Analysis
-
max time kernel
92s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
31-05-2024 02:25
Behavioral task
behavioral1
Sample
735c9a299b07d6e41236317e48c153a0_NeikiAnalytics.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
735c9a299b07d6e41236317e48c153a0_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
-
Target
735c9a299b07d6e41236317e48c153a0_NeikiAnalytics.exe
-
Size
1024KB
-
MD5
735c9a299b07d6e41236317e48c153a0
-
SHA1
a167f7b3149f788197e9709449f466c3c328743c
-
SHA256
1647e08b28ed77b18038fe6089831ee78b5bbaa859eff5554c543599c07cbe62
-
SHA512
6d900ebba98a350bf5ba78fd2bac4f5cbe05e65bc912cbfdaab10bddd5d1b418c8b1f7fbab5da09eed475d895315b0945d2859436da3ee9a323c9cc15e74f7de
-
SSDEEP
24576:EtaSHFaZRBEYyqmaf2qwiHPKgRC4gvGZl6snARe:6aSHFaZRBEYyqmS2DiHPKQgmN
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Gfnnlffc.exeJnkldqkc.exeEdpgli32.exeEmbkoi32.exeIpldfi32.exeDeoaid32.exeGhhhcomg.exeMhafeb32.exeAlbpkc32.exePjmlbbdg.exeNnlhfn32.exeInainbcn.exeFipkjb32.exeIjegcm32.exeCenahpha.exeLaciofpa.exeHnoklk32.exeCflkpblf.exeIddljmpc.exeDjcoai32.exeLekmnajj.exePjhlml32.exeAcpbbi32.exeFmfnpa32.exeJfeopj32.exeAjkaii32.exeAhjgjj32.exeDkfadkgf.exeHcmgfbhd.exeBnmcjg32.exeDaekdooc.exeQjlnnemp.exeDfoiaj32.exeFjohde32.exePhodcg32.exeBlqllqqa.exeJkomneim.exeMngegmbc.exeMnnkgl32.exeMhbmphjm.exePhelcc32.exePekbga32.exedescription ioc process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfnnlffc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnkldqkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edpgli32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Embkoi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipldfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Deoaid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghhhcomg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhafeb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Albpkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjmlbbdg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnlhfn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inainbcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fipkjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijegcm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cenahpha.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Laciofpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnoklk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cflkpblf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iddljmpc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djcoai32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lekmnajj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjhlml32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acpbbi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmfnpa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfeopj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajkaii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahjgjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkfadkgf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcmgfbhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnmcjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Daekdooc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qjlnnemp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfoiaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjohde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phodcg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blqllqqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkomneim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mngegmbc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnnkgl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhbmphjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phelcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pekbga32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Processes:
resource yara_rule C:\Windows\SysWOW64\Fobiilai.exe family_berbew C:\Windows\SysWOW64\Fodeolof.exe family_berbew C:\Windows\SysWOW64\Gfnnlffc.exe family_berbew C:\Windows\SysWOW64\Gmkbnp32.exe family_berbew C:\Windows\SysWOW64\Gcekkjcj.exe family_berbew C:\Windows\SysWOW64\Gmmocpjk.exe family_berbew C:\Windows\SysWOW64\Hclakimb.exe family_berbew C:\Windows\SysWOW64\Hihicplj.exe family_berbew C:\Windows\SysWOW64\Hfofbd32.exe family_berbew C:\Windows\SysWOW64\Hcedaheh.exe family_berbew C:\Windows\SysWOW64\Ipldfi32.exe family_berbew C:\Windows\SysWOW64\Iakaql32.exe family_berbew C:\Windows\SysWOW64\Ibmmhdhm.exe family_berbew C:\Windows\SysWOW64\Ipckgh32.exe family_berbew C:\Windows\SysWOW64\Ijhodq32.exe family_berbew C:\Windows\SysWOW64\Idacmfkj.exe family_berbew C:\Windows\SysWOW64\Jbfpobpb.exe family_berbew C:\Windows\SysWOW64\Jiphkm32.exe family_berbew C:\Windows\SysWOW64\Jaimbj32.exe family_berbew C:\Windows\SysWOW64\Jbkjjblm.exe family_berbew C:\Windows\SysWOW64\Jkdnpo32.exe family_berbew C:\Windows\SysWOW64\Kpccnefa.exe family_berbew C:\Windows\SysWOW64\Kgmlkp32.exe family_berbew C:\Windows\SysWOW64\Kpepcedo.exe family_berbew C:\Windows\SysWOW64\Kbdmpqcb.exe family_berbew C:\Windows\SysWOW64\Kkpnlm32.exe family_berbew C:\Windows\SysWOW64\Lalcng32.exe family_berbew C:\Windows\SysWOW64\Ldmlpbbj.exe family_berbew C:\Windows\SysWOW64\Lpcmec32.exe family_berbew C:\Windows\SysWOW64\Laciofpa.exe family_berbew C:\Windows\SysWOW64\Laefdf32.exe family_berbew C:\Windows\SysWOW64\Mahbje32.exe family_berbew C:\Windows\SysWOW64\Mpdelajl.exe family_berbew C:\Windows\SysWOW64\Nnjbke32.exe family_berbew C:\Windows\SysWOW64\Njacpf32.exe family_berbew C:\Windows\SysWOW64\Odpjcm32.exe family_berbew C:\Windows\SysWOW64\Okolkg32.exe family_berbew C:\Windows\SysWOW64\Pnpemb32.exe family_berbew C:\Windows\SysWOW64\Pcojkhap.exe family_berbew C:\Windows\SysWOW64\Pgmcqggf.exe family_berbew C:\Windows\SysWOW64\Pjmlbbdg.exe family_berbew C:\Windows\SysWOW64\Aelcfilb.exe family_berbew C:\Windows\SysWOW64\Abpcon32.exe family_berbew C:\Windows\SysWOW64\Aealah32.exe family_berbew C:\Windows\SysWOW64\Blmacb32.exe family_berbew C:\Windows\SysWOW64\Blbknaib.exe family_berbew C:\Windows\SysWOW64\Baaplhef.exe family_berbew C:\Windows\SysWOW64\Clkndpag.exe family_berbew C:\Windows\SysWOW64\Ckpjfm32.exe family_berbew C:\Windows\SysWOW64\Chdkoa32.exe family_berbew C:\Windows\SysWOW64\Clbceo32.exe family_berbew C:\Windows\SysWOW64\Dhkapp32.exe family_berbew C:\Windows\SysWOW64\Dlijfneg.exe family_berbew C:\Windows\SysWOW64\Dojcgi32.exe family_berbew C:\Windows\SysWOW64\Echknh32.exe family_berbew C:\Windows\SysWOW64\Elbmlmml.exe family_berbew C:\Windows\SysWOW64\Fcfhof32.exe family_berbew C:\Windows\SysWOW64\Fomhdg32.exe family_berbew C:\Windows\SysWOW64\Fhjfhl32.exe family_berbew C:\Windows\SysWOW64\Ghopckpi.exe family_berbew C:\Windows\SysWOW64\Gbiaapdf.exe family_berbew C:\Windows\SysWOW64\Hihbijhn.exe family_berbew C:\Windows\SysWOW64\Hflcbngh.exe family_berbew C:\Windows\SysWOW64\Hcbpab32.exe family_berbew -
Executes dropped EXE 64 IoCs
Processes:
Fobiilai.exeFodeolof.exeGfnnlffc.exeGmkbnp32.exeGcekkjcj.exeGmmocpjk.exeHclakimb.exeHihicplj.exeHfofbd32.exeHcedaheh.exeIpldfi32.exeIakaql32.exeIbmmhdhm.exeIpckgh32.exeIjhodq32.exeIdacmfkj.exeJbfpobpb.exeJiphkm32.exeJaimbj32.exeJbkjjblm.exeJkdnpo32.exeKpccnefa.exeKgmlkp32.exeKpepcedo.exeKbdmpqcb.exeKkpnlm32.exeLalcng32.exeLdmlpbbj.exeLpcmec32.exeLaciofpa.exeLaefdf32.exeMahbje32.exeMkbchk32.exeMamleegg.exeMkepnjng.exeMpaifalo.exeMkgmcjld.exeMpdelajl.exeNacbfdao.exeNklfoi32.exeNnjbke32.exeNcgkcl32.exeNjacpf32.exeNnolfdcn.exeNdidbn32.exeNjfmke32.exeNdkahnhh.exeOgjmdigk.exeOndeac32.exeOdnnnnfe.exeOnfbfc32.exeOdpjcm32.exeOnholckc.exeOkloegjl.exeObfhba32.exeOkolkg32.exeOdgqdlnj.exePgemphmn.exePnpemb32.exePclneicb.exePnbbbabh.exePcojkhap.exePndohaqe.exePgmcqggf.exepid process 3624 Fobiilai.exe 4920 Fodeolof.exe 4120 Gfnnlffc.exe 716 Gmkbnp32.exe 1508 Gcekkjcj.exe 4744 Gmmocpjk.exe 1120 Hclakimb.exe 4464 Hihicplj.exe 808 Hfofbd32.exe 3392 Hcedaheh.exe 4876 Ipldfi32.exe 4016 Iakaql32.exe 1016 Ibmmhdhm.exe 3472 Ipckgh32.exe 2768 Ijhodq32.exe 404 Idacmfkj.exe 1700 Jbfpobpb.exe 4732 Jiphkm32.exe 3584 Jaimbj32.exe 4852 Jbkjjblm.exe 1524 Jkdnpo32.exe 3372 Kpccnefa.exe 2832 Kgmlkp32.exe 4040 Kpepcedo.exe 2992 Kbdmpqcb.exe 2556 Kkpnlm32.exe 4980 Lalcng32.exe 4616 Ldmlpbbj.exe 1180 Lpcmec32.exe 4380 Laciofpa.exe 1776 Laefdf32.exe 2936 Mahbje32.exe 1644 Mkbchk32.exe 400 Mamleegg.exe 3916 Mkepnjng.exe 4736 Mpaifalo.exe 1748 Mkgmcjld.exe 2344 Mpdelajl.exe 1724 Nacbfdao.exe 4908 Nklfoi32.exe 3620 Nnjbke32.exe 4824 Ncgkcl32.exe 2372 Njacpf32.exe 3440 Nnolfdcn.exe 4608 Ndidbn32.exe 4136 Njfmke32.exe 1516 Ndkahnhh.exe 1136 Ogjmdigk.exe 4440 Ondeac32.exe 3528 Odnnnnfe.exe 3960 Onfbfc32.exe 5096 Odpjcm32.exe 3084 Onholckc.exe 1920 Okloegjl.exe 4188 Obfhba32.exe 2816 Okolkg32.exe 3260 Odgqdlnj.exe 712 Pgemphmn.exe 2168 Pnpemb32.exe 1488 Pclneicb.exe 1932 Pnbbbabh.exe 4880 Pcojkhap.exe 4252 Pndohaqe.exe 4460 Pgmcqggf.exe -
Drops file in System32 directory 64 IoCs
Processes:
Emmkiclm.exeCkjbhmad.exeOkolkg32.exeMpoefk32.exeFpmggb32.exePeieba32.exeNhbfff32.exeEpjajeqo.exeFllkqn32.exeMmnhcb32.exeNeoieenp.exeBfbaonae.exeKqfngd32.exeNmenca32.exeMlklkgei.exeFobiilai.exeGbdgfa32.exeLbjlfi32.exeLpnlpnih.exePjgebf32.exeLepncd32.exeOlcbmj32.exeDheibpje.exeDfnbgc32.exeIkpaldog.exeAgeolo32.exeNmigoagp.exeBnkgeg32.exePleaoa32.exeDjcoai32.exeDojcgi32.exeMhbmphjm.exeOileggkb.exeOohgdhfn.exeKbceejpf.exeLbnngbbn.exeBlqllqqa.exeAdgbpc32.exeKfcdfbqo.exeHdkidohn.exeIkpjbq32.exeLclpdncg.exeCmnpgb32.exeHfpecg32.exedescription ioc process File created C:\Windows\SysWOW64\Dnkpihfh.dll Emmkiclm.exe File opened for modification C:\Windows\SysWOW64\Cnindhpg.exe Ckjbhmad.exe File opened for modification C:\Windows\SysWOW64\Ncqlkemc.exe File created C:\Windows\SysWOW64\Camjdd32.dll Okolkg32.exe File opened for modification C:\Windows\SysWOW64\Mcmabg32.exe Mpoefk32.exe File created C:\Windows\SysWOW64\Omlokmha.dll Fpmggb32.exe File created C:\Windows\SysWOW64\Ijnmaj32.dll Peieba32.exe File created C:\Windows\SysWOW64\Jblpmmae.dll Nhbfff32.exe File opened for modification C:\Windows\SysWOW64\Ehailbaa.exe Epjajeqo.exe File created C:\Windows\SysWOW64\Ikfhji32.dll Fllkqn32.exe File created C:\Windows\SysWOW64\Chkolm32.dll Mmnhcb32.exe File created C:\Windows\SysWOW64\Akcoajfm.dll File created C:\Windows\SysWOW64\Ojehbail.dll File opened for modification C:\Windows\SysWOW64\Kiphjo32.exe File opened for modification C:\Windows\SysWOW64\Fkjfakng.exe File opened for modification C:\Windows\SysWOW64\Nhmeapmd.exe Neoieenp.exe File created C:\Windows\SysWOW64\Mlmgnn32.dll Bfbaonae.exe File opened for modification C:\Windows\SysWOW64\Lgqfdnah.exe Kqfngd32.exe File created C:\Windows\SysWOW64\Bgeemcfc.dll Nmenca32.exe File created C:\Windows\SysWOW64\Lqnlgjdd.dll Mlklkgei.exe File created C:\Windows\SysWOW64\Bdifpa32.dll File created C:\Windows\SysWOW64\Iondqhpl.exe File created C:\Windows\SysWOW64\Lcglnp32.dll Fobiilai.exe File created C:\Windows\SysWOW64\Fcneih32.dll Gbdgfa32.exe File created C:\Windows\SysWOW64\Ncmlocln.dll Lbjlfi32.exe File created C:\Windows\SysWOW64\Lbmhlihl.exe Lpnlpnih.exe File opened for modification C:\Windows\SysWOW64\Pleaoa32.exe Pjgebf32.exe File created C:\Windows\SysWOW64\Binlfp32.dll File created C:\Windows\SysWOW64\Jbofpe32.dll File created C:\Windows\SysWOW64\Baegibae.exe File created C:\Windows\SysWOW64\Kiikpnmj.exe File opened for modification C:\Windows\SysWOW64\Dmjmekgn.exe File created C:\Windows\SysWOW64\Gddgpqbe.exe File created C:\Windows\SysWOW64\Jjhijoaa.dll Lepncd32.exe File created C:\Windows\SysWOW64\Ojgbfocc.exe Olcbmj32.exe File created C:\Windows\SysWOW64\Mhcmcm32.dll Dheibpje.exe File created C:\Windows\SysWOW64\Eiloco32.exe Dfnbgc32.exe File created C:\Windows\SysWOW64\Clmmco32.dll File created C:\Windows\SysWOW64\Enopghee.exe File created C:\Windows\SysWOW64\Ibjjhn32.exe Ikpaldog.exe File created C:\Windows\SysWOW64\Anogiicl.exe Ageolo32.exe File created C:\Windows\SysWOW64\Nccokk32.exe Nmigoagp.exe File opened for modification C:\Windows\SysWOW64\Hehdfdek.exe File opened for modification C:\Windows\SysWOW64\Bgcknmop.exe Bnkgeg32.exe File opened for modification C:\Windows\SysWOW64\Podmkm32.exe Pleaoa32.exe File created C:\Windows\SysWOW64\Jekqmhia.exe File created C:\Windows\SysWOW64\Dhbmpk32.dll Djcoai32.exe File created C:\Windows\SysWOW64\Neiigifj.dll Dojcgi32.exe File created C:\Windows\SysWOW64\Knodgg32.dll Mhbmphjm.exe File created C:\Windows\SysWOW64\Odblin32.dll Oileggkb.exe File opened for modification C:\Windows\SysWOW64\Oeaoab32.exe Oohgdhfn.exe File created C:\Windows\SysWOW64\Icpnnd32.dll Kbceejpf.exe File opened for modification C:\Windows\SysWOW64\Lhkgoiqe.exe Lbnngbbn.exe File opened for modification C:\Windows\SysWOW64\Cnahdi32.exe Blqllqqa.exe File opened for modification C:\Windows\SysWOW64\Bigbmpco.exe File opened for modification C:\Windows\SysWOW64\Dgcihgaj.exe File created C:\Windows\SysWOW64\Hlppno32.exe File created C:\Windows\SysWOW64\Ageolo32.exe Adgbpc32.exe File opened for modification C:\Windows\SysWOW64\Llpmoiof.exe Kfcdfbqo.exe File created C:\Windows\SysWOW64\Hjhalefe.exe Hdkidohn.exe File created C:\Windows\SysWOW64\Innfnl32.exe Ikpjbq32.exe File created C:\Windows\SysWOW64\Illddp32.dll Lclpdncg.exe File created C:\Windows\SysWOW64\Jekpanpa.dll Cmnpgb32.exe File created C:\Windows\SysWOW64\Mjhedo32.dll Hfpecg32.exe -
Program crash 1 IoCs
Processes:
pid pid_target process target process 5256 5596 -
Modifies registry class 64 IoCs
Processes:
Eokqkh32.exeOfeilobp.exeAnogiicl.exeIokgal32.exeInbqhhfj.exeFacqkg32.exeHgmgqc32.exeInnfnl32.exeQnhahj32.exeFajnfl32.exeOohgdhfn.exeIdacmfkj.exeLekehdgp.exePcbmka32.exeHbhijepa.exeBpnihiio.exeEeidoc32.exeBhpfqcln.exeDdligq32.exeNjnpppkn.exeBahmfj32.exeEolhbc32.exeFggfnc32.exeIggjga32.exeEchknh32.exeOqhacgdh.exeImfdff32.exeAndqdh32.exeLgffic32.exeMhafeb32.exeJgenbfoa.exeLaciofpa.exePgmcqggf.exeFehfljca.exeMlbbkfoq.exeAjqgidij.exeKjmmepfj.exeGjdaodja.exe735c9a299b07d6e41236317e48c153a0_NeikiAnalytics.exeJimekgff.exeHkehkocf.exeKpbfii32.exeCdnmfclj.exeBnmcjg32.exeFipkjb32.exeJcphab32.exeOgjmdigk.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdgccn32.dll" Eokqkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdjinlko.dll" Ofeilobp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll" Anogiicl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iokgal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Inbqhhfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Facqkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgmgqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Innfnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qnhahj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fajnfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oohgdhfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nalhik32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfpdfnd.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idacmfkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gilnhifk.dll" Lekehdgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmphmhjc.dll" Pcbmka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbhijepa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpnihiio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eeidoc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhpfqcln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddligq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njnpppkn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Innfnl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bahmfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcnmgane.dll" Eolhbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fggfnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Accailfj.dll" Iggjga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Echknh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmcdaagm.dll" Oqhacgdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glqfgdpo.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imfdff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Andqdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgffic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhafeb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgenbfoa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbandhne.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll" Laciofpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjoheljj.dll" Pgmcqggf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fehfljca.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlbbkfoq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqhajknb.dll" Ajqgidij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnecgoki.dll" Kjmmepfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjkoqgjn.dll" Gjdaodja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 735c9a299b07d6e41236317e48c153a0_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jimekgff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifpbd32.dll" Hkehkocf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpbfii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mncilb32.dll" Cdnmfclj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqnbqh32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll" Bnmcjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fipkjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddplkbaa.dll" Jcphab32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maenpfhk.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cepkeokh.dll" Ogjmdigk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
735c9a299b07d6e41236317e48c153a0_NeikiAnalytics.exeFobiilai.exeFodeolof.exeGfnnlffc.exeGmkbnp32.exeGcekkjcj.exeGmmocpjk.exeHclakimb.exeHihicplj.exeHfofbd32.exeHcedaheh.exeIpldfi32.exeIakaql32.exeIbmmhdhm.exeIpckgh32.exeIjhodq32.exeIdacmfkj.exeJbfpobpb.exeJiphkm32.exeJaimbj32.exeJbkjjblm.exeJkdnpo32.exedescription pid process target process PID 5024 wrote to memory of 3624 5024 735c9a299b07d6e41236317e48c153a0_NeikiAnalytics.exe Fobiilai.exe PID 5024 wrote to memory of 3624 5024 735c9a299b07d6e41236317e48c153a0_NeikiAnalytics.exe Fobiilai.exe PID 5024 wrote to memory of 3624 5024 735c9a299b07d6e41236317e48c153a0_NeikiAnalytics.exe Fobiilai.exe PID 3624 wrote to memory of 4920 3624 Fobiilai.exe Fodeolof.exe PID 3624 wrote to memory of 4920 3624 Fobiilai.exe Fodeolof.exe PID 3624 wrote to memory of 4920 3624 Fobiilai.exe Fodeolof.exe PID 4920 wrote to memory of 4120 4920 Fodeolof.exe Gfnnlffc.exe PID 4920 wrote to memory of 4120 4920 Fodeolof.exe Gfnnlffc.exe PID 4920 wrote to memory of 4120 4920 Fodeolof.exe Gfnnlffc.exe PID 4120 wrote to memory of 716 4120 Gfnnlffc.exe Gmkbnp32.exe PID 4120 wrote to memory of 716 4120 Gfnnlffc.exe Gmkbnp32.exe PID 4120 wrote to memory of 716 4120 Gfnnlffc.exe Gmkbnp32.exe PID 716 wrote to memory of 1508 716 Gmkbnp32.exe Gcekkjcj.exe PID 716 wrote to memory of 1508 716 Gmkbnp32.exe Gcekkjcj.exe PID 716 wrote to memory of 1508 716 Gmkbnp32.exe Gcekkjcj.exe PID 1508 wrote to memory of 4744 1508 Gcekkjcj.exe Gmmocpjk.exe PID 1508 wrote to memory of 4744 1508 Gcekkjcj.exe Gmmocpjk.exe PID 1508 wrote to memory of 4744 1508 Gcekkjcj.exe Gmmocpjk.exe PID 4744 wrote to memory of 1120 4744 Gmmocpjk.exe Hclakimb.exe PID 4744 wrote to memory of 1120 4744 Gmmocpjk.exe Hclakimb.exe PID 4744 wrote to memory of 1120 4744 Gmmocpjk.exe Hclakimb.exe PID 1120 wrote to memory of 4464 1120 Hclakimb.exe Hihicplj.exe PID 1120 wrote to memory of 4464 1120 Hclakimb.exe Hihicplj.exe PID 1120 wrote to memory of 4464 1120 Hclakimb.exe Hihicplj.exe PID 4464 wrote to memory of 808 4464 Hihicplj.exe Hfofbd32.exe PID 4464 wrote to memory of 808 4464 Hihicplj.exe Hfofbd32.exe PID 4464 wrote to memory of 808 4464 Hihicplj.exe Hfofbd32.exe PID 808 wrote to memory of 3392 808 Hfofbd32.exe Hcedaheh.exe PID 808 wrote to memory of 3392 808 Hfofbd32.exe Hcedaheh.exe PID 808 wrote to memory of 3392 808 Hfofbd32.exe Hcedaheh.exe PID 3392 wrote to memory of 4876 3392 Hcedaheh.exe Ipldfi32.exe PID 3392 wrote to memory of 4876 3392 Hcedaheh.exe Ipldfi32.exe PID 3392 wrote to memory of 4876 3392 Hcedaheh.exe Ipldfi32.exe PID 4876 wrote to memory of 4016 4876 Ipldfi32.exe Iakaql32.exe PID 4876 wrote to memory of 4016 4876 Ipldfi32.exe Iakaql32.exe PID 4876 wrote to memory of 4016 4876 Ipldfi32.exe Iakaql32.exe PID 4016 wrote to memory of 1016 4016 Iakaql32.exe Ibmmhdhm.exe PID 4016 wrote to memory of 1016 4016 Iakaql32.exe Ibmmhdhm.exe PID 4016 wrote to memory of 1016 4016 Iakaql32.exe Ibmmhdhm.exe PID 1016 wrote to memory of 3472 1016 Ibmmhdhm.exe Ipckgh32.exe PID 1016 wrote to memory of 3472 1016 Ibmmhdhm.exe Ipckgh32.exe PID 1016 wrote to memory of 3472 1016 Ibmmhdhm.exe Ipckgh32.exe PID 3472 wrote to memory of 2768 3472 Ipckgh32.exe Ijhodq32.exe PID 3472 wrote to memory of 2768 3472 Ipckgh32.exe Ijhodq32.exe PID 3472 wrote to memory of 2768 3472 Ipckgh32.exe Ijhodq32.exe PID 2768 wrote to memory of 404 2768 Ijhodq32.exe Idacmfkj.exe PID 2768 wrote to memory of 404 2768 Ijhodq32.exe Idacmfkj.exe PID 2768 wrote to memory of 404 2768 Ijhodq32.exe Idacmfkj.exe PID 404 wrote to memory of 1700 404 Idacmfkj.exe Jbfpobpb.exe PID 404 wrote to memory of 1700 404 Idacmfkj.exe Jbfpobpb.exe PID 404 wrote to memory of 1700 404 Idacmfkj.exe Jbfpobpb.exe PID 1700 wrote to memory of 4732 1700 Jbfpobpb.exe Jiphkm32.exe PID 1700 wrote to memory of 4732 1700 Jbfpobpb.exe Jiphkm32.exe PID 1700 wrote to memory of 4732 1700 Jbfpobpb.exe Jiphkm32.exe PID 4732 wrote to memory of 3584 4732 Jiphkm32.exe Jaimbj32.exe PID 4732 wrote to memory of 3584 4732 Jiphkm32.exe Jaimbj32.exe PID 4732 wrote to memory of 3584 4732 Jiphkm32.exe Jaimbj32.exe PID 3584 wrote to memory of 4852 3584 Jaimbj32.exe Jbkjjblm.exe PID 3584 wrote to memory of 4852 3584 Jaimbj32.exe Jbkjjblm.exe PID 3584 wrote to memory of 4852 3584 Jaimbj32.exe Jbkjjblm.exe PID 4852 wrote to memory of 1524 4852 Jbkjjblm.exe Jkdnpo32.exe PID 4852 wrote to memory of 1524 4852 Jbkjjblm.exe Jkdnpo32.exe PID 4852 wrote to memory of 1524 4852 Jbkjjblm.exe Jkdnpo32.exe PID 1524 wrote to memory of 3372 1524 Jkdnpo32.exe Kpccnefa.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\735c9a299b07d6e41236317e48c153a0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\735c9a299b07d6e41236317e48c153a0_NeikiAnalytics.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5024 -
C:\Windows\SysWOW64\Fobiilai.exeC:\Windows\system32\Fobiilai.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3624 -
C:\Windows\SysWOW64\Fodeolof.exeC:\Windows\system32\Fodeolof.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Windows\SysWOW64\Gfnnlffc.exeC:\Windows\system32\Gfnnlffc.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4120 -
C:\Windows\SysWOW64\Gmkbnp32.exeC:\Windows\system32\Gmkbnp32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:716 -
C:\Windows\SysWOW64\Gcekkjcj.exeC:\Windows\system32\Gcekkjcj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1508 -
C:\Windows\SysWOW64\Gmmocpjk.exeC:\Windows\system32\Gmmocpjk.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4744 -
C:\Windows\SysWOW64\Hclakimb.exeC:\Windows\system32\Hclakimb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1120 -
C:\Windows\SysWOW64\Hihicplj.exeC:\Windows\system32\Hihicplj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4464 -
C:\Windows\SysWOW64\Hfofbd32.exeC:\Windows\system32\Hfofbd32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:808 -
C:\Windows\SysWOW64\Hcedaheh.exeC:\Windows\system32\Hcedaheh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3392 -
C:\Windows\SysWOW64\Ipldfi32.exeC:\Windows\system32\Ipldfi32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
C:\Windows\SysWOW64\Iakaql32.exeC:\Windows\system32\Iakaql32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4016 -
C:\Windows\SysWOW64\Ibmmhdhm.exeC:\Windows\system32\Ibmmhdhm.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1016 -
C:\Windows\SysWOW64\Ipckgh32.exeC:\Windows\system32\Ipckgh32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3472 -
C:\Windows\SysWOW64\Ijhodq32.exeC:\Windows\system32\Ijhodq32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Idacmfkj.exeC:\Windows\system32\Idacmfkj.exe17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:404 -
C:\Windows\SysWOW64\Jbfpobpb.exeC:\Windows\system32\Jbfpobpb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\SysWOW64\Jiphkm32.exeC:\Windows\system32\Jiphkm32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4732 -
C:\Windows\SysWOW64\Jaimbj32.exeC:\Windows\system32\Jaimbj32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3584 -
C:\Windows\SysWOW64\Jbkjjblm.exeC:\Windows\system32\Jbkjjblm.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4852 -
C:\Windows\SysWOW64\Jkdnpo32.exeC:\Windows\system32\Jkdnpo32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1524 -
C:\Windows\SysWOW64\Kpccnefa.exeC:\Windows\system32\Kpccnefa.exe23⤵
- Executes dropped EXE
PID:3372 -
C:\Windows\SysWOW64\Kgmlkp32.exeC:\Windows\system32\Kgmlkp32.exe24⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Kpepcedo.exeC:\Windows\system32\Kpepcedo.exe25⤵
- Executes dropped EXE
PID:4040 -
C:\Windows\SysWOW64\Kbdmpqcb.exeC:\Windows\system32\Kbdmpqcb.exe26⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Kkpnlm32.exeC:\Windows\system32\Kkpnlm32.exe27⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Lalcng32.exeC:\Windows\system32\Lalcng32.exe28⤵
- Executes dropped EXE
PID:4980 -
C:\Windows\SysWOW64\Ldmlpbbj.exeC:\Windows\system32\Ldmlpbbj.exe29⤵
- Executes dropped EXE
PID:4616 -
C:\Windows\SysWOW64\Lpcmec32.exeC:\Windows\system32\Lpcmec32.exe30⤵
- Executes dropped EXE
PID:1180 -
C:\Windows\SysWOW64\Laciofpa.exeC:\Windows\system32\Laciofpa.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4380 -
C:\Windows\SysWOW64\Laefdf32.exeC:\Windows\system32\Laefdf32.exe32⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Mahbje32.exeC:\Windows\system32\Mahbje32.exe33⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Mkbchk32.exeC:\Windows\system32\Mkbchk32.exe34⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Mamleegg.exeC:\Windows\system32\Mamleegg.exe35⤵
- Executes dropped EXE
PID:400 -
C:\Windows\SysWOW64\Mkepnjng.exeC:\Windows\system32\Mkepnjng.exe36⤵
- Executes dropped EXE
PID:3916 -
C:\Windows\SysWOW64\Mpaifalo.exeC:\Windows\system32\Mpaifalo.exe37⤵
- Executes dropped EXE
PID:4736 -
C:\Windows\SysWOW64\Mkgmcjld.exeC:\Windows\system32\Mkgmcjld.exe38⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Mpdelajl.exeC:\Windows\system32\Mpdelajl.exe39⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Nacbfdao.exeC:\Windows\system32\Nacbfdao.exe40⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Nklfoi32.exeC:\Windows\system32\Nklfoi32.exe41⤵
- Executes dropped EXE
PID:4908 -
C:\Windows\SysWOW64\Nnjbke32.exeC:\Windows\system32\Nnjbke32.exe42⤵
- Executes dropped EXE
PID:3620 -
C:\Windows\SysWOW64\Ncgkcl32.exeC:\Windows\system32\Ncgkcl32.exe43⤵
- Executes dropped EXE
PID:4824 -
C:\Windows\SysWOW64\Njacpf32.exeC:\Windows\system32\Njacpf32.exe44⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Nnolfdcn.exeC:\Windows\system32\Nnolfdcn.exe45⤵
- Executes dropped EXE
PID:3440 -
C:\Windows\SysWOW64\Ndidbn32.exeC:\Windows\system32\Ndidbn32.exe46⤵
- Executes dropped EXE
PID:4608 -
C:\Windows\SysWOW64\Njfmke32.exeC:\Windows\system32\Njfmke32.exe47⤵
- Executes dropped EXE
PID:4136 -
C:\Windows\SysWOW64\Ndkahnhh.exeC:\Windows\system32\Ndkahnhh.exe48⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Ogjmdigk.exeC:\Windows\system32\Ogjmdigk.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:1136 -
C:\Windows\SysWOW64\Ondeac32.exeC:\Windows\system32\Ondeac32.exe50⤵
- Executes dropped EXE
PID:4440 -
C:\Windows\SysWOW64\Odnnnnfe.exeC:\Windows\system32\Odnnnnfe.exe51⤵
- Executes dropped EXE
PID:3528 -
C:\Windows\SysWOW64\Onfbfc32.exeC:\Windows\system32\Onfbfc32.exe52⤵
- Executes dropped EXE
PID:3960 -
C:\Windows\SysWOW64\Odpjcm32.exeC:\Windows\system32\Odpjcm32.exe53⤵
- Executes dropped EXE
PID:5096 -
C:\Windows\SysWOW64\Onholckc.exeC:\Windows\system32\Onholckc.exe54⤵
- Executes dropped EXE
PID:3084 -
C:\Windows\SysWOW64\Okloegjl.exeC:\Windows\system32\Okloegjl.exe55⤵
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Obfhba32.exeC:\Windows\system32\Obfhba32.exe56⤵
- Executes dropped EXE
PID:4188 -
C:\Windows\SysWOW64\Okolkg32.exeC:\Windows\system32\Okolkg32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2816 -
C:\Windows\SysWOW64\Odgqdlnj.exeC:\Windows\system32\Odgqdlnj.exe58⤵
- Executes dropped EXE
PID:3260 -
C:\Windows\SysWOW64\Pgemphmn.exeC:\Windows\system32\Pgemphmn.exe59⤵
- Executes dropped EXE
PID:712 -
C:\Windows\SysWOW64\Pnpemb32.exeC:\Windows\system32\Pnpemb32.exe60⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Pclneicb.exeC:\Windows\system32\Pclneicb.exe61⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Pnbbbabh.exeC:\Windows\system32\Pnbbbabh.exe62⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Pcojkhap.exeC:\Windows\system32\Pcojkhap.exe63⤵
- Executes dropped EXE
PID:4880 -
C:\Windows\SysWOW64\Pndohaqe.exeC:\Windows\system32\Pndohaqe.exe64⤵
- Executes dropped EXE
PID:4252 -
C:\Windows\SysWOW64\Pgmcqggf.exeC:\Windows\system32\Pgmcqggf.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:4460 -
C:\Windows\SysWOW64\Pnfkma32.exeC:\Windows\system32\Pnfkma32.exe66⤵PID:1440
-
C:\Windows\SysWOW64\Peqcjkfp.exeC:\Windows\system32\Peqcjkfp.exe67⤵PID:5080
-
C:\Windows\SysWOW64\Pjmlbbdg.exeC:\Windows\system32\Pjmlbbdg.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3852 -
C:\Windows\SysWOW64\Qecppkdm.exeC:\Windows\system32\Qecppkdm.exe69⤵PID:2568
-
C:\Windows\SysWOW64\Qkmhlekj.exeC:\Windows\system32\Qkmhlekj.exe70⤵PID:384
-
C:\Windows\SysWOW64\Qnkdhpjn.exeC:\Windows\system32\Qnkdhpjn.exe71⤵PID:4832
-
C:\Windows\SysWOW64\Qajadlja.exeC:\Windows\system32\Qajadlja.exe72⤵PID:1152
-
C:\Windows\SysWOW64\Qloebdig.exeC:\Windows\system32\Qloebdig.exe73⤵PID:3452
-
C:\Windows\SysWOW64\Qnnanphk.exeC:\Windows\system32\Qnnanphk.exe74⤵PID:3548
-
C:\Windows\SysWOW64\Agffge32.exeC:\Windows\system32\Agffge32.exe75⤵PID:1444
-
C:\Windows\SysWOW64\Ajdbcano.exeC:\Windows\system32\Ajdbcano.exe76⤵PID:3988
-
C:\Windows\SysWOW64\Abkjdnoa.exeC:\Windows\system32\Abkjdnoa.exe77⤵PID:1040
-
C:\Windows\SysWOW64\Aejfpjne.exeC:\Windows\system32\Aejfpjne.exe78⤵PID:2584
-
C:\Windows\SysWOW64\Ahhblemi.exeC:\Windows\system32\Ahhblemi.exe79⤵PID:5000
-
C:\Windows\SysWOW64\Anbkio32.exeC:\Windows\system32\Anbkio32.exe80⤵PID:3416
-
C:\Windows\SysWOW64\Aelcfilb.exeC:\Windows\system32\Aelcfilb.exe81⤵PID:3052
-
C:\Windows\SysWOW64\Alfkbc32.exeC:\Windows\system32\Alfkbc32.exe82⤵PID:4472
-
C:\Windows\SysWOW64\Abpcon32.exeC:\Windows\system32\Abpcon32.exe83⤵PID:4596
-
C:\Windows\SysWOW64\Alhhhcal.exeC:\Windows\system32\Alhhhcal.exe84⤵PID:2896
-
C:\Windows\SysWOW64\Aealah32.exeC:\Windows\system32\Aealah32.exe85⤵PID:4988
-
C:\Windows\SysWOW64\Ajneip32.exeC:\Windows\system32\Ajneip32.exe86⤵PID:4984
-
C:\Windows\SysWOW64\Bahmfj32.exeC:\Windows\system32\Bahmfj32.exe87⤵
- Modifies registry class
PID:636 -
C:\Windows\SysWOW64\Blmacb32.exeC:\Windows\system32\Blmacb32.exe88⤵PID:4036
-
C:\Windows\SysWOW64\Bnnjen32.exeC:\Windows\system32\Bnnjen32.exe89⤵PID:2028
-
C:\Windows\SysWOW64\Behbag32.exeC:\Windows\system32\Behbag32.exe90⤵PID:5148
-
C:\Windows\SysWOW64\Blbknaib.exeC:\Windows\system32\Blbknaib.exe91⤵PID:5196
-
C:\Windows\SysWOW64\Bejogg32.exeC:\Windows\system32\Bejogg32.exe92⤵PID:5240
-
C:\Windows\SysWOW64\Bhikcb32.exeC:\Windows\system32\Bhikcb32.exe93⤵PID:5288
-
C:\Windows\SysWOW64\Bobcpmfc.exeC:\Windows\system32\Bobcpmfc.exe94⤵PID:5328
-
C:\Windows\SysWOW64\Baaplhef.exeC:\Windows\system32\Baaplhef.exe95⤵PID:5376
-
C:\Windows\SysWOW64\Bkidenlg.exeC:\Windows\system32\Bkidenlg.exe96⤵PID:5420
-
C:\Windows\SysWOW64\Cacmah32.exeC:\Windows\system32\Cacmah32.exe97⤵PID:5464
-
C:\Windows\SysWOW64\Ceoibflm.exeC:\Windows\system32\Ceoibflm.exe98⤵PID:5504
-
C:\Windows\SysWOW64\Chmeobkq.exeC:\Windows\system32\Chmeobkq.exe99⤵PID:5540
-
C:\Windows\SysWOW64\Cogmkl32.exeC:\Windows\system32\Cogmkl32.exe100⤵PID:5588
-
C:\Windows\SysWOW64\Cafigg32.exeC:\Windows\system32\Cafigg32.exe101⤵PID:5632
-
C:\Windows\SysWOW64\Clkndpag.exeC:\Windows\system32\Clkndpag.exe102⤵PID:5672
-
C:\Windows\SysWOW64\Cahfmgoo.exeC:\Windows\system32\Cahfmgoo.exe103⤵PID:5712
-
C:\Windows\SysWOW64\Cdfbibnb.exeC:\Windows\system32\Cdfbibnb.exe104⤵PID:5752
-
C:\Windows\SysWOW64\Ckpjfm32.exeC:\Windows\system32\Ckpjfm32.exe105⤵PID:5800
-
C:\Windows\SysWOW64\Cefoce32.exeC:\Windows\system32\Cefoce32.exe106⤵PID:5840
-
C:\Windows\SysWOW64\Chdkoa32.exeC:\Windows\system32\Chdkoa32.exe107⤵PID:5884
-
C:\Windows\SysWOW64\Cbjoljdo.exeC:\Windows\system32\Cbjoljdo.exe108⤵PID:5928
-
C:\Windows\SysWOW64\Cdkldb32.exeC:\Windows\system32\Cdkldb32.exe109⤵PID:5972
-
C:\Windows\SysWOW64\Clbceo32.exeC:\Windows\system32\Clbceo32.exe110⤵PID:6020
-
C:\Windows\SysWOW64\Dbllbibl.exeC:\Windows\system32\Dbllbibl.exe111⤵PID:6060
-
C:\Windows\SysWOW64\Dhidjpqc.exeC:\Windows\system32\Dhidjpqc.exe112⤵PID:6108
-
C:\Windows\SysWOW64\Docmgjhp.exeC:\Windows\system32\Docmgjhp.exe113⤵PID:5136
-
C:\Windows\SysWOW64\Daaicfgd.exeC:\Windows\system32\Daaicfgd.exe114⤵PID:5204
-
C:\Windows\SysWOW64\Dhkapp32.exeC:\Windows\system32\Dhkapp32.exe115⤵PID:5276
-
C:\Windows\SysWOW64\Dbaemi32.exeC:\Windows\system32\Dbaemi32.exe116⤵PID:5344
-
C:\Windows\SysWOW64\Deoaid32.exeC:\Windows\system32\Deoaid32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5416 -
C:\Windows\SysWOW64\Dlijfneg.exeC:\Windows\system32\Dlijfneg.exe118⤵PID:5484
-
C:\Windows\SysWOW64\Dafbne32.exeC:\Windows\system32\Dafbne32.exe119⤵PID:5548
-
C:\Windows\SysWOW64\Dddojq32.exeC:\Windows\system32\Dddojq32.exe120⤵PID:5612
-
C:\Windows\SysWOW64\Dojcgi32.exeC:\Windows\system32\Dojcgi32.exe121⤵
- Drops file in System32 directory
PID:5704 -
C:\Windows\SysWOW64\Ddgkpp32.exeC:\Windows\system32\Ddgkpp32.exe122⤵PID:5776
-
C:\Windows\SysWOW64\Ekacmjgl.exeC:\Windows\system32\Ekacmjgl.exe123⤵PID:5784
-
C:\Windows\SysWOW64\Echknh32.exeC:\Windows\system32\Echknh32.exe124⤵
- Modifies registry class
PID:5920 -
C:\Windows\SysWOW64\Ehedfo32.exeC:\Windows\system32\Ehedfo32.exe125⤵PID:5992
-
C:\Windows\SysWOW64\Eoolbinc.exeC:\Windows\system32\Eoolbinc.exe126⤵PID:6068
-
C:\Windows\SysWOW64\Eeidoc32.exeC:\Windows\system32\Eeidoc32.exe127⤵
- Modifies registry class
PID:6132 -
C:\Windows\SysWOW64\Elbmlmml.exeC:\Windows\system32\Elbmlmml.exe128⤵PID:5192
-
C:\Windows\SysWOW64\Eapedd32.exeC:\Windows\system32\Eapedd32.exe129⤵PID:5320
-
C:\Windows\SysWOW64\Ehimanbq.exeC:\Windows\system32\Ehimanbq.exe130⤵PID:5404
-
C:\Windows\SysWOW64\Ekhjmiad.exeC:\Windows\system32\Ekhjmiad.exe131⤵PID:5536
-
C:\Windows\SysWOW64\Eabbjc32.exeC:\Windows\system32\Eabbjc32.exe132⤵PID:5640
-
C:\Windows\SysWOW64\Edpnfo32.exeC:\Windows\system32\Edpnfo32.exe133⤵PID:5680
-
C:\Windows\SysWOW64\Ekjfcipa.exeC:\Windows\system32\Ekjfcipa.exe134⤵PID:5892
-
C:\Windows\SysWOW64\Ecandfpd.exeC:\Windows\system32\Ecandfpd.exe135⤵PID:6000
-
C:\Windows\SysWOW64\Edbklofb.exeC:\Windows\system32\Edbklofb.exe136⤵PID:5188
-
C:\Windows\SysWOW64\Fljcmlfd.exeC:\Windows\system32\Fljcmlfd.exe137⤵PID:5372
-
C:\Windows\SysWOW64\Fohoigfh.exeC:\Windows\system32\Fohoigfh.exe138⤵PID:5520
-
C:\Windows\SysWOW64\Fafkecel.exeC:\Windows\system32\Fafkecel.exe139⤵PID:5736
-
C:\Windows\SysWOW64\Fdegandp.exeC:\Windows\system32\Fdegandp.exe140⤵PID:5964
-
C:\Windows\SysWOW64\Fllpbldb.exeC:\Windows\system32\Fllpbldb.exe141⤵PID:6136
-
C:\Windows\SysWOW64\Fkopnh32.exeC:\Windows\system32\Fkopnh32.exe142⤵PID:5384
-
C:\Windows\SysWOW64\Fcfhof32.exeC:\Windows\system32\Fcfhof32.exe143⤵PID:5624
-
C:\Windows\SysWOW64\Ffddka32.exeC:\Windows\system32\Ffddka32.exe144⤵PID:6056
-
C:\Windows\SysWOW64\Fkalchij.exeC:\Windows\system32\Fkalchij.exe145⤵PID:5336
-
C:\Windows\SysWOW64\Fomhdg32.exeC:\Windows\system32\Fomhdg32.exe146⤵PID:5936
-
C:\Windows\SysWOW64\Ffgqqaip.exeC:\Windows\system32\Ffgqqaip.exe147⤵PID:5448
-
C:\Windows\SysWOW64\Fhemmlhc.exeC:\Windows\system32\Fhemmlhc.exe148⤵PID:5312
-
C:\Windows\SysWOW64\Fkciihgg.exeC:\Windows\system32\Fkciihgg.exe149⤵PID:5760
-
C:\Windows\SysWOW64\Fhgjblfq.exeC:\Windows\system32\Fhgjblfq.exe150⤵PID:6168
-
C:\Windows\SysWOW64\Foabofnn.exeC:\Windows\system32\Foabofnn.exe151⤵PID:6212
-
C:\Windows\SysWOW64\Fbpnkama.exeC:\Windows\system32\Fbpnkama.exe152⤵PID:6252
-
C:\Windows\SysWOW64\Fhjfhl32.exeC:\Windows\system32\Fhjfhl32.exe153⤵PID:6300
-
C:\Windows\SysWOW64\Gfngap32.exeC:\Windows\system32\Gfngap32.exe154⤵PID:6348
-
C:\Windows\SysWOW64\Glhonj32.exeC:\Windows\system32\Glhonj32.exe155⤵PID:6392
-
C:\Windows\SysWOW64\Gbdgfa32.exeC:\Windows\system32\Gbdgfa32.exe156⤵
- Drops file in System32 directory
PID:6436 -
C:\Windows\SysWOW64\Ghopckpi.exeC:\Windows\system32\Ghopckpi.exe157⤵PID:6480
-
C:\Windows\SysWOW64\Gcddpdpo.exeC:\Windows\system32\Gcddpdpo.exe158⤵PID:6524
-
C:\Windows\SysWOW64\Gmlhii32.exeC:\Windows\system32\Gmlhii32.exe159⤵PID:6568
-
C:\Windows\SysWOW64\Gbiaapdf.exeC:\Windows\system32\Gbiaapdf.exe160⤵PID:6612
-
C:\Windows\SysWOW64\Gomakdcp.exeC:\Windows\system32\Gomakdcp.exe161⤵PID:6656
-
C:\Windows\SysWOW64\Gdjjckag.exeC:\Windows\system32\Gdjjckag.exe162⤵PID:6700
-
C:\Windows\SysWOW64\Hkdbpe32.exeC:\Windows\system32\Hkdbpe32.exe163⤵PID:6752
-
C:\Windows\SysWOW64\Hbnjmp32.exeC:\Windows\system32\Hbnjmp32.exe164⤵PID:6792
-
C:\Windows\SysWOW64\Hihbijhn.exeC:\Windows\system32\Hihbijhn.exe165⤵PID:6840
-
C:\Windows\SysWOW64\Hcmgfbhd.exeC:\Windows\system32\Hcmgfbhd.exe166⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6876 -
C:\Windows\SysWOW64\Hflcbngh.exeC:\Windows\system32\Hflcbngh.exe167⤵PID:6932
-
C:\Windows\SysWOW64\Hmfkoh32.exeC:\Windows\system32\Hmfkoh32.exe168⤵PID:6976
-
C:\Windows\SysWOW64\Hodgkc32.exeC:\Windows\system32\Hodgkc32.exe169⤵PID:7020
-
C:\Windows\SysWOW64\Heapdjlp.exeC:\Windows\system32\Heapdjlp.exe170⤵PID:7064
-
C:\Windows\SysWOW64\Hmhhehlb.exeC:\Windows\system32\Hmhhehlb.exe171⤵PID:7108
-
C:\Windows\SysWOW64\Hcbpab32.exeC:\Windows\system32\Hcbpab32.exe172⤵PID:7152
-
C:\Windows\SysWOW64\Hioiji32.exeC:\Windows\system32\Hioiji32.exe173⤵PID:6176
-
C:\Windows\SysWOW64\Hcdmga32.exeC:\Windows\system32\Hcdmga32.exe174⤵PID:6236
-
C:\Windows\SysWOW64\Iefioj32.exeC:\Windows\system32\Iefioj32.exe175⤵PID:6312
-
C:\Windows\SysWOW64\Ikpaldog.exeC:\Windows\system32\Ikpaldog.exe176⤵
- Drops file in System32 directory
PID:6376 -
C:\Windows\SysWOW64\Ibjjhn32.exeC:\Windows\system32\Ibjjhn32.exe177⤵PID:6456
-
C:\Windows\SysWOW64\Imoneg32.exeC:\Windows\system32\Imoneg32.exe178⤵PID:6520
-
C:\Windows\SysWOW64\Icifbang.exeC:\Windows\system32\Icifbang.exe179⤵PID:6588
-
C:\Windows\SysWOW64\Ifgbnlmj.exeC:\Windows\system32\Ifgbnlmj.exe180⤵PID:6652
-
C:\Windows\SysWOW64\Ildkgc32.exeC:\Windows\system32\Ildkgc32.exe181⤵PID:6728
-
C:\Windows\SysWOW64\Ickchq32.exeC:\Windows\system32\Ickchq32.exe182⤵PID:6800
-
C:\Windows\SysWOW64\Imdgqfbd.exeC:\Windows\system32\Imdgqfbd.exe183⤵PID:6864
-
C:\Windows\SysWOW64\Ilghlc32.exeC:\Windows\system32\Ilghlc32.exe184⤵PID:6924
-
C:\Windows\SysWOW64\Imfdff32.exeC:\Windows\system32\Imfdff32.exe185⤵
- Modifies registry class
PID:7012 -
C:\Windows\SysWOW64\Ipdqba32.exeC:\Windows\system32\Ipdqba32.exe186⤵PID:7076
-
C:\Windows\SysWOW64\Jimekgff.exeC:\Windows\system32\Jimekgff.exe187⤵
- Modifies registry class
PID:7160 -
C:\Windows\SysWOW64\Jlkagbej.exeC:\Windows\system32\Jlkagbej.exe188⤵PID:6204
-
C:\Windows\SysWOW64\Jbeidl32.exeC:\Windows\system32\Jbeidl32.exe189⤵PID:6336
-
C:\Windows\SysWOW64\Jlnnmb32.exeC:\Windows\system32\Jlnnmb32.exe190⤵PID:6468
-
C:\Windows\SysWOW64\Jbhfjljd.exeC:\Windows\system32\Jbhfjljd.exe191⤵PID:6516
-
C:\Windows\SysWOW64\Jefbfgig.exeC:\Windows\system32\Jefbfgig.exe192⤵PID:6648
-
C:\Windows\SysWOW64\Jcgbco32.exeC:\Windows\system32\Jcgbco32.exe193⤵PID:6708
-
C:\Windows\SysWOW64\Jfeopj32.exeC:\Windows\system32\Jfeopj32.exe194⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6848 -
C:\Windows\SysWOW64\Jidklf32.exeC:\Windows\system32\Jidklf32.exe195⤵PID:6904
-
C:\Windows\SysWOW64\Jpnchp32.exeC:\Windows\system32\Jpnchp32.exe196⤵PID:7148
-
C:\Windows\SysWOW64\Jblpek32.exeC:\Windows\system32\Jblpek32.exe197⤵PID:6308
-
C:\Windows\SysWOW64\Jifhaenk.exeC:\Windows\system32\Jifhaenk.exe198⤵PID:6552
-
C:\Windows\SysWOW64\Jpppnp32.exeC:\Windows\system32\Jpppnp32.exe199⤵PID:6740
-
C:\Windows\SysWOW64\Kboljk32.exeC:\Windows\system32\Kboljk32.exe200⤵PID:7072
-
C:\Windows\SysWOW64\Kemhff32.exeC:\Windows\system32\Kemhff32.exe201⤵PID:7120
-
C:\Windows\SysWOW64\Kmdqgd32.exeC:\Windows\system32\Kmdqgd32.exe202⤵PID:6916
-
C:\Windows\SysWOW64\Kbaipkbi.exeC:\Windows\system32\Kbaipkbi.exe203⤵PID:6292
-
C:\Windows\SysWOW64\Kikame32.exeC:\Windows\system32\Kikame32.exe204⤵PID:6432
-
C:\Windows\SysWOW64\Klimip32.exeC:\Windows\system32\Klimip32.exe205⤵PID:6972
-
C:\Windows\SysWOW64\Kbceejpf.exeC:\Windows\system32\Kbceejpf.exe206⤵
- Drops file in System32 directory
PID:7172 -
C:\Windows\SysWOW64\Kebbafoj.exeC:\Windows\system32\Kebbafoj.exe207⤵PID:7212
-
C:\Windows\SysWOW64\Kfankifm.exeC:\Windows\system32\Kfankifm.exe208⤵PID:7264
-
C:\Windows\SysWOW64\Klngdpdd.exeC:\Windows\system32\Klngdpdd.exe209⤵PID:7308
-
C:\Windows\SysWOW64\Kdeoemeg.exeC:\Windows\system32\Kdeoemeg.exe210⤵PID:7356
-
C:\Windows\SysWOW64\Kmncnb32.exeC:\Windows\system32\Kmncnb32.exe211⤵PID:7400
-
C:\Windows\SysWOW64\Lbjlfi32.exeC:\Windows\system32\Lbjlfi32.exe212⤵
- Drops file in System32 directory
PID:7444 -
C:\Windows\SysWOW64\Leihbeib.exeC:\Windows\system32\Leihbeib.exe213⤵PID:7496
-
C:\Windows\SysWOW64\Lpnlpnih.exeC:\Windows\system32\Lpnlpnih.exe214⤵
- Drops file in System32 directory
PID:7540 -
C:\Windows\SysWOW64\Lbmhlihl.exeC:\Windows\system32\Lbmhlihl.exe215⤵PID:7584
-
C:\Windows\SysWOW64\Lekehdgp.exeC:\Windows\system32\Lekehdgp.exe216⤵
- Modifies registry class
PID:7628 -
C:\Windows\SysWOW64\Llemdo32.exeC:\Windows\system32\Llemdo32.exe217⤵PID:7676
-
C:\Windows\SysWOW64\Lfkaag32.exeC:\Windows\system32\Lfkaag32.exe218⤵PID:7720
-
C:\Windows\SysWOW64\Liimncmf.exeC:\Windows\system32\Liimncmf.exe219⤵PID:7764
-
C:\Windows\SysWOW64\Lpcfkm32.exeC:\Windows\system32\Lpcfkm32.exe220⤵PID:7812
-
C:\Windows\SysWOW64\Lepncd32.exeC:\Windows\system32\Lepncd32.exe221⤵
- Drops file in System32 directory
PID:7856 -
C:\Windows\SysWOW64\Lmgfda32.exeC:\Windows\system32\Lmgfda32.exe222⤵PID:7896
-
C:\Windows\SysWOW64\Lbdolh32.exeC:\Windows\system32\Lbdolh32.exe223⤵PID:7936
-
C:\Windows\SysWOW64\Lingibiq.exeC:\Windows\system32\Lingibiq.exe224⤵PID:7980
-
C:\Windows\SysWOW64\Lphoelqn.exeC:\Windows\system32\Lphoelqn.exe225⤵PID:8024
-
C:\Windows\SysWOW64\Medgncoe.exeC:\Windows\system32\Medgncoe.exe226⤵PID:8068
-
C:\Windows\SysWOW64\Mpjlklok.exeC:\Windows\system32\Mpjlklok.exe227⤵PID:8112
-
C:\Windows\SysWOW64\Mchhggno.exeC:\Windows\system32\Mchhggno.exe228⤵PID:8156
-
C:\Windows\SysWOW64\Mibpda32.exeC:\Windows\system32\Mibpda32.exe229⤵PID:6460
-
C:\Windows\SysWOW64\Mlampmdo.exeC:\Windows\system32\Mlampmdo.exe230⤵PID:7232
-
C:\Windows\SysWOW64\Mgfqmfde.exeC:\Windows\system32\Mgfqmfde.exe231⤵PID:7284
-
C:\Windows\SysWOW64\Miemjaci.exeC:\Windows\system32\Miemjaci.exe232⤵PID:7364
-
C:\Windows\SysWOW64\Mpoefk32.exeC:\Windows\system32\Mpoefk32.exe233⤵
- Drops file in System32 directory
PID:7436 -
C:\Windows\SysWOW64\Mcmabg32.exeC:\Windows\system32\Mcmabg32.exe234⤵PID:7504
-
C:\Windows\SysWOW64\Mgimcebb.exeC:\Windows\system32\Mgimcebb.exe235⤵PID:7568
-
C:\Windows\SysWOW64\Migjoaaf.exeC:\Windows\system32\Migjoaaf.exe236⤵PID:7640
-
C:\Windows\SysWOW64\Mpablkhc.exeC:\Windows\system32\Mpablkhc.exe237⤵PID:7716
-
C:\Windows\SysWOW64\Mgkjhe32.exeC:\Windows\system32\Mgkjhe32.exe238⤵PID:7708
-
C:\Windows\SysWOW64\Miifeq32.exeC:\Windows\system32\Miifeq32.exe239⤵PID:7848
-
C:\Windows\SysWOW64\Mlhbal32.exeC:\Windows\system32\Mlhbal32.exe240⤵PID:7924
-
C:\Windows\SysWOW64\Ngmgne32.exeC:\Windows\system32\Ngmgne32.exe241⤵PID:7988
-
C:\Windows\SysWOW64\Nngokoej.exeC:\Windows\system32\Nngokoej.exe242⤵PID:8008