Analysis
-
max time kernel
93s -
max time network
98s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
30-05-2024 23:30
Behavioral task
behavioral1
Sample
6d0479215381cc80c40722f6ba4ddc40_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
6d0479215381cc80c40722f6ba4ddc40_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
-
Target
6d0479215381cc80c40722f6ba4ddc40_NeikiAnalytics.exe
-
Size
1.4MB
-
MD5
6d0479215381cc80c40722f6ba4ddc40
-
SHA1
e9e1276505a26d48e50c0a434160fd5b69b3289a
-
SHA256
0ef5f311f012290bbeab8187e8d6b51f65cc5aefb4ddcbcd4b2b58cd5129eae9
-
SHA512
0a3ec5ad7057fd91916f715401d429049bca39c4db1cdea70b4b7797e1f8c6bb4e639d0c1981911e1a744bdae7b480023e9b55cca245a4ec57207f5a02edee7c
-
SSDEEP
12288:+0zfqJBCzXjOYpV6yYPI3cpV6yYPeHCXwpnsKvNA+XTvZHWuEo3oWL5g:+0QBCzXjOYWHWIpsKv2EvZHp3oWNg
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Pkhoae32.exeHkicaahi.exeNookip32.exeMjbogmdb.exeDpnkdq32.exeNiniei32.exeEdhjqc32.exeEipinkib.exeGnjjfegi.exeOkchnk32.exeGfmojenc.exeHpcodihc.exeJmhale32.exeBcbohigp.exeLicfngjd.exeAhoimd32.exeEigonjcj.exeBombmcec.exeLpebpm32.exeGahcmd32.exeInkjhi32.exeBjodjb32.exeJbjcolha.exeLllcen32.exeJfehed32.exeAhchda32.exeIldkgc32.exeLbngllob.exeObcceg32.exePcobaedj.exeLhkgoiqe.exeOgfcjm32.exeBmmpfn32.exeEbommi32.exeNlmllkja.exePqdqof32.exeEdmjfifl.exeKiejmi32.exeBblnindg.exeCfnqklgh.exeEcmeig32.exeKboljk32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pkhoae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hkicaahi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nookip32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjbogmdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dpnkdq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Niniei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Edhjqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eipinkib.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnjjfegi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okchnk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfmojenc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpcodihc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmhale32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bcbohigp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Licfngjd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ahoimd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eigonjcj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bombmcec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpebpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gahcmd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inkjhi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjodjb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbjcolha.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lllcen32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfehed32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahchda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ildkgc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lbngllob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Obcceg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcobaedj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lhkgoiqe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogfcjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bmmpfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gnjjfegi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ebommi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlmllkja.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqdqof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Edmjfifl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiejmi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bblnindg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfnqklgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecmeig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kboljk32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Processes:
resource yara_rule C:\Windows\SysWOW64\Nbkhfc32.exe family_berbew C:\Windows\SysWOW64\Nnaikd32.exe family_berbew C:\Windows\SysWOW64\Ndkahnhh.exe family_berbew C:\Windows\SysWOW64\Ondeac32.exe family_berbew C:\Windows\SysWOW64\Odnnnnfe.exe family_berbew C:\Windows\SysWOW64\Okhfjh32.exe family_berbew C:\Windows\SysWOW64\Oqgkhnjf.exe family_berbew C:\Windows\SysWOW64\Pjdilcla.exe family_berbew C:\Windows\SysWOW64\Pqpnombl.exe family_berbew C:\Windows\SysWOW64\Pbddcoei.exe family_berbew C:\Windows\SysWOW64\Ibjjhn32.exe family_berbew C:\Windows\SysWOW64\Jbjcolha.exe family_berbew C:\Windows\SysWOW64\Kpbmco32.exe family_berbew C:\Windows\SysWOW64\Kefkme32.exe family_berbew C:\Windows\SysWOW64\Kdgljmcd.exe family_berbew C:\Windows\SysWOW64\Llemdo32.exe family_berbew C:\Windows\SysWOW64\Ojgbfocc.exe family_berbew C:\Windows\SysWOW64\Opdghh32.exe family_berbew C:\Windows\SysWOW64\Oddmdf32.exe family_berbew C:\Windows\SysWOW64\Qcgffqei.exe family_berbew C:\Windows\SysWOW64\Afjlnk32.exe family_berbew C:\Windows\SysWOW64\Andqdh32.exe family_berbew C:\Windows\SysWOW64\Cjmgfgdf.exe family_berbew C:\Windows\SysWOW64\Deokon32.exe family_berbew C:\Windows\SysWOW64\Ekiohclf.exe family_berbew C:\Windows\SysWOW64\Eefaomcg.exe family_berbew C:\Windows\SysWOW64\Ekpmbddq.exe family_berbew C:\Windows\SysWOW64\Fajnfl32.exe family_berbew C:\Windows\SysWOW64\Fedmqk32.exe family_berbew C:\Windows\SysWOW64\Feapkk32.exe family_berbew C:\Windows\SysWOW64\Hghoeqmp.exe family_berbew C:\Windows\SysWOW64\Ibpiogmp.exe family_berbew C:\Windows\SysWOW64\Jpkphjeb.exe family_berbew C:\Windows\SysWOW64\Lifjnm32.exe family_berbew C:\Windows\SysWOW64\Likcilhh.exe family_berbew C:\Windows\SysWOW64\Lhdqnj32.exe family_berbew C:\Windows\SysWOW64\Opadhb32.exe family_berbew C:\Windows\SysWOW64\Ohqbhdpj.exe family_berbew C:\Windows\SysWOW64\Qqhcpo32.exe family_berbew C:\Windows\SysWOW64\Iklgah32.exe family_berbew C:\Windows\SysWOW64\Iahlcaol.exe family_berbew C:\Windows\SysWOW64\Jgcamf32.exe family_berbew C:\Windows\SysWOW64\Kndojobi.exe family_berbew C:\Windows\SysWOW64\Keqdmihc.exe family_berbew C:\Windows\SysWOW64\Kqnbkl32.exe family_berbew C:\Windows\SysWOW64\Jgadgf32.exe family_berbew C:\Windows\SysWOW64\Ikcmbfcj.exe family_berbew C:\Windows\SysWOW64\Ljdceo32.exe family_berbew C:\Windows\SysWOW64\Llflea32.exe family_berbew C:\Windows\SysWOW64\Lbngllob.exe family_berbew C:\Windows\SysWOW64\Lgffic32.exe family_berbew C:\Windows\SysWOW64\Ihdafkdg.exe family_berbew C:\Windows\SysWOW64\Mjbogmdb.exe family_berbew C:\Windows\SysWOW64\Mhfppabl.exe family_berbew C:\Windows\SysWOW64\Nbnpcj32.exe family_berbew C:\Windows\SysWOW64\Nacmdf32.exe family_berbew C:\Windows\SysWOW64\Nognnj32.exe family_berbew C:\Windows\SysWOW64\Nhbolp32.exe family_berbew C:\Windows\SysWOW64\Oidhlb32.exe family_berbew C:\Windows\SysWOW64\Oblmdhdo.exe family_berbew C:\Windows\SysWOW64\Oaajed32.exe family_berbew C:\Windows\SysWOW64\Pcobaedj.exe family_berbew C:\Windows\SysWOW64\Qhngolpo.exe family_berbew C:\Windows\SysWOW64\Ajggomog.exe family_berbew -
Executes dropped EXE 64 IoCs
Processes:
Nbkhfc32.exeNnaikd32.exeNdkahnhh.exeOndeac32.exeOdnnnnfe.exeOkhfjh32.exeObangb32.exeOdpjcm32.exeOkjbpglo.exeOnholckc.exeOqgkhnjf.exeOgaceh32.exeOjopad32.exeOqihnn32.exeOcgdji32.exeOjalgcnd.exeObidhaog.exePcjapi32.exePjdilcla.exePbkamqmd.exePclneicb.exePjffbc32.exePqpnombl.exePcojkhap.exePjhbgb32.exePbpjhp32.exePcagphom.exePkhoae32.exePkjlge32.exePnihcq32.exePbddcoei.exeQecppkdm.exeQgallfcq.exeQjpiha32.exeQbgqio32.exeQchmagie.exeQloebdig.exeQnnanphk.exeQbimoo32.exeAegikj32.exeAlabgd32.exeAnpncp32.exeAhhblemi.exeAjfoiqll.exeAaqgek32.exeAcocaf32.exeAlfkbc32.exeAndgoobc.exeAeopki32.exeAhmlgd32.exeAngddopp.exeAaepqjpd.exeAhoimd32.exeAjneip32.exeBahmfj32.exeBdfibe32.exeBlmacb32.exeBnlnon32.exeBajjli32.exeBdhfhe32.exeBlpnib32.exeBnnjen32.exeBalfaiil.exeBdkcmdhp.exepid process 3764 Nbkhfc32.exe 1228 Nnaikd32.exe 624 Ndkahnhh.exe 3500 Ondeac32.exe 2128 Odnnnnfe.exe 3880 Okhfjh32.exe 4300 Obangb32.exe 3452 Odpjcm32.exe 516 Okjbpglo.exe 4576 Onholckc.exe 3440 Oqgkhnjf.exe 2524 Ogaceh32.exe 540 Ojopad32.exe 3968 Oqihnn32.exe 2528 Ocgdji32.exe 4396 Ojalgcnd.exe 3064 Obidhaog.exe 4536 Pcjapi32.exe 2408 Pjdilcla.exe 3660 Pbkamqmd.exe 4900 Pclneicb.exe 4464 Pjffbc32.exe 4828 Pqpnombl.exe 1068 Pcojkhap.exe 4972 Pjhbgb32.exe 3656 Pbpjhp32.exe 1980 Pcagphom.exe 1664 Pkhoae32.exe 5028 Pkjlge32.exe 1844 Pnihcq32.exe 2400 Pbddcoei.exe 4060 Qecppkdm.exe 3580 Qgallfcq.exe 2236 Qjpiha32.exe 3092 Qbgqio32.exe 2392 Qchmagie.exe 2540 Qloebdig.exe 2268 Qnnanphk.exe 864 Qbimoo32.exe 4956 Aegikj32.exe 4152 Alabgd32.exe 1072 Anpncp32.exe 1396 Ahhblemi.exe 1360 Ajfoiqll.exe 4388 Aaqgek32.exe 4068 Acocaf32.exe 1840 Alfkbc32.exe 4228 Andgoobc.exe 2804 Aeopki32.exe 2748 Ahmlgd32.exe 4604 Angddopp.exe 1412 Aaepqjpd.exe 3464 Ahoimd32.exe 696 Ajneip32.exe 1644 Bahmfj32.exe 4456 Bdfibe32.exe 4564 Blmacb32.exe 4716 Bnlnon32.exe 2640 Bajjli32.exe 4244 Bdhfhe32.exe 3360 Blpnib32.exe 640 Bnnjen32.exe 448 Balfaiil.exe 2104 Bdkcmdhp.exe -
Drops file in System32 directory 64 IoCs
Processes:
Inkjhi32.exeEmnbdioi.exeDfiafg32.exeEdfdej32.exeKelalp32.exeBkmmaeap.exeBckkca32.exeCajcbgml.exeEkpmbddq.exePgkelj32.exeJdedak32.exeAhmlgd32.exeNiipjj32.exeIcdheded.exeNfgmjqop.exeKnflpoqf.exeFalcae32.exeFllkqn32.exeIloidijb.exeBcoenmao.exeBoipmj32.exeQfpbmfdf.exeEidbij32.exeGaopfe32.exeGcddpdpo.exeJfaedkdp.exePqmjog32.exeInomhbeq.exeEbommi32.exeBfhhoi32.exeFojedapj.exeNemmoe32.exeBejogg32.exeIbjjhn32.exeGlebhjlg.exeGgnlobej.exeNeccpd32.exeDahode32.exeDgbdlf32.exePnakhkol.exeAabmqd32.exeQqhcpo32.exeGphphj32.exeOkhfjh32.exeOpdghh32.exedescription ioc process File created C:\Windows\SysWOW64\Ibffhhek.exe Inkjhi32.exe File created C:\Windows\SysWOW64\Eplnpeol.exe Emnbdioi.exe File opened for modification C:\Windows\SysWOW64\Jdodkebj.exe File created C:\Windows\SysWOW64\Jkiocibf.dll File created C:\Windows\SysWOW64\Pjphcf32.dll File created C:\Windows\SysWOW64\Hcjccj32.dll Dfiafg32.exe File created C:\Windows\SysWOW64\Cmkkkihe.dll Edfdej32.exe File opened for modification C:\Windows\SysWOW64\Kihnmohm.exe Kelalp32.exe File created C:\Windows\SysWOW64\Bcddcbab.exe Bkmmaeap.exe File opened for modification C:\Windows\SysWOW64\Cfigpm32.exe Bckkca32.exe File opened for modification C:\Windows\SysWOW64\Apodoq32.exe File opened for modification C:\Windows\SysWOW64\Cdiooblp.exe Cajcbgml.exe File created C:\Windows\SysWOW64\Eolhbc32.exe Ekpmbddq.exe File opened for modification C:\Windows\SysWOW64\Pjjahe32.exe Pgkelj32.exe File created C:\Windows\SysWOW64\Injdmnab.dll Jdedak32.exe File created C:\Windows\SysWOW64\Phadlp32.dll Ahmlgd32.exe File opened for modification C:\Windows\SysWOW64\Npchgdcd.exe Niipjj32.exe File created C:\Windows\SysWOW64\Ikkpgafg.exe Icdheded.exe File opened for modification C:\Windows\SysWOW64\Mmkkmc32.exe File opened for modification C:\Windows\SysWOW64\Njciko32.exe Nfgmjqop.exe File opened for modification C:\Windows\SysWOW64\Kbbhqn32.exe Knflpoqf.exe File opened for modification C:\Windows\SysWOW64\Fdkpma32.exe Falcae32.exe File created C:\Windows\SysWOW64\Pdjpll32.dll Fllkqn32.exe File created C:\Windows\SysWOW64\Leabba32.dll Iloidijb.exe File created C:\Windows\SysWOW64\Pencqe32.dll File created C:\Windows\SysWOW64\Imbajm32.dll Bcoenmao.exe File created C:\Windows\SysWOW64\Bgpgng32.exe Boipmj32.exe File created C:\Windows\SysWOW64\Qhonib32.exe Qfpbmfdf.exe File opened for modification C:\Windows\SysWOW64\Empoiimf.exe Eidbij32.exe File created C:\Windows\SysWOW64\Gpaqbbld.exe Gaopfe32.exe File created C:\Windows\SysWOW64\Jbhfhgch.dll File created C:\Windows\SysWOW64\Dknnoofg.exe File created C:\Windows\SysWOW64\Bkomqm32.dll Gcddpdpo.exe File created C:\Windows\SysWOW64\Fllifblf.dll Jfaedkdp.exe File opened for modification C:\Windows\SysWOW64\Hmdlmg32.exe File opened for modification C:\Windows\SysWOW64\Lgibpf32.exe File created C:\Windows\SysWOW64\Okddnh32.dll File created C:\Windows\SysWOW64\Pclgkb32.exe Pqmjog32.exe File created C:\Windows\SysWOW64\Iqmidndd.exe Inomhbeq.exe File created C:\Windows\SysWOW64\Faimhjhp.dll Ebommi32.exe File opened for modification C:\Windows\SysWOW64\Mgbefe32.exe File created C:\Windows\SysWOW64\Banllbdn.exe Bfhhoi32.exe File created C:\Windows\SysWOW64\Fedmqk32.exe Fojedapj.exe File created C:\Windows\SysWOW64\Nacmdf32.exe Nemmoe32.exe File opened for modification C:\Windows\SysWOW64\Dndnpf32.exe File opened for modification C:\Windows\SysWOW64\Fpimlfke.exe File created C:\Windows\SysWOW64\Bhikcb32.exe Bejogg32.exe File created C:\Windows\SysWOW64\Imoneg32.exe Ibjjhn32.exe File created C:\Windows\SysWOW64\Ogacbllg.dll File created C:\Windows\SysWOW64\Dbmdml32.dll File opened for modification C:\Windows\SysWOW64\Gpolbo32.exe File created C:\Windows\SysWOW64\Gododflk.exe Glebhjlg.exe File created C:\Windows\SysWOW64\Hiagomkq.dll Ggnlobej.exe File opened for modification C:\Windows\SysWOW64\Nhbolp32.exe Neccpd32.exe File created C:\Windows\SysWOW64\Neqopnhb.exe File created C:\Windows\SysWOW64\Iahici32.dll File created C:\Windows\SysWOW64\Ddgkpp32.exe Dahode32.exe File opened for modification C:\Windows\SysWOW64\Doilmc32.exe Dgbdlf32.exe File created C:\Windows\SysWOW64\Pqpgdfnp.exe Pnakhkol.exe File created C:\Windows\SysWOW64\Mnjgghdi.dll Aabmqd32.exe File opened for modification C:\Windows\SysWOW64\Acgolj32.exe Qqhcpo32.exe File opened for modification C:\Windows\SysWOW64\Ggahedjn.exe Gphphj32.exe File created C:\Windows\SysWOW64\Gfogkano.dll Okhfjh32.exe File opened for modification C:\Windows\SysWOW64\Ognpebpj.exe Opdghh32.exe -
Program crash 1 IoCs
Processes:
pid pid_target process target process 11920 15792 -
Modifies registry class 64 IoCs
Processes:
Cdkldb32.exeBblckl32.exeDanecp32.exeQjnkcekm.exePkjlge32.exeGcddpdpo.exeJgonlm32.exeCfcqpa32.exeKiejmi32.exeFbpnkama.exeCfpnph32.exeOoejohhq.exeFikbocki.exeIkkpgafg.exeFoabofnn.exeJhndljll.exeEhailbaa.exeMbighjdd.exeJpnchp32.exeJbbfdfkn.exeJbdbjf32.exeIlidbbgl.exeOpdghh32.exeQlmgopjq.exeIngpmmgm.exeDkgqfl32.exeQhngolpo.exeKbpbed32.exeHhfedm32.exeGdaociml.exeNcianepl.exeEolhbc32.exePiijno32.exeLpebpm32.exeMiemjaci.exeGgilil32.exeBqdblmhl.exeGgbook32.exeKgamnded.exeConclk32.exeNngokoej.exeDikpbl32.exeCalhnpgn.exeCcchof32.exeLoeolc32.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cdkldb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgegjnih.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bblckl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iahici32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inmdohhp.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Danecp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qjnkcekm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pkjlge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkomqm32.dll" Gcddpdpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibcllpfj.dll" Jgonlm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cfcqpa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kiejmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhhbcf32.dll" Fbpnkama.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll" Cfpnph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjmhfb32.dll" Ooejohhq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kolkod32.dll" Fikbocki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ikkpgafg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Foabofnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlbpmd32.dll" Jhndljll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ehailbaa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mbighjdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jpnchp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgdbei32.dll" Jbbfdfkn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jbdbjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpmcbhlp.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ilidbbgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beapme32.dll" Opdghh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qlmgopjq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ingpmmgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfchag32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dkgqfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qhngolpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kbpbed32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hhfedm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gdaociml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ncianepl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eolhbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Piijno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lpebpm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Miemjaci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ggilil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohofdmkm.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deimfpda.dll" Lpebpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icndnfbg.dll" Bqdblmhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkkgmlcm.dll" Ggbook32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kgamnded.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Conclk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nngokoej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dikpbl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll" Calhnpgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpimcmab.dll" Ccchof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Loeolc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
6d0479215381cc80c40722f6ba4ddc40_NeikiAnalytics.exeNbkhfc32.exeNnaikd32.exeNdkahnhh.exeOndeac32.exeOdnnnnfe.exeOkhfjh32.exeObangb32.exeOdpjcm32.exeOkjbpglo.exeOnholckc.exeOqgkhnjf.exeOgaceh32.exeOjopad32.exeOqihnn32.exeOcgdji32.exeOjalgcnd.exeObidhaog.exePcjapi32.exePjdilcla.exePbkamqmd.exePclneicb.exedescription pid process target process PID 4776 wrote to memory of 3764 4776 6d0479215381cc80c40722f6ba4ddc40_NeikiAnalytics.exe Oeaoab32.exe PID 4776 wrote to memory of 3764 4776 6d0479215381cc80c40722f6ba4ddc40_NeikiAnalytics.exe Oeaoab32.exe PID 4776 wrote to memory of 3764 4776 6d0479215381cc80c40722f6ba4ddc40_NeikiAnalytics.exe Oeaoab32.exe PID 3764 wrote to memory of 1228 3764 Nbkhfc32.exe Nnaikd32.exe PID 3764 wrote to memory of 1228 3764 Nbkhfc32.exe Nnaikd32.exe PID 3764 wrote to memory of 1228 3764 Nbkhfc32.exe Nnaikd32.exe PID 1228 wrote to memory of 624 1228 Nnaikd32.exe Ndkahnhh.exe PID 1228 wrote to memory of 624 1228 Nnaikd32.exe Ndkahnhh.exe PID 1228 wrote to memory of 624 1228 Nnaikd32.exe Ndkahnhh.exe PID 624 wrote to memory of 3500 624 Ndkahnhh.exe Ondeac32.exe PID 624 wrote to memory of 3500 624 Ndkahnhh.exe Ondeac32.exe PID 624 wrote to memory of 3500 624 Ndkahnhh.exe Ondeac32.exe PID 3500 wrote to memory of 2128 3500 Ondeac32.exe Odnnnnfe.exe PID 3500 wrote to memory of 2128 3500 Ondeac32.exe Odnnnnfe.exe PID 3500 wrote to memory of 2128 3500 Ondeac32.exe Odnnnnfe.exe PID 2128 wrote to memory of 3880 2128 Odnnnnfe.exe Okhfjh32.exe PID 2128 wrote to memory of 3880 2128 Odnnnnfe.exe Okhfjh32.exe PID 2128 wrote to memory of 3880 2128 Odnnnnfe.exe Okhfjh32.exe PID 3880 wrote to memory of 4300 3880 Okhfjh32.exe Obangb32.exe PID 3880 wrote to memory of 4300 3880 Okhfjh32.exe Obangb32.exe PID 3880 wrote to memory of 4300 3880 Okhfjh32.exe Obangb32.exe PID 4300 wrote to memory of 3452 4300 Obangb32.exe Odpjcm32.exe PID 4300 wrote to memory of 3452 4300 Obangb32.exe Odpjcm32.exe PID 4300 wrote to memory of 3452 4300 Obangb32.exe Odpjcm32.exe PID 3452 wrote to memory of 516 3452 Odpjcm32.exe Pefhlaie.exe PID 3452 wrote to memory of 516 3452 Odpjcm32.exe Pefhlaie.exe PID 3452 wrote to memory of 516 3452 Odpjcm32.exe Pefhlaie.exe PID 516 wrote to memory of 4576 516 Okjbpglo.exe Pidabppl.exe PID 516 wrote to memory of 4576 516 Okjbpglo.exe Pidabppl.exe PID 516 wrote to memory of 4576 516 Okjbpglo.exe Pidabppl.exe PID 4576 wrote to memory of 3440 4576 Onholckc.exe Oqgkhnjf.exe PID 4576 wrote to memory of 3440 4576 Onholckc.exe Oqgkhnjf.exe PID 4576 wrote to memory of 3440 4576 Onholckc.exe Oqgkhnjf.exe PID 3440 wrote to memory of 2524 3440 Oqgkhnjf.exe Ogaceh32.exe PID 3440 wrote to memory of 2524 3440 Oqgkhnjf.exe Ogaceh32.exe PID 3440 wrote to memory of 2524 3440 Oqgkhnjf.exe Ogaceh32.exe PID 2524 wrote to memory of 540 2524 Ogaceh32.exe Ojopad32.exe PID 2524 wrote to memory of 540 2524 Ogaceh32.exe Ojopad32.exe PID 2524 wrote to memory of 540 2524 Ogaceh32.exe Ojopad32.exe PID 540 wrote to memory of 3968 540 Ojopad32.exe Oqihnn32.exe PID 540 wrote to memory of 3968 540 Ojopad32.exe Oqihnn32.exe PID 540 wrote to memory of 3968 540 Ojopad32.exe Oqihnn32.exe PID 3968 wrote to memory of 2528 3968 Oqihnn32.exe Ocgdji32.exe PID 3968 wrote to memory of 2528 3968 Oqihnn32.exe Ocgdji32.exe PID 3968 wrote to memory of 2528 3968 Oqihnn32.exe Ocgdji32.exe PID 2528 wrote to memory of 4396 2528 Ocgdji32.exe Ojalgcnd.exe PID 2528 wrote to memory of 4396 2528 Ocgdji32.exe Ojalgcnd.exe PID 2528 wrote to memory of 4396 2528 Ocgdji32.exe Ojalgcnd.exe PID 4396 wrote to memory of 3064 4396 Ojalgcnd.exe Pabblb32.exe PID 4396 wrote to memory of 3064 4396 Ojalgcnd.exe Pabblb32.exe PID 4396 wrote to memory of 3064 4396 Ojalgcnd.exe Pabblb32.exe PID 3064 wrote to memory of 4536 3064 Obidhaog.exe Pcjapi32.exe PID 3064 wrote to memory of 4536 3064 Obidhaog.exe Pcjapi32.exe PID 3064 wrote to memory of 4536 3064 Obidhaog.exe Pcjapi32.exe PID 4536 wrote to memory of 2408 4536 Pcjapi32.exe Pjdilcla.exe PID 4536 wrote to memory of 2408 4536 Pcjapi32.exe Pjdilcla.exe PID 4536 wrote to memory of 2408 4536 Pcjapi32.exe Pjdilcla.exe PID 2408 wrote to memory of 3660 2408 Pjdilcla.exe Pbkamqmd.exe PID 2408 wrote to memory of 3660 2408 Pjdilcla.exe Pbkamqmd.exe PID 2408 wrote to memory of 3660 2408 Pjdilcla.exe Pbkamqmd.exe PID 3660 wrote to memory of 4900 3660 Pbkamqmd.exe Pclneicb.exe PID 3660 wrote to memory of 4900 3660 Pbkamqmd.exe Pclneicb.exe PID 3660 wrote to memory of 4900 3660 Pbkamqmd.exe Pclneicb.exe PID 4900 wrote to memory of 4464 4900 Pclneicb.exe Pjffbc32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6d0479215381cc80c40722f6ba4ddc40_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\6d0479215381cc80c40722f6ba4ddc40_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4776 -
C:\Windows\SysWOW64\Nbkhfc32.exeC:\Windows\system32\Nbkhfc32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3764 -
C:\Windows\SysWOW64\Nnaikd32.exeC:\Windows\system32\Nnaikd32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1228 -
C:\Windows\SysWOW64\Ndkahnhh.exeC:\Windows\system32\Ndkahnhh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:624 -
C:\Windows\SysWOW64\Ondeac32.exeC:\Windows\system32\Ondeac32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3500 -
C:\Windows\SysWOW64\Odnnnnfe.exeC:\Windows\system32\Odnnnnfe.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Okhfjh32.exeC:\Windows\system32\Okhfjh32.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3880 -
C:\Windows\SysWOW64\Obangb32.exeC:\Windows\system32\Obangb32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4300 -
C:\Windows\SysWOW64\Odpjcm32.exeC:\Windows\system32\Odpjcm32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3452 -
C:\Windows\SysWOW64\Okjbpglo.exeC:\Windows\system32\Okjbpglo.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:516 -
C:\Windows\SysWOW64\Onholckc.exeC:\Windows\system32\Onholckc.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4576 -
C:\Windows\SysWOW64\Oqgkhnjf.exeC:\Windows\system32\Oqgkhnjf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3440 -
C:\Windows\SysWOW64\Ogaceh32.exeC:\Windows\system32\Ogaceh32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Ojopad32.exeC:\Windows\system32\Ojopad32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:540 -
C:\Windows\SysWOW64\Oqihnn32.exeC:\Windows\system32\Oqihnn32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3968 -
C:\Windows\SysWOW64\Ocgdji32.exeC:\Windows\system32\Ocgdji32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Ojalgcnd.exeC:\Windows\system32\Ojalgcnd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4396 -
C:\Windows\SysWOW64\Obidhaog.exeC:\Windows\system32\Obidhaog.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\Pcjapi32.exeC:\Windows\system32\Pcjapi32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4536 -
C:\Windows\SysWOW64\Pjdilcla.exeC:\Windows\system32\Pjdilcla.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Pbkamqmd.exeC:\Windows\system32\Pbkamqmd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3660 -
C:\Windows\SysWOW64\Pclneicb.exeC:\Windows\system32\Pclneicb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4900 -
C:\Windows\SysWOW64\Pjffbc32.exeC:\Windows\system32\Pjffbc32.exe23⤵
- Executes dropped EXE
PID:4464 -
C:\Windows\SysWOW64\Pqpnombl.exeC:\Windows\system32\Pqpnombl.exe24⤵
- Executes dropped EXE
PID:4828 -
C:\Windows\SysWOW64\Pcojkhap.exeC:\Windows\system32\Pcojkhap.exe25⤵
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Pjhbgb32.exeC:\Windows\system32\Pjhbgb32.exe26⤵
- Executes dropped EXE
PID:4972 -
C:\Windows\SysWOW64\Pbpjhp32.exeC:\Windows\system32\Pbpjhp32.exe27⤵
- Executes dropped EXE
PID:3656 -
C:\Windows\SysWOW64\Pcagphom.exeC:\Windows\system32\Pcagphom.exe28⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Pkhoae32.exeC:\Windows\system32\Pkhoae32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Pkjlge32.exeC:\Windows\system32\Pkjlge32.exe30⤵
- Executes dropped EXE
- Modifies registry class
PID:5028 -
C:\Windows\SysWOW64\Pnihcq32.exeC:\Windows\system32\Pnihcq32.exe31⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Pbddcoei.exeC:\Windows\system32\Pbddcoei.exe32⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Qecppkdm.exeC:\Windows\system32\Qecppkdm.exe33⤵
- Executes dropped EXE
PID:4060 -
C:\Windows\SysWOW64\Qgallfcq.exeC:\Windows\system32\Qgallfcq.exe34⤵
- Executes dropped EXE
PID:3580 -
C:\Windows\SysWOW64\Qjpiha32.exeC:\Windows\system32\Qjpiha32.exe35⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Qbgqio32.exeC:\Windows\system32\Qbgqio32.exe36⤵
- Executes dropped EXE
PID:3092 -
C:\Windows\SysWOW64\Qchmagie.exeC:\Windows\system32\Qchmagie.exe37⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Qloebdig.exeC:\Windows\system32\Qloebdig.exe38⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Qnnanphk.exeC:\Windows\system32\Qnnanphk.exe39⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Qbimoo32.exeC:\Windows\system32\Qbimoo32.exe40⤵
- Executes dropped EXE
PID:864 -
C:\Windows\SysWOW64\Aegikj32.exeC:\Windows\system32\Aegikj32.exe41⤵
- Executes dropped EXE
PID:4956 -
C:\Windows\SysWOW64\Alabgd32.exeC:\Windows\system32\Alabgd32.exe42⤵
- Executes dropped EXE
PID:4152 -
C:\Windows\SysWOW64\Anpncp32.exeC:\Windows\system32\Anpncp32.exe43⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Aejfpjne.exeC:\Windows\system32\Aejfpjne.exe44⤵PID:4516
-
C:\Windows\SysWOW64\Ahhblemi.exeC:\Windows\system32\Ahhblemi.exe45⤵
- Executes dropped EXE
PID:1396 -
C:\Windows\SysWOW64\Ajfoiqll.exeC:\Windows\system32\Ajfoiqll.exe46⤵
- Executes dropped EXE
PID:1360 -
C:\Windows\SysWOW64\Aaqgek32.exeC:\Windows\system32\Aaqgek32.exe47⤵
- Executes dropped EXE
PID:4388 -
C:\Windows\SysWOW64\Acocaf32.exeC:\Windows\system32\Acocaf32.exe48⤵
- Executes dropped EXE
PID:4068 -
C:\Windows\SysWOW64\Alfkbc32.exeC:\Windows\system32\Alfkbc32.exe49⤵
- Executes dropped EXE
PID:1840 -
C:\Windows\SysWOW64\Andgoobc.exeC:\Windows\system32\Andgoobc.exe50⤵
- Executes dropped EXE
PID:4228 -
C:\Windows\SysWOW64\Aeopki32.exeC:\Windows\system32\Aeopki32.exe51⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Ahmlgd32.exeC:\Windows\system32\Ahmlgd32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2748 -
C:\Windows\SysWOW64\Angddopp.exeC:\Windows\system32\Angddopp.exe53⤵
- Executes dropped EXE
PID:4604 -
C:\Windows\SysWOW64\Aaepqjpd.exeC:\Windows\system32\Aaepqjpd.exe54⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\Ahoimd32.exeC:\Windows\system32\Ahoimd32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3464 -
C:\Windows\SysWOW64\Ajneip32.exeC:\Windows\system32\Ajneip32.exe56⤵
- Executes dropped EXE
PID:696 -
C:\Windows\SysWOW64\Bahmfj32.exeC:\Windows\system32\Bahmfj32.exe57⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Bdfibe32.exeC:\Windows\system32\Bdfibe32.exe58⤵
- Executes dropped EXE
PID:4456 -
C:\Windows\SysWOW64\Blmacb32.exeC:\Windows\system32\Blmacb32.exe59⤵
- Executes dropped EXE
PID:4564 -
C:\Windows\SysWOW64\Bnlnon32.exeC:\Windows\system32\Bnlnon32.exe60⤵
- Executes dropped EXE
PID:4716 -
C:\Windows\SysWOW64\Bajjli32.exeC:\Windows\system32\Bajjli32.exe61⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Bdhfhe32.exeC:\Windows\system32\Bdhfhe32.exe62⤵
- Executes dropped EXE
PID:4244 -
C:\Windows\SysWOW64\Blpnib32.exeC:\Windows\system32\Blpnib32.exe63⤵
- Executes dropped EXE
PID:3360 -
C:\Windows\SysWOW64\Bnnjen32.exeC:\Windows\system32\Bnnjen32.exe64⤵
- Executes dropped EXE
PID:640 -
C:\Windows\SysWOW64\Balfaiil.exeC:\Windows\system32\Balfaiil.exe65⤵
- Executes dropped EXE
PID:448 -
C:\Windows\SysWOW64\Bdkcmdhp.exeC:\Windows\system32\Bdkcmdhp.exe66⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Blbknaib.exeC:\Windows\system32\Blbknaib.exe67⤵PID:1048
-
C:\Windows\SysWOW64\Bblckl32.exeC:\Windows\system32\Bblckl32.exe68⤵
- Modifies registry class
PID:3264 -
C:\Windows\SysWOW64\Bejogg32.exeC:\Windows\system32\Bejogg32.exe69⤵
- Drops file in System32 directory
PID:1948 -
C:\Windows\SysWOW64\Bhikcb32.exeC:\Windows\system32\Bhikcb32.exe70⤵PID:1688
-
C:\Windows\SysWOW64\Bjghpn32.exeC:\Windows\system32\Bjghpn32.exe71⤵PID:8
-
C:\Windows\SysWOW64\Bbnpqk32.exeC:\Windows\system32\Bbnpqk32.exe72⤵PID:3348
-
C:\Windows\SysWOW64\Bdolhc32.exeC:\Windows\system32\Bdolhc32.exe73⤵PID:3640
-
C:\Windows\SysWOW64\Bkidenlg.exeC:\Windows\system32\Bkidenlg.exe74⤵PID:992
-
C:\Windows\SysWOW64\Cbqlfkmi.exeC:\Windows\system32\Cbqlfkmi.exe75⤵PID:1156
-
C:\Windows\SysWOW64\Ceoibflm.exeC:\Windows\system32\Ceoibflm.exe76⤵PID:748
-
C:\Windows\SysWOW64\Chmeobkq.exeC:\Windows\system32\Chmeobkq.exe77⤵PID:3084
-
C:\Windows\SysWOW64\Cklaknjd.exeC:\Windows\system32\Cklaknjd.exe78⤵PID:4940
-
C:\Windows\SysWOW64\Cbcilkjg.exeC:\Windows\system32\Cbcilkjg.exe79⤵PID:3328
-
C:\Windows\SysWOW64\Ceaehfjj.exeC:\Windows\system32\Ceaehfjj.exe80⤵PID:1456
-
C:\Windows\SysWOW64\Chpada32.exeC:\Windows\system32\Chpada32.exe81⤵PID:1472
-
C:\Windows\SysWOW64\Cojjqlpk.exeC:\Windows\system32\Cojjqlpk.exe82⤵PID:1824
-
C:\Windows\SysWOW64\Cahfmgoo.exeC:\Windows\system32\Cahfmgoo.exe83⤵PID:1652
-
C:\Windows\SysWOW64\Cdfbibnb.exeC:\Windows\system32\Cdfbibnb.exe84⤵PID:1480
-
C:\Windows\SysWOW64\Clnjjpod.exeC:\Windows\system32\Clnjjpod.exe85⤵PID:1756
-
C:\Windows\SysWOW64\Colffknh.exeC:\Windows\system32\Colffknh.exe86⤵PID:5156
-
C:\Windows\SysWOW64\Cajcbgml.exeC:\Windows\system32\Cajcbgml.exe87⤵
- Drops file in System32 directory
PID:5192 -
C:\Windows\SysWOW64\Cdiooblp.exeC:\Windows\system32\Cdiooblp.exe88⤵PID:5228
-
C:\Windows\SysWOW64\Clpgpp32.exeC:\Windows\system32\Clpgpp32.exe89⤵PID:5264
-
C:\Windows\SysWOW64\Conclk32.exeC:\Windows\system32\Conclk32.exe90⤵
- Modifies registry class
PID:5300 -
C:\Windows\SysWOW64\Camphf32.exeC:\Windows\system32\Camphf32.exe91⤵PID:5336
-
C:\Windows\SysWOW64\Cdkldb32.exeC:\Windows\system32\Cdkldb32.exe92⤵
- Modifies registry class
PID:5372 -
C:\Windows\SysWOW64\Clbceo32.exeC:\Windows\system32\Clbceo32.exe93⤵PID:5408
-
C:\Windows\SysWOW64\Ckedalaj.exeC:\Windows\system32\Ckedalaj.exe94⤵PID:5444
-
C:\Windows\SysWOW64\Dbllbibl.exeC:\Windows\system32\Dbllbibl.exe95⤵PID:5480
-
C:\Windows\SysWOW64\Dekhneap.exeC:\Windows\system32\Dekhneap.exe96⤵PID:5516
-
C:\Windows\SysWOW64\Dhidjpqc.exeC:\Windows\system32\Dhidjpqc.exe97⤵PID:5552
-
C:\Windows\SysWOW64\Dkgqfl32.exeC:\Windows\system32\Dkgqfl32.exe98⤵
- Modifies registry class
PID:5588 -
C:\Windows\SysWOW64\Docmgjhp.exeC:\Windows\system32\Docmgjhp.exe99⤵PID:5624
-
C:\Windows\SysWOW64\Daaicfgd.exeC:\Windows\system32\Daaicfgd.exe100⤵PID:5660
-
C:\Windows\SysWOW64\Dhkapp32.exeC:\Windows\system32\Dhkapp32.exe101⤵PID:5696
-
C:\Windows\SysWOW64\Dlgmpogj.exeC:\Windows\system32\Dlgmpogj.exe102⤵PID:5732
-
C:\Windows\SysWOW64\Doeiljfn.exeC:\Windows\system32\Doeiljfn.exe103⤵PID:5768
-
C:\Windows\SysWOW64\Dadeieea.exeC:\Windows\system32\Dadeieea.exe104⤵PID:5804
-
C:\Windows\SysWOW64\Ddbbeade.exeC:\Windows\system32\Ddbbeade.exe105⤵PID:5840
-
C:\Windows\SysWOW64\Dlijfneg.exeC:\Windows\system32\Dlijfneg.exe106⤵PID:5876
-
C:\Windows\SysWOW64\Dohfbj32.exeC:\Windows\system32\Dohfbj32.exe107⤵PID:5912
-
C:\Windows\SysWOW64\Dafbne32.exeC:\Windows\system32\Dafbne32.exe108⤵PID:5948
-
C:\Windows\SysWOW64\Dddojq32.exeC:\Windows\system32\Dddojq32.exe109⤵PID:5984
-
C:\Windows\SysWOW64\Dllfkn32.exeC:\Windows\system32\Dllfkn32.exe110⤵PID:6020
-
C:\Windows\SysWOW64\Dojcgi32.exeC:\Windows\system32\Dojcgi32.exe111⤵PID:6056
-
C:\Windows\SysWOW64\Dahode32.exeC:\Windows\system32\Dahode32.exe112⤵
- Drops file in System32 directory
PID:6092 -
C:\Windows\SysWOW64\Ddgkpp32.exeC:\Windows\system32\Ddgkpp32.exe113⤵PID:6128
-
C:\Windows\SysWOW64\Dlncan32.exeC:\Windows\system32\Dlncan32.exe114⤵PID:3412
-
C:\Windows\SysWOW64\Eolpmi32.exeC:\Windows\system32\Eolpmi32.exe115⤵PID:400
-
C:\Windows\SysWOW64\Eefhjc32.exeC:\Windows\system32\Eefhjc32.exe116⤵PID:3644
-
C:\Windows\SysWOW64\Ehedfo32.exeC:\Windows\system32\Ehedfo32.exe117⤵PID:1324
-
C:\Windows\SysWOW64\Elppfmoo.exeC:\Windows\system32\Elppfmoo.exe118⤵PID:1292
-
C:\Windows\SysWOW64\Eoolbinc.exeC:\Windows\system32\Eoolbinc.exe119⤵PID:4180
-
C:\Windows\SysWOW64\Eamhodmf.exeC:\Windows\system32\Eamhodmf.exe120⤵PID:804
-
C:\Windows\SysWOW64\Ehgqln32.exeC:\Windows\system32\Ehgqln32.exe121⤵PID:5148
-
C:\Windows\SysWOW64\Ekemhj32.exeC:\Windows\system32\Ekemhj32.exe122⤵PID:5216
-
C:\Windows\SysWOW64\Ecmeig32.exeC:\Windows\system32\Ecmeig32.exe123⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5284 -
C:\Windows\SysWOW64\Eapedd32.exeC:\Windows\system32\Eapedd32.exe124⤵PID:5344
-
C:\Windows\SysWOW64\Ednaqo32.exeC:\Windows\system32\Ednaqo32.exe125⤵PID:5380
-
C:\Windows\SysWOW64\Eleiam32.exeC:\Windows\system32\Eleiam32.exe126⤵PID:5468
-
C:\Windows\SysWOW64\Eemnjbaj.exeC:\Windows\system32\Eemnjbaj.exe127⤵PID:5848
-
C:\Windows\SysWOW64\Eofbch32.exeC:\Windows\system32\Eofbch32.exe128⤵PID:5992
-
C:\Windows\SysWOW64\Edbklofb.exeC:\Windows\system32\Edbklofb.exe129⤵PID:2032
-
C:\Windows\SysWOW64\Fcckif32.exeC:\Windows\system32\Fcckif32.exe130⤵PID:4760
-
C:\Windows\SysWOW64\Fllpbldb.exeC:\Windows\system32\Fllpbldb.exe131⤵PID:3800
-
C:\Windows\SysWOW64\Fcfhof32.exeC:\Windows\system32\Fcfhof32.exe132⤵PID:6172
-
C:\Windows\SysWOW64\Ffddka32.exeC:\Windows\system32\Ffddka32.exe133⤵PID:6208
-
C:\Windows\SysWOW64\Fhcpgmjf.exeC:\Windows\system32\Fhcpgmjf.exe134⤵PID:6244
-
C:\Windows\SysWOW64\Fkalchij.exeC:\Windows\system32\Fkalchij.exe135⤵PID:6280
-
C:\Windows\SysWOW64\Fchddejl.exeC:\Windows\system32\Fchddejl.exe136⤵PID:6316
-
C:\Windows\SysWOW64\Ffgqqaip.exeC:\Windows\system32\Ffgqqaip.exe137⤵PID:6352
-
C:\Windows\SysWOW64\Fhemmlhc.exeC:\Windows\system32\Fhemmlhc.exe138⤵PID:6388
-
C:\Windows\SysWOW64\Fkciihgg.exeC:\Windows\system32\Fkciihgg.exe139⤵PID:6424
-
C:\Windows\SysWOW64\Fbnafb32.exeC:\Windows\system32\Fbnafb32.exe140⤵PID:6460
-
C:\Windows\SysWOW64\Fdlnbm32.exeC:\Windows\system32\Fdlnbm32.exe141⤵PID:6496
-
C:\Windows\SysWOW64\Flceckoj.exeC:\Windows\system32\Flceckoj.exe142⤵PID:6532
-
C:\Windows\SysWOW64\Foabofnn.exeC:\Windows\system32\Foabofnn.exe143⤵
- Modifies registry class
PID:6568 -
C:\Windows\SysWOW64\Fbpnkama.exeC:\Windows\system32\Fbpnkama.exe144⤵
- Modifies registry class
PID:6604 -
C:\Windows\SysWOW64\Fdnjgmle.exeC:\Windows\system32\Fdnjgmle.exe145⤵PID:6640
-
C:\Windows\SysWOW64\Glebhjlg.exeC:\Windows\system32\Glebhjlg.exe146⤵
- Drops file in System32 directory
PID:6676 -
C:\Windows\SysWOW64\Gododflk.exeC:\Windows\system32\Gododflk.exe147⤵PID:6712
-
C:\Windows\SysWOW64\Gfngap32.exeC:\Windows\system32\Gfngap32.exe148⤵PID:6748
-
C:\Windows\SysWOW64\Ghlcnk32.exeC:\Windows\system32\Ghlcnk32.exe149⤵PID:6784
-
C:\Windows\SysWOW64\Glhonj32.exeC:\Windows\system32\Glhonj32.exe150⤵PID:6820
-
C:\Windows\SysWOW64\Gofkje32.exeC:\Windows\system32\Gofkje32.exe151⤵PID:6856
-
C:\Windows\SysWOW64\Gbdgfa32.exeC:\Windows\system32\Gbdgfa32.exe152⤵PID:6892
-
C:\Windows\SysWOW64\Gdcdbl32.exeC:\Windows\system32\Gdcdbl32.exe153⤵PID:6928
-
C:\Windows\SysWOW64\Gmjlcj32.exeC:\Windows\system32\Gmjlcj32.exe154⤵PID:6964
-
C:\Windows\SysWOW64\Gohhpe32.exeC:\Windows\system32\Gohhpe32.exe155⤵PID:7000
-
C:\Windows\SysWOW64\Gcddpdpo.exeC:\Windows\system32\Gcddpdpo.exe156⤵
- Drops file in System32 directory
- Modifies registry class
PID:7036 -
C:\Windows\SysWOW64\Gfbploob.exeC:\Windows\system32\Gfbploob.exe157⤵PID:7072
-
C:\Windows\SysWOW64\Ghaliknf.exeC:\Windows\system32\Ghaliknf.exe158⤵PID:7108
-
C:\Windows\SysWOW64\Gkoiefmj.exeC:\Windows\system32\Gkoiefmj.exe159⤵PID:7144
-
C:\Windows\SysWOW64\Gcfqfc32.exeC:\Windows\system32\Gcfqfc32.exe160⤵PID:7184
-
C:\Windows\SysWOW64\Gfembo32.exeC:\Windows\system32\Gfembo32.exe161⤵PID:7220
-
C:\Windows\SysWOW64\Gdhmnlcj.exeC:\Windows\system32\Gdhmnlcj.exe162⤵PID:7256
-
C:\Windows\SysWOW64\Gmoeoidl.exeC:\Windows\system32\Gmoeoidl.exe163⤵PID:7292
-
C:\Windows\SysWOW64\Gomakdcp.exeC:\Windows\system32\Gomakdcp.exe164⤵PID:7328
-
C:\Windows\SysWOW64\Gblngpbd.exeC:\Windows\system32\Gblngpbd.exe165⤵PID:7364
-
C:\Windows\SysWOW64\Gdjjckag.exeC:\Windows\system32\Gdjjckag.exe166⤵PID:7400
-
C:\Windows\SysWOW64\Hmabdibj.exeC:\Windows\system32\Hmabdibj.exe167⤵PID:7436
-
C:\Windows\SysWOW64\Hopnqdan.exeC:\Windows\system32\Hopnqdan.exe168⤵PID:7472
-
C:\Windows\SysWOW64\Hbnjmp32.exeC:\Windows\system32\Hbnjmp32.exe169⤵PID:7508
-
C:\Windows\SysWOW64\Helfik32.exeC:\Windows\system32\Helfik32.exe170⤵PID:7544
-
C:\Windows\SysWOW64\Hmcojh32.exeC:\Windows\system32\Hmcojh32.exe171⤵PID:7580
-
C:\Windows\SysWOW64\Hobkfd32.exeC:\Windows\system32\Hobkfd32.exe172⤵PID:7616
-
C:\Windows\SysWOW64\Iefioj32.exeC:\Windows\system32\Iefioj32.exe173⤵PID:7836
-
C:\Windows\SysWOW64\Ikpaldog.exeC:\Windows\system32\Ikpaldog.exe174⤵PID:7876
-
C:\Windows\SysWOW64\Ibjjhn32.exeC:\Windows\system32\Ibjjhn32.exe175⤵
- Drops file in System32 directory
PID:7924 -
C:\Windows\SysWOW64\Imoneg32.exeC:\Windows\system32\Imoneg32.exe176⤵PID:7984
-
C:\Windows\SysWOW64\Iifokh32.exeC:\Windows\system32\Iifokh32.exe177⤵PID:8024
-
C:\Windows\SysWOW64\Ildkgc32.exeC:\Windows\system32\Ildkgc32.exe178⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:8088 -
C:\Windows\SysWOW64\Ickchq32.exeC:\Windows\system32\Ickchq32.exe179⤵PID:8136
-
C:\Windows\SysWOW64\Iihkpg32.exeC:\Windows\system32\Iihkpg32.exe180⤵PID:7456
-
C:\Windows\SysWOW64\Ibqpimpl.exeC:\Windows\system32\Ibqpimpl.exe181⤵PID:7428
-
C:\Windows\SysWOW64\Ieolehop.exeC:\Windows\system32\Ieolehop.exe182⤵PID:5764
-
C:\Windows\SysWOW64\Ilidbbgl.exeC:\Windows\system32\Ilidbbgl.exe183⤵
- Modifies registry class
PID:7312 -
C:\Windows\SysWOW64\Ipdqba32.exeC:\Windows\system32\Ipdqba32.exe184⤵PID:7228
-
C:\Windows\SysWOW64\Jfoiokfb.exeC:\Windows\system32\Jfoiokfb.exe185⤵PID:7152
-
C:\Windows\SysWOW64\Jmhale32.exeC:\Windows\system32\Jmhale32.exe186⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7060 -
C:\Windows\SysWOW64\Jcbihpel.exeC:\Windows\system32\Jcbihpel.exe187⤵PID:6984
-
C:\Windows\SysWOW64\Jfaedkdp.exeC:\Windows\system32\Jfaedkdp.exe188⤵
- Drops file in System32 directory
PID:1720 -
C:\Windows\SysWOW64\Jioaqfcc.exeC:\Windows\system32\Jioaqfcc.exe189⤵PID:6848
-
C:\Windows\SysWOW64\Jlnnmb32.exeC:\Windows\system32\Jlnnmb32.exe190⤵PID:6776
-
C:\Windows\SysWOW64\Jbhfjljd.exeC:\Windows\system32\Jbhfjljd.exe191⤵PID:6708
-
C:\Windows\SysWOW64\Jefbfgig.exeC:\Windows\system32\Jefbfgig.exe192⤵PID:6664
-
C:\Windows\SysWOW64\Jianff32.exeC:\Windows\system32\Jianff32.exe193⤵PID:6588
-
C:\Windows\SysWOW64\Jcgbco32.exeC:\Windows\system32\Jcgbco32.exe194⤵PID:6504
-
C:\Windows\SysWOW64\Jbjcolha.exeC:\Windows\system32\Jbjcolha.exe195⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1468 -
C:\Windows\SysWOW64\Jmpgldhg.exeC:\Windows\system32\Jmpgldhg.exe196⤵PID:1952
-
C:\Windows\SysWOW64\Jpnchp32.exeC:\Windows\system32\Jpnchp32.exe197⤵
- Modifies registry class
PID:6312 -
C:\Windows\SysWOW64\Jblpek32.exeC:\Windows\system32\Jblpek32.exe198⤵PID:4112
-
C:\Windows\SysWOW64\Jeklag32.exeC:\Windows\system32\Jeklag32.exe199⤵PID:6196
-
C:\Windows\SysWOW64\Jmbdbd32.exeC:\Windows\system32\Jmbdbd32.exe200⤵PID:5440
-
C:\Windows\SysWOW64\Jpppnp32.exeC:\Windows\system32\Jpppnp32.exe201⤵PID:5356
-
C:\Windows\SysWOW64\Kboljk32.exeC:\Windows\system32\Kboljk32.exe202⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5256 -
C:\Windows\SysWOW64\Kemhff32.exeC:\Windows\system32\Kemhff32.exe203⤵PID:5144
-
C:\Windows\SysWOW64\Kmdqgd32.exeC:\Windows\system32\Kmdqgd32.exe204⤵PID:2068
-
C:\Windows\SysWOW64\Kpbmco32.exeC:\Windows\system32\Kpbmco32.exe205⤵PID:5944
-
C:\Windows\SysWOW64\Kbaipkbi.exeC:\Windows\system32\Kbaipkbi.exe206⤵PID:3824
-
C:\Windows\SysWOW64\Kepelfam.exeC:\Windows\system32\Kepelfam.exe207⤵PID:7532
-
C:\Windows\SysWOW64\Klimip32.exeC:\Windows\system32\Klimip32.exe208⤵PID:7564
-
C:\Windows\SysWOW64\Kimnbd32.exeC:\Windows\system32\Kimnbd32.exe209⤵PID:7612
-
C:\Windows\SysWOW64\Klljnp32.exeC:\Windows\system32\Klljnp32.exe210⤵PID:5864
-
C:\Windows\SysWOW64\Kbfbkj32.exeC:\Windows\system32\Kbfbkj32.exe211⤵PID:7680
-
C:\Windows\SysWOW64\Kedoge32.exeC:\Windows\system32\Kedoge32.exe212⤵PID:7728
-
C:\Windows\SysWOW64\Kmkfhc32.exeC:\Windows\system32\Kmkfhc32.exe213⤵PID:7752
-
C:\Windows\SysWOW64\Kdeoemeg.exeC:\Windows\system32\Kdeoemeg.exe214⤵PID:7800
-
C:\Windows\SysWOW64\Kefkme32.exeC:\Windows\system32\Kefkme32.exe215⤵PID:6044
-
C:\Windows\SysWOW64\Kdgljmcd.exeC:\Windows\system32\Kdgljmcd.exe216⤵PID:5004
-
C:\Windows\SysWOW64\Lffhfh32.exeC:\Windows\system32\Lffhfh32.exe217⤵PID:7872
-
C:\Windows\SysWOW64\Lfhdlh32.exeC:\Windows\system32\Lfhdlh32.exe218⤵PID:7820
-
C:\Windows\SysWOW64\Llemdo32.exeC:\Windows\system32\Llemdo32.exe219⤵PID:8080
-
C:\Windows\SysWOW64\Ldleel32.exeC:\Windows\system32\Ldleel32.exe220⤵PID:8128
-
C:\Windows\SysWOW64\Lfkaag32.exeC:\Windows\system32\Lfkaag32.exe221⤵PID:2264
-
C:\Windows\SysWOW64\Lmdina32.exeC:\Windows\system32\Lmdina32.exe222⤵PID:6116
-
C:\Windows\SysWOW64\Lgmngglp.exeC:\Windows\system32\Lgmngglp.exe223⤵PID:7164
-
C:\Windows\SysWOW64\Lmgfda32.exeC:\Windows\system32\Lmgfda32.exe224⤵PID:8040
-
C:\Windows\SysWOW64\Lpebpm32.exeC:\Windows\system32\Lpebpm32.exe225⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:8036 -
C:\Windows\SysWOW64\Lbdolh32.exeC:\Windows\system32\Lbdolh32.exe226⤵PID:6952
-
C:\Windows\SysWOW64\Lingibiq.exeC:\Windows\system32\Lingibiq.exe227⤵PID:6840
-
C:\Windows\SysWOW64\Lllcen32.exeC:\Windows\system32\Lllcen32.exe228⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6720 -
C:\Windows\SysWOW64\Mbfkbhpa.exeC:\Windows\system32\Mbfkbhpa.exe229⤵PID:6556
-
C:\Windows\SysWOW64\Medgncoe.exeC:\Windows\system32\Medgncoe.exe230⤵PID:6452
-
C:\Windows\SysWOW64\Mmlpoqpg.exeC:\Windows\system32\Mmlpoqpg.exe231⤵PID:6344
-
C:\Windows\SysWOW64\Mpjlklok.exeC:\Windows\system32\Mpjlklok.exe232⤵PID:6268
-
C:\Windows\SysWOW64\Mgddhf32.exeC:\Windows\system32\Mgddhf32.exe233⤵PID:5968
-
C:\Windows\SysWOW64\Mibpda32.exeC:\Windows\system32\Mibpda32.exe234⤵PID:1972
-
C:\Windows\SysWOW64\Mlampmdo.exeC:\Windows\system32\Mlampmdo.exe235⤵PID:4280
-
C:\Windows\SysWOW64\Mdhdajea.exeC:\Windows\system32\Mdhdajea.exe236⤵PID:4360
-
C:\Windows\SysWOW64\Mgfqmfde.exeC:\Windows\system32\Mgfqmfde.exe237⤵PID:7480
-
C:\Windows\SysWOW64\Miemjaci.exeC:\Windows\system32\Miemjaci.exe238⤵
- Modifies registry class
PID:7552 -
C:\Windows\SysWOW64\Mmpijp32.exeC:\Windows\system32\Mmpijp32.exe239⤵PID:7608
-
C:\Windows\SysWOW64\Mdjagjco.exeC:\Windows\system32\Mdjagjco.exe240⤵PID:7656
-
C:\Windows\SysWOW64\Mgimcebb.exeC:\Windows\system32\Mgimcebb.exe241⤵PID:7720
-
C:\Windows\SysWOW64\Migjoaaf.exeC:\Windows\system32\Migjoaaf.exe242⤵PID:7776