Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
13-06-2024 23:26
Static task
static1
Behavioral task
behavioral1
Sample
8fff6c153edff0ccc2cbaa8ae517f510_NeikiAnalytics.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
8fff6c153edff0ccc2cbaa8ae517f510_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
8fff6c153edff0ccc2cbaa8ae517f510_NeikiAnalytics.exe
-
Size
80KB
-
MD5
8fff6c153edff0ccc2cbaa8ae517f510
-
SHA1
831d5499224ab914f586652516822fb1a0ebe293
-
SHA256
8891eb2cf8baf7fe366ccf97bfb2517927565d2e3e87ff22d928f06e3e5ae9ca
-
SHA512
d408d302f39d21599d79b08d43f5f9c92437a3f32bd306befb7d9d101363ddea611d382f3f84c234b7a23c2cb0d27894e372ad5e13ea570014d6f1e342807610
-
SSDEEP
1536:UlXipVzU41m3l9ChI4qtZqmCqx2LMwS5DUHRbPa9b6i+sIk:UlXipVz/I3l0hIbZqm9KjS5DSCopsIk
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Apajlhka.exeJnhqdkde.exeMcodno32.exeNfkpdn32.exePgobhcac.exeAmhpnkch.exeMgfgdn32.exeNjkfpl32.exeOclilp32.exeAjjcbpdd.exeIbocjk32.exeIfnechbj.exeJqfffqpm.exePclfkc32.exeAlhjai32.exeEjbfhfaj.exeIfcbodli.exeLijjoe32.exeNdmjedoi.exeDoehqead.exeKegnkh32.exeMlgigdoh.exeEajaoq32.exeGieojq32.exePnjdhmdo.exeChpmpg32.exeMhjpaf32.exeNnbhek32.exeBdlblj32.exeOmdneebf.exeJnkmjk32.exeFiaeoang.exeNkiogn32.exeObkdonic.exeFejgko32.exePnajilng.exeJclomamd.exeFmcoja32.exeFmjejphb.exeNhkbkc32.exeKmmcjehm.exeNaajoinb.exeEplkpgnh.exeNmjblg32.exeDbehoa32.exeEqonkmdh.exeGbkgnfbd.exeMpdnkb32.exeBldcpf32.exeLmkfei32.exePfdpip32.exeCndbcc32.exeFdapak32.exeDhpiojfb.exeLkmjin32.exeGaemjbcg.exeIjgdngmf.exeJfqahgpg.exeChnqkg32.exeCnkicn32.exeCllpkl32.exeEalnephf.exeGfefiemq.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apajlhka.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnhqdkde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcodno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfkpdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgobhcac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amhpnkch.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgfgdn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njkfpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oclilp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajjcbpdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibocjk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifnechbj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqfffqpm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pclfkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alhjai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejbfhfaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifcbodli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lijjoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndmjedoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Doehqead.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kegnkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlgigdoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eajaoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gieojq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnjdhmdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chpmpg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhjpaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnbhek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdlblj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omdneebf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnkmjk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fiaeoang.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndmjedoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkiogn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obkdonic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fejgko32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnajilng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jclomamd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmcoja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmjejphb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhkbkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmmcjehm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Naajoinb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eplkpgnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmjblg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbehoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqonkmdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbkgnfbd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpdnkb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bldcpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmkfei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfdpip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cndbcc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdapak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhpiojfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkmjin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gaemjbcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijgdngmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfqahgpg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chnqkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnkicn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cllpkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ealnephf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfefiemq.exe -
Executes dropped EXE 64 IoCs
Processes:
Imnafd32.exeIjaapifk.exeIbmfdkcf.exeIjdnehci.exeIkekmq32.exeIbocjk32.exeIiikfehq.exeIoccco32.exeIbapoj32.exeJgnhga32.exeJnhqdkde.exeJagmpg32.exeJklanp32.exeJnkmjk32.exeJcgfbb32.exeJnmjok32.exeJakfkfpc.exeJcjbgaog.exeJjdkdl32.exeJmbgpg32.exeJclomamd.exeJjfgjk32.exeJmdcfg32.exeKcolba32.exeKbalnnam.exeKmgpkfab.exeKpemgbqf.exeKebepion.exeKmimafop.exeKfaajlfp.exeKedaeh32.exeKomfnnck.exeKakbjibo.exeKegnkh32.exeKoocdnai.exeKeikqhhe.exeKdlkld32.exeLekhfgfc.exeLpeifeca.exeLdqegd32.exeLgoacojo.exeLadeqhjd.exeLkmjin32.exeLmkfei32.exeLpjbad32.exeLefkjkmc.exeLibgjj32.exeLplogdmj.exeLoooca32.exeMgfgdn32.exeMidcpj32.exeMhgclfje.exeMpolmdkg.exeMcmhiojk.exeMekdekin.exeMhjpaf32.exeMlelaeqk.exeMochnppo.exeMcodno32.exeMdqafgnf.exeMlgigdoh.exeMnieom32.exeMadapkmp.exeMdcnlglc.exepid process 2756 Imnafd32.exe 2768 Ijaapifk.exe 1808 Ibmfdkcf.exe 2908 Ijdnehci.exe 2624 Ikekmq32.exe 2220 Ibocjk32.exe 1420 Iiikfehq.exe 2748 Ioccco32.exe 1888 Ibapoj32.exe 2388 Jgnhga32.exe 1984 Jnhqdkde.exe 1144 Jagmpg32.exe 1660 Jklanp32.exe 1460 Jnkmjk32.exe 1804 Jcgfbb32.exe 2972 Jnmjok32.exe 324 Jakfkfpc.exe 1116 Jcjbgaog.exe 1160 Jjdkdl32.exe 2472 Jmbgpg32.exe 2072 Jclomamd.exe 1940 Jjfgjk32.exe 1192 Jmdcfg32.exe 1724 Kcolba32.exe 3012 Kbalnnam.exe 2884 Kmgpkfab.exe 1600 Kpemgbqf.exe 2780 Kebepion.exe 2700 Kmimafop.exe 2656 Kfaajlfp.exe 2836 Kedaeh32.exe 2736 Komfnnck.exe 3048 Kakbjibo.exe 2816 Kegnkh32.exe 792 Koocdnai.exe 1784 Keikqhhe.exe 1252 Kdlkld32.exe 1148 Lekhfgfc.exe 2216 Lpeifeca.exe 1088 Ldqegd32.exe 2224 Lgoacojo.exe 2356 Ladeqhjd.exe 2284 Lkmjin32.exe 1504 Lmkfei32.exe 1508 Lpjbad32.exe 2568 Lefkjkmc.exe 672 Libgjj32.exe 1396 Lplogdmj.exe 2268 Loooca32.exe 1372 Mgfgdn32.exe 1604 Midcpj32.exe 3004 Mhgclfje.exe 2724 Mpolmdkg.exe 2728 Mcmhiojk.exe 2608 Mekdekin.exe 2600 Mhjpaf32.exe 3028 Mlelaeqk.exe 2804 Mochnppo.exe 2260 Mcodno32.exe 1512 Mdqafgnf.exe 2420 Mlgigdoh.exe 1652 Mnieom32.exe 2108 Madapkmp.exe 320 Mdcnlglc.exe -
Loads dropped DLL 64 IoCs
Processes:
8fff6c153edff0ccc2cbaa8ae517f510_NeikiAnalytics.exeImnafd32.exeIjaapifk.exeIbmfdkcf.exeIjdnehci.exeIkekmq32.exeIbocjk32.exeIiikfehq.exeIoccco32.exeIbapoj32.exeJgnhga32.exeJnhqdkde.exeJagmpg32.exeJklanp32.exeJnkmjk32.exeJcgfbb32.exeJnmjok32.exeJakfkfpc.exeJcjbgaog.exeJjdkdl32.exeJmbgpg32.exeJclomamd.exeJjfgjk32.exeJmdcfg32.exeKcolba32.exeKbalnnam.exeKmgpkfab.exeKpemgbqf.exeKebepion.exeKmimafop.exeKfaajlfp.exeKedaeh32.exepid process 2500 8fff6c153edff0ccc2cbaa8ae517f510_NeikiAnalytics.exe 2500 8fff6c153edff0ccc2cbaa8ae517f510_NeikiAnalytics.exe 2756 Imnafd32.exe 2756 Imnafd32.exe 2768 Ijaapifk.exe 2768 Ijaapifk.exe 1808 Ibmfdkcf.exe 1808 Ibmfdkcf.exe 2908 Ijdnehci.exe 2908 Ijdnehci.exe 2624 Ikekmq32.exe 2624 Ikekmq32.exe 2220 Ibocjk32.exe 2220 Ibocjk32.exe 1420 Iiikfehq.exe 1420 Iiikfehq.exe 2748 Ioccco32.exe 2748 Ioccco32.exe 1888 Ibapoj32.exe 1888 Ibapoj32.exe 2388 Jgnhga32.exe 2388 Jgnhga32.exe 1984 Jnhqdkde.exe 1984 Jnhqdkde.exe 1144 Jagmpg32.exe 1144 Jagmpg32.exe 1660 Jklanp32.exe 1660 Jklanp32.exe 1460 Jnkmjk32.exe 1460 Jnkmjk32.exe 1804 Jcgfbb32.exe 1804 Jcgfbb32.exe 2972 Jnmjok32.exe 2972 Jnmjok32.exe 324 Jakfkfpc.exe 324 Jakfkfpc.exe 1116 Jcjbgaog.exe 1116 Jcjbgaog.exe 1160 Jjdkdl32.exe 1160 Jjdkdl32.exe 2472 Jmbgpg32.exe 2472 Jmbgpg32.exe 2072 Jclomamd.exe 2072 Jclomamd.exe 1940 Jjfgjk32.exe 1940 Jjfgjk32.exe 1192 Jmdcfg32.exe 1192 Jmdcfg32.exe 1724 Kcolba32.exe 1724 Kcolba32.exe 3012 Kbalnnam.exe 3012 Kbalnnam.exe 2884 Kmgpkfab.exe 2884 Kmgpkfab.exe 1600 Kpemgbqf.exe 1600 Kpemgbqf.exe 2780 Kebepion.exe 2780 Kebepion.exe 2700 Kmimafop.exe 2700 Kmimafop.exe 2656 Kfaajlfp.exe 2656 Kfaajlfp.exe 2836 Kedaeh32.exe 2836 Kedaeh32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Omgaek32.exeDngoibmo.exePpbfpd32.exeCnaocmmi.exeDhjgal32.exeEpdkli32.exeGbnccfpb.exeLihmjejl.exePmanoifd.exeEccmffjf.exeLmkfei32.exeKgnnln32.exeLbnemk32.exeLflmci32.exeAaaoij32.exeEalnephf.exePapfegmk.exeKpemgbqf.exeOopnlacm.exeFmjejphb.exeIdceea32.exeNgfcca32.exeAlhjai32.exeFejgko32.exeGogangdc.exeNaajoinb.exeOjcecjee.exeQbbfopeg.exeCpjiajeb.exeNocnbmoo.exeQbcpbo32.exeGhkllmoi.exeIkpjgkjq.exeNjbcim32.exeEbgacddo.exeFioija32.exeEmkaol32.exeMohbip32.exeNcoamb32.exeDgdmmgpj.exeJmocpado.exeJifdebic.exeCjdfmo32.exe8fff6c153edff0ccc2cbaa8ae517f510_NeikiAnalytics.exeMlelaeqk.exeEmhlfmgj.exeNajdnj32.exeKfaajlfp.exeFmcoja32.exeCjfccn32.exeBoiccdnf.exeDjnpnc32.exeIfnechbj.exeJjojofgn.exeKfgdhjmk.exeLimfed32.exePnomcl32.exeKmgpkfab.exePmqdkj32.exeBkfjhd32.exeJbjochdi.exeLemaif32.exeNpdjje32.exedescription ioc process File created C:\Windows\SysWOW64\Nbdppp32.dll Omgaek32.exe File opened for modification C:\Windows\SysWOW64\Dbbkja32.exe Dngoibmo.exe File opened for modification C:\Windows\SysWOW64\Pgioaa32.exe Ppbfpd32.exe File opened for modification C:\Windows\SysWOW64\Cppkph32.exe Cnaocmmi.exe File created C:\Windows\SysWOW64\Mcbndm32.dll Dhjgal32.exe File created C:\Windows\SysWOW64\Jamfqeie.dll Epdkli32.exe File created C:\Windows\SysWOW64\Gelppaof.exe Gbnccfpb.exe File created C:\Windows\SysWOW64\Pdklej32.dll Lihmjejl.exe File created C:\Windows\SysWOW64\Cbnnqb32.dll Pmanoifd.exe File created C:\Windows\SysWOW64\Lbadbn32.dll Eccmffjf.exe File opened for modification C:\Windows\SysWOW64\Lpjbad32.exe Lmkfei32.exe File created C:\Windows\SysWOW64\Kjljhjkl.exe Kgnnln32.exe File created C:\Windows\SysWOW64\Lemaif32.exe Lbnemk32.exe File created C:\Windows\SysWOW64\Lijjoe32.exe Lflmci32.exe File created C:\Windows\SysWOW64\Dkjgaecj.dll Aaaoij32.exe File created C:\Windows\SysWOW64\Dlgohm32.dll Ealnephf.exe File created C:\Windows\SysWOW64\Eeoffcnl.dll Papfegmk.exe File opened for modification C:\Windows\SysWOW64\Kebepion.exe Kpemgbqf.exe File created C:\Windows\SysWOW64\Llgodg32.dll Oopnlacm.exe File created C:\Windows\SysWOW64\Flmefm32.exe Fmjejphb.exe File created C:\Windows\SysWOW64\Iknnbklc.exe Idceea32.exe File opened for modification C:\Windows\SysWOW64\Njdpomfe.exe Ngfcca32.exe File opened for modification C:\Windows\SysWOW64\Apcfahio.exe Alhjai32.exe File created C:\Windows\SysWOW64\Facklcaq.dll Fejgko32.exe File opened for modification C:\Windows\SysWOW64\Gaemjbcg.exe Gogangdc.exe File opened for modification C:\Windows\SysWOW64\Npdjje32.exe Naajoinb.exe File created C:\Windows\SysWOW64\Fgefik32.dll Ojcecjee.exe File created C:\Windows\SysWOW64\Pofgpn32.dll Qbbfopeg.exe File created C:\Windows\SysWOW64\Cciemedf.exe Cpjiajeb.exe File opened for modification C:\Windows\SysWOW64\Naajoinb.exe Nocnbmoo.exe File created C:\Windows\SysWOW64\Qjjgclai.exe Qbcpbo32.exe File created C:\Windows\SysWOW64\Glfhll32.exe Ghkllmoi.exe File created C:\Windows\SysWOW64\Inngcfid.exe Ikpjgkjq.exe File created C:\Windows\SysWOW64\Jagbha32.dll Njbcim32.exe File created C:\Windows\SysWOW64\Efjcibje.dll Ebgacddo.exe File created C:\Windows\SysWOW64\Cakqnc32.dll Fioija32.exe File created C:\Windows\SysWOW64\Lkmkpl32.dll Emkaol32.exe File opened for modification C:\Windows\SysWOW64\Mnkbdlbd.exe Mohbip32.exe File created C:\Windows\SysWOW64\Nplhpb32.dll Ncoamb32.exe File created C:\Windows\SysWOW64\Dfgmhd32.exe Dgdmmgpj.exe File created C:\Windows\SysWOW64\Jonplmcb.exe Jmocpado.exe File opened for modification C:\Windows\SysWOW64\Jkdpanhg.exe Jifdebic.exe File created C:\Windows\SysWOW64\Lnfhlh32.dll Cjdfmo32.exe File opened for modification C:\Windows\SysWOW64\Imnafd32.exe 8fff6c153edff0ccc2cbaa8ae517f510_NeikiAnalytics.exe File created C:\Windows\SysWOW64\Pfliqila.dll Mlelaeqk.exe File created C:\Windows\SysWOW64\Epfhbign.exe Emhlfmgj.exe File created C:\Windows\SysWOW64\Nialog32.exe Najdnj32.exe File created C:\Windows\SysWOW64\Lggiipie.dll Kfaajlfp.exe File opened for modification C:\Windows\SysWOW64\Fejgko32.exe Fmcoja32.exe File opened for modification C:\Windows\SysWOW64\Cnaocmmi.exe Cjfccn32.exe File created C:\Windows\SysWOW64\Jkdalhhc.dll Boiccdnf.exe File created C:\Windows\SysWOW64\Mdeced32.dll Djnpnc32.exe File created C:\Windows\SysWOW64\Jnemdecl.exe Ifnechbj.exe File opened for modification C:\Windows\SysWOW64\Jiakjb32.exe Jjojofgn.exe File created C:\Windows\SysWOW64\Kifpdelo.exe Kfgdhjmk.exe File created C:\Windows\SysWOW64\Bibkki32.dll Limfed32.exe File created C:\Windows\SysWOW64\Lijfoo32.dll Pnomcl32.exe File created C:\Windows\SysWOW64\Kpemgbqf.exe Kmgpkfab.exe File created C:\Windows\SysWOW64\Pmdmeemc.dll Pmqdkj32.exe File created C:\Windows\SysWOW64\Hfmpcjge.dll Bkfjhd32.exe File opened for modification C:\Windows\SysWOW64\Jfekcg32.exe Jbjochdi.exe File created C:\Windows\SysWOW64\Ckqfeoma.dll Lemaif32.exe File opened for modification C:\Windows\SysWOW64\Nhkbkc32.exe Npdjje32.exe File opened for modification C:\Windows\SysWOW64\Ppbfpd32.exe Papfegmk.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 6296 6264 WerFault.exe Fkckeh32.exe -
Modifies registry class 64 IoCs
Processes:
Ndbcpd32.exePnjdhmdo.exeKegnkh32.exeHiekid32.exeQbcpbo32.exeEqpgol32.exeLdqegd32.exePpoqge32.exeBanepo32.exeHhjhkq32.exeIdmhkpml.exeLajhofao.exeEcqqpgli.exeEplkpgnh.exeKedaeh32.exeBhcdaibd.exeFehjeo32.exeKfgdhjmk.exePfjbgnme.exeCklmgb32.exeBingpmnl.exeEpaogi32.exeIkpjgkjq.exeMcbjgn32.exePnlqnl32.exeNohnhc32.exeHlfdkoin.exeOqideepg.exeOelmai32.exeDbehoa32.exeQbbfopeg.exeEihfjo32.exeKeoapb32.exePjmodopf.exeGbijhg32.exeQpecfc32.exeFmhheqje.exeMijfnh32.exeDfamcogo.exeEjkima32.exeDchali32.exePkpagq32.exeCadhnmnm.exeCgejac32.exeObkdonic.exeBkfjhd32.exeEcmkghcl.exeGieojq32.exeKaklpcoc.exeOkikfagn.exeEjbfhfaj.exeLmolnh32.exeMeagci32.exeLplogdmj.exeAlhjai32.exeHcplhi32.exeNialog32.exeOopnlacm.exeJagmpg32.exeChemfl32.exeDjnpnc32.exeFckjalhj.exeBfadgq32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgmkloid.dll" Ndbcpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnjdhmdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alefel32.dll" Kegnkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enlbgc32.dll" Hiekid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldhnfd32.dll" Qbcpbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gogcek32.dll" Eqpgol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldqegd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgpokk32.dll" Ppoqge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deokcq32.dll" Banepo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhjhkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idmhkpml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lajhofao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecqqpgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eplkpgnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mphcda32.dll" Kedaeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opanhd32.dll" Bhcdaibd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fehjeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfgdhjmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfjbgnme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cklmgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bingpmnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epaogi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ongdpbkl.dll" Ikpjgkjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcbjgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnlqnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nohnhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lponfjoo.dll" Hlfdkoin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oqideepg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oelmai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbehoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qbbfopeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eihfjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Keoapb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbdoqc32.dll" Pjmodopf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbijhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nglknl32.dll" Qpecfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmhheqje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Delpclld.dll" Mijfnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eaklqfem.dll" Dfamcogo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lchkpi32.dll" Ejkima32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhflmk32.dll" Dchali32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkpagq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cadhnmnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgejac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldmndi32.dll" Obkdonic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfmpcjge.dll" Bkfjhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecmkghcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gieojq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kaklpcoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okikfagn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejbfhfaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqdgkecq.dll" Lmolnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Meagci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lplogdmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aofqfokm.dll" Alhjai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcplhi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nialog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oopnlacm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jagmpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chemfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djnpnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gadkgl32.dll" Fckjalhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oegjkb32.dll" Bfadgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejkima32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
8fff6c153edff0ccc2cbaa8ae517f510_NeikiAnalytics.exeImnafd32.exeIjaapifk.exeIbmfdkcf.exeIjdnehci.exeIkekmq32.exeIbocjk32.exeIiikfehq.exeIoccco32.exeIbapoj32.exeJgnhga32.exeJnhqdkde.exeJagmpg32.exeJklanp32.exeJnkmjk32.exeJcgfbb32.exedescription pid process target process PID 2500 wrote to memory of 2756 2500 8fff6c153edff0ccc2cbaa8ae517f510_NeikiAnalytics.exe Imnafd32.exe PID 2500 wrote to memory of 2756 2500 8fff6c153edff0ccc2cbaa8ae517f510_NeikiAnalytics.exe Imnafd32.exe PID 2500 wrote to memory of 2756 2500 8fff6c153edff0ccc2cbaa8ae517f510_NeikiAnalytics.exe Imnafd32.exe PID 2500 wrote to memory of 2756 2500 8fff6c153edff0ccc2cbaa8ae517f510_NeikiAnalytics.exe Imnafd32.exe PID 2756 wrote to memory of 2768 2756 Imnafd32.exe Ijaapifk.exe PID 2756 wrote to memory of 2768 2756 Imnafd32.exe Ijaapifk.exe PID 2756 wrote to memory of 2768 2756 Imnafd32.exe Ijaapifk.exe PID 2756 wrote to memory of 2768 2756 Imnafd32.exe Ijaapifk.exe PID 2768 wrote to memory of 1808 2768 Ijaapifk.exe Ibmfdkcf.exe PID 2768 wrote to memory of 1808 2768 Ijaapifk.exe Ibmfdkcf.exe PID 2768 wrote to memory of 1808 2768 Ijaapifk.exe Ibmfdkcf.exe PID 2768 wrote to memory of 1808 2768 Ijaapifk.exe Ibmfdkcf.exe PID 1808 wrote to memory of 2908 1808 Ibmfdkcf.exe Ijdnehci.exe PID 1808 wrote to memory of 2908 1808 Ibmfdkcf.exe Ijdnehci.exe PID 1808 wrote to memory of 2908 1808 Ibmfdkcf.exe Ijdnehci.exe PID 1808 wrote to memory of 2908 1808 Ibmfdkcf.exe Ijdnehci.exe PID 2908 wrote to memory of 2624 2908 Ijdnehci.exe Ikekmq32.exe PID 2908 wrote to memory of 2624 2908 Ijdnehci.exe Ikekmq32.exe PID 2908 wrote to memory of 2624 2908 Ijdnehci.exe Ikekmq32.exe PID 2908 wrote to memory of 2624 2908 Ijdnehci.exe Ikekmq32.exe PID 2624 wrote to memory of 2220 2624 Ikekmq32.exe Ibocjk32.exe PID 2624 wrote to memory of 2220 2624 Ikekmq32.exe Ibocjk32.exe PID 2624 wrote to memory of 2220 2624 Ikekmq32.exe Ibocjk32.exe PID 2624 wrote to memory of 2220 2624 Ikekmq32.exe Ibocjk32.exe PID 2220 wrote to memory of 1420 2220 Ibocjk32.exe Iiikfehq.exe PID 2220 wrote to memory of 1420 2220 Ibocjk32.exe Iiikfehq.exe PID 2220 wrote to memory of 1420 2220 Ibocjk32.exe Iiikfehq.exe PID 2220 wrote to memory of 1420 2220 Ibocjk32.exe Iiikfehq.exe PID 1420 wrote to memory of 2748 1420 Iiikfehq.exe Ioccco32.exe PID 1420 wrote to memory of 2748 1420 Iiikfehq.exe Ioccco32.exe PID 1420 wrote to memory of 2748 1420 Iiikfehq.exe Ioccco32.exe PID 1420 wrote to memory of 2748 1420 Iiikfehq.exe Ioccco32.exe PID 2748 wrote to memory of 1888 2748 Ioccco32.exe Ibapoj32.exe PID 2748 wrote to memory of 1888 2748 Ioccco32.exe Ibapoj32.exe PID 2748 wrote to memory of 1888 2748 Ioccco32.exe Ibapoj32.exe PID 2748 wrote to memory of 1888 2748 Ioccco32.exe Ibapoj32.exe PID 1888 wrote to memory of 2388 1888 Ibapoj32.exe Jgnhga32.exe PID 1888 wrote to memory of 2388 1888 Ibapoj32.exe Jgnhga32.exe PID 1888 wrote to memory of 2388 1888 Ibapoj32.exe Jgnhga32.exe PID 1888 wrote to memory of 2388 1888 Ibapoj32.exe Jgnhga32.exe PID 2388 wrote to memory of 1984 2388 Jgnhga32.exe Jnhqdkde.exe PID 2388 wrote to memory of 1984 2388 Jgnhga32.exe Jnhqdkde.exe PID 2388 wrote to memory of 1984 2388 Jgnhga32.exe Jnhqdkde.exe PID 2388 wrote to memory of 1984 2388 Jgnhga32.exe Jnhqdkde.exe PID 1984 wrote to memory of 1144 1984 Jnhqdkde.exe Jagmpg32.exe PID 1984 wrote to memory of 1144 1984 Jnhqdkde.exe Jagmpg32.exe PID 1984 wrote to memory of 1144 1984 Jnhqdkde.exe Jagmpg32.exe PID 1984 wrote to memory of 1144 1984 Jnhqdkde.exe Jagmpg32.exe PID 1144 wrote to memory of 1660 1144 Jagmpg32.exe Jklanp32.exe PID 1144 wrote to memory of 1660 1144 Jagmpg32.exe Jklanp32.exe PID 1144 wrote to memory of 1660 1144 Jagmpg32.exe Jklanp32.exe PID 1144 wrote to memory of 1660 1144 Jagmpg32.exe Jklanp32.exe PID 1660 wrote to memory of 1460 1660 Jklanp32.exe Jnkmjk32.exe PID 1660 wrote to memory of 1460 1660 Jklanp32.exe Jnkmjk32.exe PID 1660 wrote to memory of 1460 1660 Jklanp32.exe Jnkmjk32.exe PID 1660 wrote to memory of 1460 1660 Jklanp32.exe Jnkmjk32.exe PID 1460 wrote to memory of 1804 1460 Jnkmjk32.exe Jcgfbb32.exe PID 1460 wrote to memory of 1804 1460 Jnkmjk32.exe Jcgfbb32.exe PID 1460 wrote to memory of 1804 1460 Jnkmjk32.exe Jcgfbb32.exe PID 1460 wrote to memory of 1804 1460 Jnkmjk32.exe Jcgfbb32.exe PID 1804 wrote to memory of 2972 1804 Jcgfbb32.exe Jnmjok32.exe PID 1804 wrote to memory of 2972 1804 Jcgfbb32.exe Jnmjok32.exe PID 1804 wrote to memory of 2972 1804 Jcgfbb32.exe Jnmjok32.exe PID 1804 wrote to memory of 2972 1804 Jcgfbb32.exe Jnmjok32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\8fff6c153edff0ccc2cbaa8ae517f510_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\8fff6c153edff0ccc2cbaa8ae517f510_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\Imnafd32.exeC:\Windows\system32\Imnafd32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Ijaapifk.exeC:\Windows\system32\Ijaapifk.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Ibmfdkcf.exeC:\Windows\system32\Ibmfdkcf.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1808 -
C:\Windows\SysWOW64\Ijdnehci.exeC:\Windows\system32\Ijdnehci.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Ikekmq32.exeC:\Windows\system32\Ikekmq32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Ibocjk32.exeC:\Windows\system32\Ibocjk32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\Iiikfehq.exeC:\Windows\system32\Iiikfehq.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1420 -
C:\Windows\SysWOW64\Ioccco32.exeC:\Windows\system32\Ioccco32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Ibapoj32.exeC:\Windows\system32\Ibapoj32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1888 -
C:\Windows\SysWOW64\Jgnhga32.exeC:\Windows\system32\Jgnhga32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Jnhqdkde.exeC:\Windows\system32\Jnhqdkde.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\Jagmpg32.exeC:\Windows\system32\Jagmpg32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1144 -
C:\Windows\SysWOW64\Jklanp32.exeC:\Windows\system32\Jklanp32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\Jnkmjk32.exeC:\Windows\system32\Jnkmjk32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Windows\SysWOW64\Jcgfbb32.exeC:\Windows\system32\Jcgfbb32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1804 -
C:\Windows\SysWOW64\Jnmjok32.exeC:\Windows\system32\Jnmjok32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2972 -
C:\Windows\SysWOW64\Jakfkfpc.exeC:\Windows\system32\Jakfkfpc.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:324 -
C:\Windows\SysWOW64\Jcjbgaog.exeC:\Windows\system32\Jcjbgaog.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1116 -
C:\Windows\SysWOW64\Jjdkdl32.exeC:\Windows\system32\Jjdkdl32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1160 -
C:\Windows\SysWOW64\Jmbgpg32.exeC:\Windows\system32\Jmbgpg32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2472 -
C:\Windows\SysWOW64\Jclomamd.exeC:\Windows\system32\Jclomamd.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2072 -
C:\Windows\SysWOW64\Jjfgjk32.exeC:\Windows\system32\Jjfgjk32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1940 -
C:\Windows\SysWOW64\Jmdcfg32.exeC:\Windows\system32\Jmdcfg32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1192 -
C:\Windows\SysWOW64\Kcolba32.exeC:\Windows\system32\Kcolba32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1724 -
C:\Windows\SysWOW64\Kbalnnam.exeC:\Windows\system32\Kbalnnam.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3012 -
C:\Windows\SysWOW64\Kmgpkfab.exeC:\Windows\system32\Kmgpkfab.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2884 -
C:\Windows\SysWOW64\Kpemgbqf.exeC:\Windows\system32\Kpemgbqf.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1600 -
C:\Windows\SysWOW64\Kebepion.exeC:\Windows\system32\Kebepion.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2780 -
C:\Windows\SysWOW64\Kmimafop.exeC:\Windows\system32\Kmimafop.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2700 -
C:\Windows\SysWOW64\Kfaajlfp.exeC:\Windows\system32\Kfaajlfp.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2656 -
C:\Windows\SysWOW64\Kedaeh32.exeC:\Windows\system32\Kedaeh32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2836 -
C:\Windows\SysWOW64\Komfnnck.exeC:\Windows\system32\Komfnnck.exe33⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Kakbjibo.exeC:\Windows\system32\Kakbjibo.exe34⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Kegnkh32.exeC:\Windows\system32\Kegnkh32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2816 -
C:\Windows\SysWOW64\Koocdnai.exeC:\Windows\system32\Koocdnai.exe36⤵
- Executes dropped EXE
PID:792 -
C:\Windows\SysWOW64\Keikqhhe.exeC:\Windows\system32\Keikqhhe.exe37⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Kdlkld32.exeC:\Windows\system32\Kdlkld32.exe38⤵
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Lekhfgfc.exeC:\Windows\system32\Lekhfgfc.exe39⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Lpeifeca.exeC:\Windows\system32\Lpeifeca.exe40⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Ldqegd32.exeC:\Windows\system32\Ldqegd32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:1088 -
C:\Windows\SysWOW64\Lgoacojo.exeC:\Windows\system32\Lgoacojo.exe42⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Ladeqhjd.exeC:\Windows\system32\Ladeqhjd.exe43⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Lkmjin32.exeC:\Windows\system32\Lkmjin32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Lmkfei32.exeC:\Windows\system32\Lmkfei32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1504 -
C:\Windows\SysWOW64\Lpjbad32.exeC:\Windows\system32\Lpjbad32.exe46⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Lefkjkmc.exeC:\Windows\system32\Lefkjkmc.exe47⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Libgjj32.exeC:\Windows\system32\Libgjj32.exe48⤵
- Executes dropped EXE
PID:672 -
C:\Windows\SysWOW64\Lplogdmj.exeC:\Windows\system32\Lplogdmj.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:1396 -
C:\Windows\SysWOW64\Loooca32.exeC:\Windows\system32\Loooca32.exe50⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Mgfgdn32.exeC:\Windows\system32\Mgfgdn32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1372 -
C:\Windows\SysWOW64\Midcpj32.exeC:\Windows\system32\Midcpj32.exe52⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Mhgclfje.exeC:\Windows\system32\Mhgclfje.exe53⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Mpolmdkg.exeC:\Windows\system32\Mpolmdkg.exe54⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Mcmhiojk.exeC:\Windows\system32\Mcmhiojk.exe55⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Mekdekin.exeC:\Windows\system32\Mekdekin.exe56⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Mhjpaf32.exeC:\Windows\system32\Mhjpaf32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Mlelaeqk.exeC:\Windows\system32\Mlelaeqk.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3028 -
C:\Windows\SysWOW64\Mochnppo.exeC:\Windows\system32\Mochnppo.exe59⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Mcodno32.exeC:\Windows\system32\Mcodno32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Mdqafgnf.exeC:\Windows\system32\Mdqafgnf.exe61⤵
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Mlgigdoh.exeC:\Windows\system32\Mlgigdoh.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Mnieom32.exeC:\Windows\system32\Mnieom32.exe63⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Madapkmp.exeC:\Windows\system32\Madapkmp.exe64⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Mdcnlglc.exeC:\Windows\system32\Mdcnlglc.exe65⤵
- Executes dropped EXE
PID:320 -
C:\Windows\SysWOW64\Mgajhbkg.exeC:\Windows\system32\Mgajhbkg.exe66⤵PID:648
-
C:\Windows\SysWOW64\Mohbip32.exeC:\Windows\system32\Mohbip32.exe67⤵
- Drops file in System32 directory
PID:2364 -
C:\Windows\SysWOW64\Mnkbdlbd.exeC:\Windows\system32\Mnkbdlbd.exe68⤵PID:940
-
C:\Windows\SysWOW64\Mpjoqhah.exeC:\Windows\system32\Mpjoqhah.exe69⤵PID:1632
-
C:\Windows\SysWOW64\Mhqfbebj.exeC:\Windows\system32\Mhqfbebj.exe70⤵PID:904
-
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe71⤵PID:1756
-
C:\Windows\SysWOW64\Njbcim32.exeC:\Windows\system32\Njbcim32.exe72⤵
- Drops file in System32 directory
PID:2712 -
C:\Windows\SysWOW64\Naikkk32.exeC:\Windows\system32\Naikkk32.exe73⤵PID:2940
-
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe74⤵PID:2872
-
C:\Windows\SysWOW64\Ngfcca32.exeC:\Windows\system32\Ngfcca32.exe75⤵
- Drops file in System32 directory
PID:3032 -
C:\Windows\SysWOW64\Njdpomfe.exeC:\Windows\system32\Njdpomfe.exe76⤵PID:2924
-
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe77⤵PID:1880
-
C:\Windows\SysWOW64\Ndjdlffl.exeC:\Windows\system32\Ndjdlffl.exe78⤵PID:1884
-
C:\Windows\SysWOW64\Nfkpdn32.exeC:\Windows\system32\Nfkpdn32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:288 -
C:\Windows\SysWOW64\Nnbhek32.exeC:\Windows\system32\Nnbhek32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1100 -
C:\Windows\SysWOW64\Ncoamb32.exeC:\Windows\system32\Ncoamb32.exe81⤵
- Drops file in System32 directory
PID:2316 -
C:\Windows\SysWOW64\Ngkmnacm.exeC:\Windows\system32\Ngkmnacm.exe82⤵PID:2408
-
C:\Windows\SysWOW64\Njiijlbp.exeC:\Windows\system32\Njiijlbp.exe83⤵PID:1316
-
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe84⤵PID:1312
-
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe85⤵PID:2276
-
C:\Windows\SysWOW64\Nbdnoo32.exeC:\Windows\system32\Nbdnoo32.exe86⤵PID:1548
-
C:\Windows\SysWOW64\Njkfpl32.exeC:\Windows\system32\Njkfpl32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2124 -
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1532 -
C:\Windows\SysWOW64\Nkmbgdfl.exeC:\Windows\system32\Nkmbgdfl.exe89⤵PID:2236
-
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe90⤵
- Modifies registry class
PID:2764 -
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe91⤵PID:2592
-
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe92⤵PID:2556
-
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe93⤵PID:1948
-
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe94⤵PID:2348
-
C:\Windows\SysWOW64\Obigjnkf.exeC:\Windows\system32\Obigjnkf.exe95⤵PID:2492
-
C:\Windows\SysWOW64\Odgcfijj.exeC:\Windows\system32\Odgcfijj.exe96⤵PID:1564
-
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe97⤵PID:1648
-
C:\Windows\SysWOW64\Oomhcbjp.exeC:\Windows\system32\Oomhcbjp.exe98⤵PID:932
-
C:\Windows\SysWOW64\Obkdonic.exeC:\Windows\system32\Obkdonic.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1012 -
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe100⤵PID:2320
-
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe101⤵PID:2080
-
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe102⤵PID:2952
-
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe103⤵
- Modifies registry class
PID:1708 -
C:\Windows\SysWOW64\Okfencna.exeC:\Windows\system32\Okfencna.exe104⤵PID:2856
-
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe105⤵
- Drops file in System32 directory
PID:2088 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe106⤵PID:1520
-
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe107⤵PID:2912
-
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe108⤵PID:1856
-
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe109⤵PID:1092
-
C:\Windows\SysWOW64\Pccfge32.exeC:\Windows\system32\Pccfge32.exe110⤵PID:2372
-
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2964 -
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe112⤵
- Modifies registry class
PID:1380 -
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe113⤵PID:1228
-
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe114⤵PID:956
-
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2844 -
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe116⤵PID:2572
-
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe117⤵PID:2392
-
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe118⤵PID:1552
-
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe119⤵PID:1068
-
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe120⤵
- Drops file in System32 directory
PID:332 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe121⤵
- Modifies registry class
PID:1796 -
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe122⤵PID:804
-
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe123⤵PID:2000
-
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe124⤵PID:2928
-
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe125⤵PID:2880
-
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe126⤵PID:3016
-
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe127⤵PID:2584
-
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe128⤵PID:2412
-
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe129⤵PID:2468
-
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe130⤵
- Drops file in System32 directory
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Qeqbkkej.exeC:\Windows\system32\Qeqbkkej.exe131⤵PID:668
-
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe132⤵PID:1992
-
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe133⤵PID:1820
-
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe134⤵PID:2136
-
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe135⤵PID:2840
-
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe136⤵PID:2560
-
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe137⤵PID:2640
-
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe138⤵PID:2172
-
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe139⤵PID:1080
-
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe140⤵PID:2956
-
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe141⤵PID:1060
-
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe142⤵PID:2076
-
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe143⤵PID:1728
-
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe144⤵PID:2396
-
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe145⤵PID:1332
-
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe146⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2720 -
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe147⤵PID:2800
-
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe148⤵PID:2632
-
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe149⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2068 -
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe150⤵PID:2380
-
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe151⤵PID:476
-
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe152⤵PID:1748
-
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe153⤵PID:1248
-
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe154⤵
- Drops file in System32 directory
PID:2644 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe155⤵PID:2868
-
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe156⤵
- Modifies registry class
PID:2916 -
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe157⤵PID:1904
-
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe158⤵PID:1464
-
C:\Windows\SysWOW64\Baildokg.exeC:\Windows\system32\Baildokg.exe159⤵PID:1128
-
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe160⤵PID:756
-
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe161⤵
- Modifies registry class
PID:2100 -
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe162⤵PID:2680
-
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe163⤵PID:3000
-
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe164⤵PID:1656
-
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe165⤵PID:836
-
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe166⤵PID:2524
-
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe167⤵PID:2832
-
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe168⤵PID:3020
-
C:\Windows\SysWOW64\Bnbjopoi.exeC:\Windows\system32\Bnbjopoi.exe169⤵PID:2540
-
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe170⤵
- Modifies registry class
PID:2352 -
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe171⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1140 -
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe172⤵PID:2588
-
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe173⤵
- Drops file in System32 directory
- Modifies registry class
PID:1628 -
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe174⤵PID:1296
-
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe175⤵PID:2648
-
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe176⤵PID:1736
-
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe177⤵PID:1996
-
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe178⤵PID:1956
-
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe179⤵PID:1760
-
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe180⤵PID:2704
-
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe181⤵PID:2180
-
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe182⤵PID:1056
-
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe183⤵PID:1972
-
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe184⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2212 -
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe185⤵PID:1588
-
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe186⤵PID:2424
-
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe187⤵PID:688
-
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe188⤵PID:2232
-
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe189⤵PID:3096
-
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe190⤵
- Drops file in System32 directory
PID:3136 -
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe191⤵PID:3176
-
C:\Windows\SysWOW64\Cbkeib32.exeC:\Windows\system32\Cbkeib32.exe192⤵PID:3216
-
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe193⤵PID:3256
-
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe194⤵
- Modifies registry class
PID:3296 -
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe195⤵PID:3336
-
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe196⤵PID:3376
-
C:\Windows\SysWOW64\Cfinoq32.exeC:\Windows\system32\Cfinoq32.exe197⤵PID:3416
-
C:\Windows\SysWOW64\Clcflkic.exeC:\Windows\system32\Clcflkic.exe198⤵PID:3456
-
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe199⤵PID:3496
-
C:\Windows\SysWOW64\Cndbcc32.exeC:\Windows\system32\Cndbcc32.exe200⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3536 -
C:\Windows\SysWOW64\Dflkdp32.exeC:\Windows\system32\Dflkdp32.exe201⤵PID:3576
-
C:\Windows\SysWOW64\Dhjgal32.exeC:\Windows\system32\Dhjgal32.exe202⤵
- Drops file in System32 directory
PID:3616 -
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe203⤵PID:3656
-
C:\Windows\SysWOW64\Dngoibmo.exeC:\Windows\system32\Dngoibmo.exe204⤵
- Drops file in System32 directory
PID:3696 -
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe205⤵PID:3736
-
C:\Windows\SysWOW64\Ddagfm32.exeC:\Windows\system32\Ddagfm32.exe206⤵PID:3776
-
C:\Windows\SysWOW64\Dhmcfkme.exeC:\Windows\system32\Dhmcfkme.exe207⤵PID:3816
-
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe208⤵PID:3856
-
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe209⤵
- Drops file in System32 directory
- Modifies registry class
PID:3896 -
C:\Windows\SysWOW64\Dnilobkm.exeC:\Windows\system32\Dnilobkm.exe210⤵PID:3936
-
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe211⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3976 -
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe212⤵PID:4016
-
C:\Windows\SysWOW64\Dgaqgh32.exeC:\Windows\system32\Dgaqgh32.exe213⤵PID:4060
-
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe214⤵PID:1704
-
C:\Windows\SysWOW64\Dnlidb32.exeC:\Windows\system32\Dnlidb32.exe215⤵PID:3120
-
C:\Windows\SysWOW64\Dqjepm32.exeC:\Windows\system32\Dqjepm32.exe216⤵PID:3164
-
C:\Windows\SysWOW64\Dchali32.exeC:\Windows\system32\Dchali32.exe217⤵
- Modifies registry class
PID:3224 -
C:\Windows\SysWOW64\Dgdmmgpj.exeC:\Windows\system32\Dgdmmgpj.exe218⤵
- Drops file in System32 directory
PID:3268 -
C:\Windows\SysWOW64\Dfgmhd32.exeC:\Windows\system32\Dfgmhd32.exe219⤵PID:3332
-
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe220⤵PID:3368
-
C:\Windows\SysWOW64\Dmafennb.exeC:\Windows\system32\Dmafennb.exe221⤵PID:3424
-
C:\Windows\SysWOW64\Dqlafm32.exeC:\Windows\system32\Dqlafm32.exe222⤵PID:3476
-
C:\Windows\SysWOW64\Dcknbh32.exeC:\Windows\system32\Dcknbh32.exe223⤵PID:3532
-
C:\Windows\SysWOW64\Dfijnd32.exeC:\Windows\system32\Dfijnd32.exe224⤵PID:3568
-
C:\Windows\SysWOW64\Djefobmk.exeC:\Windows\system32\Djefobmk.exe225⤵PID:3612
-
C:\Windows\SysWOW64\Eihfjo32.exeC:\Windows\system32\Eihfjo32.exe226⤵
- Modifies registry class
PID:3676 -
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe227⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3708 -
C:\Windows\SysWOW64\Epaogi32.exeC:\Windows\system32\Epaogi32.exe228⤵
- Modifies registry class
PID:3764 -
C:\Windows\SysWOW64\Ecmkghcl.exeC:\Windows\system32\Ecmkghcl.exe229⤵
- Modifies registry class
PID:3812 -
C:\Windows\SysWOW64\Eflgccbp.exeC:\Windows\system32\Eflgccbp.exe230⤵PID:3876
-
C:\Windows\SysWOW64\Eijcpoac.exeC:\Windows\system32\Eijcpoac.exe231⤵PID:3944
-
C:\Windows\SysWOW64\Ekholjqg.exeC:\Windows\system32\Ekholjqg.exe232⤵PID:3972
-
C:\Windows\SysWOW64\Epdkli32.exeC:\Windows\system32\Epdkli32.exe233⤵
- Drops file in System32 directory
PID:4004 -
C:\Windows\SysWOW64\Ebbgid32.exeC:\Windows\system32\Ebbgid32.exe234⤵PID:4076
-
C:\Windows\SysWOW64\Efncicpm.exeC:\Windows\system32\Efncicpm.exe235⤵PID:3104
-
C:\Windows\SysWOW64\Eilpeooq.exeC:\Windows\system32\Eilpeooq.exe236⤵PID:3148
-
C:\Windows\SysWOW64\Emhlfmgj.exeC:\Windows\system32\Emhlfmgj.exe237⤵
- Drops file in System32 directory
PID:3212 -
C:\Windows\SysWOW64\Epfhbign.exeC:\Windows\system32\Epfhbign.exe238⤵PID:3292
-
C:\Windows\SysWOW64\Ebedndfa.exeC:\Windows\system32\Ebedndfa.exe239⤵PID:3344
-
C:\Windows\SysWOW64\Eecqjpee.exeC:\Windows\system32\Eecqjpee.exe240⤵PID:3412
-
C:\Windows\SysWOW64\Egamfkdh.exeC:\Windows\system32\Egamfkdh.exe241⤵PID:3448
-
C:\Windows\SysWOW64\Epieghdk.exeC:\Windows\system32\Epieghdk.exe242⤵PID:3520