.exe File opened for modification C:\Windows\SysWOW64\Mkeimlfm.exe Mgimmm32.exe File opened for modification C:\Windows\SysWOW64\Mmceigep.exe Mkeimlfm.exe File created C:\Windows\SysWOW64\Namqci32.exe Nondgn32.exe File created C:\Windows\SysWOW64\Ooeggp32.exe Okikfagn.exe File created C:\Windows\SysWOW64\Cfgnhbba.dll Cnkicn32.exe File opened for modification C:\Windows\SysWOW64\Pfgngh32.exe Pbkbgjcc.exe File created C:\Windows\SysWOW64\Oqndkj32.exe Oomhcbjp.exe File created C:\Windows\SysWOW64\Bopicc32.exe Bghabf32.exe File opened for modification C:\Windows\SysWOW64\Cdlgpgef.exe Cldooj32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process 9008 8968 WerFault.exe -
Modifies registry class 64 IoCs
Processes:
Aaobdjof.exeAdpkee32.exeMlhkpm32.exeOhaeia32.exeAnnbhi32.exeMdkqqa32.exeEijcpoac.exeIefhhbef.exeBmclhi32.exeDgodbh32.exeKfegbj32.exeDndlim32.exeKicmdo32.exeLjmlbfhi.exeOdjbdb32.exePipopl32.exeGdamqndn.exeHodpgjha.exeAmfcikek.exeDpbheh32.exeIoolqh32.exePmlmic32.exeBmhideol.exeQljkhe32.exeCgpjlnhh.exeHmlnoc32.exeJnemdecl.exePpamme32.exeKgbggnhc.exeQmicohqm.exeDfoqmo32.exeJcjdpj32.exeBbikgk32.exeIlknfn32.exeEnihne32.exeEloemi32.exeKaklpcoc.exeMcegmm32.exeNocnbmoo.exeJofbag32.exeCpeofk32.exeOclilp32.exeIgchlf32.exeIfkacb32.exeNibebfpl.exeAoffmd32.exeHdnepk32.exeAjgpbj32.exeMaoajf32.exeFpqdkf32.exeLpjdjmfp.exePcdipnqn.exeBmpfojmp.exeGbcfadgl.exeCckace32.exeFmpkjkma.exeLcfqkl32.exeNmnace32.exeNcpcfkbg.exeOoeggp32.exeMkclhl32.exeQqeicede.exeCfgaiaci.exeFcefji32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikjha32.dll" Aaobdjof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Adpkee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mlhkpm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ohaeia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Annbhi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mdkqqa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eijcpoac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdebncjd.dll" Iefhhbef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bmclhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghjoa32.dll" Dgodbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kfegbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dndlim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kicmdo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ljmlbfhi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Odjbdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pipopl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnempl32.dll" Gdamqndn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hodpgjha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Amfcikek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dpbheh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnhplkhl.dll" Ioolqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pmlmic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajpjcomh.dll" Bmhideol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moealbej.dll" Qljkhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aheefb32.dll" Cgpjlnhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hmlnoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdekadnf.dll" Jnemdecl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ppamme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Limilm32.dll" Kgbggnhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qmicohqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlkaflan.dll" Dfoqmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Badffggh.dll" Jcjdpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hocjoqin.dll" Bbikgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdnaob32.dll" Ilknfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Enihne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pinfim32.dll" Eloemi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kaklpcoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mcegmm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nocnbmoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lekjcmbe.dll" Jofbag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cpeofk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ionkallc.dll" Oclilp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gccdbl32.dll" Igchlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkqahbgm.dll" Ifkacb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nibebfpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbfpbmji.dll" Aoffmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hdnepk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjphijco.dll" Ajgpbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iopodh32.dll" Maoajf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fpqdkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lpjdjmfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pcdipnqn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bmpfojmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gbcfadgl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cckace32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iohmol32.dll" Fmpkjkma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lcfqkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eppddhlj.dll" Nmnace32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kklcab32.dll" Ncpcfkbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ooeggp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmnkpm32.dll" Mkclhl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qqeicede.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oockje32.dll" Cfgaiaci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fcefji32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
1dcd98b09f1ee450bd4efb4fc75a5ba0_NeikiAnalytics.exeKegnkh32.exeKanopipl.exeLoapim32.exeLekhfgfc.exeLmgmjjdn.exeLgoacojo.exeLdcamcih.exeLipjejgp.exeLdenbcge.exeLibgjj32.exeMcjkcplm.exeMidcpj32.exeMigpeiag.exeMkhmma32.exeMkjica32.exedescription pid process target process PID 2220 wrote to memory of 2992 2220 1dcd98b09f1ee450bd4efb4fc75a5ba0_NeikiAnalytics.exe Kegnkh32.exe PID 2220 wrote to memory of 2992 2220 1dcd98b09f1ee450bd4efb4fc75a5ba0_NeikiAnalytics.exe Kegnkh32.exe PID 2220 wrote to memory of 2992 2220 1dcd98b09f1ee450bd4efb4fc75a5ba0_NeikiAnalytics.exe Kegnkh32.exe PID 2220 wrote to memory of 2992 2220 1dcd98b09f1ee450bd4efb4fc75a5ba0_NeikiAnalytics.exe Kegnkh32.exe PID 2992 wrote to memory of 3044 2992 Kegnkh32.exe Kanopipl.exe PID 2992 wrote to memory of 3044 2992 Kegnkh32.exe Kanopipl.exe PID 2992 wrote to memory of 3044 2992 Kegnkh32.exe Kanopipl.exe PID 2992 wrote to memory of 3044 2992 Kegnkh32.exe Kanopipl.exe PID 3044 wrote to memory of 2580 3044 Kanopipl.exe Loapim32.exe PID 3044 wrote to memory of 2580 3044 Kanopipl.exe Loapim32.exe PID 3044 wrote to memory of 2580 3044 Kanopipl.exe Loapim32.exe PID 3044 wrote to memory of 2580 3044 Kanopipl.exe Loapim32.exe PID 2580 wrote to memory of 2596 2580 Loapim32.exe Lekhfgfc.exe PID 2580 wrote to memory of 2596 2580 Loapim32.exe Lekhfgfc.exe PID 2580 wrote to memory of 2596 2580 Loapim32.exe Lekhfgfc.exe PID 2580 wrote to memory of 2596 2580 Loapim32.exe Lekhfgfc.exe PID 2596 wrote to memory of 2484 2596 Lekhfgfc.exe Lmgmjjdn.exe PID 2596 wrote to memory of 2484 2596 Lekhfgfc.exe Lmgmjjdn.exe PID 2596 wrote to memory of 2484 2596 Lekhfgfc.exe Lmgmjjdn.exe PID 2596 wrote to memory of 2484 2596 Lekhfgfc.exe Lmgmjjdn.exe PID 2484 wrote to memory of 1972 2484 Lmgmjjdn.exe Lgoacojo.exe PID 2484 wrote to memory of 1972 2484 Lmgmjjdn.exe Lgoacojo.exe PID 2484 wrote to memory of 1972 2484 Lmgmjjdn.exe Lgoacojo.exe PID 2484 wrote to memory of 1972 2484 Lmgmjjdn.exe Lgoacojo.exe PID 1972 wrote to memory of 2524 1972 Lgoacojo.exe Ldcamcih.exe PID 1972 wrote to memory of 2524 1972 Lgoacojo.exe Ldcamcih.exe PID 1972 wrote to memory of 2524 1972 Lgoacojo.exe Ldcamcih.exe PID 1972 wrote to memory of 2524 1972 Lgoacojo.exe Ldcamcih.exe PID 2524 wrote to memory of 2140 2524 Ldcamcih.exe Lipjejgp.exe PID 2524 wrote to memory of 2140 2524 Ldcamcih.exe Lipjejgp.exe PID 2524 wrote to memory of 2140 2524 Ldcamcih.exe Lipjejgp.exe PID 2524 wrote to memory of 2140 2524 Ldcamcih.exe Lipjejgp.exe PID 2140 wrote to memory of 2688 2140 Lipjejgp.exe Ldenbcge.exe PID 2140 wrote to memory of 2688 2140 Lipjejgp.exe Ldenbcge.exe PID 2140 wrote to memory of 2688 2140 Lipjejgp.exe Ldenbcge.exe PID 2140 wrote to memory of 2688 2140 Lipjejgp.exe Ldenbcge.exe PID 2688 wrote to memory of 1588 2688 Ldenbcge.exe Libgjj32.exe PID 2688 wrote to memory of 1588 2688 Ldenbcge.exe Libgjj32.exe PID 2688 wrote to memory of 1588 2688 Ldenbcge.exe Libgjj32.exe PID 2688 wrote to memory of 1588 2688 Ldenbcge.exe Libgjj32.exe PID 1588 wrote to memory of 1668 1588 Libgjj32.exe Mcjkcplm.exe PID 1588 wrote to memory of 1668 1588 Libgjj32.exe Mcjkcplm.exe PID 1588 wrote to memory of 1668 1588 Libgjj32.exe Mcjkcplm.exe PID 1588 wrote to memory of 1668 1588 Libgjj32.exe Mcjkcplm.exe PID 1668 wrote to memory of 2748 1668 Mcjkcplm.exe Midcpj32.exe PID 1668 wrote to memory of 2748 1668 Mcjkcplm.exe Midcpj32.exe PID 1668 wrote to memory of 2748 1668 Mcjkcplm.exe Midcpj32.exe PID 1668 wrote to memory of 2748 1668 Mcjkcplm.exe Midcpj32.exe PID 2748 wrote to memory of 500 2748 Midcpj32.exe Migpeiag.exe PID 2748 wrote to memory of 500 2748 Midcpj32.exe Migpeiag.exe PID 2748 wrote to memory of 500 2748 Midcpj32.exe Migpeiag.exe PID 2748 wrote to memory of 500 2748 Midcpj32.exe Migpeiag.exe PID 500 wrote to memory of 2544 500 Migpeiag.exe Mkhmma32.exe PID 500 wrote to memory of 2544 500 Migpeiag.exe Mkhmma32.exe PID 500 wrote to memory of 2544 500 Migpeiag.exe Mkhmma32.exe PID 500 wrote to memory of 2544 500 Migpeiag.exe Mkhmma32.exe PID 2544 wrote to memory of 1424 2544 Mkhmma32.exe Mkjica32.exe PID 2544 wrote to memory of 1424 2544 Mkhmma32.exe Mkjica32.exe PID 2544 wrote to memory of 1424 2544 Mkhmma32.exe Mkjica32.exe PID 2544 wrote to memory of 1424 2544 Mkhmma32.exe Mkjica32.exe PID 1424 wrote to memory of 1704 1424 Mkjica32.exe Mdcnlglc.exe PID 1424 wrote to memory of 1704 1424 Mkjica32.exe Mdcnlglc.exe PID 1424 wrote to memory of 1704 1424 Mkjica32.exe Mdcnlglc.exe PID 1424 wrote to memory of 1704 1424 Mkjica32.exe Mdcnlglc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1dcd98b09f1ee450bd4efb4fc75a5ba0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\1dcd98b09f1ee450bd4efb4fc75a5ba0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\Kegnkh32.exeC:\Windows\system32\Kegnkh32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Kanopipl.exeC:\Windows\system32\Kanopipl.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Loapim32.exeC:\Windows\system32\Loapim32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Lekhfgfc.exeC:\Windows\system32\Lekhfgfc.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Lmgmjjdn.exeC:\Windows\system32\Lmgmjjdn.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\Lgoacojo.exeC:\Windows\system32\Lgoacojo.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\SysWOW64\Ldcamcih.exeC:\Windows\system32\Ldcamcih.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Lipjejgp.exeC:\Windows\system32\Lipjejgp.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\Ldenbcge.exeC:\Windows\system32\Ldenbcge.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Libgjj32.exeC:\Windows\system32\Libgjj32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\SysWOW64\Mcjkcplm.exeC:\Windows\system32\Mcjkcplm.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Windows\SysWOW64\Midcpj32.exeC:\Windows\system32\Midcpj32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Migpeiag.exeC:\Windows\system32\Migpeiag.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:500 -
C:\Windows\SysWOW64\Mkhmma32.exeC:\Windows\system32\Mkhmma32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Mkjica32.exeC:\Windows\system32\Mkjica32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1424 -
C:\Windows\SysWOW64\Mdcnlglc.exeC:\Windows\system32\Mdcnlglc.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1704 -
C:\Windows\SysWOW64\Mgajhbkg.exeC:\Windows\system32\Mgajhbkg.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1816 -
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1756 -
C:\Windows\SysWOW64\Nnnojlpa.exeC:\Windows\system32\Nnnojlpa.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1500 -
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2012 -
C:\Windows\SysWOW64\Ngfcca32.exeC:\Windows\system32\Ngfcca32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2180 -
C:\Windows\SysWOW64\Nkaocp32.exeC:\Windows\system32\Nkaocp32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1708 -
C:\Windows\SysWOW64\Nnplpl32.exeC:\Windows\system32\Nnplpl32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2208 -
C:\Windows\SysWOW64\Njgldmdc.exeC:\Windows\system32\Njgldmdc.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:820 -
C:\Windows\SysWOW64\Ncoamb32.exeC:\Windows\system32\Ncoamb32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1752 -
C:\Windows\SysWOW64\Nhlifi32.exeC:\Windows\system32\Nhlifi32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2196 -
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:632 -
C:\Windows\SysWOW64\Nbdnoo32.exeC:\Windows\system32\Nbdnoo32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2388 -
C:\Windows\SysWOW64\Nfpjomgd.exeC:\Windows\system32\Nfpjomgd.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2644 -
C:\Windows\SysWOW64\Nhnfkigh.exeC:\Windows\system32\Nhnfkigh.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2676 -
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2728 -
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe33⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Oomhcbjp.exeC:\Windows\system32\Oomhcbjp.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2800 -
C:\Windows\SysWOW64\Oqndkj32.exeC:\Windows\system32\Oqndkj32.exe35⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Odjpkihg.exeC:\Windows\system32\Odjpkihg.exe36⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe37⤵
- Executes dropped EXE
PID:1112 -
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe38⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Ogjimd32.exeC:\Windows\system32\Ogjimd32.exe39⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:952 -
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe41⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Ojkboo32.exeC:\Windows\system32\Ojkboo32.exe42⤵
- Executes dropped EXE
PID:944 -
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe43⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe44⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:2412 -
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe46⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe47⤵
- Executes dropped EXE
PID:1436 -
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe48⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:792 -
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe51⤵
- Executes dropped EXE
PID:892 -
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe52⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Plcdgfbo.exeC:\Windows\system32\Plcdgfbo.exe53⤵PID:1612
-
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe54⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe55⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe56⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe57⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe58⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:1936 -
C:\Windows\SysWOW64\Pndniaop.exeC:\Windows\system32\Pndniaop.exe60⤵
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe62⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2752 -
C:\Windows\SysWOW64\Qeqbkkej.exeC:\Windows\system32\Qeqbkkej.exe64⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe65⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe66⤵
- Executes dropped EXE
- Modifies registry class
PID:2288 -
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe67⤵PID:1740
-
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe68⤵PID:2008
-
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe69⤵PID:1084
-
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe70⤵PID:3016
-
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe71⤵PID:1700
-
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe72⤵PID:1308
-
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe73⤵
- Drops file in System32 directory
PID:2320 -
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe74⤵PID:2636
-
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe75⤵PID:2832
-
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe76⤵PID:2468
-
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe77⤵PID:2816
-
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe78⤵PID:2804
-
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe79⤵PID:856
-
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe80⤵PID:1764
-
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe81⤵PID:1200
-
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe82⤵PID:1696
-
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe83⤵PID:2628
-
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe84⤵PID:2000
-
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe85⤵PID:824
-
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe86⤵
- Modifies registry class
PID:2128 -
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe87⤵PID:2304
-
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe88⤵PID:2212
-
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2840 -
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe90⤵PID:2968
-
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe91⤵PID:2476
-
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe92⤵PID:2088
-
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe93⤵PID:2776
-
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe94⤵PID:3012
-
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe95⤵PID:1184
-
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe96⤵PID:2536
-
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe97⤵PID:2152
-
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe98⤵PID:1656
-
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe99⤵
- Drops file in System32 directory
PID:488 -
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe100⤵PID:448
-
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe101⤵PID:2176
-
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe102⤵PID:968
-
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe103⤵PID:2888
-
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe104⤵PID:3024
-
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe105⤵PID:3000
-
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe106⤵PID:2560
-
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe107⤵PID:1640
-
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe108⤵
- Modifies registry class
PID:1648 -
C:\Windows\SysWOW64\Cgpgce32.exeC:\Windows\system32\Cgpgce32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2788 -
C:\Windows\SysWOW64\Cjndop32.exeC:\Windows\system32\Cjndop32.exe110⤵PID:2056
-
C:\Windows\SysWOW64\Cphlljge.exeC:\Windows\system32\Cphlljge.exe111⤵PID:2156
-
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe112⤵PID:2168
-
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe113⤵PID:2224
-
C:\Windows\SysWOW64\Cjpqdp32.exeC:\Windows\system32\Cjpqdp32.exe114⤵PID:2352
-
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe115⤵PID:1584
-
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe116⤵
- Drops file in System32 directory
PID:2612 -
C:\Windows\SysWOW64\Cfgaiaci.exeC:\Windows\system32\Cfgaiaci.exe117⤵
- Modifies registry class
PID:2452 -
C:\Windows\SysWOW64\Claifkkf.exeC:\Windows\system32\Claifkkf.exe118⤵PID:2492
-
C:\Windows\SysWOW64\Cckace32.exeC:\Windows\system32\Cckace32.exe119⤵
- Modifies registry class
PID:2436 -
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe120⤵PID:540
-
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe121⤵PID:1976
-
C:\Windows\SysWOW64\Cndbcc32.exeC:\Windows\system32\Cndbcc32.exe122⤵PID:1720
-
C:\Windows\SysWOW64\Dhjgal32.exeC:\Windows\system32\Dhjgal32.exe123⤵PID:1128
-
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe124⤵PID:1108
-
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe125⤵PID:2100
-
C:\Windows\SysWOW64\Dgodbh32.exeC:\Windows\system32\Dgodbh32.exe126⤵
- Modifies registry class
PID:2812 -
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe127⤵PID:2620
-
C:\Windows\SysWOW64\Dnilobkm.exeC:\Windows\system32\Dnilobkm.exe128⤵PID:1644
-
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe129⤵PID:808
-
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe130⤵PID:784
-
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe131⤵PID:2404
-
C:\Windows\SysWOW64\Dkmmhf32.exeC:\Windows\system32\Dkmmhf32.exe132⤵PID:3036
-
C:\Windows\SysWOW64\Dnlidb32.exeC:\Windows\system32\Dnlidb32.exe133⤵PID:320
-
C:\Windows\SysWOW64\Dqjepm32.exeC:\Windows\system32\Dqjepm32.exe134⤵PID:2256
-
C:\Windows\SysWOW64\Dchali32.exeC:\Windows\system32\Dchali32.exe135⤵PID:2952
-
C:\Windows\SysWOW64\Doobajme.exeC:\Windows\system32\Doobajme.exe136⤵PID:2632
-
C:\Windows\SysWOW64\Dgfjbgmh.exeC:\Windows\system32\Dgfjbgmh.exe137⤵PID:2496
-
C:\Windows\SysWOW64\Ecmkghcl.exeC:\Windows\system32\Ecmkghcl.exe138⤵PID:1952
-
C:\Windows\SysWOW64\Eflgccbp.exeC:\Windows\system32\Eflgccbp.exe139⤵PID:1928
-
C:\Windows\SysWOW64\Eijcpoac.exeC:\Windows\system32\Eijcpoac.exe140⤵
- Modifies registry class
PID:2232 -
C:\Windows\SysWOW64\Ekholjqg.exeC:\Windows\system32\Ekholjqg.exe141⤵PID:960
-
C:\Windows\SysWOW64\Ecpgmhai.exeC:\Windows\system32\Ecpgmhai.exe142⤵PID:676
-
C:\Windows\SysWOW64\Ebbgid32.exeC:\Windows\system32\Ebbgid32.exe143⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2472 -
C:\Windows\SysWOW64\Eeqdep32.exeC:\Windows\system32\Eeqdep32.exe144⤵PID:912
-
C:\Windows\SysWOW64\Eilpeooq.exeC:\Windows\system32\Eilpeooq.exe145⤵
- Drops file in System32 directory
PID:1212 -
C:\Windows\SysWOW64\Epfhbign.exeC:\Windows\system32\Epfhbign.exe146⤵PID:948
-
C:\Windows\SysWOW64\Enihne32.exeC:\Windows\system32\Enihne32.exe147⤵
- Modifies registry class
PID:1872 -
C:\Windows\SysWOW64\Efppoc32.exeC:\Windows\system32\Efppoc32.exe148⤵
- Drops file in System32 directory
PID:2684 -
C:\Windows\SysWOW64\Eecqjpee.exeC:\Windows\system32\Eecqjpee.exe149⤵PID:2508
-
C:\Windows\SysWOW64\Egamfkdh.exeC:\Windows\system32\Egamfkdh.exe150⤵PID:2768
-
C:\Windows\SysWOW64\Epieghdk.exeC:\Windows\system32\Epieghdk.exe151⤵PID:2772
-
C:\Windows\SysWOW64\Eajaoq32.exeC:\Windows\system32\Eajaoq32.exe152⤵PID:1880
-
C:\Windows\SysWOW64\Eeempocb.exeC:\Windows\system32\Eeempocb.exe153⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2408 -
C:\Windows\SysWOW64\Egdilkbf.exeC:\Windows\system32\Egdilkbf.exe154⤵PID:1208
-
C:\Windows\SysWOW64\Eloemi32.exeC:\Windows\system32\Eloemi32.exe155⤵
- Modifies registry class
PID:412 -
C:\Windows\SysWOW64\Ebinic32.exeC:\Windows\system32\Ebinic32.exe156⤵PID:2712
-
C:\Windows\SysWOW64\Fehjeo32.exeC:\Windows\system32\Fehjeo32.exe157⤵PID:1664
-
C:\Windows\SysWOW64\Fhffaj32.exeC:\Windows\system32\Fhffaj32.exe158⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1164 -
C:\Windows\SysWOW64\Flabbihl.exeC:\Windows\system32\Flabbihl.exe159⤵PID:2148
-
C:\Windows\SysWOW64\Fmcoja32.exeC:\Windows\system32\Fmcoja32.exe160⤵PID:576
-
C:\Windows\SysWOW64\Faokjpfd.exeC:\Windows\system32\Faokjpfd.exe161⤵PID:1176
-
C:\Windows\SysWOW64\Fhhcgj32.exeC:\Windows\system32\Fhhcgj32.exe162⤵PID:2984
-
C:\Windows\SysWOW64\Ffkcbgek.exeC:\Windows\system32\Ffkcbgek.exe163⤵PID:2144
-
C:\Windows\SysWOW64\Fnbkddem.exeC:\Windows\system32\Fnbkddem.exe164⤵PID:2164
-
C:\Windows\SysWOW64\Faagpp32.exeC:\Windows\system32\Faagpp32.exe165⤵PID:1632
-
C:\Windows\SysWOW64\Fpdhklkl.exeC:\Windows\system32\Fpdhklkl.exe166⤵PID:780
-
C:\Windows\SysWOW64\Fhkpmjln.exeC:\Windows\system32\Fhkpmjln.exe167⤵PID:2872
-
C:\Windows\SysWOW64\Fjilieka.exeC:\Windows\system32\Fjilieka.exe168⤵
- Drops file in System32 directory
PID:1604 -
C:\Windows\SysWOW64\Fmhheqje.exeC:\Windows\system32\Fmhheqje.exe169⤵PID:2956
-
C:\Windows\SysWOW64\Facdeo32.exeC:\Windows\system32\Facdeo32.exe170⤵PID:564
-
C:\Windows\SysWOW64\Fdapak32.exeC:\Windows\system32\Fdapak32.exe171⤵PID:1400
-
C:\Windows\SysWOW64\Fbdqmghm.exeC:\Windows\system32\Fbdqmghm.exe172⤵PID:2340
-
C:\Windows\SysWOW64\Fjlhneio.exeC:\Windows\system32\Fjlhneio.exe173⤵PID:1180
-
C:\Windows\SysWOW64\Fioija32.exeC:\Windows\system32\Fioija32.exe174⤵PID:2432
-
C:\Windows\SysWOW64\Fmjejphb.exeC:\Windows\system32\Fmjejphb.exe175⤵PID:2104
-
C:\Windows\SysWOW64\Fphafl32.exeC:\Windows\system32\Fphafl32.exe176⤵PID:2136
-
C:\Windows\SysWOW64\Fddmgjpo.exeC:\Windows\system32\Fddmgjpo.exe177⤵PID:1948
-
C:\Windows\SysWOW64\Fbgmbg32.exeC:\Windows\system32\Fbgmbg32.exe178⤵PID:1020
-
C:\Windows\SysWOW64\Fbgmbg32.exeC:\Windows\system32\Fbgmbg32.exe179⤵PID:2236
-
C:\Windows\SysWOW64\Feeiob32.exeC:\Windows\system32\Feeiob32.exe180⤵PID:2552
-
C:\Windows\SysWOW64\Fiaeoang.exeC:\Windows\system32\Fiaeoang.exe181⤵PID:1688
-
C:\Windows\SysWOW64\Fmlapp32.exeC:\Windows\system32\Fmlapp32.exe182⤵PID:3008
-
C:\Windows\SysWOW64\Gpknlk32.exeC:\Windows\system32\Gpknlk32.exe183⤵
- Drops file in System32 directory
PID:1068 -
C:\Windows\SysWOW64\Gbijhg32.exeC:\Windows\system32\Gbijhg32.exe184⤵PID:1940
-
C:\Windows\SysWOW64\Gfefiemq.exeC:\Windows\system32\Gfefiemq.exe185⤵PID:1924
-
C:\Windows\SysWOW64\Ghfbqn32.exeC:\Windows\system32\Ghfbqn32.exe186⤵PID:2852
-
C:\Windows\SysWOW64\Gopkmhjk.exeC:\Windows\system32\Gopkmhjk.exe187⤵PID:1616
-
C:\Windows\SysWOW64\Gangic32.exeC:\Windows\system32\Gangic32.exe188⤵
- Drops file in System32 directory
PID:1172 -
C:\Windows\SysWOW64\Gejcjbah.exeC:\Windows\system32\Gejcjbah.exe189⤵PID:3100
-
C:\Windows\SysWOW64\Ghhofmql.exeC:\Windows\system32\Ghhofmql.exe190⤵PID:3140
-
C:\Windows\SysWOW64\Gldkfl32.exeC:\Windows\system32\Gldkfl32.exe191⤵PID:3180
-
C:\Windows\SysWOW64\Gkgkbipp.exeC:\Windows\system32\Gkgkbipp.exe192⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3220 -
C:\Windows\SysWOW64\Gaqcoc32.exeC:\Windows\system32\Gaqcoc32.exe193⤵PID:3260
-
C:\Windows\SysWOW64\Gdopkn32.exeC:\Windows\system32\Gdopkn32.exe194⤵PID:3300
-
C:\Windows\SysWOW64\Ghkllmoi.exeC:\Windows\system32\Ghkllmoi.exe195⤵PID:3340
-
C:\Windows\SysWOW64\Gkihhhnm.exeC:\Windows\system32\Gkihhhnm.exe196⤵PID:3380
-
C:\Windows\SysWOW64\Goddhg32.exeC:\Windows\system32\Goddhg32.exe197⤵PID:3420
-
C:\Windows\SysWOW64\Gacpdbej.exeC:\Windows\system32\Gacpdbej.exe198⤵PID:3460
-
C:\Windows\SysWOW64\Gdamqndn.exeC:\Windows\system32\Gdamqndn.exe199⤵
- Modifies registry class
PID:3500 -
C:\Windows\SysWOW64\Ghmiam32.exeC:\Windows\system32\Ghmiam32.exe200⤵PID:3540
-
C:\Windows\SysWOW64\Ggpimica.exeC:\Windows\system32\Ggpimica.exe201⤵
- Drops file in System32 directory
PID:3580 -
C:\Windows\SysWOW64\Gogangdc.exeC:\Windows\system32\Gogangdc.exe202⤵
- Drops file in System32 directory
PID:3620 -
C:\Windows\SysWOW64\Gmjaic32.exeC:\Windows\system32\Gmjaic32.exe203⤵
- Drops file in System32 directory
PID:3660 -
C:\Windows\SysWOW64\Gphmeo32.exeC:\Windows\system32\Gphmeo32.exe204⤵PID:3700
-
C:\Windows\SysWOW64\Ghoegl32.exeC:\Windows\system32\Ghoegl32.exe205⤵PID:3740
-
C:\Windows\SysWOW64\Hgbebiao.exeC:\Windows\system32\Hgbebiao.exe206⤵PID:3780
-
C:\Windows\SysWOW64\Hmlnoc32.exeC:\Windows\system32\Hmlnoc32.exe207⤵
- Modifies registry class
PID:3820 -
C:\Windows\SysWOW64\Hpkjko32.exeC:\Windows\system32\Hpkjko32.exe208⤵PID:3860
-
C:\Windows\SysWOW64\Hdfflm32.exeC:\Windows\system32\Hdfflm32.exe209⤵PID:3900
-
C:\Windows\SysWOW64\Hkpnhgge.exeC:\Windows\system32\Hkpnhgge.exe210⤵PID:3940
-
C:\Windows\SysWOW64\Hicodd32.exeC:\Windows\system32\Hicodd32.exe211⤵PID:3984
-
C:\Windows\SysWOW64\Hggomh32.exeC:\Windows\system32\Hggomh32.exe212⤵PID:4028
-
C:\Windows\SysWOW64\Hiekid32.exeC:\Windows\system32\Hiekid32.exe213⤵PID:4068
-
C:\Windows\SysWOW64\Hobcak32.exeC:\Windows\system32\Hobcak32.exe214⤵PID:3088
-
C:\Windows\SysWOW64\Hcnpbi32.exeC:\Windows\system32\Hcnpbi32.exe215⤵PID:1796
-
C:\Windows\SysWOW64\Hhjhkq32.exeC:\Windows\system32\Hhjhkq32.exe216⤵PID:3192
-
C:\Windows\SysWOW64\Hodpgjha.exeC:\Windows\system32\Hodpgjha.exe217⤵
- Modifies registry class
PID:3244 -
C:\Windows\SysWOW64\Hacmcfge.exeC:\Windows\system32\Hacmcfge.exe218⤵PID:3120
-
C:\Windows\SysWOW64\Hjjddchg.exeC:\Windows\system32\Hjjddchg.exe219⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3336 -
C:\Windows\SysWOW64\Ieqeidnl.exeC:\Windows\system32\Ieqeidnl.exe220⤵PID:3408
-
C:\Windows\SysWOW64\Ilknfn32.exeC:\Windows\system32\Ilknfn32.exe221⤵
- Modifies registry class
PID:3444 -
C:\Windows\SysWOW64\Inljnfkg.exeC:\Windows\system32\Inljnfkg.exe222⤵PID:3488
-
C:\Windows\SysWOW64\Ifcbodli.exeC:\Windows\system32\Ifcbodli.exe223⤵PID:3432
-
C:\Windows\SysWOW64\Igdogl32.exeC:\Windows\system32\Igdogl32.exe224⤵PID:3592
-
C:\Windows\SysWOW64\Iokfhi32.exeC:\Windows\system32\Iokfhi32.exe225⤵PID:3644
-
C:\Windows\SysWOW64\Iqmcpahh.exeC:\Windows\system32\Iqmcpahh.exe226⤵PID:3692
-
C:\Windows\SysWOW64\Ihdkao32.exeC:\Windows\system32\Ihdkao32.exe227⤵PID:3640
-
C:\Windows\SysWOW64\Inqcif32.exeC:\Windows\system32\Inqcif32.exe228⤵PID:3680
-
C:\Windows\SysWOW64\Iqopea32.exeC:\Windows\system32\Iqopea32.exe229⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3756 -
C:\Windows\SysWOW64\Icmlam32.exeC:\Windows\system32\Icmlam32.exe230⤵PID:3840
-
C:\Windows\SysWOW64\Igihbknb.exeC:\Windows\system32\Igihbknb.exe231⤵PID:3936
-
C:\Windows\SysWOW64\Imfqjbli.exeC:\Windows\system32\Imfqjbli.exe232⤵PID:3992
-
C:\Windows\SysWOW64\Igkdgk32.exeC:\Windows\system32\Igkdgk32.exe233⤵PID:4024
-
C:\Windows\SysWOW64\Jnemdecl.exeC:\Windows\system32\Jnemdecl.exe234⤵
- Modifies registry class
PID:4088 -
C:\Windows\SysWOW64\Jmhmpb32.exeC:\Windows\system32\Jmhmpb32.exe235⤵PID:3108
-
C:\Windows\SysWOW64\Jfqahgpg.exeC:\Windows\system32\Jfqahgpg.exe236⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3168 -
C:\Windows\SysWOW64\Jjlnif32.exeC:\Windows\system32\Jjlnif32.exe237⤵PID:3236
-
C:\Windows\SysWOW64\Joifam32.exeC:\Windows\system32\Joifam32.exe238⤵PID:3312
-
C:\Windows\SysWOW64\Jcdbbloa.exeC:\Windows\system32\Jcdbbloa.exe239⤵PID:3308
-
C:\Windows\SysWOW64\Jjojofgn.exeC:\Windows\system32\Jjojofgn.exe240⤵PID:3320
-
C:\Windows\SysWOW64\Jkpgfn32.exeC:\Windows\system32\Jkpgfn32.exe241⤵PID:3400
-
C:\Windows\SysWOW64\Jcgogk32.exeC:\Windows\system32\Jcgogk32.exe242⤵PID:3564