Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
31-05-2024 03:21
Behavioral task
behavioral1
Sample
74f1370bfad3961e8ba3e4e3b08e4fd0_NeikiAnalytics.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
74f1370bfad3961e8ba3e4e3b08e4fd0_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
-
Target
74f1370bfad3961e8ba3e4e3b08e4fd0_NeikiAnalytics.exe
-
Size
300KB
-
MD5
74f1370bfad3961e8ba3e4e3b08e4fd0
-
SHA1
768293a19686c1856b5352ee1144f851f658c746
-
SHA256
b437fa8bd95f658458af17ad75b95009a36eb7a0458da0e61eed3a576412683b
-
SHA512
dc3ad256e9f832e35c78715dd2f528b2582eff44d49bd65f104fea8e3235e1590eaafbe7fa3c6a7df0cc4fff1415f7dab7a27f0cd80e424939a566e1938c1585
-
SSDEEP
6144:+ntVqufhcmoZjwszeXmr8SeNpgdyuH1l+/Wd:aymCjb87g4/c
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Bnmcjg32.exeEecdjmfi.exeJblijebc.exeMgbefe32.exeIkdcmpnl.exeLnmkfh32.exeFmmmfj32.exeLggldm32.exeNaecop32.exeGgkqgaol.exeGacepg32.exeGcfqfc32.exeMlklkgei.exeNjkkbehl.exeHibjli32.exeIndfca32.exeAamknj32.exeDkcndeen.exeKkfcndce.exeHplbickp.exeJjpode32.exeNbkhfc32.exeJgfdmlcm.exeDhlpqc32.exeEdmclccp.exeLhijijbg.exeCdpjlb32.exeGppcmeem.exeIfbbig32.exeDlieda32.exeAlbpkc32.exeNqbpojnp.exeJbhfjljd.exeHheoid32.exeEfblbbqd.exeNgjkfd32.exeAlhhhcal.exeKnnhjcog.exeEidlnd32.exeAajohjon.exeGohaeo32.exeIkokan32.exeLhncdi32.exeJbdlop32.exeMdiklqhm.exeEbhglj32.exePefabkej.exePoodpmca.exeCodhnb32.exeMkmkkjko.exePjmlbbdg.exeNdcdmikd.exePjcbbmif.exeKijjbofj.exeFfimfqgm.exePlejdkmm.exeEiieicml.exedescription ioc process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnmcjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eecdjmfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jblijebc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgbefe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikdcmpnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnmkfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmmmfj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lggldm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Naecop32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggkqgaol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gacepg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcfqfc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlklkgei.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njkkbehl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hibjli32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Indfca32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aamknj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkcndeen.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkfcndce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hplbickp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjpode32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbkhfc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgfdmlcm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhlpqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edmclccp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhijijbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdpjlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gppcmeem.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifbbig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlieda32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Albpkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqbpojnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbhfjljd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hheoid32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efblbbqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngjkfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alhhhcal.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knnhjcog.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eidlnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aajohjon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gohaeo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikokan32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhncdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbdlop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdiklqhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebhglj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pefabkej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Poodpmca.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Codhnb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkmkkjko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjmlbbdg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndcdmikd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjcbbmif.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kijjbofj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffimfqgm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plejdkmm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiieicml.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Processes:
resource yara_rule C:\Windows\SysWOW64\Lddbqa32.exe family_berbew C:\Windows\SysWOW64\Mpkbebbf.exe family_berbew C:\Windows\SysWOW64\Majopeii.exe family_berbew C:\Windows\SysWOW64\Mdiklqhm.exe family_berbew C:\Windows\SysWOW64\Mcnhmm32.exe family_berbew C:\Windows\SysWOW64\Mcpebmkb.exe family_berbew C:\Windows\SysWOW64\Mkgmcjld.exe family_berbew C:\Windows\SysWOW64\Mcbahlip.exe family_berbew C:\Windows\SysWOW64\Ngpjnkpf.exe family_berbew C:\Windows\SysWOW64\Ncgkcl32.exe family_berbew C:\Windows\SysWOW64\Nnmopdep.exe family_berbew C:\Windows\SysWOW64\Nbkhfc32.exe family_berbew C:\Windows\SysWOW64\Ncldnkae.exe family_berbew C:\Windows\SysWOW64\Njfmke32.exe family_berbew C:\Windows\SysWOW64\Nbmelbid.exe family_berbew C:\Windows\SysWOW64\Odnnnnfe.exe family_berbew C:\Windows\SysWOW64\Ocqnij32.exe family_berbew C:\Windows\SysWOW64\Ogjmdigk.exe family_berbew C:\Windows\SysWOW64\Oqgkhnjf.exe family_berbew C:\Windows\SysWOW64\Ojopad32.exe family_berbew C:\Windows\SysWOW64\Ogcpjhoq.exe family_berbew C:\Windows\SysWOW64\Ojalgcnd.exe family_berbew C:\Windows\SysWOW64\Pnpemb32.exe family_berbew C:\Windows\SysWOW64\Pghieg32.exe family_berbew C:\Windows\SysWOW64\Pnbbbabh.exe family_berbew C:\Windows\SysWOW64\Peljol32.exe family_berbew C:\Windows\SysWOW64\Pndohaqe.exe family_berbew C:\Windows\SysWOW64\Pcagphom.exe family_berbew C:\Windows\SysWOW64\Pjmlbbdg.exe family_berbew C:\Windows\SysWOW64\Pbddcoei.exe family_berbew C:\Windows\SysWOW64\Qajadlja.exe family_berbew C:\Windows\SysWOW64\Qnnanphk.exe family_berbew C:\Windows\SysWOW64\Ajiknpjj.exe family_berbew C:\Windows\SysWOW64\Bhikcb32.exe family_berbew C:\Windows\SysWOW64\Dldpkoil.exe family_berbew C:\Windows\SysWOW64\Eaklidoi.exe family_berbew C:\Windows\SysWOW64\Eleiam32.exe family_berbew C:\Windows\SysWOW64\Fdgdgnbm.exe family_berbew C:\Windows\SysWOW64\Fdnjgmle.exe family_berbew C:\Windows\SysWOW64\Gbdgfa32.exe family_berbew C:\Windows\SysWOW64\Ildkgc32.exe family_berbew C:\Windows\SysWOW64\Ilidbbgl.exe family_berbew C:\Windows\SysWOW64\Jedeph32.exe family_berbew C:\Windows\SysWOW64\Jbhfjljd.exe family_berbew C:\Windows\SysWOW64\Jlbgha32.exe family_berbew C:\Windows\SysWOW64\Kpjcdn32.exe family_berbew C:\Windows\SysWOW64\Kefkme32.exe family_berbew C:\Windows\SysWOW64\Ncdgcf32.exe family_berbew C:\Windows\SysWOW64\Nggjdc32.exe family_berbew C:\Windows\SysWOW64\Pgnilpah.exe family_berbew C:\Windows\SysWOW64\Qnjnnj32.exe family_berbew C:\Windows\SysWOW64\Anadoi32.exe family_berbew C:\Windows\SysWOW64\Beglgani.exe family_berbew C:\Windows\SysWOW64\Cdabcm32.exe family_berbew C:\Windows\SysWOW64\Cfdhkhjj.exe family_berbew C:\Windows\SysWOW64\Dhfajjoj.exe family_berbew C:\Windows\SysWOW64\Daqbip32.exe family_berbew C:\Windows\SysWOW64\Ekpmbddq.exe family_berbew C:\Windows\SysWOW64\Ekgbccni.exe family_berbew C:\Windows\SysWOW64\Fgppmd32.exe family_berbew C:\Windows\SysWOW64\Fhdfbfdh.exe family_berbew C:\Windows\SysWOW64\Gglpibgm.exe family_berbew C:\Windows\SysWOW64\Ggqida32.exe family_berbew C:\Windows\SysWOW64\Hkehkocf.exe family_berbew -
Executes dropped EXE 64 IoCs
Processes:
Lddbqa32.exeMpkbebbf.exeMajopeii.exeMdiklqhm.exeMcnhmm32.exeMcpebmkb.exeMkgmcjld.exeMcbahlip.exeNgpjnkpf.exeNcgkcl32.exeNnmopdep.exeNbkhfc32.exeNcldnkae.exeNjfmke32.exeNbmelbid.exeOgjmdigk.exeOdnnnnfe.exeOcqnij32.exeOqgkhnjf.exeOjopad32.exeOgcpjhoq.exeOjalgcnd.exePnpemb32.exePghieg32.exePnbbbabh.exePeljol32.exePndohaqe.exePcagphom.exePjmlbbdg.exePbddcoei.exeQajadlja.exeQnnanphk.exeAgffge32.exeAjdbcano.exeAbkjdnoa.exeAcmflf32.exeAldomc32.exeAbngjnmo.exeAelcfilb.exeAjiknpjj.exeAeopki32.exeAlhhhcal.exeAaepqjpd.exeAealah32.exeBdfibe32.exeBnlnon32.exeBeeflhdh.exeBalfaiil.exeBjdkjo32.exeBaocghgi.exeBhikcb32.exeBbnpqk32.exeBdolhc32.exeCeoibflm.exeCogmkl32.exeCeaehfjj.exeChpada32.exeCecbmf32.exeChbnia32.exeColffknh.exeCefoce32.exeChghdqbf.exeCkedalaj.exeDldpkoil.exepid process 1160 Lddbqa32.exe 4296 Mpkbebbf.exe 2516 Majopeii.exe 4684 Mdiklqhm.exe 4084 Mcnhmm32.exe 4108 Mcpebmkb.exe 4376 Mkgmcjld.exe 4744 Mcbahlip.exe 1420 Ngpjnkpf.exe 1120 Ncgkcl32.exe 536 Nnmopdep.exe 2232 Nbkhfc32.exe 3684 Ncldnkae.exe 3316 Njfmke32.exe 4460 Nbmelbid.exe 4312 Ogjmdigk.exe 1976 Odnnnnfe.exe 3400 Ocqnij32.exe 1448 Oqgkhnjf.exe 4212 Ojopad32.exe 220 Ogcpjhoq.exe 4444 Ojalgcnd.exe 3580 Pnpemb32.exe 4724 Pghieg32.exe 1584 Pnbbbabh.exe 2992 Peljol32.exe 3688 Pndohaqe.exe 4636 Pcagphom.exe 3484 Pjmlbbdg.exe 1880 Pbddcoei.exe 1612 Qajadlja.exe 2868 Qnnanphk.exe 4388 Agffge32.exe 3440 Ajdbcano.exe 4672 Abkjdnoa.exe 3908 Acmflf32.exe 4884 Aldomc32.exe 1232 Abngjnmo.exe 4968 Aelcfilb.exe 4964 Ajiknpjj.exe 3096 Aeopki32.exe 4856 Alhhhcal.exe 2664 Aaepqjpd.exe 1396 Aealah32.exe 4748 Bdfibe32.exe 4268 Bnlnon32.exe 4292 Beeflhdh.exe 3496 Balfaiil.exe 2432 Bjdkjo32.exe 4868 Baocghgi.exe 1412 Bhikcb32.exe 2744 Bbnpqk32.exe 3572 Bdolhc32.exe 3576 Ceoibflm.exe 1952 Cogmkl32.exe 1728 Ceaehfjj.exe 3700 Chpada32.exe 1988 Cecbmf32.exe 3360 Chbnia32.exe 3336 Colffknh.exe 632 Cefoce32.exe 3260 Chghdqbf.exe 4280 Ckedalaj.exe 2096 Dldpkoil.exe -
Drops file in System32 directory 64 IoCs
Processes:
Pcagphom.exeIemppiab.exeCmgjgcgo.exeIlqoobdd.exeHdnldd32.exeHbnjmp32.exeEmaedo32.exeBmofagfp.exeMbighjdd.exeBpdnjple.exeKfjhkjle.exeLfkaag32.exeHibafp32.exeCceddf32.exeBhblllfo.exeMgkjhe32.exeJgnqgqan.exeNjmhhefi.exeOndljl32.exeCdcoim32.exeQnnanphk.exeKiidgeki.exeOhnebd32.exeCgjjdf32.exeGpnmbl32.exeNgpjnkpf.exeDhfajjoj.exeEdmclccp.exeGmeakf32.exeMajjng32.exeMkmkkjko.exeCpbjkn32.exeFmcjpl32.exeEdplhjhi.exeJgfdmlcm.exeLjobpiql.exePnpemb32.exeBdpaeehj.exeAelcfilb.exeKplpjn32.exeKijjbofj.exeDinmhkke.exeMiifeq32.exeLjgpkonp.exeBmkjkd32.exeIldkgc32.exeKcndbp32.exeHoaojp32.exeIpgbdbqb.exeFljcmlfd.exePcepkfld.exeOjgjndno.exeCpdgqmnb.exedescription ioc process File opened for modification C:\Windows\SysWOW64\Pjmlbbdg.exe Pcagphom.exe File created C:\Windows\SysWOW64\Bkblkg32.dll Iemppiab.exe File opened for modification C:\Windows\SysWOW64\Cdabcm32.exe Cmgjgcgo.exe File created C:\Windows\SysWOW64\Npdopj32.dll Ilqoobdd.exe File opened for modification C:\Windows\SysWOW64\Qfmfefni.exe File created C:\Windows\SysWOW64\Pokhgc32.dll Hdnldd32.exe File opened for modification C:\Windows\SysWOW64\Helfik32.exe Hbnjmp32.exe File created C:\Windows\SysWOW64\Eehnem32.exe Emaedo32.exe File opened for modification C:\Windows\SysWOW64\Eqmlccdi.exe File created C:\Windows\SysWOW64\Bblnindg.exe Bmofagfp.exe File opened for modification C:\Windows\SysWOW64\Mehcdfch.exe Mbighjdd.exe File created C:\Windows\SysWOW64\Hlfpph32.dll Bpdnjple.exe File created C:\Windows\SysWOW64\Ocdfloja.dll Kfjhkjle.exe File created C:\Windows\SysWOW64\Liimncmf.exe Lfkaag32.exe File opened for modification C:\Windows\SysWOW64\Hckeoeno.exe Hibafp32.exe File opened for modification C:\Windows\SysWOW64\Aimogakj.exe File opened for modification C:\Windows\SysWOW64\Cjomap32.exe Cceddf32.exe File created C:\Windows\SysWOW64\Kolfbd32.dll Bhblllfo.exe File created C:\Windows\SysWOW64\Miifeq32.exe Mgkjhe32.exe File created C:\Windows\SysWOW64\Jnhidk32.exe Jgnqgqan.exe File created C:\Windows\SysWOW64\Nagpeo32.exe Njmhhefi.exe File opened for modification C:\Windows\SysWOW64\Opeiadfg.exe Ondljl32.exe File created C:\Windows\SysWOW64\Cnicfe32.exe Cdcoim32.exe File created C:\Windows\SysWOW64\Hhimhobl.exe File opened for modification C:\Windows\SysWOW64\Agffge32.exe Qnnanphk.exe File created C:\Windows\SysWOW64\Kpbmco32.exe Kiidgeki.exe File created C:\Windows\SysWOW64\Opemca32.exe Ohnebd32.exe File opened for modification C:\Windows\SysWOW64\Cabomkll.exe Cgjjdf32.exe File created C:\Windows\SysWOW64\Ghqomgid.dll Gpnmbl32.exe File opened for modification C:\Windows\SysWOW64\Abfdpfaj.exe File opened for modification C:\Windows\SysWOW64\Njedbjej.exe File created C:\Windows\SysWOW64\Ncgkcl32.exe Ngpjnkpf.exe File created C:\Windows\SysWOW64\Ddmaok32.exe Dhfajjoj.exe File created C:\Windows\SysWOW64\Embccf32.dll Edmclccp.exe File created C:\Windows\SysWOW64\Gdoihpbk.exe Gmeakf32.exe File created C:\Windows\SysWOW64\Mhdckaeo.exe Majjng32.exe File opened for modification C:\Windows\SysWOW64\Mnkggfkb.exe Mkmkkjko.exe File opened for modification C:\Windows\SysWOW64\Ckgohf32.exe Cpbjkn32.exe File created C:\Windows\SysWOW64\Kpikki32.dll File created C:\Windows\SysWOW64\Nmqmbmdf.dll Fmcjpl32.exe File opened for modification C:\Windows\SysWOW64\Ekjded32.exe Edplhjhi.exe File opened for modification C:\Windows\SysWOW64\Jblijebc.exe Jgfdmlcm.exe File opened for modification C:\Windows\SysWOW64\Lmmolepp.exe Ljobpiql.exe File opened for modification C:\Windows\SysWOW64\Pghieg32.exe Pnpemb32.exe File created C:\Windows\SysWOW64\Iahici32.dll Bdpaeehj.exe File opened for modification C:\Windows\SysWOW64\Ajiknpjj.exe Aelcfilb.exe File created C:\Windows\SysWOW64\Bdkfmkdc.dll Kplpjn32.exe File created C:\Windows\SysWOW64\Khmknk32.exe Kijjbofj.exe File created C:\Windows\SysWOW64\Dpgeee32.exe Dinmhkke.exe File created C:\Windows\SysWOW64\Mjaofnii.dll File opened for modification C:\Windows\SysWOW64\Npcoakfp.exe Miifeq32.exe File created C:\Windows\SysWOW64\Kejocggj.dll Ljgpkonp.exe File created C:\Windows\SysWOW64\Eeiakn32.dll Bmkjkd32.exe File opened for modification C:\Windows\SysWOW64\Iemppiab.exe Ildkgc32.exe File created C:\Windows\SysWOW64\Kplqhmfl.dll File created C:\Windows\SysWOW64\Dfpcgbim.dll Kcndbp32.exe File opened for modification C:\Windows\SysWOW64\Hifcgion.exe Hoaojp32.exe File created C:\Windows\SysWOW64\Iipfmggc.exe Ipgbdbqb.exe File created C:\Windows\SysWOW64\Fllpbldb.exe Fljcmlfd.exe File created C:\Windows\SysWOW64\Knhebpni.dll Pcepkfld.exe File created C:\Windows\SysWOW64\Omegjomb.exe Ojgjndno.exe File opened for modification C:\Windows\SysWOW64\Chkobkod.exe Cpdgqmnb.exe File created C:\Windows\SysWOW64\Fhphpicg.dll File opened for modification C:\Windows\SysWOW64\Kcoccc32.exe -
Program crash 1 IoCs
Processes:
pid pid_target process target process 14048 13960 -
Modifies registry class 64 IoCs
Processes:
Ajiknpjj.exeBdolhc32.exeLiimncmf.exeEecdjmfi.exeBdfibe32.exeDjhpgofm.exeKbghfc32.exeLpneegel.exeDfjpfj32.exeAdcjop32.exeNghekkmn.exePcagphom.exeHjedffig.exeMehcdfch.exeOampjeml.exeHpofii32.exeBdgged32.exe74f1370bfad3961e8ba3e4e3b08e4fd0_NeikiAnalytics.exeNjkkbehl.exeFljcmlfd.exeBpfkpp32.exeDdmaok32.exeCijpahho.exeGkkgpc32.exeDkcndeen.exeFdepgkgj.exePjmjdm32.exeNjjdho32.exeGhaliknf.exeNeafjdkn.exeHcblpdgg.exeImgicgca.exeHopnqdan.exeGdgfce32.exeGfheof32.exeFmmmfj32.exeGpgind32.exeMokmdh32.exeNbgcih32.exeGmojkj32.exeFdlkdhnk.exeFkofga32.exeImoneg32.exeIbmeoq32.exeIdhnkf32.exeGidnkkpc.exeGfngap32.exeCceddf32.exeNlphbnoe.exeDglkoeio.exeHobkfd32.exeInmpcc32.exeAcmflf32.exeHnhghcki.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cleqadmh.dll" Ajiknpjj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdolhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Liimncmf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eecdjmfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdfibe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgbbpbop.dll" Djhpgofm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Einbcgha.dll" Kbghfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciepangh.dll" Lpneegel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfjpfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adcjop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqnpfi32.dll" Nghekkmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcagphom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjedffig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egdeookg.dll" Mehcdfch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oampjeml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpofii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdgged32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID 74f1370bfad3961e8ba3e4e3b08e4fd0_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njkkbehl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fljcmlfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpfkpp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddmaok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ambahc32.dll" Cijpahho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlfndjhh.dll" Gkkgpc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkcndeen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pngfalmm.dll" Fdepgkgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjmjdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dannpknl.dll" Njjdho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qghlmgij.dll" Ghaliknf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Neafjdkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcblpdgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekfjcc32.dll" Imgicgca.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hopnqdan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebcdpe32.dll" Gdgfce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfheof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmmmfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ficlfj32.dll" Gpgind32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akkeajoj.dll" Mokmdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfkklk32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbgcih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahbohd32.dll" Gmojkj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdlkdhnk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkofga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kplqhmfl.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipdejo32.dll" Imoneg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibmeoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idhnkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gidnkkpc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfngap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mennkfdm.dll" Cceddf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlphbnoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dglkoeio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hobkfd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Inmpcc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Acmflf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnhghcki.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
74f1370bfad3961e8ba3e4e3b08e4fd0_NeikiAnalytics.exeLddbqa32.exeMpkbebbf.exeMajopeii.exeMdiklqhm.exeMcnhmm32.exeMcpebmkb.exeMkgmcjld.exeMcbahlip.exeNgpjnkpf.exeNcgkcl32.exeNnmopdep.exeNbkhfc32.exeNcldnkae.exeNjfmke32.exeNbmelbid.exeOgjmdigk.exeOdnnnnfe.exeOcqnij32.exeOqgkhnjf.exeOjopad32.exeOgcpjhoq.exedescription pid process target process PID 4404 wrote to memory of 1160 4404 74f1370bfad3961e8ba3e4e3b08e4fd0_NeikiAnalytics.exe Lddbqa32.exe PID 4404 wrote to memory of 1160 4404 74f1370bfad3961e8ba3e4e3b08e4fd0_NeikiAnalytics.exe Lddbqa32.exe PID 4404 wrote to memory of 1160 4404 74f1370bfad3961e8ba3e4e3b08e4fd0_NeikiAnalytics.exe Lddbqa32.exe PID 1160 wrote to memory of 4296 1160 Lddbqa32.exe Mpkbebbf.exe PID 1160 wrote to memory of 4296 1160 Lddbqa32.exe Mpkbebbf.exe PID 1160 wrote to memory of 4296 1160 Lddbqa32.exe Mpkbebbf.exe PID 4296 wrote to memory of 2516 4296 Mpkbebbf.exe Majopeii.exe PID 4296 wrote to memory of 2516 4296 Mpkbebbf.exe Majopeii.exe PID 4296 wrote to memory of 2516 4296 Mpkbebbf.exe Majopeii.exe PID 2516 wrote to memory of 4684 2516 Majopeii.exe Mdiklqhm.exe PID 2516 wrote to memory of 4684 2516 Majopeii.exe Mdiklqhm.exe PID 2516 wrote to memory of 4684 2516 Majopeii.exe Mdiklqhm.exe PID 4684 wrote to memory of 4084 4684 Mdiklqhm.exe Mcnhmm32.exe PID 4684 wrote to memory of 4084 4684 Mdiklqhm.exe Mcnhmm32.exe PID 4684 wrote to memory of 4084 4684 Mdiklqhm.exe Mcnhmm32.exe PID 4084 wrote to memory of 4108 4084 Mcnhmm32.exe Mcpebmkb.exe PID 4084 wrote to memory of 4108 4084 Mcnhmm32.exe Mcpebmkb.exe PID 4084 wrote to memory of 4108 4084 Mcnhmm32.exe Mcpebmkb.exe PID 4108 wrote to memory of 4376 4108 Mcpebmkb.exe Mkgmcjld.exe PID 4108 wrote to memory of 4376 4108 Mcpebmkb.exe Mkgmcjld.exe PID 4108 wrote to memory of 4376 4108 Mcpebmkb.exe Mkgmcjld.exe PID 4376 wrote to memory of 4744 4376 Mkgmcjld.exe Mcbahlip.exe PID 4376 wrote to memory of 4744 4376 Mkgmcjld.exe Mcbahlip.exe PID 4376 wrote to memory of 4744 4376 Mkgmcjld.exe Mcbahlip.exe PID 4744 wrote to memory of 1420 4744 Mcbahlip.exe Ngpjnkpf.exe PID 4744 wrote to memory of 1420 4744 Mcbahlip.exe Ngpjnkpf.exe PID 4744 wrote to memory of 1420 4744 Mcbahlip.exe Ngpjnkpf.exe PID 1420 wrote to memory of 1120 1420 Ngpjnkpf.exe Ncgkcl32.exe PID 1420 wrote to memory of 1120 1420 Ngpjnkpf.exe Ncgkcl32.exe PID 1420 wrote to memory of 1120 1420 Ngpjnkpf.exe Ncgkcl32.exe PID 1120 wrote to memory of 536 1120 Ncgkcl32.exe Nnmopdep.exe PID 1120 wrote to memory of 536 1120 Ncgkcl32.exe Nnmopdep.exe PID 1120 wrote to memory of 536 1120 Ncgkcl32.exe Nnmopdep.exe PID 536 wrote to memory of 2232 536 Nnmopdep.exe Nbkhfc32.exe PID 536 wrote to memory of 2232 536 Nnmopdep.exe Nbkhfc32.exe PID 536 wrote to memory of 2232 536 Nnmopdep.exe Nbkhfc32.exe PID 2232 wrote to memory of 3684 2232 Nbkhfc32.exe Ncldnkae.exe PID 2232 wrote to memory of 3684 2232 Nbkhfc32.exe Ncldnkae.exe PID 2232 wrote to memory of 3684 2232 Nbkhfc32.exe Ncldnkae.exe PID 3684 wrote to memory of 3316 3684 Ncldnkae.exe Njfmke32.exe PID 3684 wrote to memory of 3316 3684 Ncldnkae.exe Njfmke32.exe PID 3684 wrote to memory of 3316 3684 Ncldnkae.exe Njfmke32.exe PID 3316 wrote to memory of 4460 3316 Njfmke32.exe Nbmelbid.exe PID 3316 wrote to memory of 4460 3316 Njfmke32.exe Nbmelbid.exe PID 3316 wrote to memory of 4460 3316 Njfmke32.exe Nbmelbid.exe PID 4460 wrote to memory of 4312 4460 Nbmelbid.exe Ogjmdigk.exe PID 4460 wrote to memory of 4312 4460 Nbmelbid.exe Ogjmdigk.exe PID 4460 wrote to memory of 4312 4460 Nbmelbid.exe Ogjmdigk.exe PID 4312 wrote to memory of 1976 4312 Ogjmdigk.exe Odnnnnfe.exe PID 4312 wrote to memory of 1976 4312 Ogjmdigk.exe Odnnnnfe.exe PID 4312 wrote to memory of 1976 4312 Ogjmdigk.exe Odnnnnfe.exe PID 1976 wrote to memory of 3400 1976 Odnnnnfe.exe Ocqnij32.exe PID 1976 wrote to memory of 3400 1976 Odnnnnfe.exe Ocqnij32.exe PID 1976 wrote to memory of 3400 1976 Odnnnnfe.exe Ocqnij32.exe PID 3400 wrote to memory of 1448 3400 Ocqnij32.exe Oqgkhnjf.exe PID 3400 wrote to memory of 1448 3400 Ocqnij32.exe Oqgkhnjf.exe PID 3400 wrote to memory of 1448 3400 Ocqnij32.exe Oqgkhnjf.exe PID 1448 wrote to memory of 4212 1448 Oqgkhnjf.exe Ojopad32.exe PID 1448 wrote to memory of 4212 1448 Oqgkhnjf.exe Ojopad32.exe PID 1448 wrote to memory of 4212 1448 Oqgkhnjf.exe Ojopad32.exe PID 4212 wrote to memory of 220 4212 Ojopad32.exe Ogcpjhoq.exe PID 4212 wrote to memory of 220 4212 Ojopad32.exe Ogcpjhoq.exe PID 4212 wrote to memory of 220 4212 Ojopad32.exe Ogcpjhoq.exe PID 220 wrote to memory of 4444 220 Ogcpjhoq.exe Ojalgcnd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\74f1370bfad3961e8ba3e4e3b08e4fd0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\74f1370bfad3961e8ba3e4e3b08e4fd0_NeikiAnalytics.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4404 -
C:\Windows\SysWOW64\Lddbqa32.exeC:\Windows\system32\Lddbqa32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Windows\SysWOW64\Mpkbebbf.exeC:\Windows\system32\Mpkbebbf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4296 -
C:\Windows\SysWOW64\Majopeii.exeC:\Windows\system32\Majopeii.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Mdiklqhm.exeC:\Windows\system32\Mdiklqhm.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4684 -
C:\Windows\SysWOW64\Mcnhmm32.exeC:\Windows\system32\Mcnhmm32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4084 -
C:\Windows\SysWOW64\Mcpebmkb.exeC:\Windows\system32\Mcpebmkb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4108 -
C:\Windows\SysWOW64\Mkgmcjld.exeC:\Windows\system32\Mkgmcjld.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4376 -
C:\Windows\SysWOW64\Mcbahlip.exeC:\Windows\system32\Mcbahlip.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4744 -
C:\Windows\SysWOW64\Ngpjnkpf.exeC:\Windows\system32\Ngpjnkpf.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1420 -
C:\Windows\SysWOW64\Ncgkcl32.exeC:\Windows\system32\Ncgkcl32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1120 -
C:\Windows\SysWOW64\Nnmopdep.exeC:\Windows\system32\Nnmopdep.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:536 -
C:\Windows\SysWOW64\Nbkhfc32.exeC:\Windows\system32\Nbkhfc32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\Ncldnkae.exeC:\Windows\system32\Ncldnkae.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3684 -
C:\Windows\SysWOW64\Njfmke32.exeC:\Windows\system32\Njfmke32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3316 -
C:\Windows\SysWOW64\Nbmelbid.exeC:\Windows\system32\Nbmelbid.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460 -
C:\Windows\SysWOW64\Ogjmdigk.exeC:\Windows\system32\Ogjmdigk.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4312 -
C:\Windows\SysWOW64\Odnnnnfe.exeC:\Windows\system32\Odnnnnfe.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Ocqnij32.exeC:\Windows\system32\Ocqnij32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3400 -
C:\Windows\SysWOW64\Oqgkhnjf.exeC:\Windows\system32\Oqgkhnjf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1448 -
C:\Windows\SysWOW64\Ojopad32.exeC:\Windows\system32\Ojopad32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4212 -
C:\Windows\SysWOW64\Ogcpjhoq.exeC:\Windows\system32\Ogcpjhoq.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
C:\Windows\SysWOW64\Ojalgcnd.exeC:\Windows\system32\Ojalgcnd.exe23⤵
- Executes dropped EXE
PID:4444 -
C:\Windows\SysWOW64\Pnpemb32.exeC:\Windows\system32\Pnpemb32.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3580 -
C:\Windows\SysWOW64\Pghieg32.exeC:\Windows\system32\Pghieg32.exe25⤵
- Executes dropped EXE
PID:4724 -
C:\Windows\SysWOW64\Pnbbbabh.exeC:\Windows\system32\Pnbbbabh.exe26⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Peljol32.exeC:\Windows\system32\Peljol32.exe27⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Pndohaqe.exeC:\Windows\system32\Pndohaqe.exe28⤵
- Executes dropped EXE
PID:3688 -
C:\Windows\SysWOW64\Pcagphom.exeC:\Windows\system32\Pcagphom.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4636 -
C:\Windows\SysWOW64\Pjmlbbdg.exeC:\Windows\system32\Pjmlbbdg.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3484 -
C:\Windows\SysWOW64\Pbddcoei.exeC:\Windows\system32\Pbddcoei.exe31⤵
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\Qajadlja.exeC:\Windows\system32\Qajadlja.exe32⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Qnnanphk.exeC:\Windows\system32\Qnnanphk.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2868 -
C:\Windows\SysWOW64\Agffge32.exeC:\Windows\system32\Agffge32.exe34⤵
- Executes dropped EXE
PID:4388 -
C:\Windows\SysWOW64\Ajdbcano.exeC:\Windows\system32\Ajdbcano.exe35⤵
- Executes dropped EXE
PID:3440 -
C:\Windows\SysWOW64\Abkjdnoa.exeC:\Windows\system32\Abkjdnoa.exe36⤵
- Executes dropped EXE
PID:4672 -
C:\Windows\SysWOW64\Acmflf32.exeC:\Windows\system32\Acmflf32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:3908 -
C:\Windows\SysWOW64\Aldomc32.exeC:\Windows\system32\Aldomc32.exe38⤵
- Executes dropped EXE
PID:4884 -
C:\Windows\SysWOW64\Abngjnmo.exeC:\Windows\system32\Abngjnmo.exe39⤵
- Executes dropped EXE
PID:1232 -
C:\Windows\SysWOW64\Aelcfilb.exeC:\Windows\system32\Aelcfilb.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4968 -
C:\Windows\SysWOW64\Ajiknpjj.exeC:\Windows\system32\Ajiknpjj.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:4964 -
C:\Windows\SysWOW64\Aeopki32.exeC:\Windows\system32\Aeopki32.exe42⤵
- Executes dropped EXE
PID:3096 -
C:\Windows\SysWOW64\Alhhhcal.exeC:\Windows\system32\Alhhhcal.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4856 -
C:\Windows\SysWOW64\Aaepqjpd.exeC:\Windows\system32\Aaepqjpd.exe44⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Aealah32.exeC:\Windows\system32\Aealah32.exe45⤵
- Executes dropped EXE
PID:1396 -
C:\Windows\SysWOW64\Bdfibe32.exeC:\Windows\system32\Bdfibe32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:4748 -
C:\Windows\SysWOW64\Bnlnon32.exeC:\Windows\system32\Bnlnon32.exe47⤵
- Executes dropped EXE
PID:4268 -
C:\Windows\SysWOW64\Beeflhdh.exeC:\Windows\system32\Beeflhdh.exe48⤵
- Executes dropped EXE
PID:4292 -
C:\Windows\SysWOW64\Balfaiil.exeC:\Windows\system32\Balfaiil.exe49⤵
- Executes dropped EXE
PID:3496 -
C:\Windows\SysWOW64\Bjdkjo32.exeC:\Windows\system32\Bjdkjo32.exe50⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Baocghgi.exeC:\Windows\system32\Baocghgi.exe51⤵
- Executes dropped EXE
PID:4868 -
C:\Windows\SysWOW64\Bhikcb32.exeC:\Windows\system32\Bhikcb32.exe52⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\Bbnpqk32.exeC:\Windows\system32\Bbnpqk32.exe53⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Bdolhc32.exeC:\Windows\system32\Bdolhc32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:3572 -
C:\Windows\SysWOW64\Ceoibflm.exeC:\Windows\system32\Ceoibflm.exe55⤵
- Executes dropped EXE
PID:3576 -
C:\Windows\SysWOW64\Cogmkl32.exeC:\Windows\system32\Cogmkl32.exe56⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Ceaehfjj.exeC:\Windows\system32\Ceaehfjj.exe57⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Chpada32.exeC:\Windows\system32\Chpada32.exe58⤵
- Executes dropped EXE
PID:3700 -
C:\Windows\SysWOW64\Cecbmf32.exeC:\Windows\system32\Cecbmf32.exe59⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Chbnia32.exeC:\Windows\system32\Chbnia32.exe60⤵
- Executes dropped EXE
PID:3360 -
C:\Windows\SysWOW64\Colffknh.exeC:\Windows\system32\Colffknh.exe61⤵
- Executes dropped EXE
PID:3336 -
C:\Windows\SysWOW64\Cefoce32.exeC:\Windows\system32\Cefoce32.exe62⤵
- Executes dropped EXE
PID:632 -
C:\Windows\SysWOW64\Cbjoljdo.exeC:\Windows\system32\Cbjoljdo.exe63⤵PID:2272
-
C:\Windows\SysWOW64\Chghdqbf.exeC:\Windows\system32\Chghdqbf.exe64⤵
- Executes dropped EXE
PID:3260 -
C:\Windows\SysWOW64\Ckedalaj.exeC:\Windows\system32\Ckedalaj.exe65⤵
- Executes dropped EXE
PID:4280 -
C:\Windows\SysWOW64\Dldpkoil.exeC:\Windows\system32\Dldpkoil.exe66⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Dhkapp32.exeC:\Windows\system32\Dhkapp32.exe67⤵PID:1572
-
C:\Windows\SysWOW64\Dkjmlk32.exeC:\Windows\system32\Dkjmlk32.exe68⤵PID:448
-
C:\Windows\SysWOW64\Dbaemi32.exeC:\Windows\system32\Dbaemi32.exe69⤵PID:1140
-
C:\Windows\SysWOW64\Dkljak32.exeC:\Windows\system32\Dkljak32.exe70⤵PID:3216
-
C:\Windows\SysWOW64\Dafbne32.exeC:\Windows\system32\Dafbne32.exe71⤵PID:4628
-
C:\Windows\SysWOW64\Dhpjkojk.exeC:\Windows\system32\Dhpjkojk.exe72⤵PID:5080
-
C:\Windows\SysWOW64\Dceohhja.exeC:\Windows\system32\Dceohhja.exe73⤵PID:2192
-
C:\Windows\SysWOW64\Dlncan32.exeC:\Windows\system32\Dlncan32.exe74⤵PID:524
-
C:\Windows\SysWOW64\Eaklidoi.exeC:\Windows\system32\Eaklidoi.exe75⤵PID:2472
-
C:\Windows\SysWOW64\Ekcpbj32.exeC:\Windows\system32\Ekcpbj32.exe76⤵PID:2968
-
C:\Windows\SysWOW64\Eamhodmf.exeC:\Windows\system32\Eamhodmf.exe77⤵PID:4028
-
C:\Windows\SysWOW64\Elbmlmml.exeC:\Windows\system32\Elbmlmml.exe78⤵PID:1940
-
C:\Windows\SysWOW64\Eleiam32.exeC:\Windows\system32\Eleiam32.exe79⤵PID:2172
-
C:\Windows\SysWOW64\Edpnfo32.exeC:\Windows\system32\Edpnfo32.exe80⤵PID:4380
-
C:\Windows\SysWOW64\Eadopc32.exeC:\Windows\system32\Eadopc32.exe81⤵PID:4584
-
C:\Windows\SysWOW64\Fljcmlfd.exeC:\Windows\system32\Fljcmlfd.exe82⤵
- Drops file in System32 directory
- Modifies registry class
PID:4704 -
C:\Windows\SysWOW64\Fllpbldb.exeC:\Windows\system32\Fllpbldb.exe83⤵PID:1660
-
C:\Windows\SysWOW64\Fdgdgnbm.exeC:\Windows\system32\Fdgdgnbm.exe84⤵PID:3988
-
C:\Windows\SysWOW64\Fomhdg32.exeC:\Windows\system32\Fomhdg32.exe85⤵PID:1760
-
C:\Windows\SysWOW64\Fakdpb32.exeC:\Windows\system32\Fakdpb32.exe86⤵PID:4860
-
C:\Windows\SysWOW64\Ffimfqgm.exeC:\Windows\system32\Ffimfqgm.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:840 -
C:\Windows\SysWOW64\Flceckoj.exeC:\Windows\system32\Flceckoj.exe88⤵PID:1596
-
C:\Windows\SysWOW64\Fdnjgmle.exeC:\Windows\system32\Fdnjgmle.exe89⤵PID:1904
-
C:\Windows\SysWOW64\Gkhbdg32.exeC:\Windows\system32\Gkhbdg32.exe90⤵PID:1604
-
C:\Windows\SysWOW64\Gfngap32.exeC:\Windows\system32\Gfngap32.exe91⤵
- Modifies registry class
PID:1200 -
C:\Windows\SysWOW64\Gbdgfa32.exeC:\Windows\system32\Gbdgfa32.exe92⤵PID:832
-
C:\Windows\SysWOW64\Gmjlcj32.exeC:\Windows\system32\Gmjlcj32.exe93⤵PID:3616
-
C:\Windows\SysWOW64\Gcddpdpo.exeC:\Windows\system32\Gcddpdpo.exe94⤵PID:2700
-
C:\Windows\SysWOW64\Gbgdlq32.exeC:\Windows\system32\Gbgdlq32.exe95⤵PID:592
-
C:\Windows\SysWOW64\Ghaliknf.exeC:\Windows\system32\Ghaliknf.exe96⤵
- Modifies registry class
PID:4508 -
C:\Windows\SysWOW64\Gkoiefmj.exeC:\Windows\system32\Gkoiefmj.exe97⤵PID:1068
-
C:\Windows\SysWOW64\Gcfqfc32.exeC:\Windows\system32\Gcfqfc32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1592 -
C:\Windows\SysWOW64\Gomakdcp.exeC:\Windows\system32\Gomakdcp.exe99⤵PID:4932
-
C:\Windows\SysWOW64\Gblngpbd.exeC:\Windows\system32\Gblngpbd.exe100⤵PID:3264
-
C:\Windows\SysWOW64\Hopnqdan.exeC:\Windows\system32\Hopnqdan.exe101⤵
- Modifies registry class
PID:5088 -
C:\Windows\SysWOW64\Hbnjmp32.exeC:\Windows\system32\Hbnjmp32.exe102⤵
- Drops file in System32 directory
PID:4656 -
C:\Windows\SysWOW64\Helfik32.exeC:\Windows\system32\Helfik32.exe103⤵PID:5180
-
C:\Windows\SysWOW64\Hkfoeega.exeC:\Windows\system32\Hkfoeega.exe104⤵PID:5240
-
C:\Windows\SysWOW64\Hobkfd32.exeC:\Windows\system32\Hobkfd32.exe105⤵
- Modifies registry class
PID:5296 -
C:\Windows\SysWOW64\Hflcbngh.exeC:\Windows\system32\Hflcbngh.exe106⤵PID:5348
-
C:\Windows\SysWOW64\Hmfkoh32.exeC:\Windows\system32\Hmfkoh32.exe107⤵PID:5392
-
C:\Windows\SysWOW64\Hodgkc32.exeC:\Windows\system32\Hodgkc32.exe108⤵PID:5452
-
C:\Windows\SysWOW64\Hbbdholl.exeC:\Windows\system32\Hbbdholl.exe109⤵PID:5496
-
C:\Windows\SysWOW64\Heapdjlp.exeC:\Windows\system32\Heapdjlp.exe110⤵PID:5560
-
C:\Windows\SysWOW64\Hmhhehlb.exeC:\Windows\system32\Hmhhehlb.exe111⤵PID:5604
-
C:\Windows\SysWOW64\Hofdacke.exeC:\Windows\system32\Hofdacke.exe112⤵PID:5660
-
C:\Windows\SysWOW64\Hcbpab32.exeC:\Windows\system32\Hcbpab32.exe113⤵PID:5708
-
C:\Windows\SysWOW64\Hecmijim.exeC:\Windows\system32\Hecmijim.exe114⤵PID:5756
-
C:\Windows\SysWOW64\Hioiji32.exeC:\Windows\system32\Hioiji32.exe115⤵PID:5800
-
C:\Windows\SysWOW64\Hoiafcic.exeC:\Windows\system32\Hoiafcic.exe116⤵PID:5844
-
C:\Windows\SysWOW64\Hbgmcnhf.exeC:\Windows\system32\Hbgmcnhf.exe117⤵PID:5900
-
C:\Windows\SysWOW64\Iiaephpc.exeC:\Windows\system32\Iiaephpc.exe118⤵PID:5940
-
C:\Windows\SysWOW64\Ipknlb32.exeC:\Windows\system32\Ipknlb32.exe119⤵PID:6000
-
C:\Windows\SysWOW64\Imoneg32.exeC:\Windows\system32\Imoneg32.exe120⤵
- Modifies registry class
PID:6040 -
C:\Windows\SysWOW64\Icifbang.exeC:\Windows\system32\Icifbang.exe121⤵PID:6084
-
C:\Windows\SysWOW64\Iejcji32.exeC:\Windows\system32\Iejcji32.exe122⤵PID:6128
-
C:\Windows\SysWOW64\Ildkgc32.exeC:\Windows\system32\Ildkgc32.exe123⤵
- Drops file in System32 directory
PID:5148 -
C:\Windows\SysWOW64\Iemppiab.exeC:\Windows\system32\Iemppiab.exe124⤵
- Drops file in System32 directory
PID:5232 -
C:\Windows\SysWOW64\Ieolehop.exeC:\Windows\system32\Ieolehop.exe125⤵PID:5320
-
C:\Windows\SysWOW64\Ilidbbgl.exeC:\Windows\system32\Ilidbbgl.exe126⤵PID:5432
-
C:\Windows\SysWOW64\Jimekgff.exeC:\Windows\system32\Jimekgff.exe127⤵PID:5536
-
C:\Windows\SysWOW64\Jbeidl32.exeC:\Windows\system32\Jbeidl32.exe128⤵PID:5612
-
C:\Windows\SysWOW64\Jedeph32.exeC:\Windows\system32\Jedeph32.exe129⤵PID:5692
-
C:\Windows\SysWOW64\Jcefno32.exeC:\Windows\system32\Jcefno32.exe130⤵PID:5744
-
C:\Windows\SysWOW64\Jbhfjljd.exeC:\Windows\system32\Jbhfjljd.exe131⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5836 -
C:\Windows\SysWOW64\Jfeopj32.exeC:\Windows\system32\Jfeopj32.exe132⤵PID:5924
-
C:\Windows\SysWOW64\Jidklf32.exeC:\Windows\system32\Jidklf32.exe133⤵PID:5996
-
C:\Windows\SysWOW64\Jlbgha32.exeC:\Windows\system32\Jlbgha32.exe134⤵PID:6068
-
C:\Windows\SysWOW64\Kfjhkjle.exeC:\Windows\system32\Kfjhkjle.exe135⤵
- Drops file in System32 directory
PID:6140 -
C:\Windows\SysWOW64\Kiidgeki.exeC:\Windows\system32\Kiidgeki.exe136⤵
- Drops file in System32 directory
PID:5204 -
C:\Windows\SysWOW64\Kpbmco32.exeC:\Windows\system32\Kpbmco32.exe137⤵PID:5344
-
C:\Windows\SysWOW64\Klimip32.exeC:\Windows\system32\Klimip32.exe138⤵PID:5508
-
C:\Windows\SysWOW64\Kfoafi32.exeC:\Windows\system32\Kfoafi32.exe139⤵PID:5656
-
C:\Windows\SysWOW64\Kmijbcpl.exeC:\Windows\system32\Kmijbcpl.exe140⤵PID:5792
-
C:\Windows\SysWOW64\Kpjcdn32.exeC:\Windows\system32\Kpjcdn32.exe141⤵PID:5884
-
C:\Windows\SysWOW64\Kfckahdj.exeC:\Windows\system32\Kfckahdj.exe142⤵PID:6016
-
C:\Windows\SysWOW64\Kefkme32.exeC:\Windows\system32\Kefkme32.exe143⤵PID:6120
-
C:\Windows\SysWOW64\Kplpjn32.exeC:\Windows\system32\Kplpjn32.exe144⤵
- Drops file in System32 directory
PID:5224 -
C:\Windows\SysWOW64\Lbjlfi32.exeC:\Windows\system32\Lbjlfi32.exe145⤵PID:5544
-
C:\Windows\SysWOW64\Ligqhc32.exeC:\Windows\system32\Ligqhc32.exe146⤵PID:5736
-
C:\Windows\SysWOW64\Lfkaag32.exeC:\Windows\system32\Lfkaag32.exe147⤵
- Drops file in System32 directory
PID:5976 -
C:\Windows\SysWOW64\Liimncmf.exeC:\Windows\system32\Liimncmf.exe148⤵
- Modifies registry class
PID:6104 -
C:\Windows\SysWOW64\Llgjjnlj.exeC:\Windows\system32\Llgjjnlj.exe149⤵PID:5376
-
C:\Windows\SysWOW64\Lbabgh32.exeC:\Windows\system32\Lbabgh32.exe150⤵PID:5764
-
C:\Windows\SysWOW64\Lebkhc32.exeC:\Windows\system32\Lebkhc32.exe151⤵PID:6080
-
C:\Windows\SysWOW64\Lllcen32.exeC:\Windows\system32\Lllcen32.exe152⤵PID:5504
-
C:\Windows\SysWOW64\Mmlpoqpg.exeC:\Windows\system32\Mmlpoqpg.exe153⤵PID:6052
-
C:\Windows\SysWOW64\Mpjlklok.exeC:\Windows\system32\Mpjlklok.exe154⤵PID:5856
-
C:\Windows\SysWOW64\Mdehlk32.exeC:\Windows\system32\Mdehlk32.exe155⤵PID:6192
-
C:\Windows\SysWOW64\Megdccmb.exeC:\Windows\system32\Megdccmb.exe156⤵PID:6244
-
C:\Windows\SysWOW64\Mlampmdo.exeC:\Windows\system32\Mlampmdo.exe157⤵PID:6288
-
C:\Windows\SysWOW64\Mmpijp32.exeC:\Windows\system32\Mmpijp32.exe158⤵PID:6332
-
C:\Windows\SysWOW64\Mpoefk32.exeC:\Windows\system32\Mpoefk32.exe159⤵PID:6376
-
C:\Windows\SysWOW64\Mlefklpj.exeC:\Windows\system32\Mlefklpj.exe160⤵PID:6420
-
C:\Windows\SysWOW64\Mdmnlj32.exeC:\Windows\system32\Mdmnlj32.exe161⤵PID:6456
-
C:\Windows\SysWOW64\Mgkjhe32.exeC:\Windows\system32\Mgkjhe32.exe162⤵
- Drops file in System32 directory
PID:6508 -
C:\Windows\SysWOW64\Miifeq32.exeC:\Windows\system32\Miifeq32.exe163⤵
- Drops file in System32 directory
PID:6556 -
C:\Windows\SysWOW64\Npcoakfp.exeC:\Windows\system32\Npcoakfp.exe164⤵PID:6600
-
C:\Windows\SysWOW64\Nilcjp32.exeC:\Windows\system32\Nilcjp32.exe165⤵PID:6640
-
C:\Windows\SysWOW64\Nljofl32.exeC:\Windows\system32\Nljofl32.exe166⤵PID:6684
-
C:\Windows\SysWOW64\Ncdgcf32.exeC:\Windows\system32\Ncdgcf32.exe167⤵PID:6728
-
C:\Windows\SysWOW64\Ndcdmikd.exeC:\Windows\system32\Ndcdmikd.exe168⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6772 -
C:\Windows\SysWOW64\Nnlhfn32.exeC:\Windows\system32\Nnlhfn32.exe169⤵PID:6816
-
C:\Windows\SysWOW64\Ndfqbhia.exeC:\Windows\system32\Ndfqbhia.exe170⤵PID:6856
-
C:\Windows\SysWOW64\Nnneknob.exeC:\Windows\system32\Nnneknob.exe171⤵PID:6900
-
C:\Windows\SysWOW64\Nggjdc32.exeC:\Windows\system32\Nggjdc32.exe172⤵PID:6944
-
C:\Windows\SysWOW64\Ocnjidkf.exeC:\Windows\system32\Ocnjidkf.exe173⤵PID:6988
-
C:\Windows\SysWOW64\Oncofm32.exeC:\Windows\system32\Oncofm32.exe174⤵PID:7032
-
C:\Windows\SysWOW64\Ocpgod32.exeC:\Windows\system32\Ocpgod32.exe175⤵PID:7076
-
C:\Windows\SysWOW64\Ognpebpj.exeC:\Windows\system32\Ognpebpj.exe176⤵PID:7120
-
C:\Windows\SysWOW64\Oqfdnhfk.exeC:\Windows\system32\Oqfdnhfk.exe177⤵PID:7164
-
C:\Windows\SysWOW64\Ofcmfodb.exeC:\Windows\system32\Ofcmfodb.exe178⤵PID:6180
-
C:\Windows\SysWOW64\Ofeilobp.exeC:\Windows\system32\Ofeilobp.exe179⤵PID:6240
-
C:\Windows\SysWOW64\Pqknig32.exeC:\Windows\system32\Pqknig32.exe180⤵PID:6316
-
C:\Windows\SysWOW64\Pcijeb32.exeC:\Windows\system32\Pcijeb32.exe181⤵PID:6360
-
C:\Windows\SysWOW64\Pjcbbmif.exeC:\Windows\system32\Pjcbbmif.exe182⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6444 -
C:\Windows\SysWOW64\Pdifoehl.exeC:\Windows\system32\Pdifoehl.exe183⤵PID:6500
-
C:\Windows\SysWOW64\Pjeoglgc.exeC:\Windows\system32\Pjeoglgc.exe184⤵PID:6580
-
C:\Windows\SysWOW64\Pflplnlg.exeC:\Windows\system32\Pflplnlg.exe185⤵PID:6648
-
C:\Windows\SysWOW64\Pcppfaka.exeC:\Windows\system32\Pcppfaka.exe186⤵PID:6720
-
C:\Windows\SysWOW64\Pgnilpah.exeC:\Windows\system32\Pgnilpah.exe187⤵PID:6780
-
C:\Windows\SysWOW64\Qnhahj32.exeC:\Windows\system32\Qnhahj32.exe188⤵PID:6844
-
C:\Windows\SysWOW64\Qnjnnj32.exeC:\Windows\system32\Qnjnnj32.exe189⤵PID:6908
-
C:\Windows\SysWOW64\Anogiicl.exeC:\Windows\system32\Anogiicl.exe190⤵PID:6964
-
C:\Windows\SysWOW64\Anadoi32.exeC:\Windows\system32\Anadoi32.exe191⤵PID:7040
-
C:\Windows\SysWOW64\Ajhddjfn.exeC:\Windows\system32\Ajhddjfn.exe192⤵PID:7108
-
C:\Windows\SysWOW64\Acqimo32.exeC:\Windows\system32\Acqimo32.exe193⤵PID:7148
-
C:\Windows\SysWOW64\Aglemn32.exeC:\Windows\system32\Aglemn32.exe194⤵PID:6232
-
C:\Windows\SysWOW64\Anfmjhmd.exeC:\Windows\system32\Anfmjhmd.exe195⤵PID:6412
-
C:\Windows\SysWOW64\Aadifclh.exeC:\Windows\system32\Aadifclh.exe196⤵PID:6532
-
C:\Windows\SysWOW64\Accfbokl.exeC:\Windows\system32\Accfbokl.exe197⤵PID:6704
-
C:\Windows\SysWOW64\Bjmnoi32.exeC:\Windows\system32\Bjmnoi32.exe198⤵PID:6840
-
C:\Windows\SysWOW64\Bmkjkd32.exeC:\Windows\system32\Bmkjkd32.exe199⤵
- Drops file in System32 directory
PID:6972 -
C:\Windows\SysWOW64\Bcebhoii.exeC:\Windows\system32\Bcebhoii.exe200⤵PID:7156
-
C:\Windows\SysWOW64\Bfdodjhm.exeC:\Windows\system32\Bfdodjhm.exe201⤵PID:6392
-
C:\Windows\SysWOW64\Bnkgeg32.exeC:\Windows\system32\Bnkgeg32.exe202⤵PID:6692
-
C:\Windows\SysWOW64\Baicac32.exeC:\Windows\system32\Baicac32.exe203⤵PID:6892
-
C:\Windows\SysWOW64\Bgcknmop.exeC:\Windows\system32\Bgcknmop.exe204⤵PID:6200
-
C:\Windows\SysWOW64\Bffkij32.exeC:\Windows\system32\Bffkij32.exe205⤵PID:6632
-
C:\Windows\SysWOW64\Bnmcjg32.exeC:\Windows\system32\Bnmcjg32.exe206⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7132 -
C:\Windows\SysWOW64\Beglgani.exeC:\Windows\system32\Beglgani.exe207⤵PID:6832
-
C:\Windows\SysWOW64\Bfhhoi32.exeC:\Windows\system32\Bfhhoi32.exe208⤵PID:6572
-
C:\Windows\SysWOW64\Beihma32.exeC:\Windows\system32\Beihma32.exe209⤵PID:6804
-
C:\Windows\SysWOW64\Bfkedibe.exeC:\Windows\system32\Bfkedibe.exe210⤵PID:7180
-
C:\Windows\SysWOW64\Bnbmefbg.exeC:\Windows\system32\Bnbmefbg.exe211⤵PID:7220
-
C:\Windows\SysWOW64\Bapiabak.exeC:\Windows\system32\Bapiabak.exe212⤵PID:7264
-
C:\Windows\SysWOW64\Bcoenmao.exeC:\Windows\system32\Bcoenmao.exe213⤵PID:7308
-
C:\Windows\SysWOW64\Cmgjgcgo.exeC:\Windows\system32\Cmgjgcgo.exe214⤵
- Drops file in System32 directory
PID:7348 -
C:\Windows\SysWOW64\Cdabcm32.exeC:\Windows\system32\Cdabcm32.exe215⤵PID:7396
-
C:\Windows\SysWOW64\Cdcoim32.exeC:\Windows\system32\Cdcoim32.exe216⤵
- Drops file in System32 directory
PID:7440 -
C:\Windows\SysWOW64\Cnicfe32.exeC:\Windows\system32\Cnicfe32.exe217⤵PID:7484
-
C:\Windows\SysWOW64\Ceckcp32.exeC:\Windows\system32\Ceckcp32.exe218⤵PID:7524
-
C:\Windows\SysWOW64\Cfdhkhjj.exeC:\Windows\system32\Cfdhkhjj.exe219⤵PID:7572
-
C:\Windows\SysWOW64\Cdhhdlid.exeC:\Windows\system32\Cdhhdlid.exe220⤵PID:7620
-
C:\Windows\SysWOW64\Dhfajjoj.exeC:\Windows\system32\Dhfajjoj.exe221⤵
- Drops file in System32 directory
PID:7664 -
C:\Windows\SysWOW64\Ddmaok32.exeC:\Windows\system32\Ddmaok32.exe222⤵
- Modifies registry class
PID:7708 -
C:\Windows\SysWOW64\Dfknkg32.exeC:\Windows\system32\Dfknkg32.exe223⤵PID:7752
-
C:\Windows\SysWOW64\Daqbip32.exeC:\Windows\system32\Daqbip32.exe224⤵PID:7792
-
C:\Windows\SysWOW64\Dmgbnq32.exeC:\Windows\system32\Dmgbnq32.exe225⤵PID:7836
-
C:\Windows\SysWOW64\Ddakjkqi.exeC:\Windows\system32\Ddakjkqi.exe226⤵PID:7880
-
C:\Windows\SysWOW64\Dfpgffpm.exeC:\Windows\system32\Dfpgffpm.exe227⤵PID:7924
-
C:\Windows\SysWOW64\Dknpmdfc.exeC:\Windows\system32\Dknpmdfc.exe228⤵PID:7964
-
C:\Windows\SysWOW64\Eecdjmfi.exeC:\Windows\system32\Eecdjmfi.exe229⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:8016 -
C:\Windows\SysWOW64\Ekpmbddq.exeC:\Windows\system32\Ekpmbddq.exe230⤵PID:8064
-
C:\Windows\SysWOW64\Ehdmlhcj.exeC:\Windows\system32\Ehdmlhcj.exe231⤵PID:8108
-
C:\Windows\SysWOW64\Emaedo32.exeC:\Windows\system32\Emaedo32.exe232⤵
- Drops file in System32 directory
PID:8152 -
C:\Windows\SysWOW64\Eehnem32.exeC:\Windows\system32\Eehnem32.exe233⤵PID:6868
-
C:\Windows\SysWOW64\Ehfjah32.exeC:\Windows\system32\Ehfjah32.exe234⤵PID:7228
-
C:\Windows\SysWOW64\Eopbnbhd.exeC:\Windows\system32\Eopbnbhd.exe235⤵PID:7288
-
C:\Windows\SysWOW64\Edmjfifl.exeC:\Windows\system32\Edmjfifl.exe236⤵PID:7356
-
C:\Windows\SysWOW64\Ekgbccni.exeC:\Windows\system32\Ekgbccni.exe237⤵PID:7428
-
C:\Windows\SysWOW64\Ehkclgmb.exeC:\Windows\system32\Ehkclgmb.exe238⤵PID:7508
-
C:\Windows\SysWOW64\Eoekia32.exeC:\Windows\system32\Eoekia32.exe239⤵PID:7580
-
C:\Windows\SysWOW64\Eachem32.exeC:\Windows\system32\Eachem32.exe240⤵PID:7652
-
C:\Windows\SysWOW64\Fgppmd32.exeC:\Windows\system32\Fgppmd32.exe241⤵PID:7700
-
C:\Windows\SysWOW64\Fnjhjn32.exeC:\Windows\system32\Fnjhjn32.exe242⤵PID:7780