Analysis
max time kernel: 124s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 02-06-2024 01:32
Behavioral task: behavioral1
Sample: 1ccf306419b42c380b49791cd48cce30_NeikiAnalytics.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 1ccf306419b42c380b49791cd48cce30_NeikiAnalytics.exe
Resource: win10v2004-20240426-en
General
Target: 1ccf306419b42c380b49791cd48cce30_NeikiAnalytics.exe
Size: 240KB
MD5: 1ccf306419b42c380b49791cd48cce30
SHA1: 1917247a7cb2aa7768388e36f8d002c63a01e065
SHA256: 9485af7556be8c67677e01aa31f2f88d14f1d76ce7983113f1873c15ba972ec2
SHA512: 4bc428190ebb94625bf1d6e3cb556bf7dabdc9c14f2e41df786d8d078b03bd04f322f1778f8754d1e6b4031b8b05b1a2b8f64db8cf19e14ea1e699189115babf
SSDEEP: 6144:UWwZFWo/EcAJN+SYSUZCb6M3W8DStQUkA1FiHwSD:U9Z3/tycSly8DSUA1YHVD
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Processes:
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Processes:
Executes dropped EXE (64 IoCs)
Processes:
Loads dropped DLL (64 IoCs)
Processes:
Drops file in System32 directory (64 IoCs)
Processes:
Program crash (1 IoC)
Processes:
pid   | pid_target | process | target process
2440  | 1732       |         |
Modifies registry class (64 IoCs)
Processes:
Bakaaepk.exeIbkkjp32.exeBqolji32.exeGncgbkki.exeCnflae32.exeFamcbf32.exeIdbgbahq.exeOmjbihpn.exeApppkekc.exeObkcajde.exeMpkhoj32.exeFbbofjnh.exeGghmmilh.exeIacjjacb.exeOhdfqbio.exeLkelpd32.exeCenmfbml.exeDlhaaogd.exeBbannb32.exeLngnfnji.exeOalhqohl.exeHhlcal32.exeDpaceg32.exeOcefpnom.exeLkbpke32.exeLlbnnq32.exePlmpblnb.exeNnafnopi.exeGnbejb32.exeDkhnmfle.exeLofkoamf.exeAphehidc.exeElgfkhpi.exeEpfhde32.exePbepkh32.exe1ccf306419b42c380b49791cd48cce30_NeikiAnalytics.exeNbniid32.exeDbaice32.exeHfjbmb32.exeAjcldpkd.exeFcmben32.exeJlelhe32.exeEjfbfo32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngeogk32.dll" Bakaaepk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Loqhnifk.dll" Ibkkjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bqolji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gncgbkki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cnflae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Famcbf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Idbgbahq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = 
"C:\\Windows\\SysWow64\\Kcipdg32.dll" Omjbihpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Apppkekc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Obkcajde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mpkhoj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fbbofjnh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gghmmilh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iacjjacb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejilio32.dll" Ohdfqbio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lkelpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cenmfbml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dlhaaogd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmepgeck.dll" Bbannb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lngnfnji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oalhqohl.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hhlcal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dpaceg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ocefpnom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lkbpke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Llbnnq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Plmpblnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naejdn32.dll" Nnafnopi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbopcm32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gnbejb32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dkhnmfle.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lofkoamf.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aphehidc.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmjlnacb.dll"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qndhjl32.dll" Elgfkhpi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Epfhde32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mpkhoj32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fimelc32.dll" Pbepkh32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfmpqk32.dll"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" 1ccf306419b42c380b49791cd48cce30_NeikiAnalytics.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nbniid32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dbaice32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aonalffc.dll" Hfjbmb32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ajcldpkd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fcmben32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jlelhe32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mclmgema.dll"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noiqmcii.dll"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljlkmo32.dll"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ejfbfo32.exe
-
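The registry IoCs above all touch one CLSID: its InProcServer32 default value is repointed, by one dropped executable after another, at a succession of DLLs under SysWow64, each time with ThreadingModel "Apartment". Read together with the "Adds autorun key to be loaded by Explorer.exe on startup" signature that several processes in the tree below carry, this is COM-object persistence: Explorer instantiates every CLSID listed under ShellServiceObjectDelayLoad at logon and loads whatever DLL that CLSID's InProcServer32 value names. The Python below is an added example, not part of the report or of the sandbox's own tooling. It parses IoC lines in the shape printed above and reports every CLSID that is both referenced from ShellServiceObjectDelayLoad and has an InProcServer32 server registered, listing the DLLs and the processes that wrote them. The sample lines are constructed from the entries above; the ShellServiceObjectDelayLoad value name "Shell Helper" and the second, unreferenced CLSID are placeholders, not values from the report.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the report's registry IoC lines:
# operation, registry path, optional value, optional writing process.
# "Shell Helper" and the {11111111-...} CLSID are placeholders.
SAMPLE_IOCS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lofkoamf.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aphehidc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qndhjl32.dll" Elgfkhpi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fimelc32.dll" Pbepkh32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aonalffc.dll"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Shell Helper = "{79ECA078-17FF-726B-E811-213280E5C831}" Oehicoom.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-2222-3333-4444-555555555555}\InProcServer32\ = "C:\\Windows\\SysWow64\\Benign.dll"
"""

# operation, path, optional quoted value, optional trailing process image
IOC_RE = re.compile(
    r'^(?P<op>Key created|Set value \(\w+\))\s+'
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?:\s*=\s*"(?P<value>[^"]*)")?'
    r'(?:\s+(?P<proc>\S+\.exe))?\s*$'
)
# ...\CLSID\{guid}\InProcServer32[\<value name>]  (empty name = default value)
CLSID_RE = re.compile(
    r'\\CLSID\\(?P<clsid>\{[0-9A-Fa-f-]{36}\})\\InProcServer32\\?(?P<name>[^\\]*)$'
)
# ...\ShellServiceObjectDelayLoad\<value name>  (value data is a CLSID)
SSODL_RE = re.compile(r'\\ShellServiceObjectDelayLoad\\(?P<name>[^\\]+)$')


def parse_iocs(text):
    """One dict per parseable line; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = IOC_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        if rec["value"] is not None:
            # the report prints values with escaped backslashes
            rec["value"] = rec["value"].replace("\\\\", "\\")
        records.append(rec)
    return records


def inproc_servers(records):
    """CLSID -> registered DLLs, threading models and writing processes."""
    out = defaultdict(lambda: {"dlls": set(), "threading": set(), "writers": set()})
    for rec in records:
        m = CLSID_RE.search(rec["path"])
        if not m:
            continue
        entry = out[m["clsid"].upper()]
        if rec["proc"]:
            entry["writers"].add(rec["proc"])
        if rec["op"].startswith("Set value"):
            if m["name"] == "":
                entry["dlls"].add(rec["value"])
            elif m["name"].lower() == "threadingmodel":
                entry["threading"].add(rec["value"])
    return out


def ssodl_entries(records):
    """CLSID -> ShellServiceObjectDelayLoad value name that references it."""
    out = {}
    for rec in records:
        m = SSODL_RE.search(rec["path"])
        if m and rec["op"].startswith("Set value") and rec["value"]:
            out[rec["value"].upper()] = m["name"]
    return out


def find_persistence(text):
    """CLSIDs that Explorer will load at logon and that have a server DLL registered."""
    records = parse_iocs(text)
    servers = inproc_servers(records)
    findings = []
    for clsid, value_name in ssodl_entries(records).items():
        srv = servers.get(clsid)
        if srv is None or not srv["dlls"]:
            continue  # referenced, but no InProcServer32 seen in this log
        findings.append({
            "clsid": clsid,
            "ssodl_value": value_name,
            "dlls": sorted(srv["dlls"]),
            "threading": sorted(srv["threading"]),
            "writers": sorted(srv["writers"]),
        })
    return findings


if __name__ == "__main__":
    for f in find_persistence(SAMPLE_IOCS):
        print(f"{f['clsid']} loaded by Explorer via SSODL value '{f['ssodl_value']}'")
        for dll in f["dlls"]:
            print("  InProcServer32 ->", dll)
        print("  written by:", ", ".join(f["writers"]))
```

A CLSID with more than one DLL in `dlls` is the rotation visible above: each stage of the chain re-registers the same CLSID for its own freshly dropped DLL, so the registry always points at the newest copy. On a live host the same logic applies to the output of `reg query` against the two key paths, with the added step of checking whether each DLL is signed and present.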
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
1ccf306419b42c380b49791cd48cce30_NeikiAnalytics.exe, Phnnho32.exe, Pkofjijm.exe, Pqnlhpfb.exe, Pmdmmalf.exe, Qqbecp32.exe, Ajmfad32.exe, Acekjjmk.exe, Abkhkgbb.exe, Aekqmbod.exe, Akhfoldn.exe, Bepjha32.exe, Bcegin32.exe, Bffpki32.exe, Bfhmqhkd.exe, Bpqain32.exe
description | pid | process | target process
Each parent-to-child pair below was logged four times; the four identical rows per pair are collapsed into one (16 pairs x 4 = 64 IoCs).
PID 2300 wrote to memory of 1776 (4 events) | 2300 | 1ccf306419b42c380b49791cd48cce30_NeikiAnalytics.exe | Phnnho32.exe
PID 1776 wrote to memory of 2476 (4 events) | 1776 | Phnnho32.exe | Pkofjijm.exe
PID 2476 wrote to memory of 2436 (4 events) | 2476 | Pkofjijm.exe | Pqnlhpfb.exe
PID 2436 wrote to memory of 2492 (4 events) | 2436 | Pqnlhpfb.exe | Pmdmmalf.exe
PID 2492 wrote to memory of 2504 (4 events) | 2492 | Pmdmmalf.exe | Qqbecp32.exe
PID 2504 wrote to memory of 2352 (4 events) | 2504 | Qqbecp32.exe | Ajmfad32.exe
PID 2352 wrote to memory of 3052 (4 events) | 2352 | Ajmfad32.exe | Acekjjmk.exe
PID 3052 wrote to memory of 1364 (4 events) | 3052 | Acekjjmk.exe | Abkhkgbb.exe
PID 1364 wrote to memory of 1328 (4 events) | 1364 | Abkhkgbb.exe | Aekqmbod.exe
PID 1328 wrote to memory of 2832 (4 events) | 1328 | Aekqmbod.exe | Akhfoldn.exe
PID 2832 wrote to memory of 2000 (4 events) | 2832 | Akhfoldn.exe | Bepjha32.exe
PID 2000 wrote to memory of 2400 (4 events) | 2000 | Bepjha32.exe | Bcegin32.exe
PID 2400 wrote to memory of 1784 (4 events) | 2400 | Bcegin32.exe | Bffpki32.exe
PID 1784 wrote to memory of 1720 (4 events) | 1784 | Bffpki32.exe | Bfhmqhkd.exe
PID 1720 wrote to memory of 2740 (4 events) | 1720 | Bfhmqhkd.exe | Bpqain32.exe
PID 2740 wrote to memory of 2544 (4 events) | 2740 | Bpqain32.exe | Chlfnp32.exe
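The 64 events above are sixteen parent/child pairs, each logged four times, and the pairs line up one for one with the first sixteen parent-to-child launches in the process tree below: every process writes only into the child it has just started, never into an unrelated process. The Python below is an added example, not part of the report or of the sandbox's tooling. It parses rows in this shape, collapses the repeats, and walks the write edges from the root (the only PID nobody wrote into) to recover the launch chain, the number of writes on each hop and whether the graph is a single chain or branches. The sample is constructed from the first four pairs above; the first pair is left run together on one line, as extraction printed it, to show that the parser does not depend on line breaks.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of the "Suspicious use of WriteProcessMemory"
# rows above: description, pid, process, target process. First pair run together.
SAMPLE_WRITES = """\
PID 2300 wrote to memory of 1776 2300 1ccf306419b42c380b49791cd48cce30_NeikiAnalytics.exe Phnnho32.exe PID 2300 wrote to memory of 1776 2300 1ccf306419b42c380b49791cd48cce30_NeikiAnalytics.exe Phnnho32.exe PID 2300 wrote to memory of 1776 2300 1ccf306419b42c380b49791cd48cce30_NeikiAnalytics.exe Phnnho32.exe PID 2300 wrote to memory of 1776 2300 1ccf306419b42c380b49791cd48cce30_NeikiAnalytics.exe Phnnho32.exe
PID 1776 wrote to memory of 2476 1776 Phnnho32.exe Pkofjijm.exe
PID 1776 wrote to memory of 2476 1776 Phnnho32.exe Pkofjijm.exe
PID 1776 wrote to memory of 2476 1776 Phnnho32.exe Pkofjijm.exe
PID 1776 wrote to memory of 2476 1776 Phnnho32.exe Pkofjijm.exe
PID 2476 wrote to memory of 2436 2476 Pkofjijm.exe Pqnlhpfb.exe
PID 2476 wrote to memory of 2436 2476 Pkofjijm.exe Pqnlhpfb.exe
PID 2476 wrote to memory of 2436 2476 Pkofjijm.exe Pqnlhpfb.exe
PID 2476 wrote to memory of 2436 2476 Pkofjijm.exe Pqnlhpfb.exe
PID 2436 wrote to memory of 2492 2436 Pqnlhpfb.exe Pmdmmalf.exe
PID 2436 wrote to memory of 2492 2436 Pqnlhpfb.exe Pmdmmalf.exe
PID 2436 wrote to memory of 2492 2436 Pqnlhpfb.exe Pmdmmalf.exe
PID 2436 wrote to memory of 2492 2436 Pqnlhpfb.exe Pmdmmalf.exe
"""

# description, then the pid column (must repeat the source pid), then both images
WRITE_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\s+(?P=src)\s+"
    r"(?P<src_name>\S+\.exe)\s+(?P<dst_name>\S+\.exe)"
)


def parse_writes(text):
    """One record per logged WriteProcessMemory event, regardless of line breaks."""
    return [
        {"src": int(m["src"]), "dst": int(m["dst"]),
         "src_name": m["src_name"], "dst_name": m["dst_name"]}
        for m in WRITE_RE.finditer(text)
    ]


def write_graph(events):
    """Collapse repeats: (src pid, dst pid) -> event count, plus pid -> image name."""
    counts = Counter((e["src"], e["dst"]) for e in events)
    names = {}
    for e in events:
        names[e["src"]] = e["src_name"]
        names[e["dst"]] = e["dst_name"]
    return counts, names


def injection_chain(events):
    """Follow write edges from the root and return the ordered (pid, image) chain,
    the writes seen on each hop, and whether the graph stayed a single chain."""
    counts, names = write_graph(events)
    children = defaultdict(list)
    for src, dst in counts:
        children[src].append(dst)
    targets = {dst for _, dst in counts}
    roots = [src for src in children if src not in targets]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root process, found {roots}")
    pid = roots[0]
    chain, hops, seen, linear = [(pid, names[pid])], [], {pid}, True
    while children.get(pid):
        if len(children[pid]) > 1:
            linear = False          # one parent wrote into several processes
            break
        nxt = children[pid][0]
        if nxt in seen:
            linear = False          # a cycle; stop rather than loop forever
            break
        hops.append(counts[(pid, nxt)])
        chain.append((nxt, names[nxt]))
        seen.add(nxt)
        pid = nxt
    return {"chain": chain, "writes_per_hop": hops,
            "linear": linear, "total_events": sum(counts.values())}


if __name__ == "__main__":
    result = injection_chain(parse_writes(SAMPLE_WRITES))
    for (pid, image), writes in zip(result["chain"], result["writes_per_hop"] + [None]):
        suffix = f"  --{writes} writes-->" if writes else ""
        print(f"{pid:>5} {image}{suffix}")
    print("linear chain:", result["linear"], "events:", result["total_events"])
```

Run over the full 64 events the chain is seventeen processes long with four writes per hop, which is the same order the process tree below shows; a hop with a different write count, or a parent with two targets, would be the place to look for an actual injection rather than a plain launch.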
Processes
-
Columns: nesting depth | PID | image | signatures. The tree is a single chain: each process has exactly one child, the process listed next at depth + 1. For every child the image is C:\Windows\SysWOW64\<name> and the command line is C:\Windows\system32\<name>: the 32-bit parent launches it by its system32 path, which WoW64 file-system redirection resolves to SysWOW64.
1 | 2300 | C:\Users\Admin\AppData\Local\Temp\1ccf306419b42c380b49791cd48cce30_NeikiAnalytics.exe (command line "C:\Users\Admin\AppData\Local\Temp\1ccf306419b42c380b49791cd48cce30_NeikiAnalytics.exe") | Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
2 | 1776 | Phnnho32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
3 | 2476 | Pkofjijm.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
4 | 2436 | Pqnlhpfb.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
5 | 2492 | Pmdmmalf.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
6 | 2504 | Qqbecp32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7 | 2352 | Ajmfad32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
8 | 3052 | Acekjjmk.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
9 | 1364 | Abkhkgbb.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
10 | 1328 | Aekqmbod.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
11 | 2832 | Akhfoldn.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
12 | 2000 | Bepjha32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
13 | 2400 | Bcegin32.exe | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
14 | 1784 | Bffpki32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
15 | 1720 | Bfhmqhkd.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
16 | 2740 | Bpqain32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
17 | 2544 | Chlfnp32.exe | Executes dropped EXE; Loads dropped DLL
18 | 1080 | Chnbcpmn.exe | Executes dropped EXE; Loads dropped DLL
19 | 1048 | Cffljlpc.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
20 | 1532 | Cdjmcpnl.exe | Executes dropped EXE; Loads dropped DLL
21 | 1656 | Dgjfek32.exe | Executes dropped EXE; Loads dropped DLL
22 | 1056 | Dmdnbecj.exe | Executes dropped EXE; Loads dropped DLL
23 | 2984 | Dbafjlaa.exe | Executes dropped EXE; Loads dropped DLL
24 | 880 | Dohgomgf.exe | Executes dropped EXE; Loads dropped DLL
25 | 2164 | Dojddmec.exe | Executes dropped EXE; Loads dropped DLL
26 | 900 | Diphbfdi.exe | Executes dropped EXE; Loads dropped DLL
27 | 2088 | Dchmkkkj.exe | Executes dropped EXE; Loads dropped DLL
28 | 1704 | Eoompl32.exe | Executes dropped EXE; Loads dropped DLL
29 | 2784 | Edlfhc32.exe | Executes dropped EXE; Loads dropped DLL
30 | 2536 | Endjaief.exe | Executes dropped EXE; Loads dropped DLL
31 | 2648 | Ekjgpm32.exe | Executes dropped EXE; Loads dropped DLL
32 | 2120 | Ecfldoph.exe | Executes dropped EXE; Loads dropped DLL
33 | 2596 | Eolmip32.exe | Executes dropped EXE
34 | 2452 | Flqmbd32.exe | Executes dropped EXE
35 | 1816 | Ffibkj32.exe | Executes dropped EXE
36 | 2856 | Fcmben32.exe | Executes dropped EXE; Modifies registry class
37 | 1888 | Fbbofjnh.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class
38 | 1284 | Fofpoo32.exe | Executes dropped EXE
39 | 2588 | Fgadda32.exe | Executes dropped EXE
40 | 1100 | Gcheib32.exe | Executes dropped EXE
41 | 2624 | Gildahhp.exe | Executes dropped EXE
42 | 2952 | Gpelnb32.exe | Executes dropped EXE
43 | 2960 | Hfbaql32.exe | Executes dropped EXE
44 | 3056 | Halbai32.exe | Executes dropped EXE
45 | 2192 | Hlafnbal.exe | Executes dropped EXE
46 | 460 | Hanogipc.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
47 | 2100 | Hjfcpo32.exe | Executes dropped EXE
48 | 2660 | Helgmg32.exe | Executes dropped EXE
49 | 1192 | Hfmddp32.exe | Executes dropped EXE; Drops file in System32 directory
50 | 240 | Hmglajcd.exe | Executes dropped EXE
51 | 2416 | Idadnd32.exe | Executes dropped EXE
52 | 2956 | Ijklknbn.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
53 | 2440 | Idcacc32.exe | Executes dropped EXE
54 | 2228 | Ijmipn32.exe | Executes dropped EXE
55 | 2456 | Ifdjeoep.exe | Executes dropped EXE
56 | 1684 | Imnbbi32.exe | Executes dropped EXE
57 | 556 | Ibkkjp32.exe | Executes dropped EXE; Modifies registry class
58 | 2796 | Ibmgpoia.exe | Executes dropped EXE
59 | 2444 | Jlelhe32.exe | Executes dropped EXE; Modifies registry class
60 | 564 | Jbpdeogo.exe | Executes dropped EXE
61 | 1640 | Jlhhndno.exe | Executes dropped EXE
62 | 372 | Jaeafklf.exe | Executes dropped EXE
63 | 1540 | Jgaiobjn.exe | Executes dropped EXE
64 | 2136 | Jagnlkjd.exe | Executes dropped EXE
65 | 324 | Jhafhe32.exe | Executes dropped EXE
66 | 1316 | Jnnnalph.exe | (none)
67 | 1728 | Jgfcja32.exe | (none)
68 | 1092 | Kdjccf32.exe | (none)
69 | 1112 | Knbhlkkc.exe | (none)
70 | 2052 | Kgkleabc.exe | (none)
71 | 2020 | Kpcqnf32.exe | (none)
72 | 2484 | Kljabgnh.exe | (none)
73 | 1308 | Kbgjkn32.exe | (none)
74 | 2712 | Kkoncdcp.exe | (none)
75 | 2620 | Kdhcli32.exe | (none)
76 | 2968 | Lomgjb32.exe | (none)
77 | 2016 | Lhelbh32.exe | (none)
78 | 2320 | Lnbdko32.exe | (none)
79 | 1468 | Ldllgiek.exe | (none)
80 | 1636 | Lneaqn32.exe | (none)
81 | 2248 | Ldoimh32.exe | (none)
82 | 1460 | Lngnfnji.exe | Modifies registry class
83 | 3020 | Lohjnf32.exe | (none)
84 | 628 | Ljnnko32.exe | (none)
85 | 1828 | Lcfbdd32.exe | (none)
86 | 908 | Mkaghg32.exe | Drops file in System32 directory
87 | 1180 | Mchoid32.exe | (none)
88 | 2024 | Miehak32.exe | (none)
89 | 1572 | Mnbpjb32.exe | (none)
90 | 1596 | Mgjebg32.exe | (none)
91 | 1068 | Mndmoaog.exe | (none)
92 | 2328 | Meoell32.exe | (none)
93 | 1236 | Mjkndb32.exe | (none)
94 | 2668 | Mhonngce.exe | (none)
95 | 2012 | Nagbgl32.exe | (none)
96 | 1908 | Nnkcpq32.exe | (none)
97 | 2392 | Najpll32.exe | (none)
98 | 2776 | Ndhlhg32.exe | (none)
99 | 860 | Npolmh32.exe | (none)
100 | 1568 | Nbniid32.exe | Modifies registry class
101 | 1340 | Nmcmgm32.exe | (none)
102 | 964 | Nenakoho.exe | (none)
103 | 980 | Nlhjhi32.exe | (none)
104 | 2284 | Nfnneb32.exe | (none)
105 | 1616 | Olkfmi32.exe | (none)
106 | 436 | Oagoep32.exe | (none)
107 | 2560 | Ohagbj32.exe | (none)
108 | 2804 | Obgkpb32.exe | (none)
109 | 2188 | Oeehln32.exe | Adds autorun key to be loaded by Explorer.exe on startup
110 | 112 | Oalhqohl.exe | Modifies registry class
111 | 2692 | Ohfqmi32.exe | Drops file in System32 directory
112 | 2308 | Odmabj32.exe | (none)
113 | 1772 | Oijjka32.exe | (none)
114 | 2244 | Pcbncfjd.exe | (none)
115 | 864 | Pljcllqe.exe | (none)
116 | 2072 | Pgpgjepk.exe | (none)
117 | 1136 | Plmpblnb.exe | Modifies registry class
118 | 1536 | Qaqnkafa.exe | (none)
119 | 2616 | Qhjfgl32.exe | (none)
120 | 2640 | Qqfkln32.exe | (none)
121 | 1124 | Amohfo32.exe | (none)
122 | 840 | Aciqcifh.exe | (none)
123 | 2788 | Ackmih32.exe | (none)
124 | 1196 | Afjjed32.exe | (none)
125 | 584 | Aqonbm32.exe | (none)
126 | 1996 | Aijbfo32.exe | (none)
127 | 608 | Bimoloog.exe | (none)
128 | 2240 | Becpap32.exe | (none)
129 | 2420 | Bkmhnjlh.exe | Drops file in System32 directory
130 | 1936 | Bbgqjdce.exe | (none)
131 | 1488 | Bgdibkam.exe | (none)
132 | 1916 | Behilopf.exe | (none)
133 | 1172 | Bmcnqama.exe | (none)
134 | 2700 | Bflbigdb.exe | (none)
135 | 2428 | Caaggpdh.exe | Adds autorun key to be loaded by Explorer.exe on startup
136 | 576 | Cjjkpe32.exe | Adds autorun key to be loaded by Explorer.exe on startup
137 | 1788 | Ciohqa32.exe | Adds autorun key to be loaded by Explorer.exe on startup
138 | 1508 | Cbgmigeq.exe | (none)
139 | 1104 | Cpkmcldj.exe | (none)
140 | 2872 | Cicalakk.exe | (none)
141 | 2172 | Dejbqb32.exe | (none)
142 | 2112 | Dobgihgp.exe | (none)
143 | 2576 | Dhkkbmnp.exe | (none)
144 | 2608 | Doecog32.exe | (none)
145 | 2792 | Dfphcj32.exe | (none)
146 | 1924 | Dafmqb32.exe | (none)
147 | 2840 | Dahifbpk.exe | (none)
148 | 3060 | Dgeaoinb.exe | (none)
149 | 1156 | Elajgpmj.exe | (none)
150 | 984 | Eclbcj32.exe | (none)
151 | 2216 | Eldglp32.exe | (none)
152 | 2424 | Egikjh32.exe | (none)
153 | 2464 | Elfcbo32.exe | (none)
154 | 2396 | Eijdkcgn.exe | (none)
155 | 2408 | Ecbhdi32.exe | (none)
156 | 2176 | Enlidg32.exe | (none)
157 | 2744 | Folfoj32.exe | (none)
158 | 2264 | Fpmbfbgo.exe | (none)
159 | 1796 | Fjegog32.exe | (none)
160 | 2412 | Fdkklp32.exe | (none)
161 | 2040 | Flfpabkp.exe | (none)
162 | 2448 | Fgldnkkf.exe | (none)
163 | 2580 | Fqdiga32.exe | Drops file in System32 directory
164 | 2684 | Ffaaoh32.exe | (none)
165 | 2168 | Fmkilb32.exe | (none)
166 | 2708 | Gfcnegnk.exe | (none)
167 | 1972 | Gcgnnlle.exe | (none)
168 | 2568 | Gmpcgace.exe | (none)
169 | 2376 | Gdkgkcpq.exe | (none)
170 | 2004 | Gncldi32.exe | (none)
171 | 2008 | Gepafc32.exe | (none)
172 | 2256 | Hebnlb32.exe | (none)
173 | 1576 | Hnjbeh32.exe | (none)
174 | 2800 | Hjacjifm.exe | Adds autorun key to be loaded by Explorer.exe on startup
175 | 1976 | Hcigco32.exe | (none)
176 | 1920 | Hifpke32.exe | (none)
177 | 528 | Hboddk32.exe | (none)
178 | 1384 | Hmdhad32.exe | (none)
179 | 2564 | Iikifegp.exe | Drops file in System32 directory
180 | 2356 | Iafnjg32.exe | (none)
181 | 764 | Ibejdjln.exe | (none)
182 | 2468 | Ippdgc32.exe | (none)
183 | 2344 | Jbqmhnbo.exe | (none)
184 | 2816 | Jmfafgbd.exe | (none)
185 | 2304 | Jimbkh32.exe | (none)
186 | 940 | Jojkco32.exe | (none)
187 | 892 | Jpigma32.exe | (none)
188 | 1584 | Jialfgcc.exe | (none)
189 | 2748 | Jondnnbk.exe | (none)
190 | 1556 | Kdklfe32.exe | (none)
191 | 2628 | Kaompi32.exe | (none)
192 | 876 | Khielcfh.exe | (none)
193 | 948 | Kdpfadlm.exe | (none)
194 | 1732 | Kjmnjkjd.exe | (none)
195 | 1752 | Kklkcn32.exe | (none)
196 | 3096 | Kgclio32.exe | Drops file in System32 directory
197 | 3136 | Klpdaf32.exe | (none)
198 | 3176 | Lgehno32.exe | (none)
199 | 3216 | Llbqfe32.exe | (none)
200 | 3256 | Lfkeokjp.exe | (none)
201 | 3296 | Lbafdlod.exe | (none)
202 | 3336 | Loefnpnn.exe | (none)
203 | 3380 | Lhnkffeo.exe | Adds autorun key to be loaded by Explorer.exe on startup
204 | 3420 | Lnjcomcf.exe | (none)
205 | 3460 | Mkndhabp.exe | (none)
206 | 3500 | Mnmpdlac.exe | (none)
207 | 3540 | Mjcaimgg.exe | (none)
208 | 3580 | Mdiefffn.exe | (none)
209 | 3620 | Mnaiol32.exe | (none)
210 | 3660 | Mikjpiim.exe | (none)
211 | 3700 | Mjkgjl32.exe | (none)
212 | 3740 | Mpgobc32.exe | (none)
213 | 3780 | Nipdkieg.exe | (none)
214 | 3820 | Nbhhdnlh.exe | (none)
215 | 3860 | Nameek32.exe | (none)
216 | 3900 | Nnafnopi.exe | Modifies registry class
217 | 3944 | Nabopjmj.exe | (none)
218 | 3984 | Njjcip32.exe | (none)
219 | 4028 | Oadkej32.exe | (none)
220 | 4068 | Omklkkpl.exe | (none)
221 | 3080 | Obhdcanc.exe | (none)
222 | 3128 | Oplelf32.exe | (none)
223 | 3148 | Opnbbe32.exe | (none)
224 | 3236 | Oekjjl32.exe | Adds autorun key to be loaded by Explorer.exe on startup
225 | 3276 | Phlclgfc.exe | (none)
226 | 3320 | Phnpagdp.exe | (none)
227 | 3372 | Phqmgg32.exe | (none)
228 | 3392 | Pmmeon32.exe | (none)
229 | 3480 | Pkaehb32.exe | (none)
230 | 3532 | Paknelgk.exe | (none)
231 | 3552 | Pghfnc32.exe | Adds autorun key to be loaded by Explorer.exe on startup
232 | 3632 | Qdlggg32.exe | (none)
233 | 3680 | Qlgkki32.exe | (none)
234 | 3724 | Qjklenpa.exe | (none)
235 | 3776 | Agolnbok.exe | Drops file in System32 directory
236 | 3804 | Allefimb.exe | (none)
237 | 3876 | Akabgebj.exe | (none)
238 | 3916 | Afffenbp.exe | (none)
239 | 3968 | Anbkipok.exe | (none)
240 | 4024 | Bnfddp32.exe | (none)
241 | 4056 | Bkjdndjo.exe | Adds autorun key to be loaded by Explorer.exe on startup
242 | 3116 | Bmlael32.exe | (none)