Analysis

max time kernel: 94s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-05-2024 13:21
Behavioral task: behavioral1
  Sample: fc05d7f67a375700e42284fdf43e2bb0_NeikiAnalytics.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: fc05d7f67a375700e42284fdf43e2bb0_NeikiAnalytics.exe
  Resource: win10v2004-20240426-en
General

Target: fc05d7f67a375700e42284fdf43e2bb0_NeikiAnalytics.exe
Size: 94KB
MD5: fc05d7f67a375700e42284fdf43e2bb0
SHA1: 4f7e897276285e384782e72b56631dcf6cc82a45
SHA256: 4e63170aa477645fed390e0e02384aabf1d39d576058ea9147b0846e377898f0
SHA512: d08581f587afd4ab0cf8d98dbd94b46323b57073b46d6f1650d7a03e0eba1ce3e58fcd5ec15ef36331527036e1f0c2f510b14a9f0c2599da2b8df4f8aab47098
SSDEEP: 1536:zU3/337J13JahXZlWsDE96Js3X+PIEEUrW+B6Y3AJDGRQDsRfRa9HprmRfRZ:4P7J13+1LJs3uv5eDs5wkpv
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

Processes: Ojnblg32.exe, Ejpfhnpe.exe, Jnhpoamf.exe, Neafjdkn.exe, Joffnk32.exe, Djmibn32.exe, Pkfblfab.exe, Jmbdbd32.exe, Kiodmn32.exe, Jfaloa32.exe, Lhncdi32.exe, Jglklggl.exe, Fllpbldb.exe, Oohnonij.exe, Aimkjp32.exe, Jifhaenk.exe, Mhbmphjm.exe, Aeiofcji.exe, Cmlcbbcj.exe, Ffbnph32.exe, Ejflhm32.exe, Jgogbgei.exe, Piphgq32.exe, Mdmnlj32.exe, Qgpogili.exe, Bnpppgdj.exe, Ghklce32.exe, Lpfijcfl.exe, Lehaho32.exe, Emehdh32.exe, Ibkpcg32.exe

Every IoC below touches the same key, abbreviated [SSODL] in the table:
[SSODL] = \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
(the "Key created" rows spell it ...\Software\WOW6432Node\...; registry paths are case-insensitive.) Rows with an empty process column are entries the sandbox did not attribute to a process.

description      ioc                                                                    process
Set value (str)  [SSODL]\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"   Ojnblg32.exe
Key created      [SSODL]                                                                Ejpfhnpe.exe
Key created      [SSODL]                                                                Jnhpoamf.exe
Set value (str)  [SSODL]\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"   Neafjdkn.exe
Set value (str)  [SSODL]\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"
Key created      [SSODL]
Set value (str)  [SSODL]\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"
Key created      [SSODL]                                                                Joffnk32.exe
Key created      [SSODL]                                                                Djmibn32.exe
Set value (str)  [SSODL]\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"
Set value (str)  [SSODL]\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"   Pkfblfab.exe
Set value (str)  [SSODL]\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"   Jmbdbd32.exe
Set value (str)  [SSODL]\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"   Kiodmn32.exe
Key created      [SSODL]
Set value (str)  [SSODL]\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"
Key created      [SSODL]                                                                Jfaloa32.exe
Set value (str)  [SSODL]\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"
Set value (str)  [SSODL]\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"
Set value (str)  [SSODL]\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"
Key created      [SSODL]
Key created      [SSODL]
Key created      [SSODL]                                                                Lhncdi32.exe
Set value (str)  [SSODL]\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"   Jglklggl.exe
Set value (str)  [SSODL]\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"
Set value (str)  [SSODL]\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"   Fllpbldb.exe
Key created      [SSODL]
Key created      [SSODL]                                                                Oohnonij.exe
Set value (str)  [SSODL]\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"   Aimkjp32.exe
Set value (str)  [SSODL]\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"
Key created      [SSODL]
Key created      [SSODL]                                                                Jifhaenk.exe
Set value (str)  [SSODL]\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"
Key created      [SSODL]
Key created      [SSODL]                                                                Mhbmphjm.exe
Key created      [SSODL]                                                                Aeiofcji.exe
Set value (str)  [SSODL]\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"   Cmlcbbcj.exe
Key created      [SSODL]
Key created      [SSODL]
Set value (str)  [SSODL]\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"
Key created      [SSODL]                                                                Ffbnph32.exe
Set value (str)  [SSODL]\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"
Set value (str)  [SSODL]\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"
Key created      [SSODL]
Set value (str)  [SSODL]\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"
Set value (str)  [SSODL]\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"   Aeiofcji.exe
Key created      [SSODL]                                                                Ejflhm32.exe
Set value (str)  [SSODL]\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"   Jgogbgei.exe
Set value (str)  [SSODL]\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"   Piphgq32.exe
Key created      [SSODL]
Key created      [SSODL]                                                                Mdmnlj32.exe
Set value (str)  [SSODL]\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"
Key created      [SSODL]                                                                Qgpogili.exe
Key created      [SSODL]                                                                Bnpppgdj.exe
Set value (str)  [SSODL]\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"   Ghklce32.exe
Key created      [SSODL]
Set value (str)  [SSODL]\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"   Lpfijcfl.exe
Key created      [SSODL]                                                                Lehaho32.exe
Key created      [SSODL]                                                                Emehdh32.exe
Key created      [SSODL]
Set value (str)  [SSODL]\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"
Set value (str)  [SSODL]\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"
Key created      [SSODL]
Set value (str)  [SSODL]\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"   Ibkpcg32.exe
Key created      [SSODL]
Malware Dropper & Backdoor - Berbew (64 IoCs)

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

Processes:

resource                                                                    yara_rule
behavioral2/memory/1220-0-0x0000000000400000-0x0000000000441000-memory.dmp     family_berbew
C:\Windows\SysWOW64\Ejbkehcg.exe                                                family_berbew
behavioral2/memory/1544-12-0x0000000000400000-0x0000000000441000-memory.dmp    family_berbew
C:\Windows\SysWOW64\Epmcab32.exe                                                family_berbew
behavioral2/memory/3412-20-0x0000000000400000-0x0000000000441000-memory.dmp    family_berbew
C:\Windows\SysWOW64\Eckonn32.exe                                                family_berbew
behavioral2/memory/1604-24-0x0000000000400000-0x0000000000441000-memory.dmp    family_berbew
C:\Windows\SysWOW64\Elccfc32.exe                                                family_berbew
behavioral2/memory/4196-31-0x0000000000400000-0x0000000000441000-memory.dmp    family_berbew
C:\Windows\SysWOW64\Ebploj32.exe                                                family_berbew
behavioral2/memory/2664-40-0x0000000000400000-0x0000000000441000-memory.dmp    family_berbew
C:\Windows\SysWOW64\Ejgdpg32.exe                                                family_berbew
behavioral2/memory/1588-48-0x0000000000400000-0x0000000000441000-memory.dmp    family_berbew
C:\Windows\SysWOW64\Ecphimfb.exe                                                family_berbew
behavioral2/memory/1164-56-0x0000000000400000-0x0000000000441000-memory.dmp    family_berbew
C:\Windows\SysWOW64\Ehlaaddj.exe                                                family_berbew
behavioral2/memory/4296-64-0x0000000000400000-0x0000000000441000-memory.dmp    family_berbew
C:\Windows\SysWOW64\Eqciba32.exe                                                family_berbew
behavioral2/memory/4928-76-0x0000000000400000-0x0000000000441000-memory.dmp    family_berbew
C:\Windows\SysWOW64\Ebeejijj.exe                                                family_berbew
behavioral2/memory/3852-80-0x0000000000400000-0x0000000000441000-memory.dmp    family_berbew
C:\Windows\SysWOW64\Ejlmkgkl.exe                                                family_berbew
behavioral2/memory/396-88-0x0000000000400000-0x0000000000441000-memory.dmp     family_berbew
C:\Windows\SysWOW64\Eoifcnid.exe                                                family_berbew
behavioral2/memory/3752-95-0x0000000000400000-0x0000000000441000-memory.dmp    family_berbew
C:\Windows\SysWOW64\Ffbnph32.exe                                                family_berbew
behavioral2/memory/2020-104-0x0000000000400000-0x0000000000441000-memory.dmp   family_berbew
C:\Windows\SysWOW64\Fcgoilpj.exe                                                family_berbew
behavioral2/memory/4664-117-0x0000000000400000-0x0000000000441000-memory.dmp   family_berbew
C:\Windows\SysWOW64\Fjqgff32.exe                                                family_berbew
behavioral2/memory/4584-120-0x0000000000400000-0x0000000000441000-memory.dmp   family_berbew
C:\Windows\SysWOW64\Fqkocpod.exe                                                family_berbew
behavioral2/memory/4200-128-0x0000000000400000-0x0000000000441000-memory.dmp   family_berbew
C:\Windows\SysWOW64\Fbllkh32.exe                                                family_berbew
behavioral2/memory/4692-136-0x0000000000400000-0x0000000000441000-memory.dmp   family_berbew
C:\Windows\SysWOW64\Fifdgblo.exe                                                family_berbew
behavioral2/memory/4052-144-0x0000000000400000-0x0000000000441000-memory.dmp   family_berbew
C:\Windows\SysWOW64\Fopldmcl.exe                                                family_berbew
behavioral2/memory/1628-152-0x0000000000400000-0x0000000000441000-memory.dmp   family_berbew
C:\Windows\SysWOW64\Ffjdqg32.exe                                                family_berbew
behavioral2/memory/3960-159-0x0000000000400000-0x0000000000441000-memory.dmp   family_berbew
C:\Windows\SysWOW64\Fqohnp32.exe                                                family_berbew
behavioral2/memory/4992-168-0x0000000000400000-0x0000000000441000-memory.dmp   family_berbew
C:\Windows\SysWOW64\Fbqefhpm.exe                                                family_berbew
behavioral2/memory/4576-175-0x0000000000400000-0x0000000000441000-memory.dmp   family_berbew
C:\Windows\SysWOW64\Fjhmgeao.exe                                                family_berbew
behavioral2/memory/3716-184-0x0000000000400000-0x0000000000441000-memory.dmp   family_berbew
C:\Windows\SysWOW64\Fmficqpc.exe                                                family_berbew
behavioral2/memory/4632-192-0x0000000000400000-0x0000000000441000-memory.dmp   family_berbew
C:\Windows\SysWOW64\Fodeolof.exe                                                family_berbew
behavioral2/memory/1560-200-0x0000000000400000-0x0000000000441000-memory.dmp   family_berbew
C:\Windows\SysWOW64\Gfnnlffc.exe                                                family_berbew
behavioral2/memory/756-212-0x0000000000400000-0x0000000000441000-memory.dmp    family_berbew
C:\Windows\SysWOW64\Gimjhafg.exe                                                family_berbew
behavioral2/memory/4532-216-0x0000000000400000-0x0000000000441000-memory.dmp   family_berbew
C:\Windows\SysWOW64\Gcbnejem.exe                                                family_berbew
behavioral2/memory/3652-223-0x0000000000400000-0x0000000000441000-memory.dmp   family_berbew
C:\Windows\SysWOW64\Gfqjafdq.exe                                                family_berbew
behavioral2/memory/2024-237-0x0000000000400000-0x0000000000441000-memory.dmp   family_berbew
C:\Windows\SysWOW64\Giofnacd.exe                                                family_berbew
behavioral2/memory/4644-245-0x0000000000400000-0x0000000000441000-memory.dmp   family_berbew
C:\Windows\SysWOW64\Gqfooodg.exe                                                family_berbew
behavioral2/memory/4432-247-0x0000000000400000-0x0000000000441000-memory.dmp   family_berbew
C:\Windows\SysWOW64\Giacca32.exe                                                family_berbew
Executes dropped EXE (64 IoCs)

Processes:

pid   process
1544  Ejbkehcg.exe
3412  Epmcab32.exe
1604  Eckonn32.exe
4196  Elccfc32.exe
2664  Ebploj32.exe
1588  Ejgdpg32.exe
1164  Ecphimfb.exe
4296  Ehlaaddj.exe
4928  Eqciba32.exe
3852  Ebeejijj.exe
396   Ejlmkgkl.exe
3752  Eoifcnid.exe
2020  Ffbnph32.exe
4664  Fcgoilpj.exe
4584  Fjqgff32.exe
4200  Fqkocpod.exe
4692  Fbllkh32.exe
4052  Fifdgblo.exe
1628  Fopldmcl.exe
3960  Ffjdqg32.exe
4992  Fqohnp32.exe
4576  Fbqefhpm.exe
3716  Fjhmgeao.exe
4632  Fmficqpc.exe
1560  Fodeolof.exe
756   Gfnnlffc.exe
4532  Gimjhafg.exe
3652  Gcbnejem.exe
2024  Gfqjafdq.exe
4644  Giofnacd.exe
4432  Gqfooodg.exe
3996  Giacca32.exe
1028  Gcggpj32.exe
3664  Gjapmdid.exe
1368  Gmoliohh.exe
2360  Gpnhekgl.exe
2032  Gbldaffp.exe
3104  Gjclbc32.exe
4768  Gameonno.exe
2200  Hclakimb.exe
4920  Hfjmgdlf.exe
3812  Hihicplj.exe
4384  Hapaemll.exe
3976  Hcnnaikp.exe
3100  Hjhfnccl.exe
3492  Hmfbjnbp.exe
1972  Hpenfjad.exe
3968  Hbckbepg.exe
4608  Himcoo32.exe
4396  Hadkpm32.exe
1444  Hccglh32.exe
3520  Hjmoibog.exe
1224  Haggelfd.exe
524   Hfcpncdk.exe
5000  Hibljoco.exe
2448  Icgqggce.exe
4292  Iffmccbi.exe
2312  Iidipnal.exe
512   Iakaql32.exe
1288  Icjmmg32.exe
3808  Ifhiib32.exe
4560  Imbaemhc.exe
1636  Icljbg32.exe
632   Ijfboafl.exe
Drops file in System32 directory (64 IoCs)

Processes: Jkdnpo32.exe, Acnemi32.exe, Fqkocpod.exe, Kiggbhda.exe, Oqfdnhfk.exe, Jkomneim.exe, Blfdia32.exe, Kmfmmcbo.exe, Ligqhc32.exe, Jdcpcf32.exe, Pnlaml32.exe, Pndohaqe.exe, Gcddpdpo.exe, Klimip32.exe, Djgjlelk.exe, Jghabl32.exe, Olhlhjpd.exe, Pedbahod.exe, Gcbnejem.exe, Hammhcij.exe, Gfembo32.exe, Mffjcopi.exe, Qqhcpo32.exe, Dinmhkke.exe, Fbqefhpm.exe, Mgghhlhq.exe, Kbceejpf.exe, Cnffqf32.exe, Ghpendjj.exe, Jpmlnjco.exe, Iinlemia.exe, Laalifad.exe, Kimnbd32.exe, Qcgffqei.exe, Fkcboack.exe, Lelchgne.exe, Jcioiood.exe, Dpckjfgg.exe

Rows with an empty process column are entries the sandbox did not attribute to a process.

description                   ioc                                   process
File opened for modification  C:\Windows\SysWOW64\Oclkgccf.exe
File created                  C:\Windows\SysWOW64\Lppaheqp.dll      Jkdnpo32.exe
File created                  C:\Windows\SysWOW64\Aflaie32.exe      Acnemi32.exe
File created                  C:\Windows\SysWOW64\Fkemhahj.dll
File created                  C:\Windows\SysWOW64\Aekddhcb.exe
File opened for modification  C:\Windows\SysWOW64\Dijbno32.exe
File created                  C:\Windows\SysWOW64\Jlolpq32.exe
File created                  C:\Windows\SysWOW64\Gddfpk32.dll      Fqkocpod.exe
File created                  C:\Windows\SysWOW64\Kgjgne32.exe      Kiggbhda.exe
File created                  C:\Windows\SysWOW64\Madjhb32.exe
File created                  C:\Windows\SysWOW64\Bldqfd32.dll
File created                  C:\Windows\SysWOW64\Ineedcfb.dll
File opened for modification  C:\Windows\SysWOW64\Cgfbbb32.exe
File opened for modification  C:\Windows\SysWOW64\Ogpmjb32.exe      Oqfdnhfk.exe
File opened for modification  C:\Windows\SysWOW64\Jnmijq32.exe      Jkomneim.exe
File opened for modification  C:\Windows\SysWOW64\Afgacokc.exe
File created                  C:\Windows\SysWOW64\Cbqlfkmi.exe      Blfdia32.exe
File created                  C:\Windows\SysWOW64\Klimip32.exe      Kmfmmcbo.exe
File created                  C:\Windows\SysWOW64\Llemdo32.exe      Ligqhc32.exe
File created                  C:\Windows\SysWOW64\Nffaen32.dll
File opened for modification  C:\Windows\SysWOW64\Jfaloa32.exe      Jdcpcf32.exe
File created                  C:\Windows\SysWOW64\Elocna32.dll      Pnlaml32.exe
File created                  C:\Windows\SysWOW64\Pmiikh32.exe
File created                  C:\Windows\SysWOW64\Lckggdbo.dll
File opened for modification  C:\Windows\SysWOW64\Nclikl32.exe
File created                  C:\Windows\SysWOW64\Pengdk32.exe      Pndohaqe.exe
File created                  C:\Windows\SysWOW64\Dekclg32.dll      Gcddpdpo.exe
File created                  C:\Windows\SysWOW64\Kbceejpf.exe      Klimip32.exe
File created                  C:\Windows\SysWOW64\Dmefhako.exe      Djgjlelk.exe
File opened for modification  C:\Windows\SysWOW64\Knbiofhg.exe      Jghabl32.exe
File created                  C:\Windows\SysWOW64\Gjfnedho.exe
File opened for modification  C:\Windows\SysWOW64\Odocigqg.exe      Olhlhjpd.exe
File created                  C:\Windows\SysWOW64\Moefhk32.dll      Pedbahod.exe
File created                  C:\Windows\SysWOW64\Ioenpjfm.dll
File created                  C:\Windows\SysWOW64\Qahlom32.dll
File opened for modification  C:\Windows\SysWOW64\Gfqjafdq.exe      Gcbnejem.exe
File created                  C:\Windows\SysWOW64\Anhginhk.dll      Hammhcij.exe
File created                  C:\Windows\SysWOW64\Igpdfb32.exe
File created                  C:\Windows\SysWOW64\Hlkfbocp.exe
File created                  C:\Windows\SysWOW64\Jgbcdnbb.dll      Gfembo32.exe
File created                  C:\Windows\SysWOW64\Pbplbf32.dll      Mffjcopi.exe
File created                  C:\Windows\SysWOW64\Blcnqjjo.dll
File created                  C:\Windows\SysWOW64\Leckbi32.dll      Qqhcpo32.exe
File created                  C:\Windows\SysWOW64\Cpjdachc.dll      Dinmhkke.exe
File opened for modification  C:\Windows\SysWOW64\Fjhmgeao.exe      Fbqefhpm.exe
File created                  C:\Windows\SysWOW64\Pdgdjjem.dll      Mgghhlhq.exe
File created                  C:\Windows\SysWOW64\Kfoafi32.exe      Kbceejpf.exe
File created                  C:\Windows\SysWOW64\Kdqjac32.dll      Cnffqf32.exe
File created                  C:\Windows\SysWOW64\Fddanicf.dll      Ghpendjj.exe
File opened for modification  C:\Windows\SysWOW64\Jblijebc.exe      Jpmlnjco.exe
File created                  C:\Windows\SysWOW64\Jkchlonc.dll
File created                  C:\Windows\SysWOW64\Eeelnp32.exe
File opened for modification  C:\Windows\SysWOW64\Nfaemp32.exe
File created                  C:\Windows\SysWOW64\Ppcbba32.dll
File opened for modification  C:\Windows\SysWOW64\Jaedgjjd.exe      Iinlemia.exe
File opened for modification  C:\Windows\SysWOW64\Ldohebqh.exe      Laalifad.exe
File created                  C:\Windows\SysWOW64\Klljnp32.exe      Kimnbd32.exe
File created                  C:\Windows\SysWOW64\Qffbbldm.exe      Qcgffqei.exe
File opened for modification  C:\Windows\SysWOW64\Famjkl32.exe      Fkcboack.exe
File created                  C:\Windows\SysWOW64\Lkpkgebb.dll      Lelchgne.exe
File created                  C:\Windows\SysWOW64\Ckbcpc32.dll
File created                  C:\Windows\SysWOW64\Jfhlejnh.exe      Jcioiood.exe
File created                  C:\Windows\SysWOW64\Knbiofhg.exe      Jghabl32.exe
File created                  C:\Windows\SysWOW64\Jhkjmn32.dll      Dpckjfgg.exe
Program crash (1 IoC)

Processes:

pid    pid_target  process  target process
19084  19008
Modifies registry class (64 IoCs)

Processes: Ffbnph32.exe, Onmhgb32.exe, Ibagcc32.exe, Nnolfdcn.exe, Hgghjjid.exe, Nhpbfpka.exe, Idebdcdo.exe, Cjaifp32.exe, Jdgafjpn.exe, Lgneampk.exe, Jfcbjk32.exe, Afmhck32.exe, Bmemac32.exe, Cajcbgml.exe, Neffpj32.exe, Jhpqaiji.exe, Eaakpm32.exe, Mfhfhong.exe, Gcbnejem.exe, Ajiknpjj.exe, Iicbehnq.exe, Ippggbck.exe, Pjeoglgc.exe, Lekehdgp.exe, Fgppmd32.exe, Amodep32.exe, Ggkiol32.exe, Jidbflcj.exe, Kagichjo.exe, Lpfijcfl.exe, Aelcfilb.exe, Kmfmmcbo.exe

Every IoC below touches the InProcServer32 subkey of the CLSID that the ShellServiceObjectDelayLoad value above points at, abbreviated [IPS] in the table:
[IPS] = \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32
"(default)" is the key's unnamed default value (shown as "InProcServer32\ =" in the raw report), which is the DLL path COM loads. Rows with an empty process column are entries the sandbox did not attribute to a process.

description      ioc                                                         process
Set value (str)  [IPS]\(default) = "C:\\Windows\\SysWow64\\Ikjllm32.dll"
Set value (str)  [IPS]\ThreadingModel = "Apartment"
Key created      [IPS]
Key created      [IPS]                                                       Ffbnph32.exe
Set value (str)  [IPS]\(default) = "C:\\Windows\\SysWow64\\Dboiieof.dll"    Onmhgb32.exe
Set value (str)  [IPS]\(default) = "C:\\Windows\\SysWow64\\Ajihlijd.dll"
Set value (str)  [IPS]\ThreadingModel = "Apartment"
Set value (str)  [IPS]\ThreadingModel = "Apartment"
Set value (str)  [IPS]\ThreadingModel = "Apartment"                         Ibagcc32.exe
Set value (str)  [IPS]\ThreadingModel = "Apartment"                         Nnolfdcn.exe
Set value (str)  [IPS]\ThreadingModel = "Apartment"                         Hgghjjid.exe
Key created      [IPS]                                                       Nhpbfpka.exe
Set value (str)  [IPS]\(default) = "C:\\Windows\\SysWow64\\Faoiogei.dll"
Set value (str)  [IPS]\ThreadingModel = "Apartment"
Set value (str)  [IPS]\(default) = "C:\\Windows\\SysWow64\\Cocopa32.dll"
Set value (str)  [IPS]\(default) = "C:\\Windows\\SysWow64\\Dhkehk32.dll"    Idebdcdo.exe
Key created      [IPS]                                                       Cjaifp32.exe
Key created      [IPS]                                                       Jdgafjpn.exe
Key created      [IPS]
Set value (str)  [IPS]\ThreadingModel = "Apartment"
Set value (str)  [IPS]\(default) = "C:\\Windows\\SysWow64\\Ekiidlll.dll"    Lgneampk.exe
Key created      [IPS]                                                       Jfcbjk32.exe
Key created      [IPS]                                                       Afmhck32.exe
Set value (str)  [IPS]\(default) = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"    Bmemac32.exe
Key created      [IPS]
Set value (str)  [IPS]\ThreadingModel = "Apartment"                         Cajcbgml.exe
Key created      [IPS]                                                       Neffpj32.exe
Set value (str)  [IPS]\ThreadingModel = "Apartment"
Key created      [IPS]                                                       Jhpqaiji.exe
Set value (str)  [IPS]\(default) = "C:\\Windows\\SysWow64\\Ehqkihfg.dll"
Key created      [IPS]
Set value (str)  [IPS]\ThreadingModel = "Apartment"
Set value (str)  [IPS]\ThreadingModel = "Apartment"
Key created      [IPS]                                                       Eaakpm32.exe
Key created      [IPS]                                                       Mfhfhong.exe
Set value (str)  [IPS]\ThreadingModel = "Apartment"
Key created      [IPS]                                                       Gcbnejem.exe
Set value (str)  [IPS]\ThreadingModel = "Apartment"                         Ajiknpjj.exe
Set value (str)  [IPS]\ThreadingModel = "Apartment"                         Iicbehnq.exe
Set value (str)  [IPS]\(default) = "C:\\Windows\\SysWow64\\Laapnj32.dll"    Ippggbck.exe
Key created      [IPS]                                                       Pjeoglgc.exe
Set value (str)  [IPS]\ThreadingModel = "Apartment"
Key created      [IPS]                                                       Lekehdgp.exe
Key created      [IPS]                                                       Fgppmd32.exe
Key created      [IPS]
Set value (str)  [IPS]\(default) = "C:\\Windows\\SysWow64\\Hgdlndji.dll"    Amodep32.exe
Set value (str)  [IPS]\(default) = "C:\\Windows\\SysWow64\\Hepfdc32.dll"    Ggkiol32.exe
Set value (str)  [IPS]\(default) = "C:\\Windows\\SysWow64\\Hllbndih.dll"
Set value (str)  [IPS]\ThreadingModel = "Apartment"                         Jidbflcj.exe
Set value (str)  [IPS]\ThreadingModel = "Apartment"                         Kagichjo.exe
Set value (str)  [IPS]\ThreadingModel = "Apartment"                         Lpfijcfl.exe
Set value (str)  [IPS]\ThreadingModel = "Apartment"                         Aelcfilb.exe
Set value (str)  [IPS]\(default) = "C:\\Windows\\SysWow64\\Djkahqga.dll"    Kmfmmcbo.exe
Key created      [IPS]
Set value (str)  [IPS]\(default) = "C:\\Windows\\SysWow64\\Lhlndcmq.dll"
Set value (str)  [IPS]\ThreadingModel = "Apartment"
Key created      [IPS]
Set value (str)  [IPS]\ThreadingModel = "Apartment"
Set value (str)  [IPS]\(default) = "C:\\Windows\\SysWow64\\Giidol32.dll"
Key created      [IPS]
Set value (str)  [IPS]\(default) = "C:\\Windows\\SysWow64\\Kbjodaqj.dll"
Set value (str)  [IPS]\(default) = "C:\\Windows\\SysWow64\\Pqhfnd32.dll"
Set value (str)  [IPS]\ThreadingModel = "Apartment"
Set value (str)  [IPS]\(default) = "C:\\Windows\\SysWow64\\Npdpachh.dll"
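The two registry signatures above ("Adds autorun key to be loaded by Explorer.exe on startup" and "Modifies registry class") are the two halves of one persistence mechanism. At logon Explorer enumerates every value under ShellServiceObjectDelayLoad, treats each value as a CLSID and loads that CLSID's InProcServer32 DLL into its own process; here the value "Web Event Logger" names {79ECA078-17FF-726B-E811-213280E5C831}, and each link in the chain rewrites that CLSID's InProcServer32 to the DLL it just dropped in C:\Windows\SysWow64, so whichever DLL was written last is what Explorer loads. The PowerShell below is an added triage script, not part of the sandbox report and not a vendor tool: it walks both registry views of the key, resolves each CLSID to its DLL, checks that the file exists and carries a valid Microsoft Authenticode signature, and flags the exact indicators from this report. Run it elevated on the host being examined; the function and variable names are ours.

```powershell
# Added example (not part of the sandbox report): enumerate ShellServiceObjectDelayLoad
# in both registry views, resolve each CLSID to its InProcServer32 DLL and check the DLL's
# signature. Run as Administrator on the host being triaged.

# Indicators taken from the report above; any other hit is a heuristic finding.
$KnownBadClsid     = '{79ECA078-17FF-726B-E811-213280E5C831}'
$KnownBadValueName = 'Web Event Logger'

# Explorer consults the native key; 32-bit writers (this sample) land in WOW6432Node.
$SsodlKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
)

function Resolve-SsodlEntry {
    param([string]$SsodlKey, [string]$ValueName, [string]$Clsid)

    # A WOW64 SSODL entry is resolved against the WOW64 CLSID hive, as COM would.
    $is32      = $SsodlKey -like '*WOW6432Node*'
    $clsidRoot = if ($is32) { 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID' } else { 'HKLM:\SOFTWARE\Classes\CLSID' }
    $ipsKey    = Join-Path $clsidRoot "$Clsid\InProcServer32"

    $dll = $null; $threading = $null
    if (Test-Path -LiteralPath $ipsKey) {
        $props     = Get-ItemProperty -LiteralPath $ipsKey
        $dll       = $props.'(default)'        # the unnamed default value = DLL path
        $threading = $props.ThreadingModel
    }

    $sig = $null; $exists = $false
    if ($dll) {
        $expanded = [Environment]::ExpandEnvironmentVariables($dll)
        $exists   = Test-Path -LiteralPath $expanded
        if ($exists) { $sig = Get-AuthenticodeSignature -FilePath $expanded }
    }

    $reasons = @()
    if ($Clsid -ieq $KnownBadClsid)         { $reasons += 'CLSID matches Berbew report' }
    if ($ValueName -ieq $KnownBadValueName) { $reasons += 'value name matches Berbew report' }
    if (-not $dll)                          { $reasons += 'CLSID has no InProcServer32' }
    elseif (-not $exists)                   { $reasons += 'InProcServer32 DLL missing on disk' }
    elseif ($sig.Status -ne 'Valid')        { $reasons += "signature status $($sig.Status)" }
    elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') { $reasons += 'not Microsoft-signed' }

    [pscustomobject]@{
        View       = if ($is32) { 'WOW64' } else { 'Native' }
        ValueName  = $ValueName
        Clsid      = $Clsid
        Dll        = $dll
        Threading  = $threading
        Suspicious = ($reasons.Count -gt 0)
        Reason     = ($reasons -join '; ')
    }
}

$results = foreach ($key in $SsodlKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        Resolve-SsodlEntry -SsodlKey $key -ValueName $name -Clsid ([string]$item.GetValue($name))
    }
}

$results | Format-Table -AutoSize
```

On a clean machine the output should contain only Microsoft-signed entries (or none); a row whose DLL is an eight-character name under C:\Windows\SysWow64 with no valid signature is the pattern this report shows. Remediation must remove both the SSODL value and the CLSID key, and the DLL it names; deleting only the DLL leaves a dangling CLSID that the next dropped binary can simply repoint.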
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Process tree. Each entry is: nesting depth: image path, command line, PID - triggered signatures (if any).
1: C:\Users\Admin\AppData\Local\Temp\fc05d7f67a375700e42284fdf43e2bb0_NeikiAnalytics.exe, cmdline "C:\Users\Admin\AppData\Local\Temp\fc05d7f67a375700e42284fdf43e2bb0_NeikiAnalytics.exe", PID 1220 - Suspicious use of WriteProcessMemory
2: C:\Windows\SysWOW64\Ejbkehcg.exe, cmdline C:\Windows\system32\Ejbkehcg.exe, PID 1544 - Executes dropped EXE; Suspicious use of WriteProcessMemory
3: C:\Windows\SysWOW64\Epmcab32.exe, cmdline C:\Windows\system32\Epmcab32.exe, PID 3412 - Executes dropped EXE; Suspicious use of WriteProcessMemory
4: C:\Windows\SysWOW64\Eckonn32.exe, cmdline C:\Windows\system32\Eckonn32.exe, PID 1604 - Executes dropped EXE; Suspicious use of WriteProcessMemory
5: C:\Windows\SysWOW64\Elccfc32.exe, cmdline C:\Windows\system32\Elccfc32.exe, PID 4196 - Executes dropped EXE; Suspicious use of WriteProcessMemory
6: C:\Windows\SysWOW64\Ebploj32.exe, cmdline C:\Windows\system32\Ebploj32.exe, PID 2664 - Executes dropped EXE; Suspicious use of WriteProcessMemory
7: C:\Windows\SysWOW64\Ejgdpg32.exe, cmdline C:\Windows\system32\Ejgdpg32.exe, PID 1588 - Executes dropped EXE; Suspicious use of WriteProcessMemory
8: C:\Windows\SysWOW64\Ecphimfb.exe, cmdline C:\Windows\system32\Ecphimfb.exe, PID 1164 - Executes dropped EXE; Suspicious use of WriteProcessMemory
9: C:\Windows\SysWOW64\Ehlaaddj.exe, cmdline C:\Windows\system32\Ehlaaddj.exe, PID 4296 - Executes dropped EXE; Suspicious use of WriteProcessMemory
10: C:\Windows\SysWOW64\Eqciba32.exe, cmdline C:\Windows\system32\Eqciba32.exe, PID 4928 - Executes dropped EXE; Suspicious use of WriteProcessMemory
11: C:\Windows\SysWOW64\Ebeejijj.exe, cmdline C:\Windows\system32\Ebeejijj.exe, PID 3852 - Executes dropped EXE; Suspicious use of WriteProcessMemory
12: C:\Windows\SysWOW64\Ejlmkgkl.exe, cmdline C:\Windows\system32\Ejlmkgkl.exe, PID 396 - Executes dropped EXE; Suspicious use of WriteProcessMemory
13: C:\Windows\SysWOW64\Eoifcnid.exe, cmdline C:\Windows\system32\Eoifcnid.exe, PID 3752 - Executes dropped EXE; Suspicious use of WriteProcessMemory
14: C:\Windows\SysWOW64\Ffbnph32.exe, cmdline C:\Windows\system32\Ffbnph32.exe, PID 2020 - Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
15: C:\Windows\SysWOW64\Fcgoilpj.exe, cmdline C:\Windows\system32\Fcgoilpj.exe, PID 4664 - Executes dropped EXE; Suspicious use of WriteProcessMemory
16: C:\Windows\SysWOW64\Fjqgff32.exe, cmdline C:\Windows\system32\Fjqgff32.exe, PID 4584 - Executes dropped EXE; Suspicious use of WriteProcessMemory
17: C:\Windows\SysWOW64\Fqkocpod.exe, cmdline C:\Windows\system32\Fqkocpod.exe, PID 4200 - Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
18: C:\Windows\SysWOW64\Fbllkh32.exe, cmdline C:\Windows\system32\Fbllkh32.exe, PID 4692 - Executes dropped EXE; Suspicious use of WriteProcessMemory
19: C:\Windows\SysWOW64\Fifdgblo.exe, cmdline C:\Windows\system32\Fifdgblo.exe, PID 4052 - Executes dropped EXE; Suspicious use of WriteProcessMemory
20: C:\Windows\SysWOW64\Fopldmcl.exe, cmdline C:\Windows\system32\Fopldmcl.exe, PID 1628 - Executes dropped EXE; Suspicious use of WriteProcessMemory
21: C:\Windows\SysWOW64\Ffjdqg32.exe, cmdline C:\Windows\system32\Ffjdqg32.exe, PID 3960 - Executes dropped EXE; Suspicious use of WriteProcessMemory
22: C:\Windows\SysWOW64\Fqohnp32.exe, cmdline C:\Windows\system32\Fqohnp32.exe, PID 4992 - Executes dropped EXE; Suspicious use of WriteProcessMemory
23: C:\Windows\SysWOW64\Fbqefhpm.exe, cmdline C:\Windows\system32\Fbqefhpm.exe, PID 4576 - Executes dropped EXE; Drops file in System32 directory
24: C:\Windows\SysWOW64\Fjhmgeao.exe, cmdline C:\Windows\system32\Fjhmgeao.exe, PID 3716 - Executes dropped EXE
25: C:\Windows\SysWOW64\Fmficqpc.exe, cmdline C:\Windows\system32\Fmficqpc.exe, PID 4632 - Executes dropped EXE
26: C:\Windows\SysWOW64\Fodeolof.exe, cmdline C:\Windows\system32\Fodeolof.exe, PID 1560 - Executes dropped EXE
27: C:\Windows\SysWOW64\Gfnnlffc.exe, cmdline C:\Windows\system32\Gfnnlffc.exe, PID 756 - Executes dropped EXE
28: C:\Windows\SysWOW64\Gimjhafg.exe, cmdline C:\Windows\system32\Gimjhafg.exe, PID 4532 - Executes dropped EXE
29: C:\Windows\SysWOW64\Gcbnejem.exe, cmdline C:\Windows\system32\Gcbnejem.exe, PID 3652 - Executes dropped EXE; Drops file in System32 directory; Modifies registry class
30: C:\Windows\SysWOW64\Gfqjafdq.exe, cmdline C:\Windows\system32\Gfqjafdq.exe, PID 2024 - Executes dropped EXE
31: C:\Windows\SysWOW64\Giofnacd.exe, cmdline C:\Windows\system32\Giofnacd.exe, PID 4644 - Executes dropped EXE
32: C:\Windows\SysWOW64\Gqfooodg.exe, cmdline C:\Windows\system32\Gqfooodg.exe, PID 4432 - Executes dropped EXE
33: C:\Windows\SysWOW64\Giacca32.exe, cmdline C:\Windows\system32\Giacca32.exe, PID 3996 - Executes dropped EXE
34: C:\Windows\SysWOW64\Gcggpj32.exe, cmdline C:\Windows\system32\Gcggpj32.exe, PID 1028 - Executes dropped EXE
35: C:\Windows\SysWOW64\Gbjhlfhb.exe, cmdline C:\Windows\system32\Gbjhlfhb.exe, PID 3708
36: C:\Windows\SysWOW64\Gjapmdid.exe, cmdline C:\Windows\system32\Gjapmdid.exe, PID 3664 - Executes dropped EXE
37: C:\Windows\SysWOW64\Gmoliohh.exe, cmdline C:\Windows\system32\Gmoliohh.exe, PID 1368 - Executes dropped EXE
38: C:\Windows\SysWOW64\Gpnhekgl.exe, cmdline C:\Windows\system32\Gpnhekgl.exe, PID 2360 - Executes dropped EXE
39: C:\Windows\SysWOW64\Gbldaffp.exe, cmdline C:\Windows\system32\Gbldaffp.exe, PID 2032 - Executes dropped EXE
40: C:\Windows\SysWOW64\Gjclbc32.exe, cmdline C:\Windows\system32\Gjclbc32.exe, PID 3104 - Executes dropped EXE
41: C:\Windows\SysWOW64\Gameonno.exe, cmdline C:\Windows\system32\Gameonno.exe, PID 4768 - Executes dropped EXE
42: C:\Windows\SysWOW64\Hclakimb.exe, cmdline C:\Windows\system32\Hclakimb.exe, PID 2200 - Executes dropped EXE
43: C:\Windows\SysWOW64\Hfjmgdlf.exe, cmdline C:\Windows\system32\Hfjmgdlf.exe, PID 4920 - Executes dropped EXE
44: C:\Windows\SysWOW64\Hihicplj.exe, cmdline C:\Windows\system32\Hihicplj.exe, PID 3812 - Executes dropped EXE
45: C:\Windows\SysWOW64\Hapaemll.exe, cmdline C:\Windows\system32\Hapaemll.exe, PID 4384 - Executes dropped EXE
46: C:\Windows\SysWOW64\Hcnnaikp.exe, cmdline C:\Windows\system32\Hcnnaikp.exe, PID 3976 - Executes dropped EXE
47: C:\Windows\SysWOW64\Hjhfnccl.exe, cmdline C:\Windows\system32\Hjhfnccl.exe, PID 3100 - Executes dropped EXE
48: C:\Windows\SysWOW64\Hmfbjnbp.exe, cmdline C:\Windows\system32\Hmfbjnbp.exe, PID 3492 - Executes dropped EXE
49: C:\Windows\SysWOW64\Hpenfjad.exe, cmdline C:\Windows\system32\Hpenfjad.exe, PID 1972 - Executes dropped EXE
50: C:\Windows\SysWOW64\Hbckbepg.exe, cmdline C:\Windows\system32\Hbckbepg.exe, PID 3968 - Executes dropped EXE
51: C:\Windows\SysWOW64\Himcoo32.exe, cmdline C:\Windows\system32\Himcoo32.exe, PID 4608 - Executes dropped EXE
52: C:\Windows\SysWOW64\Hadkpm32.exe, cmdline C:\Windows\system32\Hadkpm32.exe, PID 4396 - Executes dropped EXE
53: C:\Windows\SysWOW64\Hccglh32.exe, cmdline C:\Windows\system32\Hccglh32.exe, PID 1444 - Executes dropped EXE
54: C:\Windows\SysWOW64\Hjmoibog.exe, cmdline C:\Windows\system32\Hjmoibog.exe, PID 3520 - Executes dropped EXE
55: C:\Windows\SysWOW64\Haggelfd.exe, cmdline C:\Windows\system32\Haggelfd.exe, PID 1224 - Executes dropped EXE
56: C:\Windows\SysWOW64\Hfcpncdk.exe, cmdline C:\Windows\system32\Hfcpncdk.exe, PID 524 - Executes dropped EXE
57: C:\Windows\SysWOW64\Hibljoco.exe, cmdline C:\Windows\system32\Hibljoco.exe, PID 5000 - Executes dropped EXE
58: C:\Windows\SysWOW64\Icgqggce.exe, cmdline C:\Windows\system32\Icgqggce.exe, PID 2448 - Executes dropped EXE
59: C:\Windows\SysWOW64\Iffmccbi.exe, cmdline C:\Windows\system32\Iffmccbi.exe, PID 4292 - Executes dropped EXE
60: C:\Windows\SysWOW64\Iidipnal.exe, cmdline C:\Windows\system32\Iidipnal.exe, PID 2312 - Executes dropped EXE
61: C:\Windows\SysWOW64\Iakaql32.exe, cmdline C:\Windows\system32\Iakaql32.exe, PID 512 - Executes dropped EXE
62: C:\Windows\SysWOW64\Icjmmg32.exe, cmdline C:\Windows\system32\Icjmmg32.exe, PID 1288 - Executes dropped EXE
63: C:\Windows\SysWOW64\Ifhiib32.exe, cmdline C:\Windows\system32\Ifhiib32.exe, PID 3808 - Executes dropped EXE
64: C:\Windows\SysWOW64\Imbaemhc.exe, cmdline C:\Windows\system32\Imbaemhc.exe, PID 4560 - Executes dropped EXE
65: C:\Windows\SysWOW64\Icljbg32.exe, cmdline C:\Windows\system32\Icljbg32.exe, PID 1636 - Executes dropped EXE
66: C:\Windows\SysWOW64\Ijfboafl.exe, cmdline C:\Windows\system32\Ijfboafl.exe, PID 632 - Executes dropped EXE
67: C:\Windows\SysWOW64\Iapjlk32.exe, cmdline C:\Windows\system32\Iapjlk32.exe, PID 996
68: C:\Windows\SysWOW64\Idofhfmm.exe, cmdline C:\Windows\system32\Idofhfmm.exe, PID 2960
69: C:\Windows\SysWOW64\Ibagcc32.exe, cmdline C:\Windows\system32\Ibagcc32.exe, PID 4168 - Modifies registry class
70: C:\Windows\SysWOW64\Ijhodq32.exe, cmdline C:\Windows\system32\Ijhodq32.exe, PID 1496
71: C:\Windows\SysWOW64\Iabgaklg.exe, cmdline C:\Windows\system32\Iabgaklg.exe, PID 1100
72: C:\Windows\SysWOW64\Ifopiajn.exe, cmdline C:\Windows\system32\Ifopiajn.exe, PID 4708
73: C:\Windows\SysWOW64\Iinlemia.exe, cmdline C:\Windows\system32\Iinlemia.exe, PID 3936 - Drops file in System32 directory
74: C:\Windows\SysWOW64\Jaedgjjd.exe, cmdline C:\Windows\system32\Jaedgjjd.exe, PID 4784
75: C:\Windows\SysWOW64\Jdcpcf32.exe, cmdline C:\Windows\system32\Jdcpcf32.exe, PID 3944 - Drops file in System32 directory
76: C:\Windows\SysWOW64\Jfaloa32.exe, cmdline C:\Windows\system32\Jfaloa32.exe, PID 4032 - Adds autorun key to be loaded by Explorer.exe on startup
77: C:\Windows\SysWOW64\Jmkdlkph.exe, cmdline C:\Windows\system32\Jmkdlkph.exe, PID 1420
78: C:\Windows\SysWOW64\Jpjqhgol.exe, cmdline C:\Windows\system32\Jpjqhgol.exe, PID 924
79: C:\Windows\SysWOW64\Jfdida32.exe, cmdline C:\Windows\system32\Jfdida32.exe, PID 2088
80: C:\Windows\SysWOW64\Jmnaakne.exe, cmdline C:\Windows\system32\Jmnaakne.exe, PID 2896
81: C:\Windows\SysWOW64\Jdhine32.exe, cmdline C:\Windows\system32\Jdhine32.exe, PID 732
82: C:\Windows\SysWOW64\Jfffjqdf.exe, cmdline C:\Windows\system32\Jfffjqdf.exe, PID 392
83: C:\Windows\SysWOW64\Jidbflcj.exe, cmdline C:\Windows\system32\Jidbflcj.exe, PID 4996 - Modifies registry class
84: C:\Windows\SysWOW64\Jaljgidl.exe, cmdline C:\Windows\system32\Jaljgidl.exe, PID 1192
85: C:\Windows\SysWOW64\Jdjfcecp.exe, cmdline C:\Windows\system32\Jdjfcecp.exe, PID 4308
86: C:\Windows\SysWOW64\Jkdnpo32.exe, cmdline C:\Windows\system32\Jkdnpo32.exe, PID 3152 - Drops file in System32 directory
87: C:\Windows\SysWOW64\Jangmibi.exe, cmdline C:\Windows\system32\Jangmibi.exe, PID 4060
88: C:\Windows\SysWOW64\Jdmcidam.exe, cmdline C:\Windows\system32\Jdmcidam.exe, PID 544
89: C:\Windows\SysWOW64\Jkfkfohj.exe, cmdline C:\Windows\system32\Jkfkfohj.exe, PID 4508
90: C:\Windows\SysWOW64\Kgmlkp32.exe, cmdline C:\Windows\system32\Kgmlkp32.exe, PID 4024
91: C:\Windows\SysWOW64\Kilhgk32.exe, cmdline C:\Windows\system32\Kilhgk32.exe, PID 4220
92: C:\Windows\SysWOW64\Kacphh32.exe, cmdline C:\Windows\system32\Kacphh32.exe, PID 4952
93: C:\Windows\SysWOW64\Kbdmpqcb.exe, cmdline C:\Windows\system32\Kbdmpqcb.exe, PID 720
94: C:\Windows\SysWOW64\Kphmie32.exe, cmdline C:\Windows\system32\Kphmie32.exe, PID 2388
95: C:\Windows\SysWOW64\Kknafn32.exe, cmdline C:\Windows\system32\Kknafn32.exe, PID 2440
96: C:\Windows\SysWOW64\Kagichjo.exe, cmdline C:\Windows\system32\Kagichjo.exe, PID 3712 - Modifies registry class
97: C:\Windows\SysWOW64\Kpjjod32.exe, cmdline C:\Windows\system32\Kpjjod32.exe, PID 3348
98: C:\Windows\SysWOW64\Kcifkp32.exe, cmdline C:\Windows\system32\Kcifkp32.exe, PID 2544
99: C:\Windows\SysWOW64\Kibnhjgj.exe, cmdline C:\Windows\system32\Kibnhjgj.exe, PID 4964
100: C:\Windows\SysWOW64\Kajfig32.exe, cmdline C:\Windows\system32\Kajfig32.exe, PID 1372
101: C:\Windows\SysWOW64\Kdhbec32.exe, cmdline C:\Windows\system32\Kdhbec32.exe, PID 3928
102: C:\Windows\SysWOW64\Kgfoan32.exe, cmdline C:\Windows\system32\Kgfoan32.exe, PID 5136
103: C:\Windows\SysWOW64\Lpocjdld.exe, cmdline C:\Windows\system32\Lpocjdld.exe, PID 5196
104: C:\Windows\SysWOW64\Ldkojb32.exe, cmdline C:\Windows\system32\Ldkojb32.exe, PID 5240
105: C:\Windows\SysWOW64\Lcmofolg.exe, cmdline C:\Windows\system32\Lcmofolg.exe, PID 5284
106: C:\Windows\SysWOW64\Lkdggmlj.exe, cmdline C:\Windows\system32\Lkdggmlj.exe, PID 5352
107: C:\Windows\SysWOW64\Lmccchkn.exe, cmdline C:\Windows\system32\Lmccchkn.exe, PID 5400
108: C:\Windows\SysWOW64\Lpappc32.exe, cmdline C:\Windows\system32\Lpappc32.exe, PID 5472
109: C:\Windows\SysWOW64\Lgkhlnbn.exe, cmdline C:\Windows\system32\Lgkhlnbn.exe, PID 5520
110: C:\Windows\SysWOW64\Lijdhiaa.exe, cmdline C:\Windows\system32\Lijdhiaa.exe, PID 5564
111: C:\Windows\SysWOW64\Laalifad.exe, cmdline C:\Windows\system32\Laalifad.exe, PID 5640 - Drops file in System32 directory
112: C:\Windows\SysWOW64\Ldohebqh.exe, cmdline C:\Windows\system32\Ldohebqh.exe, PID 5708
113: C:\Windows\SysWOW64\Lgneampk.exe, cmdline C:\Windows\system32\Lgneampk.exe, PID 5756 - Modifies registry class
114: C:\Windows\SysWOW64\Lkiqbl32.exe, cmdline C:\Windows\system32\Lkiqbl32.exe, PID 5808
115: C:\Windows\SysWOW64\Laciofpa.exe, cmdline C:\Windows\system32\Laciofpa.exe, PID 5852
116: C:\Windows\SysWOW64\Lpfijcfl.exe, cmdline C:\Windows\system32\Lpfijcfl.exe, PID 5892 - Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
117: C:\Windows\SysWOW64\Lcdegnep.exe, cmdline C:\Windows\system32\Lcdegnep.exe, PID 5932
118: C:\Windows\SysWOW64\Lgpagm32.exe, cmdline C:\Windows\system32\Lgpagm32.exe, PID 5984
119: C:\Windows\SysWOW64\Laefdf32.exe, cmdline C:\Windows\system32\Laefdf32.exe, PID 6040
120: C:\Windows\SysWOW64\Lddbqa32.exe, cmdline C:\Windows\system32\Lddbqa32.exe, PID 6084
121: C:\Windows\SysWOW64\Mpkbebbf.exe, cmdline C:\Windows\system32\Mpkbebbf.exe, PID 6128
122: C:\Windows\SysWOW64\Mgekbljc.exe, cmdline C:\Windows\system32\Mgekbljc.exe, PID 5180
123: C:\Windows\SysWOW64\Mjcgohig.exe, cmdline C:\Windows\system32\Mjcgohig.exe, PID 5232
124: C:\Windows\SysWOW64\Mdiklqhm.exe, cmdline C:\Windows\system32\Mdiklqhm.exe, PID 5336
125: C:\Windows\SysWOW64\Mgghhlhq.exe, cmdline C:\Windows\system32\Mgghhlhq.exe, PID 5412 - Drops file in System32 directory
126: C:\Windows\SysWOW64\Mnapdf32.exe, cmdline C:\Windows\system32\Mnapdf32.exe, PID 5512
127: C:\Windows\SysWOW64\Mpolqa32.exe, cmdline C:\Windows\system32\Mpolqa32.exe, PID 5556
128: C:\Windows\SysWOW64\Mcnhmm32.exe, cmdline C:\Windows\system32\Mcnhmm32.exe, PID 5696
129: C:\Windows\SysWOW64\Mkepnjng.exe, cmdline C:\Windows\system32\Mkepnjng.exe, PID 5788
130: C:\Windows\SysWOW64\Maohkd32.exe, cmdline C:\Windows\system32\Maohkd32.exe, PID 5860
131: C:\Windows\SysWOW64\Mcpebmkb.exe, cmdline C:\Windows\system32\Mcpebmkb.exe, PID 5944
132: C:\Windows\SysWOW64\Mjjmog32.exe, cmdline C:\Windows\system32\Mjjmog32.exe, PID 6004
133: C:\Windows\SysWOW64\Maaepd32.exe, cmdline C:\Windows\system32\Maaepd32.exe, PID 6072
134: C:\Windows\SysWOW64\Mdpalp32.exe, cmdline C:\Windows\system32\Mdpalp32.exe, PID 5148
135: C:\Windows\SysWOW64\Nkjjij32.exe, cmdline C:\Windows\system32\Nkjjij32.exe, PID 5272
136: C:\Windows\SysWOW64\Nacbfdao.exe, cmdline C:\Windows\system32\Nacbfdao.exe, PID 5396
137: C:\Windows\SysWOW64\Ndbnboqb.exe, cmdline C:\Windows\system32\Ndbnboqb.exe, PID 5544
138: C:\Windows\SysWOW64\Ngpjnkpf.exe, cmdline C:\Windows\system32\Ngpjnkpf.exe, PID 5736
139: C:\Windows\SysWOW64\Njogjfoj.exe, cmdline C:\Windows\system32\Njogjfoj.exe, PID 5840
140: C:\Windows\SysWOW64\Nqiogp32.exe, cmdline C:\Windows\system32\Nqiogp32.exe, PID 5976
141: C:\Windows\SysWOW64\Ncgkcl32.exe, cmdline C:\Windows\system32\Ncgkcl32.exe, PID 6092
142: C:\Windows\SysWOW64\Nkncdifl.exe, cmdline C:\Windows\system32\Nkncdifl.exe, PID 5128
143: C:\Windows\SysWOW64\Nnmopdep.exe, cmdline C:\Windows\system32\Nnmopdep.exe, PID 5384
144: C:\Windows\SysWOW64\Nqklmpdd.exe, cmdline C:\Windows\system32\Nqklmpdd.exe, PID 5704
145: C:\Windows\SysWOW64\Ncihikcg.exe, cmdline C:\Windows\system32\Ncihikcg.exe, PID 5928
146: C:\Windows\SysWOW64\Nkqpjidj.exe, cmdline C:\Windows\system32\Nkqpjidj.exe, PID 6120
147: C:\Windows\SysWOW64\Nnolfdcn.exe, cmdline C:\Windows\system32\Nnolfdcn.exe, PID 6124 - Modifies registry class
148: C:\Windows\SysWOW64\Nggqoj32.exe, cmdline C:\Windows\system32\Nggqoj32.exe, PID 5948
149: C:\Windows\SysWOW64\Nbmelbid.exe, cmdline C:\Windows\system32\Nbmelbid.exe, PID 6048
150: C:\Windows\SysWOW64\Ndkahnhh.exe, cmdline C:\Windows\system32\Ndkahnhh.exe, PID 5540
151: C:\Windows\SysWOW64\Ogjmdigk.exe, cmdline C:\Windows\system32\Ogjmdigk.exe, PID 5248
152: C:\Windows\SysWOW64\Okeieh32.exe, cmdline C:\Windows\system32\Okeieh32.exe, PID 6068
153: C:\Windows\SysWOW64\Ondeac32.exe, cmdline C:\Windows\system32\Ondeac32.exe, PID 6180
154: C:\Windows\SysWOW64\Odnnnnfe.exe, cmdline C:\Windows\system32\Odnnnnfe.exe, PID 6224
155: C:\Windows\SysWOW64\Ogljjiei.exe, cmdline C:\Windows\system32\Ogljjiei.exe, PID 6264
156: C:\Windows\SysWOW64\Onfbfc32.exe, cmdline C:\Windows\system32\Onfbfc32.exe, PID 6304
157: C:\Windows\SysWOW64\Obangb32.exe, cmdline C:\Windows\system32\Obangb32.exe, PID 6348
158: C:\Windows\SysWOW64\Occkojkm.exe, cmdline C:\Windows\system32\Occkojkm.exe, PID 6392
159: C:\Windows\SysWOW64\Okjbpglo.exe, cmdline C:\Windows\system32\Okjbpglo.exe, PID 6436
160: C:\Windows\SysWOW64\Odbgim32.exe, cmdline C:\Windows\system32\Odbgim32.exe, PID 6476
161: C:\Windows\SysWOW64\Ocegdjij.exe, cmdline C:\Windows\system32\Ocegdjij.exe, PID 6520
162: C:\Windows\SysWOW64\Ojopad32.exe, cmdline C:\Windows\system32\Ojopad32.exe, PID 6560
163: C:\Windows\SysWOW64\Onklabip.exe, cmdline C:\Windows\system32\Onklabip.exe, PID 6600
164: C:\Windows\SysWOW64\Oqihnn32.exe, cmdline C:\Windows\system32\Oqihnn32.exe, PID 6640
165: C:\Windows\SysWOW64\Odednmpm.exe, cmdline C:\Windows\system32\Odednmpm.exe, PID 6680
166: C:\Windows\SysWOW64\Ogcpjhoq.exe, cmdline C:\Windows\system32\Ogcpjhoq.exe, PID 6720
167: C:\Windows\SysWOW64\Onmhgb32.exe, cmdline C:\Windows\system32\Onmhgb32.exe, PID 6760 - Modifies registry class
168: C:\Windows\SysWOW64\Pgemphmn.exe, cmdline C:\Windows\system32\Pgemphmn.exe, PID 6804
169: C:\Windows\SysWOW64\Pkaiqf32.exe, cmdline C:\Windows\system32\Pkaiqf32.exe, PID 6844
170: C:\Windows\SysWOW64\Pnpemb32.exe, cmdline C:\Windows\system32\Pnpemb32.exe, PID 6892
171: C:\Windows\SysWOW64\Pqnaim32.exe, cmdline C:\Windows\system32\Pqnaim32.exe, PID 6932
172: C:\Windows\SysWOW64\Pclneicb.exe, cmdline C:\Windows\system32\Pclneicb.exe, PID 6972
173: C:\Windows\SysWOW64\Pkceffcd.exe, cmdline C:\Windows\system32\Pkceffcd.exe, PID 7016
174: C:\Windows\SysWOW64\Pnbbbabh.exe, cmdline C:\Windows\system32\Pnbbbabh.exe, PID 7060
175: C:\Windows\SysWOW64\Peljol32.exe, cmdline C:\Windows\system32\Peljol32.exe, PID 7104
176: C:\Windows\SysWOW64\Pkfblfab.exe, cmdline C:\Windows\system32\Pkfblfab.exe, PID 7148 - Adds autorun key to be loaded by Explorer.exe on startup
177: C:\Windows\SysWOW64\Pndohaqe.exe, cmdline C:\Windows\system32\Pndohaqe.exe, PID 5848 - Drops file in System32 directory
178: C:\Windows\SysWOW64\Pengdk32.exe, cmdline C:\Windows\system32\Pengdk32.exe, PID 6232
179: C:\Windows\SysWOW64\Pgmcqggf.exe, cmdline C:\Windows\system32\Pgmcqggf.exe, PID 6292
180: C:\Windows\SysWOW64\Pkhoae32.exe, cmdline C:\Windows\system32\Pkhoae32.exe, PID 6356
181: C:\Windows\SysWOW64\Pbbgnpgl.exe, cmdline C:\Windows\system32\Pbbgnpgl.exe, PID 6424
182: C:\Windows\SysWOW64\Pcccfh32.exe, cmdline C:\Windows\system32\Pcccfh32.exe, PID 6488
183: C:\Windows\SysWOW64\Pgopffec.exe, cmdline C:\Windows\system32\Pgopffec.exe, PID 6568
184: C:\Windows\SysWOW64\Pjmlbbdg.exe, cmdline C:\Windows\system32\Pjmlbbdg.exe, PID 6632
185: C:\Windows\SysWOW64\Pagdol32.exe, cmdline C:\Windows\system32\Pagdol32.exe, PID 6712
186: C:\Windows\SysWOW64\Qecppkdm.exe, cmdline C:\Windows\system32\Qecppkdm.exe, PID 6780
187: C:\Windows\SysWOW64\Qjpiha32.exe, cmdline C:\Windows\system32\Qjpiha32.exe, PID 6832
188: C:\Windows\SysWOW64\Qbgqio32.exe, cmdline C:\Windows\system32\Qbgqio32.exe, PID 6916
189: C:\Windows\SysWOW64\Qeemej32.exe, cmdline C:\Windows\system32\Qeemej32.exe, PID 6996
190: C:\Windows\SysWOW64\Qgciaf32.exe, cmdline C:\Windows\system32\Qgciaf32.exe, PID 7092
191: C:\Windows\SysWOW64\Qbimoo32.exe, cmdline C:\Windows\system32\Qbimoo32.exe, PID 6060
192: C:\Windows\SysWOW64\Acjjfggb.exe, cmdline C:\Windows\system32\Acjjfggb.exe, PID 6172
193: C:\Windows\SysWOW64\Ajdbcano.exe, cmdline C:\Windows\system32\Ajdbcano.exe, PID 6336
194: C:\Windows\SysWOW64\Aanjpk32.exe, cmdline C:\Windows\system32\Aanjpk32.exe, PID 6400
195: C:\Windows\SysWOW64\Acmflf32.exe, cmdline C:\Windows\system32\Acmflf32.exe, PID 6552
196: C:\Windows\SysWOW64\Abngjnmo.exe, cmdline C:\Windows\system32\Abngjnmo.exe, PID 6636
197: C:\Windows\SysWOW64\Aelcfilb.exe, cmdline C:\Windows\system32\Aelcfilb.exe, PID 6768 - Modifies registry class
198: C:\Windows\SysWOW64\Ajiknpjj.exe, cmdline C:\Windows\system32\Ajiknpjj.exe, PID 6840 - Modifies registry class
199: C:\Windows\SysWOW64\Abpcon32.exe, cmdline C:\Windows\system32\Abpcon32.exe, PID 7012
200: C:\Windows\SysWOW64\Adapgfqj.exe, cmdline C:\Windows\system32\Adapgfqj.exe, PID 5628
201: C:\Windows\SysWOW64\Alhhhcal.exe, cmdline C:\Windows\system32\Alhhhcal.exe, PID 7156
202: C:\Windows\SysWOW64\Adcmmeog.exe, cmdline C:\Windows\system32\Adcmmeog.exe, PID 6256
203: C:\Windows\SysWOW64\Ajneip32.exe, cmdline C:\Windows\system32\Ajneip32.exe, PID 6404
204: C:\Windows\SysWOW64\Abemjmgg.exe, cmdline C:\Windows\system32\Abemjmgg.exe, PID 6608
205: C:\Windows\SysWOW64\Becifhfj.exe, cmdline C:\Windows\system32\Becifhfj.exe, PID 2968
206: C:\Windows\SysWOW64\Bhaebcen.exe, cmdline C:\Windows\system32\Bhaebcen.exe, PID 7004
207: C:\Windows\SysWOW64\Bbgipldd.exe, cmdline C:\Windows\system32\Bbgipldd.exe, PID 2964
208: C:\Windows\SysWOW64\Beeflhdh.exe, cmdline C:\Windows\system32\Beeflhdh.exe, PID 4208
209: C:\Windows\SysWOW64\Bhdbhcck.exe, cmdline C:\Windows\system32\Bhdbhcck.exe, PID 6472
210: C:\Windows\SysWOW64\Bjbndobo.exe, cmdline C:\Windows\system32\Bjbndobo.exe, PID 6728
211: C:\Windows\SysWOW64\Bbifelba.exe, cmdline C:\Windows\system32\Bbifelba.exe, PID 7048
212: C:\Windows\SysWOW64\Bopgjmhe.exe, cmdline C:\Windows\system32\Bopgjmhe.exe, PID 6188
213: C:\Windows\SysWOW64\Bejogg32.exe, cmdline C:\Windows\system32\Bejogg32.exe, PID 6548
214: C:\Windows\SysWOW64\Bhikcb32.exe, cmdline C:\Windows\system32\Bhikcb32.exe, PID 7112
215: C:\Windows\SysWOW64\Bjghpn32.exe, cmdline C:\Windows\system32\Bjghpn32.exe, PID 6772
216: C:\Windows\SysWOW64\Baaplhef.exe, cmdline C:\Windows\system32\Baaplhef.exe, PID 6536
217: C:\Windows\SysWOW64\Blfdia32.exe, cmdline C:\Windows\system32\Blfdia32.exe, PID 6700 - Drops file in System32 directory
218: C:\Windows\SysWOW64\Cbqlfkmi.exe, cmdline C:\Windows\system32\Cbqlfkmi.exe, PID 7180
219: C:\Windows\SysWOW64\Ceoibflm.exe, cmdline C:\Windows\system32\Ceoibflm.exe, PID 7220
220: C:\Windows\SysWOW64\Cogmkl32.exe, cmdline C:\Windows\system32\Cogmkl32.exe, PID 7260
221: C:\Windows\SysWOW64\Ceaehfjj.exe, cmdline C:\Windows\system32\Ceaehfjj.exe, PID 7300
222: C:\Windows\SysWOW64\Chpada32.exe, cmdline C:\Windows\system32\Chpada32.exe, PID 7344
223: C:\Windows\SysWOW64\Cojjqlpk.exe, cmdline C:\Windows\system32\Cojjqlpk.exe, PID 7388
224: C:\Windows\SysWOW64\Clnjjpod.exe, cmdline C:\Windows\system32\Clnjjpod.exe, PID 7428
225: C:\Windows\SysWOW64\Cajcbgml.exe, cmdline C:\Windows\system32\Cajcbgml.exe, PID 7480 - Modifies registry class
226: C:\Windows\SysWOW64\Chdkoa32.exe, cmdline C:\Windows\system32\Chdkoa32.exe, PID 7524
227: C:\Windows\SysWOW64\Conclk32.exe, cmdline C:\Windows\system32\Conclk32.exe, PID 7568
228: C:\Windows\SysWOW64\Cehkhecb.exe, cmdline C:\Windows\system32\Cehkhecb.exe, PID 7604
229: C:\Windows\SysWOW64\Chghdqbf.exe, cmdline C:\Windows\system32\Chghdqbf.exe, PID 7656
230: C:\Windows\SysWOW64\Doqpak32.exe, cmdline C:\Windows\system32\Doqpak32.exe, PID 7696
231: C:\Windows\SysWOW64\Daolnf32.exe, cmdline C:\Windows\system32\Daolnf32.exe, PID 7740
232: C:\Windows\SysWOW64\Dldpkoil.exe, cmdline C:\Windows\system32\Dldpkoil.exe, PID 7784
233: C:\Windows\SysWOW64\Dboigi32.exe, cmdline C:\Windows\system32\Dboigi32.exe, PID 7824
234: C:\Windows\SysWOW64\Dlgmpogj.exe, cmdline C:\Windows\system32\Dlgmpogj.exe, PID 7868
235: C:\Windows\SysWOW64\Dlijfneg.exe, cmdline C:\Windows\system32\Dlijfneg.exe, PID 7912
236: C:\Windows\SysWOW64\Dafbne32.exe, cmdline C:\Windows\system32\Dafbne32.exe, PID 7956
237: C:\Windows\SysWOW64\Dddojq32.exe, cmdline C:\Windows\system32\Dddojq32.exe, PID 7996
238: C:\Windows\SysWOW64\Dllfkn32.exe, cmdline C:\Windows\system32\Dllfkn32.exe, PID 8044
239: C:\Windows\SysWOW64\Ddgkpp32.exe, cmdline C:\Windows\system32\Ddgkpp32.exe, PID 8080
240: C:\Windows\SysWOW64\Dlncan32.exe, cmdline C:\Windows\system32\Dlncan32.exe, PID 8132
241: C:\Windows\SysWOW64\Eolpmi32.exe, cmdline C:\Windows\system32\Eolpmi32.exe, PID 8172
242: C:\Windows\SysWOW64\Eaklidoi.exe, cmdline C:\Windows\system32\Eaklidoi.exe, PID 7192