Analysis
-
max time kernel
92s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
31-05-2024 02:49
Behavioral task
behavioral1
Sample
74113f4c02c13accb0c39c0d426b7fa0_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
74113f4c02c13accb0c39c0d426b7fa0_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
-
Target
74113f4c02c13accb0c39c0d426b7fa0_NeikiAnalytics.exe
-
Size
1024KB
-
MD5
74113f4c02c13accb0c39c0d426b7fa0
-
SHA1
1715725cc9fbc3d1af03c15b7b95ba5e19c5d2bf
-
SHA256
026b11c0d97120f8b2cd6a4f7c2fc144638aebc2da010c850e3e4f64fba70411
-
SHA512
f0061a0abda1855e5cc54e1b4be71d08cca2dbba93adc672911e56663df69ce0bc486fe54a21fac0dc081e2776fdfbc834a5ecf77a6fd5339aed4f786e2aa42f
-
SSDEEP
24576:oz6taSHFaZRBEYyqmaf2qwiHPKgRC4gvGZl6snARe:ozYaSHFaZRBEYyqmS2DiHPKQgmN
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Eoocmoao.exeBlbknaib.exeIbobdqid.exeGmjlcj32.exeLnbklm32.exeLjilqnlm.exeBgbdcgld.exeDbjkkl32.exeIpflihfq.exeDphifcoi.exeMncmjfmk.exeCdiooblp.exeAoofle32.exeOjbacd32.exeGmkbnp32.exeOimkbaed.exeEagaoh32.exeKgninn32.exeEbeejijj.exeFojlngce.exeHbbmmi32.exeFmocba32.exeBejogg32.exeEkjfcipa.exeOcegdjij.exeQjpiha32.exeBjddphlq.exeEhonfc32.exeOjnblg32.exeBgehcmmm.exeFnmepn32.exeAaqgek32.exeBlfdia32.exePclgkb32.exeQgallfcq.exeFobiilai.exeIjdeiaio.exeFineoi32.exeJnpfop32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eoocmoao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blbknaib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibobdqid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmjlcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnbklm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljilqnlm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgbdcgld.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbjkkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipflihfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dphifcoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mncmjfmk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdiooblp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoofle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojbacd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmkbnp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oimkbaed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eagaoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgninn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebeejijj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fojlngce.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbbmmi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmocba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bejogg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekjfcipa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocegdjij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjpiha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjddphlq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehonfc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojnblg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgehcmmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnmepn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaqgek32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blfdia32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pclgkb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgallfcq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fobiilai.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijdeiaio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fineoi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnpfop32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Processes:
resource yara_rule C:\Windows\SysWOW64\Bhdibj32.exe family_berbew C:\Windows\SysWOW64\Booaodnd.exe family_berbew C:\Windows\SysWOW64\Baaggo32.exe family_berbew C:\Windows\SysWOW64\Boegpc32.exe family_berbew C:\Windows\SysWOW64\Beppmmoi.exe family_berbew C:\Windows\SysWOW64\Clihig32.exe family_berbew C:\Windows\SysWOW64\Commqb32.exe family_berbew C:\Windows\SysWOW64\Cibank32.exe family_berbew C:\Windows\SysWOW64\Coagla32.exe family_berbew C:\Windows\SysWOW64\Cekohk32.exe family_berbew C:\Windows\SysWOW64\Dlegeemh.exe family_berbew C:\Windows\SysWOW64\Dabpnlkp.exe family_berbew C:\Windows\SysWOW64\Dephckaf.exe family_berbew C:\Windows\SysWOW64\Djnaji32.exe family_berbew C:\Windows\SysWOW64\Dphifcoi.exe family_berbew C:\Windows\SysWOW64\Elagacbk.exe family_berbew C:\Windows\SysWOW64\Lpocjdld.exe family_berbew C:\Windows\SysWOW64\Kmnjhioc.exe family_berbew C:\Windows\SysWOW64\Kcifkp32.exe family_berbew C:\Windows\SysWOW64\Lcpllo32.exe family_berbew C:\Windows\SysWOW64\Lmccchkn.exe family_berbew C:\Windows\SysWOW64\Lnhmng32.exe family_berbew C:\Windows\SysWOW64\Kdcijcke.exe family_berbew C:\Windows\SysWOW64\Kkihknfg.exe family_berbew C:\Windows\SysWOW64\Mncmjfmk.exe family_berbew C:\Windows\SysWOW64\Mkepnjng.exe family_berbew C:\Windows\SysWOW64\Kmegbjgn.exe family_berbew C:\Windows\SysWOW64\Mcbahlip.exe family_berbew C:\Windows\SysWOW64\Mpdelajl.exe family_berbew C:\Windows\SysWOW64\Nceonl32.exe family_berbew C:\Windows\SysWOW64\Jangmibi.exe family_berbew C:\Windows\SysWOW64\Jpjqhgol.exe family_berbew C:\Windows\SysWOW64\Njfmke32.exe family_berbew C:\Windows\SysWOW64\Ogjmdigk.exe family_berbew C:\Windows\SysWOW64\Nqpego32.exe family_berbew C:\Windows\SysWOW64\Ojhiqefo.exe family_berbew C:\Windows\SysWOW64\Occkojkm.exe family_berbew C:\Windows\SysWOW64\Obdkma32.exe family_berbew C:\Windows\SysWOW64\Ocegdjij.exe family_berbew C:\Windows\SysWOW64\Iakaql32.exe family_berbew C:\Windows\SysWOW64\Oqkdcn32.exe family_berbew C:\Windows\SysWOW64\Pcjapi32.exe family_berbew C:\Windows\SysWOW64\Pjffbc32.exe family_berbew C:\Windows\SysWOW64\Hmmhjm32.exe family_berbew C:\Windows\SysWOW64\Hbhdmd32.exe family_berbew C:\Windows\SysWOW64\Hadkpm32.exe family_berbew C:\Windows\SysWOW64\Qajadlja.exe family_berbew C:\Windows\SysWOW64\Qalnjkgo.exe family_berbew C:\Windows\SysWOW64\Qjbena32.exe family_berbew C:\Windows\SysWOW64\Qecppkdm.exe family_berbew C:\Windows\SysWOW64\Abkjdnoa.exe family_berbew C:\Windows\SysWOW64\Aejfpjne.exe family_berbew C:\Windows\SysWOW64\Aldomc32.exe family_berbew C:\Windows\SysWOW64\Alfkbc32.exe family_berbew C:\Windows\SysWOW64\Ajkhdp32.exe family_berbew C:\Windows\SysWOW64\Ahoimd32.exe family_berbew C:\Windows\SysWOW64\Bdkcmdhp.exe family_berbew C:\Windows\SysWOW64\Bopgjmhe.exe family_berbew C:\Windows\SysWOW64\Bejogg32.exe family_berbew C:\Windows\SysWOW64\Bajjli32.exe family_berbew C:\Windows\SysWOW64\Blfdia32.exe family_berbew C:\Windows\SysWOW64\Cacmah32.exe family_berbew C:\Windows\SysWOW64\Chmeobkq.exe family_berbew C:\Windows\SysWOW64\Cklaknjd.exe family_berbew -
Executes dropped EXE 64 IoCs
Processes:
Bhdibj32.exeBooaodnd.exeBaaggo32.exeBoegpc32.exeBeppmmoi.exeClihig32.exeCommqb32.exeCibank32.exeCoagla32.exeCekohk32.exeDlegeemh.exeDabpnlkp.exeDhlhjf32.exeDephckaf.exeDljqpd32.exeDpemacql.exeDagiil32.exeDjnaji32.exeDphifcoi.exeDcfebonm.exeDfdbojmq.exeDhcnke32.exeDpjflb32.exeDomfgpca.exeDakbckbe.exeEjbkehcg.exeElagacbk.exeEoocmoao.exeEckonn32.exeEfikji32.exeEjegjh32.exeEpopgbia.exeEcmlcmhe.exeEjgdpg32.exeEleplc32.exeEodlho32.exeEjjqeg32.exeEofinnkf.exeEbeejijj.exeEhonfc32.exeEqfeha32.exeFokbim32.exeFbioei32.exeFjqgff32.exeFmocba32.exeFomonm32.exeFbllkh32.exeFfggkgmk.exeFmapha32.exeFopldmcl.exeFbnhphbp.exeFfjdqg32.exeFihqmb32.exeFobiilai.exeFbqefhpm.exeFjhmgeao.exeFijmbb32.exeFqaeco32.exeGcpapkgp.exeGfnnlffc.exeGimjhafg.exeGqdbiofi.exeGogbdl32.exeGbenqg32.exepid process 808 Bhdibj32.exe 5108 Booaodnd.exe 5004 Baaggo32.exe 3116 Boegpc32.exe 2936 Beppmmoi.exe 928 Clihig32.exe 3464 Commqb32.exe 1232 Cibank32.exe 3792 Coagla32.exe 4592 Cekohk32.exe 3532 Dlegeemh.exe 1740 Dabpnlkp.exe 1580 Dhlhjf32.exe 960 Dephckaf.exe 3948 Dljqpd32.exe 2700 Dpemacql.exe 872 Dagiil32.exe 3060 Djnaji32.exe 912 Dphifcoi.exe 3708 Dcfebonm.exe 5044 Dfdbojmq.exe 3304 Dhcnke32.exe 2208 Dpjflb32.exe 2212 Domfgpca.exe 2436 Dakbckbe.exe 4476 Ejbkehcg.exe 540 Elagacbk.exe 5012 Eoocmoao.exe 2996 Eckonn32.exe 684 Efikji32.exe 4604 Ejegjh32.exe 2396 Epopgbia.exe 4336 Ecmlcmhe.exe 1504 Ejgdpg32.exe 464 Eleplc32.exe 2116 Eodlho32.exe 3284 Ejjqeg32.exe 2592 Eofinnkf.exe 3108 Ebeejijj.exe 4304 Ehonfc32.exe 1752 Eqfeha32.exe 3652 Fokbim32.exe 3296 Fbioei32.exe 4468 Fjqgff32.exe 5116 Fmocba32.exe 1840 Fomonm32.exe 3448 Fbllkh32.exe 2312 Ffggkgmk.exe 3168 Fmapha32.exe 2292 Fopldmcl.exe 4456 Fbnhphbp.exe 5100 Ffjdqg32.exe 264 Fihqmb32.exe 2012 Fobiilai.exe 2804 Fbqefhpm.exe 1916 Fjhmgeao.exe 2072 Fijmbb32.exe 4540 Fqaeco32.exe 4496 Gcpapkgp.exe 1896 Gfnnlffc.exe 1020 Gimjhafg.exe 1960 Gqdbiofi.exe 2244 Gogbdl32.exe 2516 Gbenqg32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Jfhlejnh.exeOohnonij.exeMicoed32.exeOcegdjij.exeDaolnf32.exeJpfepf32.exeKqmkae32.exeMnebeogl.exeKghjhemo.exeJjbako32.exeNqpego32.exeBclang32.exeEdemkd32.exeFdhcgaic.exeDkbocbog.exeBejogg32.exeFamjkl32.exeKeakgpko.exeIffmccbi.exeLcgblncm.exeEhnglm32.exeAjanck32.exeNlfelogp.exeNceonl32.exePfolbmje.exeEaonjngh.exeMebcop32.exeFbioei32.exeMkepnjng.exeGlhonj32.exeQddfkd32.exeGmggfp32.exeLqpamb32.exeJqglkmlj.exeElbhjp32.exeFoghnabl.exeAeddnp32.exeLenicahg.exeHippdo32.exeNclikl32.exePkbjjbda.exeIpqnahgf.exeOkjnnj32.exeCkmehb32.exeMeepdp32.exePoliea32.exeDlijfneg.exeElppfmoo.exedescription ioc process File opened for modification C:\Windows\SysWOW64\Jmbdbd32.exe Jfhlejnh.exe File created C:\Windows\SysWOW64\Ojnblg32.exe Oohnonij.exe File created C:\Windows\SysWOW64\Mjellmbp.exe Micoed32.exe File created C:\Windows\SysWOW64\Mnaela32.dll Ocegdjij.exe File opened for modification C:\Windows\SysWOW64\Ddmhja32.exe Daolnf32.exe File created C:\Windows\SysWOW64\Jjoiil32.exe Jpfepf32.exe File opened for modification C:\Windows\SysWOW64\Kggcnoic.exe Kqmkae32.exe File opened for modification C:\Windows\SysWOW64\Ocdnln32.exe File created C:\Windows\SysWOW64\Nepgjaeg.exe Mnebeogl.exe File opened for modification C:\Windows\SysWOW64\Kqpoakco.exe Kghjhemo.exe File opened for modification C:\Windows\SysWOW64\Eqkondfl.exe File created C:\Windows\SysWOW64\Qekdppan.dll Jjbako32.exe File created C:\Windows\SysWOW64\Hipnbb32.dll Nqpego32.exe File opened for modification C:\Windows\SysWOW64\Bjfjka32.exe Bclang32.exe File created C:\Windows\SysWOW64\Ejpfhnpe.exe Edemkd32.exe File opened for modification C:\Windows\SysWOW64\Fkbkdkpp.exe Fdhcgaic.exe File created C:\Windows\SysWOW64\Dfgcakon.exe Dkbocbog.exe File opened for modification C:\Windows\SysWOW64\Ipgbdbqb.exe File created C:\Windows\SysWOW64\Hehdfdek.exe File created C:\Windows\SysWOW64\Bhikcb32.exe Bejogg32.exe File created C:\Windows\SysWOW64\Ehjhee32.dll Famjkl32.exe File opened for modification C:\Windows\SysWOW64\Kechmoil.exe Keakgpko.exe File created C:\Windows\SysWOW64\Cfbcke32.exe File created C:\Windows\SysWOW64\Aaiqcnhg.exe File opened for modification C:\Windows\SysWOW64\Cgfbbb32.exe File created C:\Windows\SysWOW64\Ljkgblln.dll File created C:\Windows\SysWOW64\Iakaql32.exe Iffmccbi.exe File opened for modification C:\Windows\SysWOW64\Lknjmkdo.exe Lcgblncm.exe File created C:\Windows\SysWOW64\Fkmchi32.exe Ehnglm32.exe File created C:\Windows\SysWOW64\Adgbpc32.exe Ajanck32.exe File created C:\Windows\SysWOW64\Noeahkfc.exe Nlfelogp.exe File created C:\Windows\SysWOW64\Mjfmcmai.dll File created C:\Windows\SysWOW64\Emcnmpcj.dll File created C:\Windows\SysWOW64\Nklfoi32.exe Nceonl32.exe File created C:\Windows\SysWOW64\Pnfdcjkg.exe Pfolbmje.exe File created C:\Windows\SysWOW64\Eglgbdep.exe Eaonjngh.exe File created C:\Windows\SysWOW64\Mjokgg32.exe Mebcop32.exe File created C:\Windows\SysWOW64\Fjqgff32.exe Fbioei32.exe File created C:\Windows\SysWOW64\Ciiqgjgg.dll Mkepnjng.exe File created C:\Windows\SysWOW64\Clhkicgk.dll Glhonj32.exe File opened for modification C:\Windows\SysWOW64\Ajanck32.exe Qddfkd32.exe File opened for modification C:\Windows\SysWOW64\Gpecbk32.exe Gmggfp32.exe File created C:\Windows\SysWOW64\Gjmgfljg.dll Lqpamb32.exe File opened for modification C:\Windows\SysWOW64\Kpnjah32.exe File opened for modification C:\Windows\SysWOW64\Jaljgidl.exe Jjbako32.exe File opened for modification C:\Windows\SysWOW64\Jdbhkk32.exe Jqglkmlj.exe File opened for modification C:\Windows\SysWOW64\Eciplm32.exe Elbhjp32.exe File created C:\Windows\SysWOW64\Fafdkmap.exe Foghnabl.exe File created C:\Windows\SysWOW64\Ahcajk32.exe Aeddnp32.exe File created C:\Windows\SysWOW64\Mjkblhfo.exe Lenicahg.exe File created C:\Windows\SysWOW64\Gnhekleo.dll File opened for modification C:\Windows\SysWOW64\Haggelfd.exe Hippdo32.exe File created C:\Windows\SysWOW64\Qeekll32.dll Edemkd32.exe File opened for modification C:\Windows\SysWOW64\Nlcalieg.exe Nclikl32.exe File created C:\Windows\SysWOW64\Pmaffnce.exe Pkbjjbda.exe File opened for modification C:\Windows\SysWOW64\Lpfgmnfp.exe File created C:\Windows\SysWOW64\Fojkiimn.dll Ipqnahgf.exe File created C:\Windows\SysWOW64\Oeoblb32.exe Okjnnj32.exe File created C:\Windows\SysWOW64\Pgapfg32.dll Ckmehb32.exe File opened for modification C:\Windows\SysWOW64\Mjahlgpf.exe Meepdp32.exe File opened for modification C:\Windows\SysWOW64\Pdhbmh32.exe Poliea32.exe File created C:\Windows\SysWOW64\Hjmgbm32.dll File created C:\Windows\SysWOW64\Hmjehihl.dll Dlijfneg.exe File opened for modification C:\Windows\SysWOW64\Eoolbinc.exe Elppfmoo.exe -
Program crash 1 IoCs
Processes:
pid pid_target process target process 4384 6724 -
Modifies registry class 64 IoCs
Processes:
Qgciaf32.exeGkaopp32.exeMlbbkfoq.exeHkeaqi32.exeNajceeoo.exeJpijnqkp.exeJfhlejnh.exeNfgmjqop.exeOneklm32.exeOehlkc32.exeJjbako32.exeMcbahlip.exeOjjffddl.exeJbdbjf32.exeFbnhphbp.exeHaggelfd.exeKdcijcke.exeFdffbake.exeKkeldnpi.exeDphifcoi.exeHlhccj32.exeEbhglj32.exeOmcjep32.exeFdnjgmle.exeKdgljmcd.exeNhlpfgbb.exeDoqpak32.exeGnjjfegi.exeFfggkgmk.exeLknjmkdo.exeMebcop32.exeNjpdnedf.exeIiibkn32.exeBjpjel32.exeQecppkdm.exeEmhldnkj.exeBgeaifia.exeDkdliame.exeDlijfneg.exeIbqpimpl.exeOjmcld32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilpgfc32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppelifin.dll" Qgciaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obgbikfp.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkaopp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlbbkfoq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idajkk32.dll" Hkeaqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Najceeoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpijnqkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkoqfnpl.dll" Jfhlejnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjegoh32.dll" Nfgmjqop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beapme32.dll" Oneklm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oehlkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcmdgodo.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjbako32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll" Mcbahlip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaadlo32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcoppd32.dll" Ojjffddl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbdbjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbnhphbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfogkh32.dll" Haggelfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdcijcke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kicpplqn.dll" Fdffbake.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmokmkpo.dll" Kkeldnpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dphifcoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlhccj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebhglj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omcjep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdnjgmle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlineehd.dll" Kdgljmcd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dahkpm32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiqhki32.dll" Nhlpfgbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Doqpak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnjjfegi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffggkgmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lknjmkdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbgbpn32.dll" Mebcop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njpdnedf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakcla32.dll" Iiibkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kljibbol.dll" Bjpjel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qecppkdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emhldnkj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgeaifia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkdliame.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlijfneg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkblkg32.dll" Ibqpimpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebooppnl.dll" Ojmcld32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
74113f4c02c13accb0c39c0d426b7fa0_NeikiAnalytics.exeBhdibj32.exeBooaodnd.exeBaaggo32.exeBoegpc32.exeBeppmmoi.exeClihig32.exeCommqb32.exeCibank32.exeCoagla32.exeCekohk32.exeDlegeemh.exeDabpnlkp.exeDhlhjf32.exeDephckaf.exeDljqpd32.exeDpemacql.exeDagiil32.exeDjnaji32.exeDphifcoi.exeDcfebonm.exeDfdbojmq.exedescription pid process target process PID 2332 wrote to memory of 808 2332 74113f4c02c13accb0c39c0d426b7fa0_NeikiAnalytics.exe Bhdibj32.exe PID 2332 wrote to memory of 808 2332 74113f4c02c13accb0c39c0d426b7fa0_NeikiAnalytics.exe Bhdibj32.exe PID 2332 wrote to memory of 808 2332 74113f4c02c13accb0c39c0d426b7fa0_NeikiAnalytics.exe Bhdibj32.exe PID 808 wrote to memory of 5108 808 Bhdibj32.exe Booaodnd.exe PID 808 wrote to memory of 5108 808 Bhdibj32.exe Booaodnd.exe PID 808 wrote to memory of 5108 808 Bhdibj32.exe Booaodnd.exe PID 5108 wrote to memory of 5004 5108 Booaodnd.exe Baaggo32.exe PID 5108 wrote to memory of 5004 5108 Booaodnd.exe Baaggo32.exe PID 5108 wrote to memory of 5004 5108 Booaodnd.exe Baaggo32.exe PID 5004 wrote to memory of 3116 5004 Baaggo32.exe Boegpc32.exe PID 5004 wrote to memory of 3116 5004 Baaggo32.exe Boegpc32.exe PID 5004 wrote to memory of 3116 5004 Baaggo32.exe Boegpc32.exe PID 3116 wrote to memory of 2936 3116 Boegpc32.exe Beppmmoi.exe PID 3116 wrote to memory of 2936 3116 Boegpc32.exe Beppmmoi.exe PID 3116 wrote to memory of 2936 3116 Boegpc32.exe Beppmmoi.exe PID 2936 wrote to memory of 928 2936 Beppmmoi.exe Clihig32.exe PID 2936 wrote to memory of 928 2936 Beppmmoi.exe Clihig32.exe PID 2936 wrote to memory of 928 2936 Beppmmoi.exe Clihig32.exe PID 928 wrote to memory of 3464 928 Clihig32.exe Commqb32.exe PID 928 wrote to memory of 3464 928 Clihig32.exe Commqb32.exe PID 928 wrote to memory of 3464 928 Clihig32.exe Commqb32.exe PID 3464 wrote to memory of 1232 3464 Commqb32.exe Cibank32.exe PID 3464 wrote to memory of 1232 3464 Commqb32.exe Cibank32.exe PID 3464 wrote to memory of 1232 3464 Commqb32.exe Cibank32.exe PID 1232 wrote to memory of 3792 1232 Cibank32.exe Coagla32.exe PID 1232 wrote to memory of 3792 1232 Cibank32.exe Coagla32.exe PID 1232 wrote to memory of 3792 1232 Cibank32.exe Coagla32.exe PID 3792 wrote to memory of 4592 3792 Coagla32.exe Cekohk32.exe PID 3792 wrote to memory of 4592 3792 Coagla32.exe Cekohk32.exe PID 3792 wrote to memory of 4592 3792 Coagla32.exe Cekohk32.exe PID 4592 wrote to memory of 3532 4592 Cekohk32.exe Dlegeemh.exe PID 4592 wrote to memory of 3532 4592 Cekohk32.exe Dlegeemh.exe PID 4592 wrote to memory of 3532 4592 Cekohk32.exe Dlegeemh.exe PID 3532 wrote to memory of 1740 3532 Dlegeemh.exe Dabpnlkp.exe PID 3532 wrote to memory of 1740 3532 Dlegeemh.exe Dabpnlkp.exe PID 3532 wrote to memory of 1740 3532 Dlegeemh.exe Dabpnlkp.exe PID 1740 wrote to memory of 1580 1740 Dabpnlkp.exe Dhlhjf32.exe PID 1740 wrote to memory of 1580 1740 Dabpnlkp.exe Dhlhjf32.exe PID 1740 wrote to memory of 1580 1740 Dabpnlkp.exe Dhlhjf32.exe PID 1580 wrote to memory of 960 1580 Dhlhjf32.exe Dephckaf.exe PID 1580 wrote to memory of 960 1580 Dhlhjf32.exe Dephckaf.exe PID 1580 wrote to memory of 960 1580 Dhlhjf32.exe Dephckaf.exe PID 960 wrote to memory of 3948 960 Dephckaf.exe Dljqpd32.exe PID 960 wrote to memory of 3948 960 Dephckaf.exe Dljqpd32.exe PID 960 wrote to memory of 3948 960 Dephckaf.exe Dljqpd32.exe PID 3948 wrote to memory of 2700 3948 Dljqpd32.exe Dpemacql.exe PID 3948 wrote to memory of 2700 3948 Dljqpd32.exe Dpemacql.exe PID 3948 wrote to memory of 2700 3948 Dljqpd32.exe Dpemacql.exe PID 2700 wrote to memory of 872 2700 Dpemacql.exe Dagiil32.exe PID 2700 wrote to memory of 872 2700 Dpemacql.exe Dagiil32.exe PID 2700 wrote to memory of 872 2700 Dpemacql.exe Dagiil32.exe PID 872 wrote to memory of 3060 872 Dagiil32.exe Djnaji32.exe PID 872 wrote to memory of 3060 872 Dagiil32.exe Djnaji32.exe PID 872 wrote to memory of 3060 872 Dagiil32.exe Djnaji32.exe PID 3060 wrote to memory of 912 3060 Djnaji32.exe Dphifcoi.exe PID 3060 wrote to memory of 912 3060 Djnaji32.exe Dphifcoi.exe PID 3060 wrote to memory of 912 3060 Djnaji32.exe Dphifcoi.exe PID 912 wrote to memory of 3708 912 Dphifcoi.exe Dcfebonm.exe PID 912 wrote to memory of 3708 912 Dphifcoi.exe Dcfebonm.exe PID 912 wrote to memory of 3708 912 Dphifcoi.exe Dcfebonm.exe PID 3708 wrote to memory of 5044 3708 Dcfebonm.exe Dfdbojmq.exe PID 3708 wrote to memory of 5044 3708 Dcfebonm.exe Dfdbojmq.exe PID 3708 wrote to memory of 5044 3708 Dcfebonm.exe Dfdbojmq.exe PID 5044 wrote to memory of 3304 5044 Dfdbojmq.exe Dhcnke32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\74113f4c02c13accb0c39c0d426b7fa0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\74113f4c02c13accb0c39c0d426b7fa0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Bhdibj32.exeC:\Windows\system32\Bhdibj32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:808 -
C:\Windows\SysWOW64\Booaodnd.exeC:\Windows\system32\Booaodnd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5108 -
C:\Windows\SysWOW64\Baaggo32.exeC:\Windows\system32\Baaggo32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5004 -
C:\Windows\SysWOW64\Boegpc32.exeC:\Windows\system32\Boegpc32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3116 -
C:\Windows\SysWOW64\Beppmmoi.exeC:\Windows\system32\Beppmmoi.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Clihig32.exeC:\Windows\system32\Clihig32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:928 -
C:\Windows\SysWOW64\Commqb32.exeC:\Windows\system32\Commqb32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3464 -
C:\Windows\SysWOW64\Cibank32.exeC:\Windows\system32\Cibank32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1232 -
C:\Windows\SysWOW64\Coagla32.exeC:\Windows\system32\Coagla32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3792 -
C:\Windows\SysWOW64\Cekohk32.exeC:\Windows\system32\Cekohk32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4592 -
C:\Windows\SysWOW64\Dlegeemh.exeC:\Windows\system32\Dlegeemh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3532 -
C:\Windows\SysWOW64\Dabpnlkp.exeC:\Windows\system32\Dabpnlkp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\Dhlhjf32.exeC:\Windows\system32\Dhlhjf32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1580 -
C:\Windows\SysWOW64\Dephckaf.exeC:\Windows\system32\Dephckaf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:960 -
C:\Windows\SysWOW64\Dljqpd32.exeC:\Windows\system32\Dljqpd32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948 -
C:\Windows\SysWOW64\Dpemacql.exeC:\Windows\system32\Dpemacql.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Dagiil32.exeC:\Windows\system32\Dagiil32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:872 -
C:\Windows\SysWOW64\Djnaji32.exeC:\Windows\system32\Djnaji32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\Dphifcoi.exeC:\Windows\system32\Dphifcoi.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:912 -
C:\Windows\SysWOW64\Dcfebonm.exeC:\Windows\system32\Dcfebonm.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3708 -
C:\Windows\SysWOW64\Dfdbojmq.exeC:\Windows\system32\Dfdbojmq.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
C:\Windows\SysWOW64\Dhcnke32.exeC:\Windows\system32\Dhcnke32.exe23⤵
- Executes dropped EXE
PID:3304 -
C:\Windows\SysWOW64\Dpjflb32.exeC:\Windows\system32\Dpjflb32.exe24⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Domfgpca.exeC:\Windows\system32\Domfgpca.exe25⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Dakbckbe.exeC:\Windows\system32\Dakbckbe.exe26⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Ejbkehcg.exeC:\Windows\system32\Ejbkehcg.exe27⤵
- Executes dropped EXE
PID:4476 -
C:\Windows\SysWOW64\Elagacbk.exeC:\Windows\system32\Elagacbk.exe28⤵
- Executes dropped EXE
PID:540 -
C:\Windows\SysWOW64\Eoocmoao.exeC:\Windows\system32\Eoocmoao.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5012 -
C:\Windows\SysWOW64\Eckonn32.exeC:\Windows\system32\Eckonn32.exe30⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Efikji32.exeC:\Windows\system32\Efikji32.exe31⤵
- Executes dropped EXE
PID:684 -
C:\Windows\SysWOW64\Ejegjh32.exeC:\Windows\system32\Ejegjh32.exe32⤵
- Executes dropped EXE
PID:4604 -
C:\Windows\SysWOW64\Epopgbia.exeC:\Windows\system32\Epopgbia.exe33⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Ecmlcmhe.exeC:\Windows\system32\Ecmlcmhe.exe34⤵
- Executes dropped EXE
PID:4336 -
C:\Windows\SysWOW64\Ejgdpg32.exeC:\Windows\system32\Ejgdpg32.exe35⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Eleplc32.exeC:\Windows\system32\Eleplc32.exe36⤵
- Executes dropped EXE
PID:464 -
C:\Windows\SysWOW64\Eodlho32.exeC:\Windows\system32\Eodlho32.exe37⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Ejjqeg32.exeC:\Windows\system32\Ejjqeg32.exe38⤵
- Executes dropped EXE
PID:3284 -
C:\Windows\SysWOW64\Eofinnkf.exeC:\Windows\system32\Eofinnkf.exe39⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Ebeejijj.exeC:\Windows\system32\Ebeejijj.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3108 -
C:\Windows\SysWOW64\Ehonfc32.exeC:\Windows\system32\Ehonfc32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4304 -
C:\Windows\SysWOW64\Eqfeha32.exeC:\Windows\system32\Eqfeha32.exe42⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Fokbim32.exeC:\Windows\system32\Fokbim32.exe43⤵
- Executes dropped EXE
PID:3652 -
C:\Windows\SysWOW64\Fbioei32.exeC:\Windows\system32\Fbioei32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3296 -
C:\Windows\SysWOW64\Fjqgff32.exeC:\Windows\system32\Fjqgff32.exe45⤵
- Executes dropped EXE
PID:4468 -
C:\Windows\SysWOW64\Fmocba32.exeC:\Windows\system32\Fmocba32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5116 -
C:\Windows\SysWOW64\Fomonm32.exeC:\Windows\system32\Fomonm32.exe47⤵
- Executes dropped EXE
PID:1840 -
C:\Windows\SysWOW64\Fbllkh32.exeC:\Windows\system32\Fbllkh32.exe48⤵
- Executes dropped EXE
PID:3448 -
C:\Windows\SysWOW64\Ffggkgmk.exeC:\Windows\system32\Ffggkgmk.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:2312 -
C:\Windows\SysWOW64\Fmapha32.exeC:\Windows\system32\Fmapha32.exe50⤵
- Executes dropped EXE
PID:3168 -
C:\Windows\SysWOW64\Fopldmcl.exeC:\Windows\system32\Fopldmcl.exe51⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Fbnhphbp.exeC:\Windows\system32\Fbnhphbp.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:4456 -
C:\Windows\SysWOW64\Ffjdqg32.exeC:\Windows\system32\Ffjdqg32.exe53⤵
- Executes dropped EXE
PID:5100 -
C:\Windows\SysWOW64\Fihqmb32.exeC:\Windows\system32\Fihqmb32.exe54⤵
- Executes dropped EXE
PID:264 -
C:\Windows\SysWOW64\Fobiilai.exeC:\Windows\system32\Fobiilai.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Fbqefhpm.exeC:\Windows\system32\Fbqefhpm.exe56⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Fjhmgeao.exeC:\Windows\system32\Fjhmgeao.exe57⤵
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Fijmbb32.exeC:\Windows\system32\Fijmbb32.exe58⤵
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Fqaeco32.exeC:\Windows\system32\Fqaeco32.exe59⤵
- Executes dropped EXE
PID:4540 -
C:\Windows\SysWOW64\Gcpapkgp.exeC:\Windows\system32\Gcpapkgp.exe60⤵
- Executes dropped EXE
PID:4496 -
C:\Windows\SysWOW64\Gfnnlffc.exeC:\Windows\system32\Gfnnlffc.exe61⤵
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\Gimjhafg.exeC:\Windows\system32\Gimjhafg.exe62⤵
- Executes dropped EXE
PID:1020 -
C:\Windows\SysWOW64\Gqdbiofi.exeC:\Windows\system32\Gqdbiofi.exe63⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Gogbdl32.exeC:\Windows\system32\Gogbdl32.exe64⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Gbenqg32.exeC:\Windows\system32\Gbenqg32.exe65⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Gjlfbd32.exeC:\Windows\system32\Gjlfbd32.exe66⤵PID:4828
-
C:\Windows\SysWOW64\Gmkbnp32.exeC:\Windows\system32\Gmkbnp32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2180 -
C:\Windows\SysWOW64\Goiojk32.exeC:\Windows\system32\Goiojk32.exe68⤵PID:4992
-
C:\Windows\SysWOW64\Gcekkjcj.exeC:\Windows\system32\Gcekkjcj.exe69⤵PID:3808
-
C:\Windows\SysWOW64\Gfcgge32.exeC:\Windows\system32\Gfcgge32.exe70⤵PID:728
-
C:\Windows\SysWOW64\Gqikdn32.exeC:\Windows\system32\Gqikdn32.exe71⤵PID:4980
-
C:\Windows\SysWOW64\Gjapmdid.exeC:\Windows\system32\Gjapmdid.exe72⤵PID:4232
-
C:\Windows\SysWOW64\Hcqjfh32.exeC:\Windows\system32\Hcqjfh32.exe73⤵PID:4632
-
C:\Windows\SysWOW64\Hadkpm32.exeC:\Windows\system32\Hadkpm32.exe74⤵PID:3972
-
C:\Windows\SysWOW64\Hfachc32.exeC:\Windows\system32\Hfachc32.exe75⤵PID:3268
-
C:\Windows\SysWOW64\Hippdo32.exeC:\Windows\system32\Hippdo32.exe76⤵
- Drops file in System32 directory
PID:3980 -
C:\Windows\SysWOW64\Haggelfd.exeC:\Windows\system32\Haggelfd.exe77⤵
- Modifies registry class
PID:2368 -
C:\Windows\SysWOW64\Hbhdmd32.exeC:\Windows\system32\Hbhdmd32.exe78⤵PID:2104
-
C:\Windows\SysWOW64\Hjolnb32.exeC:\Windows\system32\Hjolnb32.exe79⤵PID:4984
-
C:\Windows\SysWOW64\Hmmhjm32.exeC:\Windows\system32\Hmmhjm32.exe80⤵PID:4224
-
C:\Windows\SysWOW64\Ipldfi32.exeC:\Windows\system32\Ipldfi32.exe81⤵PID:4436
-
C:\Windows\SysWOW64\Iffmccbi.exeC:\Windows\system32\Iffmccbi.exe82⤵
- Drops file in System32 directory
PID:3240 -
C:\Windows\SysWOW64\Iakaql32.exeC:\Windows\system32\Iakaql32.exe83⤵PID:1212
-
C:\Windows\SysWOW64\Icjmmg32.exeC:\Windows\system32\Icjmmg32.exe84⤵PID:2764
-
C:\Windows\SysWOW64\Ijdeiaio.exeC:\Windows\system32\Ijdeiaio.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1676 -
C:\Windows\SysWOW64\Ipqnahgf.exeC:\Windows\system32\Ipqnahgf.exe86⤵
- Drops file in System32 directory
PID:4356 -
C:\Windows\SysWOW64\Ibojncfj.exeC:\Windows\system32\Ibojncfj.exe87⤵PID:4972
-
C:\Windows\SysWOW64\Iiibkn32.exeC:\Windows\system32\Iiibkn32.exe88⤵
- Modifies registry class
PID:3320 -
C:\Windows\SysWOW64\Iapjlk32.exeC:\Windows\system32\Iapjlk32.exe89⤵PID:4460
-
C:\Windows\SysWOW64\Ibagcc32.exeC:\Windows\system32\Ibagcc32.exe90⤵PID:4840
-
C:\Windows\SysWOW64\Iikopmkd.exeC:\Windows\system32\Iikopmkd.exe91⤵PID:3620
-
C:\Windows\SysWOW64\Ipegmg32.exeC:\Windows\system32\Ipegmg32.exe92⤵PID:1092
-
C:\Windows\SysWOW64\Ibccic32.exeC:\Windows\system32\Ibccic32.exe93⤵PID:4136
-
C:\Windows\SysWOW64\Ijkljp32.exeC:\Windows\system32\Ijkljp32.exe94⤵PID:3472
-
C:\Windows\SysWOW64\Imihfl32.exeC:\Windows\system32\Imihfl32.exe95⤵PID:2384
-
C:\Windows\SysWOW64\Jpgdbg32.exeC:\Windows\system32\Jpgdbg32.exe96⤵PID:1744
-
C:\Windows\SysWOW64\Jjmhppqd.exeC:\Windows\system32\Jjmhppqd.exe97⤵PID:5160
-
C:\Windows\SysWOW64\Jmkdlkph.exeC:\Windows\system32\Jmkdlkph.exe98⤵PID:5204
-
C:\Windows\SysWOW64\Jpjqhgol.exeC:\Windows\system32\Jpjqhgol.exe99⤵PID:5248
-
C:\Windows\SysWOW64\Jbhmdbnp.exeC:\Windows\system32\Jbhmdbnp.exe100⤵PID:5292
-
C:\Windows\SysWOW64\Jjpeepnb.exeC:\Windows\system32\Jjpeepnb.exe101⤵PID:5332
-
C:\Windows\SysWOW64\Jmnaakne.exeC:\Windows\system32\Jmnaakne.exe102⤵PID:5372
-
C:\Windows\SysWOW64\Jplmmfmi.exeC:\Windows\system32\Jplmmfmi.exe103⤵PID:5412
-
C:\Windows\SysWOW64\Jbkjjblm.exeC:\Windows\system32\Jbkjjblm.exe104⤵PID:5452
-
C:\Windows\SysWOW64\Jjbako32.exeC:\Windows\system32\Jjbako32.exe105⤵
- Drops file in System32 directory
- Modifies registry class
PID:5488 -
C:\Windows\SysWOW64\Jaljgidl.exeC:\Windows\system32\Jaljgidl.exe106⤵PID:5532
-
C:\Windows\SysWOW64\Jdjfcecp.exeC:\Windows\system32\Jdjfcecp.exe107⤵PID:5580
-
C:\Windows\SysWOW64\Jkdnpo32.exeC:\Windows\system32\Jkdnpo32.exe108⤵PID:5624
-
C:\Windows\SysWOW64\Jangmibi.exeC:\Windows\system32\Jangmibi.exe109⤵PID:5688
-
C:\Windows\SysWOW64\Jdmcidam.exeC:\Windows\system32\Jdmcidam.exe110⤵PID:5736
-
C:\Windows\SysWOW64\Jfkoeppq.exeC:\Windows\system32\Jfkoeppq.exe111⤵PID:5792
-
C:\Windows\SysWOW64\Kmegbjgn.exeC:\Windows\system32\Kmegbjgn.exe112⤵PID:5852
-
C:\Windows\SysWOW64\Kpccnefa.exeC:\Windows\system32\Kpccnefa.exe113⤵PID:5892
-
C:\Windows\SysWOW64\Kgmlkp32.exeC:\Windows\system32\Kgmlkp32.exe114⤵PID:5960
-
C:\Windows\SysWOW64\Kkihknfg.exeC:\Windows\system32\Kkihknfg.exe115⤵PID:6032
-
C:\Windows\SysWOW64\Kmgdgjek.exeC:\Windows\system32\Kmgdgjek.exe116⤵PID:6088
-
C:\Windows\SysWOW64\Kpepcedo.exeC:\Windows\system32\Kpepcedo.exe117⤵PID:6124
-
C:\Windows\SysWOW64\Kbdmpqcb.exeC:\Windows\system32\Kbdmpqcb.exe118⤵PID:5152
-
C:\Windows\SysWOW64\Kkkdan32.exeC:\Windows\system32\Kkkdan32.exe119⤵PID:5144
-
C:\Windows\SysWOW64\Kmjqmi32.exeC:\Windows\system32\Kmjqmi32.exe120⤵PID:3300
-
C:\Windows\SysWOW64\Kaemnhla.exeC:\Windows\system32\Kaemnhla.exe121⤵PID:5360
-
C:\Windows\SysWOW64\Kdcijcke.exeC:\Windows\system32\Kdcijcke.exe122⤵
- Modifies registry class
PID:5420 -
C:\Windows\SysWOW64\Kgbefoji.exeC:\Windows\system32\Kgbefoji.exe123⤵PID:5484
-
C:\Windows\SysWOW64\Kipabjil.exeC:\Windows\system32\Kipabjil.exe124⤵PID:5552
-
C:\Windows\SysWOW64\Kagichjo.exeC:\Windows\system32\Kagichjo.exe125⤵PID:5612
-
C:\Windows\SysWOW64\Kcifkp32.exeC:\Windows\system32\Kcifkp32.exe126⤵PID:5716
-
C:\Windows\SysWOW64\Kkpnlm32.exeC:\Windows\system32\Kkpnlm32.exe127⤵PID:5816
-
C:\Windows\SysWOW64\Kmnjhioc.exeC:\Windows\system32\Kmnjhioc.exe128⤵PID:5884
-
C:\Windows\SysWOW64\Kckbqpnj.exeC:\Windows\system32\Kckbqpnj.exe129⤵PID:6020
-
C:\Windows\SysWOW64\Kkbkamnl.exeC:\Windows\system32\Kkbkamnl.exe130⤵PID:6084
-
C:\Windows\SysWOW64\Lpocjdld.exeC:\Windows\system32\Lpocjdld.exe131⤵PID:5148
-
C:\Windows\SysWOW64\Lcmofolg.exeC:\Windows\system32\Lcmofolg.exe132⤵PID:5268
-
C:\Windows\SysWOW64\Lkdggmlj.exeC:\Windows\system32\Lkdggmlj.exe133⤵PID:5380
-
C:\Windows\SysWOW64\Lmccchkn.exeC:\Windows\system32\Lmccchkn.exe134⤵PID:5472
-
C:\Windows\SysWOW64\Lpappc32.exeC:\Windows\system32\Lpappc32.exe135⤵PID:5616
-
C:\Windows\SysWOW64\Lcpllo32.exeC:\Windows\system32\Lcpllo32.exe136⤵PID:5772
-
C:\Windows\SysWOW64\Laalifad.exeC:\Windows\system32\Laalifad.exe137⤵PID:5952
-
C:\Windows\SysWOW64\Ldohebqh.exeC:\Windows\system32\Ldohebqh.exe138⤵PID:6120
-
C:\Windows\SysWOW64\Lkiqbl32.exeC:\Windows\system32\Lkiqbl32.exe139⤵PID:5228
-
C:\Windows\SysWOW64\Lnhmng32.exeC:\Windows\system32\Lnhmng32.exe140⤵PID:5480
-
C:\Windows\SysWOW64\Lcdegnep.exeC:\Windows\system32\Lcdegnep.exe141⤵PID:5724
-
C:\Windows\SysWOW64\Lklnhlfb.exeC:\Windows\system32\Lklnhlfb.exe142⤵PID:6076
-
C:\Windows\SysWOW64\Lphfpbdi.exeC:\Windows\system32\Lphfpbdi.exe143⤵PID:5352
-
C:\Windows\SysWOW64\Lcgblncm.exeC:\Windows\system32\Lcgblncm.exe144⤵
- Drops file in System32 directory
PID:5684 -
C:\Windows\SysWOW64\Lknjmkdo.exeC:\Windows\system32\Lknjmkdo.exe145⤵
- Modifies registry class
PID:4376 -
C:\Windows\SysWOW64\Mnlfigcc.exeC:\Windows\system32\Mnlfigcc.exe146⤵PID:5672
-
C:\Windows\SysWOW64\Mpkbebbf.exeC:\Windows\system32\Mpkbebbf.exe147⤵PID:5356
-
C:\Windows\SysWOW64\Mciobn32.exeC:\Windows\system32\Mciobn32.exe148⤵PID:5200
-
C:\Windows\SysWOW64\Mkpgck32.exeC:\Windows\system32\Mkpgck32.exe149⤵PID:6132
-
C:\Windows\SysWOW64\Majopeii.exeC:\Windows\system32\Majopeii.exe150⤵PID:6156
-
C:\Windows\SysWOW64\Mcklgm32.exeC:\Windows\system32\Mcklgm32.exe151⤵PID:6192
-
C:\Windows\SysWOW64\Mjeddggd.exeC:\Windows\system32\Mjeddggd.exe152⤵PID:6236
-
C:\Windows\SysWOW64\Mamleegg.exeC:\Windows\system32\Mamleegg.exe153⤵PID:6276
-
C:\Windows\SysWOW64\Mdkhapfj.exeC:\Windows\system32\Mdkhapfj.exe154⤵PID:6320
-
C:\Windows\SysWOW64\Mgidml32.exeC:\Windows\system32\Mgidml32.exe155⤵PID:6360
-
C:\Windows\SysWOW64\Mkepnjng.exeC:\Windows\system32\Mkepnjng.exe156⤵
- Drops file in System32 directory
PID:6412 -
C:\Windows\SysWOW64\Mncmjfmk.exeC:\Windows\system32\Mncmjfmk.exe157⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6452 -
C:\Windows\SysWOW64\Mpaifalo.exeC:\Windows\system32\Mpaifalo.exe158⤵PID:6496
-
C:\Windows\SysWOW64\Mcpebmkb.exeC:\Windows\system32\Mcpebmkb.exe159⤵PID:6536
-
C:\Windows\SysWOW64\Mjjmog32.exeC:\Windows\system32\Mjjmog32.exe160⤵PID:6580
-
C:\Windows\SysWOW64\Maaepd32.exeC:\Windows\system32\Maaepd32.exe161⤵PID:6620
-
C:\Windows\SysWOW64\Mpdelajl.exeC:\Windows\system32\Mpdelajl.exe162⤵PID:6656
-
C:\Windows\SysWOW64\Mcbahlip.exeC:\Windows\system32\Mcbahlip.exe163⤵
- Modifies registry class
PID:6704 -
C:\Windows\SysWOW64\Nkjjij32.exeC:\Windows\system32\Nkjjij32.exe164⤵PID:6748
-
C:\Windows\SysWOW64\Nnhfee32.exeC:\Windows\system32\Nnhfee32.exe165⤵PID:6792
-
C:\Windows\SysWOW64\Nceonl32.exeC:\Windows\system32\Nceonl32.exe166⤵
- Drops file in System32 directory
PID:6836 -
C:\Windows\SysWOW64\Nklfoi32.exeC:\Windows\system32\Nklfoi32.exe167⤵PID:6876
-
C:\Windows\SysWOW64\Nnjbke32.exeC:\Windows\system32\Nnjbke32.exe168⤵PID:6924
-
C:\Windows\SysWOW64\Nafokcol.exeC:\Windows\system32\Nafokcol.exe169⤵PID:6972
-
C:\Windows\SysWOW64\Ngcgcjnc.exeC:\Windows\system32\Ngcgcjnc.exe170⤵PID:7024
-
C:\Windows\SysWOW64\Njfmke32.exeC:\Windows\system32\Njfmke32.exe171⤵PID:7064
-
C:\Windows\SysWOW64\Nqpego32.exeC:\Windows\system32\Nqpego32.exe172⤵
- Drops file in System32 directory
PID:7112 -
C:\Windows\SysWOW64\Ncnadk32.exeC:\Windows\system32\Ncnadk32.exe173⤵PID:7156
-
C:\Windows\SysWOW64\Ogjmdigk.exeC:\Windows\system32\Ogjmdigk.exe174⤵PID:6176
-
C:\Windows\SysWOW64\Ojhiqefo.exeC:\Windows\system32\Ojhiqefo.exe175⤵PID:6256
-
C:\Windows\SysWOW64\Oboaabga.exeC:\Windows\system32\Oboaabga.exe176⤵PID:6308
-
C:\Windows\SysWOW64\Odnnnnfe.exeC:\Windows\system32\Odnnnnfe.exe177⤵PID:6388
-
C:\Windows\SysWOW64\Ojjffddl.exeC:\Windows\system32\Ojjffddl.exe178⤵
- Modifies registry class
PID:6460 -
C:\Windows\SysWOW64\Oqdoboli.exeC:\Windows\system32\Oqdoboli.exe179⤵PID:6520
-
C:\Windows\SysWOW64\Occkojkm.exeC:\Windows\system32\Occkojkm.exe180⤵PID:6604
-
C:\Windows\SysWOW64\Okjbpglo.exeC:\Windows\system32\Okjbpglo.exe181⤵PID:6672
-
C:\Windows\SysWOW64\Ojmcld32.exeC:\Windows\system32\Ojmcld32.exe182⤵
- Modifies registry class
PID:6740 -
C:\Windows\SysWOW64\Obdkma32.exeC:\Windows\system32\Obdkma32.exe183⤵PID:6808
-
C:\Windows\SysWOW64\Odbgim32.exeC:\Windows\system32\Odbgim32.exe184⤵PID:6888
-
C:\Windows\SysWOW64\Ocegdjij.exeC:\Windows\system32\Ocegdjij.exe185⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6968 -
C:\Windows\SysWOW64\Ogcpjhoq.exeC:\Windows\system32\Ogcpjhoq.exe186⤵PID:6988
-
C:\Windows\SysWOW64\Ojalgcnd.exeC:\Windows\system32\Ojalgcnd.exe187⤵PID:6820
-
C:\Windows\SysWOW64\Obidhaog.exeC:\Windows\system32\Obidhaog.exe188⤵PID:7152
-
C:\Windows\SysWOW64\Oqkdcn32.exeC:\Windows\system32\Oqkdcn32.exe189⤵PID:6188
-
C:\Windows\SysWOW64\Pcjapi32.exeC:\Windows\system32\Pcjapi32.exe190⤵PID:6304
-
C:\Windows\SysWOW64\Pkaiqf32.exeC:\Windows\system32\Pkaiqf32.exe191⤵PID:6404
-
C:\Windows\SysWOW64\Pnpemb32.exeC:\Windows\system32\Pnpemb32.exe192⤵PID:6516
-
C:\Windows\SysWOW64\Pqnaim32.exeC:\Windows\system32\Pqnaim32.exe193⤵PID:6644
-
C:\Windows\SysWOW64\Pclneicb.exeC:\Windows\system32\Pclneicb.exe194⤵PID:6756
-
C:\Windows\SysWOW64\Pghieg32.exeC:\Windows\system32\Pghieg32.exe195⤵PID:5448
-
C:\Windows\SysWOW64\Pjffbc32.exeC:\Windows\system32\Pjffbc32.exe196⤵PID:6956
-
C:\Windows\SysWOW64\Pbmncp32.exeC:\Windows\system32\Pbmncp32.exe197⤵PID:1508
-
C:\Windows\SysWOW64\Peljol32.exeC:\Windows\system32\Peljol32.exe198⤵PID:7140
-
C:\Windows\SysWOW64\Pndohaqe.exeC:\Windows\system32\Pndohaqe.exe199⤵PID:6224
-
C:\Windows\SysWOW64\Pengdk32.exeC:\Windows\system32\Pengdk32.exe200⤵PID:6448
-
C:\Windows\SysWOW64\Pgmcqggf.exeC:\Windows\system32\Pgmcqggf.exe201⤵PID:6588
-
C:\Windows\SysWOW64\Pjkombfj.exeC:\Windows\system32\Pjkombfj.exe202⤵PID:6744
-
C:\Windows\SysWOW64\Pbbgnpgl.exeC:\Windows\system32\Pbbgnpgl.exe203⤵PID:4688
-
C:\Windows\SysWOW64\Paegjl32.exeC:\Windows\system32\Paegjl32.exe204⤵PID:7104
-
C:\Windows\SysWOW64\Pgopffec.exeC:\Windows\system32\Pgopffec.exe205⤵PID:6344
-
C:\Windows\SysWOW64\Pkjlge32.exeC:\Windows\system32\Pkjlge32.exe206⤵PID:6564
-
C:\Windows\SysWOW64\Pnihcq32.exeC:\Windows\system32\Pnihcq32.exe207⤵PID:6872
-
C:\Windows\SysWOW64\Pbddcoei.exeC:\Windows\system32\Pbddcoei.exe208⤵PID:7120
-
C:\Windows\SysWOW64\Qecppkdm.exeC:\Windows\system32\Qecppkdm.exe209⤵
- Modifies registry class
PID:6544 -
C:\Windows\SysWOW64\Qgallfcq.exeC:\Windows\system32\Qgallfcq.exe210⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7072 -
C:\Windows\SysWOW64\Qjpiha32.exeC:\Windows\system32\Qjpiha32.exe211⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5832 -
C:\Windows\SysWOW64\Qnkdhpjn.exeC:\Windows\system32\Qnkdhpjn.exe212⤵PID:6212
-
C:\Windows\SysWOW64\Qajadlja.exeC:\Windows\system32\Qajadlja.exe213⤵PID:7164
-
C:\Windows\SysWOW64\Qgciaf32.exeC:\Windows\system32\Qgciaf32.exe214⤵
- Modifies registry class
PID:6712 -
C:\Windows\SysWOW64\Qjbena32.exeC:\Windows\system32\Qjbena32.exe215⤵PID:7196
-
C:\Windows\SysWOW64\Qbimoo32.exeC:\Windows\system32\Qbimoo32.exe216⤵PID:7236
-
C:\Windows\SysWOW64\Qalnjkgo.exeC:\Windows\system32\Qalnjkgo.exe217⤵PID:7276
-
C:\Windows\SysWOW64\Alabgd32.exeC:\Windows\system32\Alabgd32.exe218⤵PID:7328
-
C:\Windows\SysWOW64\Anpncp32.exeC:\Windows\system32\Anpncp32.exe219⤵PID:7368
-
C:\Windows\SysWOW64\Abkjdnoa.exeC:\Windows\system32\Abkjdnoa.exe220⤵PID:7408
-
C:\Windows\SysWOW64\Aejfpjne.exeC:\Windows\system32\Aejfpjne.exe221⤵PID:7460
-
C:\Windows\SysWOW64\Ahhblemi.exeC:\Windows\system32\Ahhblemi.exe222⤵PID:7500
-
C:\Windows\SysWOW64\Aldomc32.exeC:\Windows\system32\Aldomc32.exe223⤵PID:7548
-
C:\Windows\SysWOW64\Aaqgek32.exeC:\Windows\system32\Aaqgek32.exe224⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7592 -
C:\Windows\SysWOW64\Acocaf32.exeC:\Windows\system32\Acocaf32.exe225⤵PID:7636
-
C:\Windows\SysWOW64\Alfkbc32.exeC:\Windows\system32\Alfkbc32.exe226⤵PID:7680
-
C:\Windows\SysWOW64\Andgoobc.exeC:\Windows\system32\Andgoobc.exe227⤵PID:7724
-
C:\Windows\SysWOW64\Aacckjaf.exeC:\Windows\system32\Aacckjaf.exe228⤵PID:7768
-
C:\Windows\SysWOW64\Ajkhdp32.exeC:\Windows\system32\Ajkhdp32.exe229⤵PID:7812
-
C:\Windows\SysWOW64\Aaepqjpd.exeC:\Windows\system32\Aaepqjpd.exe230⤵PID:7856
-
C:\Windows\SysWOW64\Aealah32.exeC:\Windows\system32\Aealah32.exe231⤵PID:7892
-
C:\Windows\SysWOW64\Ahoimd32.exeC:\Windows\system32\Ahoimd32.exe232⤵PID:7940
-
C:\Windows\SysWOW64\Ajneip32.exeC:\Windows\system32\Ajneip32.exe233⤵PID:7984
-
C:\Windows\SysWOW64\Bahmfj32.exeC:\Windows\system32\Bahmfj32.exe234⤵PID:8028
-
C:\Windows\SysWOW64\Bdfibe32.exeC:\Windows\system32\Bdfibe32.exe235⤵PID:8068
-
C:\Windows\SysWOW64\Blmacb32.exeC:\Windows\system32\Blmacb32.exe236⤵PID:8116
-
C:\Windows\SysWOW64\Bnlnon32.exeC:\Windows\system32\Bnlnon32.exe237⤵PID:8152
-
C:\Windows\SysWOW64\Bajjli32.exeC:\Windows\system32\Bajjli32.exe238⤵PID:7204
-
C:\Windows\SysWOW64\Bdhfhe32.exeC:\Windows\system32\Bdhfhe32.exe239⤵PID:7284
-
C:\Windows\SysWOW64\Blpnib32.exeC:\Windows\system32\Blpnib32.exe240⤵PID:7352
-
C:\Windows\SysWOW64\Bnnjen32.exeC:\Windows\system32\Bnnjen32.exe241⤵PID:7416
-
C:\Windows\SysWOW64\Bdkcmdhp.exeC:\Windows\system32\Bdkcmdhp.exe242⤵PID:7484