Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
30-05-2024 15:30
Behavioral task
behavioral1
Sample
0f90055f8742415b5ae99f63da7b3e20_NeikiAnalytics.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
0f90055f8742415b5ae99f63da7b3e20_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
0f90055f8742415b5ae99f63da7b3e20_NeikiAnalytics.exe
-
Size
346KB
-
MD5
0f90055f8742415b5ae99f63da7b3e20
-
SHA1
8e4ce5fe62e2e8b7b070b0904b5209204bf9417a
-
SHA256
f2ebbacb5dd2f2afb7609c65d381e1b0c895e72f08a6c28e01fbdfc4a569eb2c
-
SHA512
96c6a9d54263adbc3c8c902268a3946f7cac3b1f55e9139d060f60c6e1e624308b8079ccb75d1ee9b0fac03d873b5f3a565dc9c8a4bc0589bf1986c3ae31a4c4
-
SSDEEP
3072:2awGlHPsPgU5QdDrFDHZtObmOm3AIpwbjshrmP24ho1mtye3lFDrFDHZtOk6Tsos:vwgv2ho5t13LJhrmMsFj5tzOvfFOM6
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Deanodkh.exeKebbafoj.exeOlgemcli.exeDjqblj32.exeHgabkoee.exeQfpbmfdf.exeEangpgcl.exeMalgcg32.exeDjhpgofm.exePoomegpf.exeKcejco32.exeJddnfd32.exeQnhahj32.exeNlglfe32.exePoaqemao.exeHgelek32.exeAkhcfe32.exeFmpqfq32.exeNkjjij32.exeQjlnnemp.exeDdcqedkk.exePhedhmhi.exeJnjejjgh.exeHbmcbime.exeEdemkd32.exeAojlaeei.exeIggjga32.exeEcmeig32.exeIihkpg32.exeGingkqkd.exeNpjebj32.exeEobocb32.exePgkelj32.exeEapedd32.exeMidfokpm.exeBopocbcq.exeNqmhbpba.exeBapiabak.exeEbjcajjd.exeIkdcmpnl.exeEkiohclf.exeGdfoio32.exeIljpij32.exeAdgbpc32.exeGdppbfff.exedescription ioc process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deanodkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kebbafoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olgemcli.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djqblj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgabkoee.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfpbmfdf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eangpgcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Malgcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djhpgofm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Poomegpf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcejco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jddnfd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qnhahj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlglfe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Poaqemao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgelek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akhcfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmpqfq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkjjij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qjlnnemp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddcqedkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phedhmhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnjejjgh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcejco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbmcbime.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edemkd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aojlaeei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iggjga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecmeig32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iihkpg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gingkqkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npjebj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eobocb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgkelj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eapedd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Midfokpm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bopocbcq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqmhbpba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bapiabak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebjcajjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikdcmpnl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekiohclf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdfoio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iljpij32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adgbpc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdppbfff.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Processes:
resource yara_rule C:\Windows\SysWOW64\Mpkbebbf.exe family_berbew C:\Windows\SysWOW64\Mjcgohig.exe family_berbew C:\Windows\SysWOW64\Mgghhlhq.exe family_berbew C:\Windows\SysWOW64\Mnapdf32.exe family_berbew C:\Windows\SysWOW64\Mkepnjng.exe family_berbew C:\Windows\SysWOW64\Maohkd32.exe family_berbew C:\Windows\SysWOW64\Mglack32.exe family_berbew C:\Windows\SysWOW64\Maaepd32.exe family_berbew C:\Windows\SysWOW64\Nkjjij32.exe family_berbew C:\Windows\SysWOW64\Nceonl32.exe family_berbew C:\Windows\SysWOW64\Nklfoi32.exe family_berbew C:\Windows\SysWOW64\Nnjbke32.exe family_berbew C:\Windows\SysWOW64\Nnmopdep.exe family_berbew C:\Windows\SysWOW64\Njcpee32.exe family_berbew C:\Windows\SysWOW64\Nqmhbpba.exe family_berbew C:\Windows\SysWOW64\Nqpego32.exe family_berbew C:\Windows\SysWOW64\Oboaabga.exe family_berbew C:\Windows\SysWOW64\Occkojkm.exe family_berbew C:\Windows\SysWOW64\Ocegdjij.exe family_berbew C:\Windows\SysWOW64\Oqihnn32.exe family_berbew C:\Windows\SysWOW64\Obidhaog.exe family_berbew C:\Windows\SysWOW64\Pgemphmn.exe family_berbew C:\Windows\SysWOW64\Pqnaim32.exe family_berbew C:\Windows\SysWOW64\Pnbbbabh.exe family_berbew C:\Windows\SysWOW64\Pkfblfab.exe family_berbew C:\Windows\SysWOW64\Pengdk32.exe family_berbew C:\Windows\SysWOW64\Pnfkma32.exe family_berbew C:\Windows\SysWOW64\Pgopffec.exe family_berbew C:\Windows\SysWOW64\Qecppkdm.exe family_berbew C:\Windows\SysWOW64\Qbgqio32.exe family_berbew C:\Windows\SysWOW64\Qnnanphk.exe family_berbew C:\Windows\SysWOW64\Agffge32.exe family_berbew C:\Windows\SysWOW64\Aanjpk32.exe family_berbew C:\Windows\SysWOW64\Ahmlgd32.exe family_berbew C:\Windows\SysWOW64\Bahmfj32.exe family_berbew C:\Windows\SysWOW64\Bobcpmfc.exe family_berbew C:\Windows\SysWOW64\Cliaoq32.exe family_berbew C:\Windows\SysWOW64\Cdiooblp.exe family_berbew C:\Windows\SysWOW64\Docmgjhp.exe family_berbew C:\Windows\SysWOW64\Dohfbj32.exe family_berbew C:\Windows\SysWOW64\Dedkdcie.exe family_berbew C:\Windows\SysWOW64\Ecjhcg32.exe family_berbew C:\Windows\SysWOW64\Ednaqo32.exe family_berbew C:\Windows\SysWOW64\Ehgqln32.exe family_berbew C:\Windows\SysWOW64\Fohoigfh.exe family_berbew C:\Windows\SysWOW64\Fkopnh32.exe family_berbew C:\Windows\SysWOW64\Fakdpb32.exe family_berbew C:\Windows\SysWOW64\Fkciihgg.exe family_berbew C:\Windows\SysWOW64\Gofkje32.exe family_berbew C:\Windows\SysWOW64\Gdeqhl32.exe family_berbew C:\Windows\SysWOW64\Gdhmnlcj.exe family_berbew C:\Windows\SysWOW64\Gcimkc32.exe family_berbew C:\Windows\SysWOW64\Hcmgfbhd.exe family_berbew C:\Windows\SysWOW64\Hcpclbfa.exe family_berbew C:\Windows\SysWOW64\Iicbehnq.exe family_berbew C:\Windows\SysWOW64\Iejcji32.exe family_berbew C:\Windows\SysWOW64\Ibnccmbo.exe family_berbew C:\Windows\SysWOW64\Ipbdmaah.exe family_berbew C:\Windows\SysWOW64\Jmknaell.exe family_berbew C:\Windows\SysWOW64\Jfeopj32.exe family_berbew C:\Windows\SysWOW64\Jcioiood.exe family_berbew C:\Windows\SysWOW64\Kbaipkbi.exe family_berbew C:\Windows\SysWOW64\Klimip32.exe family_berbew C:\Windows\SysWOW64\Kebbafoj.exe family_berbew -
Executes dropped EXE 64 IoCs
Processes:
Mpkbebbf.exeMjcgohig.exeMgghhlhq.exeMnapdf32.exeMkepnjng.exeMaohkd32.exeMglack32.exeMaaepd32.exeNkjjij32.exeNceonl32.exeNklfoi32.exeNnjbke32.exeNnmopdep.exeNjcpee32.exeNqmhbpba.exeNqpego32.exeOboaabga.exeOcckojkm.exeOcegdjij.exeOqihnn32.exeObidhaog.exePgemphmn.exePqnaim32.exePnbbbabh.exePkfblfab.exePengdk32.exePnfkma32.exePgopffec.exeQecppkdm.exeQbgqio32.exeQnnanphk.exeAgffge32.exeAanjpk32.exeAldomc32.exeAbngjnmo.exeAlfkbc32.exeAbpcon32.exeAhmlgd32.exeAbbpem32.exeAdcmmeog.exeAjneip32.exeBahmfj32.exeBhaebcen.exeBbgipldd.exeBeeflhdh.exeBdhfhe32.exeBhdbhcck.exeBehbag32.exeBlbknaib.exeBopgjmhe.exeBaocghgi.exeBdmpcdfm.exeBobcpmfc.exeBemlmgnp.exeBlfdia32.exeBoepel32.exeCacmah32.exeCliaoq32.exeCeaehfjj.exeClkndpag.exeCahfmgoo.exeClnjjpod.exeCbgbgj32.exeCdiooblp.exepid process 1536 Mpkbebbf.exe 996 Mjcgohig.exe 3448 Mgghhlhq.exe 4200 Mnapdf32.exe 3652 Mkepnjng.exe 3016 Maohkd32.exe 3432 Mglack32.exe 5028 Maaepd32.exe 2152 Nkjjij32.exe 2408 Nceonl32.exe 3800 Nklfoi32.exe 1380 Nnjbke32.exe 4692 Nnmopdep.exe 4480 Njcpee32.exe 1276 Nqmhbpba.exe 4116 Nqpego32.exe 1404 Oboaabga.exe 808 Occkojkm.exe 3212 Ocegdjij.exe 812 Oqihnn32.exe 4712 Obidhaog.exe 1416 Pgemphmn.exe 3056 Pqnaim32.exe 3980 Pnbbbabh.exe 3716 Pkfblfab.exe 2644 Pengdk32.exe 2360 Pnfkma32.exe 5020 Pgopffec.exe 1952 Qecppkdm.exe 3812 Qbgqio32.exe 4160 Qnnanphk.exe 4208 Agffge32.exe 1848 Aanjpk32.exe 4796 Aldomc32.exe 4868 Abngjnmo.exe 1836 Alfkbc32.exe 4520 Abpcon32.exe 1112 Ahmlgd32.exe 2420 Abbpem32.exe 2640 Adcmmeog.exe 1860 Ajneip32.exe 3292 Bahmfj32.exe 3208 Bhaebcen.exe 2740 Bbgipldd.exe 2828 Beeflhdh.exe 1688 Bdhfhe32.exe 4804 Bhdbhcck.exe 3736 Behbag32.exe 1900 Blbknaib.exe 4812 Bopgjmhe.exe 5056 Baocghgi.exe 1212 Bdmpcdfm.exe 3780 Bobcpmfc.exe 1824 Bemlmgnp.exe 3552 Blfdia32.exe 1784 Boepel32.exe 684 Cacmah32.exe 1852 Cliaoq32.exe 4500 Ceaehfjj.exe 1344 Clkndpag.exe 772 Cahfmgoo.exe 4916 Clnjjpod.exe 1652 Cbgbgj32.exe 3308 Cdiooblp.exe -
Drops file in System32 directory 64 IoCs
Processes:
Mcpnhfhf.exeBgehcmmm.exeHdkidohn.exeGglpibgm.exeJiokfpph.exeOboaabga.exeIihkpg32.exeNfgmjqop.exeIokgal32.exeMchppmij.exeIqipio32.exeNeafjdkn.exeEleepoob.exeEdemkd32.exeNbnpcj32.exeEhimanbq.exeEachem32.exeCaghhk32.exeKipkhdeq.exeLdanqkki.exeAqaffn32.exeMpieqeko.exeNklbmllg.exeNlnkmnah.exeGpfjma32.exeCbgbgj32.exeLekehdgp.exePlhnda32.exeLjbfpo32.exeGigaka32.exeGofkje32.exeBciehh32.exeLjfhqh32.exeJjjpnlbd.exeLknojl32.exeKndojobi.exeGpecbk32.exeJjgchm32.exeQmmnjfnl.exeCidjbmcp.exeDadeieea.exeImfdff32.exePdmpje32.exeMdhdajea.exedescription ioc process File created C:\Windows\SysWOW64\Fbelcblk.exe File created C:\Windows\SysWOW64\Olcjhi32.dll Mcpnhfhf.exe File opened for modification C:\Windows\SysWOW64\Bjddphlq.exe Bgehcmmm.exe File opened for modification C:\Windows\SysWOW64\Hgiepjga.exe Hdkidohn.exe File created C:\Windows\SysWOW64\Ibingd32.dll File created C:\Windows\SysWOW64\Gochjpho.exe Gglpibgm.exe File created C:\Windows\SysWOW64\Mhghfqcd.dll Jiokfpph.exe File created C:\Windows\SysWOW64\Odalmibl.exe File created C:\Windows\SysWOW64\Qgmbjkdp.dll Oboaabga.exe File created C:\Windows\SysWOW64\Mhpbkngk.dll File created C:\Windows\SysWOW64\Pacghh32.dll Iihkpg32.exe File created C:\Windows\SysWOW64\Nnneknob.exe Nfgmjqop.exe File opened for modification C:\Windows\SysWOW64\Ibicnh32.exe Iokgal32.exe File created C:\Windows\SysWOW64\Llgmeiqa.dll Mchppmij.exe File opened for modification C:\Windows\SysWOW64\Aefjii32.exe File created C:\Windows\SysWOW64\Ppmflc32.dll Iqipio32.exe File created C:\Windows\SysWOW64\Dgcaaddl.dll Neafjdkn.exe File created C:\Windows\SysWOW64\Bgmakofh.dll Eleepoob.exe File created C:\Windows\SysWOW64\Efdjgo32.exe Edemkd32.exe File created C:\Windows\SysWOW64\Nihipdhl.exe Nbnpcj32.exe File created C:\Windows\SysWOW64\Eokqkh32.exe File opened for modification C:\Windows\SysWOW64\Ofhknodl.exe File opened for modification C:\Windows\SysWOW64\Oabhfg32.exe File opened for modification C:\Windows\SysWOW64\Eleiam32.exe Ehimanbq.exe File opened for modification C:\Windows\SysWOW64\Fdbdah32.exe Eachem32.exe File created C:\Windows\SysWOW64\Qknhhh32.dll Caghhk32.exe File opened for modification C:\Windows\SysWOW64\Kpanan32.exe File created C:\Windows\SysWOW64\Kpjcdn32.exe Kipkhdeq.exe File opened for modification C:\Windows\SysWOW64\Lgokmgjm.exe Ldanqkki.exe File created C:\Windows\SysWOW64\Aglnbhal.exe Aqaffn32.exe File opened for modification C:\Windows\SysWOW64\Oacoqnci.exe File created C:\Windows\SysWOW64\Chqogq32.exe File opened for modification C:\Windows\SysWOW64\Mbhamajc.exe Mpieqeko.exe File created C:\Windows\SysWOW64\Neafjdkn.exe Nklbmllg.exe File created C:\Windows\SysWOW64\Nbgcih32.exe Nlnkmnah.exe File created C:\Windows\SysWOW64\Gdafnpqh.exe Gpfjma32.exe File created C:\Windows\SysWOW64\Ghaddm32.dll Cbgbgj32.exe File created C:\Windows\SysWOW64\Lmbmibhb.exe Lekehdgp.exe File created C:\Windows\SysWOW64\Qcbfakec.exe Plhnda32.exe File created C:\Windows\SysWOW64\Domdjj32.exe File created C:\Windows\SysWOW64\Lalnmiia.exe Ljbfpo32.exe File created C:\Windows\SysWOW64\Ecgflaec.dll Gigaka32.exe File created C:\Windows\SysWOW64\Phdnngdn.exe File created C:\Windows\SysWOW64\Hfhgkmpj.exe File opened for modification C:\Windows\SysWOW64\Gmjlcj32.exe Gofkje32.exe File opened for modification C:\Windows\SysWOW64\Bjcmebie.exe Bciehh32.exe File opened for modification C:\Windows\SysWOW64\Lmdemd32.exe Ljfhqh32.exe File created C:\Windows\SysWOW64\Jlhljhbg.exe Jjjpnlbd.exe File opened for modification C:\Windows\SysWOW64\Amjillkj.exe File created C:\Windows\SysWOW64\Hemikcpm.dll File created C:\Windows\SysWOW64\Lmpkadnm.exe Lknojl32.exe File opened for modification C:\Windows\SysWOW64\Kenggi32.exe Kndojobi.exe File created C:\Windows\SysWOW64\Cjelhg32.dll Gpecbk32.exe File created C:\Windows\SysWOW64\Gologg32.dll Jjgchm32.exe File created C:\Windows\SysWOW64\Qddfkd32.exe Qmmnjfnl.exe File opened for modification C:\Windows\SysWOW64\Dpnbog32.exe Cidjbmcp.exe File created C:\Windows\SysWOW64\Fmplqd32.dll File opened for modification C:\Windows\SysWOW64\Afpjel32.exe File created C:\Windows\SysWOW64\Ipenkiei.dll Dadeieea.exe File opened for modification C:\Windows\SysWOW64\Ipdqba32.exe Imfdff32.exe File created C:\Windows\SysWOW64\Pgllfp32.exe Pdmpje32.exe File created C:\Windows\SysWOW64\Afpjel32.exe File opened for modification C:\Windows\SysWOW64\Bhmbqm32.exe File opened for modification C:\Windows\SysWOW64\Meiaib32.exe Mdhdajea.exe -
Program crash 1 IoCs
Processes:
pid pid_target process target process 11940 11512 -
Modifies registry class 64 IoCs
Processes:
Oeicejia.exeBggnof32.exeCndikf32.exePhedhmhi.exeAhchda32.exePnfkma32.exeMgaokl32.exeKlqcioba.exeKgopidgf.exeAomifecf.exeCliaoq32.exeNlphbnoe.exeMpkbebbf.exeDahhio32.exeHjhalefe.exeFpbmfn32.exeDdmaok32.exeJkmgblok.exeBfedoc32.exeFfpicn32.exeEmaedo32.exeCjkjpgfi.exeOiihahme.exeDbjkkl32.exeHioiji32.exeOhnohn32.exeOcckojkm.exeBqmeal32.exeCmdfgm32.exeHcbpab32.exeOpemca32.exeAjdjin32.exeMiomdk32.exeLklbdm32.exeEjlbhh32.exeMegljppl.exeBcoenmao.exeOehlkc32.exeJnjejjgh.exeMelnob32.exeMjdebfnd.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oeicejia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bggnof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polalahi.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekoglqie.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll" Cndikf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phedhmhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqhajknb.dll" Ahchda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnfkma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgaokl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Klqcioba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgopidgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aomifecf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imdhga32.dll" Cliaoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlphbnoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogigdpmb.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpkbebbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cliaoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dahhio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ganmcc32.dll" Hjhalefe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpbmfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll" Ddmaok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkmgblok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haffcnib.dll" Bfedoc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffpicn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khddfdcl.dll" Emaedo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbalhp32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjkjpgfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lghnikdd.dll" Oiihahme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbjkkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aamebb32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hioiji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phedhmhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chalkm32.dll" Ohnohn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Occkojkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noiilpik.dll" Bqmeal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmdfgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcbpab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opemca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igegpo32.dll" Ajdjin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kllfakij.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlgaff32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Miomdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eghghj32.dll" Lklbdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbobhb32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpeohm32.dll" Hcbpab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejlbhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Megljppl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll" Bcoenmao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oehlkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mckdpoji.dll" Jnjejjgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkdgfllg.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Melnob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmhkgijk.dll" Mjdebfnd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
0f90055f8742415b5ae99f63da7b3e20_NeikiAnalytics.exeMpkbebbf.exeMjcgohig.exeMgghhlhq.exeMnapdf32.exeMkepnjng.exeMaohkd32.exeMglack32.exeMaaepd32.exeNkjjij32.exeNceonl32.exeNklfoi32.exeNnjbke32.exeNnmopdep.exeNjcpee32.exeNqmhbpba.exeNqpego32.exeOboaabga.exeOcckojkm.exeOcegdjij.exeOqihnn32.exeObidhaog.exedescription pid process target process PID 2504 wrote to memory of 1536 2504 0f90055f8742415b5ae99f63da7b3e20_NeikiAnalytics.exe Mpkbebbf.exe PID 2504 wrote to memory of 1536 2504 0f90055f8742415b5ae99f63da7b3e20_NeikiAnalytics.exe Mpkbebbf.exe PID 2504 wrote to memory of 1536 2504 0f90055f8742415b5ae99f63da7b3e20_NeikiAnalytics.exe Mpkbebbf.exe PID 1536 wrote to memory of 996 1536 Mpkbebbf.exe Mjcgohig.exe PID 1536 wrote to memory of 996 1536 Mpkbebbf.exe Mjcgohig.exe PID 1536 wrote to memory of 996 1536 Mpkbebbf.exe Mjcgohig.exe PID 996 wrote to memory of 3448 996 Mjcgohig.exe Mgghhlhq.exe PID 996 wrote to memory of 3448 996 Mjcgohig.exe Mgghhlhq.exe PID 996 wrote to memory of 3448 996 Mjcgohig.exe Mgghhlhq.exe PID 3448 wrote to memory of 4200 3448 Mgghhlhq.exe Mnapdf32.exe PID 3448 wrote to memory of 4200 3448 Mgghhlhq.exe Mnapdf32.exe PID 3448 wrote to memory of 4200 3448 Mgghhlhq.exe Mnapdf32.exe PID 4200 wrote to memory of 3652 4200 Mnapdf32.exe Mkepnjng.exe PID 4200 wrote to memory of 3652 4200 Mnapdf32.exe Mkepnjng.exe PID 4200 wrote to memory of 3652 4200 Mnapdf32.exe Mkepnjng.exe PID 3652 wrote to memory of 3016 3652 Mkepnjng.exe Maohkd32.exe PID 3652 wrote to memory of 3016 3652 Mkepnjng.exe Maohkd32.exe PID 3652 wrote to memory of 3016 3652 Mkepnjng.exe Maohkd32.exe PID 3016 wrote to memory of 3432 3016 Maohkd32.exe Mglack32.exe PID 3016 wrote to memory of 3432 3016 Maohkd32.exe Mglack32.exe PID 3016 wrote to memory of 3432 3016 Maohkd32.exe Mglack32.exe PID 3432 wrote to memory of 5028 3432 Mglack32.exe Maaepd32.exe PID 3432 wrote to memory of 5028 3432 Mglack32.exe Maaepd32.exe PID 3432 wrote to memory of 5028 3432 Mglack32.exe Maaepd32.exe PID 5028 wrote to memory of 2152 5028 Maaepd32.exe Nkjjij32.exe PID 5028 wrote to memory of 2152 5028 Maaepd32.exe Nkjjij32.exe PID 5028 wrote to memory of 2152 5028 Maaepd32.exe Nkjjij32.exe PID 2152 wrote to memory of 2408 2152 Nkjjij32.exe Nceonl32.exe PID 2152 wrote to memory of 2408 2152 Nkjjij32.exe Nceonl32.exe PID 2152 wrote to memory of 2408 2152 Nkjjij32.exe Nceonl32.exe PID 2408 wrote to memory of 3800 2408 Nceonl32.exe Nklfoi32.exe PID 2408 wrote to memory of 3800 2408 Nceonl32.exe Nklfoi32.exe PID 2408 wrote to memory of 3800 2408 Nceonl32.exe Nklfoi32.exe PID 3800 wrote to memory of 1380 3800 Nklfoi32.exe Nnjbke32.exe PID 3800 wrote to memory of 1380 3800 Nklfoi32.exe Nnjbke32.exe PID 3800 wrote to memory of 1380 3800 Nklfoi32.exe Nnjbke32.exe PID 1380 wrote to memory of 4692 1380 Nnjbke32.exe Nnmopdep.exe PID 1380 wrote to memory of 4692 1380 Nnjbke32.exe Nnmopdep.exe PID 1380 wrote to memory of 4692 1380 Nnjbke32.exe Nnmopdep.exe PID 4692 wrote to memory of 4480 4692 Nnmopdep.exe Njcpee32.exe PID 4692 wrote to memory of 4480 4692 Nnmopdep.exe Njcpee32.exe PID 4692 wrote to memory of 4480 4692 Nnmopdep.exe Njcpee32.exe PID 4480 wrote to memory of 1276 4480 Njcpee32.exe Nqmhbpba.exe PID 4480 wrote to memory of 1276 4480 Njcpee32.exe Nqmhbpba.exe PID 4480 wrote to memory of 1276 4480 Njcpee32.exe Nqmhbpba.exe PID 1276 wrote to memory of 4116 1276 Nqmhbpba.exe Nqpego32.exe PID 1276 wrote to memory of 4116 1276 Nqmhbpba.exe Nqpego32.exe PID 1276 wrote to memory of 4116 1276 Nqmhbpba.exe Nqpego32.exe PID 4116 wrote to memory of 1404 4116 Nqpego32.exe Oboaabga.exe PID 4116 wrote to memory of 1404 4116 Nqpego32.exe Oboaabga.exe PID 4116 wrote to memory of 1404 4116 Nqpego32.exe Oboaabga.exe PID 1404 wrote to memory of 808 1404 Oboaabga.exe Occkojkm.exe PID 1404 wrote to memory of 808 1404 Oboaabga.exe Occkojkm.exe PID 1404 wrote to memory of 808 1404 Oboaabga.exe Occkojkm.exe PID 808 wrote to memory of 3212 808 Occkojkm.exe Ocegdjij.exe PID 808 wrote to memory of 3212 808 Occkojkm.exe Ocegdjij.exe PID 808 wrote to memory of 3212 808 Occkojkm.exe Ocegdjij.exe PID 3212 wrote to memory of 812 3212 Ocegdjij.exe Oqihnn32.exe PID 3212 wrote to memory of 812 3212 Ocegdjij.exe Oqihnn32.exe PID 3212 wrote to memory of 812 3212 Ocegdjij.exe Oqihnn32.exe PID 812 wrote to memory of 4712 812 Oqihnn32.exe Obidhaog.exe PID 812 wrote to memory of 4712 812 Oqihnn32.exe Obidhaog.exe PID 812 wrote to memory of 4712 812 Oqihnn32.exe Obidhaog.exe PID 4712 wrote to memory of 1416 4712 Obidhaog.exe Pgemphmn.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0f90055f8742415b5ae99f63da7b3e20_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\0f90055f8742415b5ae99f63da7b3e20_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Mpkbebbf.exeC:\Windows\system32\Mpkbebbf.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1536 -
C:\Windows\SysWOW64\Mjcgohig.exeC:\Windows\system32\Mjcgohig.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:996 -
C:\Windows\SysWOW64\Mgghhlhq.exeC:\Windows\system32\Mgghhlhq.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3448 -
C:\Windows\SysWOW64\Mnapdf32.exeC:\Windows\system32\Mnapdf32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4200 -
C:\Windows\SysWOW64\Mkepnjng.exeC:\Windows\system32\Mkepnjng.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3652 -
C:\Windows\SysWOW64\Maohkd32.exeC:\Windows\system32\Maohkd32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Mglack32.exeC:\Windows\system32\Mglack32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3432 -
C:\Windows\SysWOW64\Maaepd32.exeC:\Windows\system32\Maaepd32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028 -
C:\Windows\SysWOW64\Nkjjij32.exeC:\Windows\system32\Nkjjij32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Nceonl32.exeC:\Windows\system32\Nceonl32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Nklfoi32.exeC:\Windows\system32\Nklfoi32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3800 -
C:\Windows\SysWOW64\Nnjbke32.exeC:\Windows\system32\Nnjbke32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1380 -
C:\Windows\SysWOW64\Nnmopdep.exeC:\Windows\system32\Nnmopdep.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692 -
C:\Windows\SysWOW64\Njcpee32.exeC:\Windows\system32\Njcpee32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4480 -
C:\Windows\SysWOW64\Nqmhbpba.exeC:\Windows\system32\Nqmhbpba.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1276 -
C:\Windows\SysWOW64\Nqpego32.exeC:\Windows\system32\Nqpego32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4116 -
C:\Windows\SysWOW64\Oboaabga.exeC:\Windows\system32\Oboaabga.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\Windows\SysWOW64\Occkojkm.exeC:\Windows\system32\Occkojkm.exe19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:808 -
C:\Windows\SysWOW64\Ocegdjij.exeC:\Windows\system32\Ocegdjij.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3212 -
C:\Windows\SysWOW64\Oqihnn32.exeC:\Windows\system32\Oqihnn32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:812 -
C:\Windows\SysWOW64\Obidhaog.exeC:\Windows\system32\Obidhaog.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4712 -
C:\Windows\SysWOW64\Pgemphmn.exeC:\Windows\system32\Pgemphmn.exe23⤵
- Executes dropped EXE
PID:1416 -
C:\Windows\SysWOW64\Pqnaim32.exeC:\Windows\system32\Pqnaim32.exe24⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Pnbbbabh.exeC:\Windows\system32\Pnbbbabh.exe25⤵
- Executes dropped EXE
PID:3980 -
C:\Windows\SysWOW64\Pkfblfab.exeC:\Windows\system32\Pkfblfab.exe26⤵
- Executes dropped EXE
PID:3716 -
C:\Windows\SysWOW64\Pengdk32.exeC:\Windows\system32\Pengdk32.exe27⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Pnfkma32.exeC:\Windows\system32\Pnfkma32.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:2360 -
C:\Windows\SysWOW64\Pgopffec.exeC:\Windows\system32\Pgopffec.exe29⤵
- Executes dropped EXE
PID:5020 -
C:\Windows\SysWOW64\Qecppkdm.exeC:\Windows\system32\Qecppkdm.exe30⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Qbgqio32.exeC:\Windows\system32\Qbgqio32.exe31⤵
- Executes dropped EXE
PID:3812 -
C:\Windows\SysWOW64\Qnnanphk.exeC:\Windows\system32\Qnnanphk.exe32⤵
- Executes dropped EXE
PID:4160 -
C:\Windows\SysWOW64\Agffge32.exeC:\Windows\system32\Agffge32.exe33⤵
- Executes dropped EXE
PID:4208 -
C:\Windows\SysWOW64\Aanjpk32.exeC:\Windows\system32\Aanjpk32.exe34⤵
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Aldomc32.exeC:\Windows\system32\Aldomc32.exe35⤵
- Executes dropped EXE
PID:4796 -
C:\Windows\SysWOW64\Abngjnmo.exeC:\Windows\system32\Abngjnmo.exe36⤵
- Executes dropped EXE
PID:4868 -
C:\Windows\SysWOW64\Alfkbc32.exeC:\Windows\system32\Alfkbc32.exe37⤵
- Executes dropped EXE
PID:1836 -
C:\Windows\SysWOW64\Abpcon32.exeC:\Windows\system32\Abpcon32.exe38⤵
- Executes dropped EXE
PID:4520 -
C:\Windows\SysWOW64\Ahmlgd32.exeC:\Windows\system32\Ahmlgd32.exe39⤵
- Executes dropped EXE
PID:1112 -
C:\Windows\SysWOW64\Abbpem32.exeC:\Windows\system32\Abbpem32.exe40⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Adcmmeog.exeC:\Windows\system32\Adcmmeog.exe41⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Ajneip32.exeC:\Windows\system32\Ajneip32.exe42⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Bahmfj32.exeC:\Windows\system32\Bahmfj32.exe43⤵
- Executes dropped EXE
PID:3292 -
C:\Windows\SysWOW64\Bhaebcen.exeC:\Windows\system32\Bhaebcen.exe44⤵
- Executes dropped EXE
PID:3208 -
C:\Windows\SysWOW64\Bbgipldd.exeC:\Windows\system32\Bbgipldd.exe45⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Beeflhdh.exeC:\Windows\system32\Beeflhdh.exe46⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Bdhfhe32.exeC:\Windows\system32\Bdhfhe32.exe47⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Bhdbhcck.exeC:\Windows\system32\Bhdbhcck.exe48⤵
- Executes dropped EXE
PID:4804 -
C:\Windows\SysWOW64\Behbag32.exeC:\Windows\system32\Behbag32.exe49⤵
- Executes dropped EXE
PID:3736 -
C:\Windows\SysWOW64\Blbknaib.exeC:\Windows\system32\Blbknaib.exe50⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Bopgjmhe.exeC:\Windows\system32\Bopgjmhe.exe51⤵
- Executes dropped EXE
PID:4812 -
C:\Windows\SysWOW64\Baocghgi.exeC:\Windows\system32\Baocghgi.exe52⤵
- Executes dropped EXE
PID:5056 -
C:\Windows\SysWOW64\Bdmpcdfm.exeC:\Windows\system32\Bdmpcdfm.exe53⤵
- Executes dropped EXE
PID:1212 -
C:\Windows\SysWOW64\Bobcpmfc.exeC:\Windows\system32\Bobcpmfc.exe54⤵
- Executes dropped EXE
PID:3780 -
C:\Windows\SysWOW64\Bemlmgnp.exeC:\Windows\system32\Bemlmgnp.exe55⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Blfdia32.exeC:\Windows\system32\Blfdia32.exe56⤵
- Executes dropped EXE
PID:3552 -
C:\Windows\SysWOW64\Boepel32.exeC:\Windows\system32\Boepel32.exe57⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Cacmah32.exeC:\Windows\system32\Cacmah32.exe58⤵
- Executes dropped EXE
PID:684 -
C:\Windows\SysWOW64\Cliaoq32.exeC:\Windows\system32\Cliaoq32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:1852 -
C:\Windows\SysWOW64\Ceaehfjj.exeC:\Windows\system32\Ceaehfjj.exe60⤵
- Executes dropped EXE
PID:4500 -
C:\Windows\SysWOW64\Clkndpag.exeC:\Windows\system32\Clkndpag.exe61⤵
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Cahfmgoo.exeC:\Windows\system32\Cahfmgoo.exe62⤵
- Executes dropped EXE
PID:772 -
C:\Windows\SysWOW64\Clnjjpod.exeC:\Windows\system32\Clnjjpod.exe63⤵
- Executes dropped EXE
PID:4916 -
C:\Windows\SysWOW64\Cbgbgj32.exeC:\Windows\system32\Cbgbgj32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1652 -
C:\Windows\SysWOW64\Cdiooblp.exeC:\Windows\system32\Cdiooblp.exe65⤵
- Executes dropped EXE
PID:3308 -
C:\Windows\SysWOW64\Cbjoljdo.exeC:\Windows\system32\Cbjoljdo.exe66⤵PID:1408
-
C:\Windows\SysWOW64\Clbceo32.exeC:\Windows\system32\Clbceo32.exe67⤵PID:1460
-
C:\Windows\SysWOW64\Doqpak32.exeC:\Windows\system32\Doqpak32.exe68⤵PID:3544
-
C:\Windows\SysWOW64\Dbllbibl.exeC:\Windows\system32\Dbllbibl.exe69⤵PID:1216
-
C:\Windows\SysWOW64\Daolnf32.exeC:\Windows\system32\Daolnf32.exe70⤵PID:4980
-
C:\Windows\SysWOW64\Ddmhja32.exeC:\Windows\system32\Ddmhja32.exe71⤵PID:2116
-
C:\Windows\SysWOW64\Dhidjpqc.exeC:\Windows\system32\Dhidjpqc.exe72⤵PID:4280
-
C:\Windows\SysWOW64\Dkgqfl32.exeC:\Windows\system32\Dkgqfl32.exe73⤵PID:2084
-
C:\Windows\SysWOW64\Docmgjhp.exeC:\Windows\system32\Docmgjhp.exe74⤵PID:3480
-
C:\Windows\SysWOW64\Daaicfgd.exeC:\Windows\system32\Daaicfgd.exe75⤵PID:3896
-
C:\Windows\SysWOW64\Demecd32.exeC:\Windows\system32\Demecd32.exe76⤵PID:2452
-
C:\Windows\SysWOW64\Ddpeoafg.exeC:\Windows\system32\Ddpeoafg.exe77⤵PID:1608
-
C:\Windows\SysWOW64\Dhkapp32.exeC:\Windows\system32\Dhkapp32.exe78⤵PID:2220
-
C:\Windows\SysWOW64\Dkjmlk32.exeC:\Windows\system32\Dkjmlk32.exe79⤵PID:4040
-
C:\Windows\SysWOW64\Dadeieea.exeC:\Windows\system32\Dadeieea.exe80⤵
- Drops file in System32 directory
PID:2944 -
C:\Windows\SysWOW64\Dlijfneg.exeC:\Windows\system32\Dlijfneg.exe81⤵PID:2880
-
C:\Windows\SysWOW64\Dohfbj32.exeC:\Windows\system32\Dohfbj32.exe82⤵PID:1940
-
C:\Windows\SysWOW64\Deanodkh.exeC:\Windows\system32\Deanodkh.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3956 -
C:\Windows\SysWOW64\Dhpjkojk.exeC:\Windows\system32\Dhpjkojk.exe84⤵PID:3840
-
C:\Windows\SysWOW64\Dedkdcie.exeC:\Windows\system32\Dedkdcie.exe85⤵PID:4492
-
C:\Windows\SysWOW64\Edihepnm.exeC:\Windows\system32\Edihepnm.exe86⤵PID:3504
-
C:\Windows\SysWOW64\Ecjhcg32.exeC:\Windows\system32\Ecjhcg32.exe87⤵PID:4384
-
C:\Windows\SysWOW64\Eeidoc32.exeC:\Windows\system32\Eeidoc32.exe88⤵PID:4324
-
C:\Windows\SysWOW64\Ehgqln32.exeC:\Windows\system32\Ehgqln32.exe89⤵PID:2920
-
C:\Windows\SysWOW64\Elbmlmml.exeC:\Windows\system32\Elbmlmml.exe90⤵PID:1548
-
C:\Windows\SysWOW64\Ekemhj32.exeC:\Windows\system32\Ekemhj32.exe91⤵PID:4036
-
C:\Windows\SysWOW64\Eoaihhlp.exeC:\Windows\system32\Eoaihhlp.exe92⤵PID:2736
-
C:\Windows\SysWOW64\Ecmeig32.exeC:\Windows\system32\Ecmeig32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5084 -
C:\Windows\SysWOW64\Eapedd32.exeC:\Windows\system32\Eapedd32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4276 -
C:\Windows\SysWOW64\Ednaqo32.exeC:\Windows\system32\Ednaqo32.exe95⤵PID:1568
-
C:\Windows\SysWOW64\Ehimanbq.exeC:\Windows\system32\Ehimanbq.exe96⤵
- Drops file in System32 directory
PID:4760 -
C:\Windows\SysWOW64\Eleiam32.exeC:\Windows\system32\Eleiam32.exe97⤵PID:5016
-
C:\Windows\SysWOW64\Ekhjmiad.exeC:\Windows\system32\Ekhjmiad.exe98⤵PID:4700
-
C:\Windows\SysWOW64\Ecoangbg.exeC:\Windows\system32\Ecoangbg.exe99⤵PID:2272
-
C:\Windows\SysWOW64\Eemnjbaj.exeC:\Windows\system32\Eemnjbaj.exe100⤵PID:1152
-
C:\Windows\SysWOW64\Edpnfo32.exeC:\Windows\system32\Edpnfo32.exe101⤵PID:1728
-
C:\Windows\SysWOW64\Ekjfcipa.exeC:\Windows\system32\Ekjfcipa.exe102⤵PID:1584
-
C:\Windows\SysWOW64\Eadopc32.exeC:\Windows\system32\Eadopc32.exe103⤵PID:1552
-
C:\Windows\SysWOW64\Fohoigfh.exeC:\Windows\system32\Fohoigfh.exe104⤵PID:2300
-
C:\Windows\SysWOW64\Febgea32.exeC:\Windows\system32\Febgea32.exe105⤵PID:4564
-
C:\Windows\SysWOW64\Fkopnh32.exeC:\Windows\system32\Fkopnh32.exe106⤵PID:2068
-
C:\Windows\SysWOW64\Faihkbci.exeC:\Windows\system32\Faihkbci.exe107⤵PID:3844
-
C:\Windows\SysWOW64\Ffddka32.exeC:\Windows\system32\Ffddka32.exe108⤵PID:2864
-
C:\Windows\SysWOW64\Flnlhk32.exeC:\Windows\system32\Flnlhk32.exe109⤵PID:3612
-
C:\Windows\SysWOW64\Fomhdg32.exeC:\Windows\system32\Fomhdg32.exe110⤵PID:3704
-
C:\Windows\SysWOW64\Fakdpb32.exeC:\Windows\system32\Fakdpb32.exe111⤵PID:1544
-
C:\Windows\SysWOW64\Fhemmlhc.exeC:\Windows\system32\Fhemmlhc.exe112⤵PID:3256
-
C:\Windows\SysWOW64\Fkciihgg.exeC:\Windows\system32\Fkciihgg.exe113⤵PID:2292
-
C:\Windows\SysWOW64\Fhgjblfq.exeC:\Windows\system32\Fhgjblfq.exe114⤵PID:2392
-
C:\Windows\SysWOW64\Foabofnn.exeC:\Windows\system32\Foabofnn.exe115⤵PID:5148
-
C:\Windows\SysWOW64\Ffkjlp32.exeC:\Windows\system32\Ffkjlp32.exe116⤵PID:5192
-
C:\Windows\SysWOW64\Gcojed32.exeC:\Windows\system32\Gcojed32.exe117⤵PID:5236
-
C:\Windows\SysWOW64\Glhonj32.exeC:\Windows\system32\Glhonj32.exe118⤵PID:5284
-
C:\Windows\SysWOW64\Gofkje32.exeC:\Windows\system32\Gofkje32.exe119⤵
- Drops file in System32 directory
PID:5328 -
C:\Windows\SysWOW64\Gmjlcj32.exeC:\Windows\system32\Gmjlcj32.exe120⤵PID:5372
-
C:\Windows\SysWOW64\Gohhpe32.exeC:\Windows\system32\Gohhpe32.exe121⤵PID:5416
-
C:\Windows\SysWOW64\Gbgdlq32.exeC:\Windows\system32\Gbgdlq32.exe122⤵PID:5452
-
C:\Windows\SysWOW64\Gdeqhl32.exeC:\Windows\system32\Gdeqhl32.exe123⤵PID:5504
-
C:\Windows\SysWOW64\Gkoiefmj.exeC:\Windows\system32\Gkoiefmj.exe124⤵PID:5548
-
C:\Windows\SysWOW64\Gcfqfc32.exeC:\Windows\system32\Gcfqfc32.exe125⤵PID:5592
-
C:\Windows\SysWOW64\Gdhmnlcj.exeC:\Windows\system32\Gdhmnlcj.exe126⤵PID:5636
-
C:\Windows\SysWOW64\Gmoeoidl.exeC:\Windows\system32\Gmoeoidl.exe127⤵PID:5680
-
C:\Windows\SysWOW64\Gcimkc32.exeC:\Windows\system32\Gcimkc32.exe128⤵PID:5724
-
C:\Windows\SysWOW64\Gdjjckag.exeC:\Windows\system32\Gdjjckag.exe129⤵PID:5768
-
C:\Windows\SysWOW64\Hkdbpe32.exeC:\Windows\system32\Hkdbpe32.exe130⤵PID:5812
-
C:\Windows\SysWOW64\Hckjacjg.exeC:\Windows\system32\Hckjacjg.exe131⤵PID:5856
-
C:\Windows\SysWOW64\Hbnjmp32.exeC:\Windows\system32\Hbnjmp32.exe132⤵PID:5896
-
C:\Windows\SysWOW64\Helfik32.exeC:\Windows\system32\Helfik32.exe133⤵PID:5940
-
C:\Windows\SysWOW64\Hmcojh32.exeC:\Windows\system32\Hmcojh32.exe134⤵PID:5984
-
C:\Windows\SysWOW64\Hcmgfbhd.exeC:\Windows\system32\Hcmgfbhd.exe135⤵PID:6032
-
C:\Windows\SysWOW64\Heocnk32.exeC:\Windows\system32\Heocnk32.exe136⤵PID:6072
-
C:\Windows\SysWOW64\Hmfkoh32.exeC:\Windows\system32\Hmfkoh32.exe137⤵PID:6120
-
C:\Windows\SysWOW64\Hcpclbfa.exeC:\Windows\system32\Hcpclbfa.exe138⤵PID:5144
-
C:\Windows\SysWOW64\Himldi32.exeC:\Windows\system32\Himldi32.exe139⤵PID:5220
-
C:\Windows\SysWOW64\Hkkhqd32.exeC:\Windows\system32\Hkkhqd32.exe140⤵PID:5276
-
C:\Windows\SysWOW64\Hcbpab32.exeC:\Windows\system32\Hcbpab32.exe141⤵
- Modifies registry class
PID:5344 -
C:\Windows\SysWOW64\Hioiji32.exeC:\Windows\system32\Hioiji32.exe142⤵
- Modifies registry class
PID:5408 -
C:\Windows\SysWOW64\Hkmefd32.exeC:\Windows\system32\Hkmefd32.exe143⤵PID:5480
-
C:\Windows\SysWOW64\Hbgmcnhf.exeC:\Windows\system32\Hbgmcnhf.exe144⤵PID:5532
-
C:\Windows\SysWOW64\Iiaephpc.exeC:\Windows\system32\Iiaephpc.exe145⤵PID:5624
-
C:\Windows\SysWOW64\Ikpaldog.exeC:\Windows\system32\Ikpaldog.exe146⤵PID:5676
-
C:\Windows\SysWOW64\Ibjjhn32.exeC:\Windows\system32\Ibjjhn32.exe147⤵PID:5752
-
C:\Windows\SysWOW64\Iicbehnq.exeC:\Windows\system32\Iicbehnq.exe148⤵PID:5820
-
C:\Windows\SysWOW64\Ipnjab32.exeC:\Windows\system32\Ipnjab32.exe149⤵PID:5880
-
C:\Windows\SysWOW64\Iblfnn32.exeC:\Windows\system32\Iblfnn32.exe150⤵PID:5948
-
C:\Windows\SysWOW64\Iejcji32.exeC:\Windows\system32\Iejcji32.exe151⤵PID:6020
-
C:\Windows\SysWOW64\Ippggbck.exeC:\Windows\system32\Ippggbck.exe152⤵PID:6100
-
C:\Windows\SysWOW64\Ibnccmbo.exeC:\Windows\system32\Ibnccmbo.exe153⤵PID:5140
-
C:\Windows\SysWOW64\Iihkpg32.exeC:\Windows\system32\Iihkpg32.exe154⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:752 -
C:\Windows\SysWOW64\Ipbdmaah.exeC:\Windows\system32\Ipbdmaah.exe155⤵PID:5356
-
C:\Windows\SysWOW64\Ifllil32.exeC:\Windows\system32\Ifllil32.exe156⤵PID:5448
-
C:\Windows\SysWOW64\Imfdff32.exeC:\Windows\system32\Imfdff32.exe157⤵
- Drops file in System32 directory
PID:5560 -
C:\Windows\SysWOW64\Ipdqba32.exeC:\Windows\system32\Ipdqba32.exe158⤵PID:5664
-
C:\Windows\SysWOW64\Jeaikh32.exeC:\Windows\system32\Jeaikh32.exe159⤵PID:5760
-
C:\Windows\SysWOW64\Jlkagbej.exeC:\Windows\system32\Jlkagbej.exe160⤵PID:5872
-
C:\Windows\SysWOW64\Jcbihpel.exeC:\Windows\system32\Jcbihpel.exe161⤵PID:5972
-
C:\Windows\SysWOW64\Jfaedkdp.exeC:\Windows\system32\Jfaedkdp.exe162⤵PID:6096
-
C:\Windows\SysWOW64\Jmknaell.exeC:\Windows\system32\Jmknaell.exe163⤵PID:5200
-
C:\Windows\SysWOW64\Jcefno32.exeC:\Windows\system32\Jcefno32.exe164⤵PID:5316
-
C:\Windows\SysWOW64\Jfcbjk32.exeC:\Windows\system32\Jfcbjk32.exe165⤵PID:5544
-
C:\Windows\SysWOW64\Jmmjgejj.exeC:\Windows\system32\Jmmjgejj.exe166⤵PID:5672
-
C:\Windows\SysWOW64\Jplfcpin.exeC:\Windows\system32\Jplfcpin.exe167⤵PID:5836
-
C:\Windows\SysWOW64\Jfeopj32.exeC:\Windows\system32\Jfeopj32.exe168⤵PID:6040
-
C:\Windows\SysWOW64\Jmpgldhg.exeC:\Windows\system32\Jmpgldhg.exe169⤵PID:5188
-
C:\Windows\SysWOW64\Jcioiood.exeC:\Windows\system32\Jcioiood.exe170⤵PID:5476
-
C:\Windows\SysWOW64\Jeklag32.exeC:\Windows\system32\Jeklag32.exe171⤵PID:5764
-
C:\Windows\SysWOW64\Jmbdbd32.exeC:\Windows\system32\Jmbdbd32.exe172⤵PID:6024
-
C:\Windows\SysWOW64\Jpppnp32.exeC:\Windows\system32\Jpppnp32.exe173⤵PID:5396
-
C:\Windows\SysWOW64\Kfjhkjle.exeC:\Windows\system32\Kfjhkjle.exe174⤵PID:5808
-
C:\Windows\SysWOW64\Kiidgeki.exeC:\Windows\system32\Kiidgeki.exe175⤵PID:5320
-
C:\Windows\SysWOW64\Klgqcqkl.exeC:\Windows\system32\Klgqcqkl.exe176⤵PID:6084
-
C:\Windows\SysWOW64\Kbaipkbi.exeC:\Windows\system32\Kbaipkbi.exe177⤵PID:5744
-
C:\Windows\SysWOW64\Kepelfam.exeC:\Windows\system32\Kepelfam.exe178⤵PID:5124
-
C:\Windows\SysWOW64\Klimip32.exeC:\Windows\system32\Klimip32.exe179⤵PID:6172
-
C:\Windows\SysWOW64\Kdqejn32.exeC:\Windows\system32\Kdqejn32.exe180⤵PID:6216
-
C:\Windows\SysWOW64\Kebbafoj.exeC:\Windows\system32\Kebbafoj.exe181⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6260 -
C:\Windows\SysWOW64\Klljnp32.exeC:\Windows\system32\Klljnp32.exe182⤵PID:6304
-
C:\Windows\SysWOW64\Kdcbom32.exeC:\Windows\system32\Kdcbom32.exe183⤵PID:6348
-
C:\Windows\SysWOW64\Kfankifm.exeC:\Windows\system32\Kfankifm.exe184⤵PID:6392
-
C:\Windows\SysWOW64\Kipkhdeq.exeC:\Windows\system32\Kipkhdeq.exe185⤵
- Drops file in System32 directory
PID:6436 -
C:\Windows\SysWOW64\Kpjcdn32.exeC:\Windows\system32\Kpjcdn32.exe186⤵PID:6480
-
C:\Windows\SysWOW64\Kefkme32.exeC:\Windows\system32\Kefkme32.exe187⤵PID:6524
-
C:\Windows\SysWOW64\Klqcioba.exeC:\Windows\system32\Klqcioba.exe188⤵
- Modifies registry class
PID:6568 -
C:\Windows\SysWOW64\Kdgljmcd.exeC:\Windows\system32\Kdgljmcd.exe189⤵PID:6612
-
C:\Windows\SysWOW64\Lffhfh32.exeC:\Windows\system32\Lffhfh32.exe190⤵PID:6656
-
C:\Windows\SysWOW64\Liddbc32.exeC:\Windows\system32\Liddbc32.exe191⤵PID:6704
-
C:\Windows\SysWOW64\Llcpoo32.exeC:\Windows\system32\Llcpoo32.exe192⤵PID:6748
-
C:\Windows\SysWOW64\Lbmhlihl.exeC:\Windows\system32\Lbmhlihl.exe193⤵PID:6792
-
C:\Windows\SysWOW64\Lekehdgp.exeC:\Windows\system32\Lekehdgp.exe194⤵
- Drops file in System32 directory
PID:6832 -
C:\Windows\SysWOW64\Lmbmibhb.exeC:\Windows\system32\Lmbmibhb.exe195⤵PID:6884
-
C:\Windows\SysWOW64\Lpqiemge.exeC:\Windows\system32\Lpqiemge.exe196⤵PID:6928
-
C:\Windows\SysWOW64\Lenamdem.exeC:\Windows\system32\Lenamdem.exe197⤵PID:6976
-
C:\Windows\SysWOW64\Lmdina32.exeC:\Windows\system32\Lmdina32.exe198⤵PID:7020
-
C:\Windows\SysWOW64\Lbabgh32.exeC:\Windows\system32\Lbabgh32.exe199⤵PID:7064
-
C:\Windows\SysWOW64\Lgmngglp.exeC:\Windows\system32\Lgmngglp.exe200⤵PID:7108
-
C:\Windows\SysWOW64\Lmgfda32.exeC:\Windows\system32\Lmgfda32.exe201⤵PID:7152
-
C:\Windows\SysWOW64\Ldanqkki.exeC:\Windows\system32\Ldanqkki.exe202⤵
- Drops file in System32 directory
PID:6192 -
C:\Windows\SysWOW64\Lgokmgjm.exeC:\Windows\system32\Lgokmgjm.exe203⤵PID:6248
-
C:\Windows\SysWOW64\Lingibiq.exeC:\Windows\system32\Lingibiq.exe204⤵PID:6324
-
C:\Windows\SysWOW64\Lphoelqn.exeC:\Windows\system32\Lphoelqn.exe205⤵PID:6384
-
C:\Windows\SysWOW64\Mbfkbhpa.exeC:\Windows\system32\Mbfkbhpa.exe206⤵PID:6452
-
C:\Windows\SysWOW64\Mgagbf32.exeC:\Windows\system32\Mgagbf32.exe207⤵PID:6520
-
C:\Windows\SysWOW64\Mipcob32.exeC:\Windows\system32\Mipcob32.exe208⤵PID:6592
-
C:\Windows\SysWOW64\Mdehlk32.exeC:\Windows\system32\Mdehlk32.exe209⤵PID:6652
-
C:\Windows\SysWOW64\Mgddhf32.exeC:\Windows\system32\Mgddhf32.exe210⤵PID:6736
-
C:\Windows\SysWOW64\Mmnldp32.exeC:\Windows\system32\Mmnldp32.exe211⤵PID:6800
-
C:\Windows\SysWOW64\Mdhdajea.exeC:\Windows\system32\Mdhdajea.exe212⤵
- Drops file in System32 directory
PID:6872 -
C:\Windows\SysWOW64\Meiaib32.exeC:\Windows\system32\Meiaib32.exe213⤵PID:6940
-
C:\Windows\SysWOW64\Mlcifmbl.exeC:\Windows\system32\Mlcifmbl.exe214⤵PID:7004
-
C:\Windows\SysWOW64\Mcmabg32.exeC:\Windows\system32\Mcmabg32.exe215⤵PID:7084
-
C:\Windows\SysWOW64\Melnob32.exeC:\Windows\system32\Melnob32.exe216⤵
- Modifies registry class
PID:7160 -
C:\Windows\SysWOW64\Mlefklpj.exeC:\Windows\system32\Mlefklpj.exe217⤵PID:6232
-
C:\Windows\SysWOW64\Mcpnhfhf.exeC:\Windows\system32\Mcpnhfhf.exe218⤵
- Drops file in System32 directory
PID:6340 -
C:\Windows\SysWOW64\Miifeq32.exeC:\Windows\system32\Miifeq32.exe219⤵PID:6424
-
C:\Windows\SysWOW64\Ndokbi32.exeC:\Windows\system32\Ndokbi32.exe220⤵PID:6544
-
C:\Windows\SysWOW64\Nilcjp32.exeC:\Windows\system32\Nilcjp32.exe221⤵PID:6676
-
C:\Windows\SysWOW64\Nngokoej.exeC:\Windows\system32\Nngokoej.exe222⤵PID:6776
-
C:\Windows\SysWOW64\Ndaggimg.exeC:\Windows\system32\Ndaggimg.exe223⤵PID:6876
-
C:\Windows\SysWOW64\Ncdgcf32.exeC:\Windows\system32\Ncdgcf32.exe224⤵PID:6916
-
C:\Windows\SysWOW64\Nebdoa32.exeC:\Windows\system32\Nebdoa32.exe225⤵PID:7116
-
C:\Windows\SysWOW64\Nnjlpo32.exeC:\Windows\system32\Nnjlpo32.exe226⤵PID:6168
-
C:\Windows\SysWOW64\Nlmllkja.exeC:\Windows\system32\Nlmllkja.exe227⤵PID:6376
-
C:\Windows\SysWOW64\Ndcdmikd.exeC:\Windows\system32\Ndcdmikd.exe228⤵PID:6504
-
C:\Windows\SysWOW64\Ngbpidjh.exeC:\Windows\system32\Ngbpidjh.exe229⤵PID:6744
-
C:\Windows\SysWOW64\Npjebj32.exeC:\Windows\system32\Npjebj32.exe230⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6936 -
C:\Windows\SysWOW64\Nfgmjqop.exeC:\Windows\system32\Nfgmjqop.exe231⤵
- Drops file in System32 directory
PID:7100 -
C:\Windows\SysWOW64\Nnneknob.exeC:\Windows\system32\Nnneknob.exe232⤵PID:6864
-
C:\Windows\SysWOW64\Npmagine.exeC:\Windows\system32\Npmagine.exe233⤵PID:6768
-
C:\Windows\SysWOW64\Nckndeni.exeC:\Windows\system32\Nckndeni.exe234⤵PID:7080
-
C:\Windows\SysWOW64\Nfjjppmm.exeC:\Windows\system32\Nfjjppmm.exe235⤵PID:6648
-
C:\Windows\SysWOW64\Ocnjidkf.exeC:\Windows\system32\Ocnjidkf.exe236⤵PID:5956
-
C:\Windows\SysWOW64\Odmgcgbi.exeC:\Windows\system32\Odmgcgbi.exe237⤵PID:6960
-
C:\Windows\SysWOW64\Ojjolnaq.exeC:\Windows\system32\Ojjolnaq.exe238⤵PID:7092
-
C:\Windows\SysWOW64\Olhlhjpd.exeC:\Windows\system32\Olhlhjpd.exe239⤵PID:7216
-
C:\Windows\SysWOW64\Ognpebpj.exeC:\Windows\system32\Ognpebpj.exe240⤵PID:7260
-
C:\Windows\SysWOW64\Ojllan32.exeC:\Windows\system32\Ojllan32.exe241⤵PID:7304
-
C:\Windows\SysWOW64\Oqfdnhfk.exeC:\Windows\system32\Oqfdnhfk.exe242⤵PID:7348