Analysis
max time kernel: 122s
max time network: 128s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 02-06-2024 02:25
Behavioral task behavioral1: Sample 256b1e205a3d49e73f7dadf22b2f17d0_NeikiAnalytics.exe, Resource win7-20240508-en
Behavioral task behavioral2: Sample 256b1e205a3d49e73f7dadf22b2f17d0_NeikiAnalytics.exe, Resource win10v2004-20240508-en
General
Target: 256b1e205a3d49e73f7dadf22b2f17d0_NeikiAnalytics.exe
Size: 1000KB
MD5: 256b1e205a3d49e73f7dadf22b2f17d0
SHA1: fff453861d9028d5b7ca6c18fc32db3a1aec5c78
SHA256: 4493892c48200140c8e265453aaf57386ab96df624d57d8f0f232d97b8596972
SHA512: 4fb3042e4bf398149945293ce7f016534920eb011752b2b022f1e88dc944c69a473a69b32e87e9b47411df7214e61c91e9b9552d388e7bae7298bc0e58b8eab9
SSDEEP: 12288:D8wVTtHBFLPj3TmLnWrOxNuxC97hFq9o7:D3tHBFLPj368MoC9Dq9o7
Malware Config
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
Processes:
pid    pid_target    process         target process
1952   1728          WerFault.exe    Dpapaj32.exe
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 256b1e205a3d49e73f7dadf22b2f17d0_NeikiAnalytics.exe, Fnpnndgp.exe, Fhkpmjln.exe, Ffbicfoc.exe, Gkgkbipp.exe, Gkkemh32.exe, Hnojdcfi.exe, Hcnpbi32.exe, Icbimi32.exe, Idceea32.exe, Incpoe32.exe, Jgnamk32.exe, Jfcnngnd.exe, Jfghif32.exe, Kaceodek.exe, Knjbnh32.exe
description | pid | process | target process
PID 2408 wrote to memory of 1264 | 2408 | 256b1e205a3d49e73f7dadf22b2f17d0_NeikiAnalytics.exe | Fnpnndgp.exe (×4)
PID 1264 wrote to memory of 2004 | 1264 | Fnpnndgp.exe | Fhkpmjln.exe (×4)
PID 2004 wrote to memory of 2784 | 2004 | Fhkpmjln.exe | Ffbicfoc.exe (×4)
PID 2784 wrote to memory of 2808 | 2784 | Ffbicfoc.exe | Gkgkbipp.exe (×4)
PID 2808 wrote to memory of 2692 | 2808 | Gkgkbipp.exe | Gkkemh32.exe (×4)
PID 2692 wrote to memory of 2620 | 2692 | Gkkemh32.exe | Hnojdcfi.exe (×4)
PID 2620 wrote to memory of 2000 | 2620 | Hnojdcfi.exe | Hcnpbi32.exe (×4)
PID 2000 wrote to memory of 2032 | 2000 | Hcnpbi32.exe | Icbimi32.exe (×4)
PID 2032 wrote to memory of 1612 | 2032 | Icbimi32.exe | Idceea32.exe (×4)
PID 1612 wrote to memory of 2852 | 1612 | Idceea32.exe | Incpoe32.exe (×4)
PID 2852 wrote to memory of 2960 | 2852 | Incpoe32.exe | Jgnamk32.exe (×4)
PID 2960 wrote to memory of 1432 | 2960 | Jgnamk32.exe | Jfcnngnd.exe (×4)
PID 1432 wrote to memory of 2052 | 1432 | Jfcnngnd.exe | Jfghif32.exe (×4)
PID 2052 wrote to memory of 1244 | 2052 | Jfghif32.exe | Kaceodek.exe (×4)
PID 1244 wrote to memory of 2296 | 1244 | Kaceodek.exe | Knjbnh32.exe (×4)
PID 2296 wrote to memory of 1040 | 2296 | Knjbnh32.exe | Kifpdelo.exe (×4)
Processes
-
C:\Users\Admin\AppData\Local\Temp\256b1e205a3d49e73f7dadf22b2f17d0_NeikiAnalytics.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\256b1e205a3d49e73f7dadf22b2f17d0_NeikiAnalytics.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2408
-
C:\Windows\SysWOW64\Fnpnndgp.exe (level 2)
Command line: C:\Windows\system32\Fnpnndgp.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1264
-
C:\Windows\SysWOW64\Fhkpmjln.exe (level 3)
Command line: C:\Windows\system32\Fhkpmjln.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2004
-
C:\Windows\SysWOW64\Ffbicfoc.exe (level 4)
Command line: C:\Windows\system32\Ffbicfoc.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2784
-
C:\Windows\SysWOW64\Gkgkbipp.exe (level 5)
Command line: C:\Windows\system32\Gkgkbipp.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2808
-
C:\Windows\SysWOW64\Gkkemh32.exe (level 6)
Command line: C:\Windows\system32\Gkkemh32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2692
-
C:\Windows\SysWOW64\Hnojdcfi.exe (level 7)
Command line: C:\Windows\system32\Hnojdcfi.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2620
-
C:\Windows\SysWOW64\Hcnpbi32.exe (level 8)
Command line: C:\Windows\system32\Hcnpbi32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2000
-
C:\Windows\SysWOW64\Icbimi32.exe (level 9)
Command line: C:\Windows\system32\Icbimi32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2032
-
C:\Windows\SysWOW64\Idceea32.exe (level 10)
Command line: C:\Windows\system32\Idceea32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1612
-
C:\Windows\SysWOW64\Incpoe32.exe (level 11)
Command line: C:\Windows\system32\Incpoe32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2852
-
C:\Windows\SysWOW64\Jgnamk32.exe (level 12)
Command line: C:\Windows\system32\Jgnamk32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2960
-
C:\Windows\SysWOW64\Jfcnngnd.exe (level 13)
Command line: C:\Windows\system32\Jfcnngnd.exe
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1432
-
C:\Windows\SysWOW64\Jfghif32.exe (level 14)
Command line: C:\Windows\system32\Jfghif32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2052
-
C:\Windows\SysWOW64\Kaceodek.exe (level 15)
Command line: C:\Windows\system32\Kaceodek.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1244
-
C:\Windows\SysWOW64\Knjbnh32.exe (level 16)
Command line: C:\Windows\system32\Knjbnh32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2296
-
C:\Windows\SysWOW64\Kifpdelo.exe (level 17)
Command line: C:\Windows\system32\Kifpdelo.exe
- Executes dropped EXE
- Loads dropped DLL
PID: 1040
-
C:\Windows\SysWOW64\Lijjoe32.exe (level 18)
Command line: C:\Windows\system32\Lijjoe32.exe
- Executes dropped EXE
- Loads dropped DLL
PID: 848
-
C:\Windows\SysWOW64\Lhpfqama.exe (level 19)
Command line: C:\Windows\system32\Lhpfqama.exe
- Executes dropped EXE
- Loads dropped DLL
PID: 1524
-
C:\Windows\SysWOW64\Lkncmmle.exe (level 20)
Command line: C:\Windows\system32\Lkncmmle.exe
- Executes dropped EXE
- Loads dropped DLL
PID: 2496
-
C:\Windows\SysWOW64\Lhbcfa32.exe (level 21)
Command line: C:\Windows\system32\Lhbcfa32.exe
- Executes dropped EXE
- Loads dropped DLL
PID: 1536
-
C:\Windows\SysWOW64\Lollckbk.exe (level 22)
Command line: C:\Windows\system32\Lollckbk.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID: 1028
-
C:\Windows\SysWOW64\Mggpgmof.exe (level 23)
Command line: C:\Windows\system32\Mggpgmof.exe
- Executes dropped EXE
- Loads dropped DLL
PID: 2484
-
C:\Windows\SysWOW64\Mmahdggc.exe (level 24)
Command line: C:\Windows\system32\Mmahdggc.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 1824
-
C:\Windows\SysWOW64\Mihiih32.exe (level 25)
Command line: C:\Windows\system32\Mihiih32.exe
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID: 1972
-
C:\Windows\SysWOW64\Mdmmfa32.exe (level 26)
Command line: C:\Windows\system32\Mdmmfa32.exe
- Executes dropped EXE
- Loads dropped DLL
PID: 832
-
C:\Windows\SysWOW64\Mmfbogcn.exe (level 27)
Command line: C:\Windows\system32\Mmfbogcn.exe
- Executes dropped EXE
- Loads dropped DLL
PID: 1492
-
C:\Windows\SysWOW64\Mlkopcge.exe (level 28)
Command line: C:\Windows\system32\Mlkopcge.exe
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID: 1688
-
C:\Windows\SysWOW64\Mhbped32.exe (level 29)
Command line: C:\Windows\system32\Mhbped32.exe
- Executes dropped EXE
- Loads dropped DLL
PID: 1700
-
C:\Windows\SysWOW64\Nolhan32.exe (level 30)
Command line: C:\Windows\system32\Nolhan32.exe
- Executes dropped EXE
- Loads dropped DLL
PID: 1676
-
C:\Windows\SysWOW64\Nlphkb32.exe (level 31)
Command line: C:\Windows\system32\Nlphkb32.exe
- Executes dropped EXE
- Loads dropped DLL
PID: 2360
-
C:\Windows\SysWOW64\Ndkmpe32.exe (level 32)
Command line: C:\Windows\system32\Ndkmpe32.exe
- Executes dropped EXE
- Loads dropped DLL
PID: 2564
-
C:\Windows\SysWOW64\Nncahjgl.exe (level 33)
Command line: C:\Windows\system32\Nncahjgl.exe
- Executes dropped EXE
PID: 2796
-
C:\Windows\SysWOW64\Naajoinb.exe (level 34)
Command line: C:\Windows\system32\Naajoinb.exe
- Executes dropped EXE
PID: 1928
-
C:\Windows\SysWOW64\Nhkbkc32.exe (level 35)
Command line: C:\Windows\system32\Nhkbkc32.exe
- Executes dropped EXE
PID: 2604
-
C:\Windows\SysWOW64\Npfgpe32.exe (level 36)
Command line: C:\Windows\system32\Npfgpe32.exe
- Executes dropped EXE
PID: 860
-
C:\Windows\SysWOW64\Ojahnj32.exe (level 37)
Command line: C:\Windows\system32\Ojahnj32.exe
- Executes dropped EXE
PID: 2916
-
C:\Windows\SysWOW64\Ocimgp32.exe (level 38)
Command line: C:\Windows\system32\Ocimgp32.exe
- Executes dropped EXE
- Modifies registry class
PID: 2896
-
C:\Windows\SysWOW64\Ohibdf32.exe (level 39)
Command line: C:\Windows\system32\Ohibdf32.exe
- Executes dropped EXE
PID: 2860
-
C:\Windows\SysWOW64\Okgnab32.exe (level 40)
Command line: C:\Windows\system32\Okgnab32.exe
- Executes dropped EXE
- Modifies registry class
PID: 2868
-
C:\Windows\SysWOW64\Okikfagn.exe (level 41)
Command line: C:\Windows\system32\Okikfagn.exe
- Executes dropped EXE
PID: 1916
-
C:\Windows\SysWOW64\Onhgbmfb.exe (level 42)
Command line: C:\Windows\system32\Onhgbmfb.exe
- Executes dropped EXE
- Modifies registry class
PID: 2036
-
C:\Windows\SysWOW64\Pnjdhmdo.exe (level 43)
Command line: C:\Windows\system32\Pnjdhmdo.exe
- Executes dropped EXE
PID: 1728
-
C:\Windows\SysWOW64\Pedleg32.exe (level 44)
Command line: C:\Windows\system32\Pedleg32.exe
- Executes dropped EXE
- Drops file in System32 directory
PID: 2536
-
C:\Windows\SysWOW64\Pefijfii.exe (level 45)
Command line: C:\Windows\system32\Pefijfii.exe
- Executes dropped EXE
PID: 3020
-
C:\Windows\SysWOW64\Pgeefbhm.exe (level 46)
Command line: C:\Windows\system32\Pgeefbhm.exe
- Executes dropped EXE
PID: 1752
-
C:\Windows\SysWOW64\Pamiog32.exe (level 47)
Command line: C:\Windows\system32\Pamiog32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 1724
-
C:\Windows\SysWOW64\Pfjbgnme.exe (level 48)
Command line: C:\Windows\system32\Pfjbgnme.exe
- Executes dropped EXE
PID: 2140
-
C:\Windows\SysWOW64\Pgioaa32.exe (level 49)
Command line: C:\Windows\system32\Pgioaa32.exe
- Executes dropped EXE
PID: 1716
-
C:\Windows\SysWOW64\Pjhknm32.exe (level 50)
Command line: C:\Windows\system32\Pjhknm32.exe
- Executes dropped EXE
PID: 960
-
C:\Windows\SysWOW64\Qmfgjh32.exe (level 51)
Command line: C:\Windows\system32\Qmfgjh32.exe
- Executes dropped EXE
PID: 1060
-
C:\Windows\SysWOW64\Qfokbnip.exe (level 52)
Command line: C:\Windows\system32\Qfokbnip.exe
- Executes dropped EXE
PID: 1580
-
C:\Windows\SysWOW64\Qmicohqm.exe (level 53)
Command line: C:\Windows\system32\Qmicohqm.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 2996
-
C:\Windows\SysWOW64\Qfahhm32.exe (level 54)
Command line: C:\Windows\system32\Qfahhm32.exe
- Executes dropped EXE
PID: 2284
-
C:\Windows\SysWOW64\Apimacnn.exe (level 55)
Command line: C:\Windows\system32\Apimacnn.exe
- Executes dropped EXE
PID: 1588
-
C:\Windows\SysWOW64\Afcenm32.exe (level 56)
Command line: C:\Windows\system32\Afcenm32.exe
- Executes dropped EXE
PID: 2292
-
C:\Windows\SysWOW64\Ahdaee32.exe (level 57)
Command line: C:\Windows\system32\Ahdaee32.exe
- Executes dropped EXE
- Drops file in System32 directory
PID: 548
-
C:\Windows\SysWOW64\Anojbobe.exe (level 58)
Command line: C:\Windows\system32\Anojbobe.exe
- Executes dropped EXE
PID: 2764
-
C:\Windows\SysWOW64\Ajejgp32.exe (level 59)
Command line: C:\Windows\system32\Ajejgp32.exe
- Executes dropped EXE
- Modifies registry class
PID: 2792
-
C:\Windows\SysWOW64\Aekodi32.exe (level 60)
Command line: C:\Windows\system32\Aekodi32.exe
- Executes dropped EXE
- Drops file in System32 directory
PID: 2560
-
C:\Windows\SysWOW64\Amfcikek.exe (level 61)
Command line: C:\Windows\system32\Amfcikek.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID: 1520
-
C:\Windows\SysWOW64\Adpkee32.exe (level 62)
Command line: C:\Windows\system32\Adpkee32.exe
- Executes dropped EXE
PID: 2544
-
C:\Windows\SysWOW64\Bpgljfbl.exe (level 63)
Command line: C:\Windows\system32\Bpgljfbl.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 1660
-
C:\Windows\SysWOW64\Bhndldcn.exe (level 64)
Command line: C:\Windows\system32\Bhndldcn.exe
- Executes dropped EXE
PID: 1328
-
C:\Windows\SysWOW64\Bioqclil.exe (level 65)
Command line: C:\Windows\system32\Bioqclil.exe
- Executes dropped EXE
PID: 1320
-
C:\Windows\SysWOW64\Bfcampgf.exe (level 66)
Command line: C:\Windows\system32\Bfcampgf.exe
PID: 2952
-
C:\Windows\SysWOW64\Bkommo32.exe (level 67)
Command line: C:\Windows\system32\Bkommo32.exe
PID: 316
-
C:\Windows\SysWOW64\Bdgafdfp.exe (level 68)
Command line: C:\Windows\system32\Bdgafdfp.exe
PID: 540
-
C:\Windows\SysWOW64\Bfenbpec.exe (level 69)
Command line: C:\Windows\system32\Bfenbpec.exe
PID: 552
-
C:\Windows\SysWOW64\Boqbfb32.exe (level 70)
Command line: C:\Windows\system32\Boqbfb32.exe
PID: 1036
-
C:\Windows\SysWOW64\Bekkcljk.exe (level 71)
Command line: C:\Windows\system32\Bekkcljk.exe
PID: 328
-
C:\Windows\SysWOW64\Bbokmqie.exe (level 72)
Command line: C:\Windows\system32\Bbokmqie.exe
- Modifies registry class
PID: 1160
-
C:\Windows\SysWOW64\Biicik32.exe (level 73)
Command line: C:\Windows\system32\Biicik32.exe
PID: 1384
-
C:\Windows\SysWOW64\Cadhnmnm.exe (level 74)
Command line: C:\Windows\system32\Cadhnmnm.exe
PID: 1540
-
C:\Windows\SysWOW64\Cdbdjhmp.exe (level 75)
Command line: C:\Windows\system32\Cdbdjhmp.exe
PID: 1636
-
C:\Windows\SysWOW64\Clilkfnb.exe (level 76)
Command line: C:\Windows\system32\Clilkfnb.exe
PID: 1708
-
C:\Windows\SysWOW64\Cpkbdiqb.exe (level 77)
Command line: C:\Windows\system32\Cpkbdiqb.exe
PID: 2144
-
C:\Windows\SysWOW64\Cgejac32.exe (level 78)
Command line: C:\Windows\system32\Cgejac32.exe
PID: 2176
-
C:\Windows\SysWOW64\Cnobnmpl.exe (level 79)
Command line: C:\Windows\system32\Cnobnmpl.exe
PID: 2244
-
C:\Windows\SysWOW64\Cdikkg32.exe (level 80)
Command line: C:\Windows\system32\Cdikkg32.exe
PID: 2708
-
C:\Windows\SysWOW64\Cnaocmmi.exe (level 81)
Command line: C:\Windows\system32\Cnaocmmi.exe
PID: 2596
-
C:\Windows\SysWOW64\Dgjclbdi.exe (level 82)
Command line: C:\Windows\system32\Dgjclbdi.exe
PID: 1640
-
C:\Windows\SysWOW64\Dndlim32.exe (level 83)
Command line: C:\Windows\system32\Dndlim32.exe
PID: 2428
-
C:\Windows\SysWOW64\Dglpbbbg.exe (level 84)
Command line: C:\Windows\system32\Dglpbbbg.exe
PID: 2616
-
C:\Windows\SysWOW64\Dpeekh32.exe (level 85)
Command line: C:\Windows\system32\Dpeekh32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2892
-
C:\Windows\SysWOW64\Dbfabp32.exe (level 86)
Command line: C:\Windows\system32\Dbfabp32.exe
PID: 1448
-
C:\Windows\SysWOW64\Dlkepi32.exe (level 87)
Command line: C:\Windows\system32\Dlkepi32.exe
- Drops file in System32 directory
- Modifies registry class
PID: 2528
-
C:\Windows\SysWOW64\Dfdjhndl.exe (level 88)
Command line: C:\Windows\system32\Dfdjhndl.exe
PID: 480
-
C:\Windows\SysWOW64\Dbkknojp.exe (level 89)
Command line: C:\Windows\system32\Dbkknojp.exe
- Modifies registry class
PID: 592
-
C:\Windows\SysWOW64\Dggcffhg.exe (level 90)
Command line: C:\Windows\system32\Dggcffhg.exe
PID: 1092
-
C:\Windows\SysWOW64\Edkcojga.exe (level 91)
Command line: C:\Windows\system32\Edkcojga.exe
PID: 1344
-
C:\Windows\SysWOW64\Endhhp32.exe (level 92)
Command line: C:\Windows\system32\Endhhp32.exe
- Drops file in System32 directory
PID: 2356
-
C:\Windows\SysWOW64\Ecqqpgli.exe (level 93)
Command line: C:\Windows\system32\Ecqqpgli.exe
PID: 1988
-
C:\Windows\SysWOW64\Emieil32.exe (level 94)
Command line: C:\Windows\system32\Emieil32.exe
PID: 2248
-
C:\Windows\SysWOW64\Ejmebq32.exe (level 95)
Command line: C:\Windows\system32\Ejmebq32.exe
PID: 1572
-
C:\Windows\SysWOW64\Eojnkg32.exe (level 96)
Command line: C:\Windows\system32\Eojnkg32.exe
PID: 1316
-
C:\Windows\SysWOW64\Ejobhppq.exe (level 97)
Command line: C:\Windows\system32\Ejobhppq.exe
- Drops file in System32 directory
PID: 2612
-
C:\Windows\SysWOW64\Effcma32.exe (level 98)
Command line: C:\Windows\system32\Effcma32.exe
PID: 2204
-
C:\Windows\SysWOW64\Fmpkjkma.exe (level 99)
Command line: C:\Windows\system32\Fmpkjkma.exe
PID: 2644
-
C:\Windows\SysWOW64\Fbmcbbki.exe (level 100)
Command line: C:\Windows\system32\Fbmcbbki.exe
PID: 3044
-
C:\Windows\SysWOW64\Figlolbf.exe (level 101)
Command line: C:\Windows\system32\Figlolbf.exe
PID: 1312
-
C:\Windows\SysWOW64\Fncdgcqm.exe (level 102)
Command line: C:\Windows\system32\Fncdgcqm.exe
PID: 672
-
C:\Windows\SysWOW64\Fnfamcoj.exe (level 103)
Command line: C:\Windows\system32\Fnfamcoj.exe
PID: 340
-
C:\Windows\SysWOW64\Fikejl32.exe (level 104)
Command line: C:\Windows\system32\Fikejl32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 1632
-
C:\Windows\SysWOW64\Fcefji32.exe (level 105)
Command line: C:\Windows\system32\Fcefji32.exe
PID: 1868
-
C:\Windows\SysWOW64\Fnkjhb32.exe (level 106)
Command line: C:\Windows\system32\Fnkjhb32.exe
PID: 2256
-
C:\Windows\SysWOW64\Gedbdlbb.exe (level 107)
Command line: C:\Windows\system32\Gedbdlbb.exe
PID: 1864
-
C:\Windows\SysWOW64\Gnmgmbhb.exe (level 108)
Command line: C:\Windows\system32\Gnmgmbhb.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2660
-
C:\Windows\SysWOW64\Gpncej32.exe (level 109)
Command line: C:\Windows\system32\Gpncej32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2380
-
C:\Windows\SysWOW64\Gjdhbc32.exe (level 110)
Command line: C:\Windows\system32\Gjdhbc32.exe
- Modifies registry class
PID: 2912
-
C:\Windows\SysWOW64\Gmdadnkh.exe (level 111)
Command line: C:\Windows\system32\Gmdadnkh.exe
PID: 2172
-
C:\Windows\SysWOW64\Gpcmpijk.exe (level 112)
Command line: C:\Windows\system32\Gpcmpijk.exe
- Drops file in System32 directory
PID: 2876
-
C:\Windows\SysWOW64\Gfmemc32.exe (level 113)
Command line: C:\Windows\system32\Gfmemc32.exe
PID: 2908
-
C:\Windows\SysWOW64\Gljnej32.exe (level 114)
Command line: C:\Windows\system32\Gljnej32.exe
- Modifies registry class
PID: 1604
-
C:\Windows\SysWOW64\Gohjaf32.exe (level 115)
Command line: C:\Windows\system32\Gohjaf32.exe
PID: 796
-
C:\Windows\SysWOW64\Ghqnjk32.exe (level 116)
Command line: C:\Windows\system32\Ghqnjk32.exe
PID: 2884
-
C:\Windows\SysWOW64\Hhckpk32.exe (level 117)
Command line: C:\Windows\system32\Hhckpk32.exe
PID: 404
-
C:\Windows\SysWOW64\Homclekn.exe (level 118)
Command line: C:\Windows\system32\Homclekn.exe
PID: 1356
-
C:\Windows\SysWOW64\Hakphqja.exe (level 119)
Command line: C:\Windows\system32\Hakphqja.exe
- Drops file in System32 directory
- Modifies registry class
PID: 1772
-
C:\Windows\SysWOW64\Hoopae32.exe (level 120)
Command line: C:\Windows\system32\Hoopae32.exe
PID: 2304
-
C:\Windows\SysWOW64\Hanlnp32.exe (level 121)
Command line: C:\Windows\system32\Hanlnp32.exe
PID: 2260
-
C:\Windows\SysWOW64\Hmdmcanc.exe (level 122)
Command line: C:\Windows\system32\Hmdmcanc.exe
- Drops file in System32 directory
PID: 2704
-
C:\Windows\SysWOW64\Hgmalg32.exe (level 123)
Command line: C:\Windows\system32\Hgmalg32.exe
PID: 2096
-
C:\Windows\SysWOW64\Hmfjha32.exe (level 124)
Command line: C:\Windows\system32\Hmfjha32.exe
PID: 2580
-
C:\Windows\SysWOW64\Hpefdl32.exe (level 125)
Command line: C:\Windows\system32\Hpefdl32.exe
PID: 1552
-
C:\Windows\SysWOW64\Iccbqh32.exe (level 126)
Command line: C:\Windows\system32\Iccbqh32.exe
PID: 2900
-
C:\Windows\SysWOW64\Inifnq32.exe (level 127)
Command line: C:\Windows\system32\Inifnq32.exe
PID: 1288
-
C:\Windows\SysWOW64\Iedkbc32.exe (level 128)
Command line: C:\Windows\system32\Iedkbc32.exe
- Modifies registry class
PID: 2276
-
C:\Windows\SysWOW64\Inkccpgk.exe (level 129)
Command line: C:\Windows\system32\Inkccpgk.exe
PID: 776
-
C:\Windows\SysWOW64\Igchlf32.exe (level 130)
Command line: C:\Windows\system32\Igchlf32.exe
PID: 2308
-
C:\Windows\SysWOW64\Ieidmbcc.exe (level 131)
Command line: C:\Windows\system32\Ieidmbcc.exe
PID: 2368
-
C:\Windows\SysWOW64\Ikfmfi32.exe (level 132)
Command line: C:\Windows\system32\Ikfmfi32.exe
PID: 2540
-
C:\Windows\SysWOW64\Idnaoohk.exe (level 133)
Command line: C:\Windows\system32\Idnaoohk.exe
PID: 2384
-
C:\Windows\SysWOW64\Ikhjki32.exe (level 134)
Command line: C:\Windows\system32\Ikhjki32.exe
PID: 2772
-
C:\Windows\SysWOW64\Jnffgd32.exe (level 135)
Command line: C:\Windows\system32\Jnffgd32.exe
PID: 2572
-
C:\Windows\SysWOW64\Jhljdm32.exe (level 136)
Command line: C:\Windows\system32\Jhljdm32.exe
PID: 2656
-
C:\Windows\SysWOW64\Jdbkjn32.exe (level 137)
Command line: C:\Windows\system32\Jdbkjn32.exe
PID: 1516
-
C:\Windows\SysWOW64\Jjpcbe32.exe (level 138)
Command line: C:\Windows\system32\Jjpcbe32.exe
PID: 816
-
C:\Windows\SysWOW64\Jchhkjhn.exe (level 139)
Command line: C:\Windows\system32\Jchhkjhn.exe
PID: 1820
-
C:\Windows\SysWOW64\Jnmlhchd.exe (level 140)
Command line: C:\Windows\system32\Jnmlhchd.exe
PID: 956
-
C:\Windows\SysWOW64\Jdgdempa.exe (level 141)
Command line: C:\Windows\system32\Jdgdempa.exe
PID: 1000
-
C:\Windows\SysWOW64\Jfiale32.exe (level 142)
Command line: C:\Windows\system32\Jfiale32.exe
PID: 904
-
C:\Windows\SysWOW64\Jmbiipml.exe (level 143)
Command line: C:\Windows\system32\Jmbiipml.exe
PID: 2760
-
C:\Windows\SysWOW64\Kocbkk32.exe (level 144)
Command line: C:\Windows\system32\Kocbkk32.exe
PID: 2836
-
C:\Windows\SysWOW64\Kfmjgeaj.exe (level 145)
Command line: C:\Windows\system32\Kfmjgeaj.exe
PID: 2724
-
C:\Windows\SysWOW64\Kmgbdo32.exe (level 146)
Command line: C:\Windows\system32\Kmgbdo32.exe
PID: 1804
-
C:\Windows\SysWOW64\Kcakaipc.exe (level 147)
Command line: C:\Windows\system32\Kcakaipc.exe
PID: 3008
-
C:\Windows\SysWOW64\Knklagmb.exe (level 148)
Command line: C:\Windows\system32\Knklagmb.exe
PID: 2120
-
C:\Windows\SysWOW64\Keednado.exe (level 149)
Command line: C:\Windows\system32\Keednado.exe
PID: 2488
-
C:\Windows\SysWOW64\Kaldcb32.exe (level 150)
Command line: C:\Windows\system32\Kaldcb32.exe
PID: 2768
-
C:\Windows\SysWOW64\Kkaiqk32.exe (level 151)
Command line: C:\Windows\system32\Kkaiqk32.exe
PID: 2588
-
C:\Windows\SysWOW64\Lghjel32.exe (level 152)
Command line: C:\Windows\system32\Lghjel32.exe
PID: 1444
-
C:\Windows\SysWOW64\Lnbbbffj.exe (level 153)
Command line: C:\Windows\system32\Lnbbbffj.exe
PID: 1952
-
C:\Windows\SysWOW64\Leljop32.exe (level 154)
Command line: C:\Windows\system32\Leljop32.exe
PID: 2516
-
C:\Windows\SysWOW64\Lgjfkk32.exe (level 155)
Command line: C:\Windows\system32\Lgjfkk32.exe
PID: 640
-
C:\Windows\SysWOW64\Lpekon32.exe (level 156)
Command line: C:\Windows\system32\Lpekon32.exe
PID: 1592
-
C:\Windows\SysWOW64\Lfpclh32.exe (level 157)
Command line: C:\Windows\system32\Lfpclh32.exe
PID: 2776
-
C:\Windows\SysWOW64\Laegiq32.exe (level 158)
Command line: C:\Windows\system32\Laegiq32.exe
- Drops file in System32 directory
PID: 2856
-
C:\Windows\SysWOW64\Lbfdaigg.exe (level 159)
Command line: C:\Windows\system32\Lbfdaigg.exe
PID: 1608
-
C:\Windows\SysWOW64\Lfdmggnm.exe (level 160)
Command line: C:\Windows\system32\Lfdmggnm.exe
PID: 3012
-
C:\Windows\SysWOW64\Libicbma.exe (level 161)
Command line: C:\Windows\system32\Libicbma.exe
PID: 2944
-
C:\Windows\SysWOW64\Mieeibkn.exe (level 162)
Command line: C:\Windows\system32\Mieeibkn.exe
- Drops file in System32 directory
PID: 1732
-
C:\Windows\SysWOW64\Mbmjah32.exe (level 163)
Command line: C:\Windows\system32\Mbmjah32.exe
PID: 2804
-
C:\Windows\SysWOW64\Mhjbjopf.exe (level 164)
Command line: C:\Windows\system32\Mhjbjopf.exe
PID: 1504
-
C:\Windows\SysWOW64\Mdacop32.exe (level 165)
Command line: C:\Windows\system32\Mdacop32.exe
- Drops file in System32 directory
PID: 2744
-
C:\Windows\SysWOW64\Mlhkpm32.exe (level 166)
Command line: C:\Windows\system32\Mlhkpm32.exe
- Modifies registry class
PID: 2756
-
C:\Windows\SysWOW64\Maedhd32.exe (level 167)
Command line: C:\Windows\system32\Maedhd32.exe
PID: 2080
-
C:\Windows\SysWOW64\Mdcpdp32.exe (level 168)
Command line: C:\Windows\system32\Mdcpdp32.exe
PID: 1992
-
C:\Windows\SysWOW64\Magqncba.exe (level 169)
Command line: C:\Windows\system32\Magqncba.exe
PID: 580
-
C:\Windows\SysWOW64\Ngdifkpi.exe (level 170)
Command line: C:\Windows\system32\Ngdifkpi.exe
PID: 1248
-
C:\Windows\SysWOW64\Nibebfpl.exe (level 171)
Command line: C:\Windows\system32\Nibebfpl.exe
PID: 2728
-
C:\Windows\SysWOW64\Nplmop32.exe (level 172)
Command line: C:\Windows\system32\Nplmop32.exe
PID: 2480
-
C:\Windows\SysWOW64\Npojdpef.exe (level 173)
Command line: C:\Windows\system32\Npojdpef.exe
PID: 1808
-
C:\Windows\SysWOW64\Ngibaj32.exe (level 174)
Command line: C:\Windows\system32\Ngibaj32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 896
-
C:\Windows\SysWOW64\Nlekia32.exe (level 175)
Command line: C:\Windows\system32\Nlekia32.exe
PID: 1944
-
C:\Windows\SysWOW64\Ngkogj32.exe (level 176)
Command line: C:\Windows\system32\Ngkogj32.exe
PID: 1584
-
C:\Windows\SysWOW64\Npccpo32.exe (level 177)
Command line: C:\Windows\system32\Npccpo32.exe
PID: 3000
-
C:\Windows\SysWOW64\Nilhhdga.exe (level 178)
Command line: C:\Windows\system32\Nilhhdga.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 1788
-
C:\Windows\SysWOW64\Ocdmaj32.exe (level 179)
Command line: C:\Windows\system32\Ocdmaj32.exe
PID: 2752
-
C:\Windows\SysWOW64\Oebimf32.exe (level 180)
Command line: C:\Windows\system32\Oebimf32.exe
- Drops file in System32 directory
PID: 1956
-
C:\Windows\SysWOW64\Ocfigjlp.exe (level 181)
Command line: C:\Windows\system32\Ocfigjlp.exe
PID: 928
-
C:\Windows\SysWOW64\Ohcaoajg.exe (level 182)
Command line: C:\Windows\system32\Ohcaoajg.exe
PID: 2980
-
C:\Windows\SysWOW64\Oalfhf32.exe (level 183)
Command line: C:\Windows\system32\Oalfhf32.exe
PID: 2924
-
C:\Windows\SysWOW64\Odjbdb32.exe (level 184)
Command line: C:\Windows\system32\Odjbdb32.exe
PID: 808
-
C:\Windows\SysWOW64\Oancnfoe.exe (level 185)
Command line: C:\Windows\system32\Oancnfoe.exe
PID: 1280
-
C:\Windows\SysWOW64\Odlojanh.exe (level 186)
Command line: C:\Windows\system32\Odlojanh.exe
PID: 2152
-
C:\Windows\SysWOW64\Oappcfmb.exe (level 187)
Command line: C:\Windows\system32\Oappcfmb.exe
PID: 3040
-
C:\Windows\SysWOW64\Odoloalf.exe (level 188)
Command line: C:\Windows\system32\Odoloalf.exe
PID: 2148
-
C:\Windows\SysWOW64\Pmjqcc32.exe (level 189)
Command line: C:\Windows\system32\Pmjqcc32.exe
PID: 1744
-
C:\Windows\SysWOW64\Pdaheq32.exe (level 190)
Command line: C:\Windows\system32\Pdaheq32.exe
- Drops file in System32 directory
PID: 2412
-
C:\Windows\SysWOW64\Pmlmic32.exe (level 191)
Command line: C:\Windows\system32\Pmlmic32.exe
- Drops file in System32 directory
PID: 684
-
C:\Windows\SysWOW64\Pokieo32.exe (level 192)
Command line: C:\Windows\system32\Pokieo32.exe
- Modifies registry class
PID: 2128
-
C:\Windows\SysWOW64\Pjpnbg32.exe (level 193)
Command line: C:\Windows\system32\Pjpnbg32.exe
PID: 2452
-
C:\Windows\SysWOW64\Pmojocel.exe (level 194)
Command line: C:\Windows\system32\Pmojocel.exe
PID: 916
-
C:\Windows\SysWOW64\Pfgngh32.exe (level 195)
Command line: C:\Windows\system32\Pfgngh32.exe
PID: 2592
-
C:\Windows\SysWOW64\Pmagdbci.exe (level 196)
Command line: C:\Windows\system32\Pmagdbci.exe
PID: 1108
-
C:\Windows\SysWOW64\Pfikmh32.exe (level 197)
Command line: C:\Windows\system32\Pfikmh32.exe
PID: 2696
-
C:\Windows\SysWOW64\Pihgic32.exe (level 198)
Command line: C:\Windows\system32\Pihgic32.exe
- Modifies registry class
PID: 944
-
C:\Windows\SysWOW64\Qbplbi32.exe (level 199)
Command line: C:\Windows\system32\Qbplbi32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 3100
-
C:\Windows\SysWOW64\Qeohnd32.exe (level 200)
Command line: C:\Windows\system32\Qeohnd32.exe
PID: 3140
-
C:\Windows\SysWOW64\Qqeicede.exe (level 201)
Command line: C:\Windows\system32\Qqeicede.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 3180
-
C:\Windows\SysWOW64\Qiladcdh.exe (level 202)
Command line: C:\Windows\system32\Qiladcdh.exe
PID: 3220
-
C:\Windows\SysWOW64\Aaheie32.exe (level 203)
Command line: C:\Windows\system32\Aaheie32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 3260
-
C:\Windows\SysWOW64\Aganeoip.exe (level 204)
Command line: C:\Windows\system32\Aganeoip.exe
PID: 3300
-
C:\Windows\SysWOW64\Achojp32.exe (level 205)
Command line: C:\Windows\system32\Achojp32.exe
PID: 3340
-
C:\Windows\SysWOW64\Afgkfl32.exe (level 206)
Command line: C:\Windows\system32\Afgkfl32.exe
PID: 3380
-
C:\Windows\SysWOW64\Agfgqo32.exe (level 207)
Command line: C:\Windows\system32\Agfgqo32.exe
PID: 3424
-
C:\Windows\SysWOW64\Aigchgkh.exe (level 208)
Command line: C:\Windows\system32\Aigchgkh.exe
PID: 3464
-
C:\Windows\SysWOW64\Acmhepko.exe (level 209)
Command line: C:\Windows\system32\Acmhepko.exe
PID: 3504
-
C:\Windows\SysWOW64\Afkdakjb.exe (level 210)
Command line: C:\Windows\system32\Afkdakjb.exe
PID: 3544
-
C:\Windows\SysWOW64\Apdhjq32.exe (level 211)
Command line: C:\Windows\system32\Apdhjq32.exe
PID: 3584
-
C:\Windows\SysWOW64\Abbeflpf.exe (level 212)
Command line: C:\Windows\system32\Abbeflpf.exe
PID: 3624
-
C:\Windows\SysWOW64\Bmhideol.exe (level 213)
Command line: C:\Windows\system32\Bmhideol.exe
PID: 3664
-
C:\Windows\SysWOW64\Blkioa32.exe (level 214)
Command line: C:\Windows\system32\Blkioa32.exe
PID: 3704
-
C:\Windows\SysWOW64\Biojif32.exe (level 215)
Command line: C:\Windows\system32\Biojif32.exe
PID: 3744
-
C:\Windows\SysWOW64\Bhajdblk.exe (level 216)
Command line: C:\Windows\system32\Bhajdblk.exe
PID: 3784
-
C:\Windows\SysWOW64\Biafnecn.exe (level 217)
Command line: C:\Windows\system32\Biafnecn.exe
PID: 3824
-
C:\Windows\SysWOW64\Blobjaba.exe (level 218)
Command line: C:\Windows\system32\Blobjaba.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID: 3864
-
C:\Windows\SysWOW64\Behgcf32.exe (level 219)
Command line: C:\Windows\system32\Behgcf32.exe
PID: 3904
-
C:\Windows\SysWOW64\Bhfcpb32.exe (level 220)
Command line: C:\Windows\system32\Bhfcpb32.exe
PID: 3944
-
C:\Windows\SysWOW64\Baohhgnf.exe (level 221)
Command line: C:\Windows\system32\Baohhgnf.exe
PID: 3984
-
C:\Windows\SysWOW64\Bhhpeafc.exe (level 222)
Command line: C:\Windows\system32\Bhhpeafc.exe
PID: 4024
-
C:\Windows\SysWOW64\Cpceidcn.exe (level 223)
Command line: C:\Windows\system32\Cpceidcn.exe
PID: 4064
-
C:\Windows\SysWOW64\Chkmkacq.exe (level 224)
Command line: C:\Windows\system32\Chkmkacq.exe
PID: 2552
-
C:\Windows\SysWOW64\Cpfaocal.exe (level 225)
Command line: C:\Windows\system32\Cpfaocal.exe
PID: 3084
-
C:\Windows\SysWOW64\Cgpjlnhh.exe (level 226)
Command line: C:\Windows\system32\Cgpjlnhh.exe
PID: 3156
-
C:\Windows\SysWOW64\Clmbddgp.exe (level 227)
Command line: C:\Windows\system32\Clmbddgp.exe
PID: 3196
-
C:\Windows\SysWOW64\Cbgjqo32.exe (level 228)
Command line: C:\Windows\system32\Cbgjqo32.exe
PID: 3244
-
C:\Windows\SysWOW64\Cpkkjc32.exe (level 229)
Command line: C:\Windows\system32\Cpkkjc32.exe
PID: 3288
-
C:\Windows\SysWOW64\Conkepdq.exe (level 230)
Command line: C:\Windows\system32\Conkepdq.exe
- Drops file in System32 directory
PID: 3348
-
C:\Windows\SysWOW64\Clalod32.exe (level 231)
Command line: C:\Windows\system32\Clalod32.exe
PID: 3356
-
C:\Windows\SysWOW64\Cckdlnjg.exe (level 232)
Command line: C:\Windows\system32\Cckdlnjg.exe
- Drops file in System32 directory
PID: 3436
-
C:\Windows\SysWOW64\Dldhdc32.exe (level 233)
Command line: C:\Windows\system32\Dldhdc32.exe
PID: 3496
-
C:\Windows\SysWOW64\Dcnqanhd.exe (level 234)
Command line: C:\Windows\system32\Dcnqanhd.exe
PID: 3560
-
C:\Windows\SysWOW64\Dlfejcoe.exe (level 235)
Command line: C:\Windows\system32\Dlfejcoe.exe
PID: 3604
-
C:\Windows\SysWOW64\Dodafoni.exe (level 236)
Command line: C:\Windows\system32\Dodafoni.exe
PID: 3648
-
C:\Windows\SysWOW64\Dgpfkakd.exe (level 237)
Command line: C:\Windows\system32\Dgpfkakd.exe
PID: 3700
-
C:\Windows\SysWOW64\Dnjngk32.exe (level 238)
Command line: C:\Windows\system32\Dnjngk32.exe
- Modifies registry class
PID: 3752
-
C:\Windows\SysWOW64\Dknoaoaj.exe (level 239)
Command line: C:\Windows\system32\Dknoaoaj.exe
PID: 3756
-
C:\Windows\SysWOW64\Dnlkmkpn.exe (level 240)
Command line: C:\Windows\system32\Dnlkmkpn.exe
PID: 3852
-
C:\Windows\SysWOW64\Djclbl32.exe (level 241)
Command line: C:\Windows\system32\Djclbl32.exe
PID: 3844
-
C:\Windows\SysWOW64\Dlahng32.exe (level 242)
Command line: C:\Windows\system32\Dlahng32.exe
PID: 3960
C:\Windows\SysWOW64\Dlahng32.exeC:\Windows\system32\Dlahng32.exe242⤵PID:3960