Analysis
max time kernel: 137s
max time network: 130s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-06-2024 02:47
Behavioral tasks
behavioral1: sample 285f1a518c2d7c90194f226cff209430_NeikiAnalytics.exe, resource win7-20231129-en
behavioral2: sample 285f1a518c2d7c90194f226cff209430_NeikiAnalytics.exe, resource win10v2004-20240508-en
The signatures and IoCs listed on this page come from the behavioral2 (Windows 10) run; every memory-region path below is prefixed behavioral2/.
General
Target: 285f1a518c2d7c90194f226cff209430_NeikiAnalytics.exe
Size: 1.2MB
MD5: 285f1a518c2d7c90194f226cff209430
SHA1: 8cbcea5293a94e527187a897b57bd69855dcca38
SHA256: cefc1b65105fae9933ce0835819fda29821b57ce23f533330e4cb082a2a7161d
SHA512: 8bdf1d9fc3f59deda0dffc2978cc3f8f34d041333ef5882ca250de5dd921990e2bd6bc68b7a7ab7f2246a0a0ef0b40aad69e690aa17d18869bf29a990ad65699
SSDEEP: 6144:NrYmCAU9CXdPipmMH/gysNkvC8vA+XTv7FYUwMOFusQ+kJ3StWbHPdBnec:NrACXwpnsKvNA+XTvZHWuEo3oWbvrec
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Every entry below is under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad. The key lands in the WOW6432Node view because the writing processes are 32-bit (arch:x86, files in SysWOW64). "Set value (str)" writes the value Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}", a CLSID whose COM server is registered under "Modifies registry class" below; "Key created" creates the ShellServiceObjectDelayLoad key itself. The process column is the dropped stage that performed the write.
description | ioc | process
Set value (str) | Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ahbjoe32.exe
Set value (str) | Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Cnindhpg.exe
Set value (str) | Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jenmcggo.exe
Set value (str) | Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ogekbb32.exe
Key created | ShellServiceObjectDelayLoad | Dakikoom.exe
Key created | ShellServiceObjectDelayLoad | Oflmnh32.exe
Set value (str) | Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Fpgpgfmh.exe
Key created | ShellServiceObjectDelayLoad | Oaplqh32.exe
Set value (str) | Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bhhiemoj.exe
Key created | ShellServiceObjectDelayLoad | Nmcpoedn.exe
Key created | ShellServiceObjectDelayLoad | Cnkkjh32.exe
Key created | ShellServiceObjectDelayLoad | Iojbpo32.exe
Set value (str) | Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Lpfgmnfp.exe
Key created | ShellServiceObjectDelayLoad | Pdmdnadc.exe
Set value (str) | Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bhkfkmmg.exe
Set value (str) | Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jlbejloe.exe
Set value (str) | Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Pmkofa32.exe
Key created | ShellServiceObjectDelayLoad | Lcdciiec.exe
Key created | ShellServiceObjectDelayLoad | Nflkbanj.exe
Set value (str) | Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Phcgcqab.exe
Key created | ShellServiceObjectDelayLoad | Eklajcmc.exe
Set value (str) | Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hbnaeh32.exe
Set value (str) | Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Dkokcl32.exe
Key created | ShellServiceObjectDelayLoad | Ffqhcq32.exe
Set value (str) | Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Nadleilm.exe
Set value (str) | Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Adkqoohc.exe
Key created | ShellServiceObjectDelayLoad | Bdagpnbk.exe
Key created | ShellServiceObjectDelayLoad | Geldkfpi.exe
Key created | ShellServiceObjectDelayLoad | Jlbejloe.exe
Set value (str) | Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jlobkg32.exe
Key created | ShellServiceObjectDelayLoad | Cnfaohbj.exe
Set value (str) | Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Fpbflg32.exe
Set value (str) | Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Iojbpo32.exe
Key created | ShellServiceObjectDelayLoad | Lpfgmnfp.exe
Key created | ShellServiceObjectDelayLoad | Ogcnmc32.exe
Set value (str) | Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Damfao32.exe
Set value (str) | Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Njjmni32.exe
Set value (str) | Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bdickcpo.exe
Set value (str) | Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Knenkbio.exe
Key created | ShellServiceObjectDelayLoad | Nnhmnn32.exe
Set value (str) | Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Palklf32.exe
Set value (str) | Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Flpmagqi.exe
Key created | ShellServiceObjectDelayLoad | Phcgcqab.exe
Key created | ShellServiceObjectDelayLoad | Ihmfco32.exe
Key created | ShellServiceObjectDelayLoad | Afpjel32.exe
Key created | ShellServiceObjectDelayLoad | Lcnmin32.exe
Set value (str) | Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Plpjoe32.exe
Set value (str) | Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Cnfaohbj.exe
Set value (str) | Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Dnpdegjp.exe
Key created | ShellServiceObjectDelayLoad | Dkceokii.exe
Set value (str) | Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hlglidlo.exe
Set value (str) | Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Lflbkcll.exe
Set value (str) | Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Objkmkjj.exe
Set value (str) | Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ffqhcq32.exe
Set value (str) | Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Nncccnol.exe
Set value (str) | Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Nagiji32.exe
Key created | ShellServiceObjectDelayLoad | Panhbfep.exe
Set value (str) | Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Pdmdnadc.exe
Key created | ShellServiceObjectDelayLoad | Qpeahb32.exe
Set value (str) | Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Aaoaic32.exe
Set value (str) | Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Gicgpelg.exe
Key created | ShellServiceObjectDelayLoad | Kcapicdj.exe
Set value (str) | Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Gfodeohd.exe
Key created | ShellServiceObjectDelayLoad | Kckqbj32.exe
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan with the capability to download and install a range of additional malicious software, such as other Trojans, ransomware and cryptominers.
The YARA rule family_berbew matched the resources below. Every memory match is the same 0x41000-byte image region (0x400000-0x441000) in a different stage's process, and every file match is a dropped stage in C:\Windows\SysWOW64: the chain is the same binary re-dropped under a new name.
resource | yara_rule
behavioral2/memory/5060-0-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Jlobkg32.exe | family_berbew
behavioral2/memory/4588-7-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Kjccdkki.exe | family_berbew
behavioral2/memory/3304-15-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Kkconn32.exe | family_berbew
behavioral2/memory/544-28-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Knchpiom.exe | family_berbew
behavioral2/memory/888-32-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Kdmqmc32.exe | family_berbew
behavioral2/memory/4116-39-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Lmmolepp.exe | family_berbew
behavioral2/memory/3712-48-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Lcjcnoej.exe | family_berbew
behavioral2/memory/3556-60-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Lcnmin32.exe | family_berbew
behavioral2/memory/3544-64-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Mcqjon32.exe | family_berbew
behavioral2/memory/4816-72-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Maggnali.exe | family_berbew
behavioral2/memory/3056-80-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Mgaokl32.exe | family_berbew
behavioral2/memory/4940-88-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/memory/1560-95-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Megljppl.exe | family_berbew
C:\Windows\SysWOW64\Nelfeo32.exe | family_berbew
behavioral2/memory/1980-103-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Nhmofj32.exe | family_berbew
behavioral2/memory/3112-112-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Nccokk32.exe | family_berbew
behavioral2/memory/4308-121-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/memory/4556-127-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Ndflak32.exe | family_berbew
C:\Windows\SysWOW64\Nnkpnclp.exe | family_berbew
behavioral2/memory/4384-137-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Najmjokc.exe | family_berbew
behavioral2/memory/2368-144-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Okkdic32.exe | family_berbew
behavioral2/memory/2924-152-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Peahgl32.exe | family_berbew
behavioral2/memory/5080-159-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Plmmif32.exe | family_berbew
behavioral2/memory/2540-167-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Plpjoe32.exe | family_berbew
behavioral2/memory/3276-176-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Plbfdekd.exe | family_berbew
behavioral2/memory/2040-184-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Qdphngfl.exe | family_berbew
C:\Windows\SysWOW64\Qeodhjmo.exe | family_berbew
behavioral2/memory/3992-192-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Qeodhjmo.exe | family_berbew
behavioral2/memory/1864-204-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Aogiap32.exe | family_berbew
behavioral2/memory/4064-208-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Ahbjoe32.exe | family_berbew
behavioral2/memory/4656-216-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Akccap32.exe | family_berbew
behavioral2/memory/4268-224-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Akepfpcl.exe | family_berbew
behavioral2/memory/1020-232-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Boeebnhp.exe | family_berbew
behavioral2/memory/4344-240-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
C:\Windows\SysWOW64\Bnmoijje.exe | family_berbew
behavioral2/memory/4296-247-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
Executes dropped EXE (64 IoCs)
pid | process
4588 | Jlobkg32.exe
3304 | Kjccdkki.exe
544 | Kkconn32.exe
888 | Knchpiom.exe
4116 | Kdmqmc32.exe
3712 | Lmmolepp.exe
3556 | Lcjcnoej.exe
3544 | Lcnmin32.exe
4816 | Mcqjon32.exe
3056 | Maggnali.exe
4940 | Mgaokl32.exe
1560 | Megljppl.exe
1980 | Nelfeo32.exe
3112 | Nhmofj32.exe
4308 | Nccokk32.exe
4556 | Ndflak32.exe
4384 | Nnkpnclp.exe
2368 | Najmjokc.exe
2924 | Okkdic32.exe
5080 | Peahgl32.exe
2540 | Plmmif32.exe
3276 | Plpjoe32.exe
2040 | Plbfdekd.exe
3992 | Qdphngfl.exe
1864 | Qeodhjmo.exe
4064 | Aogiap32.exe
4656 | Ahbjoe32.exe
4268 | Akccap32.exe
1020 | Akepfpcl.exe
4344 | Boeebnhp.exe
4296 | Bnmoijje.exe
3068 | Bnoknihb.exe
116 | Bdickcpo.exe
1256 | Cfkmkf32.exe
2180 | Chiigadc.exe
228 | Cnfaohbj.exe
5020 | Chlflabp.exe
1268 | Cnindhpg.exe
4432 | Cdbfab32.exe
1848 | Cnkkjh32.exe
3484 | Cdecgbfa.exe
5128 | Dkokcl32.exe
5168 | Dbicpfdk.exe
5208 | Ddgplado.exe
5256 | Dkahilkl.exe
5320 | Dnpdegjp.exe
5380 | Ddjmba32.exe
5436 | Dkceokii.exe
5480 | Dnbakghm.exe
5524 | Dfiildio.exe
5580 | Doaneiop.exe
5620 | Dijbno32.exe
5668 | Dodjjimm.exe
5708 | Ekkkoj32.exe
5748 | Enigke32.exe
5788 | Eecphp32.exe
5828 | Eiahnnph.exe
5868 | Eehicoel.exe
5912 | Eblimcdf.exe
5952 | Ekdnei32.exe
6000 | Fpbflg32.exe
6040 | Fflohaij.exe
6088 | Fmfgek32.exe
6128 | Fbbpmb32.exe
Drops file in System32 directory (64 IoCs)
All paths are under C:\Windows\SysWOW64, the 32-bit System32. Each stage drops the next stage's .exe and, in many cases, a .dll that the same stage then registers as the CLSID's InProcServer32 (compare Gkgmdnki.dll written by Dkahilkl.exe and Cpkhqmjb.dll written by Cdkifmjq.exe here with the same pairs under "Modifies registry class").
description | ioc | process
File created | C:\Windows\SysWOW64\Ofmdio32.exe | Oaplqh32.exe
File opened for modification | C:\Windows\SysWOW64\Jimldogg.exe | Jbccge32.exe
File opened for modification | C:\Windows\SysWOW64\Oiccje32.exe | Objkmkjj.exe
File created | C:\Windows\SysWOW64\Kqqpck32.dll | Flpmagqi.exe
File created | C:\Windows\SysWOW64\Qgnnai32.dll | Moipoh32.exe
File created | C:\Windows\SysWOW64\Cnjdpaki.exe | Cacckp32.exe
File created | C:\Windows\SysWOW64\Okkdic32.exe | Najmjokc.exe
File created | C:\Windows\SysWOW64\Phlepppi.dll | Agimkk32.exe
File created | C:\Windows\SysWOW64\Fgoakc32.exe | Feqeog32.exe
File created | C:\Windows\SysWOW64\Qpeahb32.exe | Qhjmdp32.exe
File created | C:\Windows\SysWOW64\Oonlfo32.exe | Oiccje32.exe
File opened for modification | C:\Windows\SysWOW64\Fijdjfdb.exe | Fbplml32.exe
File created | C:\Windows\SysWOW64\Ifenan32.dll | Jjpode32.exe
File created | C:\Windows\SysWOW64\Abhemohm.dll | Kckqbj32.exe
File created | C:\Windows\SysWOW64\Gddedlaq.dll | Lpfgmnfp.exe
File opened for modification | C:\Windows\SysWOW64\Pccahbmn.exe | Pnfiplog.exe
File opened for modification | C:\Windows\SysWOW64\Iolhkh32.exe | Iahgad32.exe
File created | C:\Windows\SysWOW64\Hlglnp32.dll | Jbojlfdp.exe
File created | C:\Windows\SysWOW64\Nciopppp.exe | Mqjbddpl.exe
File created | C:\Windows\SysWOW64\Gjpank32.dll | Akepfpcl.exe
File created | C:\Windows\SysWOW64\Hlkbkddd.dll | Pjaleemj.exe
File opened for modification | C:\Windows\SysWOW64\Mablfnne.exe | Mjggal32.exe
File opened for modification | C:\Windows\SysWOW64\Mmmqhl32.exe | Mjodla32.exe
File opened for modification | C:\Windows\SysWOW64\Njfkmphe.exe | Nclbpf32.exe
File opened for modification | C:\Windows\SysWOW64\Qpeahb32.exe | Qhjmdp32.exe
File opened for modification | C:\Windows\SysWOW64\Bajqda32.exe | Bkphhgfc.exe
File opened for modification | C:\Windows\SysWOW64\Iialhaad.exe | Iolhkh32.exe
File opened for modification | C:\Windows\SysWOW64\Kcapicdj.exe | Kpccmhdg.exe
File opened for modification | C:\Windows\SysWOW64\Mjggal32.exe | Lcmodajm.exe
File created | C:\Windows\SysWOW64\Mlkpophj.dll | Hlglidlo.exe
File created | C:\Windows\SysWOW64\Njedbjej.exe | Nqmojd32.exe
File created | C:\Windows\SysWOW64\Ddjmba32.exe | Dnpdegjp.exe
File created | C:\Windows\SysWOW64\Gefklj32.dll | Hfhgkmpj.exe
File created | C:\Windows\SysWOW64\Fmggcl32.dll | Kcidmkpq.exe
File created | C:\Windows\SysWOW64\Ebfign32.exe | Eklajcmc.exe
File opened for modification | C:\Windows\SysWOW64\Mohidbkl.exe | Mhoahh32.exe
File created | C:\Windows\SysWOW64\Kdmqmc32.exe | Knchpiom.exe
File created | C:\Windows\SysWOW64\Ignlbcmf.dll | Jllokajf.exe
File opened for modification | C:\Windows\SysWOW64\Lgbloglj.exe | Lokdnjkg.exe
File created | C:\Windows\SysWOW64\Pmikmcgp.dll | Onocomdo.exe
File created | C:\Windows\SysWOW64\Bajqda32.exe | Bkphhgfc.exe
File created | C:\Windows\SysWOW64\Qkicbhla.dll | Cpbjkn32.exe
File created | C:\Windows\SysWOW64\Pmhbqbae.exe | Ppdbgncl.exe
File created | C:\Windows\SysWOW64\Ghjnkpdc.dll | Gpbpbecj.exe
File opened for modification | C:\Windows\SysWOW64\Iliinc32.exe | Hoeieolb.exe
File created | C:\Windows\SysWOW64\Fpmfmgnc.dll | Edgbii32.exe
File opened for modification | C:\Windows\SysWOW64\Jlbejloe.exe | Iehmmb32.exe
File created | C:\Windows\SysWOW64\Lmgnid32.dll | Enigke32.exe
File created | C:\Windows\SysWOW64\Igcnla32.dll | Hiipmhmk.exe
File created | C:\Windows\SysWOW64\Oonnoglh.dll | Lgbloglj.exe
File opened for modification | C:\Windows\SysWOW64\Amjbbfgo.exe | Afpjel32.exe
File opened for modification | C:\Windows\SysWOW64\Bhkfkmmg.exe | Bobabg32.exe
File created | C:\Windows\SysWOW64\Gkgmdnki.dll | Dkahilkl.exe
File created | C:\Windows\SysWOW64\Lcdciiec.exe | Lpfgmnfp.exe
File opened for modification | C:\Windows\SysWOW64\Nadleilm.exe | Nnfpinmi.exe
File created | C:\Windows\SysWOW64\Cpkhqmjb.dll | Cdkifmjq.exe
File opened for modification | C:\Windows\SysWOW64\Nmcpoedn.exe | Njedbjej.exe
File opened for modification | C:\Windows\SysWOW64\Ncpeaoih.exe | Nqaiecjd.exe
File created | C:\Windows\SysWOW64\Ejhdfi32.dll | Illfdc32.exe
File created | C:\Windows\SysWOW64\Jebfng32.exe | Jcdjbk32.exe
File created | C:\Windows\SysWOW64\Njfkmphe.exe | Nclbpf32.exe
File opened for modification | C:\Windows\SysWOW64\Ojomcopk.exe | Nceefd32.exe
File created | C:\Windows\SysWOW64\Heegad32.exe | Hlmchoan.exe
File created | C:\Windows\SysWOW64\Iialhaad.exe | Iolhkh32.exe
Program crash (1 IoC)
process | pid | target process | pid_target
WerFault.exe | 9556 | Pififb32.exe | 9260
Modifies registry class (64 IoCs)
Except for the one top-level "Key created" by the original sample, every entry is under \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32, the in-process COM server registration for the CLSID named by the ShellServiceObjectDelayLoad value above. Each stage re-points the (default) value at its own freshly dropped DLL in C:\Windows\SysWow64 and sets ThreadingModel = "Apartment". The value is overwritten on every hop, so the DLL named in it when explorer.exe reads the key is the one that would be loaded; the earlier DLLs remain on disk as artifacts. The page prints the REG_SZ data with doubled backslashes; they are shown here as single.
description | ioc | process
Set value (str) | (default) = "C:\Windows\SysWow64\Bdmlme32.dll" | Mmmqhl32.exe
Key created | InProcServer32 | Bobabg32.exe
Set value (str) | ThreadingModel = "Apartment" | Iialhaad.exe
Key created | InProcServer32 | Ahofoogd.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Hgfoqnae.dll" | Lcnmin32.exe
Key created | InProcServer32 | Dkceokii.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Pgpecj32.dll" | Kflide32.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Lhdbgapf.dll" | Pnfiplog.exe
Set value (str) | ThreadingModel = "Apartment" | Njedbjej.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | 285f1a518c2d7c90194f226cff209430_NeikiAnalytics.exe
Key created | InProcServer32 | Njfkmphe.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Gfkcaoef.dll" | Nmdgikhi.exe
Key created | InProcServer32 | Fbplml32.exe
Set value (str) | ThreadingModel = "Apartment" | Kofkbk32.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Cpkhqmjb.dll" | Cdkifmjq.exe
Key created | InProcServer32 | Nmjfodne.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Ekamnhne.dll" | Kofkbk32.exe
Key created | InProcServer32 | Flpmagqi.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Apjfbb32.dll" | Lomjicei.exe
Set value (str) | ThreadingModel = "Apartment" | Ddgplado.exe
Set value (str) | ThreadingModel = "Apartment" | Jcdjbk32.exe
Set value (str) | ThreadingModel = "Apartment" | Nclbpf32.exe
Set value (str) | ThreadingModel = "Apartment" | Lplfcf32.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Ghaeocdd.dll" | Oqhoeb32.exe
Key created | InProcServer32 | Doaneiop.exe
Key created | InProcServer32 | Ddjmba32.exe
Set value (str) | ThreadingModel = "Apartment" | Jlgepanl.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Efmnhl32.dll" | Lobjni32.exe
Key created | InProcServer32 | Mmmqhl32.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Lbpflbpa.dll" | Ogcnmc32.exe
Key created | InProcServer32 | Qdphngfl.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Bjdbkbbn.dll" | Kcmmhj32.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Mgfhfd32.dll" | Kcoccc32.exe
Key created | InProcServer32 | Ekdnei32.exe
Set value (str) | ThreadingModel = "Apartment" | Modgdicm.exe
Set value (str) | ThreadingModel = "Apartment" | Cggimh32.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Mpagaf32.dll" | Pfccogfc.exe
Set value (str) | ThreadingModel = "Apartment" | Fefedmil.exe
Set value (str) | ThreadingModel = "Apartment" | Hfjdqmng.exe
Key created | InProcServer32 | Nnfpinmi.exe
Set value (str) | ThreadingModel = "Apartment" | Bklomh32.exe
Key created | InProcServer32 | Kidben32.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Imqpnq32.dll" | Mcfbkpab.exe
Key created | InProcServer32 | Hfcnpn32.exe
Set value (str) | ThreadingModel = "Apartment" | Jekqmhia.exe
Key created | InProcServer32 | Jcmdaljn.exe
Key created | InProcServer32 | Hihibbjo.exe
Set value (str) | ThreadingModel = "Apartment" | Nqcejcha.exe
Key created | InProcServer32 | Oihmedma.exe
Key created | InProcServer32 | Gpbpbecj.exe
Key created | InProcServer32 | Hnphoj32.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Plpodked.dll" | Mqhfoebo.exe
Set value (str) | ThreadingModel = "Apartment" | Ppgomnai.exe
Set value (str) | ThreadingModel = "Apartment" | Pnfiplog.exe
Key created | InProcServer32 | Chlflabp.exe
Set value (str) | ThreadingModel = "Apartment" | Bnmoijje.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Kbjpeo32.dll" | Nqmfdj32.exe
Key created | InProcServer32 | Eqncnj32.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Gkgmdnki.dll" | Dkahilkl.exe
Set value (str) | ThreadingModel = "Apartment" | Ddjmba32.exe
Set value (str) | ThreadingModel = "Apartment" | Panhbfep.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Pipeabep.dll" | Cnfkdb32.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Fbihneaj.dll" | Kjccdkki.exe
Set value (str) | (default) = "C:\Windows\SysWow64\Dognaofl.dll" | Kbhmbdle.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
285f1a518c2d7c90194f226cff209430_NeikiAnalytics.exe, Jlobkg32.exe, Kjccdkki.exe, Kkconn32.exe, Knchpiom.exe, Kdmqmc32.exe, Lmmolepp.exe, Lcjcnoej.exe, Lcnmin32.exe, Mcqjon32.exe, Maggnali.exe, Mgaokl32.exe, Megljppl.exe, Nelfeo32.exe, Nhmofj32.exe, Nccokk32.exe, Ndflak32.exe, Nnkpnclp.exe, Najmjokc.exe, Okkdic32.exe, Peahgl32.exe, Plmmif32.exe
description | pid | process | target process
PID 5060 wrote to memory of 4588 | 5060 | 285f1a518c2d7c90194f226cff209430_NeikiAnalytics.exe | Jlobkg32.exe (3 events)
PID 4588 wrote to memory of 3304 | 4588 | Jlobkg32.exe | Kjccdkki.exe (3 events)
PID 3304 wrote to memory of 544 | 3304 | Kjccdkki.exe | Kkconn32.exe (3 events)
PID 544 wrote to memory of 888 | 544 | Kkconn32.exe | Knchpiom.exe (3 events)
PID 888 wrote to memory of 4116 | 888 | Knchpiom.exe | Kdmqmc32.exe (3 events)
PID 4116 wrote to memory of 3712 | 4116 | Kdmqmc32.exe | Lmmolepp.exe (3 events)
PID 3712 wrote to memory of 3556 | 3712 | Lmmolepp.exe | Lcjcnoej.exe (3 events)
PID 3556 wrote to memory of 3544 | 3556 | Lcjcnoej.exe | Lcnmin32.exe (3 events)
PID 3544 wrote to memory of 4816 | 3544 | Lcnmin32.exe | Mcqjon32.exe (3 events)
PID 4816 wrote to memory of 3056 | 4816 | Mcqjon32.exe | Maggnali.exe (3 events)
PID 3056 wrote to memory of 4940 | 3056 | Maggnali.exe | Mgaokl32.exe (3 events)
PID 4940 wrote to memory of 1560 | 4940 | Mgaokl32.exe | Megljppl.exe (3 events)
PID 1560 wrote to memory of 1980 | 1560 | Megljppl.exe | Nelfeo32.exe (3 events)
PID 1980 wrote to memory of 3112 | 1980 | Nelfeo32.exe | Nhmofj32.exe (3 events)
PID 3112 wrote to memory of 4308 | 3112 | Nhmofj32.exe | Nccokk32.exe (3 events)
PID 4308 wrote to memory of 4556 | 4308 | Nccokk32.exe | Ndflak32.exe (3 events)
PID 4556 wrote to memory of 4384 | 4556 | Ndflak32.exe | Nnkpnclp.exe (3 events)
PID 4384 wrote to memory of 2368 | 4384 | Nnkpnclp.exe | Najmjokc.exe (3 events)
PID 2368 wrote to memory of 2924 | 2368 | Najmjokc.exe | Okkdic32.exe (3 events)
PID 2924 wrote to memory of 5080 | 2924 | Okkdic32.exe | Peahgl32.exe (3 events)
PID 5080 wrote to memory of 2540 | 5080 | Peahgl32.exe | Plmmif32.exe (3 events)
PID 2540 wrote to memory of 3276 | 2540 | Plmmif32.exe | Plpjoe32.exe (1 event)
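The registry and WriteProcessMemory events above are what a responder turns into hunting indicators: a single CLSID, {79ECA078-17FF-726B-E811-213280E5C831}, whose InProcServer32 default value is rewritten by successive stages to point at a fresh DLL each time (Mgfhfd32.dll, Mpagaf32.dll, Imqpnq32.dll, Plpodked.dll, Kbjpeo32.dll, Gkgmdnki.dll, Pipeabep.dll, Fbihneaj.dll, Dognaofl.dll); the ShellServiceObjectDelayLoad value "Web Event Logger" that names that CLSID so Explorer.exe loads it; and a strict parent-to-child chain in which every stage writes into the one process it spawns. The script below is an added example, not part of this sandbox report or of the sample. It parses event lines in the report's own text format (the handful embedded as input are copied from the report and marked as constructed input), collects the CLSID, DLL names and SSODL value name, and reconstructs the spawn chain from the memory writes. The registry paths it emits for both the native and WOW6432Node views are an assumption about where to look on a live host: the report records only WOW6432Node writes because the sample is 32-bit, and a responder should inspect both views rather than trust one.

```python
"""Turn sandbox registry / WriteProcessMemory event lines into hunting
indicators.  Added example; not part of the report or the sample."""
import re
from collections import OrderedDict

# Constructed input: event lines copied from the report above.  A raw string
# keeps the sandbox's doubled backslashes exactly as it printed them.
SAMPLE_EVENTS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ahbjoe32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ekdnei32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgfhfd32.dll" Kcoccc32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Modgdicm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpagaf32.dll" Pfccogfc.exe
PID 5060 wrote to memory of 4588 5060 285f1a518c2d7c90194f226cff209430_NeikiAnalytics.exe Jlobkg32.exe
PID 5060 wrote to memory of 4588 5060 285f1a518c2d7c90194f226cff209430_NeikiAnalytics.exe Jlobkg32.exe
PID 5060 wrote to memory of 4588 5060 285f1a518c2d7c90194f226cff209430_NeikiAnalytics.exe Jlobkg32.exe
PID 4588 wrote to memory of 3304 4588 Jlobkg32.exe Kjccdkki.exe
PID 3304 wrote to memory of 544 3304 Kjccdkki.exe Kkconn32.exe
"""

GUID = r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}'
# SSODL value: <name> = "<CLSID>" <writing process>
SSODL_RE = re.compile(r'ShellServiceObjectDelayLoad\\(?P<name>[^\\=]+?) = "(?P<clsid>'
                      + GUID + r')" (?P<proc>\S+)$')
# InProcServer32 default value (the trailing backslash before " = " marks it)
INPROC_RE = re.compile(r'CLSID\\(?P<clsid>' + GUID +
                       r')\\InProcServer32\\ = "(?P<dll>[^"]+)" (?P<proc>\S+)$')
# "PID <parent> wrote to memory of <child> <parent> <parent image> <child image>"
WPM_RE = re.compile(r'^PID (?P<ppid>\d+) wrote to memory of (?P<cpid>\d+) \d+ '
                    r'(?P<parent>\S+) (?P<child>\S+)$')


def parse_events(text):
    """Group event lines: ssodl -> [(name, clsid, proc)], inproc_dlls ->
    [(clsid, dll basename, proc)] in report order, writes -> {edge: count}."""
    out = {"ssodl": [], "inproc_dlls": [], "writes": OrderedDict()}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := SSODL_RE.search(line)):
            out["ssodl"].append((m["name"], m["clsid"].upper(), m["proc"]))
        elif (m := INPROC_RE.search(line)):
            path = m["dll"].replace("\\\\", "\\")      # undo the doubled separators
            out["inproc_dlls"].append((m["clsid"].upper(), path.rsplit("\\", 1)[-1], m["proc"]))
        elif (m := WPM_RE.match(line)):
            edge = (m["ppid"], m["cpid"], m["parent"], m["child"])
            out["writes"][edge] = out["writes"].get(edge, 0) + 1
    return out


def process_chain(writes):
    """Order the write edges into the spawn chain.  Each stage writes only into
    the process it creates, so the edges form one path starting at the image
    that never appears as a child."""
    next_child, children = {}, set()
    for (_, _, parent, child) in writes:
        next_child.setdefault(parent, child)
        children.add(child)
    roots = [p for p in next_child if p not in children]
    if not roots:
        return []
    chain = [roots[0]]
    while chain[-1] in next_child and next_child[chain[-1]] not in chain:
        chain.append(next_child[chain[-1]])
    return chain


def hunting_iocs(parsed):
    """Collapse parsed events into what to search for on other hosts."""
    clsids = sorted({c for _, c, _ in parsed["ssodl"]} | {c for c, _, _ in parsed["inproc_dlls"]})
    dlls = sorted({d for _, d, _ in parsed["inproc_dlls"]})
    names = sorted({n for n, _, _ in parsed["ssodl"]})
    # Assumed live-host check list: the report shows only the WOW6432Node view
    # (32-bit writer on x64), so emit the native view as well.
    keys = []
    for view in ("", "WOW6432Node\\"):
        keys.append(rf"HKLM\SOFTWARE\{view}Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad")
        keys.extend(rf"HKLM\SOFTWARE\Classes\{view}CLSID\{c}\InProcServer32" for c in clsids)
    return {"clsids": clsids, "dll_names": dlls, "ssodl_values": names,
            "registry_keys": keys, "spawn_chain": process_chain(parsed["writes"])}


if __name__ == "__main__":
    for k, v in hunting_iocs(parse_events(SAMPLE_EVENTS)).items():
        print(f"{k}:")
        for item in v:
            print(f"  {item}")
```

Feed it the full event text from the report rather than the excerpt and `dll_names` becomes the complete list of SysWOW64 DLLs to sweep for, while `spawn_chain` should match the order of the process tree below; a mismatch means an edge is missing from the events or a stage was spawned by something other than its predecessor.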
Processes
-
C:\Users\Admin\AppData\Local\Temp\285f1a518c2d7c90194f226cff209430_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\285f1a518c2d7c90194f226cff209430_NeikiAnalytics.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5060 -
C:\Windows\SysWOW64\Jlobkg32.exeC:\Windows\system32\Jlobkg32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4588 -
C:\Windows\SysWOW64\Kjccdkki.exeC:\Windows\system32\Kjccdkki.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3304 -
C:\Windows\SysWOW64\Kkconn32.exeC:\Windows\system32\Kkconn32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:544 -
C:\Windows\SysWOW64\Knchpiom.exeC:\Windows\system32\Knchpiom.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:888 -
C:\Windows\SysWOW64\Kdmqmc32.exeC:\Windows\system32\Kdmqmc32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4116 -
C:\Windows\SysWOW64\Lmmolepp.exeC:\Windows\system32\Lmmolepp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3712 -
C:\Windows\SysWOW64\Lcjcnoej.exeC:\Windows\system32\Lcjcnoej.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3556 -
C:\Windows\SysWOW64\Lcnmin32.exeC:\Windows\system32\Lcnmin32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3544 -
C:\Windows\SysWOW64\Mcqjon32.exeC:\Windows\system32\Mcqjon32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816 -
C:\Windows\SysWOW64\Maggnali.exeC:\Windows\system32\Maggnali.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\Mgaokl32.exeC:\Windows\system32\Mgaokl32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
C:\Windows\SysWOW64\Megljppl.exeC:\Windows\system32\Megljppl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1560 -
C:\Windows\SysWOW64\Nelfeo32.exeC:\Windows\system32\Nelfeo32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Nhmofj32.exeC:\Windows\system32\Nhmofj32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3112 -
C:\Windows\SysWOW64\Nccokk32.exeC:\Windows\system32\Nccokk32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4308 -
C:\Windows\SysWOW64\Ndflak32.exeC:\Windows\system32\Ndflak32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4556 -
C:\Windows\SysWOW64\Nnkpnclp.exeC:\Windows\system32\Nnkpnclp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4384 -
C:\Windows\SysWOW64\Najmjokc.exeC:\Windows\system32\Najmjokc.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Okkdic32.exeC:\Windows\system32\Okkdic32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Peahgl32.exeC:\Windows\system32\Peahgl32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
C:\Windows\SysWOW64\Plmmif32.exeC:\Windows\system32\Plmmif32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Plpjoe32.exeC:\Windows\system32\Plpjoe32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3276 -
C:\Windows\SysWOW64\Plbfdekd.exeC:\Windows\system32\Plbfdekd.exe24⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Qdphngfl.exeC:\Windows\system32\Qdphngfl.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:3992 -
C:\Windows\SysWOW64\Qeodhjmo.exeC:\Windows\system32\Qeodhjmo.exe26⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Aogiap32.exeC:\Windows\system32\Aogiap32.exe27⤵
- Executes dropped EXE
PID:4064 -
C:\Windows\SysWOW64\Ahbjoe32.exeC:\Windows\system32\Ahbjoe32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4656 -
C:\Windows\SysWOW64\Akccap32.exeC:\Windows\system32\Akccap32.exe29⤵
- Executes dropped EXE
PID:4268 -
C:\Windows\SysWOW64\Akepfpcl.exeC:\Windows\system32\Akepfpcl.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1020 -
C:\Windows\SysWOW64\Boeebnhp.exeC:\Windows\system32\Boeebnhp.exe31⤵
- Executes dropped EXE
PID:4344 -
C:\Windows\SysWOW64\Bnmoijje.exeC:\Windows\system32\Bnmoijje.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:4296 -
C:\Windows\SysWOW64\Bnoknihb.exeC:\Windows\system32\Bnoknihb.exe33⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Bdickcpo.exeC:\Windows\system32\Bdickcpo.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:116 -
C:\Windows\SysWOW64\Cfkmkf32.exeC:\Windows\system32\Cfkmkf32.exe35⤵
- Executes dropped EXE
PID:1256 -
C:\Windows\SysWOW64\Chiigadc.exeC:\Windows\system32\Chiigadc.exe36⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Cnfaohbj.exeC:\Windows\system32\Cnfaohbj.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:228 -
C:\Windows\SysWOW64\Chlflabp.exeC:\Windows\system32\Chlflabp.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:5020 -
C:\Windows\SysWOW64\Cnindhpg.exeC:\Windows\system32\Cnindhpg.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1268 -
C:\Windows\SysWOW64\Cdbfab32.exeC:\Windows\system32\Cdbfab32.exe40⤵
- Executes dropped EXE
PID:4432 -
C:\Windows\SysWOW64\Cnkkjh32.exeC:\Windows\system32\Cnkkjh32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Cdecgbfa.exeC:\Windows\system32\Cdecgbfa.exe42⤵
- Executes dropped EXE
PID:3484 -
C:\Windows\SysWOW64\Dkokcl32.exeC:\Windows\system32\Dkokcl32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5128 -
C:\Windows\SysWOW64\Dbicpfdk.exeC:\Windows\system32\Dbicpfdk.exe44⤵
- Executes dropped EXE
PID:5168 -
C:\Windows\SysWOW64\Ddgplado.exeC:\Windows\system32\Ddgplado.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:5208 -
C:\Windows\SysWOW64\Dkahilkl.exeC:\Windows\system32\Dkahilkl.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5256 -
C:\Windows\SysWOW64\Dnpdegjp.exeC:\Windows\system32\Dnpdegjp.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:5320 -
C:\Windows\SysWOW64\Ddjmba32.exeC:\Windows\system32\Ddjmba32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:5380 -
C:\Windows\SysWOW64\Dkceokii.exeC:\Windows\system32\Dkceokii.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:5436 -
C:\Windows\SysWOW64\Dnbakghm.exeC:\Windows\system32\Dnbakghm.exe50⤵
- Executes dropped EXE
PID:5480 -
C:\Windows\SysWOW64\Dfiildio.exeC:\Windows\system32\Dfiildio.exe51⤵
- Executes dropped EXE
PID:5524 -
C:\Windows\SysWOW64\Doaneiop.exeC:\Windows\system32\Doaneiop.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:5580 -
C:\Windows\SysWOW64\Dijbno32.exeC:\Windows\system32\Dijbno32.exe53⤵
- Executes dropped EXE
PID:5620 -
C:\Windows\SysWOW64\Dodjjimm.exeC:\Windows\system32\Dodjjimm.exe54⤵
- Executes dropped EXE
PID:5668 -
C:\Windows\SysWOW64\Ekkkoj32.exeC:\Windows\system32\Ekkkoj32.exe55⤵
- Executes dropped EXE
PID:5708 -
C:\Windows\SysWOW64\Enigke32.exeC:\Windows\system32\Enigke32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5748 -
C:\Windows\SysWOW64\Eecphp32.exeC:\Windows\system32\Eecphp32.exe57⤵
- Executes dropped EXE
PID:5788 -
C:\Windows\SysWOW64\Eiahnnph.exeC:\Windows\system32\Eiahnnph.exe58⤵
- Executes dropped EXE
PID:5828 -
C:\Windows\SysWOW64\Eehicoel.exeC:\Windows\system32\Eehicoel.exe59⤵
- Executes dropped EXE
PID:5868 -
C:\Windows\SysWOW64\Eblimcdf.exeC:\Windows\system32\Eblimcdf.exe60⤵
- Executes dropped EXE
PID:5912 -
C:\Windows\SysWOW64\Ekdnei32.exeC:\Windows\system32\Ekdnei32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:5952 -
C:\Windows\SysWOW64\Fpbflg32.exeC:\Windows\system32\Fpbflg32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:6000 -
C:\Windows\SysWOW64\Fflohaij.exeC:\Windows\system32\Fflohaij.exe63⤵
- Executes dropped EXE
PID:6040 -
C:\Windows\SysWOW64\Fmfgek32.exeC:\Windows\system32\Fmfgek32.exe64⤵
- Executes dropped EXE
PID:6088 -
C:\Windows\SysWOW64\Fbbpmb32.exeC:\Windows\system32\Fbbpmb32.exe65⤵
- Executes dropped EXE
PID:6128 -
C:\Windows\SysWOW64\Fimhjl32.exeC:\Windows\system32\Fimhjl32.exe66⤵PID:5136
-
C:\Windows\SysWOW64\Fpgpgfmh.exeC:\Windows\system32\Fpgpgfmh.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5196 -
C:\Windows\SysWOW64\Ffqhcq32.exeC:\Windows\system32\Ffqhcq32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5300 -
C:\Windows\SysWOW64\Flmqlg32.exeC:\Windows\system32\Flmqlg32.exe69⤵PID:5392
-
C:\Windows\SysWOW64\Fnlmhc32.exeC:\Windows\system32\Fnlmhc32.exe70⤵PID:5468
-
C:\Windows\SysWOW64\Fefedmil.exeC:\Windows\system32\Fefedmil.exe71⤵
- Modifies registry class
PID:5568 -
C:\Windows\SysWOW64\Flpmagqi.exeC:\Windows\system32\Flpmagqi.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5628 -
C:\Windows\SysWOW64\Gfeaopqo.exeC:\Windows\system32\Gfeaopqo.exe73⤵PID:5696
-
C:\Windows\SysWOW64\Gmojkj32.exeC:\Windows\system32\Gmojkj32.exe74⤵PID:5776
-
C:\Windows\SysWOW64\Gnqfcbnj.exeC:\Windows\system32\Gnqfcbnj.exe75⤵PID:5824
-
C:\Windows\SysWOW64\Gifkpknp.exeC:\Windows\system32\Gifkpknp.exe76⤵PID:5896
-
C:\Windows\SysWOW64\Gbnoiqdq.exeC:\Windows\system32\Gbnoiqdq.exe77⤵PID:5960
-
C:\Windows\SysWOW64\Gihgfk32.exeC:\Windows\system32\Gihgfk32.exe78⤵PID:6024
-
C:\Windows\SysWOW64\Gpbpbecj.exeC:\Windows\system32\Gpbpbecj.exe79⤵
- Drops file in System32 directory
- Modifies registry class
PID:6104 -
C:\Windows\SysWOW64\Gflhoo32.exeC:\Windows\system32\Gflhoo32.exe80⤵PID:5176
-
C:\Windows\SysWOW64\Gpelhd32.exeC:\Windows\system32\Gpelhd32.exe81⤵PID:5444
-
C:\Windows\SysWOW64\Gfodeohd.exeC:\Windows\system32\Gfodeohd.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5576 -
C:\Windows\SysWOW64\Glkmmefl.exeC:\Windows\system32\Glkmmefl.exe83⤵PID:5700
-
C:\Windows\SysWOW64\Hipmfjee.exeC:\Windows\system32\Hipmfjee.exe84⤵PID:5812
-
C:\Windows\SysWOW64\Hpiecd32.exeC:\Windows\system32\Hpiecd32.exe85⤵PID:5932
-
C:\Windows\SysWOW64\Hfcnpn32.exeC:\Windows\system32\Hfcnpn32.exe86⤵
- Modifies registry class
PID:6076 -
C:\Windows\SysWOW64\Hehkajig.exeC:\Windows\system32\Hehkajig.exe87⤵PID:3640
-
C:\Windows\SysWOW64\Hoaojp32.exeC:\Windows\system32\Hoaojp32.exe88⤵PID:5504
-
C:\Windows\SysWOW64\Hfhgkmpj.exeC:\Windows\system32\Hfhgkmpj.exe89⤵
- Drops file in System32 directory
PID:5716 -
C:\Windows\SysWOW64\Hmbphg32.exeC:\Windows\system32\Hmbphg32.exe90⤵PID:5864
-
C:\Windows\SysWOW64\Hfjdqmng.exeC:\Windows\system32\Hfjdqmng.exe91⤵
- Modifies registry class
PID:2060 -
C:\Windows\SysWOW64\Hiipmhmk.exeC:\Windows\system32\Hiipmhmk.exe92⤵
- Drops file in System32 directory
PID:5592 -
C:\Windows\SysWOW64\Hlglidlo.exeC:\Windows\system32\Hlglidlo.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5876 -
C:\Windows\SysWOW64\Hoeieolb.exeC:\Windows\system32\Hoeieolb.exe94⤵
- Drops file in System32 directory
PID:5364 -
C:\Windows\SysWOW64\Iliinc32.exeC:\Windows\system32\Iliinc32.exe95⤵PID:5692
-
C:\Windows\SysWOW64\Iohejo32.exeC:\Windows\system32\Iohejo32.exe96⤵PID:5892
-
C:\Windows\SysWOW64\Illfdc32.exeC:\Windows\system32\Illfdc32.exe97⤵
- Drops file in System32 directory
PID:5900 -
C:\Windows\SysWOW64\Iojbpo32.exeC:\Windows\system32\Iojbpo32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6164 -
C:\Windows\SysWOW64\Igajal32.exeC:\Windows\system32\Igajal32.exe99⤵PID:6208
-
C:\Windows\SysWOW64\Iipfmggc.exeC:\Windows\system32\Iipfmggc.exe100⤵PID:6252
-
C:\Windows\SysWOW64\Ilnbicff.exeC:\Windows\system32\Ilnbicff.exe101⤵PID:6296
-
C:\Windows\SysWOW64\Iomoenej.exeC:\Windows\system32\Iomoenej.exe102⤵PID:6344
-
C:\Windows\SysWOW64\Igdgglfl.exeC:\Windows\system32\Igdgglfl.exe103⤵PID:6388
-
C:\Windows\SysWOW64\Ilqoobdd.exeC:\Windows\system32\Ilqoobdd.exe104⤵PID:6432
-
C:\Windows\SysWOW64\Ickglm32.exeC:\Windows\system32\Ickglm32.exe105⤵PID:6476
-
C:\Windows\SysWOW64\Igfclkdj.exeC:\Windows\system32\Igfclkdj.exe106⤵PID:6520
-
C:\Windows\SysWOW64\Ilcldb32.exeC:\Windows\system32\Ilcldb32.exe107⤵PID:6560
-
C:\Windows\SysWOW64\Jcmdaljn.exeC:\Windows\system32\Jcmdaljn.exe108⤵
- Modifies registry class
PID:6604 -
C:\Windows\SysWOW64\Jekqmhia.exeC:\Windows\system32\Jekqmhia.exe109⤵
- Modifies registry class
PID:6648 -
C:\Windows\SysWOW64\Jmbhoeid.exeC:\Windows\system32\Jmbhoeid.exe110⤵PID:6692
-
C:\Windows\SysWOW64\Jocefm32.exeC:\Windows\system32\Jocefm32.exe111⤵PID:6736
-
C:\Windows\SysWOW64\Jenmcggo.exeC:\Windows\system32\Jenmcggo.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6776 -
C:\Windows\SysWOW64\Jlgepanl.exeC:\Windows\system32\Jlgepanl.exe113⤵
- Modifies registry class
PID:6828 -
C:\Windows\SysWOW64\Jepjhg32.exeC:\Windows\system32\Jepjhg32.exe114⤵PID:6872
-
C:\Windows\SysWOW64\Jcdjbk32.exeC:\Windows\system32\Jcdjbk32.exe115⤵
- Drops file in System32 directory
- Modifies registry class
PID:6916 -
C:\Windows\SysWOW64\Jebfng32.exeC:\Windows\system32\Jebfng32.exe116⤵PID:6960
-
C:\Windows\SysWOW64\Jllokajf.exeC:\Windows\system32\Jllokajf.exe117⤵
- Drops file in System32 directory
PID:7004 -
C:\Windows\SysWOW64\Jjpode32.exeC:\Windows\system32\Jjpode32.exe118⤵
- Drops file in System32 directory
PID:7044 -
C:\Windows\SysWOW64\Kpjgaoqm.exeC:\Windows\system32\Kpjgaoqm.exe119⤵PID:7088
-
C:\Windows\SysWOW64\Kcidmkpq.exeC:\Windows\system32\Kcidmkpq.exe120⤵
- Drops file in System32 directory
PID:7132 -
C:\Windows\SysWOW64\Kegpifod.exeC:\Windows\system32\Kegpifod.exe121⤵PID:6148
-
C:\Windows\SysWOW64\Kckqbj32.exeC:\Windows\system32\Kckqbj32.exe122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6216 -
C:\Windows\SysWOW64\Keimof32.exeC:\Windows\system32\Keimof32.exe123⤵PID:6284
-
C:\Windows\SysWOW64\Klcekpdo.exeC:\Windows\system32\Klcekpdo.exe124⤵PID:6352
-
C:\Windows\SysWOW64\Kcmmhj32.exeC:\Windows\system32\Kcmmhj32.exe125⤵
- Modifies registry class
PID:2476 -
C:\Windows\SysWOW64\Kflide32.exeC:\Windows\system32\Kflide32.exe126⤵
- Modifies registry class
PID:6060 -
C:\Windows\SysWOW64\Kncaec32.exeC:\Windows\system32\Kncaec32.exe127⤵PID:6420
-
C:\Windows\SysWOW64\Kcpjnjii.exeC:\Windows\system32\Kcpjnjii.exe128⤵PID:6472
-
C:\Windows\SysWOW64\Kfnfjehl.exeC:\Windows\system32\Kfnfjehl.exe129⤵PID:6548
-
C:\Windows\SysWOW64\Knenkbio.exeC:\Windows\system32\Knenkbio.exe130⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6596 -
C:\Windows\SysWOW64\Kofkbk32.exeC:\Windows\system32\Kofkbk32.exe131⤵
- Modifies registry class
PID:6688 -
C:\Windows\SysWOW64\Kgnbdh32.exeC:\Windows\system32\Kgnbdh32.exe132⤵PID:6744
-
C:\Windows\SysWOW64\Lpfgmnfp.exeC:\Windows\system32\Lpfgmnfp.exe133⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6812 -
C:\Windows\SysWOW64\Lcdciiec.exeC:\Windows\system32\Lcdciiec.exe134⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6892 -
C:\Windows\SysWOW64\Lfbped32.exeC:\Windows\system32\Lfbped32.exe135⤵PID:6944
-
C:\Windows\SysWOW64\Lnjgfb32.exeC:\Windows\system32\Lnjgfb32.exe136⤵PID:7028
-
C:\Windows\SysWOW64\Lokdnjkg.exeC:\Windows\system32\Lokdnjkg.exe137⤵
- Drops file in System32 directory
PID:7108 -
C:\Windows\SysWOW64\Lgbloglj.exeC:\Windows\system32\Lgbloglj.exe138⤵
- Drops file in System32 directory
PID:7164 -
C:\Windows\SysWOW64\Lomqcjie.exeC:\Windows\system32\Lomqcjie.exe139⤵PID:6276
-
C:\Windows\SysWOW64\Lgdidgjg.exeC:\Windows\system32\Lgdidgjg.exe140⤵PID:1516
-
C:\Windows\SysWOW64\Lnoaaaad.exeC:\Windows\system32\Lnoaaaad.exe141⤵PID:5360
-
C:\Windows\SysWOW64\Lqmmmmph.exeC:\Windows\system32\Lqmmmmph.exe142⤵PID:6496
-
C:\Windows\SysWOW64\Lckiihok.exeC:\Windows\system32\Lckiihok.exe143⤵PID:6644
-
C:\Windows\SysWOW64\Ljeafb32.exeC:\Windows\system32\Ljeafb32.exe144⤵PID:6788
-
C:\Windows\SysWOW64\Lmdnbn32.exeC:\Windows\system32\Lmdnbn32.exe145⤵PID:6940
-
C:\Windows\SysWOW64\Lobjni32.exeC:\Windows\system32\Lobjni32.exe146⤵
- Modifies registry class
PID:7128 -
C:\Windows\SysWOW64\Lflbkcll.exeC:\Windows\system32\Lflbkcll.exe147⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6228 -
C:\Windows\SysWOW64\Mmfkhmdi.exeC:\Windows\system32\Mmfkhmdi.exe148⤵PID:6384
-
C:\Windows\SysWOW64\Modgdicm.exeC:\Windows\system32\Modgdicm.exe149⤵
- Modifies registry class
PID:6452 -
C:\Windows\SysWOW64\Mfnoqc32.exeC:\Windows\system32\Mfnoqc32.exe150⤵PID:6800
-
C:\Windows\SysWOW64\Mnegbp32.exeC:\Windows\system32\Mnegbp32.exe151⤵PID:7080
-
C:\Windows\SysWOW64\Mogcihaj.exeC:\Windows\system32\Mogcihaj.exe152⤵PID:6336
-
C:\Windows\SysWOW64\Mnhdgpii.exeC:\Windows\system32\Mnhdgpii.exe153⤵PID:6600
-
C:\Windows\SysWOW64\Moipoh32.exeC:\Windows\system32\Moipoh32.exe154⤵
- Drops file in System32 directory
PID:7012 -
C:\Windows\SysWOW64\Mjodla32.exeC:\Windows\system32\Mjodla32.exe155⤵
- Drops file in System32 directory
PID:6196 -
C:\Windows\SysWOW64\Mmmqhl32.exeC:\Windows\system32\Mmmqhl32.exe156⤵
- Modifies registry class
PID:6728 -
C:\Windows\SysWOW64\Mcgiefen.exeC:\Windows\system32\Mcgiefen.exe157⤵PID:6396
-
C:\Windows\SysWOW64\Mfeeabda.exeC:\Windows\system32\Mfeeabda.exe158⤵PID:6204
-
C:\Windows\SysWOW64\Mnmmboed.exeC:\Windows\system32\Mnmmboed.exe159⤵PID:6324
-
C:\Windows\SysWOW64\Monjjgkb.exeC:\Windows\system32\Monjjgkb.exe160⤵PID:7188
-
C:\Windows\SysWOW64\Mgeakekd.exeC:\Windows\system32\Mgeakekd.exe161⤵PID:7240
-
C:\Windows\SysWOW64\Nqmfdj32.exeC:\Windows\system32\Nqmfdj32.exe162⤵
- Modifies registry class
PID:7284 -
C:\Windows\SysWOW64\Nclbpf32.exeC:\Windows\system32\Nclbpf32.exe163⤵
- Drops file in System32 directory
- Modifies registry class
PID:7328 -
C:\Windows\SysWOW64\Njfkmphe.exeC:\Windows\system32\Njfkmphe.exe164⤵
- Modifies registry class
PID:7368 -
C:\Windows\SysWOW64\Nmdgikhi.exeC:\Windows\system32\Nmdgikhi.exe165⤵
- Modifies registry class
PID:7416 -
C:\Windows\SysWOW64\Npbceggm.exeC:\Windows\system32\Npbceggm.exe166⤵PID:7460
-
C:\Windows\SysWOW64\Nflkbanj.exeC:\Windows\system32\Nflkbanj.exe167⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7500 -
C:\Windows\SysWOW64\Nncccnol.exeC:\Windows\system32\Nncccnol.exe168⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7544 -
C:\Windows\SysWOW64\Npepkf32.exeC:\Windows\system32\Npepkf32.exe169⤵PID:7592
-
C:\Windows\SysWOW64\Nglhld32.exeC:\Windows\system32\Nglhld32.exe170⤵PID:7636
-
C:\Windows\SysWOW64\Nnfpinmi.exeC:\Windows\system32\Nnfpinmi.exe171⤵
- Drops file in System32 directory
- Modifies registry class
PID:7680 -
C:\Windows\SysWOW64\Nadleilm.exeC:\Windows\system32\Nadleilm.exe172⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7724 -
C:\Windows\SysWOW64\Nnhmnn32.exeC:\Windows\system32\Nnhmnn32.exe173⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7764 -
C:\Windows\SysWOW64\Nagiji32.exeC:\Windows\system32\Nagiji32.exe174⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7812 -
C:\Windows\SysWOW64\Nceefd32.exeC:\Windows\system32\Nceefd32.exe175⤵
- Drops file in System32 directory
PID:7856 -
C:\Windows\SysWOW64\Ojomcopk.exeC:\Windows\system32\Ojomcopk.exe176⤵PID:7900
-
C:\Windows\SysWOW64\Omnjojpo.exeC:\Windows\system32\Omnjojpo.exe177⤵PID:7944
-
C:\Windows\SysWOW64\Ogcnmc32.exeC:\Windows\system32\Ogcnmc32.exe178⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:7988 -
C:\Windows\SysWOW64\Ompfej32.exeC:\Windows\system32\Ompfej32.exe179⤵PID:8036
-
C:\Windows\SysWOW64\Ogekbb32.exeC:\Windows\system32\Ogekbb32.exe180⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:8080 -
C:\Windows\SysWOW64\Onocomdo.exeC:\Windows\system32\Onocomdo.exe181⤵
- Drops file in System32 directory
PID:8120 -
C:\Windows\SysWOW64\Opqofe32.exeC:\Windows\system32\Opqofe32.exe182⤵PID:8168
-
C:\Windows\SysWOW64\Oghghb32.exeC:\Windows\system32\Oghghb32.exe183⤵PID:7204
-
C:\Windows\SysWOW64\Onapdl32.exeC:\Windows\system32\Onapdl32.exe184⤵PID:7268
-
C:\Windows\SysWOW64\Oaplqh32.exeC:\Windows\system32\Oaplqh32.exe185⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:7316 -
C:\Windows\SysWOW64\Ofmdio32.exeC:\Windows\system32\Ofmdio32.exe186⤵PID:7404
-
C:\Windows\SysWOW64\Omgmeigd.exeC:\Windows\system32\Omgmeigd.exe187⤵PID:7496
-
C:\Windows\SysWOW64\Opeiadfg.exeC:\Windows\system32\Opeiadfg.exe188⤵PID:7536
-
C:\Windows\SysWOW64\Pfoann32.exeC:\Windows\system32\Pfoann32.exe189⤵PID:7632
-
C:\Windows\SysWOW64\Pnfiplog.exeC:\Windows\system32\Pnfiplog.exe190⤵
- Drops file in System32 directory
- Modifies registry class
PID:7660 -
C:\Windows\SysWOW64\Pccahbmn.exeC:\Windows\system32\Pccahbmn.exe191⤵PID:7756
-
C:\Windows\SysWOW64\Pfandnla.exeC:\Windows\system32\Pfandnla.exe192⤵PID:7820
-
C:\Windows\SysWOW64\Pdenmbkk.exeC:\Windows\system32\Pdenmbkk.exe193⤵PID:7888
-
C:\Windows\SysWOW64\Paiogf32.exeC:\Windows\system32\Paiogf32.exe194⤵PID:7924
-
C:\Windows\SysWOW64\Phcgcqab.exeC:\Windows\system32\Phcgcqab.exe195⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:8044 -
C:\Windows\SysWOW64\Palklf32.exeC:\Windows\system32\Palklf32.exe196⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:8100 -
C:\Windows\SysWOW64\Pnplfj32.exeC:\Windows\system32\Pnplfj32.exe197⤵PID:8160
-
C:\Windows\SysWOW64\Panhbfep.exeC:\Windows\system32\Panhbfep.exe198⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2836 -
C:\Windows\SysWOW64\Pdmdnadc.exeC:\Windows\system32\Pdmdnadc.exe199⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:224 -
C:\Windows\SysWOW64\Qaqegecm.exeC:\Windows\system32\Qaqegecm.exe200⤵PID:6904
-
C:\Windows\SysWOW64\Qhjmdp32.exeC:\Windows\system32\Qhjmdp32.exe201⤵
- Drops file in System32 directory
PID:7276 -
C:\Windows\SysWOW64\Qpeahb32.exeC:\Windows\system32\Qpeahb32.exe202⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7396 -
C:\Windows\SysWOW64\Afpjel32.exeC:\Windows\system32\Afpjel32.exe203⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:7528 -
C:\Windows\SysWOW64\Amjbbfgo.exeC:\Windows\system32\Amjbbfgo.exe204⤵PID:7588
-
C:\Windows\SysWOW64\Ahofoogd.exeC:\Windows\system32\Ahofoogd.exe205⤵
- Modifies registry class
PID:7744 -
C:\Windows\SysWOW64\Aknbkjfh.exeC:\Windows\system32\Aknbkjfh.exe206⤵PID:7864
-
C:\Windows\SysWOW64\Agdcpkll.exeC:\Windows\system32\Agdcpkll.exe207⤵PID:7980
-
C:\Windows\SysWOW64\Aajhndkb.exeC:\Windows\system32\Aajhndkb.exe208⤵PID:8088
-
C:\Windows\SysWOW64\Ahdpjn32.exeC:\Windows\system32\Ahdpjn32.exe209⤵PID:432
-
C:\Windows\SysWOW64\Aonhghjl.exeC:\Windows\system32\Aonhghjl.exe210⤵PID:5088
-
C:\Windows\SysWOW64\Adkqoohc.exeC:\Windows\system32\Adkqoohc.exe211⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7224 -
C:\Windows\SysWOW64\Agimkk32.exeC:\Windows\system32\Agimkk32.exe212⤵
- Drops file in System32 directory
PID:7324 -
C:\Windows\SysWOW64\Aaoaic32.exeC:\Windows\system32\Aaoaic32.exe213⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7612 -
C:\Windows\SysWOW64\Bhhiemoj.exeC:\Windows\system32\Bhhiemoj.exe214⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7836 -
C:\Windows\SysWOW64\Bobabg32.exeC:\Windows\system32\Bobabg32.exe215⤵
- Drops file in System32 directory
- Modifies registry class
PID:8096 -
C:\Windows\SysWOW64\Bhkfkmmg.exeC:\Windows\system32\Bhkfkmmg.exe216⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:8148 -
C:\Windows\SysWOW64\Bmhocd32.exeC:\Windows\system32\Bmhocd32.exe217⤵PID:7172
-
C:\Windows\SysWOW64\Bdagpnbk.exeC:\Windows\system32\Bdagpnbk.exe218⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7508 -
C:\Windows\SysWOW64\Bklomh32.exeC:\Windows\system32\Bklomh32.exe219⤵
- Modifies registry class
PID:7720 -
C:\Windows\SysWOW64\Bhpofl32.exeC:\Windows\system32\Bhpofl32.exe220⤵PID:8108
-
C:\Windows\SysWOW64\Bkphhgfc.exeC:\Windows\system32\Bkphhgfc.exe221⤵
- Drops file in System32 directory
PID:7936 -
C:\Windows\SysWOW64\Bajqda32.exeC:\Windows\system32\Bajqda32.exe222⤵PID:1320
-
C:\Windows\SysWOW64\Cggimh32.exeC:\Windows\system32\Cggimh32.exe223⤵
- Modifies registry class
PID:2728 -
C:\Windows\SysWOW64\Cnaaib32.exeC:\Windows\system32\Cnaaib32.exe224⤵PID:7832
-
C:\Windows\SysWOW64\Cdkifmjq.exeC:\Windows\system32\Cdkifmjq.exe225⤵
- Drops file in System32 directory
- Modifies registry class
PID:8020 -
C:\Windows\SysWOW64\Cpbjkn32.exeC:\Windows\system32\Cpbjkn32.exe226⤵
- Drops file in System32 directory
PID:2084 -
C:\Windows\SysWOW64\Cnfkdb32.exeC:\Windows\system32\Cnfkdb32.exe227⤵
- Modifies registry class
PID:7604 -
C:\Windows\SysWOW64\Cdpcal32.exeC:\Windows\system32\Cdpcal32.exe228⤵PID:7176
-
C:\Windows\SysWOW64\Cacckp32.exeC:\Windows\system32\Cacckp32.exe229⤵
- Drops file in System32 directory
PID:7388 -
C:\Windows\SysWOW64\Cnjdpaki.exeC:\Windows\system32\Cnjdpaki.exe230⤵PID:5040
-
C:\Windows\SysWOW64\Dhphmj32.exeC:\Windows\system32\Dhphmj32.exe231⤵PID:7732
-
C:\Windows\SysWOW64\Dolmodpi.exeC:\Windows\system32\Dolmodpi.exe232⤵PID:8200
-
C:\Windows\SysWOW64\Dakikoom.exeC:\Windows\system32\Dakikoom.exe233⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:8244 -
C:\Windows\SysWOW64\Damfao32.exeC:\Windows\system32\Damfao32.exe234⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:8284 -
C:\Windows\SysWOW64\Dgjoif32.exeC:\Windows\system32\Dgjoif32.exe235⤵PID:8328
-
C:\Windows\SysWOW64\Dkhgod32.exeC:\Windows\system32\Dkhgod32.exe236⤵PID:8372
-
C:\Windows\SysWOW64\Edplhjhi.exeC:\Windows\system32\Edplhjhi.exe237⤵PID:8412
-
C:\Windows\SysWOW64\Eklajcmc.exeC:\Windows\system32\Eklajcmc.exe238⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:8456 -
C:\Windows\SysWOW64\Ebfign32.exeC:\Windows\system32\Ebfign32.exe239⤵PID:8500
-
C:\Windows\SysWOW64\Edgbii32.exeC:\Windows\system32\Edgbii32.exe240⤵
- Drops file in System32 directory
PID:8540 -
C:\Windows\SysWOW64\Eqncnj32.exeC:\Windows\system32\Eqncnj32.exe241⤵
- Modifies registry class
PID:8584 -
C:\Windows\SysWOW64\Fdlkdhnk.exeC:\Windows\system32\Fdlkdhnk.exe242⤵PID:8628