Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
30-05-2024 15:28
Behavioral task
behavioral1
Sample
e6971b7d5c0b0ebe5c21d5ef20f2c030_NeikiAnalytics.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
e6971b7d5c0b0ebe5c21d5ef20f2c030_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
e6971b7d5c0b0ebe5c21d5ef20f2c030_NeikiAnalytics.exe
-
Size
368KB
-
MD5
e6971b7d5c0b0ebe5c21d5ef20f2c030
-
SHA1
9d16e61138cbae4521b359c76c6318c2101c42eb
-
SHA256
47c49522a2e877bfc216b3ab6c0654cf8e1d29d8ea35e05fd589c0e2e1676504
-
SHA512
32cd0d1dc4d1d342e3ee0fb0f909eb8721688435cc6b63564394b3fbb72ee2874a01fbf0e4e1b0d3bcc2f2db4a260a707e4a27a2df3a927dcfcd9eb4397da8c1
-
SSDEEP
6144:sdc4fEePmwUE4f9FIUpOVw86CmOJfTo9FIUIhrcflDMxy9FIUpOVw86CmOJfTo9t:NBUmwaAD6RrI1+lDMEAD6Rr2NWL
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Plcdiabk.exeMjhqjg32.exeJbiejoaj.exePakllc32.exeHckeoeno.exeHkbmqb32.exeDbbffdlq.exeDfpgffpm.exeGbmingjo.exeHpjmnjqn.exeIggjga32.exeFhgbhfbe.exeMmnhcb32.exeHibafp32.exeBchomn32.exeCbbnpg32.exePqmjog32.exeEepjpb32.exeMibpda32.exeMcpnhfhf.exeBljlfh32.exeEbhglj32.exeEekaebcm.exeMiifeq32.exeNphhmj32.exeElnoopdj.exeJqknkedi.exeCecbmf32.exeIggaah32.exeElbhjp32.exeQemhbj32.exeFhflnpoi.exePgkelj32.exeHplicjok.exeChjaol32.exeCenahpha.exeBoipmj32.exeBmofagfp.exeLdgccb32.exeDheibpje.exeMgddhf32.exeBfkedibe.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Plcdiabk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mjhqjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jbiejoaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pakllc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hckeoeno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hkbmqb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbbffdlq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dfpgffpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbmingjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hpjmnjqn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iggjga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fhgbhfbe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkbmqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mmnhcb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hibafp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bchomn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cbbnpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqmjog32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eepjpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mibpda32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcpnhfhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bljlfh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebhglj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eekaebcm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Miifeq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nphhmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Elnoopdj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqknkedi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cecbmf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iggaah32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elbhjp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qemhbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fhflnpoi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgkelj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hplicjok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Chjaol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cenahpha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Boipmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bmofagfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ldgccb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dheibpje.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mgddhf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bfkedibe.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Processes:
resource yara_rule C:\Windows\SysWOW64\Kgbefoji.exe family_berbew C:\Windows\SysWOW64\Kcifkp32.exe family_berbew C:\Windows\SysWOW64\Kibnhjgj.exe family_berbew C:\Windows\SysWOW64\Kmnjhioc.exe family_berbew C:\Windows\SysWOW64\Kpmfddnf.exe family_berbew C:\Windows\SysWOW64\Lcmofolg.exe family_berbew C:\Windows\SysWOW64\Lkdggmlj.exe family_berbew C:\Windows\SysWOW64\Lijdhiaa.exe family_berbew C:\Windows\SysWOW64\Ldohebqh.exe family_berbew C:\Windows\SysWOW64\Laciofpa.exe family_berbew C:\Windows\SysWOW64\Ldaeka32.exe family_berbew C:\Windows\SysWOW64\Ljnnch32.exe family_berbew C:\Windows\SysWOW64\Lgbnmm32.exe family_berbew C:\Windows\SysWOW64\Mahbje32.exe family_berbew C:\Windows\SysWOW64\Mgekbljc.exe family_berbew C:\Windows\SysWOW64\Mdiklqhm.exe family_berbew C:\Windows\SysWOW64\Mkbchk32.exe family_berbew C:\Windows\SysWOW64\Mamleegg.exe family_berbew C:\Windows\SysWOW64\Mjhqjg32.exe family_berbew C:\Windows\SysWOW64\Mcpebmkb.exe family_berbew C:\Windows\SysWOW64\Mnfipekh.exe family_berbew C:\Windows\SysWOW64\Mcbahlip.exe family_berbew C:\Windows\SysWOW64\Njljefql.exe family_berbew C:\Windows\SysWOW64\Ngpjnkpf.exe family_berbew C:\Windows\SysWOW64\Njogjfoj.exe family_berbew C:\Windows\SysWOW64\Nqiogp32.exe family_berbew C:\Windows\SysWOW64\Ncgkcl32.exe family_berbew C:\Windows\SysWOW64\Ncihikcg.exe family_berbew C:\Windows\SysWOW64\Nbkhfc32.exe family_berbew C:\Windows\SysWOW64\Nggqoj32.exe family_berbew C:\Windows\SysWOW64\Nbmelbid.exe family_berbew C:\Windows\SysWOW64\Ogjmdigk.exe family_berbew C:\Windows\SysWOW64\Odpjcm32.exe family_berbew C:\Windows\SysWOW64\Qkmhlekj.exe family_berbew C:\Windows\SysWOW64\Acjjfggb.exe family_berbew C:\Windows\SysWOW64\Abngjnmo.exe family_berbew C:\Windows\SysWOW64\Bjpaooda.exe family_berbew C:\Windows\SysWOW64\Cknnpm32.exe family_berbew C:\Windows\SysWOW64\Clbceo32.exe family_berbew C:\Windows\SysWOW64\Dhkapp32.exe family_berbew C:\Windows\SysWOW64\Dojcgi32.exe family_berbew C:\Windows\SysWOW64\Ecmeig32.exe family_berbew C:\Windows\SysWOW64\Fchddejl.exe family_berbew C:\Windows\SysWOW64\Ffimfqgm.exe family_berbew C:\Windows\SysWOW64\Gododflk.exe family_berbew C:\Windows\SysWOW64\Gdcdbl32.exe family_berbew C:\Windows\SysWOW64\Gmlhii32.exe family_berbew C:\Windows\SysWOW64\Hiefcj32.exe family_berbew C:\Windows\SysWOW64\Immapg32.exe family_berbew C:\Windows\SysWOW64\Ildkgc32.exe family_berbew C:\Windows\SysWOW64\Jlkagbej.exe family_berbew C:\Windows\SysWOW64\Jefbfgig.exe family_berbew C:\Windows\SysWOW64\Jbjcolha.exe family_berbew C:\Windows\SysWOW64\Jmpgldhg.exe family_berbew C:\Windows\SysWOW64\Kbceejpf.exe family_berbew C:\Windows\SysWOW64\Kmncnb32.exe family_berbew C:\Windows\SysWOW64\Liimncmf.exe family_berbew C:\Windows\SysWOW64\Mdhdajea.exe family_berbew C:\Windows\SysWOW64\Mlhbal32.exe family_berbew C:\Windows\SysWOW64\Ngmgne32.exe family_berbew C:\Windows\SysWOW64\Ocnjidkf.exe family_berbew C:\Windows\SysWOW64\Ofnckp32.exe family_berbew C:\Windows\SysWOW64\Odapnf32.exe family_berbew C:\Windows\SysWOW64\Pqdqof32.exe family_berbew -
Executes dropped EXE 64 IoCs
Processes:
Kgbefoji.exeKcifkp32.exeKibnhjgj.exeKmnjhioc.exeKpmfddnf.exeLcmofolg.exeLkdggmlj.exeLijdhiaa.exeLdohebqh.exeLaciofpa.exeLdaeka32.exeLjnnch32.exeLgbnmm32.exeMahbje32.exeMgekbljc.exeMdiklqhm.exeMkbchk32.exeMamleegg.exeMjhqjg32.exeMcpebmkb.exeMnfipekh.exeMcbahlip.exeNjljefql.exeNgpjnkpf.exeNjogjfoj.exeNqiogp32.exeNcgkcl32.exeNcihikcg.exeNbkhfc32.exeNggqoj32.exeNbmelbid.exeOgjmdigk.exeOndeac32.exeOdnnnnfe.exeOgljjiei.exeOjjffddl.exeOdpjcm32.exeOjmcld32.exeOqgkhnjf.exeOcegdjij.exeOnklabip.exeObfhba32.exeOcgdji32.exeOjalgcnd.exeOnmhgb32.exeOdgqdlnj.exePcjapi32.exePjdilcla.exePqnaim32.exePeimil32.exePkceffcd.exePnbbbabh.exePqpnombl.exePcojkhap.exePjhbgb32.exePbpjhp32.exePengdk32.exePjkombfj.exePbbgnpgl.exePeqcjkfp.exePkjlge32.exePnihcq32.exePagdol32.exeQcepkg32.exepid process 3560 Kgbefoji.exe 4000 Kcifkp32.exe 2992 Kibnhjgj.exe 2096 Kmnjhioc.exe 1892 Kpmfddnf.exe 4836 Lcmofolg.exe 3324 Lkdggmlj.exe 100 Lijdhiaa.exe 3668 Ldohebqh.exe 1108 Laciofpa.exe 3492 Ldaeka32.exe 3956 Ljnnch32.exe 4036 Lgbnmm32.exe 4116 Mahbje32.exe 716 Mgekbljc.exe 3688 Mdiklqhm.exe 432 Mkbchk32.exe 3028 Mamleegg.exe 3680 Mjhqjg32.exe 1428 Mcpebmkb.exe 4848 Mnfipekh.exe 4352 Mcbahlip.exe 2204 Njljefql.exe 4176 Ngpjnkpf.exe 2080 Njogjfoj.exe 1992 Nqiogp32.exe 4004 Ncgkcl32.exe 2400 Ncihikcg.exe 4500 Nbkhfc32.exe 400 Nggqoj32.exe 1068 Nbmelbid.exe 5088 Ogjmdigk.exe 4928 Ondeac32.exe 4088 Odnnnnfe.exe 5024 Ogljjiei.exe 4796 Ojjffddl.exe 3508 Odpjcm32.exe 4828 Ojmcld32.exe 3912 Oqgkhnjf.exe 1240 Ocegdjij.exe 1712 Onklabip.exe 2588 Obfhba32.exe 3440 Ocgdji32.exe 1576 Ojalgcnd.exe 4040 Onmhgb32.exe 4360 Odgqdlnj.exe 1388 Pcjapi32.exe 1664 Pjdilcla.exe 2008 Pqnaim32.exe 3556 Peimil32.exe 2836 Pkceffcd.exe 1692 Pnbbbabh.exe 680 Pqpnombl.exe 700 Pcojkhap.exe 1928 Pjhbgb32.exe 1616 Pbpjhp32.exe 3916 Pengdk32.exe 2620 Pjkombfj.exe 4912 Pbbgnpgl.exe 3640 Peqcjkfp.exe 4228 Pkjlge32.exe 4644 Pnihcq32.exe 1788 Pagdol32.exe 840 Qcepkg32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Cehkhecb.exeKihnmohm.exeJkhgmf32.exeGikkfqmf.exeAbngjnmo.exeEemnjbaj.exeIbcmom32.exeBkjiao32.exeDhlpqc32.exeCnindhpg.exeEmmdom32.exeJedeph32.exePgbbek32.exeHgkkkcbc.exeAjhddjfn.exeJehhaaci.exeKbmoen32.exeGpqjglii.exee6971b7d5c0b0ebe5c21d5ef20f2c030_NeikiAnalytics.exeNeeqea32.exeDhocqigp.exeHdicienl.exeKldmckic.exeBogcgj32.exeDlncan32.exeLekehdgp.exeLgokmgjm.exeJdmgfedl.exeNcihikcg.exeGdcdbl32.exeFhgbhfbe.exeJngjch32.exeIggaah32.exeBhbcfbjk.exeQkmhlekj.exeBlbknaib.exeAcqimo32.exeLjfhqh32.exeOqhacgdh.exeDfoiaj32.exedescription ioc process File opened for modification C:\Windows\SysWOW64\Clbceo32.exe Cehkhecb.exe File opened for modification C:\Windows\SysWOW64\Kpbfii32.exe Kihnmohm.exe File opened for modification C:\Windows\SysWOW64\Jqdoem32.exe Jkhgmf32.exe File created C:\Windows\SysWOW64\Gpecbk32.exe Gikkfqmf.exe File created C:\Windows\SysWOW64\Nbnlaldg.exe File created C:\Windows\SysWOW64\Aahamf32.dll Abngjnmo.exe File opened for modification C:\Windows\SysWOW64\Ehljfnpn.exe Eemnjbaj.exe File opened for modification C:\Windows\SysWOW64\Jeaikh32.exe Ibcmom32.exe File opened for modification C:\Windows\SysWOW64\Eohmkb32.exe File created C:\Windows\SysWOW64\Ngckdnpn.dll File opened for modification C:\Windows\SysWOW64\Badanigc.exe Bkjiao32.exe File created C:\Windows\SysWOW64\Dohjem32.dll File opened for modification C:\Windows\SysWOW64\Bgpcliao.exe File created C:\Windows\SysWOW64\Ednhgjia.dll Dhlpqc32.exe File opened for modification C:\Windows\SysWOW64\Cdbfab32.exe Cnindhpg.exe File opened for modification C:\Windows\SysWOW64\Ennqfenp.exe Emmdom32.exe File created C:\Windows\SysWOW64\Cefofm32.dll Jedeph32.exe File created C:\Windows\SysWOW64\Moefhk32.dll Pgbbek32.exe File opened for modification C:\Windows\SysWOW64\Hmechmip.exe Hgkkkcbc.exe File created C:\Windows\SysWOW64\Fbjena32.exe File created C:\Windows\SysWOW64\Bohgljdl.dll File created C:\Windows\SysWOW64\Idnljnaa.dll Ajhddjfn.exe File created C:\Windows\SysWOW64\Jblijebc.exe Jehhaaci.exe File opened for modification C:\Windows\SysWOW64\Kqpoakco.exe Kbmoen32.exe File opened for modification C:\Windows\SysWOW64\Gfkbde32.exe Gpqjglii.exe File created C:\Windows\SysWOW64\Didmdo32.dll File created C:\Windows\SysWOW64\Kgbefoji.exe e6971b7d5c0b0ebe5c21d5ef20f2c030_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\Jepjhg32.exe File opened for modification C:\Windows\SysWOW64\Nloiakho.exe Neeqea32.exe File created C:\Windows\SysWOW64\Nokpao32.dll Dhocqigp.exe File created C:\Windows\SysWOW64\Hoogfnnb.exe Hdicienl.exe File created C:\Windows\SysWOW64\Iinjhh32.exe File opened for modification C:\Windows\SysWOW64\Adgmoigj.exe File opened for modification C:\Windows\SysWOW64\Kihnmohm.exe Kldmckic.exe File opened for modification C:\Windows\SysWOW64\Bjlgdc32.exe Bogcgj32.exe File opened for modification C:\Windows\SysWOW64\Aaldccip.exe File created C:\Windows\SysWOW64\Clbidkde.dll File created C:\Windows\SysWOW64\Flnakb32.dll Dlncan32.exe File opened for modification C:\Windows\SysWOW64\Lmbmibhb.exe Lekehdgp.exe File created C:\Windows\SysWOW64\Lmiciaaj.exe Lgokmgjm.exe File created C:\Windows\SysWOW64\Jkgpbp32.exe Jdmgfedl.exe File created C:\Windows\SysWOW64\Bfkbfd32.exe File opened for modification C:\Windows\SysWOW64\Hnlodjpa.exe File created C:\Windows\SysWOW64\Kemooo32.exe File opened for modification C:\Windows\SysWOW64\Mhoahh32.exe File created C:\Windows\SysWOW64\Nbkhfc32.exe Ncihikcg.exe File opened for modification C:\Windows\SysWOW64\Gohhpe32.exe Gdcdbl32.exe File opened for modification C:\Windows\SysWOW64\Fkeodaai.exe Fhgbhfbe.exe File created C:\Windows\SysWOW64\Iidphgcn.exe File created C:\Windows\SysWOW64\Mnegbp32.exe File created C:\Windows\SysWOW64\Hjdipffl.dll Jngjch32.exe File opened for modification C:\Windows\SysWOW64\Ijfnmc32.exe Iggaah32.exe File created C:\Windows\SysWOW64\Bomkcm32.exe Bhbcfbjk.exe File created C:\Windows\SysWOW64\Qjhbfd32.exe File created C:\Windows\SysWOW64\Obhehh32.dll File opened for modification C:\Windows\SysWOW64\Hpfbcn32.exe File created C:\Windows\SysWOW64\Qbgqio32.exe Qkmhlekj.exe File created C:\Windows\SysWOW64\Aneonqmj.dll Blbknaib.exe File created C:\Windows\SysWOW64\Afoeiklb.exe Acqimo32.exe File created C:\Windows\SysWOW64\Lmdemd32.exe Ljfhqh32.exe File created C:\Windows\SysWOW64\Hmkqgckn.dll File created C:\Windows\SysWOW64\Jfpbkoql.dll Oqhacgdh.exe File opened for modification C:\Windows\SysWOW64\Dlkbjqgm.exe Dfoiaj32.exe File opened for modification C:\Windows\SysWOW64\Pnmopk32.exe -
Program crash 1 IoCs
Processes:
pid pid_target process target process 15352 14832 -
Modifies registry class 64 IoCs
Processes:
Fllpbldb.exeCmiflbel.exeEhfjah32.exeHkbmqb32.exeDbjkkl32.exeOnjegled.exeOhnebd32.exeOcgmpccl.exeOfqpqo32.exeAbngjnmo.exeGgcfja32.exeEdhakj32.exeKmkfhc32.exeKeqdmihc.exeCjecpkcg.exeNjljefql.exeGepmlimi.exeNlkngo32.exeMgobel32.exeEcoangbg.exeDlkbjqgm.exeLbpdblmo.exeLjclki32.exeOjdnid32.exeCenahpha.exeCjkjpgfi.exeGkaopp32.exeDocmgjhp.exeEoekia32.exeCefoce32.exeKpeiioac.exeGddbcp32.exeKmieae32.exeNlcalieg.exeLmiciaaj.exeOondnini.exeCioilg32.exeEoideh32.exeChmeobkq.exeHpfcdojl.exeHginecde.exeJklinohd.exeKmnjhioc.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fllpbldb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cmiflbel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdmoejcc.dll" Ehfjah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kideagnd.dll" Hkbmqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdpoomj.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dbjkkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpcoaap.dll" Onjegled.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ohnebd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnhekleo.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmcdaagm.dll" Ocgmpccl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clbcapmm.dll" Ofqpqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Abngjnmo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ggcfja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpefcn32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdmpmdpj.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekbngp32.dll" Edhakj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kmkfhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Keqdmihc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cjecpkcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Njljefql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obnkfijp.dll" Gepmlimi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nlkngo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mgobel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcjfkm32.dll" Ecoangbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dlkbjqgm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lbpdblmo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ljclki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ojdnid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cenahpha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cjkjpgfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nholna32.dll" Gkaopp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Docmgjhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eoekia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejdofn32.dll" Cefoce32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kpeiioac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obncjbkf.dll" Gddbcp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kmieae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqnpfi32.dll" Nlcalieg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lmiciaaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jppadk32.dll" Oondnini.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cioilg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akcaoeoo.dll" Eoideh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndnljbeg.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Chmeobkq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecjfni32.dll" Hpfcdojl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hginecde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mckdpoji.dll" Jklinohd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdmn32.dll" Kmnjhioc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
e6971b7d5c0b0ebe5c21d5ef20f2c030_NeikiAnalytics.exeKgbefoji.exeKcifkp32.exeKibnhjgj.exeKmnjhioc.exeKpmfddnf.exeLcmofolg.exeLkdggmlj.exeLijdhiaa.exeLdohebqh.exeLaciofpa.exeLdaeka32.exeLjnnch32.exeLgbnmm32.exeMahbje32.exeMgekbljc.exeMdiklqhm.exeMkbchk32.exeMamleegg.exeMjhqjg32.exeMcpebmkb.exeMnfipekh.exedescription pid process target process PID 3020 wrote to memory of 3560 3020 e6971b7d5c0b0ebe5c21d5ef20f2c030_NeikiAnalytics.exe Kgbefoji.exe PID 3020 wrote to memory of 3560 3020 e6971b7d5c0b0ebe5c21d5ef20f2c030_NeikiAnalytics.exe Kgbefoji.exe PID 3020 wrote to memory of 3560 3020 e6971b7d5c0b0ebe5c21d5ef20f2c030_NeikiAnalytics.exe Kgbefoji.exe PID 3560 wrote to memory of 4000 3560 Kgbefoji.exe Kcifkp32.exe PID 3560 wrote to memory of 4000 3560 Kgbefoji.exe Kcifkp32.exe PID 3560 wrote to memory of 4000 3560 Kgbefoji.exe Kcifkp32.exe PID 4000 wrote to memory of 2992 4000 Kcifkp32.exe Kibnhjgj.exe PID 4000 wrote to memory of 2992 4000 Kcifkp32.exe Kibnhjgj.exe PID 4000 wrote to memory of 2992 4000 Kcifkp32.exe Kibnhjgj.exe PID 2992 wrote to memory of 2096 2992 Kibnhjgj.exe Kmnjhioc.exe PID 2992 wrote to memory of 2096 2992 Kibnhjgj.exe Kmnjhioc.exe PID 2992 wrote to memory of 2096 2992 Kibnhjgj.exe Kmnjhioc.exe PID 2096 wrote to memory of 1892 2096 Kmnjhioc.exe Kpmfddnf.exe PID 2096 wrote to memory of 1892 2096 Kmnjhioc.exe Kpmfddnf.exe PID 2096 wrote to memory of 1892 2096 Kmnjhioc.exe Kpmfddnf.exe PID 1892 wrote to memory of 4836 1892 Kpmfddnf.exe Lcmofolg.exe PID 1892 wrote to memory of 4836 1892 Kpmfddnf.exe Lcmofolg.exe PID 1892 wrote to memory of 4836 1892 Kpmfddnf.exe Lcmofolg.exe PID 4836 wrote to memory of 3324 4836 Lcmofolg.exe Lkdggmlj.exe PID 4836 wrote to memory of 3324 4836 Lcmofolg.exe Lkdggmlj.exe PID 4836 wrote to memory of 3324 4836 Lcmofolg.exe Lkdggmlj.exe PID 3324 wrote to memory of 100 3324 Lkdggmlj.exe Lijdhiaa.exe PID 3324 wrote to memory of 100 3324 Lkdggmlj.exe Lijdhiaa.exe PID 3324 wrote to memory of 100 3324 Lkdggmlj.exe Lijdhiaa.exe PID 100 wrote to memory of 3668 100 Lijdhiaa.exe Ldohebqh.exe PID 100 wrote to memory of 3668 100 Lijdhiaa.exe Ldohebqh.exe PID 100 wrote to memory of 3668 100 Lijdhiaa.exe Ldohebqh.exe PID 3668 wrote to memory of 1108 3668 Ldohebqh.exe Laciofpa.exe PID 3668 wrote to memory of 1108 3668 Ldohebqh.exe Laciofpa.exe PID 3668 wrote to memory of 1108 3668 Ldohebqh.exe Laciofpa.exe PID 1108 wrote to memory of 3492 1108 Laciofpa.exe Ldaeka32.exe PID 1108 wrote to memory of 3492 1108 Laciofpa.exe Ldaeka32.exe PID 1108 wrote to memory of 3492 1108 Laciofpa.exe Ldaeka32.exe PID 3492 wrote to memory of 3956 3492 Ldaeka32.exe Ljnnch32.exe PID 3492 wrote to memory of 3956 3492 Ldaeka32.exe Ljnnch32.exe PID 3492 wrote to memory of 3956 3492 Ldaeka32.exe Ljnnch32.exe PID 3956 wrote to memory of 4036 3956 Ljnnch32.exe Lgbnmm32.exe PID 3956 wrote to memory of 4036 3956 Ljnnch32.exe Lgbnmm32.exe PID 3956 wrote to memory of 4036 3956 Ljnnch32.exe Lgbnmm32.exe PID 4036 wrote to memory of 4116 4036 Lgbnmm32.exe Mahbje32.exe PID 4036 wrote to memory of 4116 4036 Lgbnmm32.exe Mahbje32.exe PID 4036 wrote to memory of 4116 4036 Lgbnmm32.exe Mahbje32.exe PID 4116 wrote to memory of 716 4116 Mahbje32.exe Mgekbljc.exe PID 4116 wrote to memory of 716 4116 Mahbje32.exe Mgekbljc.exe PID 4116 wrote to memory of 716 4116 Mahbje32.exe Mgekbljc.exe PID 716 wrote to memory of 3688 716 Mgekbljc.exe Mdiklqhm.exe PID 716 wrote to memory of 3688 716 Mgekbljc.exe Mdiklqhm.exe PID 716 wrote to memory of 3688 716 Mgekbljc.exe Mdiklqhm.exe PID 3688 wrote to memory of 432 3688 Mdiklqhm.exe Mkbchk32.exe PID 3688 wrote to memory of 432 3688 Mdiklqhm.exe Mkbchk32.exe PID 3688 wrote to memory of 432 3688 Mdiklqhm.exe Mkbchk32.exe PID 432 wrote to memory of 3028 432 Mkbchk32.exe Mamleegg.exe PID 432 wrote to memory of 3028 432 Mkbchk32.exe Mamleegg.exe PID 432 wrote to memory of 3028 432 Mkbchk32.exe Mamleegg.exe PID 3028 wrote to memory of 3680 3028 Mamleegg.exe Mjhqjg32.exe PID 3028 wrote to memory of 3680 3028 Mamleegg.exe Mjhqjg32.exe PID 3028 wrote to memory of 3680 3028 Mamleegg.exe Mjhqjg32.exe PID 3680 wrote to memory of 1428 3680 Mjhqjg32.exe Mcpebmkb.exe PID 3680 wrote to memory of 1428 3680 Mjhqjg32.exe Mcpebmkb.exe PID 3680 wrote to memory of 1428 3680 Mjhqjg32.exe Mcpebmkb.exe PID 1428 wrote to memory of 4848 1428 Mcpebmkb.exe Mnfipekh.exe PID 1428 wrote to memory of 4848 1428 Mcpebmkb.exe Mnfipekh.exe PID 1428 wrote to memory of 4848 1428 Mcpebmkb.exe Mnfipekh.exe PID 4848 wrote to memory of 4352 4848 Mnfipekh.exe Mcbahlip.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e6971b7d5c0b0ebe5c21d5ef20f2c030_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\e6971b7d5c0b0ebe5c21d5ef20f2c030_NeikiAnalytics.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\Kgbefoji.exeC:\Windows\system32\Kgbefoji.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3560 -
C:\Windows\SysWOW64\Kcifkp32.exeC:\Windows\system32\Kcifkp32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4000 -
C:\Windows\SysWOW64\Kibnhjgj.exeC:\Windows\system32\Kibnhjgj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Kmnjhioc.exeC:\Windows\system32\Kmnjhioc.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Kpmfddnf.exeC:\Windows\system32\Kpmfddnf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1892 -
C:\Windows\SysWOW64\Lcmofolg.exeC:\Windows\system32\Lcmofolg.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
C:\Windows\SysWOW64\Lkdggmlj.exeC:\Windows\system32\Lkdggmlj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3324 -
C:\Windows\SysWOW64\Lijdhiaa.exeC:\Windows\system32\Lijdhiaa.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:100 -
C:\Windows\SysWOW64\Ldohebqh.exeC:\Windows\system32\Ldohebqh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3668 -
C:\Windows\SysWOW64\Laciofpa.exeC:\Windows\system32\Laciofpa.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1108 -
C:\Windows\SysWOW64\Ldaeka32.exeC:\Windows\system32\Ldaeka32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3492 -
C:\Windows\SysWOW64\Ljnnch32.exeC:\Windows\system32\Ljnnch32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3956 -
C:\Windows\SysWOW64\Lgbnmm32.exeC:\Windows\system32\Lgbnmm32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4036 -
C:\Windows\SysWOW64\Mahbje32.exeC:\Windows\system32\Mahbje32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4116 -
C:\Windows\SysWOW64\Mgekbljc.exeC:\Windows\system32\Mgekbljc.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:716 -
C:\Windows\SysWOW64\Mdiklqhm.exeC:\Windows\system32\Mdiklqhm.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3688 -
C:\Windows\SysWOW64\Mkbchk32.exeC:\Windows\system32\Mkbchk32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:432 -
C:\Windows\SysWOW64\Mamleegg.exeC:\Windows\system32\Mamleegg.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\SysWOW64\Mjhqjg32.exeC:\Windows\system32\Mjhqjg32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3680 -
C:\Windows\SysWOW64\Mcpebmkb.exeC:\Windows\system32\Mcpebmkb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1428 -
C:\Windows\SysWOW64\Mnfipekh.exeC:\Windows\system32\Mnfipekh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
C:\Windows\SysWOW64\Mcbahlip.exeC:\Windows\system32\Mcbahlip.exe23⤵
- Executes dropped EXE
PID:4352 -
C:\Windows\SysWOW64\Njljefql.exeC:\Windows\system32\Njljefql.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:2204 -
C:\Windows\SysWOW64\Ngpjnkpf.exeC:\Windows\system32\Ngpjnkpf.exe25⤵
- Executes dropped EXE
PID:4176 -
C:\Windows\SysWOW64\Njogjfoj.exeC:\Windows\system32\Njogjfoj.exe26⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Nqiogp32.exeC:\Windows\system32\Nqiogp32.exe27⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Ncgkcl32.exeC:\Windows\system32\Ncgkcl32.exe28⤵
- Executes dropped EXE
PID:4004 -
C:\Windows\SysWOW64\Ncihikcg.exeC:\Windows\system32\Ncihikcg.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2400 -
C:\Windows\SysWOW64\Nbkhfc32.exeC:\Windows\system32\Nbkhfc32.exe30⤵
- Executes dropped EXE
PID:4500 -
C:\Windows\SysWOW64\Nggqoj32.exeC:\Windows\system32\Nggqoj32.exe31⤵
- Executes dropped EXE
PID:400 -
C:\Windows\SysWOW64\Nbmelbid.exeC:\Windows\system32\Nbmelbid.exe32⤵
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Ogjmdigk.exeC:\Windows\system32\Ogjmdigk.exe33⤵
- Executes dropped EXE
PID:5088 -
C:\Windows\SysWOW64\Ondeac32.exeC:\Windows\system32\Ondeac32.exe34⤵
- Executes dropped EXE
PID:4928 -
C:\Windows\SysWOW64\Odnnnnfe.exeC:\Windows\system32\Odnnnnfe.exe35⤵
- Executes dropped EXE
PID:4088 -
C:\Windows\SysWOW64\Ogljjiei.exeC:\Windows\system32\Ogljjiei.exe36⤵
- Executes dropped EXE
PID:5024 -
C:\Windows\SysWOW64\Ojjffddl.exeC:\Windows\system32\Ojjffddl.exe37⤵
- Executes dropped EXE
PID:4796 -
C:\Windows\SysWOW64\Odpjcm32.exeC:\Windows\system32\Odpjcm32.exe38⤵
- Executes dropped EXE
PID:3508 -
C:\Windows\SysWOW64\Ojmcld32.exeC:\Windows\system32\Ojmcld32.exe39⤵
- Executes dropped EXE
PID:4828 -
C:\Windows\SysWOW64\Oqgkhnjf.exeC:\Windows\system32\Oqgkhnjf.exe40⤵
- Executes dropped EXE
PID:3912 -
C:\Windows\SysWOW64\Ocegdjij.exeC:\Windows\system32\Ocegdjij.exe41⤵
- Executes dropped EXE
PID:1240 -
C:\Windows\SysWOW64\Onklabip.exeC:\Windows\system32\Onklabip.exe42⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Obfhba32.exeC:\Windows\system32\Obfhba32.exe43⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Ocgdji32.exeC:\Windows\system32\Ocgdji32.exe44⤵
- Executes dropped EXE
PID:3440 -
C:\Windows\SysWOW64\Ojalgcnd.exeC:\Windows\system32\Ojalgcnd.exe45⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Onmhgb32.exeC:\Windows\system32\Onmhgb32.exe46⤵
- Executes dropped EXE
PID:4040 -
C:\Windows\SysWOW64\Odgqdlnj.exeC:\Windows\system32\Odgqdlnj.exe47⤵
- Executes dropped EXE
PID:4360 -
C:\Windows\SysWOW64\Pcjapi32.exeC:\Windows\system32\Pcjapi32.exe48⤵
- Executes dropped EXE
PID:1388 -
C:\Windows\SysWOW64\Pjdilcla.exeC:\Windows\system32\Pjdilcla.exe49⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Pqnaim32.exeC:\Windows\system32\Pqnaim32.exe50⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Peimil32.exeC:\Windows\system32\Peimil32.exe51⤵
- Executes dropped EXE
PID:3556 -
C:\Windows\SysWOW64\Pkceffcd.exeC:\Windows\system32\Pkceffcd.exe52⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Pnbbbabh.exeC:\Windows\system32\Pnbbbabh.exe53⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Pqpnombl.exeC:\Windows\system32\Pqpnombl.exe54⤵
- Executes dropped EXE
PID:680 -
C:\Windows\SysWOW64\Pcojkhap.exeC:\Windows\system32\Pcojkhap.exe55⤵
- Executes dropped EXE
PID:700 -
C:\Windows\SysWOW64\Pjhbgb32.exeC:\Windows\system32\Pjhbgb32.exe56⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Pbpjhp32.exeC:\Windows\system32\Pbpjhp32.exe57⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Pengdk32.exeC:\Windows\system32\Pengdk32.exe58⤵
- Executes dropped EXE
PID:3916 -
C:\Windows\SysWOW64\Pjkombfj.exeC:\Windows\system32\Pjkombfj.exe59⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Pbbgnpgl.exeC:\Windows\system32\Pbbgnpgl.exe60⤵
- Executes dropped EXE
PID:4912 -
C:\Windows\SysWOW64\Peqcjkfp.exeC:\Windows\system32\Peqcjkfp.exe61⤵
- Executes dropped EXE
PID:3640 -
C:\Windows\SysWOW64\Pkjlge32.exeC:\Windows\system32\Pkjlge32.exe62⤵
- Executes dropped EXE
PID:4228 -
C:\Windows\SysWOW64\Pnihcq32.exeC:\Windows\system32\Pnihcq32.exe63⤵
- Executes dropped EXE
PID:4644 -
C:\Windows\SysWOW64\Pagdol32.exeC:\Windows\system32\Pagdol32.exe64⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Qcepkg32.exeC:\Windows\system32\Qcepkg32.exe65⤵
- Executes dropped EXE
PID:840 -
C:\Windows\SysWOW64\Qkmhlekj.exeC:\Windows\system32\Qkmhlekj.exe66⤵
- Drops file in System32 directory
PID:4128 -
C:\Windows\SysWOW64\Qbgqio32.exeC:\Windows\system32\Qbgqio32.exe67⤵PID:1196
-
C:\Windows\SysWOW64\Qeemej32.exeC:\Windows\system32\Qeemej32.exe68⤵PID:4208
-
C:\Windows\SysWOW64\Qgciaf32.exeC:\Windows\system32\Qgciaf32.exe69⤵PID:4532
-
C:\Windows\SysWOW64\Qnnanphk.exeC:\Windows\system32\Qnnanphk.exe70⤵PID:1404
-
C:\Windows\SysWOW64\Qalnjkgo.exeC:\Windows\system32\Qalnjkgo.exe71⤵PID:4520
-
C:\Windows\SysWOW64\Acjjfggb.exeC:\Windows\system32\Acjjfggb.exe72⤵PID:3692
-
C:\Windows\SysWOW64\Abkjdnoa.exeC:\Windows\system32\Abkjdnoa.exe73⤵PID:1060
-
C:\Windows\SysWOW64\Aejfpjne.exeC:\Windows\system32\Aejfpjne.exe74⤵PID:3816
-
C:\Windows\SysWOW64\Ahhblemi.exeC:\Windows\system32\Ahhblemi.exe75⤵PID:1300
-
C:\Windows\SysWOW64\Ajfoiqll.exeC:\Windows\system32\Ajfoiqll.exe76⤵PID:1520
-
C:\Windows\SysWOW64\Abngjnmo.exeC:\Windows\system32\Abngjnmo.exe77⤵
- Drops file in System32 directory
- Modifies registry class
PID:4744 -
C:\Windows\SysWOW64\Ahkobekf.exeC:\Windows\system32\Ahkobekf.exe78⤵PID:2472
-
C:\Windows\SysWOW64\Ajiknpjj.exeC:\Windows\system32\Ajiknpjj.exe79⤵PID:1580
-
C:\Windows\SysWOW64\Aacckjaf.exeC:\Windows\system32\Aacckjaf.exe80⤵PID:816
-
C:\Windows\SysWOW64\Ahmlgd32.exeC:\Windows\system32\Ahmlgd32.exe81⤵PID:4624
-
C:\Windows\SysWOW64\Angddopp.exeC:\Windows\system32\Angddopp.exe82⤵PID:764
-
C:\Windows\SysWOW64\Adcmmeog.exeC:\Windows\system32\Adcmmeog.exe83⤵PID:4112
-
C:\Windows\SysWOW64\Alkdnboj.exeC:\Windows\system32\Alkdnboj.exe84⤵PID:1524
-
C:\Windows\SysWOW64\Abemjmgg.exeC:\Windows\system32\Abemjmgg.exe85⤵PID:1492
-
C:\Windows\SysWOW64\Becifhfj.exeC:\Windows\system32\Becifhfj.exe86⤵PID:2920
-
C:\Windows\SysWOW64\Bhaebcen.exeC:\Windows\system32\Bhaebcen.exe87⤵PID:3096
-
C:\Windows\SysWOW64\Bjpaooda.exeC:\Windows\system32\Bjpaooda.exe88⤵PID:3840
-
C:\Windows\SysWOW64\Bdhfhe32.exeC:\Windows\system32\Bdhfhe32.exe89⤵PID:2760
-
C:\Windows\SysWOW64\Bjbndobo.exeC:\Windows\system32\Bjbndobo.exe90⤵PID:4356
-
C:\Windows\SysWOW64\Bbifelba.exeC:\Windows\system32\Bbifelba.exe91⤵PID:5160
-
C:\Windows\SysWOW64\Bdkcmdhp.exeC:\Windows\system32\Bdkcmdhp.exe92⤵PID:5204
-
C:\Windows\SysWOW64\Blbknaib.exeC:\Windows\system32\Blbknaib.exe93⤵
- Drops file in System32 directory
PID:5248 -
C:\Windows\SysWOW64\Bopgjmhe.exeC:\Windows\system32\Bopgjmhe.exe94⤵PID:5288
-
C:\Windows\SysWOW64\Bejogg32.exeC:\Windows\system32\Bejogg32.exe95⤵PID:5336
-
C:\Windows\SysWOW64\Bdmpcdfm.exeC:\Windows\system32\Bdmpcdfm.exe96⤵PID:5376
-
C:\Windows\SysWOW64\Bldgdago.exeC:\Windows\system32\Bldgdago.exe97⤵PID:5424
-
C:\Windows\SysWOW64\Bobcpmfc.exeC:\Windows\system32\Bobcpmfc.exe98⤵PID:5468
-
C:\Windows\SysWOW64\Bbnpqk32.exeC:\Windows\system32\Bbnpqk32.exe99⤵PID:5512
-
C:\Windows\SysWOW64\Bemlmgnp.exeC:\Windows\system32\Bemlmgnp.exe100⤵PID:5556
-
C:\Windows\SysWOW64\Bhkhibmc.exeC:\Windows\system32\Bhkhibmc.exe101⤵PID:5600
-
C:\Windows\SysWOW64\Bkidenlg.exeC:\Windows\system32\Bkidenlg.exe102⤵PID:5640
-
C:\Windows\SysWOW64\Cacmah32.exeC:\Windows\system32\Cacmah32.exe103⤵PID:5688
-
C:\Windows\SysWOW64\Chmeobkq.exeC:\Windows\system32\Chmeobkq.exe104⤵
- Modifies registry class
PID:5732 -
C:\Windows\SysWOW64\Cliaoq32.exeC:\Windows\system32\Cliaoq32.exe105⤵PID:5776
-
C:\Windows\SysWOW64\Cogmkl32.exeC:\Windows\system32\Cogmkl32.exe106⤵PID:5820
-
C:\Windows\SysWOW64\Cafigg32.exeC:\Windows\system32\Cafigg32.exe107⤵PID:5856
-
C:\Windows\SysWOW64\Ceaehfjj.exeC:\Windows\system32\Ceaehfjj.exe108⤵PID:5908
-
C:\Windows\SysWOW64\Clkndpag.exeC:\Windows\system32\Clkndpag.exe109⤵PID:5952
-
C:\Windows\SysWOW64\Cknnpm32.exeC:\Windows\system32\Cknnpm32.exe110⤵PID:5996
-
C:\Windows\SysWOW64\Cecbmf32.exeC:\Windows\system32\Cecbmf32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6040 -
C:\Windows\SysWOW64\Chbnia32.exeC:\Windows\system32\Chbnia32.exe112⤵PID:6084
-
C:\Windows\SysWOW64\Cbgbgj32.exeC:\Windows\system32\Cbgbgj32.exe113⤵PID:6128
-
C:\Windows\SysWOW64\Cefoce32.exeC:\Windows\system32\Cefoce32.exe114⤵
- Modifies registry class
PID:916 -
C:\Windows\SysWOW64\Cehkhecb.exeC:\Windows\system32\Cehkhecb.exe115⤵
- Drops file in System32 directory
PID:5192 -
C:\Windows\SysWOW64\Clbceo32.exeC:\Windows\system32\Clbceo32.exe116⤵PID:5276
-
C:\Windows\SysWOW64\Dbllbibl.exeC:\Windows\system32\Dbllbibl.exe117⤵PID:5324
-
C:\Windows\SysWOW64\Dekhneap.exeC:\Windows\system32\Dekhneap.exe118⤵PID:5432
-
C:\Windows\SysWOW64\Dhidjpqc.exeC:\Windows\system32\Dhidjpqc.exe119⤵PID:5536
-
C:\Windows\SysWOW64\Dkgqfl32.exeC:\Windows\system32\Dkgqfl32.exe120⤵PID:5624
-
C:\Windows\SysWOW64\Docmgjhp.exeC:\Windows\system32\Docmgjhp.exe121⤵
- Modifies registry class
PID:5676 -
C:\Windows\SysWOW64\Demecd32.exeC:\Windows\system32\Demecd32.exe122⤵PID:5756
-
C:\Windows\SysWOW64\Dhkapp32.exeC:\Windows\system32\Dhkapp32.exe123⤵PID:5844
-
C:\Windows\SysWOW64\Dbaemi32.exeC:\Windows\system32\Dbaemi32.exe124⤵PID:5896
-
C:\Windows\SysWOW64\Deoaid32.exeC:\Windows\system32\Deoaid32.exe125⤵PID:5980
-
C:\Windows\SysWOW64\Dhnnep32.exeC:\Windows\system32\Dhnnep32.exe126⤵PID:6064
-
C:\Windows\SysWOW64\Dkljak32.exeC:\Windows\system32\Dkljak32.exe127⤵PID:6112
-
C:\Windows\SysWOW64\Deanodkh.exeC:\Windows\system32\Deanodkh.exe128⤵PID:5188
-
C:\Windows\SysWOW64\Dhpjkojk.exeC:\Windows\system32\Dhpjkojk.exe129⤵PID:5284
-
C:\Windows\SysWOW64\Dojcgi32.exeC:\Windows\system32\Dojcgi32.exe130⤵PID:5384
-
C:\Windows\SysWOW64\Dlncan32.exeC:\Windows\system32\Dlncan32.exe131⤵
- Drops file in System32 directory
PID:5580 -
C:\Windows\SysWOW64\Eefhjc32.exeC:\Windows\system32\Eefhjc32.exe132⤵PID:5720
-
C:\Windows\SysWOW64\Eoolbinc.exeC:\Windows\system32\Eoolbinc.exe133⤵PID:5816
-
C:\Windows\SysWOW64\Ecjhcg32.exeC:\Windows\system32\Ecjhcg32.exe134⤵PID:5972
-
C:\Windows\SysWOW64\Eeidoc32.exeC:\Windows\system32\Eeidoc32.exe135⤵PID:6032
-
C:\Windows\SysWOW64\Ehgqln32.exeC:\Windows\system32\Ehgqln32.exe136⤵PID:5124
-
C:\Windows\SysWOW64\Ecmeig32.exeC:\Windows\system32\Ecmeig32.exe137⤵PID:5412
-
C:\Windows\SysWOW64\Eekaebcm.exeC:\Windows\system32\Eekaebcm.exe138⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5584 -
C:\Windows\SysWOW64\Ehimanbq.exeC:\Windows\system32\Ehimanbq.exe139⤵PID:5768
-
C:\Windows\SysWOW64\Eleiam32.exeC:\Windows\system32\Eleiam32.exe140⤵PID:5940
-
C:\Windows\SysWOW64\Ecoangbg.exeC:\Windows\system32\Ecoangbg.exe141⤵
- Modifies registry class
PID:4424 -
C:\Windows\SysWOW64\Eemnjbaj.exeC:\Windows\system32\Eemnjbaj.exe142⤵
- Drops file in System32 directory
PID:5488 -
C:\Windows\SysWOW64\Ehljfnpn.exeC:\Windows\system32\Ehljfnpn.exe143⤵PID:5900
-
C:\Windows\SysWOW64\Ekjfcipa.exeC:\Windows\system32\Ekjfcipa.exe144⤵PID:5608
-
C:\Windows\SysWOW64\Ecandfpd.exeC:\Windows\system32\Ecandfpd.exe145⤵PID:5740
-
C:\Windows\SysWOW64\Eepjpb32.exeC:\Windows\system32\Eepjpb32.exe146⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6176 -
C:\Windows\SysWOW64\Ehnglm32.exeC:\Windows\system32\Ehnglm32.exe147⤵PID:6228
-
C:\Windows\SysWOW64\Fohoigfh.exeC:\Windows\system32\Fohoigfh.exe148⤵PID:6272
-
C:\Windows\SysWOW64\Fcckif32.exeC:\Windows\system32\Fcckif32.exe149⤵PID:6320
-
C:\Windows\SysWOW64\Febgea32.exeC:\Windows\system32\Febgea32.exe150⤵PID:6392
-
C:\Windows\SysWOW64\Fhqcam32.exeC:\Windows\system32\Fhqcam32.exe151⤵PID:6440
-
C:\Windows\SysWOW64\Fllpbldb.exeC:\Windows\system32\Fllpbldb.exe152⤵
- Modifies registry class
PID:6516 -
C:\Windows\SysWOW64\Fojlngce.exeC:\Windows\system32\Fojlngce.exe153⤵PID:6560
-
C:\Windows\SysWOW64\Faihkbci.exeC:\Windows\system32\Faihkbci.exe154⤵PID:6604
-
C:\Windows\SysWOW64\Ffddka32.exeC:\Windows\system32\Ffddka32.exe155⤵PID:6656
-
C:\Windows\SysWOW64\Fhcpgmjf.exeC:\Windows\system32\Fhcpgmjf.exe156⤵PID:6696
-
C:\Windows\SysWOW64\Fkalchij.exeC:\Windows\system32\Fkalchij.exe157⤵PID:6744
-
C:\Windows\SysWOW64\Fchddejl.exeC:\Windows\system32\Fchddejl.exe158⤵PID:6792
-
C:\Windows\SysWOW64\Fdialn32.exeC:\Windows\system32\Fdialn32.exe159⤵PID:6832
-
C:\Windows\SysWOW64\Flqimk32.exeC:\Windows\system32\Flqimk32.exe160⤵PID:6884
-
C:\Windows\SysWOW64\Fooeif32.exeC:\Windows\system32\Fooeif32.exe161⤵PID:6944
-
C:\Windows\SysWOW64\Ffimfqgm.exeC:\Windows\system32\Ffimfqgm.exe162⤵PID:6988
-
C:\Windows\SysWOW64\Foabofnn.exeC:\Windows\system32\Foabofnn.exe163⤵PID:7032
-
C:\Windows\SysWOW64\Fdnjgmle.exeC:\Windows\system32\Fdnjgmle.exe164⤵PID:7072
-
C:\Windows\SysWOW64\Gododflk.exeC:\Windows\system32\Gododflk.exe165⤵PID:7120
-
C:\Windows\SysWOW64\Gdqgmmjb.exeC:\Windows\system32\Gdqgmmjb.exe166⤵PID:7164
-
C:\Windows\SysWOW64\Glhonj32.exeC:\Windows\system32\Glhonj32.exe167⤵PID:6212
-
C:\Windows\SysWOW64\Gofkje32.exeC:\Windows\system32\Gofkje32.exe168⤵PID:6288
-
C:\Windows\SysWOW64\Gdcdbl32.exeC:\Windows\system32\Gdcdbl32.exe169⤵
- Drops file in System32 directory
PID:6376 -
C:\Windows\SysWOW64\Gohhpe32.exeC:\Windows\system32\Gohhpe32.exe170⤵PID:6456
-
C:\Windows\SysWOW64\Gbgdlq32.exeC:\Windows\system32\Gbgdlq32.exe171⤵PID:6552
-
C:\Windows\SysWOW64\Gmlhii32.exeC:\Windows\system32\Gmlhii32.exe172⤵PID:6620
-
C:\Windows\SysWOW64\Gkaejf32.exeC:\Windows\system32\Gkaejf32.exe173⤵PID:6712
-
C:\Windows\SysWOW64\Gfgjgo32.exeC:\Windows\system32\Gfgjgo32.exe174⤵PID:6784
-
C:\Windows\SysWOW64\Hiefcj32.exeC:\Windows\system32\Hiefcj32.exe175⤵PID:6868
-
C:\Windows\SysWOW64\Hkdbpe32.exeC:\Windows\system32\Hkdbpe32.exe176⤵PID:6936
-
C:\Windows\SysWOW64\Hopnqdan.exeC:\Windows\system32\Hopnqdan.exe177⤵PID:7000
-
C:\Windows\SysWOW64\Hbnjmp32.exeC:\Windows\system32\Hbnjmp32.exe178⤵PID:7096
-
C:\Windows\SysWOW64\Helfik32.exeC:\Windows\system32\Helfik32.exe179⤵PID:6164
-
C:\Windows\SysWOW64\Hmcojh32.exeC:\Windows\system32\Hmcojh32.exe180⤵PID:6360
-
C:\Windows\SysWOW64\Hkfoeega.exeC:\Windows\system32\Hkfoeega.exe181⤵PID:6500
-
C:\Windows\SysWOW64\Hcmgfbhd.exeC:\Windows\system32\Hcmgfbhd.exe182⤵PID:6644
-
C:\Windows\SysWOW64\Hbpgbo32.exeC:\Windows\system32\Hbpgbo32.exe183⤵PID:6760
-
C:\Windows\SysWOW64\Heocnk32.exeC:\Windows\system32\Heocnk32.exe184⤵PID:6880
-
C:\Windows\SysWOW64\Hmfkoh32.exeC:\Windows\system32\Hmfkoh32.exe185⤵PID:6984
-
C:\Windows\SysWOW64\Hkikkeeo.exeC:\Windows\system32\Hkikkeeo.exe186⤵PID:7160
-
C:\Windows\SysWOW64\Hcpclbfa.exeC:\Windows\system32\Hcpclbfa.exe187⤵PID:6256
-
C:\Windows\SysWOW64\Hbbdholl.exeC:\Windows\system32\Hbbdholl.exe188⤵PID:6416
-
C:\Windows\SysWOW64\Heapdjlp.exeC:\Windows\system32\Heapdjlp.exe189⤵PID:6668
-
C:\Windows\SysWOW64\Hmhhehlb.exeC:\Windows\system32\Hmhhehlb.exe190⤵PID:6840
-
C:\Windows\SysWOW64\Hkkhqd32.exeC:\Windows\system32\Hkkhqd32.exe191⤵PID:7112
-
C:\Windows\SysWOW64\Hcbpab32.exeC:\Windows\system32\Hcbpab32.exe192⤵PID:6452
-
C:\Windows\SysWOW64\Hbeqmoji.exeC:\Windows\system32\Hbeqmoji.exe193⤵PID:6736
-
C:\Windows\SysWOW64\Hecmijim.exeC:\Windows\system32\Hecmijim.exe194⤵PID:7080
-
C:\Windows\SysWOW64\Hmjdjgjo.exeC:\Windows\system32\Hmjdjgjo.exe195⤵PID:6624
-
C:\Windows\SysWOW64\Hoiafcic.exeC:\Windows\system32\Hoiafcic.exe196⤵PID:7084
-
C:\Windows\SysWOW64\Hbgmcnhf.exeC:\Windows\system32\Hbgmcnhf.exe197⤵PID:6980
-
C:\Windows\SysWOW64\Hfcicmqp.exeC:\Windows\system32\Hfcicmqp.exe198⤵PID:6400
-
C:\Windows\SysWOW64\Immapg32.exeC:\Windows\system32\Immapg32.exe199⤵PID:7228
-
C:\Windows\SysWOW64\Ipknlb32.exeC:\Windows\system32\Ipknlb32.exe200⤵PID:7276
-
C:\Windows\SysWOW64\Ibjjhn32.exeC:\Windows\system32\Ibjjhn32.exe201⤵PID:7312
-
C:\Windows\SysWOW64\Iehfdi32.exeC:\Windows\system32\Iehfdi32.exe202⤵PID:7356
-
C:\Windows\SysWOW64\Imoneg32.exeC:\Windows\system32\Imoneg32.exe203⤵PID:7400
-
C:\Windows\SysWOW64\Icifbang.exeC:\Windows\system32\Icifbang.exe204⤵PID:7444
-
C:\Windows\SysWOW64\Iblfnn32.exeC:\Windows\system32\Iblfnn32.exe205⤵PID:7484
-
C:\Windows\SysWOW64\Iejcji32.exeC:\Windows\system32\Iejcji32.exe206⤵PID:7532
-
C:\Windows\SysWOW64\Ildkgc32.exeC:\Windows\system32\Ildkgc32.exe207⤵PID:7576
-
C:\Windows\SysWOW64\Ibnccmbo.exeC:\Windows\system32\Ibnccmbo.exe208⤵PID:7624
-
C:\Windows\SysWOW64\Iemppiab.exeC:\Windows\system32\Iemppiab.exe209⤵PID:7668
-
C:\Windows\SysWOW64\Imdgqfbd.exeC:\Windows\system32\Imdgqfbd.exe210⤵PID:7712
-
C:\Windows\SysWOW64\Icnpmp32.exeC:\Windows\system32\Icnpmp32.exe211⤵PID:7756
-
C:\Windows\SysWOW64\Ifllil32.exeC:\Windows\system32\Ifllil32.exe212⤵PID:7800
-
C:\Windows\SysWOW64\Ieolehop.exeC:\Windows\system32\Ieolehop.exe213⤵PID:7844
-
C:\Windows\SysWOW64\Imfdff32.exeC:\Windows\system32\Imfdff32.exe214⤵PID:7888
-
C:\Windows\SysWOW64\Ipdqba32.exeC:\Windows\system32\Ipdqba32.exe215⤵PID:7928
-
C:\Windows\SysWOW64\Ibcmom32.exeC:\Windows\system32\Ibcmom32.exe216⤵
- Drops file in System32 directory
PID:7972 -
C:\Windows\SysWOW64\Jeaikh32.exeC:\Windows\system32\Jeaikh32.exe217⤵PID:8012
-
C:\Windows\SysWOW64\Jimekgff.exeC:\Windows\system32\Jimekgff.exe218⤵PID:8060
-
C:\Windows\SysWOW64\Jlkagbej.exeC:\Windows\system32\Jlkagbej.exe219⤵PID:8104
-
C:\Windows\SysWOW64\Jbeidl32.exeC:\Windows\system32\Jbeidl32.exe220⤵PID:8140
-
C:\Windows\SysWOW64\Jedeph32.exeC:\Windows\system32\Jedeph32.exe221⤵
- Drops file in System32 directory
PID:8184 -
C:\Windows\SysWOW64\Jmknaell.exeC:\Windows\system32\Jmknaell.exe222⤵PID:7216
-
C:\Windows\SysWOW64\Jcefno32.exeC:\Windows\system32\Jcefno32.exe223⤵PID:7296
-
C:\Windows\SysWOW64\Jefbfgig.exeC:\Windows\system32\Jefbfgig.exe224⤵PID:7384
-
C:\Windows\SysWOW64\Jmmjgejj.exeC:\Windows\system32\Jmmjgejj.exe225⤵PID:7464
-
C:\Windows\SysWOW64\Jplfcpin.exeC:\Windows\system32\Jplfcpin.exe226⤵PID:7528
-
C:\Windows\SysWOW64\Jbjcolha.exeC:\Windows\system32\Jbjcolha.exe227⤵PID:7604
-
C:\Windows\SysWOW64\Jehokgge.exeC:\Windows\system32\Jehokgge.exe228⤵PID:7676
-
C:\Windows\SysWOW64\Jmpgldhg.exeC:\Windows\system32\Jmpgldhg.exe229⤵PID:7740
-
C:\Windows\SysWOW64\Jcioiood.exeC:\Windows\system32\Jcioiood.exe230⤵PID:7812
-
C:\Windows\SysWOW64\Jfhlejnh.exeC:\Windows\system32\Jfhlejnh.exe231⤵PID:7904
-
C:\Windows\SysWOW64\Jmbdbd32.exeC:\Windows\system32\Jmbdbd32.exe232⤵PID:8004
-
C:\Windows\SysWOW64\Jpppnp32.exeC:\Windows\system32\Jpppnp32.exe233⤵PID:8068
-
C:\Windows\SysWOW64\Kboljk32.exeC:\Windows\system32\Kboljk32.exe234⤵PID:8128
-
C:\Windows\SysWOW64\Kemhff32.exeC:\Windows\system32\Kemhff32.exe235⤵PID:7128
-
C:\Windows\SysWOW64\Kmdqgd32.exeC:\Windows\system32\Kmdqgd32.exe236⤵PID:7252
-
C:\Windows\SysWOW64\Klgqcqkl.exeC:\Windows\system32\Klgqcqkl.exe237⤵PID:7436
-
C:\Windows\SysWOW64\Kdnidn32.exeC:\Windows\system32\Kdnidn32.exe238⤵PID:7520
-
C:\Windows\SysWOW64\Kepelfam.exeC:\Windows\system32\Kepelfam.exe239⤵PID:7656
-
C:\Windows\SysWOW64\Klimip32.exeC:\Windows\system32\Klimip32.exe240⤵PID:7752
-
C:\Windows\SysWOW64\Kpeiioac.exeC:\Windows\system32\Kpeiioac.exe241⤵
- Modifies registry class
PID:7808 -
C:\Windows\SysWOW64\Kbceejpf.exeC:\Windows\system32\Kbceejpf.exe242⤵PID:7992